cmd/tailscale: add basic support for admin subcommand

The admin subcommand is a thin wrapper over the REST API.
It (hopefully) makes administration of tailnets easier
than vanilla curl.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>

cmd/tailscale/cli/admin.go

@@ -0,0 +1,155 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/dsnet/golib/jsonfmt"
+	"github.com/peterbourgon/ff/v2/ffcli"
+)
+
+const tailscaleAPIURL = "https://api.tailscale.com/api"
+
+var adminCmd = &ffcli.Command{
+	Name:       "admin",
+	ShortUsage: "admin <subcommand> [command flags]",
+	ShortHelp:  "Administrate a tailnet",
+	LongHelp: strings.TrimSpace(`
+The "tailscale admin" command administrates a tailnet through the CLI.
+It is a wrapper over the RESTful API served at ` + tailscaleAPIURL + `.
+See https://github.com/tailscale/tailscale/blob/main/api.md for more information
+about the API itself.
+
+In order for the "admin" command to call the API, it needs an API key,
+which is specified by setting the TAILSCALE_API_KEY environment variable.
+Also, to easy usage, the tailnet to administrate can be specified through the
+TAILSCALE_NET_NAME environment variable, or specified with the -tailnet flag.
+
+Visit https://login.tailscale.com/admin/settings/authkeys in order to obtain
+an API key.
+`),
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("status", flag.ExitOnError)
+		// TODO(dsnet): Can we determine the default tailnet from what this
+		// device is currently part of? Alternatively, when add specific logic
+		// to handle auth keys, we can always associate a given key with a
+		// specific tailnet.
+		fs.StringVar(&adminArgs.tailnet, "tailnet", os.Getenv("TAILSCALE_NET_NAME"), "which tailnet to administrate")
+		return fs
+	})(),
+	// TODO(dsnet): Handle users, groups, dns.
+	Subcommands: []*ffcli.Command{{
+		Name:       "acl",
+		ShortUsage: "acl <subcommand> [command flags]",
+		ShortHelp:  "Manage the ACL for a tailnet",
+		// TODO(dsnet): Handle preview.
+		Subcommands: []*ffcli.Command{{
+			Name:       "get",
+			ShortUsage: "get",
+			ShortHelp:  "Downloads the HuJSON ACL file to stdout",
+			Exec:       checkAdminKey(runAdminACLGet),
+		}, {
+			Name:       "set",
+			ShortUsage: "set",
+			ShortHelp:  "Uploads the HuJSON ACL file from stdin",
+			Exec:       checkAdminKey(runAdminACLSet),
+		}},
+		Exec: runHelp,
+	}, {
+		Name:       "devices",
+		ShortUsage: "devices <subcommand> [command flags]",
+		ShortHelp:  "Manage devices in a tailnet",
+		Subcommands: []*ffcli.Command{{
+			Name:       "list",
+			ShortUsage: "list",
+			ShortHelp:  "List all devices in a tailnet",
+			Exec:       checkAdminKey(runAdminDevicesList),
+		}, {
+			Name:       "get",
+			ShortUsage: "get <id>",
+			ShortHelp:  "Get information about a specific device",
+			Exec:       checkAdminKey(runAdminDevicesGet),
+		}},
+		Exec: runHelp,
+	}},
+	Exec: runHelp,
+}
+
+var adminArgs struct {
+	tailnet string // which tailnet to operate upon
+}
+
+func checkAdminKey(f func(context.Context, string, []string) error) func(context.Context, []string) error {
+	return func(ctx context.Context, args []string) error {
+		// TODO(dsnet): We should have a subcommand or flag to manage keys.
+		// Use of an environment variable is a temporary hack.
+		key := os.Getenv("TAILSCALE_API_KEY")
+		if !strings.HasPrefix(key, "tskey-") {
+			return errors.New("no API key specified")
+		}
+		return f(ctx, key, args)
+	}
+}
+
+func runAdminACLGet(ctx context.Context, key string, args []string) error {
+	if len(args) > 0 {
+		return flag.ErrHelp
+	}
+	return adminCallAPI(ctx, key, http.MethodGet, "/v2/tailnet/"+adminArgs.tailnet+"/acl", nil, os.Stdout)
+}
+
+func runAdminACLSet(ctx context.Context, key string, args []string) error {
+	if len(args) > 0 {
+		return flag.ErrHelp
+	}
+	return adminCallAPI(ctx, key, http.MethodPost, "/v2/tailnet/"+adminArgs.tailnet+"/acl", os.Stdin, os.Stdout)
+}
+
+func runAdminDevicesList(ctx context.Context, key string, args []string) error {
+	if len(args) > 0 {
+		return flag.ErrHelp
+	}
+	return adminCallAPI(ctx, key, http.MethodGet, "/v2/tailnet/"+adminArgs.tailnet+"/devices", nil, os.Stdout)
+}
+
+func runAdminDevicesGet(ctx context.Context, key string, args []string) error {
+	if len(args) != 1 {
+		return flag.ErrHelp
+	}
+	return adminCallAPI(ctx, key, http.MethodGet, "/v2/device/"+args[0], nil, os.Stdout)
+}
+
+func adminCallAPI(ctx context.Context, key, method, path string, in io.Reader, out io.Writer) error {
+	req, err := http.NewRequestWithContext(ctx, method, tailscaleAPIURL+path, in)
+	req.SetBasicAuth(key, "")
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send HTTP request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to receive HTTP response: %w", err)
+	}
+	b, err = jsonfmt.Format(b)
+	if err != nil {
+		return fmt.Errorf("failed to format JSON response: %w", err)
+	}
+	_, err = out.Write(b)
+	return err
+
+}

cmd/tailscale/cli/cli.go

@@ -76,6 +76,10 @@ func ActLikeCLI() bool {
 	return false
 }
 
+func runHelp(context.Context, []string) error {
+	return flag.ErrHelp
+}
+
 // Run runs the CLI. The args do not include the binary name.
 func Run(args []string) error {
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
@@ -99,6 +103,7 @@ change in the future.
 			upCmd,
 			downCmd,
 			logoutCmd,
+			adminCmd,
 			netcheckCmd,
 			ipCmd,
 			statusCmd,
@@ -109,7 +114,7 @@ change in the future.
 			bugReportCmd,
 		},
 		FlagSet:   rootfs,
-		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
+		Exec:      runHelp,
 		UsageFunc: usageFunc,
 	}
 	for _, c := range rootCmd.Subcommands {

cmd/tailscale/cli/diag.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux || windows || darwin
 // +build linux windows darwin
 
 package cli

cmd/tailscale/cli/diag_other.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !linux && !windows && !darwin
 // +build !linux,!windows,!darwin
 
 package cli

cmd/tailscale/depaware.txt

@@ -3,6 +3,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/dsnet/golib/jsonfmt                               from tailscale.com/cmd/tailscale/cli
         github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli
         github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
@@ -51,6 +52,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
      💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
         tailscale.com/types/key                                      from tailscale.com/derp+

cmd/tailscaled/depaware.txt

@@ -139,6 +139,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
      💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
         tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+

cmd/tailscaled/tailscaled.go

@@ -142,7 +142,7 @@ func main() {
 		os.Exit(0)
 	}
 
-	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") {
+	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") && !args.cleanup {
 		log.SetFlags(0)
 		log.Fatalf("tailscaled requires root; use sudo tailscaled (or use --tun=userspace-networking)")
 	}

cmd/tailscaled/tailscaled_notwindows.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package main // import "tailscale.com/cmd/tailscaled"

cmd/tsshd/tsshd.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 // The tsshd binary is an SSH server that accepts connections

cmd/tsshd/tsshd_windows.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build windows
 // +build windows
 
 package main

control/controlclient/hostinfo_linux.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux && !android
 // +build linux,!android
 
 package controlclient

control/controlclient/sign_supported.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build windows && cgo
 // +build windows,cgo
 
