tailcfg: add Clone methods to Login and DNSConfig

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>

.github/workflows/depaware.yml

@@ -1,28 +0,0 @@
-name: depaware
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v1
-      with:
-        go-version: 1.15
-
-    - name: Check out code
-      uses: actions/checkout@v1
-
-    - name: depaware tailscaled
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
-
-    - name: depaware tailscale
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale

Makefile

@@ -4,15 +4,7 @@ usage:
 vet:
 	go vet ./...
 
-updatedeps:
-	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
-	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
-
-depaware:
-	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
-	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
-
-check: staticcheck vet depaware
+check: staticcheck vet
 
 staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)

cmd/cloner/cloner.go

@@ -86,8 +86,8 @@ func main() {
 					}
 					pkg := typeNameObj.Pkg()
 					gen(buf, imports, typeName, typ, pkg)
-					found = true
 				}
+				found = true
 			}
 		}
 		if !found {
@@ -95,29 +95,6 @@ func main() {
 		}
 	}
 
-	w := func(format string, args ...interface{}) {
-		fmt.Fprintf(buf, format+"\n", args...)
-	}
-	w("// Clone duplicates src into dst and reports whether it succeeded.")
-	w("// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,")
-	w("// where T is one of %s.", *flagTypes)
-	w("func Clone(dst, src interface{}) bool {")
-	w("	switch src := src.(type) {")
-	for _, typeName := range typeNames {
-		w("	case *%s:", typeName)
-		w("		switch dst := dst.(type) {")
-		w("		case *%s:", typeName)
-		w("			*dst = *src.Clone()")
-		w("			return true")
-		w("		case **%s:", typeName)
-		w("			*dst = src.Clone()")
-		w("			return true")
-		w("		}")
-	}
-	w("	}")
-	w("	return false")
-	w("}")
-
 	contents := new(bytes.Buffer)
 	fmt.Fprintf(contents, header, *flagTypes, pkg.Name)
 	fmt.Fprintf(contents, "import (\n")
@@ -166,19 +143,7 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 
 	switch t := typ.Underlying().(type) {
 	case *types.Struct:
-		// We generate two bits of code simultaneously while we walk the struct.
-		// One is the Clone method itself, which we write directly to buf.
-		// The other is a variable assignment that will fail if the struct
-		// changes without the Clone method getting regenerated.
-		// We write that to regenBuf, and then append it to buf at the end.
-		regenBuf := new(bytes.Buffer)
-		writeRegen := func(format string, args ...interface{}) {
-			fmt.Fprintf(regenBuf, format+"\n", args...)
-		}
-		writeRegen("// A compilation failure here means this code must be regenerated, with command:")
-		writeRegen("//   tailscale.com/cmd/cloner -type %s", *flagTypes)
-		writeRegen("var _%sNeedsRegeneration = %s(struct {", name, name)
-
+		_ = t
 		name := typ.Obj().Name()
 		fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 		fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
@@ -194,9 +159,6 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 		for i := 0; i < t.NumFields(); i++ {
 			fname := t.Field(i).Name()
 			ft := t.Field(i).Type()
-
-			writeRegen("\t%s %s", fname, importedName(ft))
-
 			if !containsPointers(ft) {
 				continue
 			}
@@ -258,10 +220,6 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 		}
 		writef("return dst")
 		fmt.Fprintf(buf, "}\n\n")
-
-		writeRegen("}{})\n")
-
-		buf.Write(regenBuf.Bytes())
 	}
 }
 

cmd/derper/derper.go

@@ -13,7 +13,6 @@ import (
 	"expvar"
 	"flag"
 	"fmt"
-	"html"
 	"io"
 	"io/ioutil"
 	"log"
@@ -230,10 +229,10 @@ func debugHandler(s *derp.Server) http.Handler {
 <h1>DERP debug</h1>
 <ul>
 `)
-		f("<li><b>Hostname:</b> %v</li>\n", html.EscapeString(*hostname))
+		f("<li><b>Hostname:</b> %v</li>\n", *hostname)
 		f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
 		f("<li><b>Mesh Key:</b> %v</li>\n", s.HasMeshKey())
-		f("<li><b>Version:</b> %v</li>\n", html.EscapeString(version.LONG))
+		f("<li><b>Version:</b> %v</li>\n", version.LONG)
 
 		f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
    <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>

cmd/microproxy/microproxy.go

@@ -34,7 +34,6 @@ var (
 	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
 	nodeExporter  = flag.String("node-exporter", "http://localhost:9100", "URL of the local prometheus node exporter")
 	goVarsURL     = flag.String("go-vars-url", "http://localhost:8383/debug/vars", "URL of a local Go server's /debug/vars endpoint")
-	insecure      = flag.Bool("insecure", false, "serve over http, for development")
 )
 
 func main() {
@@ -67,15 +66,12 @@ func main() {
 	httpsrv := &http.Server{
 		Addr:    *addr,
 		Handler: mux,
+		TLSConfig: &tls.Config{
+			GetCertificate: ch.GetCertificate,
+		},
 	}
 
-	if !*insecure {
-		httpsrv.TLSConfig = &tls.Config{GetCertificate: ch.GetCertificate}
-		err = httpsrv.ListenAndServeTLS("", "")
-	} else {
-		err = httpsrv.ListenAndServe()
-	}
-	if err != nil && err != http.ErrServerClosed {
+	if err := httpsrv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
 		log.Fatal(err)
 	}
 }

cmd/tailscale/cli/up.go

@@ -7,7 +7,6 @@ package cli
 import (
 	"bytes"
 	"context"
-	"errors"
 	"flag"
 	"fmt"
 	"log"
@@ -24,7 +23,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/router"
 )
 
@@ -65,21 +63,14 @@ specify any flags, options are reset to their default.
 			upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. 10.0.0.0/8,192.168.0.0/24)")
 		}
 		if runtime.GOOS == "linux" {
-			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with --advertise-routes")
-			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", defaultNetfilterMode(), "netfilter mode (one of on, nodivert, off)")
+			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with -advertise-routes")
+			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", "on", "netfilter mode (one of on, nodivert, off)")
 		}
 		return upf
 	})(),
 	Exec: runUp,
 }
 
-func defaultNetfilterMode() string {
-	if distro.Get() == distro.Synology {
-		return "off"
-	}
-	return "on"
-}
-
 var upArgs struct {
 	server          string
 	acceptRoutes    bool
@@ -160,19 +151,6 @@ func runUp(ctx context.Context, args []string) error {
 		log.Fatalf("too many non-flag arguments: %q", args)
 	}
 
-	if distro.Get() == distro.Synology {
-		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
-		if upArgs.advertiseRoutes != "" {
-			return errors.New("--advertise-routes is " + notSupported)
-		}
-		if upArgs.acceptRoutes {
-			return errors.New("--accept-routes is " + notSupported)
-		}
-		if upArgs.netfilterMode != "off" {
-			return errors.New("--netfilter-mode values besides \"off\" " + notSupported)
-		}
-	}
-
 	var routes []wgcfg.CIDR
 	if upArgs.advertiseRoutes != "" {
 		advroutes := strings.Split(upArgs.advertiseRoutes, ",")

cmd/tailscale/depaware.txt

@@ -1,219 +0,0 @@
-tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
-
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
-   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/apenwarr/fixconsole                               from tailscale.com/cmd/tailscale
-   W 💣 github.com/apenwarr/w32                                      from github.com/apenwarr/fixconsole
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
-   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
-   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
-   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
-        github.com/golang/groupcache/lru                             from tailscale.com/wgengine/filter+
-   L    github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
-   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
-        github.com/peterbourgon/ff/v2/ffcli                          from tailscale.com/cmd/tailscale/cli
-   W 💣 github.com/tailscale/winipcfg-go                             from tailscale.com/net/interfaces+
-     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
-     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
-        github.com/tailscale/wireguard-go/device/tokenbucket         from github.com/tailscale/wireguard-go/device
-     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
-   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
-        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
-        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
-     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/iphlpapi        from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/namespaceapi    from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/nci             from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/registry        from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/setupapi        from github.com/tailscale/wireguard-go/tun/wintun
-        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/conn+
-        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
-        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
-        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
-        rsc.io/goversion/version                                     from tailscale.com/version
-        tailscale.com/atomicfile                                     from tailscale.com/ipn+
-        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
-        tailscale.com/control/controlclient                          from tailscale.com/ipn+
-        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
-        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscale/cli
-        tailscale.com/disco                                          from tailscale.com/derp+
-        tailscale.com/internal/deepprint                             from tailscale.com/ipn+
-        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/ipn/policy                                     from tailscale.com/ipn
-        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
-        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient
-        tailscale.com/metrics                                        from tailscale.com/derp
-        tailscale.com/net/dnscache                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli+
-     💣 tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
-        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
-        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
-        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli
-        tailscale.com/portlist                                       from tailscale.com/ipn
-        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
-        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
-  DW    tailscale.com/tempfork/osexec                                from tailscale.com/portlist
-   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
-        tailscale.com/types/key                                      from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
-        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
-        tailscale.com/types/strbuilder                               from tailscale.com/wgengine/packet
-        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
-        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/wgengine                                       from tailscale.com/ipn
-        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine
-     💣 tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/wgengine/packet                                from tailscale.com/wgengine+
-        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscale/cli+
-     💣 tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
-        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
-        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
-   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from github.com/tailscale/wireguard-go/device+
-        golang.org/x/crypto/curve25519                               from github.com/tailscale/wireguard-go/wgcfg+
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
-        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
-        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
-        golang.org/x/net/context/ctxhttp                             from golang.org/x/oauth2/internal
-        golang.org/x/net/dns/dnsmessage                              from tailscale.com/wgengine/tsdns
-        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
-        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
-        golang.org/x/net/proxy                                       from tailscale.com/net/netns
-        golang.org/x/oauth2                                          from tailscale.com/control/controlclient+
-        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2
-        golang.org/x/sync/errgroup                                   from tailscale.com/derp
-        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
-   W    golang.org/x/sys/windows/registry                            from github.com/tailscale/wireguard-go/tun/wintun+
-   W    golang.org/x/text/transform                                  from golang.org/x/text/unicode/norm
-   W    golang.org/x/text/unicode/norm                               from github.com/tailscale/wireguard-go/tun/wintun
-        golang.org/x/time/rate                                       from tailscale.com/types/logger+
-        vendor/golang.org/x/crypto/chacha20                          from vendor/golang.org/x/crypto/chacha20poly1305
-        vendor/golang.org/x/crypto/chacha20poly1305                  from crypto/tls
-        vendor/golang.org/x/crypto/cryptobyte                        from crypto/ecdsa+
-        vendor/golang.org/x/crypto/cryptobyte/asn1                   from crypto/ecdsa+
-        vendor/golang.org/x/crypto/curve25519                        from crypto/tls
-        vendor/golang.org/x/crypto/hkdf                              from crypto/tls
-        vendor/golang.org/x/crypto/poly1305                          from vendor/golang.org/x/crypto/chacha20poly1305
-        vendor/golang.org/x/net/dns/dnsmessage                       from net
-        vendor/golang.org/x/net/http/httpguts                        from net/http
-        vendor/golang.org/x/net/http/httpproxy                       from net/http
-        vendor/golang.org/x/net/http2/hpack                          from net/http
-        vendor/golang.org/x/net/idna                                 from net/http+
-   D    vendor/golang.org/x/net/route                                from net
-        vendor/golang.org/x/sys/cpu                                  from vendor/golang.org/x/crypto/chacha20poly1305
-        vendor/golang.org/x/text/secure/bidirule                     from vendor/golang.org/x/net/idna
-        vendor/golang.org/x/text/transform                           from vendor/golang.org/x/text/secure/bidirule+
-        vendor/golang.org/x/text/unicode/bidi                        from vendor/golang.org/x/net/idna+
-        vendor/golang.org/x/text/unicode/norm                        from vendor/golang.org/x/net/idna
-        bufio                                                        from compress/flate+
-        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from net/http+
-        compress/zlib                                                from debug/elf+
-        container/list                                               from crypto/tls+
-        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdsa+
-        crypto/aes                                                   from crypto/ecdsa+
-        crypto/cipher                                                from crypto/aes+
-        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
-        crypto/ecdsa                                                 from crypto/tls+
-        crypto/ed25519                                               from crypto/tls+
-        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/md5                                                   from crypto/tls+
-        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
-        crypto/rsa                                                   from crypto/tls+
-        crypto/sha1                                                  from crypto/tls+
-        crypto/sha256                                                from crypto/tls+
-        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
-        crypto/x509                                                  from crypto/tls+
-        crypto/x509/pkix                                             from crypto/x509+
-        debug/dwarf                                                  from debug/elf+
-        debug/elf                                                    from rsc.io/goversion/version
-        debug/macho                                                  from rsc.io/goversion/version
-        debug/pe                                                     from rsc.io/goversion/version
-        encoding                                                     from encoding/json+
-        encoding/asn1                                                from crypto/x509+
-        encoding/base64                                              from encoding/json+
-        encoding/binary                                              from compress/gzip+
-        encoding/hex                                                 from crypto/x509+
-        encoding/json                                                from expvar+
-        encoding/pem                                                 from crypto/tls+
-        errors                                                       from bufio+
-        expvar                                                       from tailscale.com/derp+
-        flag                                                         from github.com/peterbourgon/ff/v2+
-        fmt                                                          from compress/flate+
-        hash                                                         from compress/zlib+
-        hash/adler32                                                 from compress/zlib
-        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from tailscale.com/wgengine/magicsock
-        html                                                         from tailscale.com/ipn/ipnstate
-        io                                                           from bufio+
-        io/ioutil                                                    from crypto/tls+
-        log                                                          from expvar+
-        math                                                         from compress/flate+
-        math/big                                                     from crypto/dsa+
-        math/bits                                                    from compress/flate+
-        math/rand                                                    from github.com/mdlayher/netlink+
-        mime                                                         from golang.org/x/oauth2/internal+
-        mime/multipart                                               from net/http
-        mime/quotedprintable                                         from mime/multipart
-        net                                                          from crypto/tls+
-        net/http                                                     from expvar+
-        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/internal                                            from net/http
-        net/textproto                                                from mime/multipart+
-        net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
-        os/exec                                                      from github.com/coreos/go-iptables/iptables+
-        os/signal                                                    from tailscale.com/cmd/tailscale/cli
-   L    os/user                                                      from github.com/godbus/dbus/v5
-        path                                                         from debug/dwarf+
-        path/filepath                                                from crypto/x509+
-        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/coreos/go-iptables/iptables+
-        regexp/syntax                                                from regexp
-  LD    runtime/cgo                                                  
-        runtime/pprof                                                from tailscale.com/log/logheap+
-        sort                                                         from compress/flate+
-        strconv                                                      from compress/flate+
-        strings                                                      from bufio+
-        sync                                                         from compress/flate+
-        sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
-        text/tabwriter                                               from github.com/peterbourgon/ff/v2/ffcli+
-        time                                                         from compress/gzip+
-        unicode                                                      from bytes+
-        unicode/utf16                                                from encoding/asn1+
-        unicode/utf8                                                 from bufio+
-        unsafe                                                       from crypto/internal/subtle+

