github actions: resume running Nix-based integration tests

These should be back in a good state, and some tests (ie: TestMITMProxy)
are based on nix tooling so we should do these in CI.

Signed-off-by: Tom DNetto <tom@tailscale.com>

.github/workflows/vm.yml

@@ -19,12 +19,16 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.18
+      - name: Set up Nix
+        uses: cachix/install-nix-action@v17
+        with:
+          nix_path: nixpkgs=channel:nixos-21.11
 
       - name: Checkout Code
         uses: actions/checkout@v3
 
       - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
+        run: go test ./tstest/integration/vms -v --timeout=20m --no-s3 --run-vm-tests --distro-regex '(nix|ubuntu)'
         env:
           HOME: "/tmp"
           TMPDIR: "/tmp"

VERSION.txt

@@ -1 +1 @@
-1.25.0
+1.23.0

api.md

@@ -22,9 +22,9 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 * **[Tailnets](#tailnet)**
   - ACLs
     - [GET tailnet ACL](#tailnet-acl-get)
-    - [POST tailnet ACL](#tailnet-acl-post)
-    - [POST tailnet ACL preview](#tailnet-acl-preview-post)
-	- [POST tailnet ACL validate](#tailnet-acl-validate-post)
+    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
+    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
+	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
   - [Devices](#tailnet-devices)
     - [GET tailnet devices](#tailnet-devices-get)
   - [Keys](#tailnet-keys)
@@ -42,12 +42,12 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 
 ## Device
 <!-- TODO: description about what devices are -->
-Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id".
+Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id". 
 You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.
 
-To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network.
+To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network. 
 Find the device you're looking for and get the "id" field.
-This is your deviceID.
+This is your deviceID. 
 
 <a name=device-get></a>
 
@@ -60,7 +60,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne
 ##### Parameters
 ##### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are:
+Currently, supported options are: 
 * `all`: returns all fields in the response.
 * `default`: return all fields except:
   * `enabledRoutes`
@@ -72,7 +72,7 @@ If more than one option is indicated, then the union is used.
 For example, for `fields=default,all`, all fields are returned.
 If the `fields` parameter is not provided, then the default option is used.
 
-##### Example
+##### Example 
 ```
 GET /api/v2/device/12345
 curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
@@ -102,10 +102,10 @@ Response
   "nodeKey":"nodekey:user1-node-key",
   "blocksIncomingConnections":false,
   "enabledRoutes":[
-
+    
   ],
   "advertisedRoutes":[
-
+    
   ],
   "clientConnectivity": {
     "endpoints":[
@@ -141,7 +141,7 @@ Response
 <a name=device-delete></a>
 
 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
-Deletes the provided device from its tailnet.
+Deletes the provided device from its tailnet. 
 The device must belong to the user's tailnet.
 Deleting shared/external devices is not supported.
 Supply the device of interest in the path using its ID.
@@ -159,7 +159,7 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
 
 Response
 
-If successful, the response should be empty:
+If successful, the response should be empty: 
 ```
 < HTTP/1.1 200 OK
 ...
@@ -167,7 +167,7 @@ If successful, the response should be empty:
 * Closing connection 0
 ```
 
-If the device is not owned by your tailnet:
+If the device is not owned by your tailnet: 
 ```
 < HTTP/1.1 501 Not Implemented
 ...
@@ -317,9 +317,14 @@ Allows for updating properties on the device key.
 - Provide `false` to enable the device's key expiry. Sets the key to expire at the original expiry time prior to disabling. The key may already have expired. In that case, the device must be re-authenticated.
 - Empty value will not change the key expiry.
 
+`preauthorized`
+
+- If `true`, don't require machine authorization (if enabled on the tailnet)
+
 ```
 {
-  "keyExpiryDisabled": true
+  "keyExpiryDisabled": true,
+  "preauthorized": true
 }
 ```
 
@@ -334,8 +339,8 @@ curl 'https://api.tailscale.com/api/v2/device/11055/key' \
 The response is 2xx on success. The response body is currently an empty JSON
 object.
 
-## Tailnet
-A tailnet is the name of your Tailscale network.
+## Tailnet 
+A tailnet is the name of your Tailscale network. 
 You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
 
 
@@ -615,12 +620,7 @@ Response:
 
 #### `POST /api/v2/tailnet/:tailnet/acl/validate` - run validation tests against the tailnet's active ACL
 
-This endpoint works in one of two modes:
-
-1. with a request body that's a JSON array, the body is interpreted as ACL tests to run against the domain's current ACLs.
-2. with a request body that's a JSON object, the body is interpreted as a hypothetical new JSON (HuJSON) body with new ACLs, including any tests.
-
-In either case, this endpoint does not modify the ACL in any way.
+Runs the provided ACL tests against the tailnet's existing ACL. This endpoint does not modify the ACL in any way.
 
 ##### Parameters
 
@@ -630,7 +630,7 @@ The POST body should be a JSON formatted array of ACL Tests.
 
 See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.
 
-##### Example with tests
+##### Example
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -641,28 +641,11 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
   ]'
 ```
 
-##### Example with an ACL body
-```
-POST /api/v2/tailnet/example.com/acl/validate
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '
-  {
-    "ACLs": [
-     { "Action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
-    ],
-    "Tests", [
-      {"src": "100.105.106.107", "allow": ["1.2.3.4:80"]}
-    ],
-  }'
-```
-
 Response:
+If all the tests pass, the response will be empty, with an http status code of 200.
 
-The HTTP status code will be 200 if the request was well formed and there were no server errors, even in the case of failing tests or an invalid ACL. Look at the response body to determine whether there was a problem within your ACL or tests.
-
-If there's a problem, the response body will be a JSON object with a non-empty `message` property and optionally additional details in `data`:
-
+Failed test error response:
+A 400 http status code and the errors in the response body.  
 ```
 {
   "message":"test(s) failed",
@@ -675,8 +658,6 @@ If there's a problem, the response body will be a JSON object with a non-empty `
 }
 ```
 
-An empty body or a JSON object with no `message` is returned on success.
-
 <a name=tailnet-devices></a>
 
 ### Devices
@@ -684,7 +665,7 @@ An empty body or a JSON object with no `message` is returned on success.
 <a name=tailnet-devices-get></a>
 
 #### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
-Lists the devices in a tailnet.
+Lists the devices in a tailnet. 
 Supply the tailnet of interest in the path.
 Use the `fields` query parameter to explicitly indicate which fields are returned.
 
@@ -693,7 +674,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne
 
 ###### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are:
+Currently, supported options are: 
 * `all`: Returns all fields in the response.
 * `default`: return all fields except:
   * `enabledRoutes`
@@ -713,7 +694,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
   -u "tskey-yourapikey123:"
 ```
 
-Response
+Response 
 ```
 {
   "devices":[
@@ -889,22 +870,10 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
 Response:
 ```
 {
-  "id": "k123456CNTRL",
-  "created": "2022-05-05T18:55:44Z",
-  "expires": "2022-08-03T18:55:44Z",
-  "capabilities": {
-    "devices": {
-      "create": {
-        "reusable": false,
-        "ephemeral": true,
-        "preauthorized": false,
-        "tags": [
-          "tag:bar",
-          "tag:foo"
-        ]
-      }
-    }
-  }
+	"id":           "k123456CNTRL",
+	"created":      "2021-12-09T22:13:53Z",
+	"expires":      "2022-03-09T22:13:53Z",
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
 }
 ```
 
@@ -935,13 +904,13 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k12345
 <a name=tailnet-dns-nameservers-get></a>
 
 #### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
-Lists the DNS nameservers for a tailnet.
+Lists the DNS nameservers for a tailnet. 
 Supply the tailnet of interest in the path.
 
 ##### Parameters
 No parameters.
 
-##### Example
+##### Example 
 
 ```
 GET /api/v2/tailnet/example.com/dns/nameservers
@@ -949,7 +918,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
   -u "tskey-yourapikey123:"
 ```
 
-Response
+Response 
 ```
 {
   "dns": ["8.8.8.8"],
@@ -959,7 +928,7 @@ Response
 <a name=tailnet-dns-nameservers-post></a>
 
 #### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
-Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user.
+Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user. 
 Supply the tailnet of interest in the path.
 Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).
 
@@ -973,7 +942,7 @@ Note that changing the list of DNS nameservers may also affect the status of Mag
 ```
 
 ##### Returns
-Returns the new list of nameservers and the status of MagicDNS.
+Returns the new list of nameservers and the status of MagicDNS. 
 
 If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).
 
@@ -1017,31 +986,31 @@ Retrieves the DNS preferences that are currently set for the given tailnet.
 Supply the tailnet of interest in the path.
 
 ##### Parameters
-No parameters.
+No parameters. 
 
 ##### Example
 ```
 GET /api/v2/tailnet/example.com/dns/preferences
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
-  -u "tskey-yourapikey123:"
+  -u "tskey-yourapikey123:" 
 ```
 
 Response:
 ```
 {
-  "magicDNS":false,
+  "magicDNS":false, 
 }
 ```
 
 <a name=tailnet-dns-preferences-post></a>
 
-#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet
+#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet 
 Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
-Note that MagicDNS is dependent on DNS servers.
+Note that MagicDNS is dependent on DNS servers. 
 
-If there is at least one DNS server, then MagicDNS can be enabled.
+If there is at least one DNS server, then MagicDNS can be enabled. 
 Otherwise, it returns an error.
-Note that removing all nameservers will turn off MagicDNS.
+Note that removing all nameservers will turn off MagicDNS. 
 To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.
 
 ##### Parameters
@@ -1072,7 +1041,7 @@ If there are no DNS servers, it returns an error message:
 }
 ```
 
