net/dns: add MagicDNS DNS-over-TLS support

For Android Private DNS in "Automatic" (opportunistic) mdoe.

Tested with:

    $ sudo apt-get install knot-dnsutils
    $ kdig @100.100.100.100 +tls google.com

Updates #915

Change-Id: I2d59e2d6698f93384b8b3b833b2a3375145ef5ce
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

VERSION.txt

@@ -1 +1 @@
-1.23.0
+1.25.0

api.md

@@ -22,9 +22,9 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 * **[Tailnets](#tailnet)**
   - ACLs
     - [GET tailnet ACL](#tailnet-acl-get)
-    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
-    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
-	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
+    - [POST tailnet ACL](#tailnet-acl-post)
+    - [POST tailnet ACL preview](#tailnet-acl-preview-post)
+	- [POST tailnet ACL validate](#tailnet-acl-validate-post)
   - [Devices](#tailnet-devices)
     - [GET tailnet devices](#tailnet-devices-get)
   - [Keys](#tailnet-keys)
@@ -42,12 +42,12 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 
 ## Device
 <!-- TODO: description about what devices are -->
-Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id". 
+Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id".
 You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.
 
-To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network. 
+To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network.
 Find the device you're looking for and get the "id" field.
-This is your deviceID. 
+This is your deviceID.
 
 <a name=device-get></a>
 
@@ -60,7 +60,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne
 ##### Parameters
 ##### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are: 
+Currently, supported options are:
 * `all`: returns all fields in the response.
 * `default`: return all fields except:
   * `enabledRoutes`
@@ -72,7 +72,7 @@ If more than one option is indicated, then the union is used.
 For example, for `fields=default,all`, all fields are returned.
 If the `fields` parameter is not provided, then the default option is used.
 
-##### Example 
+##### Example
 ```
 GET /api/v2/device/12345
 curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
@@ -102,10 +102,10 @@ Response
   "nodeKey":"nodekey:user1-node-key",
   "blocksIncomingConnections":false,
   "enabledRoutes":[
-    
+
   ],
   "advertisedRoutes":[
-    
+
   ],
   "clientConnectivity": {
     "endpoints":[
@@ -141,7 +141,7 @@ Response
 <a name=device-delete></a>
 
 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
-Deletes the provided device from its tailnet. 
+Deletes the provided device from its tailnet.
 The device must belong to the user's tailnet.
 Deleting shared/external devices is not supported.
 Supply the device of interest in the path using its ID.
@@ -159,7 +159,7 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
 
 Response
 
-If successful, the response should be empty: 
+If successful, the response should be empty:
 ```
 < HTTP/1.1 200 OK
 ...
@@ -167,7 +167,7 @@ If successful, the response should be empty:
 * Closing connection 0
 ```
 
-If the device is not owned by your tailnet: 
+If the device is not owned by your tailnet:
 ```
 < HTTP/1.1 501 Not Implemented
 ...
@@ -317,14 +317,9 @@ Allows for updating properties on the device key.
 - Provide `false` to enable the device's key expiry. Sets the key to expire at the original expiry time prior to disabling. The key may already have expired. In that case, the device must be re-authenticated.
 - Empty value will not change the key expiry.
 
-`preauthorized`
-
-- If `true`, don't require machine authorization (if enabled on the tailnet)
-
 ```
 {
-  "keyExpiryDisabled": true,
-  "preauthorized": true
+  "keyExpiryDisabled": true
 }
 ```
 
@@ -339,8 +334,8 @@ curl 'https://api.tailscale.com/api/v2/device/11055/key' \
 The response is 2xx on success. The response body is currently an empty JSON
 object.
 
-## Tailnet 
-A tailnet is the name of your Tailscale network. 
+## Tailnet
+A tailnet is the name of your Tailscale network.
 You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
 
 
@@ -620,7 +615,12 @@ Response:
 
 #### `POST /api/v2/tailnet/:tailnet/acl/validate` - run validation tests against the tailnet's active ACL
 
-Runs the provided ACL tests against the tailnet's existing ACL. This endpoint does not modify the ACL in any way.
+This endpoint works in one of two modes:
+
+1. with a request body that's a JSON array, the body is interpreted as ACL tests to run against the domain's current ACLs.
+2. with a request body that's a JSON object, the body is interpreted as a hypothetical new JSON (HuJSON) body with new ACLs, including any tests.
+
+In either case, this endpoint does not modify the ACL in any way.
 
 ##### Parameters
 
@@ -630,7 +630,7 @@ The POST body should be a JSON formatted array of ACL Tests.
 