 // darwin,cgo is also supported by certstore but machineCertificateSubject will

control/controlclient/sign_unsupported.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows || !cgo
 // +build !windows !cgo
 
 package controlclient

disco/disco_fuzzer.go

@@ -1,6 +1,7 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
+//go:build gofuzz
 // +build gofuzz
 
 package disco

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/coreos/go-iptables v0.6.0
 	github.com/creack/pty v1.1.9
 	github.com/dave/jennifer v1.4.1
+	github.com/dsnet/golib/jsonfmt v1.0.0
 	github.com/frankban/quicktest v1.13.0
 	github.com/gliderlabs/ssh v0.3.2
 	github.com/go-multierror/multierror v1.0.2

go.sum

@@ -96,6 +96,8 @@ github.com/denis-tingajkin/go-header v0.3.1 h1:ymEpSiFjeItCy1FOP+x0M2KdCELdEAHUs
 github.com/denis-tingajkin/go-header v0.3.1/go.mod h1:sq/2IxMhaZX+RRcgHfCRx/m0M5na0fBt4/CRe7Lrji0=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/dsnet/golib/jsonfmt v1.0.0 h1:qrfqvbua2pQvj+dt3BcxEwwqy86F7ri2NdLQLm6g2TQ=
+github.com/dsnet/golib/jsonfmt v1.0.0/go.mod h1:C0/DCakJBCSVJ3mWBjDVzym2Wf7w5hpvwgHCwI/M7/w=
 github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=

ipn/ipnlocal/local.go

@@ -38,6 +38,7 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/portlist"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -1820,7 +1821,7 @@ func (b *LocalBackend) authReconfig() {
 	}
 
 	if uc.CorpDNS {
-		addDefault := func(resolvers []tailcfg.DNSResolver) {
+		addDefault := func(resolvers []dnstype.Resolver) {
 			for _, resolver := range resolvers {
 				res, err := parseResolver(resolver)
 				if err != nil {
@@ -1896,7 +1897,7 @@ func (b *LocalBackend) authReconfig() {
 	b.initPeerAPIListener()
 }
 
-func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
+func parseResolver(cfg dnstype.Resolver) (netaddr.IPPort, error) {
 	ip, err := netaddr.ParseIP(cfg.Addr)
 	if err != nil {
 		return netaddr.IPPort{}, fmt.Errorf("[unexpected] non-IP resolver %q", cfg.Addr)

ipn/ipnlocal/peerapi_macios_ext.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build (darwin && ts_macext) || (ios && ts_macext)
 // +build darwin,ts_macext ios,ts_macext
 
 package ipnlocal

logtail/filch/filch_unix.go

@@ -2,7 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//+build !windows
+//go:build !windows
+// +build !windows
 
 package filch
 

net/dns/debian_resolvconf.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux || freebsd || openbsd
 // +build linux freebsd openbsd
 
 package dns

net/dns/ini.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build windows
 // +build windows
 
 package dns

net/dns/ini_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build windows
 // +build windows
 
 package dns

net/dns/manager_default.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !linux && !freebsd && !openbsd && !windows
 // +build !linux,!freebsd,!openbsd,!windows
 
 package dns

net/dns/nm.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package dns

net/dns/openresolv.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux || freebsd || openbsd
 // +build linux freebsd openbsd
 
 package dns

net/dns/resolvconf.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux || freebsd || openbsd
 // +build linux freebsd openbsd
 
 package dns

net/dns/resolved.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package dns

net/dns/resolver/macios_ext.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build (darwin && ts_macext) || (ios && ts_macext)
 // +build darwin,ts_macext ios,ts_macext
 
 package resolver

net/dns/resolver/neterr_other.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !darwin && !windows
 // +build !darwin,!windows
 
 package resolver

net/dnsfallback/update-dns-fallbacks.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build ignore
 // +build ignore
 
 package main

net/interfaces/interfaces_default_route_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux || (darwin && !ts_macext)
 // +build linux darwin,!ts_macext
 
 package interfaces

net/interfaces/interfaces_defaultrouteif_todo.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !linux && !windows && !darwin
 // +build !linux,!windows,!darwin
 
 package interfaces

net/netns/netns_android.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build android
 // +build android
 
 package netns

net/netns/netns_darwin_tailscaled.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build darwin && !ts_macext
 // +build darwin,!ts_macext
 
 package netns

net/netns/netns_default.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build (!linux && !windows && !darwin) || (darwin && ts_macext)
 // +build !linux,!windows,!darwin darwin,ts_macext
 
 package netns

net/netns/netns_linux.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux && !android
 // +build linux,!android
 
 package netns

net/netns/netns_macios.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build darwin || ios
 // +build darwin ios
 
 package netns

net/netns/socks.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !ios
 // +build !ios
 
 package netns

net/netstat/netstat_noimpl.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package netstat

net/portmapper/disabled_stubs.go

@@ -2,7 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build ios
 // +build ios
+
 // (https://github.com/tailscale/tailscale/issues/2495)
 