-If there are DNS servers:
+If there are DNS servers: 
 ```
 {
   "magicDNS":true,
@@ -1081,8 +1050,8 @@ If there are DNS servers:
 
 <a name=tailnet-dns-searchpaths-get></a>
 
-#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet
-Retrieves the list of search paths that is currently set for the given tailnet.
+#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet 
+Retrieves the list of search paths that is currently set for the given tailnet. 
 Supply the tailnet of interest in the path.
 
 
@@ -1093,7 +1062,7 @@ No parameters.
 ```
 GET /api/v2/tailnet/example.com/dns/searchpaths
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
-  -u "tskey-yourapikey123:"
+  -u "tskey-yourapikey123:" 
 ```
 
 Response:
@@ -1105,7 +1074,7 @@ Response:
 
 <a name=tailnet-dns-searchpaths-post></a>
 
-#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet
+#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet 
 Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.
 
 ##### Parameters

client/tailscale/acl.go

@@ -1,469 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"inet.af/netaddr"
-)
-
-// ACLRow defines a rule that grants access by a set of users or groups to a set of servers and ports.
-type ACLRow struct {
-	Action string   `json:"action,omitempty"` // valid values: "accept"
-	Users  []string `json:"users,omitempty"`
-	Ports  []string `json:"ports,omitempty"`
-}
-
-// ACLTest defines a test for your ACLs to prevent accidental exposure or revoking of access to key servers and ports.
-type ACLTest struct {
-	User  string   `json:"user,omitempty"`  // source
-	Allow []string `json:"allow,omitempty"` // expected destination ip:port that user can access
-	Deny  []string `json:"deny,omitempty"`  // expected destination ip:port that user cannot access
-}
-
-// ACLDetails contains all the details for an ACL.
-type ACLDetails struct {
-	Tests     []ACLTest           `json:"tests,omitempty"`
-	ACLs      []ACLRow            `json:"acls,omitempty"`
-	Groups    map[string][]string `json:"groups,omitempty"`
-	TagOwners map[string][]string `json:"tagowners,omitempty"`
-	Hosts     map[string]string   `json:"hosts,omitempty"`
-}
-
-// ACL contains an ACLDetails and metadata.
-type ACL struct {
-	ACL  ACLDetails
-	ETag string // to check with version on server
-}
-
-// ACLHuJSON contains the HuJSON string of the ACL and metadata.
-type ACLHuJSON struct {
-	ACL      string
-	Warnings []string
-	ETag     string // to check with version on server
-}
-
-// ACL makes a call to the Tailscale server to get a JSON-parsed version of the ACL.
-// The JSON-parsed version of the ACL contains no comments as proper JSON does not support
-// comments.
-func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACL: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/json")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	acl = &ACL{
-		ACL:  aclDetails,
-		ETag: resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLHuJSON makes a call to the Tailscale server to get the ACL HuJSON and returns
-// it as a string.
-// HuJSON is JSON with a few modifications to make it more human-friendly. The primary
-// changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
-// https://github.com/tailscale/hujson
-func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACLHuJSON: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	data := struct {
-		ACL      []byte   `json:"acl"`
-		Warnings []string `json:"warnings"`
-	}{}
-	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, err
-	}
-
-	acl = &ACLHuJSON{
-		ACL:      string(data.ACL),
-		Warnings: data.Warnings,
-		ETag:     resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLTestFailureSummary specifies a user for which ACL tests
-// failed and the related user-friendly error messages.
-//
-// ACLTestFailureSummary specifies the JSON format sent to the
-// JavaScript client to be rendered in the HTML.
-type ACLTestFailureSummary struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
-}
-
-// ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
-type ACLTestError struct {
-	ErrResponse
-	Data []ACLTestFailureSummary `json:"data"`
-}
-
-func (e ACLTestError) Error() string {
-	return fmt.Sprintf("%s, Data: %+v", e.ErrResponse.Error(), e.Data)
-}
-
-func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, "", err
-	}
-
-	if avoidCollisions {
-		req.Header.Set("If-Match", etag)
-	}
-	req.Header.Set("Accept", acceptHeader)
-	req.Header.Set("Content-Type", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		// check if test error
-		var ate ACLTestError
-		if err := json.Unmarshal(b, &ate); err != nil {
-			return nil, "", err
-		}
-		ate.Status = resp.StatusCode
-		return nil, "", ate
-	}
-	return b, resp.Header.Get("ETag"), nil
-}
-
-// SetACL sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACL(ctx context.Context, acl ACL, avoidCollisions bool) (res *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACL: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	res = &ACL{
-		ACL:  aclDetails,
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// SetACLHuJSON sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if the HuJSON is invalid.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACLHuJSON(ctx context.Context, acl ACLHuJSON, avoidCollisions bool) (res *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACLHuJSON: %w", err)
-		}
-	}()
-
-	postData := []byte(acl.ACL)
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/hujson")
-	if err != nil {
-		return nil, err
-	}
-
-	res = &ACLHuJSON{
-		ACL:  string(b),
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// UserRuleMatch specifies the source users/groups/hosts that a rule targets
-// and the destination ports that they can access.
-// LineNumber is only useful for requests provided in HuJSON form.
-// While JSON requests will have LineNumber, the value is not useful.
-type UserRuleMatch struct {
-	Users      []string `json:"users"`
-	Ports      []string `json:"ports"`
-	LineNumber int      `json:"lineNumber"`
-}
-
-// ACLPreviewResponse is the response type of previewACLPostRequest
-type ACLPreviewResponse struct {
-	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
-	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
-	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
-}
-
-// ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
-type ACLPreview struct {
-	Matches []UserRuleMatch `json:"matches"`
-	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
-	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
-}
-
-func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, err
-	}
-
-	q := req.URL.Query()
-	q.Add("type", previewType)
-	q.Add("previewFor", previewFor)
-	req.URL.RawQuery = q.Encode()
-
-	req.Header.Set("Content-Type", "application/hujson")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-	if err = json.Unmarshal(b, &res); err != nil {
-		return nil, err
-	}
-
-	return res, nil
-}
-
-// PreviewACLForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForUser: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netaddr.IPPort) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForIPPort: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport.String())
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForUser: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, ipport string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForIPPort: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// ValidateACLJSON takes in the given source and destination (in this situation,
-// it is assumed that you are checking whether the source can connect to destination)
-// and creates an ACLTest from that. It then sends the ACLTest to the control api acl
-// validate endpoint, where the test is run. It returns a nil ACLTestError pointer if
-// no test errors occur.
-func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (testErr *ACLTestError, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ValidateACLJSON: %w", err)
-		}
-	}()
-
-	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
-	postData, err := json.Marshal(tests)
-	if err != nil {
-		return nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Content-Type", "application/json")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
-	}
-
-	// The test ran without fail
-	if len(b) == 0 {
-		return nil, nil
-	}
-
-	var res ACLTestError
-	// The test returned errors.
-	if err = json.Unmarshal(b, &res); err != nil {
-		// failed to unmarshal
-		return nil, err
-	}
-	return &res, nil
-}

client/tailscale/apitype/apitype.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package apitype contains types for the Tailscale local API and control plane API.
+// Package apitype contains types for the Tailscale local API.
 package apitype
 
 import "tailscale.com/tailcfg"
@@ -11,9 +11,6 @@ import "tailscale.com/tailcfg"
 type WhoIsResponse struct {
 	Node        *tailcfg.Node
 	UserProfile *tailcfg.UserProfile
-
-	// Caps are extra capabilities that the remote Node has to this node.
-	Caps []string `json:",omitempty"`
 }
 
 // FileTarget is a node to which files can be sent, and the PeerAPI

client/tailscale/apitype/controltype.go

@@ -1,20 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package apitype
-
-type DNSConfig struct {
-	Resolvers         []DNSResolver            `json:"resolvers"`
-	FallbackResolvers []DNSResolver            `json:"fallbackResolvers"`
-	Routes            map[string][]DNSResolver `json:"routes"`
-	Domains           []string                 `json:"domains"`
-	Nameservers       []string                 `json:"nameservers"`
-	Proxied           bool                     `json:"proxied"`
-	PerDomain         bool                     `json:",omitempty"`
-}
-
-type DNSResolver struct {
-	Addr                string   `json:"addr"`
-	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
-}

client/tailscale/devices.go

@@ -1,262 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-	"strings"
-
-	"tailscale.com/types/opt"
-)
-
-type GetDevicesResponse struct {
-	Devices []*Device `json:"devices"`
-}
-
-type DerpRegion struct {
-	Preferred           bool    `json:"preferred,omitempty"`
-	LatencyMilliseconds float64 `json:"latencyMs"`
-}
-
-type ClientConnectivity struct {
-	Endpoints             []string `json:"endpoints"`
-	DERP                  string   `json:"derp"`
-	MappingVariesByDestIP opt.Bool `json:"mappingVariesByDestIP"`
-	// DERPLatency is mapped by region name (e.g. "New York City", "Seattle").
-	DERPLatency    map[string]DerpRegion `json:"latency"`
-	ClientSupports map[string]opt.Bool   `json:"clientSupports"`
-}
-
-type Device struct {
-	// Addresses is a list of the devices's Tailscale IP addresses.
-	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
-	Addresses []string `json:"addresses"`
-	DeviceID  string   `json:"id"`
-	User      string   `json:"user"`
-	Name      string   `json:"name"`
-	Hostname  string   `json:"hostname"`
-
-	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
-	OS                string `json:"os"`
-	Created           string `json:"created"` // Empty for external devices.
-	LastSeen          string `json:"lastSeen"`
-	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
-	Expires           string `json:"expires"`
-	Authorized        bool   `json:"authorized"`
-	IsExternal        bool   `json:"isExternal"`
-	MachineKey        string `json:"machineKey"` // Empty for external devices.
-	NodeKey           string `json:"nodeKey"`
-
-	// BlocksIncomingConnections is configured via the device's
-	// Tailscale client preferences. This field is only reported
-	// to the API starting with Tailscale 1.3.x clients.
-	BlocksIncomingConnections bool `json:"blocksIncomingConnections"`
-
-	// The following fields are not included by default:
-
-	// EnabledRoutes are the previously-approved subnet routes
-	// (e.g. "192.168.4.16/24", "10.5.2.4/32").
-	EnabledRoutes []string `json:"enabledRoutes"` // Empty for external devices.
-	// AdvertisedRoutes are the subnets (both enabled and not enabled)
-	// being requested from the node.
-	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
-
-	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
-}
-
-// DeviceFieldsOpts determines which fields should be returned in the response.
-//
-// Please only use DeviceAllFields and DeviceDefaultFields.
-// Other DeviceFieldsOpts are not supported.
-//
-// TODO: Support other DeviceFieldsOpts.
-// In the future, users should be able to create their own DeviceFieldsOpts
-// as valid arguments by setting the fields they want returned to a "non-nil"
-// value. For example, DeviceFieldsOpts{NodeID: "true"} should only return NodeIDs.
-type DeviceFieldsOpts Device
-
-func (d *DeviceFieldsOpts) addFieldsToQueryParameter() string {
-	if d == DeviceDefaultFields || d == nil {
-		return "default"
-	}
-	if d == DeviceAllFields {
-		return "all"
-	}
-
-	return ""
-}
-
-var (
-	DeviceAllFields = &DeviceFieldsOpts{}
-
-	// DeviceDefaultFields specifies that the following fields are returned:
-	//   Addresses, NodeID, User, Name, Hostname, ClientVersion, UpdateAvailable,
-	//   OS, Created, LastSeen, KeyExpiryDisabled, Expires, Authorized, IsExternal
-	//   MachineKey, NodeKey, BlocksIncomingConnections.
-	DeviceDefaultFields = &DeviceFieldsOpts{}
-)
-
-// Devices retrieves the list of devices for a tailnet.
-//
-// See the Device structure for the list of fields hidden for external devices.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceList []*Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Devices: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var devices GetDevicesResponse
-	err = json.Unmarshal(b, &devices)
-	return devices.Devices, err
-}
-
-// Device retrieved the details for a specific device.
-//
-// See the Device structure for the list of fields hidden for an external device.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFieldsOpts) (device *Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Device: %w", err)
-		}
-	}()
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	err = json.Unmarshal(b, &device)
-	return device, err
-}
-
-// DeleteDevice deletes the specified device from the Client's tailnet.
-// NOTE: Only devices that belong to the Client's tailnet can be deleted.
-// Deleting external devices is not supported.
-func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteDevice: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// AuthorizeDevice marks a device as authorized.
-func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
-
-// SetTags updates the ACL tags on a device.
-func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) error {
-	params := &struct {
-		Tags []string `json:"tags"`
-	}{Tags: tags}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/tags", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}

client/tailscale/dns.go

@@ -1,235 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"tailscale.com/client/tailscale/apitype"
-)
-
-// DNSNameServers is returned when retrieving the list of nameservers.
-// It is also the structure provided when setting nameservers.
-type DNSNameServers struct {
-	DNS []string `json:"dns"` // DNS name servers
-}
-
-// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
-//
-// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
-type DNSNameServersPostResponse struct {
-	DNS      []string `json:"dns"`      // DNS name servers
-	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-// DNSSearchpaths is the list of search paths for a given domain.
-type DNSSearchPaths struct {
-	SearchPaths []string `json:"searchPaths"` // DNS search paths
-}
-
-// DNSPreferences is the preferences set for a given tailnet.
-//
-// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
-// there must be at least one nameserver. When all nameservers are removed,
-// MagicDNS is disabled.
-type DNSPreferences struct {
-	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	data, err := json.Marshal(&postData)
-	if err != nil {
-		return nil, err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	req.Header.Set("Content-Type", "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-// DNSConfig retrieves the DNSConfig settings for a domain.
-func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "config")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp apitype.DNSConfig
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
-		}
-	}()
-	var dnsResp apitype.DNSConfig
-	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-// NameServers retrieves the list of nameservers set for a domain.
-func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.NameServers: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "nameservers")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSNameServers
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.DNS, err
-}
-
-// SetNameServers sets the list of nameservers for a tailnet to the list provided
-// by the user.
-//
-// It returns the new list of nameservers and the MagicDNS status in case it was
-// affected by the change. For example, removing all nameservers will turn off
-// MagicDNS.
-func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
-		}
-	}()
-	dnsReq := DNSNameServers{DNS: nameservers}
-	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// DNSPreferences retrieves the DNS preferences set for a tailnet.
-//
-// It returns the status of MagicDNS.
-func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "preferences")
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SetDNSPreferences sets the DNS preferences for a tailnet.
-//
-// MagicDNS can only be enabled when there is at least one nameserver provided.
-// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
-// unless explicitly enabled by a user again.
-func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
-		}
-	}()
-	dnsReq := DNSPreferences{MagicDNS: magicDNS}
-	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
-	if err != nil {
-		return
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SearchPaths retrieves the list of searchpaths set for a tailnet.
-func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "searchpaths")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp *DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
-
-// SetSearchPaths sets the list of searchpaths for a tailnet.
-func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
-		}
-	}()
-	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
-	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}

client/tailscale/localclient.go

@@ -1,711 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"net/http/httptrace"
-	"net/url"
-	"os/exec"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"go4.org/mem"
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/netutil"
-	"tailscale.com/paths"
-	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-)
-
-// defaultLocalClient is the default LocalClient when using the legacy
-// package-level functions.
-var defaultLocalClient LocalClient
-
-// LocalClient is a client to Tailscale's "local API", communicating with the
-// Tailscale daemon on the local machine. Its API is not necessarily stable and
-// subject to changes between releases. Some API calls have stricter
-// compatibility guarantees, once they've been widely adopted. See method docs
-// for details.
-//
-// Its zero value is valid to use.
-//
-// Any exported fields should be set before using methods on the type
-// and not changed thereafter.
-type LocalClient struct {
-	// Dial optionally specifies an alternate func that connects to the local
-	// machine's tailscaled or equivalent. If nil, a default is used.
-	Dial func(ctx context.Context, network, addr string) (net.Conn, error)
-
-	// Socket specifies an alternate path to the local Tailscale socket.
-	// If empty, a platform-specific default is used.
-	Socket string
-
-	// UseSocketOnly, if true, tries to only connect to tailscaled via the
-	// Unix socket and not via fallback mechanisms as done on macOS when
-	// connecting to the GUI client variants.
-	UseSocketOnly bool
-
-	// tsClient does HTTP requests to the local Tailscale daemon.
-	// It's lazily initialized on first use.
-	tsClient     *http.Client
-	tsClientOnce sync.Once
-}
-
-func (lc *LocalClient) socket() string {
-	if lc.Socket != "" {
-		return lc.Socket
-	}
-	return paths.DefaultTailscaledSocket()
-}
-
-func (lc *LocalClient) dialer() func(ctx context.Context, network, addr string) (net.Conn, error) {
-	if lc.Dial != nil {
-		return lc.Dial
-	}
-	return lc.defaultDialer
-}
-
-func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
-	if addr != "local-tailscaled.sock:80" {
-		return nil, fmt.Errorf("unexpected URL address %q", addr)
-	}
-	if !lc.UseSocketOnly {
-		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
-		// a TCP server on a random port, find the random port. For HTTP connections,
-		// we don't send the token. It gets added in an HTTP Basic-Auth header.
-		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
-			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
-		}
-	}
-	s := safesocket.DefaultConnectionStrategy(lc.socket())
-	// The user provided a non-default tailscaled socket address.
-	// Connect only to exactly what they provided.
-	s.UseFallback(false)
-	return safesocket.Connect(s)
-}
-
-// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
-//
-// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
-//
-// The hostname must be "local-tailscaled.sock", even though it
-// doesn't actually do any DNS lookup. The actual means of connecting to and
-// authenticating to the local Tailscale daemon vary by platform.
-//
-// DoLocalRequest may mutate the request to add Authorization headers.
-func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) {
-	lc.tsClientOnce.Do(func() {
-		lc.tsClient = &http.Client{
-			Transport: &http.Transport{
-				DialContext: lc.dialer(),
-			},
-		}
-	})
-	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
-		req.SetBasicAuth("", token)
-	}
-	return lc.tsClient.Do(req)
-}
-
-func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
-	res, err := lc.DoLocalRequest(req)
-	if err == nil {
-		if server := res.Header.Get("Tailscale-Version"); server != "" && server != ipn.IPCVersion() && onVersionMismatch != nil {
-			onVersionMismatch(ipn.IPCVersion(), server)
-		}
-		if res.StatusCode == 403 {
-			all, _ := ioutil.ReadAll(res.Body)
-			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
-		}
-		return res, nil
-	}
-	if ue, ok := err.(*url.Error); ok {
-		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
-			path := req.URL.Path
-			pathPrefix, _, _ := strings.Cut(path, "?")
-			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
-		}
-	}
-	return nil, err
-}
-
-type errorJSON struct {
-	Error string
-}
-
-// AccessDeniedError is an error due to permissions.
-type AccessDeniedError struct {
-	err error
-}
-
-func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
-func (e *AccessDeniedError) Unwrap() error { return e.err }
-
-// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
-func IsAccessDeniedError(err error) bool {
-	var ae *AccessDeniedError
-	return errors.As(err, &ae)
-}
-
-// bestError returns either err, or if body contains a valid JSON
-// object of type errorJSON, its non-empty error body.
-func bestError(err error, body []byte) error {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return errors.New(j.Error)
-	}
-	return err
-}
-
-func errorMessageFromBody(body []byte) string {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return j.Error
-	}
-	return strings.TrimSpace(string(body))
-}
-
-var onVersionMismatch func(clientVer, serverVer string)
-
-// SetVersionMismatchHandler sets f as the version mismatch handler
-// to be called when the client (the current process) has a version
-// number that doesn't match the server's declared version.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	onVersionMismatch = f
-}
-
-func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
-	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	slurp, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != wantStatus {
-		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, bestError(err, slurp)
-	}
-	return slurp, nil
-}
-
-func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
-	return lc.send(ctx, "GET", path, 200, nil)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-//
-// Deprecated: use LocalClient.WhoIs.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	return defaultLocalClient.WhoIs(ctx, remoteAddr)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		return nil, err
-	}
-	r := new(apitype.WhoIsResponse)
-	if err := json.Unmarshal(body, r); err != nil {
-		if max := 200; len(body) > max {
-			body = append(body[:max], "..."...)
-		}
-		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
-	}
-	return r, nil
-}
-
-// Goroutines returns a dump of the Tailscale daemon's current goroutines.
-func (lc *LocalClient) Goroutines(ctx context.Context) ([]byte, error) {
-	return lc.get200(ctx, "/localapi/v0/goroutines")
-}
-
-// DaemonMetrics returns the Tailscale daemon's metrics in
-// the Prometheus text exposition format.
-func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
-	return lc.get200(ctx, "/localapi/v0/metrics")
-}
-
-// Profile returns a pprof profile of the Tailscale daemon.
-func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
-	var secArg string
-	if sec < 0 || sec > 300 {
-		return nil, errors.New("duration out of range")
-	}
-	if sec != 0 || pprofType == "profile" {
-		secArg = fmt.Sprint(sec)
-	}
-	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
-}
-
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(string(body)), nil
-}
-
-// DebugAction invokes a debug action, such as "rebind" or "restun".
-// These are development tools and subject to change or removal over time.
-func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	return nil
-}
-
-// Status returns the Tailscale daemon's status.
-func Status(ctx context.Context) (*ipnstate.Status, error) {
-	return defaultLocalClient.Status(ctx)
-}
-
-// Status returns the Tailscale daemon's status.
-func (lc *LocalClient) Status(ctx context.Context) (*ipnstate.Status, error) {
-	return lc.status(ctx, "")
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return defaultLocalClient.StatusWithoutPeers(ctx)
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func (lc *LocalClient) StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return lc.status(ctx, "?peers=false")
-}
-
-func (lc *LocalClient) status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/status"+queryString)
-	if err != nil {
-		return nil, err
-	}
-	st := new(ipnstate.Status)
-	if err := json.Unmarshal(body, st); err != nil {
-		return nil, err
-	}
-	return st, nil
-}
-
-// IDToken is a request to get an OIDC ID token for an audience.
-// The token can be presented to any resource provider which offers OIDC
-// Federation.
-func (lc *LocalClient) IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
-	if err != nil {
-		return nil, err
-	}
-	tr := new(tailcfg.TokenResponse)
-	if err := json.Unmarshal(body, tr); err != nil {
-		return nil, err
-	}
-	return tr, nil
-}
-
-func (lc *LocalClient) WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/files/")
-	if err != nil {
-		return nil, err
-	}
-	var wfs []apitype.WaitingFile
-	if err := json.Unmarshal(body, &wfs); err != nil {
-		return nil, err
-	}
-	return wfs, nil
-}
-
-func (lc *LocalClient) DeleteWaitingFile(ctx context.Context, baseName string) error {
-	_, err := lc.send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
-	return err
-}
-
-func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.ContentLength == -1 {
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("unexpected chunking")
-	}
-	if res.StatusCode != 200 {
-		body, _ := ioutil.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-	return res.Body, res.ContentLength, nil
-}
-
-func (lc *LocalClient) FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/file-targets")
-	if err != nil {
-		return nil, err
-	}
-	var fts []apitype.FileTarget
-	if err := json.Unmarshal(body, &fts); err != nil {
-		return nil, fmt.Errorf("invalid JSON: %w", err)
-	}
-	return fts, nil
-}
-
-// PushFile sends Taildrop file r to target.
-//
-// A size of -1 means unknown.
-// The name parameter is the original filename, not escaped.
-func (lc *LocalClient) PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
-	if err != nil {
-		return err
-	}
-	if size != -1 {
-		req.ContentLength = size
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode == 200 {
-		io.Copy(io.Discard, res.Body)
-		return nil
-	}
-	all, _ := io.ReadAll(res.Body)
-	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
-}
-
-// CheckIPForwarding asks the local Tailscale daemon whether it looks like the
-// machine is properly configured to forward IP packets as a subnet router
-// or exit node.
-func (lc *LocalClient) CheckIPForwarding(ctx context.Context) error {
-	body, err := lc.get200(ctx, "/localapi/v0/check-ip-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
-// CheckPrefs validates the provided preferences, without making any changes.
-//
-// The CLI uses this before a Start call to fail fast if the preferences won't
-// work. Currently (2022-04-18) this only checks for SSH server compatibility.
-// Note that EditPrefs does the same validation as this, so call CheckPrefs before
-// EditPrefs is not necessary.
-func (lc *LocalClient) CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
-	pj, err := json.Marshal(p)
-	if err != nil {
-		return err
-	}
-	_, err = lc.send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
-	return err
-}
-
-func (lc *LocalClient) GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/prefs")
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
-	mpj, err := json.Marshal(mp)
-	if err != nil {
-		return nil, err
-	}
-	body, err := lc.send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func (lc *LocalClient) Logout(ctx context.Context) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
-	return err
-}
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := lc.send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}
-
-// DialTCP connects to the host's port via Tailscale.
-//
-// The host may be a base DNS name (resolved from the netmap inside
-// tailscaled), a FQDN, or an IP address.
-//
-// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
-func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
-	connCh := make(chan net.Conn, 1)
-	trace := httptrace.ClientTrace{
-		GotConn: func(info httptrace.GotConnInfo) {
-			connCh <- info.Conn
-		},
-	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header = http.Header{
-		"Upgrade":    []string{"ts-dial"},
-		"Connection": []string{"upgrade"},
-		"Dial-Host":  []string{host},
-		"Dial-Port":  []string{fmt.Sprint(port)},
-	}
-	res, err := lc.DoLocalRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != http.StatusSwitchingProtocols {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
-	}
-	// From here on, the underlying net.Conn is ours to use, but there
-	// is still a read buffer attached to it within resp.Body. So, we
-	// must direct I/O through resp.Body, but we can still use the
-	// underlying net.Conn for stuff like deadlines.
-	var switchedConn net.Conn
-	select {
-	case switchedConn = <-connCh:
-	default:
-	}
-	if switchedConn == nil {
-		res.Body.Close()
-		return nil, fmt.Errorf("httptrace didn't provide a connection")
-	}
-	rwc, ok := res.Body.(io.ReadWriteCloser)
-	if !ok {
-		res.Body.Close()
-		return nil, errors.New("http Transport did not provide a writable body")
-	}
-	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
-}
-
-// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
-// It is intended to be used with netcheck to see availability of DERPs.
-func (lc *LocalClient) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	var derpMap tailcfg.DERPMap
-	res, err := lc.send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(res, &derpMap); err != nil {
-		return nil, fmt.Errorf("invalid derp map json: %w", err)
-	}
-	return &derpMap, nil
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// Deprecated: use LocalClient.CertPair.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return defaultLocalClient.CertPair(ctx, domain)
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// with ?type=pair, the response PEM is first the one private
-	// key PEM block, then the cert PEM blocks.
-	i := mem.Index(mem.B(res), mem.S("--\n--"))
-	if i == -1 {
-		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
-	}
-	i += len("--\n")
-	keyPEM, certPEM = res[:i], res[i:]
-	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
-		return nil, nil, fmt.Errorf("unexpected output: key in cert")
-	}
-	return certPEM, keyPEM, nil
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-//
-// Deprecated: use LocalClient.GetCertificate.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return defaultLocalClient.GetCertificate(hi)
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi == nil || hi.ServerName == "" {
-		return nil, errors.New("no SNI ServerName")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	name := hi.ServerName
-	if !strings.Contains(name, ".") {
-		if v, ok := lc.ExpandSNIName(ctx, name); ok {
-			name = v
-		}
-	}
-	certPEM, keyPEM, err := lc.CertPair(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-//
-// Deprecated: use LocalClient.ExpandSNIName.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	return defaultLocalClient.ExpandSNIName(ctx, name)
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	st, err := lc.StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", false
-	}
-	for _, d := range st.CertDomains {
-		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
-			return d, true
-		}
-	}
-	return "", false
-}
-
-// Ping sends a ping of the provided type to the provided IP and waits
-// for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
-	v := url.Values{}
-	v.Set("ip", ip.String())
-	v.Set("type", string(pingtype))
-	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error %w: %s", err, body)
-	}
-	pr := new(ipnstate.PingResult)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
-// tailscaledConnectHint gives a little thing about why tailscaled (or
-// platform equivalent) is not answering localapi connections.
-//
-// It ends in a punctuation. See caller.
-func tailscaledConnectHint() string {
-	if runtime.GOOS != "linux" {
-		// TODO(bradfitz): flesh this out
-		return "not running?"
-	}
-	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
-	if err != nil {
-		return "not running?"
-	}
-	// Parse:
-	// LoadState=loaded
-	// ActiveState=inactive
-	// SubState=dead
-	st := map[string]string{}
-	for _, line := range strings.Split(string(out), "\n") {
-		if k, v, ok := strings.Cut(line, "="); ok {
-			st[k] = strings.TrimSpace(v)
-		}
-	}
-	if st["LoadState"] == "loaded" &&
-		(st["SubState"] != "running" || st["ActiveState"] != "active") {
-		return "systemd tailscaled.service not running."
-	}
-	return "not running?"
-}

client/tailscale/routes.go

@@ -1,98 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"inet.af/netaddr"
-)
-
-// Routes contains the lists of subnet routes that are currently advertised by a device,
-// as well as the subnets that are enabled to be routed by the device.
-type Routes struct {
-	AdvertisedRoutes []netaddr.IPPrefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netaddr.IPPrefix `json:"enabledRoutes"`
-}
-
-// Routes retrieves the list of subnet routes that have been enabled for a device.
-// The routes that are returned are not necessarily advertised by the device,
-// they have only been preapproved.
-func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Routes: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var sr Routes
-	err = json.Unmarshal(b, &sr)
-	return &sr, err
-}
-
-type postRoutesParams struct {
-	Routes []netaddr.IPPrefix `json:"routes"`
-}
-
-// SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by inet.af/netaddr.ParseIPPrefix.
-// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
-// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netaddr.IPPrefix) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
-		}
-	}()
-	params := &postRoutesParams{Routes: subnets}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return nil, err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var srr *Routes
-	if err := json.Unmarshal(b, &srr); err != nil {
-		return nil, err
-	}
-	return srr, err
-}

client/tailscale/tailnet.go

@@ -1,42 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-)
-
-// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
-func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, path, nil)
-	if err != nil {
-		return err
-	}
-
-	c.setAuth(req)
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}

client/tailscale/tailscale.go

@@ -1,160 +1,601 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 //go:build go1.18
 // +build go1.18
 
-// Package tailscale contains Go clients for the Tailscale Local API and
-// Tailscale control plane API.
-//
-// Warning: this package is in development and makes no API compatibility
-// promises as of 2022-04-29. It is subject to change at any time.
+// Package tailscale contains Tailscale client code.
 package tailscale
 
 import (
+	"bytes"
+	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"net"
 	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"go4.org/mem"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/netutil"
+	"tailscale.com/paths"
+	"tailscale.com/safesocket"
+	"tailscale.com/tailcfg"
+	"tailscale.com/version"
 )
 
-// I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. It was added 2022-04-29 when it was moved to this git repo
-// and will be removed when the public API has settled.
+var (
+	// TailscaledSocket is the tailscaled Unix socket. It's used by the TailscaledDialer.
+	TailscaledSocket = paths.DefaultTailscaledSocket()
+
+	// TailscaledSocketSetExplicitly reports whether the user explicitly set TailscaledSocket.
+	TailscaledSocketSetExplicitly bool
+
+	// TailscaledDialer is the DialContext func that connects to the local machine's
+	// tailscaled or equivalent.
+	TailscaledDialer = defaultDialer
+)
+
+func defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
+	if addr != "local-tailscaled.sock:80" {
+		return nil, fmt.Errorf("unexpected URL address %q", addr)
+	}
+	// TODO: make this part of a safesocket.ConnectionStrategy
+	if !TailscaledSocketSetExplicitly {
+		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
+		// a TCP server on a random port, find the random port. For HTTP connections,
+		// we don't send the token. It gets added in an HTTP Basic-Auth header.
+		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
+			var d net.Dialer
+			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
+		}
+	}
+	s := safesocket.DefaultConnectionStrategy(TailscaledSocket)
+	// The user provided a non-default tailscaled socket address.
+	// Connect only to exactly what they provided.
+	s.UseFallback(false)
+	return safesocket.Connect(s)
+}
+
+var (
+	// tsClient does HTTP requests to the local Tailscale daemon.
+	// We lazily initialize the client in case the caller wants to
+	// override TailscaledDialer.
+	tsClient     *http.Client
+	tsClientOnce sync.Once
+)
+
+// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
 //
-// TODO(bradfitz): remove this after the we're happy with the public API.
-var I_Acknowledge_This_API_Is_Unstable = false
-
-// TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
-
-const defaultAPIBase = "https://api.tailscale.com"
-
-// maxSize is the maximum read size (10MB) of responses from the server.
-const maxReadSize = 10 << 20
-
-// Client makes API calls to the Tailscale control plane API server.
+// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
 //
-// Use NewClient to instantiate one. Exported fields should be set before
-// the client is used and not changed thereafter.
-type Client struct {
-	// tailnet is the globally unique identifier for a Tailscale network, such
-	// as "example.com" or "user@gmail.com".
-	tailnet string
-	// auth is the authentication method to use for this client.
-	// nil means none, which generally won't work, but won't crash.
-	auth AuthMethod
-
-	// BaseURL optionally specifies an alternate API server to use.
-	// If empty, "https://api.tailscale.com" is used.
-	BaseURL string
-
-	// HTTPClient optionally specifies an alternate HTTP client to use.
-	// If nil, http.DefaultClient is used.
-	HTTPClient *http.Client
-}
-
-func (c *Client) httpClient() *http.Client {
-	if c.HTTPClient != nil {
-		return c.HTTPClient
-	}
-	return http.DefaultClient
-}
-
-func (c *Client) baseURL() string {
-	if c.BaseURL != "" {
-		return c.BaseURL
-	}
-	return defaultAPIBase
-}
-
-// AuthMethod is the interface for API authentication methods.
+// The hostname must be "local-tailscaled.sock", even though it
+// doesn't actually do any DNS lookup. The actual means of connecting to and
+// authenticating to the local Tailscale daemon vary by platform.
 //
-// Most users will use AuthKey.
-type AuthMethod interface {
-	modifyRequest(req *http.Request)
-}
-
-// APIKey is an AuthMethod for NewClient that authenticates requests
-// using an authkey.
-type APIKey string
-
-func (ak APIKey) modifyRequest(req *http.Request) {
-	req.SetBasicAuth(string(ak), "")
-}
-
-func (c *Client) setAuth(r *http.Request) {
-	if c.auth != nil {
-		c.auth.modifyRequest(r)
+// DoLocalRequest may mutate the request to add Authorization headers.
+func DoLocalRequest(req *http.Request) (*http.Response, error) {
+	tsClientOnce.Do(func() {
+		tsClient = &http.Client{
+			Transport: &http.Transport{
+				DialContext: TailscaledDialer,
+			},
+		}
+	})
+	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
+		req.SetBasicAuth("", token)
 	}
+	return tsClient.Do(req)
 }
 
-// NewClient is a convenience method for instantiating a new Client.
-//
-// tailnet is the globally unique identifier for a Tailscale network, such
-// as "example.com" or "user@gmail.com".
-// If httpClient is nil, then http.DefaultClient is used.
-// "api.tailscale.com" is set as the BaseURL for the returned client
-// and can be changed manually by the user.
-func NewClient(tailnet string, auth AuthMethod) *Client {
-	return &Client{
-		tailnet: tailnet,
-		auth:    auth,
+func doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
+	res, err := DoLocalRequest(req)
+	if err == nil {
+		if server := res.Header.Get("Tailscale-Version"); server != "" && server != version.Long && onVersionMismatch != nil {
+			onVersionMismatch(version.Long, server)
+		}
+		if res.StatusCode == 403 {
+			all, _ := ioutil.ReadAll(res.Body)
+			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
+		}
+		return res, nil
 	}
+	if ue, ok := err.(*url.Error); ok {
+		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
+			path := req.URL.Path
+			pathPrefix, _, _ := strings.Cut(path, "?")
+			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
+		}
+	}
+	return nil, err
 }
 
-func (c *Client) Tailnet() string { return c.tailnet }
-
-// Do sends a raw HTTP request, after adding any authentication headers.
-func (c *Client) Do(req *http.Request) (*http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	return c.httpClient().Do(req)
+type errorJSON struct {
+	Error string
 }
 
-// sendRequest add the authenication key to the request and sends it. It
-// receives the response and reads up to 10MB of it.
-func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+// AccessDeniedError is an error due to permissions.
+type AccessDeniedError struct {
+	err error
+}
+
+func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
+func (e *AccessDeniedError) Unwrap() error { return e.err }
+
+// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
+func IsAccessDeniedError(err error) bool {
+	var ae *AccessDeniedError
+	return errors.As(err, &ae)
+}
+
+// bestError returns either err, or if body contains a valid JSON
+// object of type errorJSON, its non-empty error body.
+func bestError(err error, body []byte) error {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return errors.New(j.Error)
 	}
-	c.setAuth(req)
-	resp, err := c.httpClient().Do(req)
+	return err
+}
+
+func errorMessageFromBody(body []byte) string {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return j.Error
+	}
+	return strings.TrimSpace(string(body))
+}
+
+var onVersionMismatch func(clientVer, serverVer string)
+
+// SetVersionMismatchHandler sets f as the version mismatch handler
+// to be called when the client (the current process) has a version
+// number that doesn't match the server's declared version.
+func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
+	onVersionMismatch = f
+}
+
+func send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
+	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
 	if err != nil {
-		return nil, resp, err
+		return nil, err
 	}
-	defer resp.Body.Close()
-
-	// Read response. Limit the response to 10MB.
-	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := ioutil.ReadAll(body)
-	if len(b) > maxReadSize {
-		err = errors.New("API response too large")
+	res, err := doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, err
 	}
-	return b, resp, err
+	defer res.Body.Close()
+	slurp, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != wantStatus {
+		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
+		return nil, bestError(err, slurp)
+	}
+	return slurp, nil
 }
 
-// ErrResponse is the HTTP error returned by the Tailscale server.
-type ErrResponse struct {
-	Status  int
-	Message string
+func get200(ctx context.Context, path string) ([]byte, error) {
+	return send(ctx, "GET", path, 200, nil)
 }
 
-func (e ErrResponse) Error() string {
-	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
+// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	body, err := get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
+	if err != nil {
+		return nil, err
+	}
+	r := new(apitype.WhoIsResponse)
+	if err := json.Unmarshal(body, r); err != nil {
+		if max := 200; len(body) > max {
+			body = append(body[:max], "..."...)
+		}
+		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
+	}
+	return r, nil
 }
 
-// handleErrorResponse decodes the error message from the server and returns
-// an ErrResponse from it.
-func handleErrorResponse(b []byte, resp *http.Response) error {
-	var errResp ErrResponse
-	if err := json.Unmarshal(b, &errResp); err != nil {
+// Goroutines returns a dump of the Tailscale daemon's current goroutines.
+func Goroutines(ctx context.Context) ([]byte, error) {
+	return get200(ctx, "/localapi/v0/goroutines")
+}
+
+// DaemonMetrics returns the Tailscale daemon's metrics in
+// the Prometheus text exposition format.
+func DaemonMetrics(ctx context.Context) ([]byte, error) {
+	return get200(ctx, "/localapi/v0/metrics")
+}
+
+// Profile returns a pprof profile of the Tailscale daemon.
+func Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
+	var secArg string
+	if sec < 0 || sec > 300 {
+		return nil, errors.New("duration out of range")
+	}
+	if sec != 0 || pprofType == "profile" {
+		secArg = fmt.Sprint(sec)
+	}
+	return get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
+}
+
+// BugReport logs and returns a log marker that can be shared by the user with support.
+func BugReport(ctx context.Context, note string) (string, error) {
+	body, err := send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(body)), nil
+}
+
+// DebugAction invokes a debug action, such as "rebind" or "restun".
+// These are development tools and subject to change or removal over time.
+func DebugAction(ctx context.Context, action string) error {
+	body, err := send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	return nil
+}
+
+// Status returns the Tailscale daemon's status.
+func Status(ctx context.Context) (*ipnstate.Status, error) {
+	return status(ctx, "")
+}
+
+// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
+func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	return status(ctx, "?peers=false")
+}
+
+func status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
+	body, err := get200(ctx, "/localapi/v0/status"+queryString)
+	if err != nil {
+		return nil, err
+	}
+	st := new(ipnstate.Status)
+	if err := json.Unmarshal(body, st); err != nil {
+		return nil, err
+	}
+	return st, nil
+}
+
+// IDToken is a request to get an OIDC ID token for an audience.
+// The token can be presented to any resource provider which offers OIDC
+// Federation.
+func IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
+	body, err := get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
+	if err != nil {
+		return nil, err
+	}
+	tr := new(tailcfg.TokenResponse)
+	if err := json.Unmarshal(body, tr); err != nil {
+		return nil, err
+	}
+	return tr, nil
+}
+
+func WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
+	body, err := get200(ctx, "/localapi/v0/files/")
+	if err != nil {
+		return nil, err
+	}
+	var wfs []apitype.WaitingFile
+	if err := json.Unmarshal(body, &wfs); err != nil {
+		return nil, err
+	}
+	return wfs, nil
+}
+
+func DeleteWaitingFile(ctx context.Context, baseName string) error {
+	_, err := send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
+	return err
+}
+
+func GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	res, err := doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, 0, err
+	}
+	if res.ContentLength == -1 {
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("unexpected chunking")
+	}
+	if res.StatusCode != 200 {
+		body, _ := ioutil.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
+	}
+	return res.Body, res.ContentLength, nil
+}
+
+func FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
+	body, err := get200(ctx, "/localapi/v0/file-targets")
+	if err != nil {
+		return nil, err
+	}
+	var fts []apitype.FileTarget
+	if err := json.Unmarshal(body, &fts); err != nil {
+		return nil, fmt.Errorf("invalid JSON: %w", err)
+	}
+	return fts, nil
+}
+
+// PushFile sends Taildrop file r to target.
+//
+// A size of -1 means unknown.
+// The name parameter is the original filename, not escaped.
+func PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
+	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
+	if err != nil {
 		return err
 	}
-	errResp.Status = resp.StatusCode
-	return errResp
+	if size != -1 {
+		req.ContentLength = size
+	}
+	res, err := doLocalRequestNiceError(req)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode == 200 {
+		io.Copy(io.Discard, res.Body)
+		return nil
+	}
+	all, _ := io.ReadAll(res.Body)
+	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
+}
+
+func CheckIPForwarding(ctx context.Context) error {
+	body, err := get200(ctx, "/localapi/v0/check-ip-forwarding")
+	if err != nil {
+		return err
+	}
+	var jres struct {
+		Warning string
+	}
+	if err := json.Unmarshal(body, &jres); err != nil {
+		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
+	}
+	if jres.Warning != "" {
+		return errors.New(jres.Warning)
+	}
+	return nil
+}
+
+func GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
+	body, err := get200(ctx, "/localapi/v0/prefs")
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
+	mpj, err := json.Marshal(mp)
+	if err != nil {
+		return nil, err
+	}
+	body, err := send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func Logout(ctx context.Context) error {
+	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
+	return err
+}
+
+// SetDNS adds a DNS TXT record for the given domain name, containing
+// the provided TXT value. The intended use case is answering
+// LetsEncrypt/ACME dns-01 challenges.
+//
+// The control plane will only permit SetDNS requests with very
+// specific names and values. The name should be
+// "_acme-challenge." + your node's MagicDNS name. It's expected that
+// clients cache the certs from LetsEncrypt (or whichever CA is
+// providing them) and only request new ones as needed; the control plane
+// rate limits SetDNS requests.
+//
+// This is a low-level interface; it's expected that most Tailscale
+// users use a higher level interface to getting/using TLS
+// certificates.
+func SetDNS(ctx context.Context, name, value string) error {
+	v := url.Values{}
+	v.Set("name", name)
+	v.Set("value", value)
+	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
+	return err
+}
+
+// DialTCP connects to the host's port via Tailscale.
+//
+// The host may be a base DNS name (resolved from the netmap inside
+// tailscaled), a FQDN, or an IP address.
+//
+// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
+func DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
+	connCh := make(chan net.Conn, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+	}
+	ctx = httptrace.WithClientTrace(ctx, &trace)
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header = http.Header{
+		"Upgrade":    []string{"ts-dial"},
+		"Connection": []string{"upgrade"},
+		"Dial-Host":  []string{host},
+		"Dial-Port":  []string{fmt.Sprint(port)},
+	}
+	res, err := DoLocalRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != http.StatusSwitchingProtocols {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
+	}
+	// From here on, the underlying net.Conn is ours to use, but there
+	// is still a read buffer attached to it within resp.Body. So, we
+	// must direct I/O through resp.Body, but we can still use the
+	// underlying net.Conn for stuff like deadlines.
+	var switchedConn net.Conn
+	select {
+	case switchedConn = <-connCh:
+	default:
+	}
+	if switchedConn == nil {
+		res.Body.Close()
+		return nil, fmt.Errorf("httptrace didn't provide a connection")
+	}
+	rwc, ok := res.Body.(io.ReadWriteCloser)
+	if !ok {
+		res.Body.Close()
+		return nil, errors.New("http Transport did not provide a writable body")
+	}
+	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
+}
+
+// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
+// It is intended to be used with netcheck to see availability of DERPs.
+func CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
+	var derpMap tailcfg.DERPMap
+	res, err := send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(res, &derpMap); err != nil {
+		return nil, fmt.Errorf("invalid derp map json: %w", err)
+	}
+	return &derpMap, nil
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	res, err := send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	// with ?type=pair, the response PEM is first the one private
+	// key PEM block, then the cert PEM blocks.
+	i := mem.Index(mem.B(res), mem.S("--\n--"))
+	if i == -1 {
+		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
+	}
+	i += len("--\n")
+	keyPEM, certPEM = res[:i], res[i:]
+	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
+		return nil, nil, fmt.Errorf("unexpected output: key in cert")
+	}
+	return certPEM, keyPEM, nil
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// tls.Config.GetCertificate.
+func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if hi == nil || hi.ServerName == "" {
+		return nil, errors.New("no SNI ServerName")
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	name := hi.ServerName
+	if !strings.Contains(name, ".") {
+		if v, ok := ExpandSNIName(ctx, name); ok {
+			name = v
+		}
+	}
+	certPEM, keyPEM, err := CertPair(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, err
+	}
+	return &cert, nil
+}
+
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	st, err := StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", false
+	}
+	for _, d := range st.CertDomains {
+		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
+			return d, true
+		}
+	}
+	return "", false
+}
+
+// tailscaledConnectHint gives a little thing about why tailscaled (or
+// platform equivalent) is not answering localapi connections.
+//
+// It ends in a punctuation. See caller.
+func tailscaledConnectHint() string {
+	if runtime.GOOS != "linux" {
+		// TODO(bradfitz): flesh this out
+		return "not running?"
+	}
+	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
+	if err != nil {
+		return "not running?"
+	}
+	// Parse:
+	// LoadState=loaded
+	// ActiveState=inactive
+	// SubState=dead
+	st := map[string]string{}
+	for _, line := range strings.Split(string(out), "\n") {
+		if k, v, ok := strings.Cut(line, "="); ok {
+			st[k] = strings.TrimSpace(v)
+		}
+	}
+	if st["LoadState"] == "loaded" &&
+		(st["SubState"] != "running" || st["ActiveState"] != "active") {
+		return "systemd tailscaled.service not running."
+	}
+	return "not running?"
 }

cmd/cloner/cloner.go

@@ -22,11 +22,13 @@ import (
 	"os"
 	"strings"
 
+	"golang.org/x/tools/go/packages"
 	"tailscale.com/util/codegen"
 )
 
 var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
+	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
 	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )
@@ -41,18 +43,30 @@ func main() {
 	}
 	typeNames := strings.Split(*flagTypes, ",")
 
-	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
+	cfg := &packages.Config{
+		Mode:  packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedName,
+		Tests: false,
+	}
+	if *flagBuildTags != "" {
+		cfg.BuildFlags = []string{"-tags=" + *flagBuildTags}
+	}
+	pkgs, err := packages.Load(cfg, ".")
 	if err != nil {
 		log.Fatal(err)
 	}
-	it := codegen.NewImportTracker(pkg.Types)
+	if len(pkgs) != 1 {
+		log.Fatalf("wrong number of packages: %d", len(pkgs))
+	}
+	pkg := pkgs[0]
 	buf := new(bytes.Buffer)
+	imports := make(map[string]struct{})
+	namedTypes := codegen.NamedTypes(pkg)
 	for _, typeName := range typeNames {
 		typ, ok := namedTypes[typeName]
 		if !ok {
 			log.Fatalf("could not find type %s", typeName)
 		}
-		gen(buf, it, typ)
+		gen(buf, imports, typ, pkg.Types)
 	}
 
 	w := func(format string, args ...any) {
@@ -79,13 +93,62 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-	cloneOutput := pkg.Name + "_clone.go"
-	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
+
+	contents := new(bytes.Buffer)
+	var flagArgs []string
+	if *flagTypes != "" {
+		flagArgs = append(flagArgs, "-type="+*flagTypes)
+	}
+	if *flagOutput != "" {
+		flagArgs = append(flagArgs, "-output="+*flagOutput)
+	}
+	if *flagBuildTags != "" {
+		flagArgs = append(flagArgs, "-tags="+*flagBuildTags)
+	}
+	if *flagCloneFunc {
+		flagArgs = append(flagArgs, "-clonefunc")
+	}
+	fmt.Fprintf(contents, header, strings.Join(flagArgs, " "), pkg.Name)
+	fmt.Fprintf(contents, "import (\n")
+	for s := range imports {
+		fmt.Fprintf(contents, "\t%q\n", s)
+	}
+	fmt.Fprintf(contents, ")\n\n")
+	contents.Write(buf.Bytes())
+
+	output := *flagOutput
+	if output == "" {
+		flag.Usage()
+		os.Exit(2)
+	}
+	if err := codegen.WriteFormatted(contents.Bytes(), output); err != nil {
 		log.Fatal(err)
 	}
 }
 
-func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
+const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+//` + `go:generate` + ` go run tailscale.com/cmd/cloner %s
+
+package %s
+
+`
+
+func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisPkg *types.Package) {
+	pkgQual := func(pkg *types.Package) string {
+		if thisPkg == pkg {
+			return ""
+		}
+		imports[pkg.Path()] = struct{}{}
+		return pkg.Name()
+	}
+	importedName := func(t types.Type) string {
+		return types.TypeString(t, pkgQual)
+	}
+
 	t, ok := typ.Underlying().(*types.Struct)
 	if !ok {
 		return
@@ -106,11 +169,11 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	for i := 0; i < t.NumFields(); i++ {
 		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
-		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
+		if !codegen.ContainsPointers(ft) {
 			continue
 		}
 		if named, _ := ft.(*types.Named); named != nil {
-			if codegen.IsViewType(ft) {
+			if isViewType(ft) {
 				writef("dst.%s = src.%s", fname, fname)
 				continue
 			}
@@ -122,16 +185,11 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 		switch ft := ft.Underlying().(type) {
 		case *types.Slice:
 			if codegen.ContainsPointers(ft.Elem()) {
-				n := it.QualifiedName(ft.Elem())
+				n := importedName(ft.Elem())
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
-				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
-						writef("\tx := *src.%s[i]", fname)
-						writef("\tdst.%s[i] = &x", fname)
-					} else {
-						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
-					}
+				if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
+					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -144,7 +202,7 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
-			n := it.QualifiedName(ft.Elem())
+			n := importedName(ft.Elem())
 			writef("if dst.%s != nil {", fname)
 			writef("\tdst.%s = new(%s)", fname, n)
 			writef("\t*dst.%s = *src.%s", fname, fname)
@@ -154,9 +212,9 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 			writef("}")
 		case *types.Map:
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(ft.Elem()))
+			writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
 			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
-				n := it.QualifiedName(sliceType.Elem())
+				n := importedName(sliceType.Elem())
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
@@ -179,10 +237,20 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")
 
-	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
+	buf.Write(codegen.AssertStructUnchanged(t, thisPkg, name, "Clone", imports))
+}
+
+func isViewType(typ types.Type) bool {
+	t, ok := typ.Underlying().(*types.Struct)
+	if !ok {
+		return false
+	}
+	if t.NumFields() != 1 {
+		return false
+	}
+	return t.Field(0).Name() == "ж"
 }
 
-// hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
 func hasBasicUnderlying(typ types.Type) bool {
 	switch typ.Underlying().(type) {
 	case *types.Slice, *types.Map:

cmd/nginx-auth/README.md

@@ -117,32 +117,10 @@ header.
 
 The `Tailscale-Tailnet` header can help you identify which tailnet the session
 is coming from. If you are using node sharing, this can help you make sure that
-you aren't giving administrative access to people outside your tailnet.
-
-### Allow Requests From Only One Tailnet
-
-If you want to prevent node sharing from allowing users to access a service, add
-the `Expected-Tailnet` header to your auth request:
-
-```nginx
-location /auth {
-  # ...
-  proxy_set_header Expected-Tailnet "tailscale.com";
-}
-```
-
-If a user from a different tailnet tries to use that service, this will return a
-generic "forbidden" error page:
-
-```html
-<html>
-<head><title>403 Forbidden</title></head>
-<body>
-<center><h1>403 Forbidden</h1></center>
-<hr><center>nginx/1.18.0 (Ubuntu)</center>
-</body>
-</html>
-```
+you aren't giving administrative access to people outside your tailnet. You will
+need to be sure to check this in your application code. If you use OpenResty,
+you may be able to do more complicated access controls than you can with NGINX
+alone.
 
 ## Building
 

cmd/nginx-auth/deb/postinst.sh

@@ -1,14 +0,0 @@
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-	  deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
-	  if deb-systemd-helper --quiet was-enabled 'tailscale.nginx-auth.socket'; then
-		    deb-systemd-helper enable 'tailscale.nginx-auth.socket' >/dev/null || true
-	  else
-		    deb-systemd-helper update-state 'tailscale.nginx-auth.socket' >/dev/null || true
-	  fi
-
-    if systemctl is-active tailscale.nginx-auth.socket >/dev/null; then
-        systemctl --system daemon-reload >/dev/null || true
-        deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
-        deb-systemd-invoke restart 'tailscale.nginx-auth.socket' >/dev/null || true
-    fi
-fi

cmd/nginx-auth/deb/postrm.sh

@@ -1,19 +0,0 @@
-#!/bin/sh
-set -e
-if [ -d /run/systemd/system ] ; then
-	  systemctl --system daemon-reload >/dev/null || true
-fi
-
-if [ -x "/usr/bin/deb-systemd-helper" ]; then
-    if [ "$1" = "remove" ]; then
-		    deb-systemd-helper mask 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper mask 'tailscale.nginx-auth.service' >/dev/null || true
-	  fi
-
-    if [ "$1" = "purge" ]; then
-		    deb-systemd-helper purge 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper purge 'tailscale.nginx-auth.service' >/dev/null || true
-		    deb-systemd-helper unmask 'tailscale.nginx-auth.service' >/dev/null || true
-	  fi
-fi

cmd/nginx-auth/deb/prerm.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-if [ "$1" = "remove" ]; then
-	  if [ -d /run/systemd/system ]; then
-		    deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
-		    deb-systemd-invoke stop 'tailscale.nginx-auth.socket' >/dev/null || true
-	  fi
-fi

cmd/nginx-auth/mkdeb.sh

@@ -4,28 +4,20 @@ set -e
 
 CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .
 
-VERSION=0.1.1
-
 mkpkg \
-    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
+    --out tailscale-nginx-auth-0.1.0-amd64.deb \
     --name=tailscale-nginx-auth \
-    --version=${VERSION} \
-    --type=deb \
+    --version=0.1.0 \
+    --type=deb\
     --arch=amd64 \
-    --postinst=deb/postinst.sh \
-    --postrm=deb/postrm.sh \
-    --prerm=deb/prerm.sh \
     --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service
 
 mkpkg \
-    --out=tailscale-nginx-auth-${VERSION}-amd64.rpm \
+    --out tailscale-nginx-auth-0.1.0-amd64.rpm \
     --name=tailscale-nginx-auth \
-    --version=${VERSION} \
+    --version=0.1.0 \
     --type=rpm \
     --arch=amd64 \
-    --postinst=rpm/postinst.sh \
-    --postrm=rpm/postrm.sh \
-    --prerm=rpm/prerm.sh \
     --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service

cmd/nginx-auth/nginx-auth.go

@@ -17,7 +17,6 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
-	"net/url"
 	"os"
 	"strings"
 
@@ -76,12 +75,6 @@ func main() {
 			return
 		}
 
-		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
-			w.WriteHeader(http.StatusForbidden)
-			log.Printf("user is part of tailnet %s, wanted: %s", tailnet, url.QueryEscape(expectedTailnet))
-			return
-		}
-
 		h := w.Header()
 		h.Set("Tailscale-Login", strings.Split(info.UserProfile.LoginName, "@")[0])
 		h.Set("Tailscale-User", info.UserProfile.LoginName)

cmd/nginx-auth/rpm/postrm.sh

@@ -1,9 +0,0 @@
-# $1 == 0 for uninstallation.
-# $1 == 1 for removing old package during upgrade.
-
-systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
-    # Package upgrade, not uninstall
-    systemctl stop tailscale.nginx-auth.service >/dev/null 2>&1 || :
-    systemctl try-restart tailscale.nginx-auth.socket >/dev/null 2>&1 || :
-fi

cmd/nginx-auth/rpm/prerm.sh

@@ -1,9 +0,0 @@
-# $1 == 0 for uninstallation.
-# $1 == 1 for removing old package during upgrade.
-
-if [ $1 -eq 0 ] ; then
-    # Package removal, not upgrade
-    systemctl --no-reload disable tailscale.nginx-auth.socket > /dev/null 2>&1 || :
-    systemctl stop tailscale.nginx-auth.socket > /dev/null 2>&1 || :
-    systemctl stop tailscale.nginx-auth.service > /dev/null 2>&1 || :
-fi

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -62,12 +62,6 @@ func main() {
 		Hostname: *hostname,
 	}
 
-	// TODO(bradfitz,maisem): move this to a method on tsnet.Server probably.
-	if err := ts.Start(); err != nil {
-		log.Fatalf("Error starting tsnet.Server: %v", err)
-	}
-	localClient, _ := ts.LocalClient()
-
 	url, err := url.Parse(fmt.Sprintf("http://%s", *backendAddr))
 	if err != nil {
 		log.Fatalf("couldn't parse backend address: %v", err)
@@ -77,7 +71,7 @@ func main() {
 	originalDirector := proxy.Director
 	proxy.Director = func(req *http.Request) {
 		originalDirector(req)
-		modifyRequest(req, localClient)
+		modifyRequest(req)
 	}
 
 	var ln net.Listener
@@ -90,14 +84,13 @@ func main() {
 		go func() {
 			// wait for tailscale to start before trying to fetch cert names
 			for i := 0; i < 60; i++ {
-				st, err := localClient.Status(context.Background())
+				st, err := tailscale.Status(context.Background())
 				if err != nil {
-					log.Printf("error retrieving tailscale status; retrying: %v", err)
-				} else {
-					log.Printf("tailscale status: %v", st.BackendState)
-					if st.BackendState == "Running" {
-						break
-					}
+					log.Fatal(err)
+				}
+				log.Printf("tailscale status: %v", st.BackendState)
+				if st.BackendState == "Running" {
+					break
 				}
 				time.Sleep(time.Second)
 			}
@@ -106,7 +99,7 @@ func main() {
 			if err != nil {
 				log.Fatal(err)
 			}
-			name, ok := localClient.ExpandSNIName(context.Background(), *hostname)
+			name, ok := tailscale.ExpandSNIName(context.Background(), *hostname)
 			if !ok {
 				log.Fatalf("can't get hostname for https redirect")
 			}
@@ -126,14 +119,14 @@ func main() {
 	log.Fatal(http.Serve(ln, proxy))
 }
 
-func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
+func modifyRequest(req *http.Request) {
 	// with enable_login_token set to true, we get a cookie that handles
 	// auth for paths that are not /login
 	if req.URL.Path != "/login" {
 		return
 	}
 
-	user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
+	user, err := getTailscaleUser(req.Context(), req.RemoteAddr)
 	if err != nil {
 		log.Printf("error getting Tailscale user: %v", err)
 		return
@@ -143,8 +136,8 @@ func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
 	req.Header.Set("X-Webauth-Name", user.DisplayName)
 }
 
-func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, ipPort string) (*tailcfg.UserProfile, error) {
-	whois, err := localClient.WhoIs(ctx, ipPort)
+func getTailscaleUser(ctx context.Context, ipPort string) (*tailcfg.UserProfile, error) {
+	whois, err := tailscale.WhoIs(ctx, ipPort)
 	if err != nil {
 		return nil, fmt.Errorf("failed to identify remote host: %w", err)
 	}

cmd/tailscale/cli/bugreport.go

@@ -9,6 +9,7 @@ import (
 	"errors"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )
 
 var bugReportCmd = &ffcli.Command{
@@ -27,7 +28,7 @@ func runBugReport(ctx context.Context, args []string) error {
 	default:
 		return errors.New("unknown argumets")
 	}
-	logMarker, err := localClient.BugReport(ctx, note)
+	logMarker, err := tailscale.BugReport(ctx, note)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/cert.go

@@ -50,7 +50,7 @@ func runCert(ctx context.Context, args []string) error {
 			},
 			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
-					if v, ok := localClient.ExpandSNIName(r.Context(), r.Host); ok {
+					if v, ok := tailscale.ExpandSNIName(r.Context(), r.Host); ok {
 						http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
 						return
 					}
@@ -64,7 +64,7 @@ func runCert(ctx context.Context, args []string) error {
 
 	if len(args) != 1 {
 		var hint bytes.Buffer
-		if st, err := localClient.Status(ctx); err == nil {
+		if st, err := tailscale.Status(ctx); err == nil {
 			if st.BackendState != ipn.Running.String() {
 				fmt.Fprintf(&hint, "\nTailscale is not running.\n")
 			} else if len(st.CertDomains) == 0 {

cmd/tailscale/cli/cli.go

@@ -125,8 +125,6 @@ func CleanUpArgs(args []string) []string {
 	return out
 }
 
-var localClient tailscale.LocalClient
-
 // Run runs the CLI. The args do not include the binary name.
 func Run(args []string) (err error) {
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
@@ -195,10 +193,10 @@ change in the future.
 		return err
 	}
 
-	localClient.Socket = rootArgs.socket
+	tailscale.TailscaledSocket = rootArgs.socket
 	rootfs.Visit(func(f *flag.Flag) {
 		if f.Name == "socket" {
-			localClient.UseSocketOnly = true
+			tailscale.TailscaledSocketSetExplicitly = true
 		}
 	})
 

cmd/tailscale/cli/cli_test.go

@@ -664,11 +664,11 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a::bb:10.0.0.0/112",
-				netfilterMode:   "off",
+				netfilterMode: "off",
 			},
 			want: &ipn.Prefs{
-				WantRunning: true,
-				NoSNAT:      true,
+				WantRunning:   true,
+				NoSNAT:        true,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
@@ -679,7 +679,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a::/64",
-				netfilterMode:   "off",
+				netfilterMode: "off",
 			},
 			wantErr: "fd7a:115c:a1e0:b1a::/64 4-in-6 prefix must be at least a /96",
 		},
@@ -688,7 +688,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
-				netfilterMode:   "off",
+				netfilterMode: "off",
 			},
 			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
 		},

cmd/tailscale/cli/debug.go

@@ -8,7 +8,6 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -22,10 +21,9 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
-	"tailscale.com/net/tsaddr"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 )
@@ -68,11 +66,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runEnv,
 			ShortHelp: "print cmd/tailscale environment",
 		},
-		{
-			Name:      "stat",
-			Exec:      runStat,
-			ShortHelp: "stat a file",
-		},
 		{
 			Name:      "hostinfo",
 			Exec:      runHostinfo,
@@ -113,11 +106,6 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
-		{
-			Name:      "via",
-			Exec:      runVia,
-			ShortHelp: "convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
-		},
 	},
 }
 
@@ -154,7 +142,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.cpuFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
-		if v, err := localClient.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
+		if v, err := tailscale.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -166,7 +154,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.memFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing memory profile ...")
-		if v, err := localClient.Profile(ctx, "heap", 0); err != nil {
+		if v, err := tailscale.Profile(ctx, "heap", 0); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -178,7 +166,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if debugArgs.file != "" {
 		usedFlag = true // TODO(bradfitz): add "file" subcommand
 		if debugArgs.file == "get" {
-			wfs, err := localClient.WaitingFiles(ctx)
+			wfs, err := tailscale.WaitingFiles(ctx)
 			if err != nil {
 				fatalf("%v\n", err)
 			}
@@ -189,9 +177,9 @@ func runDebug(ctx context.Context, args []string) error {
 		}
 		delete := strings.HasPrefix(debugArgs.file, "delete:")
 		if delete {
-			return localClient.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
+			return tailscale.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
 		}
-		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
+		rc, size, err := tailscale.GetWaitingFile(ctx, debugArgs.file)
 		if err != nil {
 			return err
 		}
@@ -226,7 +214,7 @@ var prefsArgs struct {
 }
 
 func runPrefs(ctx context.Context, args []string) error {
-	prefs, err := localClient.GetPrefs(ctx)
+	prefs, err := tailscale.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -260,7 +248,7 @@ func runWatchIPN(ctx context.Context, args []string) error {
 }
 
 func runDERPMap(ctx context.Context, args []string) error {
-	dm, err := localClient.CurrentDERPMap(ctx)
+	dm, err := tailscale.CurrentDERPMap(ctx)
 	if err != nil {
 		return fmt.Errorf(
 			"failed to get local derp map, instead `curl %s/derpmap/default`: %w", ipn.DefaultControlURL, err,
@@ -277,7 +265,7 @@ func localAPIAction(action string) func(context.Context, []string) error {
 		if len(args) > 0 {
 			return errors.New("unexpected arguments")
 		}
-		return localClient.DebugAction(ctx, action)
+		return tailscale.DebugAction(ctx, action)
 	}
 }
 
@@ -288,28 +276,6 @@ func runEnv(ctx context.Context, args []string) error {
 	return nil
 }
 
-func runStat(ctx context.Context, args []string) error {
-	for _, a := range args {
-		fi, err := os.Lstat(a)
-		if err != nil {
-			fmt.Printf("%s: %v\n", a, err)
-			continue
-		}
-		fmt.Printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
-		if fi.IsDir() {
-			ents, _ := os.ReadDir(a)
-			for i, ent := range ents {
-				if i == 25 {
-					fmt.Printf("  ...\n")
-					break
-				}
-				fmt.Printf("  - %s\n", ent.Name())
-			}
-		}
-	}
-	return nil
-}
-
 func runHostinfo(ctx context.Context, args []string) error {
 	hi := hostinfo.New()
 	j, _ := json.MarshalIndent(hi, "", "  ")
@@ -318,7 +284,7 @@ func runHostinfo(ctx context.Context, args []string) error {
 }
 
 func runDaemonGoroutines(ctx context.Context, args []string) error {
-	goroutines, err := localClient.Goroutines(ctx)
+	goroutines, err := tailscale.Goroutines(ctx)
 	if err != nil {
 		return err
 	}
@@ -333,7 +299,7 @@ var metricsArgs struct {
 func runDaemonMetrics(ctx context.Context, args []string) error {
 	last := map[string]int64{}
 	for {
-		out, err := localClient.DaemonMetrics(ctx)
+		out, err := tailscale.DaemonMetrics(ctx)
 		if err != nil {
 			return err
 		}
@@ -382,46 +348,3 @@ func runDaemonMetrics(ctx context.Context, args []string) error {
 		time.Sleep(time.Second)
 	}
 }
-
-func runVia(ctx context.Context, args []string) error {
-	switch len(args) {
-	default:
-		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
-	case 1:
-		ipp, err := netaddr.ParseIPPrefix(args[0])
-		if err != nil {
-			return err
-		}
-		if !ipp.IP().Is6() {
-			return errors.New("with one argument, expect an IPv6 CIDR")
-		}
-		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
-			return errors.New("not a via route")
-		}
-		if ipp.Bits() < 96 {
-			return errors.New("short length, want /96 or more")
-		}
-		v4 := tsaddr.UnmapVia(ipp.IP())
-		a := ipp.IP().As16()
-		siteID := binary.BigEndian.Uint32(a[8:12])
-		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
-	case 2:
-		siteID, err := strconv.ParseUint(args[0], 0, 32)
-		if err != nil {
-			return fmt.Errorf("invalid site-id %q; must be decimal or hex with 0x prefix", args[0])
-		}
-		if siteID > 0xff {
-			return fmt.Errorf("site-id values over 255 are currently reserved")
-		}
-		ipp, err := netaddr.ParseIPPrefix(args[1])
-		if err != nil {
-			return err
-		}
-		via, err := tsaddr.MapVia(uint32(siteID), ipp)
-		if err != nil {
-			return err
-		}
-		fmt.Println(via)
-	}
-	return nil
-}

cmd/tailscale/cli/down.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 )
 
@@ -25,7 +26,7 @@ func runDown(ctx context.Context, args []string) error {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
 
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fmt.Errorf("error fetching current status: %w", err)
 	}
@@ -33,7 +34,7 @@ func runDown(ctx context.Context, args []string) error {
 		fmt.Fprintf(Stderr, "Tailscale was already stopped.\n")
 		return nil
 	}
-	_, err = localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
+	_, err = tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
 			WantRunning: false,
 		},

cmd/tailscale/cli/file.go

@@ -24,6 +24,7 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
 	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -156,7 +157,7 @@ func runCp(ctx context.Context, args []string) error {
 		if cpArgs.verbose {
 			log.Printf("sending %q to %v/%v/%v ...", name, target, ip, stableID)
 		}
-		err := localClient.PushFile(ctx, stableID, contentLength, name, fileContents)
+		err := tailscale.PushFile(ctx, stableID, contentLength, name, fileContents)
 		if err != nil {
 			return err
 		}
@@ -172,7 +173,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 	if err != nil {
 		return "", false, err
 	}
-	fts, err := localClient.FileTargets(ctx)
+	fts, err := tailscale.FileTargets(ctx)
 	if err != nil {
 		return "", false, err
 	}
@@ -193,7 +194,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 // invalid file sharing target.
 func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
 	found := false
-	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
+	if st, err := tailscale.Status(ctx); err == nil && st.Self != nil {
 		for _, peer := range st.Peer {
 			for _, pip := range peer.TailscaleIPs {
 				if pip == ip {
@@ -260,7 +261,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("invalid arguments with --targets")
 	}
-	fts, err := localClient.FileTargets(ctx)
+	fts, err := tailscale.FileTargets(ctx)
 	if err != nil {
 		return err