 See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.
 
-##### Example
+##### Example with tests
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -641,11 +641,28 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
   ]'
 ```
 
-Response:
-If all the tests pass, the response will be empty, with an http status code of 200.
+##### Example with an ACL body
+```
+POST /api/v2/tailnet/example.com/acl/validate
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '
+  {
+    "ACLs": [
+     { "Action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
+    ],
+    "Tests", [
+      {"src": "100.105.106.107", "allow": ["1.2.3.4:80"]}
+    ],
+  }'
+```
+
+Response:
+
+The HTTP status code will be 200 if the request was well formed and there were no server errors, even in the case of failing tests or an invalid ACL. Look at the response body to determine whether there was a problem within your ACL or tests.
+
+If there's a problem, the response body will be a JSON object with a non-empty `message` property and optionally additional details in `data`:
 
-Failed test error response:
-A 400 http status code and the errors in the response body.  
 ```
 {
   "message":"test(s) failed",
@@ -658,6 +675,8 @@ A 400 http status code and the errors in the response body.
 }
 ```
 
+An empty body or a JSON object with no `message` is returned on success.
+
 <a name=tailnet-devices></a>
 
 ### Devices
@@ -665,7 +684,7 @@ A 400 http status code and the errors in the response body.
 <a name=tailnet-devices-get></a>
 
 #### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
-Lists the devices in a tailnet. 
+Lists the devices in a tailnet.
 Supply the tailnet of interest in the path.
 Use the `fields` query parameter to explicitly indicate which fields are returned.
 
@@ -674,7 +693,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne
 
 ###### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are: 
+Currently, supported options are:
 * `all`: Returns all fields in the response.
 * `default`: return all fields except:
   * `enabledRoutes`
@@ -694,7 +713,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
   -u "tskey-yourapikey123:"
 ```
 
-Response 
+Response
 ```
 {
   "devices":[
@@ -870,10 +889,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
 Response:
 ```
 {
-	"id":           "k123456CNTRL",
-	"created":      "2021-12-09T22:13:53Z",
-	"expires":      "2022-03-09T22:13:53Z",
-	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
+  "id": "k123456CNTRL",
+  "created": "2022-05-05T18:55:44Z",
+  "expires": "2022-08-03T18:55:44Z",
+  "capabilities": {
+    "devices": {
+      "create": {
+        "reusable": false,
+        "ephemeral": true,
+        "preauthorized": false,
+        "tags": [
+          "tag:bar",
+          "tag:foo"
+        ]
+      }
+    }
+  }
 }
 ```
 
@@ -904,13 +935,13 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k12345
 <a name=tailnet-dns-nameservers-get></a>
 
 #### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
-Lists the DNS nameservers for a tailnet. 
+Lists the DNS nameservers for a tailnet.
 Supply the tailnet of interest in the path.
 
 ##### Parameters
 No parameters.
 
-##### Example 
+##### Example
 
 ```
 GET /api/v2/tailnet/example.com/dns/nameservers
@@ -918,7 +949,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
   -u "tskey-yourapikey123:"
 ```
 
-Response 
+Response
 ```
 {
   "dns": ["8.8.8.8"],
@@ -928,7 +959,7 @@ Response
 <a name=tailnet-dns-nameservers-post></a>
 
 #### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
-Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user. 
+Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user.
 Supply the tailnet of interest in the path.
 Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).
 
@@ -942,7 +973,7 @@ Note that changing the list of DNS nameservers may also affect the status of Mag
 ```
 
 ##### Returns
-Returns the new list of nameservers and the status of MagicDNS. 
+Returns the new list of nameservers and the status of MagicDNS.
 
 If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).
 
@@ -986,31 +1017,31 @@ Retrieves the DNS preferences that are currently set for the given tailnet.
 Supply the tailnet of interest in the path.
 
 ##### Parameters
-No parameters. 
+No parameters.
 
 ##### Example
 ```
 GET /api/v2/tailnet/example.com/dns/preferences
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
-  -u "tskey-yourapikey123:" 
+  -u "tskey-yourapikey123:"
 ```
 
 Response:
 ```
 {
-  "magicDNS":false, 
+  "magicDNS":false,
 }
 ```
 
 <a name=tailnet-dns-preferences-post></a>
 
-#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet 
+#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet
 Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
-Note that MagicDNS is dependent on DNS servers. 
+Note that MagicDNS is dependent on DNS servers.
 
-If there is at least one DNS server, then MagicDNS can be enabled. 
+If there is at least one DNS server, then MagicDNS can be enabled.
 Otherwise, it returns an error.
-Note that removing all nameservers will turn off MagicDNS. 
+Note that removing all nameservers will turn off MagicDNS.
 To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.
 
 ##### Parameters
@@ -1041,7 +1072,7 @@ If there are no DNS servers, it returns an error message:
 }
 ```
 