 package portmapper

net/portmapper/igd_test.go

@@ -0,0 +1,155 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package portmapper
+
+import (
+	"bytes"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+
+	"inet.af/netaddr"
+)
+
+// TestIGD is an IGD (Intenet Gateway Device) for testing. It supports fake
+// implementations of NAT-PMP, PCP, and/or UPnP to test clients against.
+type TestIGD struct {
+	upnpConn net.PacketConn // for UPnP discovery
+	pxpConn  net.PacketConn // for NAT-PMP and/or PCP
+	ts       *httptest.Server
+
+	doPMP  bool
+	doPCP  bool
+	doUPnP bool // TODO: more options for 3 flavors of UPnP services
+
+	mu       sync.Mutex // guards below
+	counters igdCounters
+}
+
+type igdCounters struct {
+	numUPnPDiscoRecv     int32
+	numUPnPOtherUDPRecv  int32
+	numUPnPHTTPRecv      int32
+	numPMPRecv           int32
+	numPMPDiscoRecv      int32
+	numPCPRecv           int32
+	numPCPDiscoRecv      int32
+	numPMPPublicAddrRecv int32
+	numPMPBogusRecv      int32
+}
+
+func NewTestIGD() (*TestIGD, error) {
+	d := &TestIGD{
+		doPMP:  true,
+		doPCP:  true,
+		doUPnP: true,
+	}
+	var err error
+	if d.upnpConn, err = net.ListenPacket("udp", "127.0.0.1:1900"); err != nil {
+		return nil, err
+	}
+	if d.pxpConn, err = net.ListenPacket("udp", "127.0.0.1:5351"); err != nil {
+		return nil, err
+	}
+	d.ts = httptest.NewServer(http.HandlerFunc(d.serveUPnPHTTP))
+	go d.serveUPnPDiscovery()
+	go d.servePxP()
+	return d, nil
+}
+
+func (d *TestIGD) Close() error {
+	d.ts.Close()
+	d.upnpConn.Close()
+	d.pxpConn.Close()
+	return nil
+}
+
+func (d *TestIGD) inc(p *int32) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	(*p)++
+}
+
+func (d *TestIGD) stats() igdCounters {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	return d.counters
+}
+
+func (d *TestIGD) serveUPnPHTTP(w http.ResponseWriter, r *http.Request) {
+	http.NotFound(w, r) // TODO
+}
+
+func (d *TestIGD) serveUPnPDiscovery() {
+	buf := make([]byte, 1500)
+	for {
+		n, src, err := d.upnpConn.ReadFrom(buf)
+		if err != nil {
+			return
+		}
+		pkt := buf[:n]
+		if bytes.Equal(pkt, uPnPPacket) { // a super lazy "parse"
+			d.inc(&d.counters.numUPnPDiscoRecv)
+			resPkt := []byte(fmt.Sprintf("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:bee7052b-49e8-3597-b545-55a1e38ac11::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nEXT:\r\nSERVER: Tailscale-Test/1.0 UPnP/1.1 MiniUPnPd/2.2.1\r\nLOCATION: %s\r\nOPT: \"http://schemas.upnp.org/upnp/1/0/\"; ns=01\r\n01-NLS: 1627958564\r\nBOOTID.UPNP.ORG: 1627958564\r\nCONFIGID.UPNP.ORG: 1337\r\n\r\n", d.ts.URL+"/rootDesc.xml"))
+			d.upnpConn.WriteTo(resPkt, src)
+		} else {
+			d.inc(&d.counters.numUPnPOtherUDPRecv)
+		}
+	}
+}
+
+// servePxP serves NAT-PMP and PCP, which share a port number.
+func (d *TestIGD) servePxP() {
+	buf := make([]byte, 1500)
+	for {
+		n, a, err := d.pxpConn.ReadFrom(buf)
+		if err != nil {
+			return
+		}
+		ua := a.(*net.UDPAddr)
+		src, ok := netaddr.FromStdAddr(ua.IP, ua.Port, ua.Zone)
+		if !ok {
+			panic("bogus addr")
+		}
+		pkt := buf[:n]
+		if len(pkt) < 2 {
+			continue
+		}
+		ver := pkt[0]
+		switch ver {
+		default:
+			continue
+		case pmpVersion:
+			d.handlePMPQuery(pkt, src)
+		case pcpVersion:
+			d.handlePCPQuery(pkt, src)
+		}
+	}
+}
+
+func (d *TestIGD) handlePMPQuery(pkt []byte, src netaddr.IPPort) {
+	d.inc(&d.counters.numPMPRecv)
+	if len(pkt) < 2 {
+		return
+	}
+	op := pkt[1]
+	switch op {
+	case pmpOpMapPublicAddr:
+		if len(pkt) != 2 {
+			d.inc(&d.counters.numPMPBogusRecv)
+			return
+		}
+		d.inc(&d.counters.numPMPPublicAddrRecv)
+
+	}
+	// TODO
+}
+
+func (d *TestIGD) handlePCPQuery(pkt []byte, src netaddr.IPPort) {
+	d.inc(&d.counters.numPCPRecv)
+	// TODO
+}

net/portmapper/pcp.go

@@ -0,0 +1,155 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package portmapper
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+	"time"
+
+	"inet.af/netaddr"
+	"tailscale.com/net/netns"
+)
+
+// References:
+//
+// https://www.rfc-editor.org/rfc/pdfrfc/rfc6887.txt.pdf
+// https://tools.ietf.org/html/rfc6887
+
+// PCP constants
+const (
+	pcpVersion = 2
+	pcpPort    = 5351
+
+	pcpMapLifetimeSec = 7200 // TODO does the RFC recommend anything? This is taken from PMP.
+
+	pcpCodeOK            = 0
+	pcpCodeNotAuthorized = 2
+
+	pcpOpReply    = 0x80 // OR'd into request's op code on response
+	pcpOpAnnounce = 0
+	pcpOpMap      = 1
+
+	pcpUDPMapping = 17 // portmap UDP
+	pcpTCPMapping = 6  // portmap TCP
+)
+
+type pcpMapping struct {
+	gw       netaddr.IP
+	internal netaddr.IPPort
+	external netaddr.IPPort
+
+	renewAfter time.Time
+	goodUntil  time.Time
+
+	// TODO should this also contain an epoch?
+	// Doesn't seem to be used elsewhere, but can use it for validation at some point.
+}
+
+func (p *pcpMapping) GoodUntil() time.Time     { return p.goodUntil }
+func (p *pcpMapping) RenewAfter() time.Time    { return p.renewAfter }
+func (p *pcpMapping) External() netaddr.IPPort { return p.external }
+func (p *pcpMapping) Release(ctx context.Context) {
+	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
+	if err != nil {
+		return
+	}
+	defer uc.Close()
+	pkt := buildPCPRequestMappingPacket(p.internal.IP(), p.internal.Port(), p.external.Port(), 0, p.external.IP())
+	uc.WriteTo(pkt, netaddr.IPPortFrom(p.gw, pcpPort).UDPAddr())
+}
+
+// buildPCPRequestMappingPacket generates a PCP packet with a MAP opcode.
+// To create a packet which deletes a mapping, lifetimeSec should be set to 0.
+// If prevPort is not known, it should be set to 0.
+// If prevExternalIP is not known, it should be set to 0.0.0.0.
+func buildPCPRequestMappingPacket(
+	myIP netaddr.IP,
+	localPort, prevPort uint16,
+	lifetimeSec uint32,
+	prevExternalIP netaddr.IP,
+) (pkt []byte) {
+	// 24 byte common PCP header + 36 bytes of MAP-specific fields
+	pkt = make([]byte, 24+36)
+	pkt[0] = pcpVersion
+	pkt[1] = pcpOpMap
+	binary.BigEndian.PutUint32(pkt[4:8], lifetimeSec)
+	myIP16 := myIP.As16()
+	copy(pkt[8:24], myIP16[:])
+
+	mapOp := pkt[24:]
+	rand.Read(mapOp[:12]) // 96 bit mapping nonce
+
+	// TODO: should this be a UDP mapping? It looks like it supports "all protocols" with 0, but
+	// also doesn't support a local port then.
+	mapOp[12] = pcpUDPMapping
+	binary.BigEndian.PutUint16(mapOp[16:18], localPort)
+	binary.BigEndian.PutUint16(mapOp[18:20], prevPort)
+
+	prevExternalIP16 := prevExternalIP.As16()
+	copy(mapOp[20:], prevExternalIP16[:])
+	return pkt
+}
+
+func parsePCPMapResponse(resp []byte) (*pcpMapping, error) {
+	if len(resp) < 60 {
+		return nil, fmt.Errorf("Does not appear to be PCP MAP response")
+	}
+	res, ok := parsePCPResponse(resp[:24])
+	if !ok {
+		return nil, fmt.Errorf("Invalid PCP common header")
+	}
+	if res.ResultCode != pcpCodeOK {
+		return nil, fmt.Errorf("PCP response not ok, code %d", res.ResultCode)
+	}
+	// TODO: don't ignore the nonce and make sure it's the same?
+	externalPort := binary.BigEndian.Uint16(resp[42:44])
+	externalIPBytes := [16]byte{}
+	copy(externalIPBytes[:], resp[44:])
+	externalIP := netaddr.IPFrom16(externalIPBytes)
+
+	external := netaddr.IPPortFrom(externalIP, externalPort)
+
+	lifetime := time.Second * time.Duration(res.Lifetime)
+	now := time.Now()
+	mapping := &pcpMapping{
+		external:   external,
+		renewAfter: now.Add(lifetime / 2),
+		goodUntil:  now.Add(lifetime),
+	}
+
+	return mapping, nil
+}
+
+// pcpAnnounceRequest generates a PCP packet with an ANNOUNCE opcode.
+func pcpAnnounceRequest(myIP netaddr.IP) []byte {
+	// See https://tools.ietf.org/html/rfc6887#section-7.1
+	pkt := make([]byte, 24)
+	pkt[0] = pcpVersion
+	pkt[1] = pcpOpAnnounce
+	myIP16 := myIP.As16()
+	copy(pkt[8:], myIP16[:])
+	return pkt
+}
+
+type pcpResponse struct {
+	OpCode     uint8
+	ResultCode uint8
+	Lifetime   uint32
+	Epoch      uint32
+}
+
+func parsePCPResponse(b []byte) (res pcpResponse, ok bool) {
+	if len(b) < 24 || b[0] != pcpVersion {
+		return
+	}
+	res.OpCode = b[1]
+	res.ResultCode = b[3]
+	res.Lifetime = binary.BigEndian.Uint32(b[4:])
+	res.Epoch = binary.BigEndian.Uint32(b[8:])
+	return res, true
+}