 	}
@@ -384,7 +385,7 @@ func openFileOrSubstitute(dir, base string, action onConflict) (*os.File, error)
 }
 
 func receiveFile(ctx context.Context, wf apitype.WaitingFile, dir string) (targetFile string, size int64, err error) {
-	rc, size, err := localClient.GetWaitingFile(ctx, wf.Name)
+	rc, size, err := tailscale.GetWaitingFile(ctx, wf.Name)
 	if err != nil {
 		return "", 0, fmt.Errorf("opening inbox file %q: %w", wf.Name, err)
 	}
@@ -406,7 +407,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 	var err error
 	var errs []error
 	for len(errs) == 0 {
-		wfs, err = localClient.WaitingFiles(ctx)
+		wfs, err = tailscale.WaitingFiles(ctx)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("getting WaitingFiles: %w", err))
 			break
@@ -427,7 +428,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 		if len(errs) > 100 {
 			// Likely, everything is broken.
 			// Don't try to receive any more files in this batch.
-			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs)-i))
+			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs) - i))
 			break
 		}
 		writtenFile, size, err := receiveFile(ctx, wf, dir)
@@ -438,7 +439,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 		if getArgs.verbose {
 			printf("wrote %v as %v (%d bytes)\n", wf.Name, writtenFile, size)
 		}
-		if err = localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
+		if err = tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
 			errs = append(errs, fmt.Errorf("deleting %q from inbox: %v", wf.Name, err))
 			continue
 		}
@@ -502,7 +503,7 @@ func wipeInbox(ctx context.Context) error {
 	if getArgs.wait {
 		return errors.New("can't use --wait with /dev/null target")
 	}
-	wfs, err := localClient.WaitingFiles(ctx)
+	wfs, err := tailscale.WaitingFiles(ctx)
 	if err != nil {
 		return fmt.Errorf("getting WaitingFiles: %w", err)
 	}
@@ -511,7 +512,7 @@ func wipeInbox(ctx context.Context) error {
 		if getArgs.verbose {
 			log.Printf("deleting %v ...", wf.Name)
 		}
-		if err := localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
+		if err := tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
 			return fmt.Errorf("deleting %q: %v", wf.Name, err)
 		}
 		deleted++

cmd/tailscale/cli/id-token.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )
 
 var idTokenCmd = &ffcli.Command{
@@ -24,7 +25,7 @@ func runIDToken(ctx context.Context, args []string) error {
 		return errors.New("usage: id-token <aud>")
 	}
 
-	tr, err := localClient.IDToken(ctx, args[0])
+	tr, err := tailscale.IDToken(ctx, args[0])
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/ip.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn/ipnstate"
 )
 
@@ -58,7 +59,7 @@ func runIP(ctx context.Context, args []string) error {
 	if !v4 && !v6 {
 		v4, v6 = true, true
 	}
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/logout.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )
 
 var logoutCmd = &ffcli.Command{
@@ -29,5 +30,5 @@ func runLogout(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
-	return localClient.Logout(ctx)
+	return tailscale.Logout(ctx)
 }

cmd/tailscale/cli/nc.go

@@ -13,6 +13,7 @@ import (
 	"strconv"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 )
 
 var ncCmd = &ffcli.Command{
@@ -23,7 +24,7 @@ var ncCmd = &ffcli.Command{
 }
 
 func runNC(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -44,7 +45,7 @@ func runNC(ctx context.Context, args []string) error {
 	}
 
 	// TODO(bradfitz): also add UDP too, via flag?
-	c, err := localClient.DialTCP(ctx, hostOrIP, uint16(port))
+	c, err := tailscale.DialTCP(ctx, hostOrIP, uint16(port))
 	if err != nil {
 		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, port, err)
 	}

cmd/tailscale/cli/netcheck.go

@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
@@ -62,7 +63,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		fmt.Fprintln(Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}
 
-	dm, err := localClient.CurrentDERPMap(ctx)
+	dm, err := tailscale.CurrentDERPMap(ctx)
 	noRegions := dm != nil && len(dm.Regions) == 0
 	if noRegions {
 		log.Printf("No DERP map from tailscaled; using default.")

cmd/tailscale/cli/ping.go

@@ -16,9 +16,9 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
 )
 
 var pingCmd = &ffcli.Command{
@@ -27,7 +27,7 @@ var pingCmd = &ffcli.Command{
 	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
 	LongHelp: strings.TrimSpace(`
 
-The 'tailscale ping' command pings a peer node from the Tailscale layer
+The 'tailscale ping' command pings a peer node at the Tailscale layer
 and reports which route it took for each response. The first ping or
 so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
 traversal finds a direct path through.
@@ -49,8 +49,7 @@ relay node.
 		fs := newFlagSet("ping")
 		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
 		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
-		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
-		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
+		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through IP + wireguard, but not involving host OS stack)")
 		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
 		return fs
@@ -62,22 +61,11 @@ var pingArgs struct {
 	untilDirect bool
 	verbose     bool
 	tsmp        bool
-	icmp        bool
 	timeout     time.Duration
 }
 
-func pingType() tailcfg.PingType {
-	if pingArgs.tsmp {
-		return tailcfg.PingTSMP
-	}
-	if pingArgs.icmp {
-		return tailcfg.PingICMP
-	}
-	return tailcfg.PingDisco
-}
-
 func runPing(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -87,10 +75,24 @@ func runPing(ctx context.Context, args []string) error {
 		os.Exit(1)
 	}
 
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
 	if len(args) != 1 || args[0] == "" {
 		return errors.New("usage: ping <hostname-or-IP>")
 	}
 	var ip string
+	prc := make(chan *ipnstate.PingResult, 1)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			fatalf("Notify.ErrMessage: %v", *n.ErrMessage)
+		}
+		if pr := n.PingResult; pr != nil && pr.IP == ip {
+			prc <- pr
+		}
+	})
+	pumpErr := make(chan error, 1)
+	go func() { pumpErr <- pump(ctx, bc, c) }()
 
 	hostOrIP := args[0]
 	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
@@ -110,47 +112,48 @@ func runPing(ctx context.Context, args []string) error {
 	anyPong := false
 	for {
 		n++
-		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netaddr.MustParseIP(ip), pingType())
-		cancel()
-		if err != nil {
-			if errors.Is(err, context.DeadlineExceeded) {
-				printf("ping %q timed out\n", ip)
-				continue
-			}
+		bc.Ping(ip, pingArgs.tsmp)
+		timer := time.NewTimer(pingArgs.timeout)
+		select {
+		case <-timer.C:
+			printf("timeout waiting for ping reply\n")
+		case err := <-pumpErr:
 			return err
-		}
-		if pr.Err != "" {
-			if pr.IsLocalIP {
-				outln(pr.Err)
+		case pr := <-prc:
+			timer.Stop()
+			if pr.Err != "" {
+				if pr.IsLocalIP {
+					outln(pr.Err)
+					return nil
+				}
+				return errors.New(pr.Err)
+			}
+			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
+			via := pr.Endpoint
+			if pr.DERPRegionID != 0 {
+				via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
+			}
+			if pingArgs.tsmp {
+				// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
+				// For now just say it came via TSMP.
+				via = "TSMP"
+			}
+			anyPong = true
+			extra := ""
+			if pr.PeerAPIPort != 0 {
+				extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
+			}
+			printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
+			if pingArgs.tsmp {
 				return nil
 			}
-			return errors.New(pr.Err)
+			if pr.Endpoint != "" && pingArgs.untilDirect {
+				return nil
+			}
+			time.Sleep(time.Second)
+		case <-ctx.Done():
+			return ctx.Err()
 		}
-		latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
-		via := pr.Endpoint
-		if pr.DERPRegionID != 0 {
-			via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
-		}
-		if via == "" {
-			// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
-			// For now just say which protocol it used.
-			via = string(pingType())
-		}
-		anyPong = true
-		extra := ""
-		if pr.PeerAPIPort != 0 {
-			extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
-		}
-		printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
-		if pingArgs.tsmp || pingArgs.icmp {
-			return nil
-		}
-		if pr.Endpoint != "" && pingArgs.untilDirect {
-			return nil
-		}
-		time.Sleep(time.Second)
-
 		if n == pingArgs.num {
 			if !anyPong {
 				return errors.New("no reply")
@@ -170,7 +173,7 @@ func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, self b
 	}
 
 	// Otherwise, try to resolve it first from the network peer list.
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return "", false, err
 	}

cmd/tailscale/cli/ssh.go

@@ -18,8 +18,10 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/alessio/shellescape"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 )
@@ -46,7 +48,7 @@ func runSSH(ctx context.Context, args []string) error {
 		username = lu.Username
 	}
 
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return err
 	}
@@ -74,52 +76,34 @@ func runSSH(ctx context.Context, args []string) error {
 		return err
 	}
 
-	argv := []string{ssh}
+	argv := append([]string{
+		ssh,
 
-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		argv = append(argv, "-vvv")
-	}
-	argv = append(argv,
-		// Only trust SSH hosts that we know about.
-		"-o", fmt.Sprintf("UserKnownHostsFile %q", knownHostsFile),
-		"-o", "UpdateHostKeys no",
-		"-o", "StrictHostKeyChecking yes",
-	)
+		"-o", fmt.Sprintf("UserKnownHostsFile %s",
+			shellescape.Quote(knownHostsFile),
+		),
+		"-o", fmt.Sprintf("ProxyCommand %s --socket=%s nc %%h %%p",
+			shellescape.Quote(tailscaleBin),
+			shellescape.Quote(rootArgs.socket),
+		),
 
-	// TODO(bradfitz): nc is currently broken on macOS:
-	// https://github.com/tailscale/tailscale/issues/4529
-	// So don't use it for now. MagicDNS is usually working on macOS anyway
-	// and they're not in userspace mode, so 'nc' isn't very useful.
-	if runtime.GOOS != "darwin" {
-		argv = append(argv,
-			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
-				tailscaleBin,
-				rootArgs.socket,
-			))
-	}
-
-	// Explicitly rebuild the user@host argument rather than
-	// passing it through.  In general, the use of OpenSSH's ssh
-	// binary is a crutch for now.  We don't want to be
-	// Hyrum-locked into passing through all OpenSSH flags to the
-	// OpenSSH client forever. We try to make our flags and args
-	// be compatible, but only a subset. The "tailscale ssh"
-	// command should be a simple and portable one. If they want
-	// to use a different one, we'll later be making stock ssh
-	// work well by default too. (doing things like automatically
-	// setting known_hosts, etc)
-	argv = append(argv, username+"@"+hostForSSH)
-
-	argv = append(argv, argRest...)
-
-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		log.Printf("Running: %q, %q ...", ssh, argv)
-	}
+		// Explicitly rebuild the user@host argument rather than
+		// passing it through.  In general, the use of OpenSSH's ssh
+		// binary is a crutch for now.  We don't want to be
+		// Hyrum-locked into passing through all OpenSSH flags to the
+		// OpenSSH client forever. We try to make our flags and args
+		// be compatible, but only a subset. The "tailscale ssh"
+		// command should be a simple and portable one. If they want
+		// to use a different one, we'll later be making stock ssh
+		// work well by default too. (doing things like automatically
+		// setting known_hosts, etc)
+		username + "@" + hostForSSH,
+	}, argRest...)
 
 	if runtime.GOOS == "windows" {
 		// Don't use syscall.Exec on Windows.
 		cmd := exec.Command(ssh, argv[1:]...)
-		cmd.Stdin = os.Stdin
+		cmd.Stderr = os.Stderr
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		var ee *exec.ExitError
@@ -130,6 +114,9 @@ func runSSH(ctx context.Context, args []string) error {
 		return err
 	}
 
+	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
+		log.Printf("Running: %q, %q ...", ssh, argv)
+	}
 	if err := syscall.Exec(ssh, argv, os.Environ()); err != nil {
 		return err
 	}

cmd/tailscale/cli/status.go

@@ -19,6 +19,7 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
 	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -72,9 +73,9 @@ func runStatus(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unexpected non-flag arguments to 'tailscale status'")
 	}
-	getStatus := localClient.Status
+	getStatus := tailscale.Status
 	if !statusArgs.peers {
-		getStatus = localClient.StatusWithoutPeers
+		getStatus = tailscale.StatusWithoutPeers
 	}
 	st, err := getStatus(ctx)
 	if err != nil {
@@ -114,7 +115,7 @@ func runStatus(ctx context.Context, args []string) error {
 				http.NotFound(w, r)
 				return
 			}
-			st, err := localClient.Status(ctx)
+			st, err := tailscale.Status(ctx)
 			if err != nil {
 				http.Error(w, err.Error(), 500)
 				return

cmd/tailscale/cli/up.go

@@ -24,6 +24,8 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
 	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -51,7 +53,7 @@ down").
 If flags are specified, the flags must be the complete set of desired
 settings. An error is returned if any setting would be changed as a
 result of an unspecified flag's default value, unless the --reset flag
-is also used. (The flags --auth-key, --force-reauth, and --qr are not
+is also used. (The flags --authkey, --force-reauth, and --qr are not
 considered settings that need to be re-specified when modifying
 settings.)
 `),
@@ -98,7 +100,9 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
-	upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
+	if envknob.UseWIPCode() || inTest() {
+		upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
+	}
 	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
 	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
@@ -405,7 +409,7 @@ func runUp(ctx context.Context, args []string) error {
 		fatalf("too many non-flag arguments: %q", args)
 	}
 
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -446,12 +450,12 @@ func runUp(ctx context.Context, args []string) error {
 	}
 
 	if len(prefs.AdvertiseRoutes) > 0 {
-		if err := localClient.CheckIPForwarding(context.Background()); err != nil {
+		if err := tailscale.CheckIPForwarding(context.Background()); err != nil {
 			warnf("%v", err)
 		}
 	}
 
-	curPrefs, err := localClient.GetPrefs(ctx)
+	curPrefs, err := tailscale.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -470,7 +474,7 @@ func runUp(ctx context.Context, args []string) error {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		_, err := localClient.EditPrefs(ctx, justEditMP)
+		_, err := tailscale.EditPrefs(ctx, justEditMP)
 		return err
 	}
 
@@ -581,7 +585,7 @@ func runUp(ctx context.Context, args []string) error {
 	// Special case: bare "tailscale up" means to just start
 	// running, if there's ever been a login.
 	if simpleUp {
-		_, err := localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
+		_, err := tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
 			Prefs: ipn.Prefs{
 				WantRunning: true,
 			},
@@ -591,10 +595,6 @@ func runUp(ctx context.Context, args []string) error {
 			return err
 		}
 	} else {
-		if err := localClient.CheckPrefs(ctx, prefs); err != nil {
-			return err
-		}
-
 		authKey, err := upArgs.getAuthKey()
 		if err != nil {
 			return err

cmd/tailscale/cli/version.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/version"
 )
 
@@ -40,7 +41,7 @@ func runVersion(ctx context.Context, args []string) error {
 
 	printf("Client: %s\n", version.String())
 
-	st, err := localClient.StatusWithoutPeers(ctx)
+	st, err := tailscale.StatusWithoutPeers(ctx)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/web.go

@@ -28,6 +28,7 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
@@ -317,7 +318,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
-		prefs, err := localClient.GetPrefs(r.Context())
+		prefs, err := tailscale.GetPrefs(r.Context())
 		if err != nil && !postData.Reauthenticate {
 			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
@@ -347,12 +348,12 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	st, err := localClient.Status(r.Context())
+	st, err := tailscale.Status(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	prefs, err := localClient.GetPrefs(r.Context())
+	prefs, err := tailscale.GetPrefs(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -405,7 +406,7 @@ func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authU
 		prefs.NetfilterMode = preftype.NetfilterOff
 	}
 
-	st, err := localClient.Status(ctx)
+	st, err := tailscale.Status(ctx)
 	if err != nil {
 		return "", fmt.Errorf("can't fetch status: %v", err)
 	}

cmd/tailscale/depaware.txt

@@ -1,5 +1,6 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
 
+        github.com/alessio/shellescape                               from tailscale.com/cmd/tailscale/cli
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy

cmd/tailscaled/depaware.txt

@@ -82,8 +82,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
         github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
         github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
-  LD    github.com/kr/fs                                             from github.com/pkg/sftp
    L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
    L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
@@ -91,8 +89,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
    W    github.com/pkg/errors                                        from github.com/tailscale/certstore
-  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
-  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
    W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
   LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
   LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
@@ -235,7 +231,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
         tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
+  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/wgengine/netstack
         tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
@@ -265,7 +261,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
         tailscale.com/util/multierr                                  from tailscale.com/cmd/tailscaled+
         tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
         tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
@@ -275,7 +270,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
         tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
    W 💣 tailscale.com/util/winutil/vss                               from tailscale.com/util/winutil
-        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/version                                        from tailscale.com/client/tailscale+
         tailscale.com/version/distro                                 from tailscale.com/cmd/tailscaled+
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
@@ -303,7 +298,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
+  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -323,7 +318,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
    W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
    W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
    W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
         golang.org/x/term                                            from tailscale.com/logpolicy
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna

cmd/tailscaled/ssh.go

@@ -1,11 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux || darwin
-// +build linux darwin
-
-package main
-
-// Force registration of tailssh with LocalBackend.
-import _ "tailscale.com/ssh/tailssh"

cmd/tailscaled/tailscaled.go

@@ -332,7 +332,6 @@ func run() error {
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)
 
 	dialer := new(tsdial.Dialer) // mutated below (before used)
-	dialer.Logf = logf
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
@@ -342,7 +341,7 @@ func run() error {
 	}
 	if debugMux != nil {
 		if ig, ok := e.(wgengine.InternalsGetter); ok {
-			if _, mc, _, ok := ig.GetInternals(); ok {
+			if _, mc, ok := ig.GetInternals(); ok {
 				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
 			}
 		}
@@ -395,7 +394,6 @@ func run() error {
 	// want to keep running.
 	signal.Ignore(syscall.SIGPIPE)
 	go func() {
-		defer dialer.Close()
 		select {
 		case s := <-interrupt:
 			logf("tailscaled got signal %v; shutting down", s)
@@ -566,11 +564,11 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 }
 
 func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
-	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
+	tunDev, magicConn, ok := e.(wgengine.InternalsGetter).GetInternals()
 	if !ok {
 		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
 	}
-	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
+	return netstack.Create(logf, tunDev, e, magicConn, dialer)
 }
 
 // mustStartProxyListeners creates listeners for local SOCKS and HTTP

cmd/tailscaled/tailscaled_windows.go

@@ -30,7 +30,6 @@ import (
 
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
-	"golang.org/x/sys/windows/svc/eventlog"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
 	"tailscale.com/envknob"
@@ -61,31 +60,12 @@ func isWindowsService() bool {
 	return v
 }
 
-// syslogf is a logger function that writes to the Windows event log (ie, the
-// one that you see in the Windows Event Viewer). tailscaled may optionally
-// generate diagnostic messages in the same event timeline as the Windows
-// Service Control Manager to assist with diagnosing issues with tailscaled's
-// lifetime (such as slow shutdowns).
-var syslogf logger.Logf = logger.Discard
-
 // runWindowsService starts running Tailscale under the Windows
 // Service environment.
 //
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
-	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
-		syslog, err := eventlog.Open(serviceName)
-		if err == nil {
-			syslogf = func(format string, args ...any) {
-				syslog.Info(0, fmt.Sprintf(format, args...))
-			}
-			defer syslog.Close()
-		}
-	}
-
-	syslogf("Service entering svc.Run")
-	defer syslogf("Service exiting svc.Run")
 	return svc.Run(serviceName, &ipnService{Policy: pol})
 }
 
@@ -95,10 +75,7 @@ type ipnService struct {
 
 // Called by Windows to execute the windows service.
 func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) {
-	defer syslogf("SvcStopped notification imminent")
-
 	changes <- svc.Status{State: svc.StartPending}
-	syslogf("Service start pending")
 
 	svcAccepts := svc.AcceptStop
 	if winutil.GetPolicyInteger("FlushDNSOnSessionUnlock", 0) != 0 {
@@ -121,29 +98,26 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	}()
 
 	changes <- svc.Status{State: svc.Running, Accepts: svcAccepts}
-	syslogf("Service running")
 
-	for {
+	for ctx.Err() == nil {
 		select {
 		case <-doneCh:
-			return false, windows.NO_ERROR
 		case cmd := <-r:
 			log.Printf("Got Windows Service event: %v", cmdName(cmd.Cmd))
 			switch cmd.Cmd {
 			case svc.Stop:
-				changes <- svc.Status{State: svc.StopPending}
-				syslogf("Service stop pending")
-				cancel() // so BabysitProc will kill the child process
+				cancel()
 			case svc.Interrogate:
-				syslogf("Service interrogation")
 				changes <- cmd.CurrentStatus
 			case svc.SessionChange:
-				syslogf("Service session change notification")
 				handleSessionChange(cmd)
 				changes <- cmd.CurrentStatus
 			}
 		}
 	}
+
+	changes <- svc.Status{State: svc.StopPending}
+	return false, windows.NO_ERROR
 }
 
 func cmdName(c svc.Cmd) string {

cmd/viewer/tests/tests.go

@@ -1,48 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package tests serves a list of tests for tailscale.com/cmd/viewer.
-package tests
-
-import (
-	"fmt"
-
-	"inet.af/netaddr"
-)
-
-//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
-
-type StructWithoutPtrs struct {
-	Int int
-	Pfx netaddr.IPPrefix
-}
-
-type Map struct {
-	M map[string]int
-}
-
-type StructWithPtrs struct {
-	Value *StructWithoutPtrs
-	Int   *int
-
-	NoCloneValue *StructWithoutPtrs `codegen:"noclone"`
-}
-
-func (v *StructWithPtrs) String() string { return fmt.Sprintf("%v", v.Int) }
-
-func (v *StructWithPtrs) Equal(v2 *StructWithPtrs) bool {
-	return v.Value == v2.Value
-}
-
-type StructWithSlices struct {
-	Values         []StructWithoutPtrs
-	ValuePointers  []*StructWithoutPtrs
-	StructPointers []*StructWithPtrs
-	Structs        []StructWithPtrs
-	Ints           []*int
-
-	Slice    []string
-	Prefixes []netaddr.IPPrefix
-	Data     []byte
-}

cmd/viewer/tests/tests_clone.go

@@ -1,120 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
-
-package tests
-
-import (
-	"inet.af/netaddr"
-)
-
-// Clone makes a deep copy of StructWithPtrs.
-// The result aliases no memory with the original.
-func (src *StructWithPtrs) Clone() *StructWithPtrs {
-	if src == nil {
-		return nil
-	}
-	dst := new(StructWithPtrs)
-	*dst = *src
-	if dst.Value != nil {
-		dst.Value = new(StructWithoutPtrs)
-		*dst.Value = *src.Value
-	}
-	if dst.Int != nil {
-		dst.Int = new(int)
-		*dst.Int = *src.Int
-	}
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithPtrsCloneNeedsRegeneration = StructWithPtrs(struct {
-	Value        *StructWithoutPtrs
-	Int          *int
-	NoCloneValue *StructWithoutPtrs
-}{})
-
-// Clone makes a deep copy of StructWithoutPtrs.
-// The result aliases no memory with the original.
-func (src *StructWithoutPtrs) Clone() *StructWithoutPtrs {
-	if src == nil {
-		return nil
-	}
-	dst := new(StructWithoutPtrs)
-	*dst = *src
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithoutPtrsCloneNeedsRegeneration = StructWithoutPtrs(struct {
-	Int int
-	Pfx netaddr.IPPrefix
-}{})
-
-// Clone makes a deep copy of Map.
-// The result aliases no memory with the original.
-func (src *Map) Clone() *Map {
-	if src == nil {
-		return nil
-	}
-	dst := new(Map)
-	*dst = *src
-	if dst.M != nil {
-		dst.M = map[string]int{}
-		for k, v := range src.M {
-			dst.M[k] = v
-		}
-	}
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _MapCloneNeedsRegeneration = Map(struct {
-	M map[string]int
-}{})
-
-// Clone makes a deep copy of StructWithSlices.
-// The result aliases no memory with the original.
-func (src *StructWithSlices) Clone() *StructWithSlices {
-	if src == nil {
-		return nil
-	}
-	dst := new(StructWithSlices)
-	*dst = *src
-	dst.Values = append(src.Values[:0:0], src.Values...)
-	dst.ValuePointers = make([]*StructWithoutPtrs, len(src.ValuePointers))
-	for i := range dst.ValuePointers {
-		dst.ValuePointers[i] = src.ValuePointers[i].Clone()
-	}
-	dst.StructPointers = make([]*StructWithPtrs, len(src.StructPointers))
-	for i := range dst.StructPointers {
-		dst.StructPointers[i] = src.StructPointers[i].Clone()
-	}
-	dst.Structs = make([]StructWithPtrs, len(src.Structs))
-	for i := range dst.Structs {
-		dst.Structs[i] = *src.Structs[i].Clone()
-	}
-	dst.Ints = make([]*int, len(src.Ints))
-	for i := range dst.Ints {
-		x := *src.Ints[i]
-		dst.Ints[i] = &x
-	}
-	dst.Slice = append(src.Slice[:0:0], src.Slice...)
-	dst.Prefixes = append(src.Prefixes[:0:0], src.Prefixes...)
-	dst.Data = append(src.Data[:0:0], src.Data...)
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithSlicesCloneNeedsRegeneration = StructWithSlices(struct {
-	Values         []StructWithoutPtrs
-	ValuePointers  []*StructWithoutPtrs
-	StructPointers []*StructWithPtrs
-	Structs        []StructWithPtrs
-	Ints           []*int
-	Slice          []string
-	Prefixes       []netaddr.IPPrefix
-	Data           []byte
-}{})

cmd/viewer/tests/tests_view.go

@@ -1,268 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by tailscale/cmd/viewer; DO NOT EDIT.
-
-package tests
-
-import (
-	"encoding/json"
-	"errors"
-
-	"go4.org/mem"
-	"inet.af/netaddr"
-	"tailscale.com/types/views"
-)
-
-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
-
-// View returns a readonly view of StructWithPtrs.
-func (p *StructWithPtrs) View() StructWithPtrsView {
-	return StructWithPtrsView{ж: p}
-}
-
-// StructWithPtrsView provides a read-only view over StructWithPtrs.
-//
-// Its methods should only be called if `Valid()` returns true.
-type StructWithPtrsView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *StructWithPtrs
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v StructWithPtrsView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v StructWithPtrsView) AsStruct() *StructWithPtrs {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v StructWithPtrsView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *StructWithPtrsView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x StructWithPtrs
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-func (v StructWithPtrsView) Value() *StructWithoutPtrs {
-	if v.ж.Value == nil {
-		return nil
-	}
-	x := *v.ж.Value
-	return &x
-}
-
-func (v StructWithPtrsView) Int() *int {
-	if v.ж.Int == nil {
-		return nil
-	}
-	x := *v.ж.Int
-	return &x
-}
-
-func (v StructWithPtrsView) NoCloneValue() *StructWithoutPtrs { return v.ж.NoCloneValue }
-func (v StructWithPtrsView) String() string                   { return v.ж.String() }
-func (v StructWithPtrsView) Equal(v2 StructWithPtrsView) bool { return v.ж.Equal(v2.ж) }
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithPtrsViewNeedsRegeneration = StructWithPtrs(struct {
-	Value        *StructWithoutPtrs
-	Int          *int
-	NoCloneValue *StructWithoutPtrs
-}{})
-
-// View returns a readonly view of StructWithoutPtrs.
-func (p *StructWithoutPtrs) View() StructWithoutPtrsView {
-	return StructWithoutPtrsView{ж: p}
-}
-
-// StructWithoutPtrsView provides a read-only view over StructWithoutPtrs.
-//
-// Its methods should only be called if `Valid()` returns true.
-type StructWithoutPtrsView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *StructWithoutPtrs
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v StructWithoutPtrsView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v StructWithoutPtrsView) AsStruct() *StructWithoutPtrs {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v StructWithoutPtrsView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *StructWithoutPtrsView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x StructWithoutPtrs
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-func (v StructWithoutPtrsView) Int() int              { return v.ж.Int }
-func (v StructWithoutPtrsView) Pfx() netaddr.IPPrefix { return v.ж.Pfx }
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithoutPtrsViewNeedsRegeneration = StructWithoutPtrs(struct {
-	Int int
-	Pfx netaddr.IPPrefix
-}{})
-
-// View returns a readonly view of Map.
-func (p *Map) View() MapView {
-	return MapView{ж: p}
-}
-
-// MapView provides a read-only view over Map.
-//
-// Its methods should only be called if `Valid()` returns true.
-type MapView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *Map
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v MapView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v MapView) AsStruct() *Map {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v MapView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *MapView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x Map
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _MapViewNeedsRegeneration = Map(struct {
-	M map[string]int
-}{})
-
-// View returns a readonly view of StructWithSlices.
-func (p *StructWithSlices) View() StructWithSlicesView {
-	return StructWithSlicesView{ж: p}
-}
-
-// StructWithSlicesView provides a read-only view over StructWithSlices.
-//
-// Its methods should only be called if `Valid()` returns true.
-type StructWithSlicesView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *StructWithSlices
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v StructWithSlicesView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v StructWithSlicesView) AsStruct() *StructWithSlices {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v StructWithSlicesView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *StructWithSlicesView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x StructWithSlices
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-func (v StructWithSlicesView) Values() views.Slice[StructWithoutPtrs] {
-	return views.SliceOf(v.ж.Values)
-}
-func (v StructWithSlicesView) ValuePointers() views.SliceView[*StructWithoutPtrs, StructWithoutPtrsView] {
-	return views.SliceOfViews[*StructWithoutPtrs, StructWithoutPtrsView](v.ж.ValuePointers)
-}
-func (v StructWithSlicesView) StructPointers() views.SliceView[*StructWithPtrs, StructWithPtrsView] {
-	return views.SliceOfViews[*StructWithPtrs, StructWithPtrsView](v.ж.StructPointers)
-}
-func (v StructWithSlicesView) Structs() StructWithPtrs    { panic("unsupported") }
-func (v StructWithSlicesView) Ints() *int                 { panic("unsupported") }
-func (v StructWithSlicesView) Slice() views.Slice[string] { return views.SliceOf(v.ж.Slice) }
-func (v StructWithSlicesView) Prefixes() views.IPPrefixSlice {
-	return views.IPPrefixSliceOf(v.ж.Prefixes)
-}
-func (v StructWithSlicesView) Data() mem.RO { return mem.B(v.ж.Data) }
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
-	Values         []StructWithoutPtrs
-	ValuePointers  []*StructWithoutPtrs
-	StructPointers []*StructWithPtrs
-	Structs        []StructWithPtrs
-	Ints           []*int
-	Slice          []string
-	Prefixes       []netaddr.IPPrefix
-	Data           []byte
-}{})

cmd/viewer/viewer.go

@@ -1,316 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Viewer is a tool to automate the creation of "view" wrapper types that
-// provide read-only accessor methods to underlying fields.
-package main
-
-import (
-	"bytes"
-	"flag"
-	"fmt"
-	"go/types"
-	"html/template"
-	"log"
-	"os"
-	"strings"
-
-	"tailscale.com/util/codegen"
-)
-
-const viewTemplateStr = `{{define "common"}}
-// View returns a readonly view of {{.StructName}}.
-func (p *{{.StructName}}) View() {{.ViewName}} {
-	return {{.ViewName}}{ж: p}
-}
-
-// {{.ViewName}} provides a read-only view over {{.StructName}}.
-//
-// Its methods should only be called if ` + "`Valid()`" + ` returns true.
-type {{.ViewName}} struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *{{.StructName}}
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v {{.ViewName}}) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v {{.ViewName}}) AsStruct() *{{.StructName}}{ 
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v {{.ViewName}}) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *{{.ViewName}}) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x {{.StructName}}
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж=&x
-	return nil
-}
-
-{{end}}
-{{define "valueField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} { return v.ж.{{.FieldName}} }
-{{end}}
-{{define "byteSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() mem.RO { return mem.B(v.ж.{{.FieldName}}) }
-{{end}}
-{{define "ipPrefixSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.IPPrefixSlice { return views.IPPrefixSliceOf(v.ж.{{.FieldName}}) }
-{{end}}
-{{define "sliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.Slice[{{.FieldType}}] { return views.SliceOf(v.ж.{{.FieldName}}) }
-{{end}}
-{{define "viewSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.SliceView[{{.FieldType}},{{.FieldViewName}}] { return views.SliceOfViews[{{.FieldType}},{{.FieldViewName}}](v.ж.{{.FieldName}}) }
-{{end}}
-{{define "viewField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}}View { return v.ж.{{.FieldName}}.View() }
-{{end}}
-{{define "valuePointerField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {
-	if v.ж.{{.FieldName}} == nil {
-		return nil
-	}
-	x := *v.ж.{{.FieldName}}
-	return &x
-}
-
-{{end}}
-{{define "mapField"}}
-// Unsupported, panics.
-func(v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {panic("unsupported")}
-{{end}}
-{{define "unsupportedField"}}func(v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {panic("unsupported")}
-{{end}}
-{{define "stringFunc"}}func(v {{.ViewName}}) String() string { return v.ж.String() }
-{{end}}
-{{define "equalFunc"}}func(v {{.ViewName}}) Equal(v2 {{.ViewName}}) bool { return v.ж.Equal(v2.ж) }
-{{end}}
-`
-
-var viewTemplate *template.Template
-
-func init() {
-	viewTemplate = template.Must(template.New("view").Parse(viewTemplateStr))
-}
-
-func requiresCloning(t types.Type) (shallow, deep bool, base types.Type) {
-	switch v := t.(type) {
-	case *types.Pointer:
-		_, deep, base = requiresCloning(v.Elem())
-		return true, deep, base
-	case *types.Slice:
-		_, deep, base = requiresCloning(v.Elem())
-		return true, deep, base
-	}
-	p := codegen.ContainsPointers(t)
-	return p, p, t
-}
-
-func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thisPkg *types.Package) {
-	t, ok := typ.Underlying().(*types.Struct)
-	if !ok || codegen.IsViewType(t) {
-		return
-	}
-	it.Import("encoding/json")
-	it.Import("errors")
-
-	args := struct {
-		StructName    string
-		ViewName      string
-		FieldName     string
-		FieldType     string
-		FieldViewName string
-	}{
-		StructName: typ.Obj().Name(),
-		ViewName:   typ.Obj().Name() + "View",
-	}
-
-	writeTemplate := func(name string) {
-		if err := viewTemplate.ExecuteTemplate(buf, name, args); err != nil {
-			log.Fatal(err)
-		}
-	}
-	writeTemplate("common")
-	for i := 0; i < t.NumFields(); i++ {
-		f := t.Field(i)
-		fname := f.Name()
-		if !f.Exported() {
-			continue
-		}
-		args.FieldName = fname
-		fieldType := f.Type()
-		if codegen.IsInvalid(fieldType) {
-			continue
-		}
-		if !codegen.ContainsPointers(fieldType) || codegen.IsViewType(fieldType) || codegen.HasNoClone(t.Tag(i)) {
-			args.FieldType = it.QualifiedName(fieldType)
-			writeTemplate("valueField")
-			continue
-		}
-		switch underlying := fieldType.Underlying().(type) {
-		case *types.Slice:
-			slice := underlying
-			elem := slice.Elem()
-			args.FieldType = it.QualifiedName(elem)
-			switch elem.String() {
-			case "byte":
-				it.Import("go4.org/mem")
-				writeTemplate("byteSliceField")
-			case "inet.af/netaddr.IPPrefix":
-				it.Import("tailscale.com/types/views")
-				writeTemplate("ipPrefixSliceField")
-			default:
-				it.Import("tailscale.com/types/views")
-				shallow, deep, base := requiresCloning(elem)
-				if deep {
-					if _, isPtr := elem.(*types.Pointer); isPtr {
-						args.FieldViewName = it.QualifiedName(base) + "View"
-						writeTemplate("viewSliceField")
-					} else {
-						writeTemplate("unsupportedField")
-					}
-					continue
-				} else if shallow {
-					if _, isBasic := base.(*types.Basic); isBasic {
-						writeTemplate("unsupportedField")
-					} else {
-						args.FieldViewName = it.QualifiedName(base) + "View"
-						writeTemplate("viewSliceField")
-					}
-					continue
-				}
-				writeTemplate("sliceField")
-			}
-			continue
-		case *types.Struct:
-			strucT := underlying
-			args.FieldType = it.QualifiedName(fieldType)
-			if codegen.ContainsPointers(strucT) {
-				writeTemplate("viewField")
-				continue
-			}
-			writeTemplate("valueField")
-			continue
-		case *types.Map:
-			// TODO(maisem): support this.
-			// args.FieldType = importedName(ft)
-			// writeTemplate("mapField")
-			continue
-		case *types.Pointer:
-			ptr := underlying
-			_, deep, base := requiresCloning(ptr)
-			if deep {
-				args.FieldType = it.QualifiedName(base)
-				writeTemplate("viewField")
-			} else {
-				args.FieldType = it.QualifiedName(ptr)
-				writeTemplate("valuePointerField")
-			}
-			continue
-		}
-		writeTemplate("unsupportedField")
-	}
-	for i := 0; i < typ.NumMethods(); i++ {
-		f := typ.Method(i)
-		if !f.Exported() {
-			continue
-		}
-		sig, ok := f.Type().(*types.Signature)
-		if !ok {
-			continue
-		}
-
-		switch f.Name() {
-		case "Clone", "View":
-			continue // "AsStruct"
-		case "String":
-			writeTemplate("stringFunc")
-			continue
-		case "Equal":
-			if sig.Results().Len() == 1 && sig.Results().At(0).Type().String() == "bool" {