-If there are DNS servers: 
+If there are DNS servers:
 ```
 {
   "magicDNS":true,
@@ -1050,8 +1081,8 @@ If there are DNS servers:
 
 <a name=tailnet-dns-searchpaths-get></a>
 
-#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet 
-Retrieves the list of search paths that is currently set for the given tailnet. 
+#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet
+Retrieves the list of search paths that is currently set for the given tailnet.
 Supply the tailnet of interest in the path.
 
 
@@ -1062,7 +1093,7 @@ No parameters.
 ```
 GET /api/v2/tailnet/example.com/dns/searchpaths
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
-  -u "tskey-yourapikey123:" 
+  -u "tskey-yourapikey123:"
 ```
 
 Response:
@@ -1074,7 +1105,7 @@ Response:
 
 <a name=tailnet-dns-searchpaths-post></a>
 
-#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet 
+#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet
 Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.
 
 ##### Parameters

client/tailscale/acl.go

@@ -0,0 +1,469 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"inet.af/netaddr"
+)
+
+// ACLRow defines a rule that grants access by a set of users or groups to a set of servers and ports.
+type ACLRow struct {
+	Action string   `json:"action,omitempty"` // valid values: "accept"
+	Users  []string `json:"users,omitempty"`
+	Ports  []string `json:"ports,omitempty"`
+}
+
+// ACLTest defines a test for your ACLs to prevent accidental exposure or revoking of access to key servers and ports.
+type ACLTest struct {
+	User  string   `json:"user,omitempty"`  // source
+	Allow []string `json:"allow,omitempty"` // expected destination ip:port that user can access
+	Deny  []string `json:"deny,omitempty"`  // expected destination ip:port that user cannot access
+}
+
+// ACLDetails contains all the details for an ACL.
+type ACLDetails struct {
+	Tests     []ACLTest           `json:"tests,omitempty"`
+	ACLs      []ACLRow            `json:"acls,omitempty"`
+	Groups    map[string][]string `json:"groups,omitempty"`
+	TagOwners map[string][]string `json:"tagowners,omitempty"`
+	Hosts     map[string]string   `json:"hosts,omitempty"`
+}
+
+// ACL contains an ACLDetails and metadata.
+type ACL struct {
+	ACL  ACLDetails
+	ETag string // to check with version on server
+}
+
+// ACLHuJSON contains the HuJSON string of the ACL and metadata.
+type ACLHuJSON struct {
+	ACL      string
+	Warnings []string
+	ETag     string // to check with version on server
+}
+
+// ACL makes a call to the Tailscale server to get a JSON-parsed version of the ACL.
+// The JSON-parsed version of the ACL contains no comments as proper JSON does not support
+// comments.
+func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.ACL: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", "application/json")
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	// Otherwise, try to decode the response.
+	var aclDetails ACLDetails
+	if err = json.Unmarshal(b, &aclDetails); err != nil {
+		return nil, err
+	}
+	acl = &ACL{
+		ACL:  aclDetails,
+		ETag: resp.Header.Get("ETag"),
+	}
+	return acl, nil
+}
+
+// ACLHuJSON makes a call to the Tailscale server to get the ACL HuJSON and returns
+// it as a string.
+// HuJSON is JSON with a few modifications to make it more human-friendly. The primary
+// changes are allowing comments and trailing comments. See the following links for more info:
+// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
+// https://github.com/tailscale/hujson
+func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.ACLHuJSON: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", "application/hujson")
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	data := struct {
+		ACL      []byte   `json:"acl"`
+		Warnings []string `json:"warnings"`
+	}{}
+	if err := json.Unmarshal(b, &data); err != nil {
+		return nil, err
+	}
+
+	acl = &ACLHuJSON{
+		ACL:      string(data.ACL),
+		Warnings: data.Warnings,
+		ETag:     resp.Header.Get("ETag"),
+	}
+	return acl, nil
+}
+
+// ACLTestFailureSummary specifies a user for which ACL tests
+// failed and the related user-friendly error messages.
+//
+// ACLTestFailureSummary specifies the JSON format sent to the
+// JavaScript client to be rendered in the HTML.
+type ACLTestFailureSummary struct {
+	User   string   `json:"user"`
+	Errors []string `json:"errors"`
+}
+
+// ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
+type ACLTestError struct {
+	ErrResponse
+	Data []ACLTestFailureSummary `json:"data"`
+}
+
+func (e ACLTestError) Error() string {
+	return fmt.Sprintf("%s, Data: %+v", e.ErrResponse.Error(), e.Data)
+}
+
+func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, "", err
+	}
+
+	if avoidCollisions {
+		req.Header.Set("If-Match", etag)
+	}
+	req.Header.Set("Accept", acceptHeader)
+	req.Header.Set("Content-Type", "application/hujson")
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, "", err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		// check if test error
+		var ate ACLTestError
+		if err := json.Unmarshal(b, &ate); err != nil {
+			return nil, "", err
+		}
+		ate.Status = resp.StatusCode
+		return nil, "", ate
+	}