net/portmapper/pcp_test.go

@@ -0,0 +1,27 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package portmapper
+
+import (
+	"testing"
+
+	"inet.af/netaddr"
+)
+
+var examplePCPMapResponse = []byte{2, 129, 0, 0, 0, 0, 28, 32, 0, 2, 155, 237, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 129, 112, 9, 24, 241, 208, 251, 45, 157, 76, 10, 188, 17, 0, 0, 0, 4, 210, 4, 210, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 135, 180, 175, 246}
+
+func TestParsePCPMapResponse(t *testing.T) {
+	mapping, err := parsePCPMapResponse(examplePCPMapResponse)
+	if err != nil {
+		t.Fatalf("failed to parse PCP Map Response: %v", err)
+	}
+	if mapping == nil {
+		t.Fatalf("got nil mapping when expected non-nil")
+	}
+	expectedAddr := netaddr.MustParseIPPort("135.180.175.246:1234")
+	if mapping.external != expectedAddr {
+		t.Errorf("mismatched external address, got: %v, want: %v", mapping.external, expectedAddr)
+	}
+}

net/portmapper/portmapper.go

@@ -3,12 +3,11 @@
 // license that can be found in the LICENSE file.
 
 // Package portmapper is a UDP port mapping client. It currently allows for mapping over
-// NAT-PMP and UPnP, but will perhaps do PCP later.
+// NAT-PMP, UPnP, and PCP.
 package portmapper
 
 import (
 	"context"
-	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -25,9 +24,12 @@ import (
 	"tailscale.com/types/logger"
 )
 
-// Debub knobs for "tailscaled debug --portmap".
+// Debug knobs for "tailscaled debug --portmap".
 var (
 	VerboseLogs bool
+
+	// Disable* disables a specific service from mapping.
+
 	DisableUPnP bool
 	DisablePMP  bool
 	DisablePCP  bool
@@ -36,7 +38,6 @@ var (
 // References:
 //
 // NAT-PMP: https://tools.ietf.org/html/rfc6886
-// PCP: https://tools.ietf.org/html/rfc6887
 
 // portMapServiceTimeout is the time we wait for port mapping
 // services (UPnP, NAT-PMP, PCP) to respond before we give up and
@@ -239,6 +240,10 @@ func (c *Client) sawPMPRecentlyLocked() bool {
 func (c *Client) sawPCPRecently() bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
+	return c.sawPCPRecentlyLocked()
+}
+
+func (c *Client) sawPCPRecentlyLocked() bool {
 	return c.pcpSawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
 }
 
@@ -337,12 +342,18 @@ func (c *Client) createMapping() {
 	}
 }
 
+// wildcardIP is used when the previous external IP is not known for PCP port mapping.
+var wildcardIP = netaddr.MustParseIP("0.0.0.0")
+
 // createOrGetMapping either creates a new mapping or returns a cached
 // valid one.
 //
 // If no mapping is available, the error will be of type
 // NoMappingError; see IsNoMappingError.
 func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPort, err error) {
+	if DisableUPnP && DisablePCP && DisablePMP {
+		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+	}
 	gw, myIP, ok := c.gatewayAndSelfIP()
 	if !ok {
 		return netaddr.IPPort{}, NoMappingError{ErrGatewayRange}
@@ -351,10 +362,6 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	c.mu.Lock()
 	localPort := c.localPort
 	internalAddr := netaddr.IPPortFrom(myIP, localPort)
-	m := &pmpMapping{
-		gw:       gw,
-		internal: internalAddr,
-	}
 
 	// prevPort is the port we had most previously, if any. We try
 	// to ask for the same port. 0 means to give us any port.
@@ -371,23 +378,41 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 		prevPort = m.External().Port()
 	}
 
-	// If we just did a Probe (e.g. via netchecker) but didn't
-	// find a PMP service, bail out early rather than probing
-	// again. Cuts down latency for most clients.
-	haveRecentPMP := c.sawPMPRecentlyLocked()
-
-	if haveRecentPMP {
-		m.external = m.external.WithIP(c.pmpPubIP)
-	}
-	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP {
+	if DisablePCP && DisablePMP {
 		c.mu.Unlock()
-		// fallback to UPnP portmapping
-		if mapping, ok := c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort); ok {
-			return mapping, nil
+		if external, ok := c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort); ok {
+			return external, nil
 		}
 		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
 	}
 