-				writeTemplate("equalFunc")
-				continue
-			}
-		}
-	}
-	fmt.Fprintf(buf, "\n")
-	buf.Write(codegen.AssertStructUnchanged(t, args.StructName, "View", it))
-}
-
-var (
-	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
-	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
-	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
-)
-
-func main() {
-	log.SetFlags(0)
-	log.SetPrefix("viewer: ")
-	flag.Parse()
-	if len(*flagTypes) == 0 {
-		flag.Usage()
-		os.Exit(2)
-	}
-	typeNames := strings.Split(*flagTypes, ",")
-
-	var flagArgs []string
-	flagArgs = append(flagArgs, fmt.Sprintf("-clonefunc=%v", *flagCloneFunc))
-	if *flagTypes != "" {
-		flagArgs = append(flagArgs, "-type="+*flagTypes)
-	}
-	if *flagBuildTags != "" {
-		flagArgs = append(flagArgs, "-tags="+*flagBuildTags)
-	}
-	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
-	if err != nil {
-		log.Fatal(err)
-	}
-	it := codegen.NewImportTracker(pkg.Types)
-
-	buf := new(bytes.Buffer)
-	fmt.Fprintf(buf, `//go:generate go run tailscale.com/cmd/cloner  %s`, strings.Join(flagArgs, " "))
-	fmt.Fprintln(buf)
-	runCloner := false
-	for _, typeName := range typeNames {
-		typ, ok := namedTypes[typeName]
-		if !ok {
-			log.Fatalf("could not find type %s", typeName)
-		}
-		var hasClone bool
-		for i, n := 0, typ.NumMethods(); i < n; i++ {
-			if typ.Method(i).Name() == "Clone" {
-				hasClone = true
-				break
-			}
-		}
-		if !hasClone {
-			runCloner = true
-		}
-		genView(buf, it, typ, pkg.Types)
-	}
-	out := pkg.Name + "_view.go"
-	if err := codegen.WritePackageFile("tailscale/cmd/viewer", pkg, out, it, buf); err != nil {
-		log.Fatal(err)
-	}
-	if runCloner {
-		// When a new pacakge is added or when existing generated files have
-		// been deleted, we might run into a case where tailscale.com/cmd/cloner
-		// has not run yet. We detect this by verifying that all the structs we
-		// interacted with have had Clone method already generated. If they
-		// haven't we ask the caller to rerun generation again so that those get
-		// generated.
-		log.Printf("%v requires regeneration. Please run go generate again", pkg.Name+"_clone.go")
-	}
-}

control/controlclient/auto.go

@@ -61,9 +61,10 @@ type Auto struct {
 	loggedIn        bool       // true if currently logged in
 	loginGoal       *LoginGoal // non-nil if some login activity is desired
 	synced          bool       // true if our netmap is up-to-date
-	inPollNetMap    bool       // true if currently running a PollNetMap
-	inLiteMapUpdate bool       // true if a lite (non-streaming) map request is outstanding
-	inSendStatus    int        // number of sendStatus calls currently in progress
+	hostinfo        *tailcfg.Hostinfo
+	inPollNetMap    bool // true if currently running a PollNetMap
+	inLiteMapUpdate bool // true if a lite (non-streaming) map request is outstanding
+	inSendStatus    int  // number of sendStatus calls currently in progress
 	state           State
 
 	authCtx    context.Context // context used for auth requests
@@ -554,8 +555,9 @@ func (c *Auto) SetNetInfo(ni *tailcfg.NetInfo) {
 	if !c.direct.SetNetInfo(ni) {
 		return
 	}
+	c.logf("NetInfo: %v", ni)
 
-	// Send new NetInfo to server
+	// Send new Hostinfo (which includes NetInfo) to server
 	c.sendNewMapRequest()
 }
 
@@ -565,6 +567,7 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	loggedIn := c.loggedIn
 	synced := c.synced
 	statusFunc := c.statusFunc
+	hi := c.hostinfo
 	c.inSendStatus++
 	c.mu.Unlock()
 
@@ -592,6 +595,7 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		URL:            url,
 		Persist:        p,
 		NetMap:         nm,
+		Hostinfo:       hi,
 		State:          state,
 		Err:            err,
 	}

control/controlclient/controlclient_test.go

@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 
 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist"}
+	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)

control/controlclient/direct.go

@@ -34,13 +34,12 @@ import (
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
-	"tailscale.com/logtail"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/netns"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -57,8 +56,7 @@ import (
 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
 	httpc                  *http.Client // HTTP client used to talk to tailcontrol
-	dialer                 *tsdial.Dialer
-	serverURL              string // URL of the tailcontrol server
+	serverURL              string       // URL of the tailcontrol server
 	timeNow                func() time.Time
 	lastPrintMap           time.Time
 	newDecompressor        func() (Decompressor, error)
@@ -80,12 +78,12 @@ type Direct struct {
 	sfGroup     singleflight.Group // protects noiseClient creation.
 	noiseClient *noiseClient
 
-	persist       persist.Persist
-	authKey       string
-	tryingNewKey  key.NodePrivate
-	expiry        *time.Time
+	persist      persist.Persist
+	authKey      string
+	tryingNewKey key.NodePrivate
+	expiry       *time.Time
+	// hostinfo is mutated in-place while mu is held.
 	hostinfo      *tailcfg.Hostinfo // always non-nil
-	netinfo       *tailcfg.NetInfo
 	endpoints     []tailcfg.Endpoint
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	localPort     uint16 // or zero to mean auto
@@ -107,7 +105,6 @@ type Options struct {
 	DebugFlags           []string         // debug settings to send to control
 	LinkMonitor          *monitor.Mon     // optional link monitor
 	PopBrowserURL        func(url string) // optional func to open browser
-	Dialer               *tsdial.Dialer   // non-nil
 
 	// KeepSharerAndUserSplit controls whether the client
 	// understands Node.Sharer. If false, the Sharer is mapped to the User.
@@ -126,9 +123,9 @@ type Options struct {
 
 // Pinger is a subset of the wgengine.Engine interface, containing just the Ping method.
 type Pinger interface {
-	// Ping is a request to start a ping with the peer handling the given IP and
-	// then call cb with its ping latency & method.
-	Ping(ip netaddr.IP, pingType tailcfg.PingType, cb func(*ipnstate.PingResult))
+	// Ping is a request to start a discovery or TSMP ping with the peer handling
+	// the given IP and then call cb with its ping latency & method.
+	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
 }
 
 type Decompressor interface {
@@ -172,12 +169,13 @@ func NewDirect(opts Options) (*Direct, error) {
 			UseLastGood:      true,
 			LookupIPFallback: dnsfallback.Lookup,
 		}
+		dialer := netns.NewDialer(opts.Logf)
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
 		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
 		tr.TLSClientConfig = tlsdial.Config(serverURL.Hostname(), tr.TLSClientConfig)
-		tr.DialContext = dnscache.Dialer(opts.Dialer.SystemDial, dnsCache)
-		tr.DialTLSContext = dnscache.TLSDialer(opts.Dialer.SystemDial, dnsCache, tr.TLSClientConfig)
+		tr.DialContext = dnscache.Dialer(dialer.DialContext, dnsCache)
+		tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dnsCache, tr.TLSClientConfig)
 		tr.ForceAttemptHTTP2 = true
 		// Disable implicit gzip compression; the various
 		// handlers (register, map, set-dns, etc) do their own
@@ -203,17 +201,11 @@ func NewDirect(opts Options) (*Direct, error) {
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
 		pinger:                 opts.Pinger,
 		popBrowser:             opts.PopBrowserURL,
-		dialer:                 opts.Dialer,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
 	} else {
-		ni := opts.Hostinfo.NetInfo
-		opts.Hostinfo.NetInfo = nil
 		c.SetHostinfo(opts.Hostinfo)
-		if ni != nil {
-			c.SetNetInfo(ni)
-		}
 	}
 	return c, nil
 }
@@ -258,11 +250,14 @@ func (c *Direct) SetNetInfo(ni *tailcfg.NetInfo) bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
-	if reflect.DeepEqual(ni, c.netinfo) {
+	if c.hostinfo == nil {
+		c.logf("[unexpected] SetNetInfo called with no HostInfo; ignoring NetInfo update: %+v", ni)
 		return false
 	}
-	c.netinfo = ni.Clone()
-	c.logf("NetInfo: %v", ni)
+	if reflect.DeepEqual(ni, c.hostinfo.NetInfo) {
+		return false
+	}
+	c.hostinfo.NetInfo = ni.Clone()
 	return true
 }
 
@@ -339,14 +334,6 @@ type httpClient interface {
 	Do(req *http.Request) (*http.Response, error)
 }
 
-// hostInfoLocked returns a Clone of c.hostinfo and c.netinfo.
-// It must only be called with c.mu held.
-func (c *Direct) hostInfoLocked() *tailcfg.Hostinfo {
-	hi := c.hostinfo.Clone()
-	hi.NetInfo = c.netinfo.Clone()
-	return hi
-}
-
 func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
 	c.mu.Lock()
 	persist := c.persist
@@ -354,7 +341,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	serverKey := c.serverKey
 	serverNoiseKey := c.serverNoiseKey
 	authKey := c.authKey
-	hi := c.hostInfoLocked()
+	hi := c.hostinfo.Clone()
 	backendLogID := hi.BackendLogID
 	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
 	c.mu.Unlock()
@@ -388,7 +375,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		if err != nil {
 			return regen, opt.URL, err
 		}
-		c.logf("control server key from %s: ts2021=%s, legacy=%v", c.serverURL, keys.PublicKey.ShortString(), keys.LegacyPublicKey.ShortString())
+		c.logf("control server key %s from %s", serverKey.ShortString(), c.serverURL)
 
 		c.mu.Lock()
 		c.serverKey = keys.LegacyPublicKey
@@ -656,7 +643,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	serverURL := c.serverURL
 	serverKey := c.serverKey
 	serverNoiseKey := c.serverNoiseKey
-	hi := c.hostInfoLocked()
+	hi := c.hostinfo.Clone()
 	backendLogID := hi.BackendLogID
 	localPort := c.localPort
 	var epStrs []string
@@ -863,7 +850,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 
 		if pr := resp.PingRequest; pr != nil && c.isUniquePingRequest(pr) {
 			metricMapResponsePings.Add(1)
-			go answerPing(c.logf, c.httpc, pr, c.pinger)
+			go answerPing(c.logf, c.httpc, pr)
 		}
 		if u := resp.PopBrowserURL; u != "" && u != sess.lastPopBrowserURL {
 			sess.lastPopBrowserURL = u
@@ -908,9 +895,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 				c.logf("exiting process with status %v per controlplane", *code)
 				os.Exit(*code)
 			}
-			if resp.Debug.DisableLogTail {
-				logtail.Disable()
-			}
 			if resp.Debug.LogHeapPprof {
 				go logheap.LogHeap(resp.Debug.LogHeapURL)
 			}
@@ -1197,46 +1181,29 @@ func (c *Direct) isUniquePingRequest(pr *tailcfg.PingRequest) bool {
 	return true
 }
 
-func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) {
+func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
 	if pr.URL == "" {
 		logf("invalid PingRequest with no URL")
 		return
 	}
-	if pr.Types == "" {
-		answerHeadPing(logf, c, pr)
-		return
-	}
-	for _, t := range strings.Split(pr.Types, ",") {
-		switch pt := tailcfg.PingType(t); pt {
-		case tailcfg.PingTSMP, tailcfg.PingDisco, tailcfg.PingICMP:
-			go doPingerPing(logf, c, pr, pinger, pt)
-		// TODO(tailscale/corp#754)
-		// case "peerapi":
-		default:
-			logf("unsupported ping request type: %q", t)
-		}
-	}
-}
-
-func answerHeadPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
 	req, err := http.NewRequestWithContext(ctx, "HEAD", pr.URL, nil)
 	if err != nil {
-		logf("answerHeadPing: NewRequestWithContext: %v", err)
+		logf("http.NewRequestWithContext(%q): %v", pr.URL, err)
 		return
 	}
 	if pr.Log {
-		logf("answerHeadPing: sending HEAD ping to %v ...", pr.URL)
+		logf("answerPing: sending ping to %v ...", pr.URL)
 	}
 	t0 := time.Now()
 	_, err = c.Do(req)
 	d := time.Since(t0).Round(time.Millisecond)
 	if err != nil {
-		logf("answerHeadPing error: %v to %v (after %v)", err, pr.URL, d)
+		logf("answerPing error: %v to %v (after %v)", err, pr.URL, d)
 	} else if pr.Log {
-		logf("answerHeadPing complete to %v (after %v)", pr.URL, d)
+		logf("answerPing complete to %v (after %v)", pr.URL, d)
 	}
 }
 
@@ -1289,7 +1256,7 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 			return nil, err
 		}
 
-		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer)
+		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL)
 		if err != nil {
 			return nil, err
 		}
@@ -1409,28 +1376,35 @@ func (c *Direct) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	return nc.Do(req)
 }
 
-// doPingerPing sends a Ping to pr.IP using pinger, and sends an http request back to
-// pr.URL with ping response data.
-func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger, pingType tailcfg.PingType) {
-	if pr.URL == "" || pr.IP.IsZero() || pinger == nil {
-		logf("invalid ping request: missing url, ip or pinger")
-		return
+// tsmpPing sends a Ping to pr.IP, and sends an http request back to pr.URL
+// with ping response data.
+func tsmpPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) error {
+	var err error
+	if pr.URL == "" {
+		return errors.New("invalid PingRequest with no URL")
 	}
-	start := time.Now()
-	pinger.Ping(pr.IP, pingType, func(res *ipnstate.PingResult) {
+	if pr.IP.IsZero() {
+		return errors.New("PingRequest without IP")
+	}
+	if !strings.Contains(pr.Types, "TSMP") {
+		return fmt.Errorf("PingRequest with no TSMP in Types, got %q", pr.Types)
+	}
+
+	now := time.Now()
+	pinger.Ping(pr.IP, true, func(res *ipnstate.PingResult) {
 		// Currently does not check for error since we just return if it fails.
-		postPingResult(start, logf, c, pr, res.ToPingResponse(pingType))
+		err = postPingResult(now, logf, c, pr, res)
 	})
+	return err
 }
 
-func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *tailcfg.PingResponse) error {
-	duration := time.Since(start)
+func postPingResult(now time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *ipnstate.PingResult) error {
+	if res.Err != "" {
+		return errors.New(res.Err)
+	}
+	duration := time.Since(now)
 	if pr.Log {
-		if res.Err == "" {
-			logf("ping to %v completed in %v. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration)
-		} else {
-			logf("ping to %v failed after %v: %v", pr.IP, duration, res.Err)
-		}
+		logf("TSMP ping to %v completed in %v seconds. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration.Seconds())
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
@@ -1440,20 +1414,20 @@ func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailc
 		return err
 	}
 	// Send the results of the Ping, back to control URL.
-	req, err := http.NewRequestWithContext(ctx, "POST", pr.URL, bytes.NewReader(jsonPingRes))
+	req, err := http.NewRequestWithContext(ctx, "POST", pr.URL, bytes.NewBuffer(jsonPingRes))
 	if err != nil {
 		return fmt.Errorf("http.NewRequestWithContext(%q): %w", pr.URL, err)
 	}
 	if pr.Log {
-		logf("postPingResult: sending ping results to %v ...", pr.URL)
+		logf("tsmpPing: sending ping results to %v ...", pr.URL)
 	}
 	t0 := time.Now()
 	_, err = c.Do(req)
 	d := time.Since(t0).Round(time.Millisecond)
 	if err != nil {
-		return fmt.Errorf("postPingResult error: %w to %v (after %v)", err, pr.URL, d)
+		return fmt.Errorf("tsmpPing error: %w to %v (after %v)", err, pr.URL, d)
 	} else if pr.Log {
-		logf("postPingResult complete to %v (after %v)", pr.URL, d)
+		logf("tsmpPing complete to %v (after %v)", pr.URL, d)
 	}
 	return nil
 }

control/controlclient/direct_test.go

@@ -14,7 +14,6 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@@ -31,7 +30,6 @@ func TestNewDirect(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
-		Dialer: new(tsdial.Dialer),
 	}
 	c, err := NewDirect(opts)
 	if err != nil {
@@ -108,7 +106,6 @@ func TestTsmpPing(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
-		Dialer: new(tsdial.Dialer),
 	}
 
 	c, err := NewDirect(opts)
@@ -116,8 +113,7 @@ func TestTsmpPing(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	pingRes := &tailcfg.PingResponse{
-		Type:     "TSMP",
+	pingRes := &ipnstate.PingResult{
 		IP:       "123.456.7890",
 		Err:      "",
 		NodeName: "testnode",

control/controlclient/noise.go

@@ -18,10 +18,8 @@ import (
 	"golang.org/x/net/http2"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 )
 
@@ -47,7 +45,6 @@ func (c *noiseConn) Close() error {
 // the ts2021 protocol.
 type noiseClient struct {
 	*http.Client // HTTP client used to talk to tailcontrol
-	dialer       *tsdial.Dialer
 	privKey      key.MachinePrivate
 	serverPubKey key.MachinePublic
 	serverHost   string // the host:port part of serverURL
@@ -60,7 +57,7 @@ type noiseClient struct {
 
 // newNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer) (*noiseClient, error) {
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string) (*noiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -77,7 +74,6 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		serverPubKey: serverPubKey,
 		privKey:      priKey,
 		serverHost:   host,
-		dialer:       dialer,
 	}
 
 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -141,6 +137,9 @@ func (nc *noiseClient) Close() error {
 func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	connID := nc.nextID
+	if nc.connPool == nil {
+		nc.connPool = make(map[int]*noiseConn)
+	}
 	nc.nextID++
 	nc.mu.Unlock()
 
@@ -154,7 +153,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
-	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
+	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion))
 	if err != nil {
 		return nil, err
 	}
@@ -162,6 +161,6 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	defer nc.mu.Unlock()
 	ncc := &noiseConn{Conn: conn, id: connID, pool: nc}
-	mak.Set(&nc.connPool, ncc.id, ncc)
+	nc.connPool[ncc.id] = ncc
 	return ncc, nil
 }

control/controlclient/status.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"reflect"
 
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
@@ -74,8 +75,9 @@ type Status struct {
 	// package, but we have some automated tests elsewhere that need to
 	// use them. Please don't use these fields.
 	// TODO(apenwarr): Unexport or remove these.
-	State   State
-	Persist *persist.Persist // locally persisted configuration
+	State    State
+	Persist  *persist.Persist  // locally persisted configuration
+	Hostinfo *tailcfg.Hostinfo // current Hostinfo data
 }
 
 // Equal reports whether s and s2 are equal.
@@ -90,6 +92,7 @@ func (s *Status) Equal(s2 *Status) bool {
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
 		reflect.DeepEqual(s.NetMap, s2.NetMap) &&
+		reflect.DeepEqual(s.Hostinfo, s2.Hostinfo) &&
 		s.State == s2.State
 }
 

control/controlhttp/client.go

@@ -25,15 +25,16 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
 	"net/url"
-	"time"
 
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
+	"tailscale.com/net/netns"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
@@ -64,12 +65,13 @@ const (
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16) (*controlbase.Conn, error) {
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
 	}
 	a := &dialParams{
+		ctx:        ctx,
 		host:       host,
 		httpPort:   port,
 		httpsPort:  "443",
@@ -77,12 +79,12 @@ func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, contr
 		controlKey: controlKey,
 		version:    protocolVersion,
 		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
-		dialer:     dialer,
 	}
-	return a.dial(ctx)
+	return a.dial()
 }
 
 type dialParams struct {
+	ctx        context.Context
 	host       string
 	httpPort   string
 	httpsPort  string
@@ -90,132 +92,65 @@ type dialParams struct {
 	controlKey key.MachinePublic
 	version    uint16
 	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
-	dialer     dnscache.DialContextFunc
 
 	// For tests only
-	insecureTLS       bool
-	testFallbackDelay time.Duration
+	insecureTLS bool
 }
 
-// httpsFallbackDelay is how long we'll wait for a.httpPort to work before
-// starting to try a.httpsPort.
-func (a *dialParams) httpsFallbackDelay() time.Duration {
-	if v := a.testFallbackDelay; v != 0 {
-		return v
-	}
-	return 500 * time.Millisecond
-}
-
-func (a *dialParams) dial(ctx context.Context) (*controlbase.Conn, error) {
-	// Create one shared context used by both port 80 and port 443 dials.
-	// If port 80 is still in flight when 443 returns, this deferred cancel
-	// will stop the port 80 dial.
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	// u80 and u443 are the URLs we'll try to hit over HTTP or HTTPS,
-	// respectively, in order to do the HTTP upgrade to a net.Conn over which
-	// we'll speak Noise.
-	u80 := &url.URL{
-		Scheme: "http",
-		Host:   net.JoinHostPort(a.host, a.httpPort),
-		Path:   serverUpgradePath,
-	}
-	u443 := &url.URL{
-		Scheme: "https",
-		Host:   net.JoinHostPort(a.host, a.httpsPort),
-		Path:   serverUpgradePath,
-	}
-
-	type tryURLRes struct {
-		u    *url.URL          // input (the URL conn+err are for/from)
-		conn *controlbase.Conn // result (mutually exclusive with err)
-		err  error
-	}
-	ch := make(chan tryURLRes) // must be unbuffered
-	try := func(u *url.URL) {
-		cbConn, err := a.dialURL(ctx, u)
-		select {
-		case ch <- tryURLRes{u, cbConn, err}:
-		case <-ctx.Done():
-			if cbConn != nil {
-				cbConn.Close()
-			}
-		}
-	}
-
-	// Start the plaintext HTTP attempt first.
-	go try(u80)
-
-	// In case outbound port 80 blocked or MITM'ed poorly, start a backup timer
-	// to dial port 443 if port 80 doesn't either succeed or fail quickly.
-	try443Timer := time.AfterFunc(a.httpsFallbackDelay(), func() { try(u443) })
-	defer try443Timer.Stop()
-
-	var err80, err443 error
-	for {
-		select {
-		case <-ctx.Done():
-			return nil, fmt.Errorf("connection attempts aborted by context: %w", ctx.Err())
-		case res := <-ch:
-			if res.err == nil {
-				return res.conn, nil
-			}
-			switch res.u {
-			case u80:
-				// Connecting over plain HTTP failed; assume it's an HTTP proxy
-				// being difficult and see if we can get through over HTTPS.
-				err80 = res.err
-				// Stop the fallback timer and run it immediately. We don't use
-				// Timer.Reset(0) here because on AfterFuncs, that can run it
-				// again.
-				if try443Timer.Stop() {
-					go try(u443)
-				} // else we lost the race and it started already which is what we want
-			case u443:
-				err443 = res.err
-			default:
-				panic("invalid")
-			}
-			if err80 != nil && err443 != nil {
-				return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", err80, err443)
-			}
-		}
-	}
-}
-
-// dialURL attempts to connect to the given URL.
-func (a *dialParams) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
+func (a *dialParams) dial() (*controlbase.Conn, error) {
 	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
-	netConn, err := a.tryURLUpgrade(ctx, u, init)
+
+	u := &url.URL{
+		Scheme: "http",
+		Host:   net.JoinHostPort(a.host, a.httpPort),
+		Path:   serverUpgradePath,
+	}
+	conn, httpErr := a.tryURL(u, init)
+	if httpErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
+	}
+
+	// Connecting over plain HTTP failed, assume it's an HTTP proxy
+	// being difficult and see if we can get through over HTTPS.
+	u.Scheme = "https"
+	u.Host = net.JoinHostPort(a.host, a.httpsPort)
+	init, cont, err = controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
-	cbConn, err := cont(ctx, netConn)
-	if err != nil {
-		netConn.Close()
-		return nil, err
+	conn, tlsErr := a.tryURL(u, init)
+	if tlsErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
 	}
-	return cbConn, nil
+
+	return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", httpErr, tlsErr)
 }
 
-// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
-//
-// Only the provided ctx is used, not a.ctx.
-func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
+func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
 	dns := &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward,
 		LookupIPFallback: dnsfallback.Lookup,
 		UseLastGood:      true,
 	}
+	dialer := netns.NewDialer(log.Printf)
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	defer tr.CloseIdleConnections()
 	tr.Proxy = a.proxyFunc
 	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
-	tr.DialContext = dnscache.Dialer(a.dialer, dns)
+	tr.DialContext = dnscache.Dialer(dialer.DialContext, dns)
 	// Disable HTTP2, since h2 can't do protocol switching.
 	tr.TLSClientConfig.NextProtos = []string{}
 	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
@@ -224,7 +159,7 @@ func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte)
 		tr.TLSClientConfig.InsecureSkipVerify = true
 		tr.TLSClientConfig.VerifyConnection = nil
 	}
-	tr.DialTLSContext = dnscache.TLSDialer(a.dialer, dns, tr.TLSClientConfig)
+	tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dns, tr.TLSClientConfig)
 	tr.DisableCompression = true
 
 	// (mis)use httptrace to extract the underlying net.Conn from the
@@ -254,7 +189,7 @@ func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte)
 			connCh <- info.Conn
 		},
 	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
+	ctx := httptrace.WithClientTrace(a.ctx, &trace)
 	req := &http.Request{
 		Method: "POST",
 		URL:    u,

control/controlhttp/http_test.go

@@ -17,36 +17,22 @@ import (
 	"strconv"
 	"sync"
 	"testing"
-	"time"
 
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/socks5"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/types/key"
 )
 
-type httpTestParam struct {
-	name  string
-	proxy proxy
-
-	// makeHTTPHangAfterUpgrade makes the HTTP response hang after sending a
-	// 101 switching protocols.
-	makeHTTPHangAfterUpgrade bool
-}
-
 func TestControlHTTP(t *testing.T) {
-	tests := []httpTestParam{
+	tests := []struct {
+		name  string
+		proxy proxy
+	}{
 		// direct connection
 		{
 			name:  "no_proxy",
 			proxy: nil,
 		},
-		// direct connection but port 80 is MITM'ed and broken
-		{
-			name:                     "port80_broken_mitm",
-			proxy:                    nil,
-			makeHTTPHangAfterUpgrade: true,
-		},
 		// SOCKS5
 		{
 			name:  "socks5",
@@ -110,13 +96,12 @@ func TestControlHTTP(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			testControlHTTP(t, test)
+			testControlHTTP(t, test.proxy)
 		})
 	}
 }
 
-func testControlHTTP(t *testing.T, param httpTestParam) {
-	proxy := param.proxy
+func testControlHTTP(t *testing.T, proxy proxy) {
 	client, server := key.NewMachine(), key.NewMachine()
 
 	const testProtocolVersion = 1
@@ -147,11 +132,7 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		t.Fatalf("HTTPS listen: %v", err)
 	}
 
-	var httpHandler http.Handler = handler
-	if param.makeHTTPHangAfterUpgrade {
-		httpHandler = http.HandlerFunc(brokenMITMHandler)
-	}
-	httpServer := &http.Server{Handler: httpHandler}
+	httpServer := &http.Server{Handler: handler}
 	go httpServer.Serve(httpLn)
 	defer httpServer.Close()
 
@@ -162,24 +143,18 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 	go httpsServer.ServeTLS(httpsLn, "", "")
 	defer httpsServer.Close()
 
-	ctx := context.Background()
-	const debugTimeout = false
-	if debugTimeout {
-		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-	}
+	//ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	//defer cancel()
 
 	a := dialParams{
-		host:              "localhost",
-		httpPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
-		httpsPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
-		machineKey:        client,
-		controlKey:        server.Public(),
-		version:           testProtocolVersion,
-		insecureTLS:       true,
-		dialer:            new(tsdial.Dialer).SystemDial,
-		testFallbackDelay: 50 * time.Millisecond,
+		ctx:         context.Background(), //ctx,
+		host:        "localhost",
+		httpPort:    strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:   strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:  client,
+		controlKey:  server.Public(),
+		version:     testProtocolVersion,
+		insecureTLS: true,
 	}
 
 	if proxy != nil {
@@ -198,7 +173,7 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		}
 	}
 
-	conn, err := a.dial(ctx)
+	conn, err := a.dial()
 	if err != nil {
 		t.Fatalf("dialing controlhttp: %v", err)
 	}
@@ -240,7 +215,6 @@ type proxy interface {
 
 type socksProxy struct {
 	sync.Mutex
-	closed          bool
 	proxy           socks5.Server
 	ln              net.Listener
 	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
@@ -256,14 +230,7 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 	}
 	s.ln = ln
 	s.clientConnAddrs = map[string]bool{}
-	s.proxy.Logf = func(format string, a ...any) {
-		s.Lock()
-		defer s.Unlock()
-		if s.closed {
-			return
-		}
-		t.Logf(format, a...)
-	}
+	s.proxy.Logf = t.Logf
 	s.proxy.Dialer = s.dialAndRecord
 	go s.proxy.Serve(ln)
 	return fmt.Sprintf("socks5://%s", ln.Addr().String())
@@ -272,10 +239,6 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 func (s *socksProxy) Close() {
 	s.Lock()
 	defer s.Unlock()
-	if s.closed {
-		return
-	}
-	s.closed = true
 	s.ln.Close()
 }
 
@@ -435,11 +398,3 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		Certificates: []tls.Certificate{cert},
 	}
 }
-
-func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Upgrade", upgradeHeaderValue)
-	w.Header().Set("Connection", "upgrade")
-	w.WriteHeader(http.StatusSwitchingProtocols)
-	w.(http.Flusher).Flush()
-	<-r.Context().Done()
-}

derp/derp_client.go

@@ -485,7 +485,7 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			c.peeked = int(n)
 		} else {
 			// But if for some reason we read a large DERP message (which isn't necessarily
-			// a WireGuard packet), then just allocate memory for it.
+			// a Wireguard packet), then just allocate memory for it.
 			// TODO(bradfitz): use a pool if large frames ever happen in practice.
 			b = make([]byte, n)
 			_, err = io.ReadFull(c.br, b)

derp/derphttp/derphttp_client.go

@@ -538,17 +538,12 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 	return tls.Client(nc, tlsConf)
 }
 
-// DialRegionTLS returns a TLS connection to a DERP node in the given region.
-//
-// DERP nodes for a region are tried in sequence according to their order
-// in the DERP map. TLS is initiated on the first node where a socket is
-// established.
-func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, node *tailcfg.DERPNode, err error) {
+func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, err error) {
 	tcpConn, node, err := c.dialRegion(ctx, reg)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
-	done := make(chan bool) // unbuffered
+	done := make(chan bool) // unbufferd
 	defer close(done)
 
 	tlsConn = c.tlsClient(tcpConn, node)
@@ -561,13 +556,13 @@ func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tl
 	}()
 	err = tlsConn.Handshake()
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
 	select {
 	case done <- true:
-		return tlsConn, tcpConn, node, nil
+		return tlsConn, tcpConn, nil
 	case <-ctx.Done():
-		return nil, nil, nil, ctx.Err()
+		return nil, nil, ctx.Err()
 	}
 }
 

envknob/envknob.go

@@ -149,9 +149,3 @@ func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }
 // if already enabled and any attempt to re-enable it will result in
 // an error.
 func CanSSHD() bool { return !Bool("TS_DISABLE_SSH_SERVER") }
-
-// SSHPolicyFile returns the path, if any, to the SSHPolicy JSON file for development.
-func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
-
-// SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
-func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }

go.mod

@@ -5,6 +5,7 @@ go 1.18
 require (
 	filippo.io/mkcert v1.4.3
 	github.com/akutz/memconn v0.1.0
+	github.com/alessio/shellescape v1.4.1
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/aws/aws-sdk-go-v2 v1.11.2
@@ -13,14 +14,13 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.21.0
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.17.1
 	github.com/coreos/go-iptables v0.6.0
-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/creack/pty v1.1.17
 	github.com/dave/jennifer v1.4.1
 	github.com/frankban/quicktest v1.14.0
 	github.com/go-ole/go-ole v1.2.6
 	github.com/godbus/dbus/v5 v5.0.6
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
-	github.com/google/go-cmp v0.5.8
+	github.com/google/go-cmp v0.5.7
 	github.com/google/uuid v1.3.0
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/iancoleman/strcase v0.2.0
@@ -28,7 +28,6 @@ require (
 	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.13.6
-	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a
 	github.com/mdlayher/genetlink v1.2.0
 	github.com/mdlayher/netlink v1.6.0
 	github.com/mdlayher/sdnotify v1.0.0
@@ -40,19 +39,19 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1
+	github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
-	github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17
+	github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	github.com/u-root/u-root v0.8.0
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	go4.org/mem v0.0.0-20210711025021-927187094b94
-	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
+	golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20220422013727-9388b58f7150
+	golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11-0.20220413170336-afc6aad76eb1
@@ -106,6 +105,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/charithe/durationcheck v0.0.9 // indirect
 	github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af // indirect
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
 	github.com/daixiang0/gci v0.2.9 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/denis-tingajkin/go-header v0.4.2 // indirect
@@ -252,7 +252,7 @@ require (
 	golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect

go.sum

@@ -104,6 +104,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
+github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
@@ -467,9 +469,8 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 h1:CVuJwN34x4xM2aT4sIKhmeib40NeBPhRihNjQmpJsA4=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
@@ -681,8 +682,6 @@ github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47e
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
-github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
@@ -1068,12 +1067,12 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1 h1:vsFV6BKSIgjRd8m8UfrGW4r+cc28fRF71K6IRo46rKs=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf h1:+DSoknr7gaiW2LlViX6+ko8TBdxTLkvOBbIWQtYyMaE=
+github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
-github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17 h1:QaQrUggZ7U2lE3HhoPx6bDK7fO385FR7pHRYSPEv70Q=
-github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
+github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83 h1:f7nwzdAHTUUOJjHZuDvLz9CEAlUM228amCRvwzlPvsA=
+github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83/go.mod h1:iTDXJsA6A2wNNjurgic2rk+is6uzU4U2NLm4T+edr6M=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
@@ -1228,8 +1227,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064 h1:S25/rfnfsMVgORT4/J61MJ7rdyseOZOyvLIrZEZ7s6s=
+golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1479,8 +1478,8 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f h1:8w7RhxzTVgUzw/AH/9mUV5q0vMgy40SQRursCcfmkCw=
+golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
@@ -1618,9 +1617,8 @@ golang.org/x/tools v0.1.11-0.20220413170336-afc6aad76eb1/go.mod h1:Uh6Zz+xoGYZom
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f h1:GGU+dLjvlC3qDwqYgL6UgRmHXhOOgns0bZu2Ty5mm6U=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=

go.toolchain.rev

@@ -1 +1 @@
-710a0d861098c07540ad073bb73a42ce81bf54a8
+5ce3ec4d89c72f2a2b6f6f5089c950d7a6a33530

hostinfo/hostinfo.go

@@ -17,14 +17,11 @@ import (
 
 	"go4.org/mem"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/lineread"
 	"tailscale.com/version"
 )
 
-var started = time.Now()
-
 // New returns a partially populated Hostinfo for the current host.
 func New() *tailcfg.Hostinfo {
 	hostname, _ := os.Hostname()
@@ -34,7 +31,6 @@ func New() *tailcfg.Hostinfo {
 		Hostname:    hostname,
 		OS:          version.OS(),
 		OSVersion:   GetOSVersion(),
-		Desktop:     desktop(),
 		Package:     packageTypeCached(),
 		GoArch:      runtime.GOARCH,
 		DeviceModel: deviceModel(),
@@ -101,7 +97,6 @@ func GetEnvType() EnvType {
 var (
 	deviceModelAtomic atomic.Value // of string
 	osVersionAtomic   atomic.Value // of string
-	desktopAtomic     atomic.Value // of opt.Bool
 	packagingType     atomic.Value // of string
 )
 
@@ -122,31 +117,6 @@ func deviceModel() string {
 	return s
 }
 
-func desktop() (ret opt.Bool) {
-	if runtime.GOOS != "linux" {
-		return opt.Bool("")
-	}
-	if v := desktopAtomic.Load(); v != nil {
-		v, _ := v.(opt.Bool)
-		return v
-	}
-
-	seenDesktop := false
-	lineread.File("/proc/net/unix", func(line []byte) error {
-		seenDesktop = seenDesktop || mem.Contains(mem.B(line), mem.S(" @/tmp/dbus-"))
-		seenDesktop = seenDesktop || mem.Contains(mem.B(line), mem.S(".X11-unix"))
-		seenDesktop = seenDesktop || mem.Contains(mem.B(line), mem.S("/wayland-1"))
-		return nil
-	})
-	ret.Set(seenDesktop)
-
-	// Only cache after a minute - compositors might not have started yet.
-	if time.Since(started) > time.Minute {
-		desktopAtomic.Store(ret)
-	}
-	return ret
-}
-
 func getEnvType() EnvType {
 	if inKnative() {
 		return KNative

ipn/backend.go

@@ -65,13 +65,14 @@ type Notify struct {
 	// For State InUseOtherUser, ErrMessage is not critical and just contains the details.
 	ErrMessage *string
 
-	LoginFinished *empty.Message     // non-nil when/if the login process succeeded
-	State         *State             // if non-nil, the new or current IPN state
-	Prefs         *Prefs             // if non-nil, the new or current preferences
-	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
-	Engine        *EngineStatus      // if non-nil, the new or urrent wireguard stats
-	BrowseToURL   *string            // if non-nil, UI should open a browser right now
-	BackendLogID  *string            // if non-nil, the public logtail ID used by backend
+	LoginFinished *empty.Message       // non-nil when/if the login process succeeded
+	State         *State               // if non-nil, the new or current IPN state
+	Prefs         *Prefs               // if non-nil, the new or current preferences
+	NetMap        *netmap.NetworkMap   // if non-nil, the new or current netmap
+	Engine        *EngineStatus        // if non-nil, the new or urrent wireguard stats
+	BrowseToURL   *string              // if non-nil, UI should open a browser right now
+	BackendLogID  *string              // if non-nil, the public logtail ID used by backend
+	PingResult    *ipnstate.PingResult // if non-nil, a ping response arrived
 
 	// FilesWaiting if non-nil means that files are buffered in
 	// the Tailscale daemon and ready for local transfer to the
@@ -121,6 +122,9 @@ func (n Notify) String() string {
 	if n.BackendLogID != nil {
 		sb.WriteString("BackendLogID ")
 	}
+	if n.PingResult != nil {
+		fmt.Fprintf(&sb, "ping=%v ", *n.PingResult)
+	}
 	if n.FilesWaiting != nil {
 		sb.WriteString("FilesWaiting ")
 	}
@@ -241,4 +245,13 @@ type Backend interface {
 	// counts. Connection events are emitted automatically without
 	// polling.
 	RequestEngineStatus()
+	// FakeExpireAfter pretends that the current key is going to
+	// expire after duration x. This is useful for testing GUIs to
+	// make sure they react properly with keys that are going to
+	// expire.
+	FakeExpireAfter(x time.Duration)
+	// Ping attempts to start connecting to the given IP and sends a Notify
+	// with its PingResult. If the host is down, there might never
+	// be a PingResult sent. The cmd/tailscale CLI client adds a timeout.
+	Ping(ip string, useTSMP bool)
 }

ipn/fake_test.go

@@ -5,6 +5,9 @@
 package ipn
 
 import (
+	"time"
+
+	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/netmap"
 )
@@ -98,3 +101,15 @@ func (b *FakeBackend) RequestEngineStatus() {
 		b.notify(Notify{Engine: &EngineStatus{}})
 	}
 }
+
+func (b *FakeBackend) FakeExpireAfter(x time.Duration) {
+	if b.notify != nil {
+		b.notify(Notify{NetMap: &netmap.NetworkMap{}})
+	}
+}
+
+func (b *FakeBackend) Ping(ip string, useTSMP bool) {
+	if b.notify != nil {
+		b.notify(Notify{PingResult: &ipnstate.PingResult{}})
+	}
+}

ipn/handle.go

@@ -174,3 +174,7 @@ func (h *Handle) Logout() {
 func (h *Handle) RequestEngineStatus() {
 	h.b.RequestEngineStatus()
 }
+