+	return b, resp.Header.Get("ETag"), nil
+}
+
+// SetACL sends a POST request to update the ACL according to the provided ACL object. If
+// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
+// header to check if the previously obtained ACL was the latest version and that no updates
+// were missed.
+//
+// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
+// Returns error if ACL has tests that fail.
+// Returns error if there are other errors with the ACL.
+func (c *Client) SetACL(ctx context.Context, acl ACL, avoidCollisions bool) (res *ACL, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetACL: %w", err)
+		}
+	}()
+	postData, err := json.Marshal(acl.ACL)
+	if err != nil {
+		return nil, err
+	}
+	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/json")
+	if err != nil {
+		return nil, err
+	}
+
+	// Otherwise, try to decode the response.
+	var aclDetails ACLDetails
+	if err = json.Unmarshal(b, &aclDetails); err != nil {
+		return nil, err
+	}
+	res = &ACL{
+		ACL:  aclDetails,
+		ETag: etag,
+	}
+	return res, nil
+}
+
+// SetACLHuJSON sends a POST request to update the ACL according to the provided ACL object. If
+// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
+// header to check if the previously obtained ACL was the latest version and that no updates
+// were missed.
+//
+// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
+// Returns error if the HuJSON is invalid.
+// Returns error if ACL has tests that fail.
+// Returns error if there are other errors with the ACL.
+func (c *Client) SetACLHuJSON(ctx context.Context, acl ACLHuJSON, avoidCollisions bool) (res *ACLHuJSON, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetACLHuJSON: %w", err)
+		}
+	}()
+
+	postData := []byte(acl.ACL)
+	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/hujson")
+	if err != nil {
+		return nil, err
+	}
+
+	res = &ACLHuJSON{
+		ACL:  string(b),
+		ETag: etag,
+	}
+	return res, nil
+}
+
+// UserRuleMatch specifies the source users/groups/hosts that a rule targets
+// and the destination ports that they can access.
+// LineNumber is only useful for requests provided in HuJSON form.
+// While JSON requests will have LineNumber, the value is not useful.
+type UserRuleMatch struct {
+	Users      []string `json:"users"`
+	Ports      []string `json:"ports"`
+	LineNumber int      `json:"lineNumber"`
+}
+
+// ACLPreviewResponse is the response type of previewACLPostRequest
+type ACLPreviewResponse struct {
+	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
+	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
+	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
+}
+
+// ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
+type ACLPreview struct {
+	Matches []UserRuleMatch `json:"matches"`
+	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
+	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
+}
+
+func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, err
+	}
+
+	q := req.URL.Query()
+	q.Add("type", previewType)
+	q.Add("previewFor", previewFor)
+	req.URL.RawQuery = q.Encode()
+
+	req.Header.Set("Content-Type", "application/hujson")
+	c.setAuth(req)
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+	if err = json.Unmarshal(b, &res); err != nil {
+		return nil, err
+	}
+
+	return res, nil
+}
+
+// PreviewACLForUser determines what rules match a given ACL for a user.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLForUser: %w", err)
+		}
+	}()
+	postData, err := json.Marshal(acl.ACL)
+	if err != nil {
+		return nil, err
+	}
+	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		User:    b.PreviewFor,
+	}, nil
+}
+
+// PreviewACLForIPPort determines what rules match a given ACL for a ipport.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netaddr.IPPort) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLForIPPort: %w", err)
+		}
+	}()
+	postData, err := json.Marshal(acl.ACL)
+	if err != nil {
+		return nil, err
+	}
+	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport.String())
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
+	}, nil
+}
+
+// PreviewACLHuJSONForUser determines what rules match a given ACL for a user.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, user string) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLHuJSONForUser: %w", err)
+		}
+	}()
+	postData := []byte(acl.ACL)
+	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		User:    b.PreviewFor,
+	}, nil
+}
+
+// PreviewACLHuJSONForIPPort determines what rules match a given ACL for a ipport.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, ipport string) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLHuJSONForIPPort: %w", err)
+		}
+	}()
+	postData := []byte(acl.ACL)
+	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
+	}, nil
+}
+
+// ValidateACLJSON takes in the given source and destination (in this situation,
+// it is assumed that you are checking whether the source can connect to destination)
+// and creates an ACLTest from that. It then sends the ACLTest to the control api acl
+// validate endpoint, where the test is run. It returns a nil ACLTestError pointer if
+// no test errors occur.