+	// If we just did a Probe (e.g. via netchecker) but didn't
+	// find a PMP service, bail out early rather than probing
+	// again. Cuts down latency for most clients.
+	haveRecentPMP := c.sawPMPRecentlyLocked()
+	haveRecentPCP := c.sawPCPRecentlyLocked()
+
+	// Since PMP mapping may require multiple calls, and it's not clear from the outset
+	// whether we're doing a PCP or PMP call, initialize the PMP mapping here,
+	// and only return it once completed.
+	//
+	// PCP returns all the information necessary for a mapping in a single packet, so we can
+	// construct it upon receiving that packet.
+	m := &pmpMapping{
+		gw:       gw,
+		internal: internalAddr,
+	}
+	if haveRecentPMP {
+		m.external = m.external.WithIP(c.pmpPubIP)
+	}
+	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP && !haveRecentPCP {
+		c.mu.Unlock()
+		// fallback to UPnP portmapping
+		if external, ok := c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort); ok {
+			return external, nil
+		}
+		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+	}
 	c.mu.Unlock()
 
 	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
@@ -399,20 +424,31 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	uc.SetReadDeadline(time.Now().Add(portMapServiceTimeout))
 	defer closeCloserOnContextDone(ctx, uc)()
 
-	pmpAddr := netaddr.IPPortFrom(gw, pmpPort)
-	pmpAddru := pmpAddr.UDPAddr()
+	pxpAddr := netaddr.IPPortFrom(gw, pmpPort)
+	pxpAddru := pxpAddr.UDPAddr()
 
-	// Ask for our external address if needed.
-	if m.external.IP().IsZero() {
-		if _, err := uc.WriteTo(pmpReqExternalAddrPacket, pmpAddru); err != nil {
+	preferPCP := !DisablePCP && (DisablePMP || (!haveRecentPMP && haveRecentPCP))
+
+	// Create a mapping, defaulting to PMP unless only PCP was seen recently.
+	if preferPCP {
+		// TODO replace wildcardIP here with previous external if known.
+		// Only do PCP mapping in the case when PMP did not appear to be available recently.
+		pkt := buildPCPRequestMappingPacket(myIP, localPort, prevPort, pcpMapLifetimeSec, wildcardIP)
+		if _, err := uc.WriteTo(pkt, pxpAddru); err != nil {
 			return netaddr.IPPort{}, err
 		}
-	}
+	} else {
+		// Ask for our external address if needed.
+		if m.external.IP().IsZero() {
+			if _, err := uc.WriteTo(pmpReqExternalAddrPacket, pxpAddru); err != nil {
+				return netaddr.IPPort{}, err
+			}
+		}
 
-	// And ask for a mapping.
-	pmpReqMapping := buildPMPRequestMappingPacket(localPort, prevPort, pmpMapLifetimeSec)
-	if _, err := uc.WriteTo(pmpReqMapping, pmpAddru); err != nil {
-		return netaddr.IPPort{}, err
+		pkt := buildPMPRequestMappingPacket(localPort, prevPort, pmpMapLifetimeSec)
+		if _, err := uc.WriteTo(pkt, pxpAddru); err != nil {
+			return netaddr.IPPort{}, err
+		}
 	}
 
 	res := make([]byte, 1500)
@@ -433,25 +469,45 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 		if !ok {
 			continue
 		}
-		if src == pmpAddr {
-			pres, ok := parsePMPResponse(res[:n])
-			if !ok {
-				c.logf("unexpected PMP response: % 02x", res[:n])
-				continue
-			}
-			if pres.ResultCode != 0 {
-				return netaddr.IPPort{}, NoMappingError{fmt.Errorf("PMP response Op=0x%x,Res=0x%x", pres.OpCode, pres.ResultCode)}
-			}
-			if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr {
-				m.external = m.external.WithIP(pres.PublicAddr)
-			}
-			if pres.OpCode == pmpOpReply|pmpOpMapUDP {
-				m.external = m.external.WithPort(pres.ExternalPort)
-				d := time.Duration(pres.MappingValidSeconds) * time.Second
-				now := time.Now()
-				m.goodUntil = now.Add(d)
-				m.renewAfter = now.Add(d / 2) // renew in half the time
-				m.epoch = pres.SecondsSinceEpoch
+		if src == pxpAddr {
+			version := res[0]
+			switch version {
+			case pmpVersion:
+				pres, ok := parsePMPResponse(res[:n])
+				if !ok {
+					c.logf("unexpected PMP response: % 02x", res[:n])
+					continue
+				}
+				if pres.ResultCode != 0 {
+					return netaddr.IPPort{}, NoMappingError{fmt.Errorf("PMP response Op=0x%x,Res=0x%x", pres.OpCode, pres.ResultCode)}
+				}
+				if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr {
+					m.external = m.external.WithIP(pres.PublicAddr)
+				}
+				if pres.OpCode == pmpOpReply|pmpOpMapUDP {
+					m.external = m.external.WithPort(pres.ExternalPort)
+					d := time.Duration(pres.MappingValidSeconds) * time.Second
+					now := time.Now()
+					m.goodUntil = now.Add(d)
+					m.renewAfter = now.Add(d / 2) // renew in half the time
+					m.epoch = pres.SecondsSinceEpoch
+				}
+			case pcpVersion:
+				pcpMapping, err := parsePCPMapResponse(res[:n])
+				if err != nil {
+					c.logf("failed to get PCP mapping: %v", err)
+					// PCP should only have a single packet response
+					return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+				}
+				pcpMapping.internal = m.internal
+				pcpMapping.gw = gw
+				c.mu.Lock()
+				defer c.mu.Unlock()
+				c.mapping = pcpMapping
+				return pcpMapping.external, nil
+			default:
+				c.logf("unknown PMP/PCP version number: %d %v", version, res[:n])
+				return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
 			}
 		}
 
@@ -472,6 +528,7 @@ const (
 	pmpMapLifetimeSec    = 7200 // RFC recommended 2 hour map duration
 	pmpMapLifetimeDelete = 0    // 0 second lifetime deletes
 
+	pmpVersion         = 0
 	pmpOpMapPublicAddr = 0
 	pmpOpMapUDP        = 1
 	pmpOpReply         = 0x80 // OR'd into request's op code on response
@@ -669,78 +726,7 @@ func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
 	}
 }
 