cmd/tailscaled/depaware.txt

@@ -1,234 +0,0 @@
-tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)
-
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
-   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/apenwarr/fixconsole                               from tailscale.com/cmd/tailscaled
-   W 💣 github.com/apenwarr/w32                                      from github.com/apenwarr/fixconsole
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
-   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
-   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
-   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
-        github.com/golang/groupcache/lru                             from tailscale.com/wgengine/filter+
-   L    github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
-   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
-        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
-        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-        github.com/pborman/getopt/v2                                 from tailscale.com/cmd/tailscaled
-   W 💣 github.com/tailscale/winipcfg-go                             from tailscale.com/net/interfaces+
-     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
-     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
-        github.com/tailscale/wireguard-go/device/tokenbucket         from github.com/tailscale/wireguard-go/device
-     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
-   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
-        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
-        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
-     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/iphlpapi        from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/namespaceapi    from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/nci             from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/registry        from github.com/tailscale/wireguard-go/tun/wintun
-   W 💣 github.com/tailscale/wireguard-go/tun/wintun/setupapi        from github.com/tailscale/wireguard-go/tun/wintun
-        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/conn+
-        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
-     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
-        inet.af/netaddr                                              from tailscale.com/control/controlclient+
-        rsc.io/goversion/version                                     from tailscale.com/version
-        tailscale.com/atomicfile                                     from tailscale.com/ipn+
-        tailscale.com/control/controlclient                          from tailscale.com/ipn+
-        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
-        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
-        tailscale.com/disco                                          from tailscale.com/derp+
-        tailscale.com/internal/deepprint                             from tailscale.com/ipn+
-        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver
-        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/ipn+
-        tailscale.com/ipn/policy                                     from tailscale.com/ipn
-        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
-        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled
-        tailscale.com/logtail                                        from tailscale.com/logpolicy
-        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
-        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
-        tailscale.com/metrics                                        from tailscale.com/derp
-        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
-        tailscale.com/net/interfaces                                 from tailscale.com/ipn+
-        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
-     💣 tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
-     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
-        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
-        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
-        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
-        tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
-        tailscale.com/portlist                                       from tailscale.com/ipn
-        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver
-        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
-        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
-  DW    tailscale.com/tempfork/osexec                                from tailscale.com/portlist
-   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
-        tailscale.com/types/key                                      from tailscale.com/derp+
-        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscaled+
-        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
-        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
-        tailscale.com/types/strbuilder                               from tailscale.com/wgengine/packet
-        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
-        tailscale.com/version                                        from tailscale.com/control/controlclient+
-        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
-        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
-        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/magicsock                             from tailscale.com/cmd/tailscaled+
-     💣 tailscale.com/wgengine/monitor                               from tailscale.com/wgengine
-        tailscale.com/wgengine/packet                                from tailscale.com/wgengine+
-        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
-     💣 tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
-        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
-        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
-   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from github.com/tailscale/wireguard-go/device+
-        golang.org/x/crypto/curve25519                               from github.com/tailscale/wireguard-go/wgcfg+
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
-        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
-        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/ssh/terminal                             from tailscale.com/logpolicy
-        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
-        golang.org/x/net/context/ctxhttp                             from golang.org/x/oauth2/internal
-        golang.org/x/net/dns/dnsmessage                              from tailscale.com/wgengine/tsdns
-        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
-        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
-        golang.org/x/net/proxy                                       from tailscale.com/net/netns
-        golang.org/x/oauth2                                          from tailscale.com/control/controlclient+
-        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2
-        golang.org/x/sync/errgroup                                   from tailscale.com/derp
-        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
-   W    golang.org/x/sys/windows/registry                            from github.com/tailscale/wireguard-go/tun/wintun+
-   W    golang.org/x/text/transform                                  from golang.org/x/text/unicode/norm
-   W    golang.org/x/text/unicode/norm                               from github.com/tailscale/wireguard-go/tun/wintun
-        golang.org/x/time/rate                                       from tailscale.com/types/logger+
-        vendor/golang.org/x/crypto/chacha20                          from vendor/golang.org/x/crypto/chacha20poly1305
-        vendor/golang.org/x/crypto/chacha20poly1305                  from crypto/tls
-        vendor/golang.org/x/crypto/cryptobyte                        from crypto/ecdsa+
-        vendor/golang.org/x/crypto/cryptobyte/asn1                   from crypto/ecdsa+
-        vendor/golang.org/x/crypto/curve25519                        from crypto/tls
-        vendor/golang.org/x/crypto/hkdf                              from crypto/tls
-        vendor/golang.org/x/crypto/poly1305                          from vendor/golang.org/x/crypto/chacha20poly1305
-        vendor/golang.org/x/net/dns/dnsmessage                       from net
-        vendor/golang.org/x/net/http/httpguts                        from net/http
-        vendor/golang.org/x/net/http/httpproxy                       from net/http
-        vendor/golang.org/x/net/http2/hpack                          from net/http
-        vendor/golang.org/x/net/idna                                 from net/http+
-   D    vendor/golang.org/x/net/route                                from net
-        vendor/golang.org/x/sys/cpu                                  from vendor/golang.org/x/crypto/chacha20poly1305
-        vendor/golang.org/x/text/secure/bidirule                     from vendor/golang.org/x/net/idna
-        vendor/golang.org/x/text/transform                           from vendor/golang.org/x/text/secure/bidirule+
-        vendor/golang.org/x/text/unicode/bidi                        from vendor/golang.org/x/net/idna+
-        vendor/golang.org/x/text/unicode/norm                        from vendor/golang.org/x/net/idna
-        bufio                                                        from compress/flate+
-        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from internal/profile+
-        compress/zlib                                                from debug/elf+
-        container/list                                               from crypto/tls+
-        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdsa+
-        crypto/aes                                                   from crypto/ecdsa+
-        crypto/cipher                                                from crypto/aes+
-        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
-        crypto/ecdsa                                                 from crypto/tls+
-        crypto/ed25519                                               from crypto/tls+
-        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/md5                                                   from crypto/tls+
-        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
-        crypto/rsa                                                   from crypto/tls+
-        crypto/sha1                                                  from crypto/tls+
-        crypto/sha256                                                from crypto/tls+
-        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
-        crypto/x509                                                  from crypto/tls+
-        crypto/x509/pkix                                             from crypto/x509+
-        debug/dwarf                                                  from debug/elf+
-        debug/elf                                                    from rsc.io/goversion/version
-        debug/macho                                                  from rsc.io/goversion/version
-        debug/pe                                                     from rsc.io/goversion/version
-        encoding                                                     from encoding/json+
-        encoding/asn1                                                from crypto/x509+
-        encoding/base64                                              from encoding/json+
-        encoding/binary                                              from compress/gzip+
-        encoding/hex                                                 from crypto/x509+
-        encoding/json                                                from expvar+
-        encoding/pem                                                 from crypto/tls+
-        errors                                                       from bufio+
-        expvar                                                       from tailscale.com/derp+
-   L    flag                                                         from tailscale.com/net/netns
-        fmt                                                          from compress/flate+
-        hash                                                         from compress/zlib+
-        hash/adler32                                                 from compress/zlib
-        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from tailscale.com/wgengine/magicsock
-        html                                                         from html/template+
-        html/template                                                from net/http/pprof
-        io                                                           from bufio+
-        io/ioutil                                                    from crypto/tls+
-        log                                                          from expvar+
-        math                                                         from compress/flate+
-        math/big                                                     from crypto/dsa+
-        math/bits                                                    from compress/flate+
-        math/rand                                                    from github.com/mdlayher/netlink+
-        mime                                                         from golang.org/x/oauth2/internal+
-        mime/multipart                                               from net/http
-        mime/quotedprintable                                         from mime/multipart
-        net                                                          from crypto/tls+
-        net/http                                                     from expvar+
-        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/cmd/tailscaled
-        net/textproto                                                from mime/multipart+
-        net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
-        os/exec                                                      from github.com/coreos/go-iptables/iptables+
-        os/signal                                                    from tailscale.com/cmd/tailscaled+
-        os/user                                                      from github.com/godbus/dbus/v5+
-        path                                                         from debug/dwarf+
-        path/filepath                                                from crypto/x509+
-        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/coreos/go-iptables/iptables+
-        regexp/syntax                                                from regexp
-  LD    runtime/cgo                                                  
-        runtime/debug                                                from github.com/klauspost/compress/zstd+
-        runtime/pprof                                                from net/http/pprof+
-        runtime/trace                                                from net/http/pprof
-        sort                                                         from compress/flate+
-        strconv                                                      from compress/flate+
-        strings                                                      from bufio+
-        sync                                                         from compress/flate+
-        sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
-        text/tabwriter                                               from runtime/pprof
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
-        time                                                         from compress/gzip+
-        unicode                                                      from bytes+
-        unicode/utf16                                                from encoding/asn1+
-        unicode/utf8                                                 from bufio+
-        unsafe                                                       from crypto/internal/subtle+

control/controlclient/direct.go

@@ -717,8 +717,6 @@ func decode(res *http.Response, v interface{}, serverKey *wgcfg.Key, mkey *wgcfg
 	return decodeMsg(msg, v, serverKey, mkey)
 }
 
-var dumpMapResponse, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_MAPRESPONSE"))
-
 func (c *Direct) decodeMsg(msg []byte, v interface{}) error {
 	c.mu.Lock()
 	mkey := c.persist.PrivateMachineKey
@@ -743,11 +741,6 @@ func (c *Direct) decodeMsg(msg []byte, v interface{}) error {
 			return err
 		}
 	}
-	if dumpMapResponse {
-		var buf bytes.Buffer
-		json.Indent(&buf, b, "", "    ")
-		log.Printf("MapResponse: %s", buf.Bytes())
-	}
 	if err := json.Unmarshal(b, v); err != nil {
 		return fmt.Errorf("response: %v", err)
 	}

control/controlclient/hostinfo_linux.go

@@ -16,7 +16,6 @@ import (
 
 	"go4.org/mem"
 	"tailscale.com/util/lineread"
-	"tailscale.com/version/distro"
 )
 
 func init() {
@@ -24,14 +23,8 @@ func init() {
 }
 
 func osVersionLinux() string {
-	dist := distro.Get()
-	propFile := "/etc/os-release"
-	if dist == distro.Synology {
-		propFile = "/etc.defaults/VERSION"
-	}
-
 	m := map[string]string{}
-	lineread.File(propFile, func(line []byte) error {
+	lineread.File("/etc/os-release", func(line []byte) error {
 		eq := bytes.IndexByte(line, '=')
 		if eq == -1 {
 			return nil
@@ -78,9 +71,6 @@ func osVersionLinux() string {
 			return fmt.Sprintf("%s%s", v, attr)
 		}
 	}
-	if dist == distro.Synology {
-		return fmt.Sprintf("Synology %s%s", m["productversion"], attr)
-	}
 	return fmt.Sprintf("Other%s", attr)
 }
 

control/controlclient/hostinfo_windows.go

@@ -21,10 +21,6 @@ func osVersionWindows() string {
 	s := strings.TrimSpace(string(out))
 	s = strings.TrimPrefix(s, "Microsoft Windows [")
 	s = strings.TrimSuffix(s, "]")
-
-	// "Version 10.x.y.z", with "Version" localized. Keep only stuff after the space.
-	if sp := strings.Index(s, " "); sp != -1 {
-		s = s[sp+1:]
-	}
-	return s // "10.0.19041.388", ideally
+	s = strings.TrimPrefix(s, "Version ") // is this localized? do it last in case.
+	return s                              // "10.0.19041.388", ideally
 }

control/controlclient/netmap.go

@@ -219,6 +219,7 @@ const (
 	AllowSingleHosts WGConfigFlags = 1 << iota
 	AllowSubnetRoutes
 	AllowDefaultRoute
+	HackDefaultRoute
 )
 
 // EndpointDiscoSuffix is appended to the hex representation of a peer's discovery key
@@ -273,7 +274,11 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 					logf("wgcfg: %v skipping default route", peer.Key.ShortString())
 					continue
 				}
-			} else if cidrIsSubnet(peer, allowedIP) {
+				if (flags & HackDefaultRoute) != 0 {
+					allowedIP = wgcfg.CIDR{IP: wgcfg.IPv4(10, 0, 0, 0), Mask: 8}
+					logf("wgcfg: %v converting default route => %v", peer.Key.ShortString(), allowedIP.String())
+				}
+			} else if allowedIP.Mask < 32 {
 				if (flags & AllowSubnetRoutes) == 0 {
 					logf("wgcfg: %v skipping subnet route", peer.Key.ShortString())
 					continue
@@ -286,29 +291,6 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 	return cfg, nil
 }
 