+func (h *Handle) FakeExpireAfter(x time.Duration) {
+	h.b.FakeExpireAfter(x)
+}

ipn/ipnlocal/dnsconfig_test.go

@@ -51,7 +51,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			nm:    &netmap.NetworkMap{},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
 				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
 			},
 		},
@@ -77,7 +77,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"b.net.":       ips("100.102.0.1", "100.102.0.2"),
 					"myname.net.":  ips("100.101.101.101"),
@@ -112,7 +112,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
 				OnlyIPv6: true,
-				Routes:   map[dnsname.FQDN][]*dnstype.Resolver{},
+				Routes:   map[dnsname.FQDN][]dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"b.net.":       ips("fe75::2"),
 					"myname.net.":  ips("fe75::1"),
@@ -136,7 +136,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"myname.net.": ips("100.101.101.101"),
 					"foo.com.":    ips("1.2.3.4"),
@@ -158,7 +158,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts: map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]*dnstype.Resolver{
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{
 					"0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.": nil,
 					"100.100.in-addr.arpa.":             nil,
 					"101.100.in-addr.arpa.":             nil,
@@ -242,13 +242,13 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			os:   "android",
 			nm: &netmap.NetworkMap{
 				DNS: tailcfg.DNSConfig{
-					Resolvers: []*dnstype.Resolver{
+					Resolvers: []dnstype.Resolver{
 						{Addr: "8.8.8.8"},
 					},
-					FallbackResolvers: []*dnstype.Resolver{
+					FallbackResolvers: []dnstype.Resolver{
 						{Addr: "8.8.4.4"},
 					},
-					Routes: map[string][]*dnstype.Resolver{
+					Routes: map[string][]dnstype.Resolver{
 						"foo.com.": {{Addr: "1.2.3.4"}},
 					},
 				},
@@ -258,11 +258,11 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts: map[dnsname.FQDN][]netaddr.IP{},
-				DefaultResolvers: []*dnstype.Resolver{
-					{Addr: "8.8.8.8"},
+				DefaultResolvers: []dnstype.Resolver{
+					{Addr: "8.8.8.8:53"},
 				},
-				Routes: map[dnsname.FQDN][]*dnstype.Resolver{
-					"foo.com.": {{Addr: "1.2.3.4"}},
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{
+					"foo.com.": {{Addr: "1.2.3.4:53"}},
 				},
 			},
 		},
@@ -270,7 +270,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			name: "exit_nodes_need_fallbacks",
 			nm: &netmap.NetworkMap{
 				DNS: tailcfg.DNSConfig{
-					FallbackResolvers: []*dnstype.Resolver{
+					FallbackResolvers: []dnstype.Resolver{
 						{Addr: "8.8.4.4"},
 					},
 				},
@@ -281,9 +281,9 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
-				DefaultResolvers: []*dnstype.Resolver{
-					{Addr: "8.8.4.4"},
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				DefaultResolvers: []dnstype.Resolver{
+					{Addr: "8.8.4.4:53"},
 				},
 			},
 		},
@@ -291,7 +291,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			name: "not_exit_node_NOT_need_fallbacks",
 			nm: &netmap.NetworkMap{
 				DNS: tailcfg.DNSConfig{
-					FallbackResolvers: []*dnstype.Resolver{
+					FallbackResolvers: []dnstype.Resolver{
 						{Addr: "8.8.4.4"},
 					},
 				},
@@ -301,7 +301,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
 			},
 		},
 	}

ipn/ipnlocal/local.go

@@ -73,25 +73,6 @@ func getControlDebugFlags() []string {
 	return nil
 }
 
-// SSHServer is the interface of the conditionally linked ssh/tailssh.server.
-type SSHServer interface {
-	HandleSSHConn(net.Conn) error
-
-	// OnPolicyChange is called when the SSH access policy changes,
-	// so that existing sessions can be re-evaluated for validity
-	// and closed if they'd no longer be accepted.
-	OnPolicyChange()
-}
-
-type newSSHServerFunc func(logger.Logf, *LocalBackend) (SSHServer, error)
-
-var newSSHServer newSSHServerFunc // or nil
-
-// RegisterNewSSHServer lets the conditionally linked ssh/tailssh package register itself.
-func RegisterNewSSHServer(fn newSSHServerFunc) {
-	newSSHServer = fn
-}
-
 // LocalBackend is the glue between the major pieces of the Tailscale
 // network software: the cloud control plane (via controlclient), the
 // network data plane (via wgengine), and the user-facing UIs and CLIs
@@ -122,15 +103,14 @@ type LocalBackend struct {
 	newDecompressor       func() (controlclient.Decompressor, error)
 	varRoot               string // or empty if SetVarRoot never called
 	sshAtomicBool         syncs.AtomicBool
-	sshServer             SSHServer // or nil
-	shutdownCalled        bool      // if Shutdown has been called
+
+	filterHash deephash.Sum
 
 	filterAtomic            atomic.Value // of *filter.Filter
 	containsViaIPFuncAtomic atomic.Value // of func(netaddr.IP) bool
 
 	// The mutex protects the following elements.
 	mu             sync.Mutex
-	filterHash     deephash.Sum
 	httpTestClient *http.Client // for controlclient. nil by default, used by tests.
 	ccGen          clientGen    // function for producing controlclient; lazily populated
 	notify         func(ipn.Notify)
@@ -225,12 +205,6 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 		gotPortPollRes: make(chan struct{}),
 		loginFlags:     loginFlags,
 	}
-	if newSSHServer != nil {
-		b.sshServer, err = newSSHServer(logf, b)
-		if err != nil {
-			return nil, fmt.Errorf("newSSHServer: %w", err)
-		}
-	}
 
 	// Default filter blocks everything and logs nothing, until Start() is called.
 	b.setFilter(filter.NewAllowNone(logf, &netaddr.IPSet{}))
@@ -249,7 +223,7 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 
 	wiredPeerAPIPort := false
 	if ig, ok := e.(wgengine.InternalsGetter); ok {
-		if tunWrap, _, _, ok := ig.GetInternals(); ok {
+		if tunWrap, _, ok := ig.GetInternals(); ok {
 			tunWrap.PeerAPIPort = b.GetPeerAPIPort
 			wiredPeerAPIPort = true
 		}
@@ -321,7 +295,7 @@ func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {
 
 	// If the local network configuration has changed, our filter may
 	// need updating to tweak default routes.
-	b.updateFilterLocked(b.netMap, b.prefs)
+	b.updateFilter(b.netMap, b.prefs)
 
 	if peerAPIListenAsync && b.netMap != nil && b.state == ipn.Running {
 		want := len(b.netMap.Addresses)
@@ -344,9 +318,7 @@ func (b *LocalBackend) onHealthChange(sys health.Subsystem, err error) {
 // can no longer be used after Shutdown returns.
 func (b *LocalBackend) Shutdown() {
 	b.mu.Lock()
-	b.shutdownCalled = true
 	cc := b.cc
-	b.closePeerAPIListenersLocked()
 	b.mu.Unlock()
 
 	b.unregisterLinkMon()
@@ -533,30 +505,6 @@ func (b *LocalBackend) WhoIs(ipp netaddr.IPPort) (n *tailcfg.Node, u tailcfg.Use
 	return n, u, true
 }
 
-// PeerCaps returns the capabilities that remote src IP has to
-// ths current node.
-func (b *LocalBackend) PeerCaps(src netaddr.IP) []string {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.netMap == nil {
-		return nil
-	}
-	filt, ok := b.filterAtomic.Load().(*filter.Filter)
-	if !ok {
-		return nil
-	}
-	for _, a := range b.netMap.Addresses {
-		if !a.IsSingleIP() {
-			continue
-		}
-		dstIP := a.IP()
-		if dstIP.BitLen() == src.BitLen() {
-			return filt.AppendCaps(nil, src, a.IP())
-		}
-	}
-	return nil
-}
-
 // SetDecompressor sets a decompression function, which must be a zstd
 // reader.
 //
@@ -668,9 +616,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	if prefsChanged {
 		prefs = b.prefs.Clone()
 	}
-	if st.NetMap != nil {
-		b.updateFilterLocked(st.NetMap, prefs)
-	}
+
 	b.mu.Unlock()
 
 	// Now complete the lock-free parts of what we started while locked.
@@ -692,6 +638,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 			}
 		}
 
+		b.updateFilter(st.NetMap, prefs)
 		b.e.SetNetworkMap(st.NetMap)
 		b.e.SetDERPMap(st.NetMap.DERPMap)
 
@@ -935,7 +882,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	httpTestClient := b.httpTestClient
 
 	if b.hostinfo != nil {
-		hostinfo.Services = b.hostinfo.Services // keep any previous services
+		hostinfo.Services = b.hostinfo.Services // keep any previous session and netinfo
+		hostinfo.NetInfo = b.hostinfo.NetInfo
 	}
 	b.hostinfo = hostinfo
 	b.state = ipn.NoState
@@ -975,9 +923,10 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 
 	b.setNetMapLocked(nil)
 	persistv := b.prefs.Persist
-	b.updateFilterLocked(nil, nil)
 	b.mu.Unlock()
 
+	b.updateFilter(nil, nil)
+
 	if b.portpoll != nil {
 		b.portpollOnce.Do(func() {
 			go b.portpoll.Run(b.ctx)
@@ -1035,7 +984,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		LinkMonitor:          b.e.GetLinkMonitor(),
 		Pinger:               b.e,
 		PopBrowserURL:        b.tellClientToBrowseToURL,
-		Dialer:               b.Dialer(),
 
 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -1076,11 +1024,9 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	return nil
 }
 
-// updateFilterLocked updates the packet filter in wgengine based on the
+// updateFilter updates the packet filter in wgengine based on the
 // given netMap and user preferences.
-//
-// b.mu must be held.
-func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.Prefs) {
+func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs) {
 	// NOTE(danderson): keep change detection as the first thing in
 	// this function. Don't try to optimize by returning early, more
 	// likely than not you'll just end up breaking the change
@@ -1136,12 +1082,8 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.
 	}
 	localNets, _ := localNetsB.IPSet()
 	logNets, _ := logNetsB.IPSet()
-	var sshPol tailcfg.SSHPolicy
-	if haveNetmap && netMap.SSHPolicy != nil {
-		sshPol = *netMap.SSHPolicy
-	}
 
-	changed := deephash.Update(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp, sshPol)
+	changed := deephash.Update(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
 	if !changed {
 		return
 	}
@@ -1160,10 +1102,6 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.
 		b.logf("[v1] netmap packet filter: %v filters", len(packetFilter))
 		b.setFilter(filter.New(packetFilter, localNets, logNets, oldFilter, b.logf))
 	}
-
-	if b.sshServer != nil {
-		go b.sshServer.OnPolicyChange()
-	}
 }
 
 func (b *LocalBackend) setFilter(f *filter.Filter) {
@@ -1616,7 +1554,7 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 	case err != nil:
 		return fmt.Errorf("backend prefs: store.ReadState(%q): %v", key, err)
 	}
-	b.prefs, err = ipn.PrefsFromBytes(bs)
+	b.prefs, err = ipn.PrefsFromBytes(bs, false)
 	if err != nil {
 		b.logf("using backend prefs for %q", key)
 		return fmt.Errorf("PrefsFromBytes: %v", err)
@@ -1698,20 +1636,37 @@ func (b *LocalBackend) StartLoginInteractive() {
 	}
 }
 
-func (b *LocalBackend) Ping(ctx context.Context, ip netaddr.IP, pingType tailcfg.PingType) (*ipnstate.PingResult, error) {
-	ch := make(chan *ipnstate.PingResult, 1)
-	b.e.Ping(ip, pingType, func(pr *ipnstate.PingResult) {
-		select {
-		case ch <- pr:
-		default:
-		}
-	})
-	select {
-	case pr := <-ch:
-		return pr, nil
-	case <-ctx.Done():
-		return nil, ctx.Err()
+// FakeExpireAfter implements Backend.
+func (b *LocalBackend) FakeExpireAfter(x time.Duration) {
+	b.logf("FakeExpireAfter: %v", x)
+
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if b.netMap == nil {
+		return
 	}
+
+	// This function is called very rarely,
+	// so we prefer to fully copy the netmap over introducing in-place modification here.
+	mapCopy := *b.netMap
+	e := mapCopy.Expiry
+	if e.IsZero() || time.Until(e) > x {
+		mapCopy.Expiry = time.Now().Add(x)
+	}
+	b.setNetMapLocked(&mapCopy)
+	b.send(ipn.Notify{NetMap: b.netMap})
+}
+
+func (b *LocalBackend) Ping(ipStr string, useTSMP bool) {
+	ip, err := netaddr.ParseIP(ipStr)
+	if err != nil {
+		b.logf("ignoring Ping request to invalid IP %q", ipStr)
+		return
+	}
+	b.e.Ping(ip, useTSMP, func(pr *ipnstate.PingResult) {
+		b.send(ipn.Notify{PingResult: pr})
+	})
 }
 
 // parseWgStatusLocked returns an EngineStatus based on s.
@@ -1765,53 +1720,11 @@ func (b *LocalBackend) SetCurrentUserID(uid string) {
 	b.mu.Unlock()
 }
 
-func (b *LocalBackend) CheckPrefs(p *ipn.Prefs) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	return b.checkPrefsLocked(p)
-}
-
-func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
-	if p.Hostname == "badhostname.tailscale." {
-		// Keep this one just for testing.
-		return errors.New("bad hostname [test]")
-	}
-	if p.RunSSH {
-		switch runtime.GOOS {
-		case "linux":
-			// okay
-		case "darwin":
-			// okay only in tailscaled mode for now.
-			if version.IsSandboxedMacOS() {
-				return errors.New("The Tailscale SSH server does not run in sandboxed Tailscale GUI builds.")
-			}
-			if !envknob.UseWIPCode() {
-				return errors.New("The Tailscale SSH server is disabled on macOS tailscaled by default. To try, set env TAILSCALE_USE_WIP_CODE=1")
-			}
-		default:
-			return errors.New("The Tailscale SSH server is not supported on " + runtime.GOOS)
-		}
-		if !canSSH {
-			return errors.New("The Tailscale SSH server has been administratively disabled.")
-		}
-		if b.netMap != nil && b.netMap.SSHPolicy == nil &&
-			envknob.SSHPolicyFile() == "" && !envknob.SSHIgnoreTailnetPolicy() {
-			return errors.New("Unable to enable local Tailscale SSH server; not enabled/configured on Tailnet.")
-		}
-	}
-	return nil
-}
-
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
 	b.mu.Lock()
 	p0 := b.prefs.Clone()
 	p1 := b.prefs.Clone()
 	p1.ApplyEdits(mp)
-	if err := b.checkPrefsLocked(p1); err != nil {
-		b.mu.Unlock()
-		b.logf("EditPrefs check error: %v", err)
-		return nil, err
-	}
 	if p1.RunSSH && !canSSH {
 		b.mu.Unlock()
 		b.logf("EditPrefs requests SSH, but disabled by envknob; returning error")
@@ -1867,12 +1780,6 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 	userID := b.userID
 	cc := b.cc
 
-	// [GRINDER STATS LINE] - please don't remove (used for log parsing)
-	if caller == "SetPrefs" {
-		b.logf("SetPrefs: %v", newp.Pretty())
-	}
-	b.updateFilterLocked(netMap, newp)
-
 	b.mu.Unlock()
 
 	if stateKey != "" {
@@ -1882,6 +1789,10 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 	}
 	b.writeServerModeStartState(userID, newp)
 
+	// [GRINDER STATS LINE] - please don't remove (used for log parsing)
+	if caller == "SetPrefs" {
+		b.logf("SetPrefs: %v", newp.Pretty())
+	}
 	if netMap != nil {
 		if login := netMap.UserProfiles[netMap.User].LoginName; login != "" {
 			if newp.Persist == nil {
@@ -1901,6 +1812,8 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 		b.doSetHostinfoFilterServices(newHi)
 	}
 
+	b.updateFilter(netMap, newp)
+
 	if netMap != nil {
 		b.e.SetDERPMap(netMap.DERPMap)
 	}
@@ -1916,10 +1829,6 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 		b.authReconfig()
 	}
 
-	if oldp.RunSSH && !newp.RunSSH && b.sshServer != nil {
-		go b.sshServer.OnPolicyChange()
-	}
-
 	b.send(ipn.Notify{Prefs: newp})
 }
 
@@ -2112,7 +2021,7 @@ func (b *LocalBackend) authReconfig() {
 // a runtime.GOOS.
 func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Logf, versionOS string) *dns.Config {
 	dcfg := &dns.Config{
-		Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
+		Routes: map[dnsname.FQDN][]dnstype.Resolver{},
 		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
 	}
 
@@ -2199,17 +2108,16 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		}
 	}
 
-	addDefault := func(resolvers []*dnstype.Resolver) {
+	addDefault := func(resolvers []dnstype.Resolver) {
 		for _, r := range resolvers {
-			r := r
-			dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, r)
+			dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, normalizeResolver(r))
 		}
 	}
 
 	// If we're using an exit node and that exit node is new enough (1.19.x+)
 	// to run a DoH DNS proxy, then send all our DNS traffic through it.
 	if dohURL, ok := exitNodeCanProxyDNS(nm, prefs.ExitNodeID); ok {
-		addDefault([]*dnstype.Resolver{{Addr: dohURL}})
+		addDefault([]dnstype.Resolver{{Addr: dohURL}})
 		return dcfg
 	}
 
@@ -2228,10 +2136,10 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		//
 		// While we're already populating it, might as well size the
 		// slice appropriately.
-		dcfg.Routes[fqdn] = make([]*dnstype.Resolver, 0, len(resolvers))
+		dcfg.Routes[fqdn] = make([]dnstype.Resolver, 0, len(resolvers))
 
 		for _, r := range resolvers {
-			dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], r)
+			dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], normalizeResolver(r))
 		}
 	}
 
@@ -2262,6 +2170,16 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 	return dcfg
 }
 
+func normalizeResolver(cfg dnstype.Resolver) dnstype.Resolver {
+	if ip, err := netaddr.ParseIP(cfg.Addr); err == nil {
+		// Add 53 here for bare IPs for consistency with previous data type.
+		return dnstype.Resolver{
+			Addr: netaddr.IPPortFrom(ip, 53).String(),
+		}
+	}
+	return cfg
+}
+
 // SetVarRoot sets the root directory of Tailscale's writable
 // storage area . (e.g. "/var/lib/tailscale")
 //
@@ -2331,9 +2249,6 @@ const peerAPIListenAsync = runtime.GOOS == "windows" || runtime.GOOS == "android
 func (b *LocalBackend) initPeerAPIListener() {
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	if b.shutdownCalled {
-		return
-	}
 
 	if b.netMap == nil {
 		// We're called from authReconfig which checks that
@@ -2875,6 +2790,9 @@ func (b *LocalBackend) assertClientLocked() {
 func (b *LocalBackend) setNetInfo(ni *tailcfg.NetInfo) {
 	b.mu.Lock()
 	cc := b.cc
+	if b.hostinfo != nil {
+		b.hostinfo.NetInfo = ni.Clone()
+	}
 	b.mu.Unlock()
 
 	if cc == nil {
@@ -3289,7 +3207,7 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	if !ok {
 		return nil, errors.New("engine isn't InternalsGetter")
 	}
-	_, mc, _, ok := ig.GetInternals()
+	_, mc, ok := ig.GetInternals()
 	if !ok {
 		return nil, errors.New("failed to get internals")
 	}
@@ -3307,45 +3225,3 @@ func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error)
 	}
 	return cc.DoNoiseRequest(req)
 }
-
-func (b *LocalBackend) HandleSSHConn(c net.Conn) error {
-	if b.sshServer == nil {
-		return errors.New("no SSH server")
-	}
-	return b.sshServer.HandleSSHConn(c)
-}
-
-// HandleQuad100Port80Conn serves http://100.100.100.100/ on port 80 (and
-// the equivalent tsaddr.TailscaleServiceIPv6 address).
-func (b *LocalBackend) HandleQuad100Port80Conn(c net.Conn) {
-	var s http.Server
-	s.Handler = http.HandlerFunc(b.handleQuad100Port80Conn)
-	s.Serve(netutil.NewOneConnListener(c, nil))
-}
-
-func (b *LocalBackend) handleQuad100Port80Conn(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("X-Frame-Options", "DENY")
-	w.Header().Set("Content-Security-Policy", "default-src 'self';")
-	if r.Method != "GET" && r.Method != "HEAD" {
-		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-		return
-	}
-
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	io.WriteString(w, "<h1>Tailscale</h1>\n")
-	if b.netMap == nil {
-		io.WriteString(w, "No netmap.\n")
-		return
-	}
-	if len(b.netMap.Addresses) == 0 {
-		io.WriteString(w, "No local addresses.\n")
-		return
-	}
-	io.WriteString(w, "<p>Local addresses:</p><ul>\n")
-	for _, ipp := range b.netMap.Addresses {
-		fmt.Fprintf(w, "<li>%v</li>\n", ipp.IP())
-	}
-	io.WriteString(w, "</ul>\n")
-}

ipn/ipnlocal/peerapi.go

@@ -29,7 +29,6 @@ import (
 	"unicode"
 	"unicode/utf8"
 
-	"github.com/kortschak/wol"
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
@@ -387,14 +386,6 @@ func (s *peerAPIServer) OpenFile(baseName string) (rc io.ReadCloser, size int64,
 }
 
 func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net.Listener, err error) {
-	// Android for whatever reason often has problems creating the peerapi listener.
-	// But since we started intercepting it with netstack, it's not even important that
-	// we have a real kernel-level listener. So just create a dummy listener on Android
-	// and let netstack intercept it.
-	if runtime.GOOS == "android" {
-		return newFakePeerAPIListener(ip), nil
-	}
-
 	ipStr := ip.String()
 
 	var lc net.ListenConfig
@@ -437,15 +428,8 @@ func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net
 			return ln, nil
 		}
 	}
-	// Fall back to some random ephemeral port.
-	ln, err = lc.Listen(context.Background(), tcp4or6, net.JoinHostPort(ipStr, "0"))
-
-	// And if we're on a platform with netstack (anything but iOS), then just fallback to netstack.
-	if err != nil && runtime.GOOS != "ios" {
-		s.b.logf("peerapi: failed to do peerAPI listen, harmless (netstack available) but error was: %v", err)
-		return newFakePeerAPIListener(ip), nil
-	}
-	return ln, err
+	// Fall back to random ephemeral port.
+	return lc.Listen(context.Background(), tcp4or6, net.JoinHostPort(ipStr, "0"))
 }
 
 type peerAPIListener struct {
@@ -564,12 +548,6 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case "/v0/dnsfwd":
 		h.handleServeDNSFwd(w, r)
 		return
-	case "/v0/wol":
-		h.handleWakeOnLAN(w, r)
-		return
-	case "/v0/interfaces":
-		h.handleServeInterfaces(w, r)
-		return
 	}
 	who := h.peerUser.DisplayName
 	fmt.Fprintf(w, `<html>
@@ -584,40 +562,6 @@ This is my Tailscale device. Your device is %v.
 	}
 }
 
-func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
-		return
-	}
-	i, err := interfaces.GetList()
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-	}
-
-	dr, err := interfaces.DefaultRoute()
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	fmt.Fprintln(w, "<h1>Interfaces</h1>")
-	fmt.Fprintf(w, "<h3>Default route is %q(%d)</h3>\n", dr.InterfaceName, dr.InterfaceIndex)
-
-	fmt.Fprintln(w, "<table>")
-	fmt.Fprint(w, "<tr>")
-	for _, v := range []any{"Index", "Name", "MTU", "Flags", "Addrs"} {
-		fmt.Fprintf(w, "<th>%v</th> ", v)
-	}
-	fmt.Fprint(w, "</tr>\n")
-	i.ForeachInterface(func(iface interfaces.Interface, ipps []netaddr.IPPrefix) {
-		fmt.Fprint(w, "<tr>")
-		for _, v := range []any{iface.Index, iface.Name, iface.MTU, iface.Flags, ipps} {
-			fmt.Fprintf(w, "<td>%v</td> ", v)
-		}
-		fmt.Fprint(w, "</tr>\n")
-	})
-	fmt.Fprintln(w, "</table>")
-}
-
 type incomingFile struct {
 	name        string // "foo.jpg"
 	started     time.Time
@@ -676,34 +620,9 @@ func (f *incomingFile) PartialFile() ipn.PartialFile {
 	}
 }
 
-// canPutFile reports whether h can put a file ("Taildrop") to this node.
-func (h *peerAPIHandler) canPutFile() bool {
-	return h.isSelf || h.peerHasCap(tailcfg.CapabilityFileSharingSend)
-}
-
-// canDebug reports whether h can debug this node (goroutines, metrics,
-// magicsock internal state, etc).
-func (h *peerAPIHandler) canDebug() bool {
-	return h.isSelf || h.peerHasCap(tailcfg.CapabilityDebugPeer)
-}
-
-// canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.
-func (h *peerAPIHandler) canWakeOnLAN() bool {
-	return h.isSelf || h.peerHasCap(tailcfg.CapabilityWakeOnLAN)
-}
-
-func (h *peerAPIHandler) peerHasCap(wantCap string) bool {
-	for _, hasCap := range h.ps.b.PeerCaps(h.remoteAddr.IP()) {
-		if hasCap == wantCap {
-			return true
-		}
-	}
-	return false
-}
-
 func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
-	if !h.canPutFile() {
-		http.Error(w, "Taildrop access denied", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	if !h.ps.b.hasCapFileSharing() {
@@ -822,8 +741,8 @@ func approxSize(n int64) string {
 }
 
 func (h *peerAPIHandler) handleServeGoroutines(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	var buf []byte
@@ -838,8 +757,8 @@ func (h *peerAPIHandler) handleServeGoroutines(w http.ResponseWriter, r *http.Re
 }
 
 func (h *peerAPIHandler) handleServeEnv(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	var data struct {
@@ -858,13 +777,13 @@ func (h *peerAPIHandler) handleServeEnv(w http.ResponseWriter, r *http.Request)
 }
 
 func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	eng := h.ps.b.e
 	if ig, ok := eng.(wgengine.InternalsGetter); ok {
-		if _, mc, _, ok := ig.GetInternals(); ok {
+		if _, mc, ok := ig.GetInternals(); ok {
 			mc.ServeHTTPDebug(w, r)
 			return
 		}
@@ -873,8 +792,8 @@ func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Req
 }
 
 func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	w.Header().Set("Content-Type", "text/plain")
@@ -882,8 +801,8 @@ func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Reque
 }
 
 func (h *peerAPIHandler) handleServeDNSFwd(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	dh := health.DebugHandler("dnsfwd")
@@ -894,62 +813,6 @@ func (h *peerAPIHandler) handleServeDNSFwd(w http.ResponseWriter, r *http.Reques
 	dh.ServeHTTP(w, r)
 }
 
-func (h *peerAPIHandler) handleWakeOnLAN(w http.ResponseWriter, r *http.Request) {
-	if !h.canWakeOnLAN() {
-		http.Error(w, "no WoL access", http.StatusForbidden)
-		return
-	}
-	if r.Method != "POST" {
-		http.Error(w, "bad method", http.StatusMethodNotAllowed)
-		return
-	}
-	macStr := r.FormValue("mac")
-	if macStr == "" {
-		http.Error(w, "missing 'mac' param", http.StatusBadRequest)
-		return
-	}
-	mac, err := net.ParseMAC(macStr)
-	if err != nil {
-		http.Error(w, "bad 'mac' param", http.StatusBadRequest)
-		return
-	}
-	var password []byte // TODO(bradfitz): support?
-	st, err := interfaces.GetState()
-	if err != nil {
-		http.Error(w, "failed to get interfaces state", http.StatusInternalServerError)
-		return
-	}
-	var res struct {
-		SentTo []string
-		Errors []string
-	}
-	for ifName, ips := range st.InterfaceIPs {
-		for _, ip := range ips {
-			if ip.IP().IsLoopback() || ip.IP().Is6() {
-				continue
-			}
-			ipa := ip.IP().IPAddr()
-			local := &net.UDPAddr{
-				IP:   ipa.IP,
-				Port: 0,
-			}
-			remote := &net.UDPAddr{
-				IP:   net.IPv4bcast,
-				Port: 0,
-			}
-			if err := wol.Wake(mac, password, local, remote); err != nil {
-				res.Errors = append(res.Errors, err.Error())
-			} else {
-				res.SentTo = append(res.SentTo, ifName)
-			}
-			break // one per interface is enough
-		}
-	}
-	sort.Strings(res.SentTo)
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(res)
-}
-
 func (h *peerAPIHandler) replyToDNSQueries() bool {
 	if h.isSelf {
 		// If the peer is owned by the same user, just allow it
@@ -1164,49 +1027,3 @@ func writePrettyDNSReply(w io.Writer, res []byte) (err error) {
 	w.Write(j)
 	return nil
 }
-
-// newFakePeerAPIListener creates a new net.Listener that acts like
-// it's listening on the provided IP address and on TCP port 1.
-//
-// See docs on fakePeerAPIListener.
-func newFakePeerAPIListener(ip netaddr.IP) net.Listener {
-	return &fakePeerAPIListener{
-		addr:   netaddr.IPPortFrom(ip, 1).TCPAddr(),
-		closed: make(chan struct{}),
-	}
-}
-
-// fakePeerAPIListener is a net.Listener that has an Addr method returning a TCPAddr
-// for a given IP on port 1 (arbitrary) and can be Closed, but otherwise Accept
-// just blocks forever until closed. The purpose of this is to let the rest
-// of the LocalBackend/PeerAPI code run and think it's talking to the kernel,
-// even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
-// or we lack permission to listen on a port. It's okay to not actually listen via
-// the kernel because on almost all platforms (except iOS as of 2022-04-20) we
-// also intercept netstack TCP requests in to our peerapi port and hand it over
-// directly to peerapi, without involving the kernel. So this doesn't need to be
-// real. But the port number we return (1, in this case) is the port number we advertise
-// to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's
-// using it, it doesn't matter, as we intercept it first in netstack and the kernel
-// never notices.
-//
-// Eventually we'll remove this code and do this on all platforms, when iOS also uses
-// netstack.
-type fakePeerAPIListener struct {
-	addr net.Addr
-
-	closeOnce sync.Once
-	closed    chan struct{}
-}
-
-func (fl *fakePeerAPIListener) Close() error {
-	fl.closeOnce.Do(func() { close(fl.closed) })
-	return nil
-}
-
-func (fl *fakePeerAPIListener) Accept() (net.Conn, error) {
-	<-fl.closed
-	return nil, net.ErrClosed
-}
-
-func (fl *fakePeerAPIListener) Addr() net.Addr { return fl.addr }

ipn/ipnlocal/peerapi_test.go

@@ -158,7 +158,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
 			checks: checks(
 				httpStatus(http.StatusForbidden),
-				bodyContains("Taildrop access denied"),
+				bodyContains("not owner"),
 			),
 		},
 		{

ipn/ipnstate/ipnstate.go

@@ -480,8 +480,6 @@ func osEmoji(os string) string {
 
 // PingResult contains response information for the "tailscale ping" subcommand,
 // saying how Tailscale can reach a Tailscale IP or subnet-routed IP.
-// See tailcfg.PingResponse for a related response that is sent back to control
-// for remote diagnostic pings.
 type PingResult struct {
 	IP       string // ping destination
 	NodeIP   string // Tailscale IP of node handling IP (different for subnet routers)
@@ -515,22 +513,6 @@ type PingResult struct {
 	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
 }
 
-func (pr *PingResult) ToPingResponse(pingType tailcfg.PingType) *tailcfg.PingResponse {
-	return &tailcfg.PingResponse{
-		Type:           pingType,
-		IP:             pr.IP,
-		NodeIP:         pr.NodeIP,
-		NodeName:       pr.NodeName,
-		Err:            pr.Err,
-		LatencySeconds: pr.LatencySeconds,
-		Endpoint:       pr.Endpoint,
-		DERPRegionID:   pr.DERPRegionID,
-		DERPRegionCode: pr.DERPRegionCode,
-		PeerAPIPort:    pr.PeerAPIPort,
-		IsLocalIP:      pr.IsLocalIP,
-	}
-}
-
 func SortPeers(peers []*PeerStatus) {
 	sort.Slice(peers, func(i, j int) bool { return sortKey(peers[i]) < sortKey(peers[j]) })
 }

ipn/localapi/localapi.go

@@ -111,10 +111,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveLogout(w, r)
 	case "/localapi/v0/prefs":
 		h.servePrefs(w, r)
-	case "/localapi/v0/ping":
-		h.servePing(w, r)
-	case "/localapi/v0/check-prefs":
-		h.serveCheckPrefs(w, r)
 	case "/localapi/v0/check-ip-forwarding":
 		h.serveCheckIPForwarding(w, r)
 	case "/localapi/v0/bugreport":
@@ -227,7 +223,6 @@ func (h *Handler) serveWhoIs(w http.ResponseWriter, r *http.Request) {
 	res := &apitype.WhoIsResponse{
 		Node:        n,
 		UserProfile: &u,
-		Caps:        b.PeerCaps(ipp.IP()),
 	}
 	j, err := json.MarshalIndent(res, "", "\t")
 	if err != nil {
@@ -380,9 +375,7 @@ func (h *Handler) servePrefs(w http.ResponseWriter, r *http.Request) {
 		var err error
 		prefs, err = h.b.EditPrefs(mp)
 		if err != nil {
-			w.Header().Set("Content-Type", "application/json")
-			w.WriteHeader(http.StatusBadRequest)
-			json.NewEncoder(w).Encode(resJSON{Error: err.Error()})
+			http.Error(w, err.Error(), 400)
 			return
 		}
 	case "GET", "HEAD":
@@ -397,33 +390,6 @@ func (h *Handler) servePrefs(w http.ResponseWriter, r *http.Request) {
 	e.Encode(prefs)
 }
 
-type resJSON struct {
-	Error string `json:",omitempty"`
-}
-
-func (h *Handler) serveCheckPrefs(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "checkprefs access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "POST" {
-		http.Error(w, "unsupported method", http.StatusMethodNotAllowed)
-		return
-	}
-	p := new(ipn.Prefs)
-	if err := json.NewDecoder(r.Body).Decode(p); err != nil {
-		http.Error(w, "invalid JSON body", 400)
-		return
-	}
-	err := h.b.CheckPrefs(p)
-	var res resJSON
-	if err != nil {
-		res.Error = err.Error()
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(res)
-}
-
 func (h *Handler) serveFiles(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "file access denied", http.StatusForbidden)
@@ -627,36 +593,6 @@ func (h *Handler) serveSetExpirySooner(w http.ResponseWriter, r *http.Request) {
 	io.WriteString(w, "done\n")
 }
 
-func (h *Handler) servePing(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	if r.Method != "POST" {
-		http.Error(w, "want POST", 400)
-		return
-	}
-	ipStr := r.FormValue("ip")
-	if ipStr == "" {
-		http.Error(w, "missing 'ip' parameter", 400)
-		return
-	}
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		http.Error(w, "invalid IP", 400)
-		return
-	}
-	pingTypeStr := r.FormValue("type")
-	if ipStr == "" {
-		http.Error(w, "missing 'type' parameter", 400)
-		return
-	}
-	res, err := h.b.Ping(ctx, ip, tailcfg.PingType(pingTypeStr))
-	if err != nil {
-		writeErrorJSON(w, err)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(res)
-}
-
 func (h *Handler) serveDial(w http.ResponseWriter, r *http.Request) {
 	if r.Method != "POST" {
 		http.Error(w, "POST required", http.StatusMethodNotAllowed)

ipn/message.go

@@ -13,8 +13,8 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"time"
 
-	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/structs"
@@ -51,6 +51,15 @@ type SetPrefsArgs struct {
 	New *Prefs
 }
 
+type FakeExpireAfterArgs struct {
+	Duration time.Duration
+}
+
+type PingArgs struct {
+	IP      string
+	UseTSMP bool
+}
+
 // Command is a command message that is JSON encoded and sent by a
 // frontend to a backend.
 type Command struct {
@@ -73,6 +82,8 @@ type Command struct {
 	SetPrefs              *SetPrefsArgs
 	RequestEngineStatus   *NoArgs
 	RequestStatus         *NoArgs
+	FakeExpireAfter       *FakeExpireAfterArgs
+	Ping                  *PingArgs
 }
 
 type BackendServer struct {
@@ -105,7 +116,7 @@ func (bs *BackendServer) send(n Notify) {
 	if bs.sendNotifyMsg == nil {
 		return
 	}
-	n.Version = ipcVersion
+	n.Version = version.Long
 	bs.sendNotifyMsg(n)
 }
 
@@ -142,9 +153,9 @@ func (bs *BackendServer) GotCommandMsg(ctx context.Context, b []byte) error {
 const ErrMsgPermissionDenied = "permission denied"
 
 func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
-	if cmd.Version != ipcVersion && !cmd.AllowVersionSkew {
+	if cmd.Version != version.Long && !cmd.AllowVersionSkew {
 		vs := fmt.Sprintf("GotCommand: Version mismatch! frontend=%#v backend=%#v",
-			cmd.Version, ipcVersion)
+			cmd.Version, version.Long)
 		bs.logf("%s", vs)
 		// ignore the command, but send a message back to the
 		// caller so it can realize the version mismatch too.
@@ -164,6 +175,9 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	if c := cmd.RequestEngineStatus; c != nil {
 		bs.b.RequestEngineStatus()
 		return nil
+	} else if c := cmd.Ping; c != nil {
+		bs.b.Ping(c.IP, c.UseTSMP)
+		return nil
 	}
 
 	if IsReadonlyContext(ctx) {
@@ -190,6 +204,9 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	} else if c := cmd.SetPrefs; c != nil {
 		bs.b.SetPrefs(c.New)
 		return nil
+	} else if c := cmd.FakeExpireAfter; c != nil {
+		bs.b.FakeExpireAfter(c.Duration)
+		return nil
 	}
 	return fmt.Errorf("BackendServer.Do: no command specified")
 }
@@ -211,19 +228,6 @@ func NewBackendClient(logf logger.Logf, sendCommandMsg func(jsonb []byte)) *Back
 	}
 }
 
-// IPCVersion returns version.Long usually, unless TS_DEBUG_FAKE_IPC_VERSION is
-// set, in which it contains that value. This is only used for weird development
-// cases when testing mismatched versions and you want the client to act like it's
-// compatible with the server.
-func IPCVersion() string {
-	if v := envknob.String("TS_DEBUG_FAKE_IPC_VERSION"); v != "" {
-		return v
-	}
-	return version.Long
-}
-
-var ipcVersion = IPCVersion()
-
 func (bc *BackendClient) GotNotifyMsg(b []byte) {
 	if len(b) == 0 {
 		// not interesting
@@ -236,9 +240,9 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 	if err := json.Unmarshal(b, &n); err != nil {
 		log.Fatalf("BackendClient.Notify: cannot decode message (length=%d, %#q): %v", len(b), b, err)
 	}
-	if n.Version != ipcVersion && !bc.AllowVersionSkew {
+	if n.Version != version.Long && !bc.AllowVersionSkew {
 		vs := fmt.Sprintf("GotNotify: Version mismatch! frontend=%#v backend=%#v",
-			ipcVersion, n.Version)
+			version.Long, n.Version)
 		bc.logf("%s", vs)
 		// delete anything in the notification except the version,
 		// to prevent incorrect operation.
@@ -253,7 +257,7 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 }
 
 func (bc *BackendClient) send(cmd Command) {
-	cmd.Version = ipcVersion
+	cmd.Version = version.Long
 	b, err := json.Marshal(cmd)
 	if err != nil {
 		log.Fatalf("Failed json.Marshal(cmd): %v\n", err)
@@ -302,6 +306,17 @@ func (bc *BackendClient) RequestStatus() {
 	bc.send(Command{AllowVersionSkew: true, RequestStatus: &NoArgs{}})
 }
 
+func (bc *BackendClient) FakeExpireAfter(x time.Duration) {
+	bc.send(Command{FakeExpireAfter: &FakeExpireAfterArgs{Duration: x}})
+}
+
+func (bc *BackendClient) Ping(ip string, useTSMP bool) {
+	bc.send(Command{Ping: &PingArgs{
+		IP:      ip,
+		UseTSMP: useTSMP,
+	}})
+}
+
 // MaxMessageSize is the maximum message size, in bytes.
 const MaxMessageSize = 10 << 20
 

ipn/prefs.go

@@ -27,7 +27,7 @@ import (
 	"tailscale.com/util/dnsname"
 )
 
-//go:generate go run tailscale.com/cmd/cloner -type=Prefs
+//go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go
 
 // DefaultControlURL is the URL base of the control plane
 // ("coordination server") for use when no explicit one is configured.
@@ -428,14 +428,9 @@ func NewPrefs() *Prefs {
 }
 
 // ControlURLOrDefault returns the coordination server's URL base.
-//
-// If not configured, or if the configured value is a legacy name equivalent to
-// the default, then DefaultControlURL is returned instead.
+// If not configured, DefaultControlURL is returned instead.
 func (p *Prefs) ControlURLOrDefault() string {
 	if p.ControlURL != "" {
-		if p.ControlURL != DefaultControlURL && IsLoginServerSynonym(p.ControlURL) {
-			return DefaultControlURL
-		}
 		return p.ControlURL
 	}
 	return DefaultControlURL
@@ -584,8 +579,10 @@ func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error {
 	return err
 }
 
-// PrefsFromBytes deserializes Prefs from a JSON blob.
-func PrefsFromBytes(b []byte) (*Prefs, error) {
+// PrefsFromBytes deserializes Prefs from a JSON blob. If
+// enforceDefaults is true, Prefs.RouteAll and Prefs.AllowSingleHosts
+// are forced on.
+func PrefsFromBytes(b []byte, enforceDefaults bool) (*Prefs, error) {
 	p := NewPrefs()
 	if len(b) == 0 {
 		return p, nil
@@ -601,6 +598,10 @@ func PrefsFromBytes(b []byte) (*Prefs, error) {
 			log.Printf("Prefs parse: %v: %v\n", err, b)
 		}
 	}
+	if enforceDefaults {
+		p.RouteAll = true
+		p.AllowSingleHosts = true
+	}
 	return p, err
 }
 
@@ -619,7 +620,7 @@ func LoadPrefs(filename string) (*Prefs, error) {
 		// to log in again. (better than crashing)
 		return nil, os.ErrNotExist
 	}
-	p, err := PrefsFromBytes(data)
+	p, err := PrefsFromBytes(data, false)
 	if err != nil {
 		return nil, fmt.Errorf("LoadPrefs(%q) decode: %w", filename, err)
 	}

ipn/prefs_clone.go

@@ -1,8 +1,9 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 // Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+//go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go
 
 package ipn
 

ipn/prefs_test.go

@@ -302,7 +302,7 @@ func checkPrefs(t *testing.T, p Prefs) {
 	if p.Equals(p2) {
 		t.Fatalf("p == p2\n")
 	}
-	p2b, err = PrefsFromBytes(p2.ToBytes())
+	p2b, err = PrefsFromBytes(p2.ToBytes(), false)
 	if err != nil {
 		t.Fatalf("PrefsFromBytes(p2) failed\n")
 	}
@@ -810,18 +810,3 @@ func TestExitNodeIPOfArg(t *testing.T) {
 		})
 	}
 }
-
-func TestControlURLOrDefault(t *testing.T) {
-	var p Prefs
-	if got, want := p.ControlURLOrDefault(), DefaultControlURL; got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-	p.ControlURL = "http://foo.bar"
-	if got, want := p.ControlURLOrDefault(), "http://foo.bar"; got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-	p.ControlURL = "https://login.tailscale.com"
-	if got, want := p.ControlURLOrDefault(), DefaultControlURL; got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-}

ipn/store/stores.go

@@ -21,7 +21,6 @@ import (
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/paths"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/mak"
 )
 
 // Provider returns a StateStore for the provided path.
@@ -83,7 +82,10 @@ func Register(prefix string, fn Provider) {
 	if _, ok := knownStores[prefix]; ok {
 		panic(fmt.Sprintf("%q already registered", prefix))
 	}
-	mak.Set(&knownStores, prefix, fn)
+	if knownStores == nil {
+		knownStores = make(map[string]Provider)
+	}
+	knownStores[prefix] = fn
 }
 
 // TryWindowsAppDataMigration attempts to copy the Windows state file

logtail/logtail.go

@@ -20,7 +20,6 @@ import (
 
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/syncs"
 	tslogger "tailscale.com/types/logger"
 	"tailscale.com/wgengine/monitor"