+func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (testErr *ACLTestError, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.ValidateACLJSON: %w", err)
+		}
+	}()
+
+	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
+	postData, err := json.Marshal(tests)
+	if err != nil {
+		return nil, err
+	}
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	c.setAuth(req)
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
+	}
+
+	// The test ran without fail
+	if len(b) == 0 {
+		return nil, nil
+	}
+
+	var res ACLTestError
+	// The test returned errors.
+	if err = json.Unmarshal(b, &res); err != nil {
+		// failed to unmarshal
+		return nil, err
+	}
+	return &res, nil
+}

client/tailscale/apitype/apitype.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package apitype contains types for the Tailscale local API.
+// Package apitype contains types for the Tailscale local API and control plane API.
 package apitype
 
 import "tailscale.com/tailcfg"

client/tailscale/apitype/controltype.go

@@ -0,0 +1,20 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package apitype
+
+type DNSConfig struct {
+	Resolvers         []DNSResolver            `json:"resolvers"`
+	FallbackResolvers []DNSResolver            `json:"fallbackResolvers"`
+	Routes            map[string][]DNSResolver `json:"routes"`
+	Domains           []string                 `json:"domains"`
+	Nameservers       []string                 `json:"nameservers"`
+	Proxied           bool                     `json:"proxied"`
+	PerDomain         bool                     `json:",omitempty"`
+}
+
+type DNSResolver struct {
+	Addr                string   `json:"addr"`
+	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
+}

client/tailscale/devices.go

@@ -0,0 +1,262 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"tailscale.com/types/opt"
+)
+
+type GetDevicesResponse struct {
+	Devices []*Device `json:"devices"`
+}
+
+type DerpRegion struct {
+	Preferred           bool    `json:"preferred,omitempty"`
+	LatencyMilliseconds float64 `json:"latencyMs"`
+}
+
+type ClientConnectivity struct {
+	Endpoints             []string `json:"endpoints"`
+	DERP                  string   `json:"derp"`
+	MappingVariesByDestIP opt.Bool `json:"mappingVariesByDestIP"`
+	// DERPLatency is mapped by region name (e.g. "New York City", "Seattle").
+	DERPLatency    map[string]DerpRegion `json:"latency"`
+	ClientSupports map[string]opt.Bool   `json:"clientSupports"`
+}
+
+type Device struct {
+	// Addresses is a list of the devices's Tailscale IP addresses.
+	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
+	Addresses []string `json:"addresses"`
+	DeviceID  string   `json:"id"`
+	User      string   `json:"user"`
+	Name      string   `json:"name"`
+	Hostname  string   `json:"hostname"`
+
+	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
+	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
+	OS                string `json:"os"`
+	Created           string `json:"created"` // Empty for external devices.
+	LastSeen          string `json:"lastSeen"`
+	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
+	Expires           string `json:"expires"`
+	Authorized        bool   `json:"authorized"`
+	IsExternal        bool   `json:"isExternal"`
+	MachineKey        string `json:"machineKey"` // Empty for external devices.
+	NodeKey           string `json:"nodeKey"`
+
+	// BlocksIncomingConnections is configured via the device's
+	// Tailscale client preferences. This field is only reported
+	// to the API starting with Tailscale 1.3.x clients.
+	BlocksIncomingConnections bool `json:"blocksIncomingConnections"`
+
+	// The following fields are not included by default:
+
+	// EnabledRoutes are the previously-approved subnet routes
+	// (e.g. "192.168.4.16/24", "10.5.2.4/32").
+	EnabledRoutes []string `json:"enabledRoutes"` // Empty for external devices.
+	// AdvertisedRoutes are the subnets (both enabled and not enabled)
+	// being requested from the node.
+	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
+
+	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
+}
+
+// DeviceFieldsOpts determines which fields should be returned in the response.
+//
+// Please only use DeviceAllFields and DeviceDefaultFields.
+// Other DeviceFieldsOpts are not supported.
+//
+// TODO: Support other DeviceFieldsOpts.
+// In the future, users should be able to create their own DeviceFieldsOpts
+// as valid arguments by setting the fields they want returned to a "non-nil"
+// value. For example, DeviceFieldsOpts{NodeID: "true"} should only return NodeIDs.
+type DeviceFieldsOpts Device
+
+func (d *DeviceFieldsOpts) addFieldsToQueryParameter() string {
+	if d == DeviceDefaultFields || d == nil {
+		return "default"
+	}
+	if d == DeviceAllFields {
+		return "all"
+	}
+
+	return ""
+}
+
+var (
+	DeviceAllFields = &DeviceFieldsOpts{}
+
+	// DeviceDefaultFields specifies that the following fields are returned:
+	//   Addresses, NodeID, User, Name, Hostname, ClientVersion, UpdateAvailable,
+	//   OS, Created, LastSeen, KeyExpiryDisabled, Expires, Authorized, IsExternal
+	//   MachineKey, NodeKey, BlocksIncomingConnections.
+	DeviceDefaultFields = &DeviceFieldsOpts{}
+)
+