-// cidrIsSubnet reports whether cidr is a non-default-route subnet
-// exported by node that is not one of its own self addresses.
-func cidrIsSubnet(node *tailcfg.Node, cidr wgcfg.CIDR) bool {
-	if cidr.Mask == 0 {
-		return false
-	}
-	if cidr.Mask < 32 {
-		// Fast path for IPv4, to avoid loop below.
-		//
-		// TODO: if cidr.IP is an IPv6 address, we could do "< 128"
-		// to avoid the range over node.Addresses. Or we could
-		// just remove this fast path and unconditionally do the range
-		// loop.
-		return true
-	}
-	for _, selfCIDR := range node.Addresses {
-		if cidr == selfCIDR {
-			return false
-		}
-	}
-	return true
-}
-
 func appendEndpoint(peer *wgcfg.Peer, epStr string) error {
 	if epStr == "" {
 		return nil

go.mod

@@ -21,8 +21,7 @@ require (
 	github.com/miekg/dns v1.1.30
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/tailscale/depaware v0.0.0-20200914232109-e09ee10c1824
-	github.com/tailscale/winipcfg-go v0.0.0-20200916205758-decb9ee8e170
+	github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f
 	github.com/tailscale/wireguard-go v0.0.0-20200902185615-1997cf6f9fe4
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0

go.sum

@@ -76,8 +76,6 @@ github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwp
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
 github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
 github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
-github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=
-github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -85,22 +83,13 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/tailscale/depaware v0.0.0-20200909185729-8ca448326e3a h1:PjVmKyzFfgQrdrmX7kpRkKXkvwMZP/MF3nJT/WJyjW8=
-github.com/tailscale/depaware v0.0.0-20200909185729-8ca448326e3a/go.mod h1:H0k9mKUzaDpb22Zn2FiSzY3zeRbAiZ7wUFxKJ7kp8GE=
-github.com/tailscale/depaware v0.0.0-20200910145248-cb751026f10d h1:tjLqVTL0IZdV2kBvM2WqCjug6IBJTWOYiM8wqPk2Xp0=
-github.com/tailscale/depaware v0.0.0-20200910145248-cb751026f10d/go.mod h1:H0k9mKUzaDpb22Zn2FiSzY3zeRbAiZ7wUFxKJ7kp8GE=
-github.com/tailscale/depaware v0.0.0-20200914201916-3f1070fd0d55 h1:hLAgSpbb0rfOq9jziQbvOsOarpfTDxnFbG8kG6INFeY=
-github.com/tailscale/depaware v0.0.0-20200914201916-3f1070fd0d55/go.mod h1:nyzwKFaLuckPu3dAJHH7B6lMi4xDBWzD0r3pEpGZm2Y=
-github.com/tailscale/depaware v0.0.0-20200914232109-e09ee10c1824 h1:MD/YQ8xI070ZqFC3SnLAlhPPUNfeRKErQaAaXc/r4dQ=
-github.com/tailscale/depaware v0.0.0-20200914232109-e09ee10c1824/go.mod h1:nyzwKFaLuckPu3dAJHH7B6lMi4xDBWzD0r3pEpGZm2Y=
 github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f h1:uFj5bslHsMzxIM8UTjAhq4VXeo6GfNW91rpoh/WMJaY=
 github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f/go.mod h1:x880GWw5fvrl2DVTQ04ttXQD4DuppTt1Yz6wLibbjNE=
-github.com/tailscale/winipcfg-go v0.0.0-20200916205758-decb9ee8e170 h1:vJ0twi0120W/LKiDxzXROSVx1F4pIKZBQqvtPahnH60=
-github.com/tailscale/winipcfg-go v0.0.0-20200916205758-decb9ee8e170/go.mod h1:x880GWw5fvrl2DVTQ04ttXQD4DuppTt1Yz6wLibbjNE=
+github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a h1:dQEgNpoOJf+8MswlvXJicb8ZDQqZAGe8f/WfzbDMvtE=
+github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
 github.com/tailscale/wireguard-go v0.0.0-20200902185615-1997cf6f9fe4 h1:UiTXdZChEWxxci7bx+jS9OyHQx2IA8zmMWQqp5wfP7c=
 github.com/tailscale/wireguard-go v0.0.0-20200902185615-1997cf6f9fe4/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
@@ -128,6 +117,7 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191003171128-d98b1b443823/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -148,6 +138,7 @@ golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191003212358-c178f38b412c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -183,6 +174,8 @@ gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c h1:si3Owrfem175Ry6gKqnh59eOXxDojyBTIHxUKuvK/Eo=
+inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
 inet.af/netaddr v0.0.0-20200810144936-56928fe48a98 h1:bWyWDZP0l6VnQ1TDKf6yNwuiEDV6Q3q1Mv34m+lzT1I=
 inet.af/netaddr v0.0.0-20200810144936-56928fe48a98/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
 rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=

internal/tooldeps/tooldeps.go

@@ -1,9 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tooldeps
-
-import (
-	_ "github.com/tailscale/depaware/depaware"
-)

ipn/ipnserver/server.go

@@ -8,29 +8,22 @@ import (
 	"bufio"
 	"context"
 	"fmt"
-	"html"
-	"io"
 	"log"
 	"net"
 	"net/http"
 	"os"
 	"os/exec"
 	"os/signal"
-	"os/user"
-	"runtime"
 	"sync"
 	"syscall"
 	"time"
 
-	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
 	"tailscale.com/logtail/backoff"
-	"tailscale.com/net/netstat"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/pidowner"
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
 )
@@ -91,22 +84,11 @@ type server struct {
 }
 
 func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
-	br := bufio.NewReader(c)
-
-	// First see if it's an HTTP request.
-	c.SetReadDeadline(time.Now().Add(time.Second))
-	peek, _ := br.Peek(4)
-	c.SetReadDeadline(time.Time{})
-	if string(peek) == "GET " {
-		http.Serve(&oneConnListener{altReaderNetConn{br, c}}, localhostHandler(c))
-		return
-	}
-
 	s.addConn(c)
 	logf("incoming control connection")
 	defer s.removeAndCloseConn(c)
 	for ctx.Err() == nil {
-		msg, err := ipn.ReadMsg(br)
+		msg, err := ipn.ReadMsg(c)
 		if err != nil {
 			if ctx.Err() == nil {
 				logf("ReadMsg: %v", err)
@@ -412,83 +394,3 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 func FixedEngine(eng wgengine.Engine) func() (wgengine.Engine, error) {
 	return func() (wgengine.Engine, error) { return eng, nil }
 }
-
-type dummyAddr string
-type oneConnListener struct {
-	conn net.Conn
-}
-
-func (l *oneConnListener) Accept() (c net.Conn, err error) {
-	c = l.conn
-	if c == nil {
-		err = io.EOF
-		return
-	}
-	err = nil
-	l.conn = nil
-	return
-}
-
-func (l *oneConnListener) Close() error { return nil }
-
-func (l *oneConnListener) Addr() net.Addr { return dummyAddr("unused-address") }
-
-func (a dummyAddr) Network() string { return string(a) }
-func (a dummyAddr) String() string  { return string(a) }
-
-type altReaderNetConn struct {
-	r io.Reader
-	net.Conn
-}
-
-func (a altReaderNetConn) Read(p []byte) (int, error) { return a.r.Read(p) }
-
-func localhostHandler(c net.Conn) http.Handler {
-	la, lerr := netaddr.ParseIPPort(c.LocalAddr().String())
-	ra, rerr := netaddr.ParseIPPort(c.RemoteAddr().String())
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "<html><body><h1>tailscale</h1>\n")
-		if lerr != nil || rerr != nil {
-			io.WriteString(w, "failed to parse remote address")
-			return
-		}
-		if !la.IP.IsLoopback() || !ra.IP.IsLoopback() {
-			io.WriteString(w, "not loopback")
-			return
-		}
-		tab, err := netstat.Get()
-		if err == netstat.ErrNotImplemented {
-			io.WriteString(w, "status page not available on "+runtime.GOOS)
-			return
-		}
-		if err != nil {
-			io.WriteString(w, "failed to get netstat table")
-			return
-		}
-		pid := peerPid(tab.Entries, la, ra)
-		if pid == 0 {
-			io.WriteString(w, "peer pid not found")
-			return
-		}
-		uid, err := pidowner.OwnerOfPID(pid)
-		if err != nil {
-			io.WriteString(w, "owner of peer pid not found")
-			return
-		}
-		u, err := user.LookupId(uid)
-		if err != nil {
-			io.WriteString(w, "User lookup failed")
-			return
-		}
-		fmt.Fprintf(w, "Hello, %s", html.EscapeString(u.Username))
-	})
-}
-
-func peerPid(entries []netstat.Entry, la, ra netaddr.IPPort) int {
-	for _, e := range entries {
-		if e.Local == ra && e.Remote == la {
-			return e.Pid
-		}
-	}
-	return 0
-}

ipn/local.go

@@ -555,7 +555,7 @@ func (b *LocalBackend) updateDNSMap(netMap *controlclient.NetworkMap) {
 
 	nameToIP := make(map[string]netaddr.IP)
 	set := func(name string, addrs []wgcfg.CIDR) {
-		if len(addrs) == 0 || name == "" {
+		if len(addrs) == 0 {
 			return
 		}
 		nameToIP[name] = netaddr.IPFrom16(addrs[0].IP.Addr)
@@ -953,6 +953,12 @@ func (b *LocalBackend) authReconfig() {
 		flags |= controlclient.AllowDefaultRoute
 		// TODO(apenwarr): Make subnet routes a different pref?
 		flags |= controlclient.AllowSubnetRoutes
+		// TODO(apenwarr): Remove this once we sort out subnet routes.
+		//  Right now default routes are broken in Windows, but
+		//  controlclient doesn't properly send subnet routes. So
+		//  let's convert a default route into a subnet route in order
+		//  to allow experimentation.
+		flags |= controlclient.HackDefaultRoute
 	}
 	if uc.AllowSingleHosts {
 		flags |= controlclient.AllowSingleHosts
@@ -1245,21 +1251,11 @@ func (b *LocalBackend) requestEngineStatusAndWait() {
 //  rebooting will fix it.
 func (b *LocalBackend) Logout() {
 	b.mu.Lock()
+	b.assertClientLocked()
 	c := b.c
 	b.netMap = nil
 	b.mu.Unlock()
 
-	if c == nil {
-		// Double Logout can happen via repeated IPN
-		// connections to ipnserver making it repeatedly
-		// transition from 1->0 total connections, which on
-		// Windows by default ("client mode") causes a Logout
-		// on the transition to zero.
-		// Previously this crashed when we asserted that c was non-nil
-		// here.
-		return
-	}
-
 	c.Logout()
 
 	b.mu.Lock()

ipn/loglines_test.go

@@ -5,7 +5,6 @@
 package ipn
 
 import (
-	"reflect"
 	"testing"
 	"time"
 
@@ -21,7 +20,7 @@ import (
 // being logged by the expected functions. Update these tests if moving log lines between
 // functions.
 func TestLocalLogLines(t *testing.T) {
-	logListen := tstest.NewLogLineTracker(t.Logf, []string{
+	logListen := tstest.ListenFor(t.Logf, []string{
 		"SetPrefs: %v",
 		"peer keys: %s",
 		"v%v peers: %v",
@@ -49,7 +48,6 @@ func TestLocalLogLines(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer lb.Shutdown()
 
 	// custom adjustments for required non-nil fields
 	lb.prefs = NewPrefs()
@@ -57,10 +55,30 @@ func TestLocalLogLines(t *testing.T) {
 	// hacky manual override of the usual log-on-change behaviour of keylogf
 	lb.keyLogf = logListen.Logf
 
-	testWantRemain := func(wantRemain ...string) func(t *testing.T) {
+	// testing infrastructure
+	type linesTest struct {
+		name string
+		want []string
+	}
+
+	tests := []linesTest{
+		{
+			name: "after prefs",
+			want: []string{
+				"peer keys: %s",
+				"v%v peers: %v",
+			},
+		},
+		{
+			name: "after peers",
+			want: []string{},
+		},
+	}
+
+	testLogs := func(want linesTest) func(t *testing.T) {
 		return func(t *testing.T) {
-			if remain := logListen.Check(); !reflect.DeepEqual(remain, wantRemain) {
-				t.Errorf("remain %q, want %q", remain, wantRemain)
+			if linesLeft := logListen.Check(); len(linesLeft) != len(want.want) {
+				t.Errorf("got %v, expected %v", linesLeft, want)
 			}
 		}
 	}
@@ -71,7 +89,7 @@ func TestLocalLogLines(t *testing.T) {
 	prefs.Persist = persist
 	lb.SetPrefs(prefs)
 
-	t.Run("after_prefs", testWantRemain("peer keys: %s", "v%v peers: %v"))
+	t.Run(tests[0].name, testLogs(tests[0]))
 
 	// log peers, peer keys
 	status := &wgengine.Status{
@@ -85,5 +103,5 @@ func TestLocalLogLines(t *testing.T) {
 	}
 	lb.parseWgStatus(status)
 
-	t.Run("after_peers", testWantRemain())
+	t.Run(tests[1].name, testLogs(tests[1]))
 }

log/logheap/logheap.go

@@ -15,18 +15,15 @@ import (
 	"time"
 )
 
-// LogHeap uploads a JSON logtail record with the base64 heap pprof by means
-// of an HTTP POST request to the endpoint referred to in postURL.
+// LogHeap writes a JSON logtail record with the base64 heap pprof to
+// os.Stderr.
 func LogHeap(postURL string) {
 	if postURL == "" {
 		return
 	}
 	runtime.GC()
 	buf := new(bytes.Buffer)
-	if err := pprof.WriteHeapProfile(buf); err != nil {
-		log.Printf("LogHeap: %v", err)
-		return
-	}
+	pprof.WriteHeapProfile(buf)
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()

net/interfaces/interfaces_windows.go

@@ -8,10 +8,8 @@ import (
 	"os/exec"
 	"syscall"
 
-	"github.com/tailscale/winipcfg-go"
 	"go4.org/mem"
 	"inet.af/netaddr"
-	"tailscale.com/tsconst"
 	"tailscale.com/util/lineread"
 )
 