 )
@@ -413,18 +412,7 @@ func (l *Logger) Flush() error {
 	return nil
 }
 
-// logtailDisabled is whether logtail uploads to logcatcher are disabled.
-var logtailDisabled syncs.AtomicBool
-
-// Disable disables logtail uploads for the lifetime of the process.
-func Disable() {
-	logtailDisabled.Set(true)
-}
-
 func (l *Logger) send(jsonBlob []byte) (int, error) {
-	if logtailDisabled.Get() {
-		return len(jsonBlob), nil
-	}
 	n, err := l.buffer.Write(jsonBlob)
 	if l.drainLogs == nil {
 		select {

net/dns/config.go

@@ -22,14 +22,14 @@ type Config struct {
 	// which aren't covered by more specific per-domain routes below.
 	// If empty, the OS's default resolvers (the ones that predate
 	// Tailscale altering the configuration) are used.
-	DefaultResolvers []*dnstype.Resolver
+	DefaultResolvers []dnstype.Resolver
 	// Routes maps a DNS suffix to the resolvers that should be used
 	// for queries that fall within that suffix.
 	// If a query doesn't match any entry in Routes, the
 	// DefaultResolvers are used.
 	// A Routes entry with no resolvers means the route should be
 	// authoritatively answered using the contents of Hosts.
-	Routes map[dnsname.FQDN][]*dnstype.Resolver
+	Routes map[dnsname.FQDN][]dnstype.Resolver
 	// SearchDomains are DNS suffixes to try when expanding
 	// single-label queries.
 	SearchDomains []dnsname.FQDN
@@ -84,7 +84,10 @@ func (c Config) hasDefaultIPResolversOnly() bool {
 		return false
 	}
 	for _, r := range c.DefaultResolvers {
-		if ipp, ok := r.IPPort(); !ok || ipp.Port() != 53 {
+		if ipp, err := netaddr.ParseIPPort(r.Addr); err == nil && ipp.Port() == 53 {
+			continue
+		}
+		if _, err := netaddr.ParseIP(r.Addr); err != nil {
 			return false
 		}
 	}
@@ -98,9 +101,9 @@ func (c Config) hasDefaultResolvers() bool {
 // singleResolverSet returns the resolvers used by c.Routes if all
 // routes use the same resolvers, or nil if multiple sets of resolvers
 // are specified.
-func (c Config) singleResolverSet() []*dnstype.Resolver {
+func (c Config) singleResolverSet() []dnstype.Resolver {
 	var (
-		prev            []*dnstype.Resolver
+		prev            []dnstype.Resolver
 		prevInitialized bool
 	)
 	for _, resolvers := range c.Routes {
@@ -128,7 +131,7 @@ func (c Config) matchDomains() []dnsname.FQDN {
 	return ret
 }
 
-func sameResolverNames(a, b []*dnstype.Resolver) bool {
+func sameResolverNames(a, b []dnstype.Resolver) bool {
 	if len(a) != len(b) {
 		return false
 	}

net/dns/manager.go

@@ -6,64 +6,20 @@ package dns
 
 import (
 	"bufio"
-	"bytes"
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/binary"
-	"encoding/pem"
-	"errors"
-	"io"
-	"math/big"
-	"net"
 	"runtime"
-	"sync"
-	"sync/atomic"
 	"time"
 
 	"inet.af/netaddr"
 	"tailscale.com/health"
 	"tailscale.com/net/dns/resolver"
-	"tailscale.com/net/packet"
-	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tsdial"
-	"tailscale.com/net/tstun"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/monitor"
 )
 
-var (
-	magicDNSIP   = tsaddr.TailscaleServiceIP()
-	magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
-)
-
-var (
-	errFullQueue = errors.New("request queue full")
-)
-
-// maxActiveQueries returns the maximal number of DNS requests that be
-// can running.
-// If EnqueueRequest is called when this many requests are already pending,
-// the request will be dropped to avoid blocking the caller.
-func maxActiveQueries() int32 {
-	if runtime.GOOS == "ios" {
-		// For memory paranoia reasons on iOS, match the
-		// historical Tailscale 1.x..1.8 behavior for now
-		// (just before the 1.10 release).
-		return 64
-	}
-	// But for other platforms, allow more burstiness:
-	return 256
-}
-
 // We use file-ignore below instead of ignore because on some platforms,
 // the lint exception is necessary and on others it is not,
 // and plain ignore complains if the exception is unnecessary.
@@ -75,32 +31,10 @@ func maxActiveQueries() int32 {
 // Such operations should be wrapped in a timeout context.
 const reconfigTimeout = time.Second
 
-type response struct {
-	pkt []byte
-	to  netaddr.IPPort // response destination (request source)
-}
-
 // Manager manages system DNS settings.
 type Manager struct {
 	logf logger.Logf
 
-	// When netstack is not used, Manager implements magic DNS.
-	// In this case, responses tracks completed DNS requests
-	// which need a response, and NextPacket() synthesizes a
-	// fake IP+UDP header to finish assembling the response.
-	//
-	// TODO(tom): Rip out once all platforms use netstack.
-	responses           chan response
-	activeQueriesAtomic int32
-
-	// DNS-over-TLS cached value.
-	dotCertMu   sync.Mutex
-	dotCertLast time.Time
-	dotCertVal  tls.Certificate
-
-	ctx       context.Context    // good until Down
-	ctxCancel context.CancelFunc // closes ctx
-
 	resolver *resolver.Resolver
 	os       OSConfigurator
 }
@@ -112,12 +46,10 @@ func NewManager(logf logger.Logf, oscfg OSConfigurator, linkMon *monitor.Mon, di
 	}
 	logf = logger.WithPrefix(logf, "dns: ")
 	m := &Manager{
-		logf:      logf,
-		resolver:  resolver.New(logf, linkMon, linkSel, dialer),
-		os:        oscfg,
-		responses: make(chan response),
+		logf:     logf,
+		resolver: resolver.New(logf, linkMon, linkSel, dialer),
+		os:       oscfg,
 	}
-	m.ctx, m.ctxCancel = context.WithCancel(context.Background())
 	m.logf("using %T", m.os)
 	return m
 }
@@ -159,7 +91,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// authoritative suffixes, even if we don't propagate MagicDNS to
 	// the OS.
 	rcfg.Hosts = cfg.Hosts
-	routes := map[dnsname.FQDN][]*dnstype.Resolver{} // assigned conditionally to rcfg.Routes below.
+	routes := map[dnsname.FQDN][]dnstype.Resolver{} // assigned conditionally to rcfg.Routes below.
 	for suffix, resolvers := range cfg.Routes {
 		if len(resolvers) == 0 {
 			rcfg.LocalDomains = append(rcfg.LocalDomains, suffix)
@@ -240,9 +172,9 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 			health.SetDNSOSHealth(err)
 			return resolver.Config{}, OSConfig{}, err
 		}
-		var defaultRoutes []*dnstype.Resolver
+		var defaultRoutes []dnstype.Resolver
 		for _, ip := range bcfg.Nameservers {
-			defaultRoutes = append(defaultRoutes, &dnstype.Resolver{Addr: ip.String()})
+			defaultRoutes = append(defaultRoutes, dnstype.ResolverFromIP(ip))
 		}
 		rcfg.Routes["."] = defaultRoutes
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
@@ -254,304 +186,34 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 // toIPsOnly returns only the IP portion of dnstype.Resolver.
 // Only safe to use if the resolvers slice has been cleared of
 // DoH or custom-port entries with something like hasDefaultIPResolversOnly.
-func toIPsOnly(resolvers []*dnstype.Resolver) (ret []netaddr.IP) {
+func toIPsOnly(resolvers []dnstype.Resolver) (ret []netaddr.IP) {
 	for _, r := range resolvers {
-		if ipp, ok := r.IPPort(); ok && ipp.Port() == 53 {
+		if ipp, err := netaddr.ParseIPPort(r.Addr); err == nil && ipp.Port() == 53 {
 			ret = append(ret, ipp.IP())
+		} else if ip, err := netaddr.ParseIP(r.Addr); err == nil {
+			ret = append(ret, ip)
 		}
 	}
 	return ret
 }
 
-// EnqueuePacket is the legacy path for handling magic DNS traffic, and is
-// called with a DNS request payload.
-//
-// TODO(tom): Rip out once all platforms use netstack.
+func toIPPorts(ips []netaddr.IP) (ret []netaddr.IPPort) {
+	ret = make([]netaddr.IPPort, 0, len(ips))
+	for _, ip := range ips {
+		ret = append(ret, netaddr.IPPortFrom(ip, 53))
+	}
+	return ret
+}
+
 func (m *Manager) EnqueuePacket(bs []byte, proto ipproto.Proto, from, to netaddr.IPPort) error {
-	if to.Port() != 53 || proto != ipproto.UDP {
-		return nil
-	}
-
-	if n := atomic.AddInt32(&m.activeQueriesAtomic, 1); n > maxActiveQueries() {
-		atomic.AddInt32(&m.activeQueriesAtomic, -1)
-		metricDNSQueryErrorQueue.Add(1)
-		return errFullQueue
-	}
-
-	go func() {
-		resp, err := m.resolver.Query(m.ctx, bs, from)
-		if err != nil {
-			atomic.AddInt32(&m.activeQueriesAtomic, -1)
-			m.logf("dns query: %v", err)
-			return
-		}
-
-		select {
-		case <-m.ctx.Done():
-			return
-		case m.responses <- response{resp, from}:
-		}
-	}()
-	return nil
+	return m.resolver.EnqueuePacket(bs, proto, from, to)
 }
 
-// NextPacket is the legacy path for obtaining DNS results in response to
-// magic DNS queries. It blocks until a response is available.
-//
-// TODO(tom): Rip out once all platforms use netstack.
 func (m *Manager) NextPacket() ([]byte, error) {
-	var resp response
-	select {
-	case <-m.ctx.Done():
-		return nil, net.ErrClosed
-	case resp = <-m.responses:
-		// continue
-	}
-
-	// Unused space is needed further down the stack. To avoid extra
-	// allocations/copying later on, we allocate such space here.
-	const offset = tstun.PacketStartOffset
-
-	var buf []byte
-	switch {
-	case resp.to.IP().Is4():
-		h := packet.UDP4Header{
-			IP4Header: packet.IP4Header{
-				Src: magicDNSIP,
-				Dst: resp.to.IP(),
-			},
-			SrcPort: 53,
-			DstPort: resp.to.Port(),
-		}
-		hlen := h.Len()
-		buf = make([]byte, offset+hlen+len(resp.pkt))
-		copy(buf[offset+hlen:], resp.pkt)
-		h.Marshal(buf[offset:])
-	case resp.to.IP().Is6():
-		h := packet.UDP6Header{
-			IP6Header: packet.IP6Header{
-				Src: magicDNSIPv6,
-				Dst: resp.to.IP(),
-			},
-			SrcPort: 53,
-			DstPort: resp.to.Port(),
-		}
-		hlen := h.Len()
-		buf = make([]byte, offset+hlen+len(resp.pkt))
-		copy(buf[offset+hlen:], resp.pkt)
-		h.Marshal(buf[offset:])
-	}
-
-	atomic.AddInt32(&m.activeQueriesAtomic, -1)
-	return buf, nil
-}
-
-func (m *Manager) Query(ctx context.Context, bs []byte, from netaddr.IPPort) ([]byte, error) {
-	select {
-	case <-m.ctx.Done():
-		return nil, net.ErrClosed
-	default:
-		// continue
-	}
-
-	if n := atomic.AddInt32(&m.activeQueriesAtomic, 1); n > maxActiveQueries() {
-		atomic.AddInt32(&m.activeQueriesAtomic, -1)
-		metricDNSQueryErrorQueue.Add(1)
-		return nil, errFullQueue
-	}
-	defer atomic.AddInt32(&m.activeQueriesAtomic, -1)
-	return m.resolver.Query(ctx, bs, from)
-}
-
-const (
-	// RFC 7766 6.2 recommends connection reuse & request pipelining
-	// be undertaken, and the connection be closed by the server
-	// using an idle timeout on the order of seconds.
-	idleTimeoutTCP = 45 * time.Second
-	// The RFCs don't specify the max size of a TCP-based DNS query,
-	// but we want to keep this reasonable. Given payloads are typically
-	// much larger and all known client send a single query, I've arbitrarily
-	// chosen 2k.
-	maxReqSizeTCP = 2048
-)
-
-// dnsTCPSession services DNS requests sent over TCP.
-type dnsTCPSession struct {
-	m *Manager
-
-	conn    net.Conn
-	srcAddr netaddr.IPPort
-
-	readClosing chan struct{}
-	responses   chan []byte // DNS replies pending writing
-
-	ctx      context.Context
-	closeCtx context.CancelFunc
-}
-
-func (s *dnsTCPSession) handleWrites() {
-	defer s.conn.Close()
-	defer close(s.responses)
-	defer s.closeCtx()
-
-	for {
-		select {
-		case <-s.readClosing:
-			return // connection closed or timeout, teardown time
-
-		case resp := <-s.responses:
-			s.conn.SetWriteDeadline(time.Now().Add(idleTimeoutTCP))
-			if err := binary.Write(s.conn, binary.BigEndian, uint16(len(resp))); err != nil {
-				s.m.logf("tcp write (len): %v", err)
-				return
-			}
-			if _, err := s.conn.Write(resp); err != nil {
-				s.m.logf("tcp write (response): %v", err)
-				return
-			}
-		}
-	}
-}
-
-func (s *dnsTCPSession) handleQuery(q []byte) {
-	resp, err := s.m.Query(s.ctx, q, s.srcAddr)
-	if err != nil {
-		s.m.logf("tcp query: %v", err)
-		return
-	}
-
-	select {
-	case <-s.ctx.Done():
-	case s.responses <- resp:
-	}
-}
-
-func (s *dnsTCPSession) handleReads() {
-	defer close(s.readClosing)
-
-	for {
-		select {
-		case <-s.ctx.Done():
-			return
-
-		default:
-			s.conn.SetReadDeadline(time.Now().Add(idleTimeoutTCP))
-			var reqLen uint16
-			if err := binary.Read(s.conn, binary.BigEndian, &reqLen); err != nil {
-				if err == io.EOF || err == io.ErrClosedPipe {
-					return // connection closed nominally, we gucci
-				}
-				s.m.logf("tcp read (len): %v", err)
-				return
-			}
-			if int(reqLen) > maxReqSizeTCP {
-				s.m.logf("tcp request too large (%d > %d)", reqLen, maxReqSizeTCP)
-				return
-			}
-
-			buf := make([]byte, int(reqLen))
-			if _, err := io.ReadFull(s.conn, buf); err != nil {
-				s.m.logf("tcp read (payload): %v", err)
-				return
-			}
-
-			select {
-			case <-s.ctx.Done():
-				return
-			default:
-				go s.handleQuery(buf)
-			}
-		}
-	}
-}
-
-// HandleTCPConn implements magicDNS over TCP, taking a connection and
-// servicing DNS requests sent down it.
-func (m *Manager) HandleTCPConn(conn net.Conn, srcAddr netaddr.IPPort) {
-	s := dnsTCPSession{
-		m:           m,
-		conn:        conn,
-		srcAddr:     srcAddr,
-		responses:   make(chan []byte),
-		readClosing: make(chan struct{}),
-	}
-	s.ctx, s.closeCtx = context.WithCancel(context.Background())
-	go s.handleReads()
-	s.handleWrites()
-}
-
-const dotCertValidity = time.Hour * 24 * 30 // arbitrary; LetsEncrypt-ish
-
-func (m *Manager) dotCert() (tls.Certificate, error) {
-	m.dotCertMu.Lock()
-	defer m.dotCertMu.Unlock()
-
-	if !m.dotCertLast.IsZero() && time.Since(m.dotCertLast) < dotCertValidity {
-		return m.dotCertVal, nil
-	}
-
-	cert, err := genSelfSignedDoTCert()
-	if err == nil {
-		m.dotCertVal = cert
-		m.dotCertLast = time.Now()
-	}
-	return cert, err
-}
-
-// genSelfSignedDoTCert generates a self-signed certificate for DNS-over-TLS
-// (DoT) queries on 100.100.100.100.
-//
-// This exists for Android Private DNS, which in "Automatic" (aka opportunistic)
-// mode doesn't verify certs.
-//
-// See https://github.com/tailscale/tailscale/issues/915.
-func genSelfSignedDoTCert() (tls.Certificate, error) {
-	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			Organization: []string{"Tailscale MagicDNS"},
-		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(dotCertValidity),
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	privKeyBytes, _ := x509.MarshalECPrivateKey(privKey)
-	pemCert := new(bytes.Buffer)
-	pemKey := new(bytes.Buffer)
-	pem.Encode(pemCert, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-	pem.Encode(pemKey, &pem.Block{Type: "EC PRIVATE KEY", Bytes: privKeyBytes})
-	return tls.X509KeyPair(pemCert.Bytes(), pemKey.Bytes())
-}
-
-// HandleDNSoverTLSConn implements magicDNS over DNS-over-TLS, taking a
-// connection and servicing DNS requests sent down it.
-//
-// It uses a self-signed cert; see genSelfSignedDoTCert for backbground.
-func (m *Manager) HandleDNSoverTLSConn(conn net.Conn, srcAddr netaddr.IPPort) {
-	tlsCert, err := m.dotCert()
-	if err != nil {
-		m.logf("[unexpected] HandleDNSoverTLSConn.dotCert: %v", err)
-		conn.Close()
-	}
-	tlsConn := tls.Server(conn, &tls.Config{
-		Certificates: []tls.Certificate{tlsCert},
-	})
-	m.HandleTCPConn(tlsConn, srcAddr)
+	return m.resolver.NextPacket()
 }
 
 func (m *Manager) Down() error {
-	m.ctxCancel()
 	if err := m.os.Close(); err != nil {
 		return err
 	}
@@ -577,7 +239,3 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("dns down: %v", err)
 	}
 }
-
-var (
-	metricDNSQueryErrorQueue = clientmetric.NewCounter("dns_query_local_error_queue")
-)

net/dns/manager_darwin.go

@@ -1,127 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"bytes"
-	"errors"
-	"os"
-
-	"go4.org/mem"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/mak"
-)
-
-func NewOSConfigurator(logf logger.Logf, ifName string) (OSConfigurator, error) {
-	return &darwinConfigurator{logf: logf, ifName: ifName}, nil
-}
-
-// darwinConfigurator is the tailscaled-on-macOS DNS OS configurator that
-// maintains the Split DNS nameserver entries pointing MagicDNS DNS suffixes
-// to 100.100.100.100 using the macOS /etc/resolver/$SUFFIX files.
-type darwinConfigurator struct {
-	logf   logger.Logf
-	ifName string
-}
-
-func (c *darwinConfigurator) Close() error {
-	c.removeResolverFiles(func(domain string) bool { return true })
-	return nil
-}
-
-func (c *darwinConfigurator) SupportsSplitDNS() bool {
-	return true
-}
-
-func (c *darwinConfigurator) SetDNS(cfg OSConfig) error {
-	var buf bytes.Buffer
-	buf.WriteString(macResolverFileHeader)
-	for i, ip := range cfg.Nameservers {
-		if i == 0 {
-			buf.WriteString("nameserver ")
-		} else {
-			buf.WriteString(" ")
-		}
-		buf.WriteString(ip.String())
-	}
-	buf.WriteString("\n")
-
-	if err := os.MkdirAll("/etc/resolver", 0755); err != nil {
-		return err
-	}
-
-	var keep map[string]bool
-
-	// Add a dummy file to /etc/resolver with a "search ..." directive if we have
-	// search suffixes to add.
-	if len(cfg.SearchDomains) > 0 {
-		const searchFile = "search.tailscale" // fake DNS suffix+TLD to put our search
-		mak.Set(&keep, searchFile, true)
-		var sbuf bytes.Buffer
-		sbuf.WriteString(macResolverFileHeader)
-		sbuf.WriteString("search")
-		for _, d := range cfg.SearchDomains {
-			sbuf.WriteString(" ")
-			sbuf.WriteString(string(d.WithoutTrailingDot()))
-		}
-		sbuf.WriteString("\n")
-		if err := os.WriteFile("/etc/resolver/"+searchFile, sbuf.Bytes(), 0644); err != nil {
-			return err
-		}
-	}
-
-	for _, d := range cfg.MatchDomains {
-		fileBase := string(d.WithoutTrailingDot())
-		mak.Set(&keep, fileBase, true)
-		fullPath := "/etc/resolver/" + fileBase
-
-		if err := os.WriteFile(fullPath, buf.Bytes(), 0644); err != nil {
-			return err
-		}
-	}
-	return c.removeResolverFiles(func(domain string) bool { return !keep[domain] })
-}
-
-func (c *darwinConfigurator) GetBaseConfig() (OSConfig, error) {
-	return OSConfig{}, errors.New("[unexpected] unreachable")
-}
-
-const macResolverFileHeader = "# Added by tailscaled\n"
-
-// removeResolverFiles deletes all files in /etc/resolver for which the shouldDelete
-// func returns true.
-func (c *darwinConfigurator) removeResolverFiles(shouldDelete func(domain string) bool) error {
-	dents, err := os.ReadDir("/etc/resolver")
-	if os.IsNotExist(err) {
-		return nil
-	}
-	if err != nil {
-		return err
-	}
-	for _, de := range dents {
-		if !de.Type().IsRegular() {
-			continue
-		}
-		name := de.Name()
-		if !shouldDelete(name) {
-			continue
-		}
-		fullPath := "/etc/resolver/" + name
-		contents, err := os.ReadFile(fullPath)
-		if err != nil {
-			if os.IsNotExist(err) { // race?
-				continue
-			}
-			return err
-		}
-		if !mem.HasPrefix(mem.B(contents), mem.S(macResolverFileHeader)) {
-			continue
-		}
-		if err := os.Remove(fullPath); err != nil {
-			return err
-		}
-	}
-	return nil
-}

net/dns/manager_default.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !linux && !freebsd && !openbsd && !windows && !darwin
-// +build !linux,!freebsd,!openbsd,!windows,!darwin
+//go:build !linux && !freebsd && !openbsd && !windows
+// +build !linux,!freebsd,!openbsd,!windows
 
 package dns
 

net/dns/manager_tcp_test.go

@@ -1,136 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"encoding/binary"
-	"io"
-	"net"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	dns "golang.org/x/net/dns/dnsmessage"
-	"inet.af/netaddr"
-	"tailscale.com/net/tsdial"
-	"tailscale.com/util/dnsname"
-)
-
-func mkDNSRequest(domain dnsname.FQDN, tp dns.Type) []byte {
-	var dnsHeader dns.Header
-	question := dns.Question{
-		Name:  dns.MustNewName(domain.WithTrailingDot()),
-		Type:  tp,
-		Class: dns.ClassINET,
-	}
-
-	builder := dns.NewBuilder(nil, dnsHeader)
-	if err := builder.StartQuestions(); err != nil {
-		panic(err)
-	}
-	if err := builder.Question(question); err != nil {
-		panic(err)
-	}
-
-	if err := builder.StartAdditionals(); err != nil {
-		panic(err)
-	}
-
-	ednsHeader := dns.ResourceHeader{
-		Name:  dns.MustNewName("."),
-		Type:  dns.TypeOPT,
-		Class: dns.Class(4095),
-	}
-
-	if err := builder.OPTResource(ednsHeader, dns.OPTResource{}); err != nil {
-		panic(err)
-	}
-
-	payload, _ := builder.Finish()
-
-	return payload
-}
-
-func TestDNSOverTCP(t *testing.T) {
-	f := fakeOSConfigurator{
-		SplitDNS: true,
-		BaseConfig: OSConfig{
-			Nameservers:   mustIPs("8.8.8.8"),
-			SearchDomains: fqdns("coffee.shop"),
-		},
-	}
-	m := NewManager(t.Logf, &f, nil, new(tsdial.Dialer), nil)
-	m.resolver.TestOnlySetHook(f.SetResolver)
-	m.Set(Config{
-		Hosts: hosts(
-			"dave.ts.com.", "1.2.3.4",
-			"bradfitz.ts.com.", "2.3.4.5"),
-		Routes:        upstreams("ts.com", ""),
-		SearchDomains: fqdns("tailscale.com", "universe.tf"),
-	})
-	defer m.Down()
-
-	c, s := net.Pipe()
-	defer s.Close()
-	go m.HandleTCPConn(s, netaddr.IPPort{})
-	defer c.Close()
-
-	wantResults := map[dnsname.FQDN]string{
-		"dave.ts.com.":     "1.2.3.4",
-		"bradfitz.ts.com.": "2.3.4.5",
-	}
-
-	for domain, _ := range wantResults {
-		b := mkDNSRequest(domain, dns.TypeA)
-		binary.Write(c, binary.BigEndian, uint16(len(b)))
-		c.Write(b)
-	}
-
-	results := map[dnsname.FQDN]string{}
-	for i := 0; i < len(wantResults); i++ {
-		var respLength uint16
-		if err := binary.Read(c, binary.BigEndian, &respLength); err != nil {
-			t.Fatalf("reading len: %v", err)
-		}
-		resp := make([]byte, int(respLength))
-		if _, err := io.ReadFull(c, resp); err != nil {
-			t.Fatalf("reading data: %v", err)
-		}
-
-		var parser dns.Parser
-		if _, err := parser.Start(resp); err != nil {
-			t.Errorf("parser.Start() failed: %v", err)
-			continue
-		}
-		q, err := parser.Question()
-		if err != nil {
-			t.Errorf("parser.Question(): %v", err)
-			continue
-		}
-		if err := parser.SkipAllQuestions(); err != nil {
-			t.Errorf("parser.SkipAllQuestions(): %v", err)
-			continue
-		}
-		ah, err := parser.AnswerHeader()
-		if err != nil {
-			t.Errorf("parser.AnswerHeader(): %v", err)
-			continue
-		}
-		if ah.Type != dns.TypeA {
-			t.Errorf("unexpected answer type: got %v, want %v", ah.Type, dns.TypeA)
-			continue
-		}
-		res, err := parser.AResource()
-		if err != nil {
-			t.Errorf("parser.AResource(): %v", err)
-			continue
-		}
-		results[dnsname.FQDN(q.Name.String())] = net.IP(res.A[:]).String()
-	}
-	c.Close()
-
-	if diff := cmp.Diff(wantResults, results); diff != "" {
-		t.Errorf("wrong results (-got+want)\n%s", diff)
-	}
-}

net/dns/manager_test.go

@@ -96,7 +96,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			os: OSConfig{
@@ -107,7 +107,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-split",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -119,7 +119,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-magic",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
@@ -131,7 +131,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams(".", "1.1.1.1", "9.9.9.9"),
+				Routes: upstreams(".", "1.1.1.1:53", "9.9.9.9:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -141,7 +141,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-magic-split",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
@@ -154,7 +154,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams(".", "1.1.1.1", "9.9.9.9"),
+				Routes: upstreams(".", "1.1.1.1:53", "9.9.9.9:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -164,8 +164,8 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-routes",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
-				Routes:           upstreams("corp.com", "2.2.2.2"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
+				Routes:           upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			os: OSConfig{
@@ -174,15 +174,15 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "1.1.1.1", "9.9.9.9",
-					"corp.com.", "2.2.2.2"),
+					".", "1.1.1.1:53", "9.9.9.9:53",
+					"corp.com.", "2.2.2.2:53"),
 			},
 		},
 		{
 			name: "corp-routes-split",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
-				Routes:           upstreams("corp.com", "2.2.2.2"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
+				Routes:           upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -192,14 +192,14 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "1.1.1.1", "9.9.9.9",
-					"corp.com.", "2.2.2.2"),
+					".", "1.1.1.1:53", "9.9.9.9:53",
+					"corp.com.", "2.2.2.2:53"),
 			},
 		},
 		{
 			name: "routes",
 			in: Config{
-				Routes:        upstreams("corp.com", "2.2.2.2"),
+				Routes:        upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
@@ -212,14 +212,14 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "8.8.8.8",
-					"corp.com.", "2.2.2.2"),
+					".", "8.8.8.8:53",
+					"corp.com.", "2.2.2.2:53"),
 			},
 		},
 		{
 			name: "routes-split",
 			in: Config{
-				Routes:        upstreams("corp.com", "2.2.2.2"),
+				Routes:        upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -233,8 +233,8 @@ func TestManager(t *testing.T) {
 			name: "routes-multi",
 			in: Config{
 				Routes: upstreams(
-					"corp.com", "2.2.2.2",
-					"bigco.net", "3.3.3.3"),
+					"corp.com", "2.2.2.2:53",
+					"bigco.net", "3.3.3.3:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
@@ -247,17 +247,17 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "8.8.8.8",
-					"corp.com.", "2.2.2.2",
-					"bigco.net.", "3.3.3.3"),
+					".", "8.8.8.8:53",
+					"corp.com.", "2.2.2.2:53",
+					"bigco.net.", "3.3.3.3:53"),
 			},
 		},
 		{
 			name: "routes-multi-split",
 			in: Config{
 				Routes: upstreams(
-					"corp.com", "2.2.2.2",
-					"bigco.net", "3.3.3.3"),
+					"corp.com", "2.2.2.2:53",
+					"bigco.net", "3.3.3.3:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -268,8 +268,8 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					"corp.com.", "2.2.2.2",
-					"bigco.net.", "3.3.3.3"),
+					"corp.com.", "2.2.2.2:53",
+					"bigco.net.", "3.3.3.3:53"),
 			},
 		},
 		{
@@ -290,7 +290,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams(".", "8.8.8.8"),
+				Routes: upstreams(".", "8.8.8.8:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -322,7 +322,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2", "ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53", "ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -338,8 +338,8 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					"corp.com.", "2.2.2.2",
-					".", "8.8.8.8"),
+					"corp.com.", "2.2.2.2:53",
+					".", "8.8.8.8:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -350,7 +350,7 @@ func TestManager(t *testing.T) {
 			name: "routes-magic-split",
 			in: Config{
 				Routes: upstreams(
-					"corp.com", "2.2.2.2",
+					"corp.com", "2.2.2.2:53",
 					"ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
@@ -364,7 +364,7 @@ func TestManager(t *testing.T) {
 				MatchDomains:  fqdns("corp.com", "ts.com"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams("corp.com.", "2.2.2.2"),
+				Routes: upstreams("corp.com.", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -393,14 +393,6 @@ func TestManager(t *testing.T) {
 		},
 	}
 
-	trIP := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
-	trIPPort := cmp.Transformer("ippStr", func(ipp netaddr.IPPort) string {
-		if ipp.Port() == 53 {
-			return ipp.IP().String()
-		}
-		return ipp.String()
-	})
-
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			f := fakeOSConfigurator{
@@ -413,6 +405,8 @@ func TestManager(t *testing.T) {
 			if err := m.Set(test.in); err != nil {
 				t.Fatalf("m.Set: %v", err)
 			}
+			trIP := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
+			trIPPort := cmp.Transformer("ippStr", func(ipp netaddr.IPPort) string { return ipp.String() })
 			if diff := cmp.Diff(f.OSConfig, test.os, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong OSConfig (-got+want)\n%s", diff)
 			}
@@ -437,9 +431,9 @@ func mustIPPs(strs ...string) (ret []netaddr.IPPort) {
 	return ret
 }
 
-func mustRes(strs ...string) (ret []*dnstype.Resolver) {
+func mustRes(strs ...string) (ret []dnstype.Resolver) {
 	for _, s := range strs {
-		ret = append(ret, &dnstype.Resolver{Addr: s})
+		ret = append(ret, dnstype.Resolver{Addr: s})
 	}
 	return ret
 }
@@ -495,9 +489,9 @@ func hostsR(strs ...string) (ret map[dnsname.FQDN][]dnstype.Resolver) {
 	return ret
 }
 
-func upstreams(strs ...string) (ret map[dnsname.FQDN][]*dnstype.Resolver) {
+func upstreams(strs ...string) (ret map[dnsname.FQDN][]dnstype.Resolver) {
 	var key dnsname.FQDN
-	ret = map[dnsname.FQDN][]*dnstype.Resolver{}
+	ret = map[dnsname.FQDN][]dnstype.Resolver{}
 	for _, s := range strs {
 		if s == "" {
 			if key == "" {
@@ -508,14 +502,9 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]*dnstype.Resolver) {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}
-			ret[key] = append(ret[key], &dnstype.Resolver{Addr: ipp.String()})
-		} else if _, err := netaddr.ParseIP(s); err == nil {
-			if key == "" {
-				panic("IPPort provided before suffix")
-			}
-			ret[key] = append(ret[key], &dnstype.Resolver{Addr: s})
+			ret[key] = append(ret[key], dnstype.Resolver{Addr: ipp.String()})
 		} else if strings.HasPrefix(s, "http") {
-			ret[key] = append(ret[key], &dnstype.Resolver{Addr: s})
+			ret[key] = append(ret[key], dnstype.Resolver{Addr: s})
 		} else {
 			fqdn, err := dnsname.ToFQDN(s)
 			if err != nil {

net/dns/resolver/doh_test.go

@@ -49,9 +49,9 @@ func TestDoH(t *testing.T) {
 		dohSem: make(chan struct{}, 10),
 	}
 
-	for urlBase := range publicdns.DoHIPsOfBase() {
-		t.Run(urlBase, func(t *testing.T) {
-			c, ok := f.getKnownDoHClientForProvider(urlBase)
+	for ip := range publicdns.KnownDoH() {
+		t.Run(ip.String(), func(t *testing.T) {
+			urlBase, c, ok := f.getKnownDoHClient(ip)
 			if !ok {
 				t.Fatal("expected DoH")
 			}

net/dns/resolver/forwarder.go

@@ -15,7 +15,6 @@ import (
 	"math/rand"
 	"net"
 	"net/http"
-	"net/url"
 	"runtime"
 	"sort"
 	"strconv"
@@ -25,10 +24,8 @@ import (
 
 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
-	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/net/dns/publicdns"
-	"tailscale.com/net/dnscache"
 	"tailscale.com/net/neterror"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tsdial"
@@ -41,19 +38,6 @@ import (
 // headerBytes is the number of bytes in a DNS message header.
 const headerBytes = 12
 
-// dnsFlagTruncated is set in the flags word when the packet is truncated.
-const dnsFlagTruncated = 0x200
-
-// truncatedFlagSet returns true if the DNS packet signals that it has
-// been truncated. False is also returned if the packet was too small
-// to be valid.
-func truncatedFlagSet(pkt []byte) bool {
-	if len(pkt) < headerBytes {
-		return false
-	}
-	return (binary.BigEndian.Uint16(pkt[2:4]) & dnsFlagTruncated) != 0
-}
-
 const (
 	// responseTimeout is the maximal amount of time to wait for a DNS response.
 	responseTimeout = 5 * time.Second
@@ -63,11 +47,6 @@ const (
 	// arbitrary.
 	dohTransportTimeout = 30 * time.Second
 
-	// dohTransportTimeout is how much of a head start to give a DoH query
-	// that was upgraded from a well-known public DNS provider's IP before
-	// normal UDP mode is attempted as a fallback.
-	dohHeadStart = 500 * time.Millisecond
-
 	// wellKnownHostBackupDelay is how long to artificially delay upstream
 	// DNS queries to the "fallback" DNS server IP for a known provider
 	// (e.g. how long to wait to query Google's 8.8.4.4 after 8.8.8.8).
@@ -170,7 +149,7 @@ type route struct {
 // long to wait before querying it.
 type resolverAndDelay struct {
 	// name is the upstream resolver.
-	name *dnstype.Resolver
+	name dnstype.Resolver
 
 	// startDelay is an amount to delay this resolver at
 	// start. It's used when, say, there are four Google or
@@ -190,6 +169,9 @@ type forwarder struct {
 	ctx       context.Context    // good until Close
 	ctxCancel context.CancelFunc // closes ctx
 
+	// responses is a channel by which responses are returned.
+	responses chan packet
+
 	mu sync.Mutex // guards following
 
 	dohClient map[string]*http.Client // urlBase -> client
@@ -226,13 +208,14 @@ func maxDoHInFlight(goos string) int {
 	return 1000
 }
 
-func newForwarder(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *forwarder {
+func newForwarder(logf logger.Logf, responses chan packet, linkMon *monitor.Mon, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *forwarder {
 	f := &forwarder{
-		logf:    logger.WithPrefix(logf, "forward: "),
-		linkMon: linkMon,
-		linkSel: linkSel,
-		dialer:  dialer,
-		dohSem:  make(chan struct{}, maxDoHInFlight(runtime.GOOS)),
+		logf:      logger.WithPrefix(logf, "forward: "),
+		linkMon:   linkMon,
+		linkSel:   linkSel,
+		dialer:    dialer,
+		responses: responses,
+		dohSem:    make(chan struct{}, maxDoHInFlight(runtime.GOOS)),
 	}
 	f.ctx, f.ctxCancel = context.WithCancel(context.Background())
 	return f
@@ -243,55 +226,65 @@ func (f *forwarder) Close() error {
 	return nil
 }
 
-// resolversWithDelays maps from a set of DNS server names to a slice of a type
-// that included a startDelay, upgrading any well-known DoH (DNS-over-HTTP)
-// servers in the process, insert a DoH lookup first before UDP fallbacks.
-func resolversWithDelays(resolvers []*dnstype.Resolver) []resolverAndDelay {
-	rr := make([]resolverAndDelay, 0, len(resolvers)+2)
-
-	// Add the known DoH ones first, starting immediately.
-	didDoH := map[string]bool{}
-	for _, r := range resolvers {
-		ipp, ok := r.IPPort()
-		if !ok {
-			continue
-		}
-		dohBase, ok := publicdns.KnownDoH()[ipp.IP()]
-		if !ok || didDoH[dohBase] {
-			continue
-		}
-		didDoH[dohBase] = true
-		rr = append(rr, resolverAndDelay{name: &dnstype.Resolver{Addr: dohBase}})
-	}
-
+// resolversWithDelays maps from a set of DNS server names to a slice of
+// a type that included a startDelay. So if resolvers contains e.g. four
+// Google DNS IPs (two IPv4 + twoIPv6), this function partition adds
+// delays to some.
+func resolversWithDelays(resolvers []dnstype.Resolver) []resolverAndDelay {
 	type hostAndFam struct {
 		host string // some arbitrary string representing DNS host (currently the DoH base)
 		bits uint8  // either 32 or 128 for IPv4 vs IPv6s address family
 	}
-	done := map[hostAndFam]int{}
+
+	// Track how many of each known resolver host are in the list,
+	// per address family.
+	total := map[hostAndFam]int{}
+
+	rr := make([]resolverAndDelay, len(resolvers))
 	for _, r := range resolvers {
-		ipp, ok := r.IPPort()
-		if !ok {
-			// Pass non-IP ones through unchanged, without delay.
-			// (e.g. DNS-over-ExitDNS when using an exit node)
-			rr = append(rr, resolverAndDelay{name: r})
-			continue
-		}
-		ip := ipp.IP()
-		var startDelay time.Duration
-		if host, ok := publicdns.KnownDoH()[ip]; ok {
-			// We already did the DoH query early. These
-			startDelay = dohHeadStart
-			key := hostAndFam{host, ip.BitLen()}
-			if done[key] > 0 {
-				startDelay += wellKnownHostBackupDelay
+		if ip, err := netaddr.ParseIP(r.Addr); err == nil {
+			if host, ok := publicdns.KnownDoH()[ip]; ok {
+				total[hostAndFam{host, ip.BitLen()}]++
 			}
-			done[key]++
 		}
-		rr = append(rr, resolverAndDelay{
+	}
+
+	done := map[hostAndFam]int{}
+	for i, r := range resolvers {
+		var startDelay time.Duration
+		if ip, err := netaddr.ParseIP(r.Addr); err == nil {
+			if host, ok := publicdns.KnownDoH()[ip]; ok {
+				key4 := hostAndFam{host, 32}
+				key6 := hostAndFam{host, 128}
+				switch {
+				case ip.Is4():
+					if done[key4] > 0 {
+						startDelay += wellKnownHostBackupDelay
+					}
+				case ip.Is6():
+					total4 := total[key4]
+					if total4 >= 2 {
+						// If we have two IPv4 IPs of the same provider
+						// already in the set, delay the IPv6 queries
+						// until halfway through the timeout (so wait
+						// 2.5 seconds). Even the network is IPv6-only,
+						// the DoH dialer will fallback to IPv6
+						// immediately anyway.
+						startDelay = responseTimeout / 2
+					} else if total4 == 1 {
+						startDelay += wellKnownHostBackupDelay
+					}
+					if done[key6] > 0 {
+						startDelay += wellKnownHostBackupDelay
+					}
+				}
+				done[hostAndFam{host, ip.BitLen()}]++
+			}
+		}
+		rr[i] = resolverAndDelay{
 			name:       r,
 			startDelay: startDelay,
-		})
+		}
 	}
 	return rr
 }
@@ -300,7 +293,7 @@ func resolversWithDelays(resolvers []*dnstype.Resolver) []resolverAndDelay {
 // Resolver.SetConfig on reconfig.
 //
 // The memory referenced by routesBySuffix should not be modified.
-func (f *forwarder) setRoutes(routesBySuffix map[dnsname.FQDN][]*dnstype.Resolver) {
+func (f *forwarder) setRoutes(routesBySuffix map[dnsname.FQDN][]dnstype.Resolver) {
 	routes := make([]route, 0, len(routesBySuffix))
 	for suffix, rs := range routesBySuffix {
 		routes = append(routes, route{
@@ -339,30 +332,21 @@ func (f *forwarder) packetListener(ip netaddr.IP) (packetListener, error) {
 	return lc, nil
 }
 
-// getKnownDoHClientForProvider returns an HTTP client for a specific DoH
-// provider named by its DoH base URL (like "https://dns.google/dns-query").
-//
-// The returned client race/Happy Eyeballs dials all IPs for urlBase (usually
-// 4), as statically known by the publicdns package.
-func (f *forwarder) getKnownDoHClientForProvider(urlBase string) (c *http.Client, ok bool) {
+func (f *forwarder) getKnownDoHClient(ip netaddr.IP) (urlBase string, c *http.Client, ok bool) {
+	urlBase, ok = publicdns.KnownDoH()[ip]
+	if !ok {
+		return
+	}
+
 	f.mu.Lock()
 	defer f.mu.Unlock()
 	if c, ok := f.dohClient[urlBase]; ok {
-		return c, true
+		return urlBase, c, true
 	}
-	allIPs := publicdns.DoHIPsOfBase()[urlBase]
-	if len(allIPs) == 0 {
-		return nil, false
-	}
-	dohURL, err := url.Parse(urlBase)
-	if err != nil {
-		return nil, false
+	if f.dohClient == nil {
+		f.dohClient = map[string]*http.Client{}
 	}
 	nsDialer := netns.NewDialer(f.logf)
-	dialer := dnscache.Dialer(nsDialer.DialContext, &dnscache.Resolver{
-		SingleHost:             dohURL.Hostname(),
-		SingleHostStaticResult: allIPs,
-	})
 	c = &http.Client{
 		Transport: &http.Transport{
 			IdleConnTimeout: dohTransportTimeout,
@@ -370,15 +354,21 @@ func (f *forwarder) getKnownDoHClientForProvider(urlBase string) (c *http.Client
 				if !strings.HasPrefix(netw, "tcp") {
 					return nil, fmt.Errorf("unexpected network %q", netw)
 				}
-				return dialer(ctx, netw, addr)
+				c, err := nsDialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), "443"))
+				// If v4 failed, try an equivalent v6 also in the time remaining.
+				if err != nil && ctx.Err() == nil {
+					if ip6, ok := publicdns.DoHV6(urlBase); ok && ip.Is4() {
+						if c6, err := nsDialer.DialContext(ctx, "tcp", net.JoinHostPort(ip6.String(), "443")); err == nil {
+							return c6, nil
+						}
+					}
+				}
+				return c, err
 			},
 		},
 	}
-	if f.dohClient == nil {
-		f.dohClient = map[string]*http.Client{}
-	}
 	f.dohClient[urlBase] = c
-	return c, true
+	return urlBase, c, true
 }
 
 const dohType = "application/dns-message"
@@ -429,57 +419,40 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 	if err != nil {
 		metricDNSFwdDoHErrorBody.Add(1)
 	}
-	if truncatedFlagSet(res) {
-		metricDNSFwdTruncated.Add(1)
-	}
 	return res, err
 }
 
-var verboseDNSForward = envknob.Bool("TS_DEBUG_DNS_FORWARD_SEND")
-
 // send sends packet to dst. It is best effort.
 //
 // send expects the reply to have the same txid as txidOut.
-func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
-	if verboseDNSForward {
-		f.logf("forwarder.send(%q) ...", rr.name.Addr)
-		defer func() {
-			f.logf("forwarder.send(%q) = %v, %v", rr.name.Addr, len(ret), err)
-		}()
-	}
+func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) ([]byte, error) {
 	if strings.HasPrefix(rr.name.Addr, "http://") {
 		return f.sendDoH(ctx, rr.name.Addr, f.dialer.PeerAPIHTTPClient(), fq.packet)
 	}
 	if strings.HasPrefix(rr.name.Addr, "https://") {
-		// Only known DoH providers are supported currently. Specifically, we
-		// only support DoH providers where we can TCP connect to them on port
-		// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
-		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custon DoH providers
-		// aren't currently supported. There's no backup DNS resolution path for
-		// them.
-		urlBase := rr.name.Addr
-		if hc, ok := f.getKnownDoHClientForProvider(urlBase); ok {
-			return f.sendDoH(ctx, urlBase, hc, fq.packet)
-		}
 		metricDNSFwdErrorType.Add(1)
-		return nil, fmt.Errorf("arbitrary https:// resolvers not supported yet")
+		return nil, fmt.Errorf("https:// resolvers not supported yet")