+// Devices retrieves the list of devices for a tailnet.
+//
+// See the Device structure for the list of fields hidden for external devices.
+// The optional fields parameter specifies which fields of the devices to return; currently
+// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
+// Other values are currently undefined.
+func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceList []*Device, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.Devices: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	// Add fields.
+	fieldStr := fields.addFieldsToQueryParameter()
+	q := req.URL.Query()
+	q.Add("fields", fieldStr)
+	req.URL.RawQuery = q.Encode()
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var devices GetDevicesResponse
+	err = json.Unmarshal(b, &devices)
+	return devices.Devices, err
+}
+
+// Device retrieved the details for a specific device.
+//
+// See the Device structure for the list of fields hidden for an external device.
+// The optional fields parameter specifies which fields of the devices to return; currently
+// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
+// Other values are currently undefined.
+func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFieldsOpts) (device *Device, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.Device: %w", err)
+		}
+	}()
+	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add fields.
+	fieldStr := fields.addFieldsToQueryParameter()
+	q := req.URL.Query()
+	q.Add("fields", fieldStr)
+	req.URL.RawQuery = q.Encode()
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	err = json.Unmarshal(b, &device)
+	return device, err
+}
+
+// DeleteDevice deletes the specified device from the Client's tailnet.
+// NOTE: Only devices that belong to the Client's tailnet can be deleted.
+// Deleting external devices is not supported.
+func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DeleteDevice: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), url.PathEscape(deviceID))
+	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// AuthorizeDevice marks a device as authorized.
+func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
+	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+
+	return nil
+}
+
+// SetTags updates the ACL tags on a device.
+func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) error {
+	params := &struct {
+		Tags []string `json:"tags"`
+	}{Tags: tags}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return err
+	}
+	path := fmt.Sprintf("%s/api/v2/device/%s/tags", c.baseURL(), url.PathEscape(deviceID))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+
+	return nil
+}

client/tailscale/dns.go

@@ -0,0 +1,235 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"tailscale.com/client/tailscale/apitype"
+)
+
+// DNSNameServers is returned when retrieving the list of nameservers.
+// It is also the structure provided when setting nameservers.
+type DNSNameServers struct {
+	DNS []string `json:"dns"` // DNS name servers
+}
+
+// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
+//
+// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
+type DNSNameServersPostResponse struct {
+	DNS      []string `json:"dns"`      // DNS name servers
+	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
+}
+
+// DNSSearchpaths is the list of search paths for a given domain.
+type DNSSearchPaths struct {
+	SearchPaths []string `json:"searchPaths"` // DNS search paths
+}
+
+// DNSPreferences is the preferences set for a given tailnet.
+//
+// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
+// there must be at least one nameserver. When all nameservers are removed,
+// MagicDNS is disabled.
+type DNSPreferences struct {
+	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
+}
+
+func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	return b, nil
+}
+
+func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	data, err := json.Marshal(&postData)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	req.Header.Set("Content-Type", "application/json")
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	return b, nil
+}
+
+// DNSConfig retrieves the DNSConfig settings for a domain.
+func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "config")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp apitype.DNSConfig
+	err = json.Unmarshal(b, &dnsResp)
+	return &dnsResp, err
+}
+
+func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
+		}
+	}()
+	var dnsResp apitype.DNSConfig
+	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return &dnsResp, err
+}
+
+// NameServers retrieves the list of nameservers set for a domain.
+func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.NameServers: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "nameservers")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp DNSNameServers
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.DNS, err
+}
+
+// SetNameServers sets the list of nameservers for a tailnet to the list provided
+// by the user.
+//
+// It returns the new list of nameservers and the MagicDNS status in case it was
+// affected by the change. For example, removing all nameservers will turn off
+// MagicDNS.