@@ -73,22 +71,3 @@ func likelyHomeRouterIPWindows() (ret netaddr.IP, ok bool) {
 	})
 	return ret, !ret.IsZero()
 }
-
-// NonTailscaleMTUs returns a map of interface LUID to interface MTU,
-// for all interfaces except Tailscale tunnels.
-func NonTailscaleMTUs() (map[uint64]uint32, error) {
-	ifs, err := winipcfg.GetInterfaces()
-	if err != nil {
-		return nil, err
-	}
-
-	ret := map[uint64]uint32{}
-	for _, iface := range ifs {
-		if iface.Description == tsconst.WintunInterfaceDesc {
-			continue
-		}
-		ret[iface.Luid] = iface.Mtu
-	}
-
-	return ret, nil
-}

net/netcheck/netcheck.go

@@ -236,6 +236,7 @@ func (c *Client) ReceiveSTUNPacket(pkt []byte, src netaddr.IPPort) {
 
 	tx, addr, port, err := stun.ParseResponse(pkt)
 	if err != nil {
+		c.mu.Unlock()
 		if _, err := stun.ParseBindingRequest(pkt); err == nil {
 			// This was probably our own netcheck hairpin
 			// check probe coming in late. Ignore.

net/netns/netns_default.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !linux,!windows
+// +build !linux
 
 package netns
 

net/netns/netns_windows.go

@@ -1,123 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package netns
-
-import (
-	"encoding/binary"
-	"syscall"
-	"unsafe"
-
-	"github.com/tailscale/winipcfg-go"
-	"golang.org/x/sys/windows"
-	"tailscale.com/net/interfaces"
-)
-
-// control binds c to the Windows interface that holds a default
-// route, and is not the Tailscale WinTun interface.
-func control(network, address string, c syscall.RawConn) error {
-	canV4, canV6 := false, false
-	switch network {
-	case "tcp", "udp":
-		canV4, canV6 = true, true
-	case "tcp4", "udp4":
-		canV4 = true
-	case "tcp6", "udp6":
-		canV6 = true
-	}
-
-	if canV4 {
-		if4, err := getDefaultInterface(winipcfg.AF_INET)
-		if err != nil {
-			return err
-		}
-		if err := bindSocket4(c, if4); err != nil {
-			return err
-		}
-	}
-
-	if canV6 {
-		if6, err := getDefaultInterface(winipcfg.AF_INET6)
-		if err != nil {
-			return err
-		}
-		if err := bindSocket6(c, if6); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// getDefaultInterface returns the index of the interface that has the
-// non-Tailscale default route for the given address family.
-func getDefaultInterface(family winipcfg.AddressFamily) (ifidx uint32, err error) {
-	ifs, err := interfaces.NonTailscaleMTUs()
-	if err != nil {
-		return 0, err
-	}
-
-	routes, err := winipcfg.GetRoutes(family)
-	if err != nil {
-		return 0, err
-	}
-
-	bestMetric := ^uint32(0)
-	// The zero index means "unspecified". If we end up passing zero
-	// to bindSocket*(), it unsets the binding and lets the socket
-	// behave as normal again, which is what we want if there's no
-	// default route we can use.
-	var index uint32
-	for _, route := range routes {
-		if route.DestinationPrefix.PrefixLength != 0 || ifs[route.InterfaceLuid] == 0 {
-			continue
-		}
-		if route.Metric < bestMetric {
-			bestMetric = route.Metric
-			index = route.InterfaceIndex
-		}
-	}
-
-	return index, nil
-}
-
-const sockoptBoundInterface = 31
-
-// bindSocket4 binds the given RawConn to the network interface with
-// index ifidx, for IPv4 traffic only.
-func bindSocket4(c syscall.RawConn, ifidx uint32) error {
-	// For v4 the interface index must be passed as a big-endian
-	// integer, regardless of platform endianness.
-	index := nativeToBigEndian(ifidx)
-	var controlErr error
-	err := c.Control(func(fd uintptr) {
-		controlErr = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IP, sockoptBoundInterface, int(index))
-	})
-	if err != nil {
-		return err
-	}
-	return controlErr
-}
-
-// bindSocket6 binds the given RawConn to the network interface with
-// index ifidx, for IPv6 traffic only.
-func bindSocket6(c syscall.RawConn, ifidx uint32) error {
-	var controlErr error
-	err := c.Control(func(fd uintptr) {
-		controlErr = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IPV6, sockoptBoundInterface, int(ifidx))
-	})
-	if err != nil {
-		return err
-	}
-	return controlErr
-}
-
-// nativeToBigEndian returns i converted into big-endian
-// representation, suitable for passing to Windows APIs that require a
-// mangled uint32.
-func nativeToBigEndian(i uint32) uint32 {
-	var b [4]byte
-	binary.BigEndian.PutUint32(b[:], i)
-	return *(*uint32)(unsafe.Pointer(&b[0]))
-}

net/netstat/netstat.go

@@ -1,36 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package netstat returns the local machine's network connection table.
-package netstat
-
-import (
-	"errors"
-	"runtime"
-
-	"inet.af/netaddr"
-)
-
-var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)
-
-type Entry struct {
-	Local, Remote netaddr.IPPort
-	Pid           int
-	State         string // TODO: type?
-}
-
-// Table contains local machine's TCP connection entries.
-//
-// Currently only TCP (IPv4 and IPv6) are included.
-type Table struct {
-	Entries []Entry
-}
-
-// Get returns the connection table.
-//
-// It returns ErrNotImplemented if the table is not available for the
-// current operating system.
-func Get() (*Table, error) {
-	return get()
-}

net/netstat/netstat_noimpl.go

@@ -1,11 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !windows
-
-package netstat
-
-func get() (*Table, error) {
-	return nil, ErrNotImplemented
-}

net/netstat/netstat_test.go

@@ -1,22 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package netstat
-
-import (
-	"testing"
-)
-
-func TestGet(t *testing.T) {
-	nt, err := Get()
-	if err == ErrNotImplemented {
-		t.Skip("TODO: not implemented")
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	for _, e := range nt.Entries {
-		t.Logf("Entry: %+v", e)
-	}
-}

net/netstat/netstat_windows.go

@@ -1,178 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package netstat returns the local machine's network connection table.
-package netstat
-
-import (
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-	"inet.af/netaddr"
-)
-
-// See https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getextendedtcptable
-
-// TCP_TABLE_OWNER_PID_ALL means to include the PID info. The table type
-// we get back from Windows depends on AF_INET vs AF_INET6:
-// MIB_TCPTABLE_OWNER_PID for v4 or MIB_TCP6TABLE_OWNER_PID for v6.
-const tcpTableOwnerPidAll = 5
-
-var (
-	iphlpapi    = syscall.NewLazyDLL("iphlpapi.dll")
-	getTCPTable = iphlpapi.NewProc("GetExtendedTcpTable")
-	// TODO: GetExtendedUdpTable also? if/when needed.
-)
-
-type _MIB_TCPROW_OWNER_PID struct {
-	state      uint32
-	localAddr  uint32
-	localPort  uint32
-	remoteAddr uint32
-	remotePort uint32
-	pid        uint32
-}
-
-type _MIB_TCP6ROW_OWNER_PID struct {
-	localAddr   [16]byte
-	localScope  uint32
-	localPort   uint32
-	remoteAddr  [16]byte
-	remoteScope uint32
-	remotePort  uint32
-	state       uint32
-	pid         uint32
-}
-
-func get() (*Table, error) {
-	t := new(Table)
-	if err := t.addEntries(windows.AF_INET); err != nil {
-		return nil, fmt.Errorf("failed to get IPv4 entries: %w", err)
-	}
-	if err := t.addEntries(windows.AF_INET6); err != nil {
-		return nil, fmt.Errorf("failed to get IPv6 entries: %w", err)
-	}
-	return t, nil
-}
-
-func (t *Table) addEntries(fam int) error {
-	var size uint32
-	var addr unsafe.Pointer
-	var buf []byte
-	for {
-		err, _, _ := getTCPTable.Call(
-			uintptr(addr),
-			uintptr(unsafe.Pointer(&size)),
-			1, // sorted
-			uintptr(fam),
-			tcpTableOwnerPidAll,
-			0, // reserved; "must be zero"
-		)
-		if err == 0 {
-			break
-		}
-		if err == uintptr(syscall.ERROR_INSUFFICIENT_BUFFER) {
-			const maxSize = 10 << 20
-			if size > maxSize || size < 4 {
-				return fmt.Errorf("unreasonable kernel-reported size %d", size)
-			}
-			buf = make([]byte, size)
-			addr = unsafe.Pointer(&buf[0])
-			continue
-		}
-		return syscall.Errno(err)
-	}
-	if len(buf) < int(size) {
-		return errors.New("unexpected size growth from system call")
-	}
-	buf = buf[:size]
-
-	numEntries := *(*uint32)(unsafe.Pointer(&buf[0]))
-	buf = buf[4:]
-
-	var recSize int
-	switch fam {
-	case windows.AF_INET:
-		recSize = 6 * 4
-	case windows.AF_INET6:
-		recSize = 6*4 + 16*2
-	}
-	dataLen := numEntries * uint32(recSize)
-	if uint32(len(buf)) > dataLen {
-		buf = buf[:dataLen]
-	}
-	for len(buf) >= recSize {
-		switch fam {
-		case windows.AF_INET:
-			row := (*_MIB_TCPROW_OWNER_PID)(unsafe.Pointer(&buf[0]))
-			t.Entries = append(t.Entries, Entry{
-				Local:  ipport4(row.localAddr, port(&row.localPort)),
-				Remote: ipport4(row.remoteAddr, port(&row.remotePort)),
-				Pid:    int(row.pid),
-				State:  state(row.state),
-			})
-		case windows.AF_INET6:
-			row := (*_MIB_TCP6ROW_OWNER_PID)(unsafe.Pointer(&buf[0]))
-			t.Entries = append(t.Entries, Entry{
-				Local:  ipport6(row.localAddr, row.localScope, port(&row.localPort)),
-				Remote: ipport6(row.remoteAddr, row.remoteScope, port(&row.remotePort)),
-				Pid:    int(row.pid),
-				State:  state(row.state),
-			})
-		}
-		buf = buf[recSize:]
-	}
-	return nil
-}
-
-var states = []string{
-	"",
-	"CLOSED",
-	"LISTEN",
-	"SYN-SENT",
-	"SYN-RECEIVED",
-	"ESTABLISHED",
-	"FIN-WAIT-1",
-	"FIN-WAIT-2",
-	"CLOSE-WAIT",
-	"CLOSING",
-	"LAST-ACK",
-	"DELETE-TCB",
-}
-
-func state(v uint32) string {
-	if v < uint32(len(states)) {
-		return states[v]
-	}
-	return fmt.Sprintf("unknown-state-%d", v)
-}
-
-func ipport4(addr uint32, port uint16) netaddr.IPPort {
-	a4 := (*[4]byte)(unsafe.Pointer(&addr))
-	return netaddr.IPPort{
-		IP:   netaddr.IPv4(a4[0], a4[1], a4[2], a4[3]),
-		Port: port,
-	}
-}
-
-func ipport6(addr [16]byte, scope uint32, port uint16) netaddr.IPPort {
-	ip := netaddr.IPFrom16(addr)
-	if scope != 0 {
-		// TODO: something better here?
-		ip = ip.WithZone(fmt.Sprint(scope))
-	}
-	return netaddr.IPPort{
-		IP:   ip,
-		Port: port,
-	}
-}
-
-func port(v *uint32) uint16 {
-	p := (*[4]byte)(unsafe.Pointer(v))
-	return binary.BigEndian.Uint16(p[:2])
-}

scripts/check_license_headers.sh

@@ -30,7 +30,7 @@ if [ $# != 1 ]; then
 fi
 
 fail=0
-for file in $(find $1 -name '*.go' -not -path '*/.git/*'); do
+for file in $(find $1 -name '*.go'); do
     case $file in
         $1/tempfork/*)
             # Skip, tempfork of third-party code

syncs/locked.go

@@ -1,58 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.13,!go1.16
-
-// This file makes assumptions about the inner workings of sync.Mutex and sync.RWMutex.
-// This includes not just their memory layout but their invariants and functionality.
-// To prevent accidents, it is limited to a known good subset of Go versions.
-
-package syncs
-
-import (
-	"sync"
-	"sync/atomic"
-	"unsafe"
-)
-
-const (
-	mutexLocked = 1
-
-	// sync.Mutex field offsets
-	stateOffset = 0
-
-	// sync.RWMutext field offsets
-	mutexOffset       = 0
-	readerCountOffset = 16
-)
-
-// add returns a pointer with value p + off.
-func add(p unsafe.Pointer, off uintptr) unsafe.Pointer {
-	return unsafe.Pointer(uintptr(p) + off)
-}
-
-// AssertLocked panics if m is not locked.
-func AssertLocked(m *sync.Mutex) {
-	p := add(unsafe.Pointer(m), stateOffset)
-	if atomic.LoadInt32((*int32)(p))&mutexLocked == 0 {
-		panic("mutex is not locked")
-	}
-}
-
-// AssertRLocked panics if rw is not locked for reading or writing.
-func AssertRLocked(rw *sync.RWMutex) {
-	p := add(unsafe.Pointer(rw), readerCountOffset)
-	if atomic.LoadInt32((*int32)(p)) != 0 {
-		// There are readers present or writers pending, so someone has a read lock.
-		return
-	}
-	// No readers.
-	AssertWLocked(rw)
-}
-
-// AssertWLocked panics if rw is not locked for writing.
-func AssertWLocked(rw *sync.RWMutex) {
-	m := (*sync.Mutex)(add(unsafe.Pointer(rw), mutexOffset))
-	AssertLocked(m)
-}