-const (
-	pcpVersion = 2
-	pcpPort    = 5351
-
-	pcpCodeOK            = 0
-	pcpCodeNotAuthorized = 2
-
-	pcpOpReply    = 0x80 // OR'd into request's op code on response
-	pcpOpAnnounce = 0
-	pcpOpMap      = 1
-)
-
-// pcpAnnounceRequest generates a PCP packet with an ANNOUNCE opcode.
-func pcpAnnounceRequest(myIP netaddr.IP) []byte {
-	// See https://tools.ietf.org/html/rfc6887#section-7.1
-	pkt := make([]byte, 24)
-	pkt[0] = pcpVersion // version
-	pkt[1] = pcpOpAnnounce
-	myIP16 := myIP.As16()
-	copy(pkt[8:], myIP16[:])
-	return pkt
-}
-
-// pcpMapRequest generates a PCP packet with a MAP opcode.
-func pcpMapRequest(myIP netaddr.IP, mapToLocalPort int, delete bool) []byte {
-	const udpProtoNumber = 17
-	lifetimeSeconds := uint32(1)
-	if delete {
-		lifetimeSeconds = 0
-	}
-	const opMap = 1
-
-	// 24 byte header + 36 byte map opcode
-	pkt := make([]byte, (32+32+128)/8+(96+8+24+16+16+128)/8)
-
-	// The header (https://tools.ietf.org/html/rfc6887#section-7.1)
-	pkt[0] = 2 // version
-	pkt[1] = opMap
-	binary.BigEndian.PutUint32(pkt[4:8], lifetimeSeconds)
-	myIP16 := myIP.As16()
-	copy(pkt[8:], myIP16[:])
-
-	// The map opcode body (https://tools.ietf.org/html/rfc6887#section-11.1)
-	mapOp := pkt[24:]
-	rand.Read(mapOp[:12]) // 96 bit mappping nonce
-	mapOp[12] = udpProtoNumber
-	binary.BigEndian.PutUint16(mapOp[16:], uint16(mapToLocalPort))
-	v4unspec := netaddr.MustParseIP("0.0.0.0")
-	v4unspec16 := v4unspec.As16()
-	copy(mapOp[20:], v4unspec16[:])
-	return pkt
-}
-
-type pcpResponse struct {
-	OpCode     uint8
-	ResultCode uint8
-	Lifetime   uint32
-	Epoch      uint32
-}
-
-func parsePCPResponse(b []byte) (res pcpResponse, ok bool) {
-	if len(b) < 24 || b[0] != pcpVersion {
-		return
-	}
-	res.OpCode = b[1]
-	res.ResultCode = b[3]
-	res.Lifetime = binary.BigEndian.Uint32(b[4:])
-	res.Epoch = binary.BigEndian.Uint32(b[8:])
-	return res, true
-}
-
-var pmpReqExternalAddrPacket = []byte{0, 0} // version 0, opcode 0 = "Public address request"
+var pmpReqExternalAddrPacket = []byte{pmpVersion, pmpOpMapPublicAddr} // 0, 0
 
 const (
 	upnpPort = 1900 // for UDP discovery only; TCP port discovered later

net/portmapper/portmapper_test.go

@@ -10,6 +10,9 @@ import (
 	"strconv"
 	"testing"
 	"time"
+
+	"inet.af/netaddr"
+	"tailscale.com/types/logger"
 )
 
 func TestCreateOrGetMapping(t *testing.T) {
@@ -55,3 +58,30 @@ func TestClientProbeThenMap(t *testing.T) {
 	ext, err := c.createOrGetMapping(context.Background())
 	t.Logf("createOrGetMapping: %v, %v", ext, err)
 }
+
+func TestProbeIntegration(t *testing.T) {
+	igd, err := NewTestIGD()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer igd.Close()
+
+	logf := t.Logf
+	var c *Client
+	c = NewClient(logger.WithPrefix(logf, "portmapper: "), func() {
+		logf("portmapping changed.")
+		logf("have mapping: %v", c.HaveMapping())
+	})
+
+	c.SetGatewayLookupFunc(func() (gw, self netaddr.IP, ok bool) {
+		return netaddr.IPv4(127, 0, 0, 1), netaddr.IPv4(1, 2, 3, 4), true
+	})
+
+	res, err := c.Probe(context.Background())
+	if err != nil {
+		t.Fatalf("Probe: %v", err)
+	}
+	t.Logf("Probe: %+v", res)
+	t.Logf("IGD stats: %+v", igd.stats())
+	// TODO(bradfitz): finish
+}

net/portmapper/upnp.go

@@ -2,7 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !ios
 // +build !ios
+
 // (https://github.com/tailscale/tailscale/issues/2495)
 
 package portmapper
@@ -152,7 +154,7 @@ func addAnyPortMapping(
 // The provided ctx is not retained in the returned upnpClient, but
 // its associated HTTP client is (if set via goupnp.WithHTTPClient).
 func getUPnPClient(ctx context.Context, logf logger.Logf, gw netaddr.IP, meta uPnPDiscoResponse) (client upnpClient, err error) {
-	if controlknobs.DisableUPnP() {
+	if controlknobs.DisableUPnP() || DisableUPnP {
 		return nil, nil
 	}
 
@@ -234,7 +236,7 @@ func (c *Client) getUPnPPortMapping(
 	internal netaddr.IPPort,
 	prevPort uint16,
 ) (external netaddr.IPPort, ok bool) {
-	if controlknobs.DisableUPnP() {
+	if controlknobs.DisableUPnP() || DisableUPnP {
 		return netaddr.IPPort{}, false
 	}
 	now := time.Now()

net/stun/stun_fuzzer.go

@@ -1,6 +1,7 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
+//go:build gofuzz
 // +build gofuzz
 
 package stun

net/tshttpproxy/tshttpproxy_future.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build tailscale_go
 // +build tailscale_go
 
 // We want to use https://github.com/golang/go/issues/41048 but it's only in the

net/tstun/ifstatus_noop.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package tstun

net/tstun/tap_unsupported.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !linux
 // +build !linux
 
 package tstun

net/tstun/tun_notwindows.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package tstun

paths/paths_unix.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package paths

portlist/netstat.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build (go1.16 && !ios) || (!go1.16 && !darwin) || (!go1.16 && !arm64)
 // +build go1.16,!ios !go1.16,!darwin !go1.16,!arm64
 
 package portlist

portlist/netstat_exec.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build (windows || freebsd || openbsd || (darwin && go1.16) || (darwin && !go1.16 && !arm64)) && !ios
 // +build windows freebsd openbsd darwin,go1.16 darwin,!go1.16,!arm64
 // +build !ios
 

portlist/portlist_ios.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build (go1.16 && ios) || (!go1.16 && darwin && !amd64)
 // +build go1.16,ios !go1.16,darwin,!amd64
 
 package portlist

portlist/portlist_macos.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build ((darwin && amd64 && !go1.16) || (darwin && go1.16)) && !ios
 // +build darwin,amd64,!go1.16 darwin,go1.16
 // +build !ios
 

portlist/portlist_other.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !linux && !windows && !darwin
 // +build !linux,!windows,!darwin
 
 package portlist

safesocket/unixsocket.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package safesocket

scripts/installer.sh

@@ -46,11 +46,11 @@ main() {
 				VERSION="$VERSION_CODENAME"
 				PACKAGETYPE="apt"
 				;;
-			centos)
+			centos|ol)
 				OS="$ID"
 				VERSION="$VERSION_ID"
 				PACKAGETYPE="dnf"
-				if [ "$VERSION" = "7" ]; then
+				if [ "$VERSION" =~ ^7 ]; then
 					PACKAGETYPE="yum"
 				fi
 				;;

syncs/locked.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build go1.13 && !go1.16
 // +build go1.13,!go1.16
 
 // This file makes assumptions about the inner workings of sync.Mutex and sync.RWMutex.