+func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
+		}
+	}()
+	dnsReq := DNSNameServers{DNS: nameservers}
+	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// DNSPreferences retrieves the DNS preferences set for a tailnet.
+//
+// It returns the status of MagicDNS.
+func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "preferences")
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// SetDNSPreferences sets the DNS preferences for a tailnet.
+//
+// MagicDNS can only be enabled when there is at least one nameserver provided.
+// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
+// unless explicitly enabled by a user again.
+func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
+		}
+	}()
+	dnsReq := DNSPreferences{MagicDNS: magicDNS}
+	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
+	if err != nil {
+		return
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// SearchPaths retrieves the list of searchpaths set for a tailnet.
+func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "searchpaths")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp *DNSSearchPaths
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.SearchPaths, err
+}
+
+// SetSearchPaths sets the list of searchpaths for a tailnet.
+func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
+		}
+	}()
+	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
+	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp DNSSearchPaths
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.SearchPaths, err
+}

client/tailscale/localclient.go

@@ -0,0 +1,711 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"go4.org/mem"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/netutil"
+	"tailscale.com/paths"
+	"tailscale.com/safesocket"
+	"tailscale.com/tailcfg"
+)
+
+// defaultLocalClient is the default LocalClient when using the legacy
+// package-level functions.
+var defaultLocalClient LocalClient
+
+// LocalClient is a client to Tailscale's "local API", communicating with the
+// Tailscale daemon on the local machine. Its API is not necessarily stable and
+// subject to changes between releases. Some API calls have stricter
+// compatibility guarantees, once they've been widely adopted. See method docs
+// for details.
+//
+// Its zero value is valid to use.
+//
+// Any exported fields should be set before using methods on the type
+// and not changed thereafter.
+type LocalClient struct {
+	// Dial optionally specifies an alternate func that connects to the local
+	// machine's tailscaled or equivalent. If nil, a default is used.
+	Dial func(ctx context.Context, network, addr string) (net.Conn, error)
+
+	// Socket specifies an alternate path to the local Tailscale socket.
+	// If empty, a platform-specific default is used.
+	Socket string
+
+	// UseSocketOnly, if true, tries to only connect to tailscaled via the
+	// Unix socket and not via fallback mechanisms as done on macOS when
+	// connecting to the GUI client variants.
+	UseSocketOnly bool
+
+	// tsClient does HTTP requests to the local Tailscale daemon.
+	// It's lazily initialized on first use.
+	tsClient     *http.Client
+	tsClientOnce sync.Once
+}
+
+func (lc *LocalClient) socket() string {
+	if lc.Socket != "" {
+		return lc.Socket
+	}
+	return paths.DefaultTailscaledSocket()
+}
+
+func (lc *LocalClient) dialer() func(ctx context.Context, network, addr string) (net.Conn, error) {
+	if lc.Dial != nil {
+		return lc.Dial
+	}
+	return lc.defaultDialer
+}
+
+func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
+	if addr != "local-tailscaled.sock:80" {
+		return nil, fmt.Errorf("unexpected URL address %q", addr)
+	}
+	if !lc.UseSocketOnly {
+		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
+		// a TCP server on a random port, find the random port. For HTTP connections,
+		// we don't send the token. It gets added in an HTTP Basic-Auth header.
+		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
+			var d net.Dialer
+			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
+		}
+	}
+	s := safesocket.DefaultConnectionStrategy(lc.socket())
+	// The user provided a non-default tailscaled socket address.
+	// Connect only to exactly what they provided.
+	s.UseFallback(false)
+	return safesocket.Connect(s)
+}
+
+// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
+//
+// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
+//
+// The hostname must be "local-tailscaled.sock", even though it
+// doesn't actually do any DNS lookup. The actual means of connecting to and
+// authenticating to the local Tailscale daemon vary by platform.
+//
+// DoLocalRequest may mutate the request to add Authorization headers.
+func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) {
+	lc.tsClientOnce.Do(func() {
+		lc.tsClient = &http.Client{
+			Transport: &http.Transport{
+				DialContext: lc.dialer(),
+			},
+		}
+	})
+	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
+		req.SetBasicAuth("", token)
+	}
+	return lc.tsClient.Do(req)
+}
+
+func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
+	res, err := lc.DoLocalRequest(req)
+	if err == nil {
+		if server := res.Header.Get("Tailscale-Version"); server != "" && server != ipn.IPCVersion() && onVersionMismatch != nil {