syncs/locked_test.go

@@ -1,123 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build go1.13,!go1.16
-
-//lint:file-ignore SA2001 the empty critical sections are part of triggering different internal mutex states
-
-package syncs
-
-import (
-	"sync"
-	"testing"
-	"time"
-)
-
-func wantPanic(t *testing.T, fn func()) {
-	t.Helper()
-	defer func() {
-		recover()
-	}()
-	fn()
-	t.Fatal("failed to panic")
-}
-
-func TestAssertLocked(t *testing.T) {
-	m := new(sync.Mutex)
-	wantPanic(t, func() { AssertLocked(m) })
-	m.Lock()
-	AssertLocked(m)
-	m.Unlock()
-	wantPanic(t, func() { AssertLocked(m) })
-	// Test correct handling of mutex with waiter.
-	m.Lock()
-	AssertLocked(m)
-	go func() {
-		m.Lock()
-		m.Unlock()
-	}()
-	// Give the goroutine above a few moments to get started.
-	// The test will pass whether or not we win the race,
-	// but we want to run sometimes, to get the test coverage.
-	time.Sleep(10 * time.Millisecond)
-	AssertLocked(m)
-}
-
-func TestAssertWLocked(t *testing.T) {
-	m := new(sync.RWMutex)
-	wantPanic(t, func() { AssertWLocked(m) })
-	m.Lock()
-	AssertWLocked(m)
-	m.Unlock()
-	wantPanic(t, func() { AssertWLocked(m) })
-	// Test correct handling of mutex with waiter.
-	m.Lock()
-	AssertWLocked(m)
-	go func() {
-		m.Lock()
-		m.Unlock()
-	}()
-	// Give the goroutine above a few moments to get started.
-	// The test will pass whether or not we win the race,
-	// but we want to run sometimes, to get the test coverage.
-	time.Sleep(10 * time.Millisecond)
-	AssertWLocked(m)
-}
-
-func TestAssertRLocked(t *testing.T) {
-	m := new(sync.RWMutex)
-	wantPanic(t, func() { AssertRLocked(m) })
-
-	m.Lock()
-	AssertRLocked(m)
-	m.Unlock()
-
-	m.RLock()
-	AssertRLocked(m)
-	m.RUnlock()
-
-	wantPanic(t, func() { AssertRLocked(m) })
-
-	// Test correct handling of mutex with waiter.
-	m.RLock()
-	AssertRLocked(m)
-	go func() {
-		m.RLock()
-		m.RUnlock()
-	}()
-	// Give the goroutine above a few moments to get started.
-	// The test will pass whether or not we win the race,
-	// but we want to run sometimes, to get the test coverage.
-	time.Sleep(10 * time.Millisecond)
-	AssertRLocked(m)
-	m.RUnlock()
-
-	// Test correct handling of rlock with write waiter.
-	m.RLock()
-	AssertRLocked(m)
-	go func() {
-		m.Lock()
-		m.Unlock()
-	}()
-	// Give the goroutine above a few moments to get started.
-	// The test will pass whether or not we win the race,
-	// but we want to run sometimes, to get the test coverage.
-	time.Sleep(10 * time.Millisecond)
-	AssertRLocked(m)
-	m.RUnlock()
-
-	// Test correct handling of rlock with other rlocks.
-	// This is a bit racy, but losing the race hurts nothing,
-	// and winning the race means correct test coverage.
-	m.RLock()
-	AssertRLocked(m)
-	go func() {
-		m.RLock()
-		time.Sleep(10 * time.Millisecond)
-		m.RUnlock()
-	}()
-	time.Sleep(5 * time.Millisecond)
-	AssertRLocked(m)
-	m.RUnlock()
-}

syncs/syncs.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package syncs contains additional sync types and functionality.
+// Package syncs contains addition sync types.
 package syncs
 
 import "sync/atomic"

syncs/watchdog.go

@@ -1,95 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package syncs
-
-import (
-	"context"
-	"sync"
-	"time"
-)
-
-// Watch monitors mu for contention.
-// On first call, and at every tick, Watch locks and unlocks mu.
-// (Tick should be large to avoid adding contention to mu.)
-// Max is the maximum length of time Watch will wait to acquire the lock.
-// The time required to lock mu is sent on the returned channel.
-// Watch exits when ctx is done, and closes the returned channel.
-func Watch(ctx context.Context, mu sync.Locker, tick, max time.Duration) chan time.Duration {
-	// Set up the return channel.
-	c := make(chan time.Duration)
-	var (
-		closemu sync.Mutex
-		closed  bool
-	)
-	sendc := func(d time.Duration) {
-		closemu.Lock()
-		defer closemu.Unlock()
-		if closed {
-			// Drop values written after c is closed.
-			return
-		}
-		c <- d
-	}
-	closec := func() {
-		closemu.Lock()
-		defer closemu.Unlock()
-		close(c)
-		closed = true
-	}
-
-	// check locks the mutex and writes how long it took to c.
-	// check returns ~immediately.
-	check := func() {
-		// Start a race between two goroutines.
-		// One locks the mutex; the other times out.
-		// Ensure that only one of the two gets to write its result.
-		// Since the common case is that locking the mutex is fast,
-		// let the timeout goroutine exit early when that happens.
-		var sendonce sync.Once
-		done := make(chan bool)
-		go func() {
-			start := time.Now()
-			mu.Lock()
-			mu.Unlock() //lint:ignore SA2001 ignore the empty critical section
-			elapsed := time.Since(start)
-			if elapsed > max {
-				elapsed = max
-			}
-			close(done)
-			sendonce.Do(func() { sendc(elapsed) })
-		}()
-		go func() {
-			select {
-			case <-time.After(max):
-				// the other goroutine may not have sent a value
-				sendonce.Do(func() { sendc(max) })
-			case <-done:
-				// the other goroutine sent a value
-			}
-		}()
-	}
-
-	// Check once at startup.
-	// This is mainly to make testing easier.
-	check()
-
-	// Start the watchdog goroutine.
-	// It checks the mutex every tick, until ctx is done.
-	go func() {
-		ticker := time.NewTicker(tick)
-		for {
-			select {
-			case <-ctx.Done():
-				closec()
-				ticker.Stop()
-				return
-			case <-ticker.C:
-				check()
-			}
-		}
-	}()
-
-	return c
-}

syncs/watchdog_test.go

@@ -1,71 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package syncs
-
-import (
-	"context"
-	"sync"
-	"testing"
-	"time"
-)
-
-// Time-based tests are fundamentally flaky.
-// We use exaggerated durations in the hopes of minimizing such issues.
-
-func TestWatchUncontended(t *testing.T) {
-	mu := new(sync.Mutex)
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	// Once an hour, and now, check whether we can lock mu in under an hour.
-	tick := time.Hour
-	max := time.Hour
-	c := Watch(ctx, mu, tick, max)
-	d := <-c
-	if d == max {
-		t.Errorf("uncontended mutex did not lock in under %v", max)
-	}
-}
-
-func TestWatchContended(t *testing.T) {
-	mu := new(sync.Mutex)
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	// Every hour, and now, check whether we can lock mu in under a millisecond,
-	// which is enough time for an uncontended mutex by several orders of magnitude.
-	tick := time.Hour
-	max := time.Millisecond
-	mu.Lock()
-	defer mu.Unlock()
-	c := Watch(ctx, mu, tick, max)
-	d := <-c
-	if d != max {
-		t.Errorf("contended mutex locked in under %v", max)
-	}
-}
-
-func TestWatchMultipleValues(t *testing.T) {
-	mu := new(sync.Mutex)
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel() // not necessary, but keep vet happy
-	// Check the mutex every millisecond.
-	// The goal is to see that we get a sufficient number of values out of the channel.
-	tick := time.Millisecond
-	max := time.Millisecond
-	c := Watch(ctx, mu, tick, max)
-	start := time.Now()
-	n := 0
-	for d := range c {
-		n++
-		if d == max {
-			t.Errorf("uncontended mutex did not lock in under %v", max)
-		}
-		if n == 10 {
-			cancel()
-		}
-	}
-	if elapsed := time.Since(start); elapsed > 100*time.Millisecond {
-		t.Errorf("expected 1 event per millisecond, got only %v events in %v", n, elapsed)
-	}
-}

tailcfg/tailcfg_clone.go

@@ -7,10 +7,6 @@
 package tailcfg
 
 import (
-	"github.com/tailscale/wireguard-go/wgcfg"
-	"inet.af/netaddr"
-	"tailscale.com/types/opt"
-	"tailscale.com/types/structs"
 	"time"
 )
 
@@ -27,19 +23,6 @@ func (src *User) Clone() *User {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _UserNeedsRegeneration = User(struct {
-	ID            UserID
-	LoginName     string
-	DisplayName   string
-	ProfilePicURL string
-	Domain        string
-	Logins        []LoginID
-	Roles         []RoleID
-	Created       time.Time
-}{})
-
 // Clone makes a deep copy of Node.
 // The result aliases no memory with the original.
 func (src *Node) Clone() *Node {
@@ -59,27 +42,6 @@ func (src *Node) Clone() *Node {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _NodeNeedsRegeneration = Node(struct {
-	ID                NodeID
-	Name              string
-	User              UserID
-	Key               NodeKey
-	KeyExpiry         time.Time
-	Machine           MachineKey
-	DiscoKey          DiscoKey
-	Addresses         []wgcfg.CIDR
-	AllowedIPs        []wgcfg.CIDR
-	Endpoints         []string
-	DERP              string
-	Hostinfo          Hostinfo
-	Created           time.Time
-	LastSeen          *time.Time
-	KeepAlive         bool
-	MachineAuthorized bool
-}{})
-
 // Clone makes a deep copy of Hostinfo.
 // The result aliases no memory with the original.
 func (src *Hostinfo) Clone() *Hostinfo {
@@ -95,23 +57,6 @@ func (src *Hostinfo) Clone() *Hostinfo {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _HostinfoNeedsRegeneration = Hostinfo(struct {
-	IPNVersion    string
-	FrontendLogID string
-	BackendLogID  string
-	OS            string
-	OSVersion     string
-	DeviceModel   string
-	Hostname      string
-	GoArch        string
-	RoutableIPs   []wgcfg.CIDR
-	RequestTags   []string
-	Services      []Service
-	NetInfo       *NetInfo
-}{})
-
 // Clone makes a deep copy of NetInfo.
 // The result aliases no memory with the original.
 func (src *NetInfo) Clone() *NetInfo {
@@ -129,21 +74,6 @@ func (src *NetInfo) Clone() *NetInfo {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _NetInfoNeedsRegeneration = NetInfo(struct {
-	MappingVariesByDestIP opt.Bool
-	HairPinning           opt.Bool
-	WorkingIPv6           opt.Bool
-	WorkingUDP            opt.Bool
-	UPnP                  opt.Bool
-	PMP                   opt.Bool
-	PCP                   opt.Bool
-	PreferredDERP         int
-	LinkType              string
-	DERPLatency           map[string]float64
-}{})
-
 // Clone makes a deep copy of Group.
 // The result aliases no memory with the original.
 func (src *Group) Clone() *Group {
@@ -156,14 +86,6 @@ func (src *Group) Clone() *Group {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _GroupNeedsRegeneration = Group(struct {
-	ID      GroupID
-	Name    string
-	Members []ID
-}{})
-
 // Clone makes a deep copy of Role.
 // The result aliases no memory with the original.
 func (src *Role) Clone() *Role {
@@ -176,14 +98,6 @@ func (src *Role) Clone() *Role {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _RoleNeedsRegeneration = Role(struct {
-	ID           RoleID
-	Name         string
-	Capabilities []CapabilityID
-}{})
-
 // Clone makes a deep copy of Capability.
 // The result aliases no memory with the original.
 func (src *Capability) Clone() *Capability {
@@ -195,14 +109,6 @@ func (src *Capability) Clone() *Capability {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _CapabilityNeedsRegeneration = Capability(struct {
-	ID   CapabilityID
-	Type CapType
-	Val  ID
-}{})
-
 // Clone makes a deep copy of Login.
 // The result aliases no memory with the original.
 func (src *Login) Clone() *Login {
@@ -214,18 +120,6 @@ func (src *Login) Clone() *Login {
 	return dst
 }
 
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _LoginNeedsRegeneration = Login(struct {
-	_             structs.Incomparable
-	ID            LoginID
-	Provider      string
-	LoginName     string
-	DisplayName   string
-	ProfilePicURL string
-	Domain        string
-}{})
-
 // Clone makes a deep copy of DNSConfig.
 // The result aliases no memory with the original.
 func (src *DNSConfig) Clone() *DNSConfig {
@@ -238,102 +132,3 @@ func (src *DNSConfig) Clone() *DNSConfig {
 	dst.Domains = append(src.Domains[:0:0], src.Domains...)
 	return dst
 }
-
-// A compilation failure here means this code must be regenerated, with command:
-//   tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig
-var _DNSConfigNeedsRegeneration = DNSConfig(struct {
-	Nameservers []netaddr.IP
-	Domains     []string
-	PerDomain   bool
-	Proxied     bool
-}{})
-
-// Clone duplicates src into dst and reports whether it succeeded.
-// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
-// where T is one of User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig.
-func Clone(dst, src interface{}) bool {
-	switch src := src.(type) {
-	case *User:
-		switch dst := dst.(type) {
-		case *User:
-			*dst = *src.Clone()
-			return true
-		case **User:
-			*dst = src.Clone()
-			return true
-		}
-	case *Node:
-		switch dst := dst.(type) {
-		case *Node:
-			*dst = *src.Clone()
-			return true
-		case **Node:
-			*dst = src.Clone()
-			return true
-		}
-	case *Hostinfo:
-		switch dst := dst.(type) {
-		case *Hostinfo:
-			*dst = *src.Clone()
-			return true
-		case **Hostinfo:
-			*dst = src.Clone()
-			return true
-		}
-	case *NetInfo:
-		switch dst := dst.(type) {
-		case *NetInfo:
-			*dst = *src.Clone()
-			return true
-		case **NetInfo:
-			*dst = src.Clone()
-			return true
-		}
-	case *Group:
-		switch dst := dst.(type) {
-		case *Group:
-			*dst = *src.Clone()
-			return true
-		case **Group:
-			*dst = src.Clone()
-			return true
-		}
-	case *Role:
-		switch dst := dst.(type) {
-		case *Role:
-			*dst = *src.Clone()
-			return true
-		case **Role:
-			*dst = src.Clone()
-			return true
-		}
-	case *Capability:
-		switch dst := dst.(type) {
-		case *Capability:
-			*dst = *src.Clone()
-			return true
-		case **Capability:
-			*dst = src.Clone()
-			return true
-		}
-	case *Login:
-		switch dst := dst.(type) {
-		case *Login:
-			*dst = *src.Clone()
-			return true
-		case **Login:
-			*dst = src.Clone()
-			return true
-		}
-	case *DNSConfig:
-		switch dst := dst.(type) {
-		case *DNSConfig:
-			*dst = *src.Clone()
-			return true
-		case **DNSConfig:
-			*dst = src.Clone()
-			return true
-		}
-	}
-	return false
-}

tsconst/interface.go

@@ -1,11 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package tsconst exports some constants used elsewhere in the
-// codebase.
-package tsconst
-
-// WintunInterfaceDesc is the description attached to Tailscale
-// interfaces on Windows. This is set by our modified WinTun driver.
-const WintunInterfaceDesc = "Tailscale Tunnel"

tstest/log.go

@@ -45,47 +45,46 @@ func PanicOnLog() {
 	log.SetOutput(panicLogWriter{})
 }
 
-// NewLogLineTracker produces a LogLineTracker wrapping a given logf that tracks whether expectedFormatStrings were seen.
-func NewLogLineTracker(logf logger.Logf, expectedFormatStrings []string) *LogLineTracker {
-	ret := &LogLineTracker{
+// ListenFor produces a LogListener wrapping a given logf with the given logStrings
+func ListenFor(logf logger.Logf, logStrings []string) *LogListener {
+	ret := LogListener{
 		logf:      logf,
-		listenFor: expectedFormatStrings,
+		listenFor: logStrings,
 		seen:      make(map[string]bool),
 	}
-	for _, line := range expectedFormatStrings {
+	for _, line := range logStrings {
 		ret.seen[line] = false
 	}
-	return ret
+	return &ret
 }
 