syncs/locked_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build go1.13 && !go1.16
 // +build go1.13,!go1.16
 
 package syncs

tailcfg/tailcfg.go

@@ -4,7 +4,7 @@
 
 package tailcfg
 
-//go:generate go run tailscale.com/cmd/cloner --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode --clonefunc=true --output=tailcfg_clone.go
+//go:generate go run tailscale.com/cmd/cloner --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode --clonefunc=true --output=tailcfg_clone.go
 
 import (
 	"encoding/hex"
@@ -16,6 +16,7 @@ import (
 
 	"go4.org/mem"
 	"inet.af/netaddr"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
@@ -832,38 +833,21 @@ var FilterAllowAll = []FilterRule{
 	},
 }
 
-// DNSResolver is the configuration for one DNS resolver.
-type DNSResolver struct {
-	// Addr is the address of the DNS resolver, one of:
-	//  - A plain IP address for a "classic" UDP+TCP DNS resolver
-	//  - [TODO] "tls://resolver.com" for DNS over TCP+TLS
-	//  - [TODO] "https://resolver.com/query-tmpl" for DNS over HTTPS
-	Addr string `json:",omitempty"`
-
-	// BootstrapResolution is an optional suggested resolution for the
-	// DoT/DoH resolver, if the resolver URL does not reference an IP
-	// address directly.
-	// BootstrapResolution may be empty, in which case clients should
-	// look up the DoT/DoH server using their local "classic" DNS
-	// resolver.
-	BootstrapResolution []netaddr.IP `json:",omitempty"`
-}
-
 // DNSConfig is the DNS configuration.
 type DNSConfig struct {
 	// Resolvers are the DNS resolvers to use, in order of preference.
-	Resolvers []DNSResolver `json:",omitempty"`
+	Resolvers []dnstype.Resolver `json:",omitempty"`
 	// Routes maps DNS name suffixes to a set of DNS resolvers to
 	// use. It is used to implement "split DNS" and other advanced DNS
 	// routing overlays.
 	// Map keys must be fully-qualified DNS name suffixes, with a
 	// trailing dot but no leading dot.
-	Routes map[string][]DNSResolver `json:",omitempty"`
+	Routes map[string][]dnstype.Resolver `json:",omitempty"`
 	// FallbackResolvers is like Resolvers, but is only used if a
 	// split DNS configuration is requested in a configuration that
 	// doesn't work yet without explicit default resolvers.
 	// https://github.com/tailscale/tailscale/issues/1743
-	FallbackResolvers []DNSResolver `json:",omitempty"`
+	FallbackResolvers []dnstype.Resolver `json:",omitempty"`
 	// Domains are the search domains to use.
 	// Search domains must be FQDNs, but *without* the trailing dot.
 	Domains []string `json:",omitempty"`

tailcfg/tailcfg_clone.go

@@ -2,12 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Code generated by tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode; DO NOT EDIT.
+// Code generated by tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode; DO NOT EDIT.
 
 package tailcfg
 
 import (
 	"inet.af/netaddr"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
 	"time"
@@ -26,7 +27,7 @@ func (src *User) Clone() *User {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _UserNeedsRegeneration = User(struct {
 	ID            UserID
 	LoginName     string
@@ -63,7 +64,7 @@ func (src *Node) Clone() *Node {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _NodeNeedsRegeneration = Node(struct {
 	ID                      NodeID
 	StableID                StableNodeID
@@ -107,7 +108,7 @@ func (src *Hostinfo) Clone() *Hostinfo {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _HostinfoNeedsRegeneration = Hostinfo(struct {
 	IPNVersion    string
 	FrontendLogID string
@@ -144,7 +145,7 @@ func (src *NetInfo) Clone() *NetInfo {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _NetInfoNeedsRegeneration = NetInfo(struct {
 	MappingVariesByDestIP opt.Bool
 	HairPinning           opt.Bool
@@ -171,7 +172,7 @@ func (src *Login) Clone() *Login {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _LoginNeedsRegeneration = Login(struct {
 	_             structs.Incomparable
 	ID            LoginID
@@ -190,17 +191,17 @@ func (src *DNSConfig) Clone() *DNSConfig {
 	}
 	dst := new(DNSConfig)
 	*dst = *src
-	dst.Resolvers = make([]DNSResolver, len(src.Resolvers))
+	dst.Resolvers = make([]dnstype.Resolver, len(src.Resolvers))
 	for i := range dst.Resolvers {
 		dst.Resolvers[i] = *src.Resolvers[i].Clone()
 	}
 	if dst.Routes != nil {
-		dst.Routes = map[string][]DNSResolver{}
+		dst.Routes = map[string][]dnstype.Resolver{}
 		for k := range src.Routes {
-			dst.Routes[k] = append([]DNSResolver{}, src.Routes[k]...)
+			dst.Routes[k] = append([]dnstype.Resolver{}, src.Routes[k]...)
 		}
 	}
-	dst.FallbackResolvers = make([]DNSResolver, len(src.FallbackResolvers))
+	dst.FallbackResolvers = make([]dnstype.Resolver, len(src.FallbackResolvers))
 	for i := range dst.FallbackResolvers {
 		dst.FallbackResolvers[i] = *src.FallbackResolvers[i].Clone()
 	}
@@ -212,11 +213,11 @@ func (src *DNSConfig) Clone() *DNSConfig {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _DNSConfigNeedsRegeneration = DNSConfig(struct {
-	Resolvers         []DNSResolver
-	Routes            map[string][]DNSResolver
-	FallbackResolvers []DNSResolver
+	Resolvers         []dnstype.Resolver
+	Routes            map[string][]dnstype.Resolver
+	FallbackResolvers []dnstype.Resolver
 	Domains           []string
 	Proxied           bool
 	Nameservers       []netaddr.IP
@@ -225,25 +226,6 @@ var _DNSConfigNeedsRegeneration = DNSConfig(struct {
 	ExtraRecords      []DNSRecord
 }{})
 
-// Clone makes a deep copy of DNSResolver.
-// The result aliases no memory with the original.
-func (src *DNSResolver) Clone() *DNSResolver {
-	if src == nil {
-		return nil
-	}
-	dst := new(DNSResolver)
-	*dst = *src
-	dst.BootstrapResolution = append(src.BootstrapResolution[:0:0], src.BootstrapResolution...)
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
-var _DNSResolverNeedsRegeneration = DNSResolver(struct {
-	Addr                string
-	BootstrapResolution []netaddr.IP
-}{})
-
 // Clone makes a deep copy of RegisterResponse.
 // The result aliases no memory with the original.
 func (src *RegisterResponse) Clone() *RegisterResponse {
@@ -257,7 +239,7 @@ func (src *RegisterResponse) Clone() *RegisterResponse {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _RegisterResponseNeedsRegeneration = RegisterResponse(struct {
 	User              User
 	Login             Login
@@ -282,7 +264,7 @@ func (src *DERPRegion) Clone() *DERPRegion {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _DERPRegionNeedsRegeneration = DERPRegion(struct {
 	RegionID   int
 	RegionCode string
@@ -309,7 +291,7 @@ func (src *DERPMap) Clone() *DERPMap {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _DERPMapNeedsRegeneration = DERPMap(struct {
 	Regions            map[int]*DERPRegion
 	OmitDefaultRegions bool
@@ -327,7 +309,7 @@ func (src *DERPNode) Clone() *DERPNode {
 }
 