 	}
 	if strings.HasPrefix(rr.name.Addr, "tls://") {
 		metricDNSFwdErrorType.Add(1)
 		return nil, fmt.Errorf("tls:// resolvers not supported yet")
 	}
-
-	return f.sendUDP(ctx, fq, rr)
-}
-
-func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
-	ipp, ok := rr.name.IPPort()
-	if !ok {
-		metricDNSFwdErrorType.Add(1)
-		return nil, fmt.Errorf("unrecognized resolver type %q", rr.name.Addr)
+	ipp, err := netaddr.ParseIPPort(rr.name.Addr)
+	if err != nil {
+		return nil, err
 	}
-	metricDNSFwdUDP.Add(1)
 
+	// Upgrade known DNS IPs to DoH (DNS-over-HTTPs).
+	// All known DoH is over port 53.
+	if urlBase, dc, ok := f.getKnownDoHClient(ipp.IP()); ok {
+		res, err := f.sendDoH(ctx, urlBase, dc, fq.packet)
+		if err == nil || ctx.Err() != nil {
+			return res, err
+		}
+		f.logf("DoH error from %v: %v", ipp.IP(), err)
+	}
+
+	metricDNSFwdUDP.Add(1)
 	ln, err := f.packetListener(ipp.IP())
 	if err != nil {
 		return nil, err
@@ -539,7 +512,7 @@ func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAn
 	}
 
 	if truncated {
-		// Set the truncated bit if it wasn't already.
+		const dnsFlagTruncated = 0x200
 		flags := binary.BigEndian.Uint16(out[2:4])
 		flags |= dnsFlagTruncated
 		binary.BigEndian.PutUint16(out[2:4], flags)
@@ -551,10 +524,6 @@ func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAn
 		// best we can do.
 	}
 
-	if truncatedFlagSet(out) {
-		metricDNSFwdTruncated.Add(1)
-	}
-
 	clampEDNSSize(out, maxResponseBytes)
 	metricDNSFwdUDPSuccess.Add(1)
 	return out, nil
@@ -597,6 +566,17 @@ type forwardQuery struct {
 	// ...
 }
 
+// forward forwards the query to all upstream nameservers and waits for
+// the first response.
+//
+// It either sends to f.responses and returns nil, or returns a
+// non-nil error (without sending to the channel).
+func (f *forwarder) forward(query packet) error {
+	ctx, cancel := context.WithTimeout(f.ctx, responseTimeout)
+	defer cancel()
+	return f.forwardWithDestChan(ctx, query, f.responses)
+}
+
 // forwardWithDestChan forwards the query to all upstream nameservers
 // and waits for the first response.
 //
@@ -613,10 +593,6 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 		return err
 	}
 
-	// Guarantee that the ctx we use below is done when this function returns.
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
 	// Drop DNS service discovery spam, primarily for battery life
 	// on mobile.  Things like Spotify on iOS generate this traffic,
 	// when browsing for LAN devices.  But even when filtering this
@@ -657,8 +633,12 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 	}
 	defer fq.closeOnCtxDone.Close()
 
-	resc := make(chan []byte, 1) // it's fine buffered or not
-	errc := make(chan error, 1)  // it's fine buffered or not too
+	resc := make(chan []byte, 1)
+	var (
+		mu       sync.Mutex
+		firstErr error
+	)
+
 	for i := range resolvers {
 		go func(rr *resolverAndDelay) {
 			if rr.startDelay > 0 {
@@ -672,48 +652,39 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 			}
 			resb, err := f.send(ctx, fq, *rr)
 			if err != nil {
-				select {
-				case errc <- err:
-				case <-ctx.Done():
+				mu.Lock()
+				defer mu.Unlock()
+				if firstErr == nil {
+					firstErr = err
 				}
 				return
 			}
 			select {
 			case resc <- resb:
-			case <-ctx.Done():
+			default:
 			}
 		}(&resolvers[i])
 	}
 
-	var firstErr error
-	var numErr int
-	for {
+	select {
+	case v := <-resc:
 		select {
-		case v := <-resc:
-			select {
-			case <-ctx.Done():
-				metricDNSFwdErrorContext.Add(1)
-				return ctx.Err()
-			case responseChan <- packet{v, query.addr}:
-				metricDNSFwdSuccess.Add(1)
-				return nil
-			}
-		case err := <-errc:
-			if firstErr == nil {
-				firstErr = err
-			}
-			numErr++
-			if numErr == len(resolvers) {
-				return firstErr
-			}
 		case <-ctx.Done():
 			metricDNSFwdErrorContext.Add(1)
-			if firstErr != nil {
-				metricDNSFwdErrorContextGotError.Add(1)
-				return firstErr
-			}
 			return ctx.Err()
+		case responseChan <- packet{v, query.addr}:
+			metricDNSFwdSuccess.Add(1)
+			return nil
 		}
+	case <-ctx.Done():
+		mu.Lock()
+		defer mu.Unlock()
+		metricDNSFwdErrorContext.Add(1)
+		if firstErr != nil {
+			metricDNSFwdErrorContextGotError.Add(1)
+			return firstErr
+		}
+		return ctx.Err()
 	}
 }
 

net/dns/resolver/forwarder_test.go

@@ -5,8 +5,8 @@
 package resolver
 
 import (
-	"flag"
 	"fmt"
+	"net"
 	"reflect"
 	"strings"
 	"testing"
@@ -23,9 +23,13 @@ func (rr resolverAndDelay) String() string {
 
 func TestResolversWithDelays(t *testing.T) {
 	// query
-	q := func(ss ...string) (ipps []*dnstype.Resolver) {
-		for _, host := range ss {
-			ipps = append(ipps, &dnstype.Resolver{Addr: host})
+	q := func(ss ...string) (ipps []dnstype.Resolver) {
+		for _, s := range ss {
+			host, _, err := net.SplitHostPort(s)
+			if err != nil {
+				t.Fatal(err)
+			}
+			ipps = append(ipps, dnstype.Resolver{Addr: host})
 		}
 		return
 	}
@@ -41,8 +45,12 @@ func TestResolversWithDelays(t *testing.T) {
 					panic(fmt.Sprintf("parsing duration in %q: %v", s, err))
 				}
 			}
+			host, _, err := net.SplitHostPort(s)
+			if err != nil {
+				t.Fatal(err)
+			}
 			rr = append(rr, resolverAndDelay{
-				name:       &dnstype.Resolver{Addr: s},
+				name:       dnstype.Resolver{Addr: host},
 				startDelay: d,
 			})
 		}
@@ -51,33 +59,33 @@ func TestResolversWithDelays(t *testing.T) {
 
 	tests := []struct {
 		name string
-		in   []*dnstype.Resolver
+		in   []dnstype.Resolver
 		want []resolverAndDelay
 	}{
 		{
 			name: "unknown-no-delays",
-			in:   q("1.2.3.4", "2.3.4.5"),
-			want: o("1.2.3.4", "2.3.4.5"),
+			in:   q("1.2.3.4:53", "2.3.4.5:53"),
+			want: o("1.2.3.4:53", "2.3.4.5:53"),
 		},
 		{
 			name: "google-all-ipv4",
-			in:   q("8.8.8.8", "8.8.4.4"),
-			want: o("https://dns.google/dns-query", "8.8.8.8+0.5s", "8.8.4.4+0.7s"),
+			in:   q("8.8.8.8:53", "8.8.4.4:53"),
+			want: o("8.8.8.8:53", "8.8.4.4:53+200ms"),
 		},
 		{
 			name: "google-only-ipv6",
-			in:   q("2001:4860:4860::8888", "2001:4860:4860::8844"),
-			want: o("https://dns.google/dns-query", "2001:4860:4860::8888+0.5s", "2001:4860:4860::8844+0.7s"),
+			in:   q("[2001:4860:4860::8888]:53", "[2001:4860:4860::8844]:53"),
+			want: o("[2001:4860:4860::8888]:53", "[2001:4860:4860::8844]:53+200ms"),
 		},
 		{
 			name: "google-all-four",
-			in:   q("8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"),
-			want: o("https://dns.google/dns-query", "8.8.8.8+0.5s", "8.8.4.4+0.7s", "2001:4860:4860::8888+0.5s", "2001:4860:4860::8844+0.7s"),
+			in:   q("8.8.8.8:53", "8.8.4.4:53", "[2001:4860:4860::8888]:53", "[2001:4860:4860::8844]:53"),
+			want: o("8.8.8.8:53", "8.8.4.4:53+200ms", "[2001:4860:4860::8888]:53+2.5s", "[2001:4860:4860::8844]:53+2.7s"),
 		},
 		{
 			name: "quad9-one-v4-one-v6",
-			in:   q("9.9.9.9", "2620:fe::fe"),
-			want: o("https://dns.quad9.net/dns-query", "9.9.9.9+0.5s", "2620:fe::fe+0.5s"),
+			in:   q("9.9.9.9:53", "[2620:fe::fe]:53"),
+			want: o("9.9.9.9:53", "[2620:fe::fe]:53+200ms"),
 		},
 	}
 
@@ -161,25 +169,6 @@ func TestMaxDoHInFlight(t *testing.T) {
 	}
 }
 
-var testDNS = flag.Bool("test-dns", false, "run tests that require a working DNS server")
-
-func TestGetKnownDoHClientForProvider(t *testing.T) {
-	var fwd forwarder
-	c, ok := fwd.getKnownDoHClientForProvider("https://dns.google/dns-query")
-	if !ok {
-		t.Fatal("not found")
-	}
-	if !*testDNS {
-		t.Skip("skipping without --test-dns")
-	}
-	res, err := c.Head("https://dns.google/")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer res.Body.Close()
-	t.Logf("Got: %+v", res)
-}
-
 func BenchmarkNameFromQuery(b *testing.B) {
 	builder := dns.NewBuilder(nil, dns.Header{})
 	builder.StartQuestions()

net/dns/resolver/tsdns.go

@@ -17,7 +17,6 @@ import (
 	"os"
 	"runtime"
 	"sort"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -26,9 +25,12 @@ import (
 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/net/dns/resolvconffile"
+	tspacket "tailscale.com/net/packet"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tsdial"
+	"tailscale.com/net/tstun"
 	"tailscale.com/types/dnstype"
+	"tailscale.com/types/ipproto"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
@@ -37,15 +39,41 @@ import (
 
 const dnsSymbolicFQDN = "magicdns.localhost-tailscale-daemon."
 
+var (
+	magicDNSIP   = tsaddr.TailscaleServiceIP()
+	magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
+)
+
+const magicDNSPort = 53
+
 // maxResponseBytes is the maximum size of a response from a Resolver. The
 // actual buffer size will be one larger than this so that we can detect
 // truncation in a platform-agnostic way.
 const maxResponseBytes = 4095
 
+// maxActiveQueries returns the maximal number of DNS requests that be
+// can running.
+// If EnqueueRequest is called when this many requests are already pending,
+// the request will be dropped to avoid blocking the caller.
+func maxActiveQueries() int32 {
+	if runtime.GOOS == "ios" {
+		// For memory paranoia reasons on iOS, match the
+		// historical Tailscale 1.x..1.8 behavior for now
+		// (just before the 1.10 release).
+		return 64
+	}
+	// But for other platforms, allow more burstiness:
+	return 256
+}
+
 // defaultTTL is the TTL of all responses from Resolver.
 const defaultTTL = 600 * time.Second
 
+// ErrClosed indicates that the resolver has been closed and readers should exit.
+var ErrClosed = errors.New("closed")
+
 var (
+	errFullQueue  = errors.New("request queue full")
 	errNotQuery   = errors.New("not a DNS query")
 	errNotOurName = errors.New("not a Tailscale DNS name")
 )
@@ -66,7 +94,7 @@ type Config struct {
 	// queries within that suffix.
 	// Queries only match the most specific suffix.
 	// To register a "default route", add an entry for ".".
-	Routes map[dnsname.FQDN][]*dnstype.Resolver
+	Routes map[dnsname.FQDN][]dnstype.Resolver
 	// LocalHosts is a map of FQDNs to corresponding IPs.
 	Hosts map[dnsname.FQDN][]netaddr.IP
 	// LocalDomains is a list of DNS name suffixes that should not be
@@ -115,7 +143,7 @@ func WriteIPPorts(w *bufio.Writer, vv []netaddr.IPPort) {
 }
 
 // WriteDNSResolver writes r to w.
-func WriteDNSResolver(w *bufio.Writer, r *dnstype.Resolver) {
+func WriteDNSResolver(w *bufio.Writer, r dnstype.Resolver) {
 	io.WriteString(w, r.Addr)
 	if len(r.BootstrapResolution) > 0 {
 		w.WriteByte('(')
@@ -129,7 +157,7 @@ func WriteDNSResolver(w *bufio.Writer, r *dnstype.Resolver) {
 }
 
 // WriteDNSResolvers writes resolvers to w.
-func WriteDNSResolvers(w *bufio.Writer, resolvers []*dnstype.Resolver) {
+func WriteDNSResolvers(w *bufio.Writer, resolvers []dnstype.Resolver) {
 	w.WriteByte('[')
 	for i, r := range resolvers {
 		if i > 0 {
@@ -142,7 +170,7 @@ func WriteDNSResolvers(w *bufio.Writer, resolvers []*dnstype.Resolver) {
 
 // WriteRoutes writes routes to w, omitting *.arpa routes and instead
 // summarizing how many of them there were.
-func WriteRoutes(w *bufio.Writer, routes map[dnsname.FQDN][]*dnstype.Resolver) {
+func WriteRoutes(w *bufio.Writer, routes map[dnsname.FQDN][]dnstype.Resolver) {
 	var kk []dnsname.FQDN
 	arpa := 0
 	for k := range routes {
@@ -180,6 +208,12 @@ type Resolver struct {
 	// forwarder forwards requests to upstream nameservers.
 	forwarder *forwarder
 
+	activeQueriesAtomic int32 // number of DNS queries in flight
+
+	// responses is an unbuffered channel to which responses are returned.
+	responses chan packet
+	// errors is an unbuffered channel to which errors are returned.
+	errors chan error
 	// closed signals all goroutines to stop.
 	closed chan struct{}
 	// wg signals when all goroutines have stopped.
@@ -206,14 +240,16 @@ func New(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector, di
 		panic("nil Dialer")
 	}
 	r := &Resolver{
-		logf:     logger.WithPrefix(logf, "resolver: "),
-		linkMon:  linkMon,
-		closed:   make(chan struct{}),
-		hostToIP: map[dnsname.FQDN][]netaddr.IP{},
-		ipToHost: map[netaddr.IP]dnsname.FQDN{},
-		dialer:   dialer,
+		logf:      logger.WithPrefix(logf, "resolver: "),
+		linkMon:   linkMon,
+		responses: make(chan packet),
+		errors:    make(chan error),
+		closed:    make(chan struct{}),
+		hostToIP:  map[dnsname.FQDN][]netaddr.IP{},
+		ipToHost:  map[netaddr.IP]dnsname.FQDN{},
+		dialer:    dialer,
 	}
-	r.forwarder = newForwarder(r.logf, linkMon, linkSel, dialer)
+	r.forwarder = newForwarder(r.logf, r.responses, linkMon, linkSel, dialer)
 	return r
 }
 
@@ -256,29 +292,94 @@ func (r *Resolver) Close() {
 	r.forwarder.Close()
 }
 
-func (r *Resolver) Query(ctx context.Context, bs []byte, from netaddr.IPPort) ([]byte, error) {
+// EnqueuePacket handles a packet to the magicDNS endpoint.
+// It takes ownership of the payload and does not block.
+// If the queue is full, the request will be dropped and an error will be returned.
+func (r *Resolver) EnqueuePacket(bs []byte, proto ipproto.Proto, from, to netaddr.IPPort) error {
+	if to.Port() != magicDNSPort || proto != ipproto.UDP {
+		return nil
+	}
+
+	return r.enqueueRequest(bs, proto, from, to)
+}
+
+// enqueueRequest places the given DNS request in the resolver's queue.
+// If the queue is full, the request will be dropped and an error will be returned.
+func (r *Resolver) enqueueRequest(bs []byte, proto ipproto.Proto, from, to netaddr.IPPort) error {
 	metricDNSQueryLocal.Add(1)
 	select {
 	case <-r.closed:
 		metricDNSQueryErrorClosed.Add(1)
-		return nil, net.ErrClosed
+		return ErrClosed
 	default:
 	}
+	if n := atomic.AddInt32(&r.activeQueriesAtomic, 1); n > maxActiveQueries() {
+		atomic.AddInt32(&r.activeQueriesAtomic, -1)
+		metricDNSQueryErrorQueue.Add(1)
+		return errFullQueue
+	}
+	go r.handleQuery(packet{bs, from})
+	return nil
+}
 
-	out, err := r.respond(bs)
-	if err == errNotOurName {
-		responses := make(chan packet, 1)
-		ctx, cancel := context.WithCancel(ctx)
-		defer close(responses)
-		defer cancel()
-		err = r.forwarder.forwardWithDestChan(ctx, packet{bs, from}, responses)
-		if err != nil {
-			return nil, err
-		}
-		return (<-responses).bs, nil
+// NextPacket returns the next packet to service traffic for magicDNS. The returned
+// packet is prefixed with unused space consistent with the semantics of injection
+// into tstun.Wrapper.
+// It blocks until a response is available and gives up ownership of the response payload.
+func (r *Resolver) NextPacket() (ipPacket []byte, err error) {
+	bs, to, err := r.nextResponse()
+	if err != nil {
+		return nil, err
 	}
 
-	return out, err
+	// Unused space is needed further down the stack. To avoid extra
+	// allocations/copying later on, we allocate such space here.
+	const offset = tstun.PacketStartOffset
+
+	var buf []byte
+	switch {
+	case to.IP().Is4():
+		h := tspacket.UDP4Header{
+			IP4Header: tspacket.IP4Header{
+				Src: magicDNSIP,
+				Dst: to.IP(),
+			},
+			SrcPort: magicDNSPort,
+			DstPort: to.Port(),
+		}
+		hlen := h.Len()
+		buf = make([]byte, offset+hlen+len(bs))
+		copy(buf[offset+hlen:], bs)
+		h.Marshal(buf[offset:])
+	case to.IP().Is6():
+		h := tspacket.UDP6Header{
+			IP6Header: tspacket.IP6Header{
+				Src: magicDNSIPv6,
+				Dst: to.IP(),
+			},
+			SrcPort: magicDNSPort,
+			DstPort: to.Port(),
+		}
+		hlen := h.Len()
+		buf = make([]byte, offset+hlen+len(bs))
+		copy(buf[offset+hlen:], bs)
+		h.Marshal(buf[offset:])
+	}
+
+	return buf, nil
+}
+
+// nextResponse returns a DNS response to a previously enqueued request.
+// It blocks until a response is available and gives up ownership of the response payload.
+func (r *Resolver) nextResponse() (packet []byte, to netaddr.IPPort, err error) {
+	select {
+	case <-r.closed:
+		return nil, netaddr.IPPort{}, ErrClosed
+	case resp := <-r.responses:
+		return resp.bs, resp.addr, nil
+	case err := <-r.errors:
+		return nil, netaddr.IPPort{}, err
+	}
 }
 
 // parseExitNodeQuery parses a DNS request packet.
@@ -347,7 +448,7 @@ func (r *Resolver) HandleExitNodeDNSQuery(ctx context.Context, q []byte, from ne
 			// will use its default ones from our DNS config.
 		} else {
 			resolvers = []resolverAndDelay{{
-				name: &dnstype.Resolver{Addr: net.JoinHostPort(nameserver.String(), "53")},
+				name: dnstype.Resolver{Addr: net.JoinHostPort(nameserver.String(), "53")},
 			}}
 		}
 
@@ -532,10 +633,6 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 			return tsaddr.TailscaleServiceIPv6(), dns.RCodeSuccess
 		}
 	}
-	// Special-case: 'via-<siteid>.<ipv4>' queries.
-	if ip, ok := r.parseViaDomain(domain, typ); ok {
-		return ip, dns.RCodeSuccess
-	}
 
 	r.mu.Lock()
 	hosts := r.hostToIP
@@ -611,46 +708,6 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 	}
 }
 
-// parseViaDomain synthesizes an IP address for quad-A DNS requests of
-// the form 'via-<X>.<IPv4-address>', where X is a decimal, or hex-encoded
-// number with a '0x' prefix.
-//
-// This exists as a convenient mapping into Tailscales 'Via Range'.
-func (r *Resolver) parseViaDomain(domain dnsname.FQDN, typ dns.Type) (netaddr.IP, bool) {
-	fqdn := string(domain.WithoutTrailingDot())
-	if typ != dns.TypeAAAA {
-		return netaddr.IP{}, false
-	}
-	if len(fqdn) < len("via-X.0.0.0.0") {
-		return netaddr.IP{}, false // too short to be valid
-	}
-	if !strings.HasPrefix(fqdn, "via-") {
-		return netaddr.IP{}, false
-	}
-
-	firstDot := strings.Index(fqdn, ".")
-	if firstDot < 0 {
-		return netaddr.IP{}, false // missing dot delimiters
-	}
-
-	siteID := fqdn[len("via-"):firstDot]
-	ip4Str := fqdn[firstDot+1:]
-
-	ip4, err := netaddr.ParseIP(ip4Str)
-	if err != nil {
-		return netaddr.IP{}, false // badly formed, dont respond
-	}
-
-	prefix, err := strconv.ParseUint(siteID, 0, 32)
-	if err != nil {
-		return netaddr.IP{}, false // badly formed, dont respond
-	}
-
-	// MapVia will never error when given an ipv4 netaddr.IPPrefix.
-	out, _ := tsaddr.MapVia(uint32(prefix), netaddr.IPPrefixFrom(ip4, ip4.BitLen()))
-	return out.IP(), true
-}
-
 // resolveReverse returns the unique domain name that maps to the given address.
 func (r *Resolver) resolveLocalReverse(name dnsname.FQDN) (dnsname.FQDN, dns.RCode) {
 	var ip netaddr.IP
@@ -668,22 +725,6 @@ func (r *Resolver) resolveLocalReverse(name dnsname.FQDN) (dnsname.FQDN, dns.RCo
 		return "", dns.RCodeRefused
 	}
 
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	// If the requested IP is part of the IPv6 4-to-6 range, it might
-	// correspond to an IPv4 address (assuming IPv4 is enabled).
-	if ip4, ok := tsaddr.Tailscale6to4(ip); ok {
-		fqdn, code := r.fqdnForIPLocked(ip4, name)
-		if code == dns.RCodeSuccess {
-			return fqdn, code
-		}
-	}
-	return r.fqdnForIPLocked(ip, name)
-}
-
-// r.mu must be held.
-func (r *Resolver) fqdnForIPLocked(ip netaddr.IP, name dnsname.FQDN) (dnsname.FQDN, dns.RCode) {
 	// If someone curiously does a reverse lookup on the DNS IP, we
 	// return a domain that helps indicate that Tailscale is using
 	// this IP for a special purpose and it is not a node on their
@@ -692,6 +733,8 @@ func (r *Resolver) fqdnForIPLocked(ip netaddr.IP, name dnsname.FQDN) (dnsname.FQ
 		return dnsSymbolicFQDN, dns.RCodeSuccess
 	}
 
+	r.mu.Lock()
+	defer r.mu.Unlock()
 	ret, ok := r.ipToHost[ip]
 	if !ok {
 		for _, suffix := range r.localDomains {
@@ -706,6 +749,30 @@ func (r *Resolver) fqdnForIPLocked(ip netaddr.IP, name dnsname.FQDN) (dnsname.FQ
 	return ret, dns.RCodeSuccess
 }
 
+func (r *Resolver) handleQuery(pkt packet) {
+	defer atomic.AddInt32(&r.activeQueriesAtomic, -1)
+
+	out, err := r.respond(pkt.bs)
+	if err == errNotOurName {
+		err = r.forwarder.forward(pkt)
+		if err == nil {
+			// forward will send response into r.responses, nothing to do.
+			return
+		}
+	}
+	if err != nil {
+		select {
+		case <-r.closed:
+		case r.errors <- err:
+		}
+	} else {
+		select {
+		case <-r.closed:
+		case r.responses <- packet{out, pkt.addr}:
+		}
+	}
+}
+
 type response struct {
 	Header   dns.Header
 	Question dns.Question
@@ -1190,6 +1257,7 @@ func unARPA(a string) (ipStr string, ok bool) {
 var (
 	metricDNSQueryLocal       = clientmetric.NewCounter("dns_query_local")
 	metricDNSQueryErrorClosed = clientmetric.NewCounter("dns_query_local_error_closed")
+	metricDNSQueryErrorQueue  = clientmetric.NewCounter("dns_query_local_error_queue")
 
 	metricDNSErrorParseNoQ   = clientmetric.NewCounter("dns_query_respond_error_no_question")
 	metricDNSErrorParseQuery = clientmetric.NewCounter("dns_query_respond_error_parse")
@@ -1213,7 +1281,6 @@ var (
 
 	metricDNSFwdErrorType      = clientmetric.NewCounter("dns_query_fwd_error_type")
 	metricDNSFwdErrorParseAddr = clientmetric.NewCounter("dns_query_fwd_error_parse_addr")
-	metricDNSFwdTruncated      = clientmetric.NewCounter("dns_query_fwd_truncated")
 
 	metricDNSFwdUDP            = clientmetric.NewCounter("dns_query_fwd_udp")       // on entry
 	metricDNSFwdUDPWrote       = clientmetric.NewCounter("dns_query_fwd_udp_wrote") // sent UDP packet

net/dns/resolver/tsdns_test.go

@@ -27,6 +27,7 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tstest"
 	"tailscale.com/types/dnstype"
+	"tailscale.com/types/ipproto"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/monitor"
 )
@@ -233,7 +234,11 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 }
 
 func syncRespond(r *Resolver, query []byte) ([]byte, error) {
-	return r.Query(context.Background(), query, netaddr.IPPort{})
+	if err := r.enqueueRequest(query, ipproto.UDP, netaddr.IPPort{}, magicDNSv4Port); err != nil {
+		return nil, fmt.Errorf("enqueueRequest: %w", err)
+	}
+	payload, _, err := r.nextResponse()
+	return payload, err
 }
 
 func mustIP(str string) netaddr.IP {
@@ -343,9 +348,6 @@ func TestResolveLocal(t *testing.T) {
 		{"ns-nxdomain", "test3.ipn.dev.", dns.TypeNS, netaddr.IP{}, dns.RCodeNameError},
 		{"onion-domain", "footest.onion.", dns.TypeA, netaddr.IP{}, dns.RCodeNameError},
 		{"magicdns", dnsSymbolicFQDN, dns.TypeA, netaddr.MustParseIP("100.100.100.100"), dns.RCodeSuccess},
-		{"via_hex", dnsname.FQDN("via-0xff.1.2.3.4."), dns.TypeAAAA, netaddr.MustParseIP("fd7a:115c:a1e0:b1a:0:ff:102:304"), dns.RCodeSuccess},
-		{"via_dec", dnsname.FQDN("via-1.10.0.0.1."), dns.TypeAAAA, netaddr.MustParseIP("fd7a:115c:a1e0:b1a:0:1:a00:1"), dns.RCodeSuccess},
-		{"via_invalid", dnsname.FQDN("via-."), dns.TypeA, netaddr.IP{}, dns.RCodeRefused},
 	}
 
 	for _, tt := range tests {
@@ -380,7 +382,6 @@ func TestResolveLocalReverse(t *testing.T) {
 		{"ipv6_nxdomain", dnsname.FQDN("0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.ip6.arpa."), "", dns.RCodeNameError},
 		{"nxdomain", dnsname.FQDN("2.3.4.5.in-addr.arpa."), "", dns.RCodeRefused},
 		{"magicdns", dnsname.FQDN("100.100.100.100.in-addr.arpa."), dnsSymbolicFQDN, dns.RCodeSuccess},
-		{"ipv6_4to6", dnsname.FQDN("4.6.4.6.4.6.2.6.6.9.d.c.3.4.8.4.2.1.b.a.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), dnsSymbolicFQDN, dns.RCodeSuccess},
 	}
 
 	for _, tt := range tests {
@@ -480,10 +481,10 @@ func TestDelegate(t *testing.T) {
 	defer r.Close()
 
 	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]*dnstype.Resolver{
+	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
 		".": {
-			&dnstype.Resolver{Addr: v4server.PacketConn.LocalAddr().String()},
-			&dnstype.Resolver{Addr: v6server.PacketConn.LocalAddr().String()},
+			dnstype.Resolver{Addr: v4server.PacketConn.LocalAddr().String()},
+			dnstype.Resolver{Addr: v6server.PacketConn.LocalAddr().String()},
 		},
 	}
 	r.SetConfig(cfg)
@@ -655,7 +656,7 @@ func TestDelegateSplitRoute(t *testing.T) {
 	defer r.Close()
 
 	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]*dnstype.Resolver{
+	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
 		".":      {{Addr: server1.PacketConn.LocalAddr().String()}},
 		"other.": {{Addr: server2.PacketConn.LocalAddr().String()}},
 	}
@@ -703,6 +704,75 @@ func TestDelegateSplitRoute(t *testing.T) {
 	}
 }
 
+func TestDelegateCollision(t *testing.T) {
+	server := serveDNS(t, "127.0.0.1:0",
+		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+	defer server.Shutdown()
+
+	r := newResolver(t)
+	defer r.Close()
+
+	cfg := dnsCfg
+	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
+		".": {{Addr: server.PacketConn.LocalAddr().String()}},
+	}
+	r.SetConfig(cfg)
+
+	packets := []struct {
+		qname dnsname.FQDN
+		qtype dns.Type
+		addr  netaddr.IPPort
+	}{
+		{"test.site.", dns.TypeA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1001)},
+		{"test.site.", dns.TypeAAAA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1002)},
+	}
+
+	// packets will have the same dns txid.
+	for _, p := range packets {
+		payload := dnspacket(p.qname, p.qtype, noEdns)
+		err := r.enqueueRequest(payload, ipproto.UDP, p.addr, magicDNSv4Port)
+		if err != nil {
+			t.Error(err)
+		}
+	}
+
+	// Despite the txid collision, the answer(s) should still match the query.
+	resp, addr, err := r.nextResponse()
+	if err != nil {
+		t.Error(err)
+	}
+
+	var p dns.Parser
+	_, err = p.Start(resp)
+	if err != nil {
+		t.Error(err)
+	}
+	err = p.SkipAllQuestions()
+	if err != nil {
+		t.Error(err)
+	}
+	ans, err := p.AllAnswers()
+	if err != nil {
+		t.Error(err)
+	}
+
+	var wantType dns.Type
+	switch ans[0].Body.(type) {
+	case *dns.AResource:
+		wantType = dns.TypeA
+	case *dns.AAAAResource:
+		wantType = dns.TypeAAAA
+	default:
+		t.Errorf("unexpected answer type: %T", ans[0].Body)
+	}
+
+	for _, p := range packets {
+		if p.qtype == wantType && p.addr != addr {
+			t.Errorf("addr = %v; want %v", addr, p.addr)
+		}
+	}
+}
+
 var allResponse = []byte{
 	0x00, 0x00, // transaction id: 0
 	0x84, 0x00, // flags: response, authoritative, no error
@@ -947,7 +1017,7 @@ func BenchmarkFull(b *testing.B) {
 	defer r.Close()
 
 	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]*dnstype.Resolver{
+	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
 		".": {{Addr: server.PacketConn.LocalAddr().String()}},
 	}
 
@@ -999,7 +1069,7 @@ func TestForwardLinkSelection(t *testing.T) {
 	// routes differently.
 	specialIP := netaddr.IPv4(1, 2, 3, 4)
 
-	fwd := newForwarder(t.Logf, nil, linkSelFunc(func(ip netaddr.IP) string {
+	fwd := newForwarder(t.Logf, nil, nil, linkSelFunc(func(ip netaddr.IP) string {
 		if ip == netaddr.IPv4(1, 2, 3, 4) {
 			return "special"
 		}

net/dnscache/dnscache.go

@@ -72,15 +72,6 @@ type Resolver struct {
 	// if a refresh fails.
 	UseLastGood bool
 
-	// SingleHostStaticResult, if non-nil, is the static result of IPs that is returned
-	// by Resolver.LookupIP for any hostname. When non-nil, SingleHost must also be
-	// set with the expected name.
-	SingleHostStaticResult []netaddr.IP
-
-	// SingleHost is the hostname that SingleHostStaticResult is for.
-	// It is required when SingleHostStaticResult is present.
-	SingleHost string
-
 	sf singleflight.Group
 
 	mu      sync.Mutex
@@ -117,22 +108,6 @@ var debug = envknob.Bool("TS_DEBUG_DNS_CACHE")
 // If err is nil, ip will be non-nil. The v6 address may be nil even
 // with a nil error.
 func (r *Resolver) LookupIP(ctx context.Context, host string) (ip, v6 net.IP, allIPs []net.IPAddr, err error) {
-	if r.SingleHostStaticResult != nil {
-		if r.SingleHost != host {
-			return nil, nil, nil, fmt.Errorf("dnscache: unexpected hostname %q doesn't match expected %q", host, r.SingleHost)
-		}
-		for _, naIP := range r.SingleHostStaticResult {
-			ipa := naIP.IPAddr()
-			if ip == nil && naIP.Is4() {
-				ip = ipa.IP
-			}
-			if v6 == nil && naIP.Is6() {
-				v6 = ipa.IP
-			}
-			allIPs = append(allIPs, *ipa)
-		}
-		return
-	}
 	if ip := net.ParseIP(host); ip != nil {
 		if ip4 := ip.To4(); ip4 != nil {
 			return ip4, nil, []net.IPAddr{{IP: ip4}}, nil

net/dnscache/dnscache_test.go

@@ -8,7 +8,6 @@ import (
 	"context"
 	"errors"
 	"flag"
-	"fmt"
 	"net"
 	"reflect"
 	"testing"
@@ -111,33 +110,3 @@ func TestDialCall_uniqueIPs(t *testing.T) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 }
-
-func TestResolverAllHostStaticResult(t *testing.T) {
-	r := &Resolver{
-		SingleHost: "foo.bar",
-		SingleHostStaticResult: []netaddr.IP{
-			netaddr.MustParseIP("2001:4860:4860::8888"),
-			netaddr.MustParseIP("2001:4860:4860::8844"),
-			netaddr.MustParseIP("8.8.8.8"),
-			netaddr.MustParseIP("8.8.4.4"),
-		},
-	}
-	ip4, ip6, allIPs, err := r.LookupIP(context.Background(), "foo.bar")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if got, want := ip4.String(), "8.8.8.8"; got != want {
-		t.Errorf("ip4 got %q; want %q", got, want)
-	}
-	if got, want := ip6.String(), "2001:4860:4860::8888"; got != want {
-		t.Errorf("ip4 got %q; want %q", got, want)
-	}
-	if got, want := fmt.Sprintf("%q", allIPs), `[{"2001:4860:4860::8888" ""} {"2001:4860:4860::8844" ""} {"8.8.8.8" ""} {"8.8.4.4" ""}]`; got != want {
-		t.Errorf("allIPs got %q; want %q", got, want)
-	}
-
-	_, _, _, err = r.LookupIP(context.Background(), "bad")
-	if got, want := fmt.Sprint(err), `dnscache: unexpected hostname "bad" doesn't match expected "foo.bar"`; got != want {
-		t.Errorf("bad dial error got %q; want %q", got, want)
-	}
-}

net/dnsfallback/dns-fallback-servers.json

@@ -6,25 +6,18 @@
 			"RegionName": "r1",
 			"Nodes": [
 				{
-					"Name": "1c",
+					"Name": "1a",
 					"RegionID": 1,
-					"HostName": "derp1c.tailscale.com",
-					"IPv4": "104.248.8.210",
-					"IPv6": "2604:a880:800:10::7a0:e001"
+					"HostName": "derp1.tailscale.com",
+					"IPv4": "159.89.225.99",
+					"IPv6": "2604:a880:400:d1::828:b001"
 				},
 				{
-					"Name": "1d",
+					"Name": "1b",
 					"RegionID": 1,
-					"HostName": "derp1d.tailscale.com",
-					"IPv4": "165.22.33.71",
-					"IPv6": "2604:a880:800:10::7fe:f001"
-				},
-				{
-					"Name": "1e",
-					"RegionID": 1,
-					"HostName": "derp1e.tailscale.com",
-					"IPv4": "64.225.56.166",
-					"IPv6": "2604:a880:800:10::873:4001"
+					"HostName": "derp1b.tailscale.com",
+					"IPv4": "45.55.35.93",
+					"IPv6": "2604:a880:800:a1::f:2001"
 				}
 			]
 		},

net/netcheck/netcheck.go

@@ -979,21 +979,13 @@ func (c *Client) runHTTPOnlyChecks(ctx context.Context, last *Report, rs *report
 			// One warm-up one to get HTTP connection set
 			// up and get a connection from the browser's
 			// pool.
-			if r, err := http.DefaultClient.Do(req); err != nil || r.StatusCode > 299 {
-				if err != nil {
-					c.logf("probing %s: %v", node.HostName, err)
-				} else {
-					c.logf("probing %s: unexpected status %s", node.HostName, r.Status)
-				}
+			if _, err := http.DefaultClient.Do(req); err != nil {
+				c.logf("probing %s: %v", node.HostName, err)
 				return
 			}
 			t0 := c.timeNow()
-			if r, err := http.DefaultClient.Do(req); err != nil || r.StatusCode > 299 {
-				if err != nil {
-					c.logf("probing %s: %v", node.HostName, err)
-				} else {
-					c.logf("probing %s: unexpected status %s", node.HostName, r.Status)
-				}
+			if _, err := http.DefaultClient.Do(req); err != nil {
+				c.logf("probing %s: %v", node.HostName, err)
 				return
 			}
 			d := c.timeNow().Sub(t0)
@@ -1013,7 +1005,7 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	var ip netaddr.IP
 
 	dc := derphttp.NewNetcheckClient(c.logf)
-	tlsConn, tcpConn, node, err := dc.DialRegionTLS(ctx, reg)
+	tlsConn, tcpConn, err := dc.DialRegionTLS(ctx, reg)
 	if err != nil {
 		return 0, ip, err
 	}
@@ -1044,7 +1036,7 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	}
 	hc := &http.Client{Transport: tr}
 
-	req, err := http.NewRequestWithContext(ctx, "GET", "https://"+node.HostName+"/derp/latency-check", nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://derp-unused-hostname.tld/derp/latency-check", nil)
 	if err != nil {
 		return 0, ip, err
 	}
@@ -1055,13 +1047,6 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	}
 	defer resp.Body.Close()
 
-	// DERPs should give us a nominal status code, so anything else is probably
-	// an access denied by a MITM proxy (or at the very least a signal not to
-	// trust this latency check).
-	if resp.StatusCode > 299 {
-		return 0, ip, fmt.Errorf("unexpected status code: %d (%s)", resp.StatusCode, resp.Status)
-	}
-
 	_, err = io.Copy(ioutil.Discard, io.LimitReader(resp.Body, 8<<10))
 	if err != nil {
 		return 0, ip, err

net/packet/icmp.go

@@ -1,29 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package packet
-
-import (
-	crand "crypto/rand"
-
-	"encoding/binary"
-)
-
-// ICMPEchoPayload generates a new random ID/Sequence pair, and returns a uint32
-// derived from them, along with the id, sequence and given payload in a buffer.
-// It returns an error if the random source could not be read.
-func ICMPEchoPayload(payload []byte) (idSeq uint32, buf []byte) {
-	buf = make([]byte, len(payload)+4)
-
-	// make a completely random id/sequence combo, which is very unlikely to
-	// collide with a running ping sequence on the host system. Errors are
-	// ignored, that would result in collisions, but errors reading from the
-	// random device are rare, and will cause this process universe to soon end.
-	crand.Read(buf[:4])
-
-	idSeq = binary.LittleEndian.Uint32(buf)
-	copy(buf[4:], payload)
-
-	return
-}

net/packet/packet.go

@@ -434,29 +434,6 @@ func (q *Parsed) IsEchoResponse() bool {
 	}
 }
 
-// EchoIDSeq extracts the identifier/sequence bytes from an ICMP Echo response,
-// and returns them as a uint32, used to lookup internally routed ICMP echo
-// responses. This function is intentionally lightweight as it is called on
-// every incoming ICMP packet.
-func (q *Parsed) EchoIDSeq() uint32 {
-	switch q.IPProto {
-	case ipproto.ICMPv4:
-		offset := ip4HeaderLength + icmp4HeaderLength
-		if len(q.b) < offset+4 {
-			return 0
-		}
-		return binary.LittleEndian.Uint32(q.b[offset:])
-	case ipproto.ICMPv6:
-		offset := ip6HeaderLength + icmp6HeaderLength
-		if len(q.b) < offset+4 {
-			return 0
-		}
-		return binary.LittleEndian.Uint32(q.b[offset:])
-	default:
-		return 0
-	}
-}
-
 func Hexdump(b []byte) string {
 	out := new(strings.Builder)
 	for i := 0; i < len(b); i += 16 {

net/packet/tsmp.go

@@ -5,7 +5,7 @@
 // TSMP is our ICMP-like "Tailscale Message Protocol" for signaling
 // Tailscale-specific messages between nodes. It uses IP protocol 99
 // (reserved for "any private encryption scheme") within
-// WireGuard's normal encryption between peers and never hits the host
+// Wireguard's normal encryption between peers and never hits the host
 // network stack.
 
 package packet

net/tsaddr/tsaddr.go

@@ -6,8 +6,6 @@
 package tsaddr
 
 import (
-	"encoding/binary"
-	"errors"
 	"sync"
 
 	"inet.af/netaddr"
@@ -128,18 +126,6 @@ func Tailscale4To6(ipv4 netaddr.IP) netaddr.IP {
 	return netaddr.IPFrom16(ret)
 }
 
-// Tailscale6to4 returns the IPv4 address corresponding to the given
-// tailscale IPv6 address within the 4To6 range. The IPv4 address
-// and true are returned if the given address was in the correct range,
-// false if not.
-func Tailscale6to4(ipv6 netaddr.IP) (netaddr.IP, bool) {
-	if !ipv6.Is6() || !Tailscale4To6Range().Contains(ipv6) {
-		return netaddr.IP{}, false
-	}
-	v6 := ipv6.As16()
-	return netaddr.IPv4(100, v6[13], v6[14], v6[15]), true
-}
-
 func mustPrefix(v *netaddr.IPPrefix, prefix string) {
 	var err error
 	*v, err = netaddr.ParseIPPrefix(prefix)
@@ -294,17 +280,3 @@ func UnmapVia(ip netaddr.IP) netaddr.IP {
 	}
 	return ip
 }
-
-// MapVia returns an IPv6 "via" route for an IPv4 CIDR in a given siteID.
-func MapVia(siteID uint32, v4 netaddr.IPPrefix) (via netaddr.IPPrefix, err error) {
-	if !v4.IP().Is4() {
-		return via, errors.New("want IPv4 CIDR with a site ID")
-	}
-	viaRange16 := TailscaleViaRange().IP().As16()
-	var a [16]byte
-	copy(a[:], viaRange16[:8])
-	binary.BigEndian.PutUint32(a[8:], siteID)
-	ip4a := v4.IP().As4()
-	copy(a[12:], ip4a[:])
-	return netaddr.IPPrefixFrom(netaddr.IPFrom16(a), v4.Bits()+64+32), nil
-}

net/tsdial/tsdial.go

@@ -20,12 +20,8 @@ import (
 
 	"inet.af/netaddr"
 	"tailscale.com/net/dnscache"
-	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netknob"
-	"tailscale.com/net/netns"
-	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
-	"tailscale.com/util/mak"
 	"tailscale.com/wgengine/monitor"
 )
 
@@ -34,7 +30,6 @@ import (
 // (TUN, netstack), the OS network sandboxing style (macOS/iOS
 // Extension, none), user-selected route acceptance prefs, etc.
 type Dialer struct {
-	Logf logger.Logf
 	// UseNetstackForIP if non-nil is whether NetstackDialTCP (if
 	// it's non-nil) should be used to dial the provided IP.
 	UseNetstackForIP func(netaddr.IP) bool
@@ -51,33 +46,12 @@ type Dialer struct {
 	peerDialerOnce sync.Once
 	peerDialer     *net.Dialer
 
-	netnsDialerOnce sync.Once
-	netnsDialer     netns.Dialer
-
-	mu                sync.Mutex
-	closed            bool
-	dns               dnsMap
-	tunName           string // tun device name
-	linkMon           *monitor.Mon
-	linkMonUnregister func()
-	exitDNSDoHBase    string                 // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
-	dnsCache          *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
-	nextSysConnID     int
-	activeSysConns    map[int]net.Conn // active connections not yet closed
-}
-
-// sysConn wraps a net.Conn that was created using d.SystemDial.
-// It exists to track which connections are still open, and should be
-// closed on major link changes.
-type sysConn struct {
-	net.Conn
-	id int
-	d  *Dialer
-}
-
-func (c sysConn) Close() error {
-	c.d.closeSysConn(c.id)
-	return nil
+	mu             sync.Mutex
+	dns            dnsMap
+	tunName        string // tun device name
+	linkMon        *monitor.Mon
+	exitDNSDoHBase string                 // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
+	dnsCache       *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
 }
 
 // SetTUNName sets the name of the tun device in use ("tailscale0", "utun6",
@@ -117,53 +91,10 @@ func (d *Dialer) SetExitDNSDoH(doh string) {
 	}
 }
 
-func (d *Dialer) Close() error {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	d.closed = true
-	if d.linkMonUnregister != nil {
-		d.linkMonUnregister()
-		d.linkMonUnregister = nil
-	}
-	for _, c := range d.activeSysConns {
-		c.Close()
-	}
-	d.activeSysConns = nil
-	return nil
-}
-
 func (d *Dialer) SetLinkMonitor(mon *monitor.Mon) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
-	if d.linkMonUnregister != nil {
-		go d.linkMonUnregister()
-		d.linkMonUnregister = nil
-	}
 	d.linkMon = mon
-	d.linkMonUnregister = d.linkMon.RegisterChangeCallback(d.linkChanged)
-}
-
-func (d *Dialer) linkChanged(major bool, state *interfaces.State) {
-	if !major {
-		return
-	}
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	for id, c := range d.activeSysConns {
-		go c.Close()
-		delete(d.activeSysConns, id)
-	}
-}
-
-func (d *Dialer) closeSysConn(id int) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	c, ok := d.activeSysConns[id]
-	if !ok {
-		return
-	}
-	delete(d.activeSysConns, id)
-	go c.Close() // ignore the error
 }
 
 func (d *Dialer) interfaceIndexLocked(ifName string) (index int, ok bool) {
@@ -266,42 +197,6 @@ func ipNetOfNetwork(n string) string {
 	return "ip"
 }
 
-// SystemDial connects to the provided network address without going over
-// Tailscale. It prefers going over the default interface and closes existing
-// connections if the default interface changes. It is used to connect to
-// Control and (in the future, as of 2022-04-27) DERPs..
-func (d *Dialer) SystemDial(ctx context.Context, network, addr string) (net.Conn, error) {
-	d.mu.Lock()
-	closed := d.closed
-	d.mu.Unlock()
-	if closed {
-		return nil, net.ErrClosed
-	}
-
-	d.netnsDialerOnce.Do(func() {
-		logf := d.Logf
-		if logf == nil {
-			logf = logger.Discard
-		}
-		d.netnsDialer = netns.NewDialer(logf)
-	})
-	c, err := d.netnsDialer.DialContext(ctx, network, addr)
-	if err != nil {
-		return nil, err
-	}
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	id := d.nextSysConnID
-	d.nextSysConnID++
-	mak.Set(&d.activeSysConns, id, c)
-
-	return sysConn{
-		id:   id,
-		d:    d,
-		Conn: c,
-	}, nil
-}
-
 // UserDial connects to the provided network address as if a user were initiating the dial.
 // (e.g. from a SOCKS or HTTP outbound proxy)
 func (d *Dialer) UserDial(ctx context.Context, network, addr string) (net.Conn, error) {