-// LogLineTracker is a logger that tracks which log format patterns it's
-// seen and can report which expected ones were not seen later.
-type LogLineTracker struct {
+// LogListener takes a list of log lines to listen for
+type LogListener struct {
 	logf      logger.Logf
 	listenFor []string
 
 	mu   sync.Mutex
-	seen map[string]bool // format string => false (if not yet seen but wanted) or true (once seen)
+	seen map[string]bool
 }
 
-// Logf logs to its underlying logger and also tracks that the given format pattern has been seen.
-func (lt *LogLineTracker) Logf(format string, args ...interface{}) {
-	lt.mu.Lock()
-	if v, ok := lt.seen[format]; ok && !v {
-		lt.seen[format] = true
+// Logf records and logs a given line
+func (ll *LogListener) Logf(format string, args ...interface{}) {
+	ll.mu.Lock()
+	if _, ok := ll.seen[format]; ok {
+		ll.seen[format] = true
 	}
-	lt.mu.Unlock()
-	lt.logf(format, args...)
+	ll.mu.Unlock()
+	ll.logf(format, args)
 }
 
-// Check returns which format strings haven't been logged yet.
-func (lt *LogLineTracker) Check() []string {
-	lt.mu.Lock()
-	defer lt.mu.Unlock()
+// Check returns which lines haven't been logged yet
+func (ll *LogListener) Check() []string {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
 	var notSeen []string
-	for _, format := range lt.listenFor {
-		if !lt.seen[format] {
-			notSeen = append(notSeen, format)
+	for _, line := range ll.listenFor {
+		if !ll.seen[line] {
+			notSeen = append(notSeen, line)
 		}
 	}
 	return notSeen

tstest/log_test.go

@@ -4,45 +4,43 @@
 
 package tstest
 
-import (
-	"reflect"
-	"testing"
-)
+import "testing"
 
-func TestLogLineTracker(t *testing.T) {
-	const (
+func TestLogListener(t *testing.T) {
+	var (
 		l1 = "line 1: %s"
 		l2 = "line 2: %s"
 		l3 = "line 3: %s"
+
+		lineList = []string{l1, l2}
 	)
 
-	lt := NewLogLineTracker(t.Logf, []string{l1, l2})
+	ll := ListenFor(t.Logf, lineList)
 
-	if got, want := lt.Check(), []string{l1, l2}; !reflect.DeepEqual(got, want) {
-		t.Errorf("Check = %q; want %q", got, want)
+	if len(ll.Check()) != len(lineList) {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
 	}
 
-	lt.Logf(l3, "hi")
+	ll.Logf(l3, "hi")
 
-	if got, want := lt.Check(), []string{l1, l2}; !reflect.DeepEqual(got, want) {
-		t.Errorf("Check = %q; want %q", got, want)
+	if len(ll.Check()) != len(lineList) {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
 	}
 
-	lt.Logf(l1, "hi")
+	ll.Logf(l1, "hi")
 
-	if got, want := lt.Check(), []string{l2}; !reflect.DeepEqual(got, want) {
-		t.Errorf("Check = %q; want %q", got, want)
+	if len(ll.Check()) != len(lineList)-1 {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
 	}
 
-	lt.Logf(l1, "bye")
+	ll.Logf(l1, "bye")
 
-	if got, want := lt.Check(), []string{l2}; !reflect.DeepEqual(got, want) {
-		t.Errorf("Check = %q; want %q", got, want)
+	if len(ll.Check()) != len(lineList)-1 {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
 	}
 
-	lt.Logf(l2, "hi")
-
-	if got, want := lt.Check(), []string(nil); !reflect.DeepEqual(got, want) {
-		t.Errorf("Check = %q; want %q", got, want)
+	ll.Logf(l2, "hi")
+	if ll.Check() != nil {
+		t.Errorf("expected empty list, got ll.Check()")
 	}
 }

tstest/resource.go

@@ -68,4 +68,5 @@ func (r *ResourceCheck) Assert(t testing.TB) {
 			}
 		}
 	}
+	t.Logf("ResourceCheck ok: goroutines before=%d after=%d\n", got, want)
 }

tsweb/jsonhandler.go

@@ -6,7 +6,6 @@ package tsweb
 
 import (
 	"encoding/json"
-	"fmt"
 	"net/http"
 )
 
@@ -16,23 +15,23 @@ type response struct {
 	Data   interface{} `json:"data,omitempty"`
 }
 
-// JSONHandlerFunc is an HTTP ReturnHandler that writes JSON responses to the client.
-//
-// Return a HTTPError to show an error message, otherwise JSONHandlerFunc will
-// only report "internal server error" to the user.
+// TODO: Header
+
+// JSONHandlerFunc only take *http.Request as argument to avoid any misuse of http.ResponseWriter.
+// The function's results must be (status int, data interface{}, err error).
+// Return a HTTPError to show an error message, otherwise JSONHandler will only show "internal server error".
 type JSONHandlerFunc func(r *http.Request) (status int, data interface{}, err error)
 
-// ServeHTTPReturn implements the ReturnHandler interface.
+// ServeHTTP calls the JSONHandlerFunc and automatically marshals http responses.
 //
 // Use the following code to unmarshal the request body
-//
 //	body := new(DataType)
 //	if err := json.NewDecoder(r.Body).Decode(body); err != nil {
 //	  return http.StatusBadRequest, nil, err
 //	}
 //
-// See jsonhandler_text.go for examples.
-func (fn JSONHandlerFunc) ServeHTTPReturn(w http.ResponseWriter, r *http.Request) error {
+// Check jsonhandler_text.go for examples
+func (fn JSONHandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	var resp *response
 	status, data, err := fn(r)
@@ -54,13 +53,6 @@ func (fn JSONHandlerFunc) ServeHTTPReturn(w http.ResponseWriter, r *http.Request
 				Error:  werr.Msg,
 				Data:   data,
 			}
-			// Unwrap the HTTPError here because we are communicating with
-			// the client in this handler. We don't want the wrapping
-			// ReturnHandler to do it too.
-			err = werr.Err
-			if werr.Msg != "" {
-				err = fmt.Errorf("%s: %w", werr.Msg, err)
-			}
 		} else {
 			resp = &response{
 				Status: "error",
@@ -69,17 +61,13 @@ func (fn JSONHandlerFunc) ServeHTTPReturn(w http.ResponseWriter, r *http.Request
 		}
 	}
 
-	b, jerr := json.Marshal(resp)
-	if jerr != nil {
+	b, err := json.Marshal(resp)
+	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Write([]byte(`{"status":"error","error":"json marshal error"}`))
-		if err != nil {
-			return fmt.Errorf("%w, and then we could not respond: %v", err, jerr)
-		}
-		return jerr
+		return
 	}
 
 	w.WriteHeader(status)
 	w.Write(b)
-	return err
 }

tsweb/jsonhandler_test.go

@@ -61,7 +61,7 @@ func TestNewJSONHandler(t *testing.T) {
 	t.Run("200 simple", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("GET", "/", nil)
-		h21.ServeHTTPReturn(w, r)
+		h21.ServeHTTP(w, r)
 		checkStatus(w, "success", http.StatusOK)
 	})
 
@@ -72,7 +72,7 @@ func TestNewJSONHandler(t *testing.T) {
 
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("GET", "/", nil)
-		h.ServeHTTPReturn(w, r)
+		h.ServeHTTP(w, r)
 		checkStatus(w, "error", http.StatusForbidden)
 	})
 
@@ -83,7 +83,7 @@ func TestNewJSONHandler(t *testing.T) {
 	t.Run("200 get data", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("GET", "/", nil)
-		h22.ServeHTTPReturn(w, r)
+		h22.ServeHTTP(w, r)
 		checkStatus(w, "success", http.StatusOK)
 	})
 
@@ -102,21 +102,21 @@ func TestNewJSONHandler(t *testing.T) {
 	t.Run("200 post data", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Name": "tailscale"}`))
-		h31.ServeHTTPReturn(w, r)
+		h31.ServeHTTP(w, r)
 		checkStatus(w, "success", http.StatusOK)
 	})
 
 	t.Run("400 bad json", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{`))
-		h31.ServeHTTPReturn(w, r)
+		h31.ServeHTTP(w, r)
 		checkStatus(w, "error", http.StatusBadRequest)
 	})
 
 	t.Run("400 post data error", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{}`))
-		h31.ServeHTTPReturn(w, r)
+		h31.ServeHTTP(w, r)
 		resp := checkStatus(w, "error", http.StatusBadRequest)
 		if resp.Error != "name is empty" {
 			t.Fatalf("wrong error")
@@ -141,7 +141,7 @@ func TestNewJSONHandler(t *testing.T) {
 	t.Run("200 post data", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Price": 10}`))
-		h32.ServeHTTPReturn(w, r)
+		h32.ServeHTTP(w, r)
 		resp := checkStatus(w, "success", http.StatusOK)
 		t.Log(resp.Data)
 		if resp.Data.Price != 20 {
@@ -152,7 +152,7 @@ func TestNewJSONHandler(t *testing.T) {
 	t.Run("400 post data error", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{}`))
-		h32.ServeHTTPReturn(w, r)
+		h32.ServeHTTP(w, r)
 		resp := checkStatus(w, "error", http.StatusBadRequest)
 		if resp.Error != "price is empty" {
 			t.Fatalf("wrong error")
@@ -162,7 +162,7 @@ func TestNewJSONHandler(t *testing.T) {
 	t.Run("500 internal server error", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Name": "root"}`))
-		h32.ServeHTTPReturn(w, r)
+		h32.ServeHTTP(w, r)
 		resp := checkStatus(w, "error", http.StatusInternalServerError)
 		if resp.Error != "internal server error" {
 			t.Fatalf("wrong error")
@@ -174,7 +174,7 @@ func TestNewJSONHandler(t *testing.T) {
 		r := httptest.NewRequest("POST", "/", nil)
 		JSONHandlerFunc(func(r *http.Request) (int, interface{}, error) {
 			return http.StatusOK, make(chan int), nil
-		}).ServeHTTPReturn(w, r)
+		}).ServeHTTP(w, r)
 		resp := checkStatus(w, "error", http.StatusInternalServerError)
 		if resp.Error != "json marshal error" {
 			t.Fatalf("wrong error")
@@ -186,7 +186,7 @@ func TestNewJSONHandler(t *testing.T) {
 		r := httptest.NewRequest("POST", "/", nil)
 		JSONHandlerFunc(func(r *http.Request) (status int, data interface{}, err error) {
 			return
-		}).ServeHTTPReturn(w, r)
+		}).ServeHTTP(w, r)
 		checkStatus(w, "error", http.StatusInternalServerError)
 	})
 }

tsweb/tsweb.go

@@ -236,13 +236,8 @@ func (h retHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case hErrOK:
 		// Handler asked us to send an error. Do so, if we haven't
 		// already sent a response.
-		msg.Err = hErr.Msg
 		if hErr.Err != nil {
-			if msg.Err == "" {
-				msg.Err = hErr.Err.Error()
-			} else {
-				msg.Err = msg.Err + ": " + hErr.Err.Error()
-			}
+			msg.Err = hErr.Err.Error()
 		}
 		if lw.code != 0 {
 			h.logf("[unexpected] handler returned HTTPError %v, but already sent a response with code %d", hErr, lw.code)

tsweb/tsweb_test.go

@@ -122,7 +122,7 @@ func TestStdHandler(t *testing.T) {
 				Host:       "example.com",
 				Method:     "GET",
 				RequestURI: "/foo",
-				Err:        "not found: " + testErr.Error(),
+				Err:        testErr.Error(),
 				Code:       404,
 			},
 		},
@@ -139,7 +139,6 @@ func TestStdHandler(t *testing.T) {
 				Host:       "example.com",
 				Method:     "GET",
 				RequestURI: "/foo",
-				Err:        "not found",
 				Code:       404,
 			},
 		},
@@ -190,7 +189,7 @@ func TestStdHandler(t *testing.T) {
 				Host:       "example.com",
 				Method:     "GET",
 				RequestURI: "/foo",
-				Err:        "not found: " + testErr.Error(),
+				Err:        testErr.Error(),
 				Code:       200,
 			},
 		},

util/pidowner/pidowner.go

@@ -1,25 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package pidowner handles lookups from process ID to its owning user.
-package pidowner
-
-import (
-	"errors"
-	"runtime"
-)
-
-var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)
-
-var ErrProcessNotFound = errors.New("process not found")
-
-// OwnerOfPID returns the user ID that owns the given process ID.
-//
-// The returned user ID is suitable to passing to os/user.LookupId.
-//
-// The returned error will be ErrNotImplemented for operating systems where
-// this isn't supported.
-func OwnerOfPID(pid int) (userID string, err error) {
-	return ownerOfPID(pid)
-}