 // A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode
+//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
 var _DERPNodeNeedsRegeneration = DERPNode(struct {
 	Name             string
 	RegionID         int
@@ -344,7 +326,7 @@ var _DERPNodeNeedsRegeneration = DERPNode(struct {
 
 // Clone duplicates src into dst and reports whether it succeeded.
 // To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
-// where T is one of User,Node,Hostinfo,NetInfo,Login,DNSConfig,DNSResolver,RegisterResponse,DERPRegion,DERPMap,DERPNode.
+// where T is one of User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode.
 func Clone(dst, src interface{}) bool {
 	switch src := src.(type) {
 	case *User:
@@ -401,15 +383,6 @@ func Clone(dst, src interface{}) bool {
 			*dst = src.Clone()
 			return true
 		}
-	case *DNSResolver:
-		switch dst := dst.(type) {
-		case *DNSResolver:
-			*dst = *src.Clone()
-			return true
-		case **DNSResolver:
-			*dst = src.Clone()
-			return true
-		}
 	case *RegisterResponse:
 		switch dst := dst.(type) {
 		case *RegisterResponse:

tempfork/wireguard-windows/firewall/blocker.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 /* SPDX-License-Identifier: MIT

tempfork/wireguard-windows/firewall/helpers.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 /* SPDX-License-Identifier: MIT

tempfork/wireguard-windows/firewall/rules.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 /* SPDX-License-Identifier: MIT

tempfork/wireguard-windows/firewall/types_windows.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 /* SPDX-License-Identifier: MIT

tempfork/wireguard-windows/firewall/types_windows_32.go

@@ -1,3 +1,4 @@
+//go:build (windows && 386) || (windows && arm)
 // +build windows,386 windows,arm
 
 /* SPDX-License-Identifier: MIT

tempfork/wireguard-windows/firewall/types_windows_64.go

@@ -1,3 +1,4 @@
+//go:build (windows && amd64) || (windows && arm64)
 // +build windows,amd64 windows,arm64
 
 /* SPDX-License-Identifier: MIT

tempfork/wireguard-windows/firewall/types_windows_test.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 /* SPDX-License-Identifier: MIT

tstest/integration/gen_deps.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build ignore
 // +build ignore
 
 package main

tstest/integration/vms/derive_bindhost_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/distros_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/harness_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/nixos_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/opensuse_leap_15_1_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/top_level_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/udp_tester.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build ignore
 // +build ignore
 
 // Command udp_tester exists because all of these distros being tested don't

tstest/integration/vms/vm_setup_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/vms_steps_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

tstest/integration/vms/vms_test.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package vms

types/dnstype/dnstype.go

@@ -0,0 +1,27 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package dnstype defines types for working with DNS.
+package dnstype
+
+//go:generate go run tailscale.com/cmd/cloner --type=Resolver --clonefunc=true --output=dnstype_clone.go
+
+import "inet.af/netaddr"
+
+// Resolver is the configuration for one DNS resolver.
+type Resolver struct {
+	// Addr is the address of the DNS resolver, one of:
+	//  - A plain IP address for a "classic" UDP+TCP DNS resolver
+	//  - [TODO] "tls://resolver.com" for DNS over TCP+TLS
+	//  - [TODO] "https://resolver.com/query-tmpl" for DNS over HTTPS
+	Addr string `json:",omitempty"`
+
+	// BootstrapResolution is an optional suggested resolution for the
+	// DoT/DoH resolver, if the resolver URL does not reference an IP
+	// address directly.
+	// BootstrapResolution may be empty, in which case clients should
+	// look up the DoT/DoH server using their local "classic" DNS
+	// resolver.
+	BootstrapResolution []netaddr.IP `json:",omitempty"`
+}

types/dnstype/dnstype_clone.go

@@ -0,0 +1,48 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner -type Resolver; DO NOT EDIT.
+
+package dnstype
+
+import (
+	"inet.af/netaddr"
+)
+
+// Clone makes a deep copy of Resolver.
+// The result aliases no memory with the original.
+func (src *Resolver) Clone() *Resolver {
+	if src == nil {
+		return nil
+	}
+	dst := new(Resolver)
+	*dst = *src
+	dst.BootstrapResolution = append(src.BootstrapResolution[:0:0], src.BootstrapResolution...)
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with command:
+//   tailscale.com/cmd/cloner -type Resolver
+var _ResolverNeedsRegeneration = Resolver(struct {
+	Addr                string
+	BootstrapResolution []netaddr.IP
+}{})
+
+// Clone duplicates src into dst and reports whether it succeeded.
+// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
+// where T is one of Resolver.
+func Clone(dst, src interface{}) bool {
+	switch src := src.(type) {
+	case *Resolver:
+		switch dst := dst.(type) {
+		case *Resolver:
+			*dst = *src.Clone()
+			return true
+		case **Resolver:
+			*dst = src.Clone()
+			return true
+		}
+	}
+	return false
+}

types/logger/rusage_nowindows.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package logger

util/deephash/deephash_test.go

@@ -15,6 +15,7 @@ import (
 
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
@@ -189,7 +190,7 @@ func getVal() []interface{} {
 				},
 			},
 			DNSConfig: &tailcfg.DNSConfig{
-				Resolvers: []tailcfg.DNSResolver{
+				Resolvers: []dnstype.Resolver{
 					{Addr: "10.0.0.1"},
 				},
 			},

util/deephash/mapiter.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !tailscale_go
 // +build !tailscale_go
 
 package deephash

util/deephash/mapiter_future.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build tailscale_go
 // +build tailscale_go
 
 package deephash

util/endian/big.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build mips || mips64 || ppc64 || s390x
 // +build mips mips64 ppc64 s390x
 
 package endian

util/endian/little.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build 386 || amd64 || arm || arm64 || mips64le || mipsle || ppc64le || riscv64 || wasm
 // +build 386 amd64 arm arm64 mips64le mipsle ppc64le riscv64 wasm
 
 package endian

util/groupmember/groupmember_cgo.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build cgo
 // +build cgo
 
 package groupmember

util/groupmember/groupmember_noimpl.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !cgo && !linux && !darwin
 // +build !cgo,!linux,!darwin
 
 package groupmember

util/groupmember/groupmember_notcgo.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !cgo && (linux || darwin)
 // +build !cgo
 // +build linux darwin
 

util/osshare/filesharingstatus_noop.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows
 // +build !windows
 
 package osshare

util/osshare/filesharingstatus_windows.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build windows
 // +build windows
 
 package osshare

util/pidowner/pidowner_noimpl.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !windows && !linux
 // +build !windows,!linux
 
 package pidowner

util/racebuild/off.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !race
 // +build !race
 
 package racebuild

util/racebuild/on.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build race
 // +build race
 
 package racebuild

util/systemd/systemd_linux.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 package systemd

util/systemd/systemd_nonlinux.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !linux
 // +build !linux
 
 package systemd

util/winutil/winutil.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build windows
 // +build windows
 
 // Package winuntil contains misc Windows/win32 helper functions.