util/pidowner/pidowner_linux.go

@@ -1,37 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pidowner
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"tailscale.com/util/lineread"
-)
-
-func ownerOfPID(pid int) (userID string, err error) {
-	file := fmt.Sprintf("/proc/%d/status", pid)
-	err = lineread.File(file, func(line []byte) error {
-		if len(line) < 4 || string(line[:4]) != "Uid:" {
-			return nil
-		}
-		f := strings.Fields(string(line))
-		if len(f) >= 2 {
-			userID = f[1] // real userid
-		}
-		return nil
-	})
-	if os.IsNotExist(err) {
-		return "", ErrProcessNotFound
-	}
-	if err != nil {
-		return
-	}
-	if userID == "" {
-		return "", fmt.Errorf("missing Uid line in %s", file)
-	}
-	return userID, nil
-}

util/pidowner/pidowner_noimpl.go

@@ -1,9 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !windows,!linux
-
-package pidowner
-
-func ownerOfPID(pid int) (userID string, err error) { return "", ErrNotImplemented }

util/pidowner/pidowner_test.go

@@ -1,51 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pidowner
-
-import (
-	"math/rand"
-	"os"
-	"os/user"
-	"testing"
-)
-
-func TestOwnerOfPID(t *testing.T) {
-	id, err := OwnerOfPID(os.Getpid())
-	if err == ErrNotImplemented {
-		t.Skip(err)
-	}
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Logf("id=%q", id)
-
-	u, err := user.LookupId(id)
-	if err != nil {
-		t.Fatalf("LookupId: %v", err)
-	}
-	t.Logf("Got: %+v", u)
-}
-
-// validate that OS implementation returns ErrProcessNotFound.
-func TestNotFoundError(t *testing.T) {
-	// Try a bunch of times to stumble upon a pid that doesn't exist...
-	const tries = 50
-	for i := 0; i < tries; i++ {
-		_, err := OwnerOfPID(rand.Intn(1e9))
-		if err == ErrNotImplemented {
-			t.Skip(err)
-		}
-		if err == nil {
-			// We got unlucky and this pid existed. Try again.
-			continue
-		}
-		if err == ErrProcessNotFound {
-			// Pass.
-			return
-		}
-		t.Fatalf("Error is not ErrProcessNotFound: %T %v", err, err)
-	}
-	t.Errorf("after %d tries, couldn't find a process that didn't exist", tries)
-}

util/pidowner/pidowner_windows.go

@@ -1,36 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package pidowner
-
-import (
-	"fmt"
-	"syscall"
-
-	"golang.org/x/sys/windows"
-)
-
-func ownerOfPID(pid int) (userID string, err error) {
-	procHnd, err := windows.OpenProcess(windows.PROCESS_QUERY_INFORMATION, false, uint32(pid))
-	if err == syscall.Errno(0x57) { // invalid parameter, for PIDs that don't exist
-		return "", ErrProcessNotFound
-	}
-	if err != nil {
-		return "", fmt.Errorf("OpenProcess: %T %#v", err, err)
-	}
-	defer windows.CloseHandle(procHnd)
-
-	var tok windows.Token
-	if err := windows.OpenProcessToken(procHnd, windows.TOKEN_QUERY, &tok); err != nil {
-		return "", fmt.Errorf("OpenProcessToken: %w", err)
-	}
-
-	tokUser, err := tok.GetTokenUser()
-	if err != nil {
-		return "", fmt.Errorf("GetTokenUser: %w", err)
-	}
-
-	sid := tokUser.User.Sid
-	return sid.String(), nil
-}

version/distro/distro.go

@@ -1,40 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package distro reports which distro we're running on.
-package distro
-
-import (
-	"os"
-	"runtime"
-)
-
-type Distro string
-
-const (
-	Debian   = Distro("debian")
-	Arch     = Distro("arch")
-	Synology = Distro("synology")
-)
-
-// Get returns the current distro, or the empty string if unknown.
-func Get() Distro {
-	if runtime.GOOS == "linux" {
-		return linuxDistro()
-	}
-	return ""
-}
-
-func linuxDistro() Distro {
-	if fi, err := os.Stat("/usr/syno"); err == nil && fi.IsDir() {
-		return Synology
-	}
-	if _, err := os.Stat("/etc/debian_version"); err == nil {
-		return Debian
-	}
-	if _, err := os.Stat("/etc/arch-release"); err == nil {
-		return Arch
-	}
-	return ""
-}

wgengine/magicsock/discopingpurpose_string.go

@@ -1,29 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by "stringer -type=discoPingPurpose -trimprefix=ping"; DO NOT EDIT.
-
-package magicsock
-
-import "strconv"
-
-func _() {
-	// An "invalid array index" compiler error signifies that the constant values have changed.
-	// Re-run the stringer command to generate them again.
-	var x [1]struct{}
-	_ = x[pingDiscovery-0]
-	_ = x[pingHeartbeat-1]
-	_ = x[pingCLI-2]
-}
-
-const _discoPingPurpose_name = "DiscoveryHeartbeatCLI"
-
-var _discoPingPurpose_index = [...]uint8{0, 9, 18, 21}
-
-func (i discoPingPurpose) String() string {
-	if i < 0 || i >= discoPingPurpose(len(_discoPingPurpose_index)-1) {
-		return "discoPingPurpose(" + strconv.FormatInt(int64(i), 10) + ")"
-	}
-	return _discoPingPurpose_name[_discoPingPurpose_index[i]:_discoPingPurpose_index[i+1]]
-}

wgengine/magicsock/magicsock.go

@@ -648,8 +648,8 @@ func (c *Conn) Ping(ip netaddr.IP, cb func(*ipnstate.PingResult)) {
 	}
 
 	dk, ok := c.discoOfNode[peer.Key]
-	if !ok { // peer is using outdated Tailscale version (pre-0.100)
-		res.Err = "no discovery key for peer (pre Tailscale 0.100 version?). Try: ping 100.x.y.z"
+	if !ok {
+		res.Err = "no discovery key for peer (pre 0.100?)"
 		cb(res)
 		return
 	}
@@ -3465,7 +3465,6 @@ func (de *discoEndpoint) sendDiscoPing(ep netaddr.IPPort, txid stun.TxID, logLev
 // discoPingPurpose is the reason why a discovery ping message was sent.
 type discoPingPurpose int
 
-//go:generate stringer -type=discoPingPurpose -trimprefix=ping
 const (
 	// pingDiscovery means that purpose of a ping was to see if a
 	// path was valid.

wgengine/magicsock/magicsock_test.go

@@ -783,8 +783,7 @@ func testActiveDiscovery(t *testing.T, d *devices) {
 
 	start := time.Now()
 	logf := func(msg string, args ...interface{}) {
-		t.Helper()
-		msg = fmt.Sprintf("%s: %s", time.Since(start).Truncate(time.Microsecond), msg)
+		msg = fmt.Sprintf("%s: %s", time.Since(start), msg)
 		tlogf(msg, args...)
 	}
 
@@ -812,8 +811,7 @@ func testActiveDiscovery(t *testing.T, d *devices) {
 
 	mustDirect := func(m1, m2 *magicStack) {
 		lastLog := time.Now().Add(-time.Minute)
-		// See https://github.com/tailscale/tailscale/issues/654 for a discussion of this deadline.
-		for deadline := time.Now().Add(10 * time.Second); time.Now().Before(deadline); time.Sleep(10 * time.Millisecond) {
+		for deadline := time.Now().Add(5 * time.Second); time.Now().Before(deadline); time.Sleep(10 * time.Millisecond) {
 			pst := m1.Status().Peer[m2.Public()]
 			if pst.CurAddr != "" {
 				logf("direct link %s->%s found with addr %s", m1, m2, pst.CurAddr)

wgengine/router/dns/manager.go

@@ -10,18 +10,12 @@ import (
 	"tailscale.com/types/logger"
 )
 
-// We use file-ignore below instead of ignore because on some platforms,
-// the lint exception is necessary and on others it is not,
-// and plain ignore complains if the exception is unnecessary.
-
-//lint:file-ignore U1000 reconfigTimeout is used on some platforms but not others
-
 // reconfigTimeout is the time interval within which Manager.{Up,Down} should complete.
 //
 // This is particularly useful because certain conditions can cause indefinite hangs
 // (such as improper dbus auth followed by contextless dbus.Object.Call).
 // Such operations should be wrapped in a timeout context.
-const reconfigTimeout = time.Second
+const reconfigTimeout = time.Second //lint:ignore U1000 used on Linux at least, maybe others later
 
 type managerImpl interface {
 	// Up updates system DNS settings to match the given configuration.

wgengine/router/ifconfig_windows.go

@@ -7,49 +7,114 @@ package router
 
 import (
 	"bytes"
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"log"
 	"net"
-	"os"
 	"sort"
 	"time"
+	"unsafe"
 
 	ole "github.com/go-ole/go-ole"
 	winipcfg "github.com/tailscale/winipcfg-go"
+	"github.com/tailscale/wireguard-go/conn"
+	"github.com/tailscale/wireguard-go/device"
 	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/sys/windows"
-	"tailscale.com/net/interfaces"
 	"tailscale.com/wgengine/winnet"
 )
 
-// monitorDefaultRoutes subscribes to route change events and updates
-// the Tailscale tunnel interface's MTU to match that of the
-// underlying default route.
-//
-// This is an attempt at making the MTU mostly correct, but in
-// practice this entire piece of code ends up just using the 1280
-// value passed in at device construction time. This code might make
-// the MTU go lower due to very low-MTU IPv4 interfaces.
-//
-// TODO: this code is insufficient to control the MTU correctly. The
-// correct way to do it is per-peer PMTU discovery, and synthesizing
-// ICMP fragmentation-needed messages within tailscaled. This code may
-// address a few rare corner cases, but is unlikely to significantly
-// help with MTU issues compared to a static 1280B implementation.
-func monitorDefaultRoutes(tun *tun.NativeTun) (*winipcfg.RouteChangeCallback, error) {
+const (
+	sockoptIP_UNICAST_IF   = 31
+	sockoptIPV6_UNICAST_IF = 31
+)
+
+func htonl(val uint32) uint32 {
+	bytes := make([]byte, 4)
+	binary.BigEndian.PutUint32(bytes, val)
+	return *(*uint32)(unsafe.Pointer(&bytes[0]))
+}
+
+func bindSocketRoute(family winipcfg.AddressFamily, device *device.Device, ourLuid uint64, lastLuid *uint64) error {
+	routes, err := winipcfg.GetRoutes(family)
+	if err != nil {
+		return err
+	}
+	lowestMetric := ^uint32(0)
+	index := uint32(0) // Zero is "unspecified", which for IP_UNICAST_IF resets the value, which is what we want.
+	luid := uint64(0)  // Hopefully luid zero is unspecified, but hard to find docs saying so.
+	for _, route := range routes {
+		if route.DestinationPrefix.PrefixLength != 0 || route.InterfaceLuid == ourLuid {
+			continue
+		}
+		if route.Metric < lowestMetric {
+			lowestMetric = route.Metric
+			index = route.InterfaceIndex
+			luid = route.InterfaceLuid
+		}
+	}
+	if luid == *lastLuid {
+		return nil
+	}
+	*lastLuid = luid
+	if false {
+		bind, ok := device.Bind().(conn.BindSocketToInterface)
+		if !ok {
+			return fmt.Errorf("unexpected device.Bind type %T", device.Bind())
+		}
+		// TODO(apenwarr): doesn't work with magic socket yet.
+		if family == winipcfg.AF_INET {
+			return bind.BindSocketToInterface4(index, false)
+		} else if family == winipcfg.AF_INET6 {
+			return bind.BindSocketToInterface6(index, false)
+		}
+	} else {
+		log.Printf("WARNING: skipping windows socket binding.")
+	}
+	return nil
+}
+
+func monitorDefaultRoutes(device *device.Device, autoMTU bool, tun *tun.NativeTun) (*winipcfg.RouteChangeCallback, error) {
 	guid := tun.GUID()
 	ourLuid, err := winipcfg.InterfaceGuidToLuid(&guid)
+	lastLuid4 := uint64(0)
+	lastLuid6 := uint64(0)
 	lastMtu := uint32(0)
 	if err != nil {
 		return nil, err
 	}
 	doIt := func() error {
-		mtu, err := getDefaultRouteMTU()
+		err = bindSocketRoute(winipcfg.AF_INET, device, ourLuid, &lastLuid4)
 		if err != nil {
 			return err
 		}
-
+		err = bindSocketRoute(winipcfg.AF_INET6, device, ourLuid, &lastLuid6)
+		if err != nil {
+			return err
+		}
+		if !autoMTU {
+			return nil
+		}
+		mtu := uint32(0)
+		if lastLuid4 != 0 {
+			iface, err := winipcfg.InterfaceFromLUID(lastLuid4)
+			if err != nil {
+				return err
+			}
+			if iface.Mtu > 0 {
+				mtu = iface.Mtu
+			}
+		}
+		if lastLuid6 != 0 {
+			iface, err := winipcfg.InterfaceFromLUID(lastLuid6)
+			if err != nil {
+				return err
+			}
+			if iface.Mtu > 0 && iface.Mtu < mtu {
+				mtu = iface.Mtu
+			}
+		}
 		if mtu > 0 && (lastMtu == 0 || lastMtu != mtu) {
 			iface, err := winipcfg.GetIpInterface(ourLuid, winipcfg.AF_INET)
 			if err != nil {
@@ -70,21 +135,18 @@ func monitorDefaultRoutes(tun *tun.NativeTun) (*winipcfg.RouteChangeCallback, er
 			if err != nil {
 				return err
 			}
-			tun.ForceMTU(int(iface.NlMtu))
+			tun.ForceMTU(int(iface.NlMtu)) //TODO: it sort of breaks the model with v6 mtu and v4 mtu being different. Just set v4 one for now.
 			iface, err = winipcfg.GetIpInterface(ourLuid, winipcfg.AF_INET6)
 			if err != nil {
-				if !isMissingIPv6Err(err) {
-					return err
-				}
-			} else {
-				iface.NlMtu = mtu - 80
-				if iface.NlMtu < 1280 {
-					iface.NlMtu = 1280
-				}
-				err = iface.Set()
-				if err != nil {
-					return err
-				}
+				return err
+			}
+			iface.NlMtu = mtu - 80
+			if iface.NlMtu < 1280 {
+				iface.NlMtu = 1280
+			}
+			err = iface.Set()
+			if err != nil {
+				return err
 			}
 			lastMtu = mtu
 		}
@@ -106,67 +168,10 @@ func monitorDefaultRoutes(tun *tun.NativeTun) (*winipcfg.RouteChangeCallback, er
 	return cb, nil
 }
 
-func getDefaultRouteMTU() (uint32, error) {
-	mtus, err := interfaces.NonTailscaleMTUs()
+func setFirewall(ifcGUID *windows.GUID) (bool, error) {
+	c := ole.Connection{}
+	err := c.Initialize()
 	if err != nil {
-		return 0, err
-	}
-
-	routes, err := winipcfg.GetRoutes(winipcfg.AF_INET)
-	if err != nil {
-		return 0, err
-	}
-	best := ^uint32(0)
-	mtu := uint32(0)
-	for _, route := range routes {
-		if route.DestinationPrefix.PrefixLength != 0 {
-			continue
-		}
-		routeMTU := mtus[route.InterfaceLuid]
-		if routeMTU == 0 {
-			continue
-		}
-		if route.Metric < best {
-			best = route.Metric
-			mtu = routeMTU
-		}
-	}
-
-	routes, err = winipcfg.GetRoutes(winipcfg.AF_INET6)
-	if err != nil {
-		return 0, err
-	}
-	best = ^uint32(0)
-	for _, route := range routes {
-		if route.DestinationPrefix.PrefixLength != 0 {
-			continue
-		}
-		routeMTU := mtus[route.InterfaceLuid]
-		if routeMTU == 0 {
-			continue
-		}
-		if route.Metric < best {
-			best = route.Metric
-			if routeMTU < mtu {
-				mtu = routeMTU
-			}
-		}
-	}
-
-	return mtu, nil
-}
-
-// setPrivateNetwork marks the provided network adapter's category to private.
-// It returns (false, nil) if the adapter was not found.
-func setPrivateNetwork(ifcGUID *windows.GUID) (bool, error) {
-	// NLM_NETWORK_CATEGORY values.
-	const (
-		categoryPublic  = 0
-		categoryPrivate = 1
-		categoryDomain  = 2
-	)
-	var c ole.Connection
-	if err := c.Initialize(); err != nil {
 		return false, fmt.Errorf("c.Initialize: %v", err)
 	}
 	defer c.Uninitialize()
@@ -189,8 +194,10 @@ func setPrivateNetwork(ifcGUID *windows.GUID) (bool, error) {
 			return false, fmt.Errorf("nco.GetAdapterId: %v", err)
 		}
 		if aid != ifcGUID.String() {
+			log.Printf("skipping adapter id: %v", aid)
 			continue
 		}
+		log.Printf("found! adapter id: %v", aid)
 
 		n, err := nco.GetNetwork()
 		if err != nil {
@@ -203,11 +210,15 @@ func setPrivateNetwork(ifcGUID *windows.GUID) (bool, error) {
 			return false, fmt.Errorf("GetCategory: %v", err)
 		}
 
-		if cat != categoryPrivate {
-			if err := n.SetCategory(categoryPrivate); err != nil {
+		if cat == 0 {
+			err = n.SetCategory(1)
+			if err != nil {
 				return false, fmt.Errorf("SetCategory: %v", err)
 			}
+		} else {
+			log.Printf("setFirewall: already category %v", cat)
 		}
+
 		return true, nil
 	}
 
@@ -217,6 +228,7 @@ func setPrivateNetwork(ifcGUID *windows.GUID) (bool, error) {
 func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 	const mtu = 0
 	guid := tun.GUID()
+	log.Printf("wintun GUID is %v", guid)
 	iface, err := winipcfg.InterfaceFromGUID(&guid)
 	if err != nil {
 		return err
@@ -226,20 +238,17 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 		// It takes a weirdly long time for Windows to notice the
 		// new interface has come up. Poll periodically until it
 		// does.
-		const tries = 20
-		for i := 0; i < tries; i++ {
-			found, err := setPrivateNetwork(&guid)
+		for i := 0; i < 20; i++ {
+			found, err := setFirewall(&guid)
 			if err != nil {
-				log.Printf("setPrivateNetwork(try=%d): %v", i, err)
-			} else {
-				if found {
-					return
-				}
-				log.Printf("setPrivateNetwork(try=%d): not found", i)
+				log.Printf("setFirewall: %v", err)
+				// fall through anyway, this isn't fatal.
+			}
+			if found {
+				break
 			}
 			time.Sleep(1 * time.Second)
 		}
-		log.Printf("setPrivateNetwork: adapter %v not found after %d tries, giving up", guid, tries)
 	}()
 
 	routes := []winipcfg.RouteData{}
@@ -319,6 +328,7 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 		}
 		deduplicatedRoutes = append(deduplicatedRoutes, &routes[i])
 	}
+	log.Printf("routes: %v", routes)
 
 	var errAcc error
 	err = iface.SyncRoutes(deduplicatedRoutes)
@@ -332,6 +342,7 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 		log.Printf("getipif: %v", err)
 		return err
 	}
+	log.Printf("foundDefault4: %v", foundDefault4)
 	if foundDefault4 {
 		ipif.UseAutomaticMetric = false
 		ipif.Metric = 0
@@ -347,44 +358,28 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 
 	ipif, err = iface.GetIpInterface(winipcfg.AF_INET6)
 	if err != nil {
-		if !isMissingIPv6Err(err) {
-			return err
-		}
-	} else {
-		if foundDefault6 {
-			ipif.UseAutomaticMetric = false
-			ipif.Metric = 0
-		}
-		if mtu > 0 {
-			ipif.NlMtu = uint32(mtu)
-		}
-		ipif.DadTransmits = 0
-		ipif.RouterDiscoveryBehavior = winipcfg.RouterDiscoveryDisabled
-		err = ipif.Set()
-		if err != nil && errAcc == nil {
-			errAcc = err
-		}
+		return err
+	}
+	if err != nil && errAcc == nil {
+		errAcc = err
+	}
+	if foundDefault6 {
+		ipif.UseAutomaticMetric = false
+		ipif.Metric = 0
+	}
+	if mtu > 0 {
+		ipif.NlMtu = uint32(mtu)
+	}
+	ipif.DadTransmits = 0
+	ipif.RouterDiscoveryBehavior = winipcfg.RouterDiscoveryDisabled
+	err = ipif.Set()
+	if err != nil && errAcc == nil {
+		errAcc = err
 	}
 
 	return errAcc
 }
 
-// isMissingIPv6Err reports whether err is due to IPv6 not being enabled on the machine.
-//
-// It only currently supports the errors returned by winipcfg.Interface.GetIpInterface.
-func isMissingIPv6Err(err error) bool {
-	if se, ok := err.(*os.SyscallError); ok {
-		switch se.Syscall {
-		case "iphlpapi.GetIpInterfaceEntry":
-			// ERROR_NOT_FOUND from means the address family (IPv6) is not found.
-			// (ERROR_FILE_NOT_FOUND means that the interface doesn't exist.)
-			// https://docs.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-getipinterfaceentry
-			return se.Err == windows.ERROR_NOT_FOUND
-		}
-	}
-	return false
-}
-
 // routeLess reports whether ri should sort before rj.
 // The actual sort order doesn't appear to matter. The caller just
 // wants them sorted to be able to de-dup.

wgengine/router/router_linux.go

@@ -15,7 +15,6 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/router/dns"
 )
 
@@ -173,18 +172,18 @@ func (r *linuxRouter) Set(cfg *Config) error {
 		return err
 	}
 
-	newRoutes, err := cidrDiff("route", r.routes, cfg.Routes, r.addRoute, r.delRoute, r.logf)
-	if err != nil {
-		return err
-	}
-	r.routes = newRoutes
-
 	newAddrs, err := cidrDiff("addr", r.addrs, cfg.LocalAddrs, r.addAddress, r.delAddress, r.logf)
 	if err != nil {
 		return err
 	}
 	r.addrs = newAddrs
 
+	newRoutes, err := cidrDiff("route", r.routes, cfg.Routes, r.addRoute, r.delRoute, r.logf)
+	if err != nil {
+		return err
+	}
+	r.routes = newRoutes
+
 	switch {
 	case cfg.SNATSubnetRoutes == r.snatSubnetRoutes:
 		// state already correct, nothing to do.
@@ -211,9 +210,6 @@ func (r *linuxRouter) Set(cfg *Config) error {
 // reflect the new mode, and r.snatSubnetRoutes is updated to reflect
 // the current state of subnet SNATing.
 func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
-	if distro.Get() == distro.Synology {
-		mode = NetfilterOff
-	}
 	if r.netfilterMode == mode {
 		return nil
 	}

wgengine/router/router_windows.go

@@ -7,9 +7,6 @@ package router
 import (
 	"fmt"
 	"log"
-	"os/exec"
-	"sync"
-	"syscall"
 
 	winipcfg "github.com/tailscale/winipcfg-go"
 	"github.com/tailscale/wireguard-go/device"
@@ -25,9 +22,6 @@ type winRouter struct {
 	wgdev               *device.Device
 	routeChangeCallback *winipcfg.RouteChangeCallback
 	dns                 *dns.Manager
-
-	mu             sync.Mutex
-	firewallRuleIP string // the IP rule exists for, or "" if rule doesn't exist
 }
 
 func newUserspaceRouter(logf logger.Logf, wgdev *device.Device, tundev tun.Device) (Router, error) {
@@ -53,70 +47,21 @@ func newUserspaceRouter(logf logger.Logf, wgdev *device.Device, tundev tun.Devic
 }
 
 func (r *winRouter) Up() error {
-	r.removeFirewallAcceptRule()
-
+	// MonitorDefaultRoutes handles making sure our wireguard UDP
+	// traffic goes through the old route, not recursively through the VPN.
 	var err error
-	r.routeChangeCallback, err = monitorDefaultRoutes(r.nativeTun)
+	r.routeChangeCallback, err = monitorDefaultRoutes(r.wgdev, true, r.nativeTun)
 	if err != nil {
 		log.Fatalf("MonitorDefaultRoutes: %v", err)
 	}
 	return nil
 }
 
-// removeFirewallAcceptRule removes the "Tailscale-In" firewall rule.
-//
-// If it doesn't already exist, this currently returns an error but TODO: it should not.
-//
-// So callers should ignore its error for now.
-func (r *winRouter) removeFirewallAcceptRule() error {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	r.firewallRuleIP = ""
-
-	cmd := exec.Command("netsh", "advfirewall", "firewall", "delete", "rule", "name=Tailscale-In", "dir=in")
-	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
-	return cmd.Run()
-}
-
-// addFirewallAcceptRule adds a firewall rule to allow all incoming
-// traffic to the given IP (the Tailscale adapter's IP) for network
-// adapters in category private. (as previously set by
-// setPrivateNetwork)
-//
-// It returns (false, nil) if the firewall rule was already previously  existed with this IP.
-func (r *winRouter) addFirewallAcceptRule(ipStr string) (added bool, err error) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if ipStr == r.firewallRuleIP {
-		return false, nil
-	}
-	cmd := exec.Command("netsh", "advfirewall", "firewall", "add", "rule", "name=Tailscale-In", "dir=in", "action=allow", "localip="+ipStr, "profile=private", "enable=yes")
-	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
-	err = cmd.Run()
-	if err != nil {
-		return false, err
-	}
-	r.firewallRuleIP = ipStr
-	return true, nil
-}
-
 func (r *winRouter) Set(cfg *Config) error {
 	if cfg == nil {
 		cfg = &shutdownConfig
 	}
 
-	if len(cfg.LocalAddrs) == 1 && cfg.LocalAddrs[0].Bits == 32 {
-		ipStr := cfg.LocalAddrs[0].IP.String()
-		if ok, err := r.addFirewallAcceptRule(ipStr); err != nil {
-			r.logf("addFirewallRule(%q): %v", ipStr, err)
-		} else if ok {
-			r.logf("added firewall rule Tailscale-In for %v", ipStr)
-		}
-	} else {
-		r.removeFirewallAcceptRule()
-	}
-
 	err := configureInterface(cfg, r.nativeTun)
 	if err != nil {
 		r.logf("ConfigureInterface: %v", err)
@@ -131,15 +76,12 @@ func (r *winRouter) Set(cfg *Config) error {
 }
 
 func (r *winRouter) Close() error {
-	r.removeFirewallAcceptRule()
-
 	if err := r.dns.Down(); err != nil {
 		return fmt.Errorf("dns down: %w", err)
 	}
 	if r.routeChangeCallback != nil {
 		r.routeChangeCallback.Unregister()
 	}
-
 	return nil
 }
 

wgengine/userspace.go

@@ -37,7 +37,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/magicsock"
 	"tailscale.com/wgengine/monitor"
@@ -1245,8 +1244,9 @@ func diagnoseLinuxTUNFailure(logf logger.Logf) {
 	}
 	logf("is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: %s", modprobeOut)
 
-	switch distro.Get() {
-	case distro.Debian:
+	distro := linuxDistro()
+	switch distro {
+	case "debian":
 		dpkgOut, err := exec.Command("dpkg", "-S", "kernel/drivers/net/tun.ko").CombinedOutput()
 		if len(bytes.TrimSpace(dpkgOut)) == 0 || err != nil {
 			logf("tun module not loaded nor found on disk")
@@ -1255,7 +1255,7 @@ func diagnoseLinuxTUNFailure(logf logger.Logf) {
 		if !bytes.Contains(dpkgOut, kernel) {
 			logf("kernel/drivers/net/tun.ko found on disk, but not for current kernel; are you in middle of a system update and haven't rebooted? found: %s", dpkgOut)
 		}
-	case distro.Arch:
+	case "arch":
 		findOut, err := exec.Command("find", "/lib/modules/", "-path", "*/net/tun.ko*").CombinedOutput()
 		if len(bytes.TrimSpace(findOut)) == 0 || err != nil {
 			logf("tun module not loaded nor found on disk")
@@ -1266,3 +1266,13 @@ func diagnoseLinuxTUNFailure(logf logger.Logf) {
 		}
 	}
 }
+
+func linuxDistro() string {
+	if _, err := os.Stat("/etc/debian_version"); err == nil {
+		return "debian"
+	}
+	if _, err := os.Stat("/etc/arch-release"); err == nil {
+		return "arch"
+	}
+	return ""
+}