+			onVersionMismatch(ipn.IPCVersion(), server)
+		}
+		if res.StatusCode == 403 {
+			all, _ := ioutil.ReadAll(res.Body)
+			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
+		}
+		return res, nil
+	}
+	if ue, ok := err.(*url.Error); ok {
+		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
+			path := req.URL.Path
+			pathPrefix, _, _ := strings.Cut(path, "?")
+			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
+		}
+	}
+	return nil, err
+}
+
+type errorJSON struct {
+	Error string
+}
+
+// AccessDeniedError is an error due to permissions.
+type AccessDeniedError struct {
+	err error
+}
+
+func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
+func (e *AccessDeniedError) Unwrap() error { return e.err }
+
+// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
+func IsAccessDeniedError(err error) bool {
+	var ae *AccessDeniedError
+	return errors.As(err, &ae)
+}
+
+// bestError returns either err, or if body contains a valid JSON
+// object of type errorJSON, its non-empty error body.
+func bestError(err error, body []byte) error {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return errors.New(j.Error)
+	}
+	return err
+}
+
+func errorMessageFromBody(body []byte) string {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return j.Error
+	}
+	return strings.TrimSpace(string(body))
+}
+
+var onVersionMismatch func(clientVer, serverVer string)
+
+// SetVersionMismatchHandler sets f as the version mismatch handler
+// to be called when the client (the current process) has a version
+// number that doesn't match the server's declared version.
+func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
+	onVersionMismatch = f
+}
+
+func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
+	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
+	if err != nil {
+		return nil, err
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	slurp, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != wantStatus {
+		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
+		return nil, bestError(err, slurp)
+	}
+	return slurp, nil
+}
+
+func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
+	return lc.send(ctx, "GET", path, 200, nil)
+}
+
+// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+//
+// Deprecated: use LocalClient.WhoIs.
+func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	return defaultLocalClient.WhoIs(ctx, remoteAddr)
+}
+
+// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
+	if err != nil {
+		return nil, err
+	}
+	r := new(apitype.WhoIsResponse)
+	if err := json.Unmarshal(body, r); err != nil {
+		if max := 200; len(body) > max {
+			body = append(body[:max], "..."...)
+		}
+		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
+	}
+	return r, nil
+}
+
+// Goroutines returns a dump of the Tailscale daemon's current goroutines.
+func (lc *LocalClient) Goroutines(ctx context.Context) ([]byte, error) {
+	return lc.get200(ctx, "/localapi/v0/goroutines")
+}
+
+// DaemonMetrics returns the Tailscale daemon's metrics in
+// the Prometheus text exposition format.
+func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
+	return lc.get200(ctx, "/localapi/v0/metrics")
+}
+
+// Profile returns a pprof profile of the Tailscale daemon.
+func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
+	var secArg string
+	if sec < 0 || sec > 300 {
+		return nil, errors.New("duration out of range")
+	}
+	if sec != 0 || pprofType == "profile" {
+		secArg = fmt.Sprint(sec)
+	}
+	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
+}
+
+// BugReport logs and returns a log marker that can be shared by the user with support.
+func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(body)), nil
+}
+
+// DebugAction invokes a debug action, such as "rebind" or "restun".
+// These are development tools and subject to change or removal over time.
+func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	return nil
+}
+
+// Status returns the Tailscale daemon's status.
+func Status(ctx context.Context) (*ipnstate.Status, error) {
+	return defaultLocalClient.Status(ctx)
+}
+
+// Status returns the Tailscale daemon's status.
+func (lc *LocalClient) Status(ctx context.Context) (*ipnstate.Status, error) {
+	return lc.status(ctx, "")
+}
+
+// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
+func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	return defaultLocalClient.StatusWithoutPeers(ctx)
+}
+
+// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
+func (lc *LocalClient) StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	return lc.status(ctx, "?peers=false")
+}
+
+func (lc *LocalClient) status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/status"+queryString)
+	if err != nil {
+		return nil, err
+	}
+	st := new(ipnstate.Status)
+	if err := json.Unmarshal(body, st); err != nil {
+		return nil, err
+	}
+	return st, nil
+}
+
+// IDToken is a request to get an OIDC ID token for an audience.
+// The token can be presented to any resource provider which offers OIDC
+// Federation.
+func (lc *LocalClient) IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
+	if err != nil {
+		return nil, err
+	}
+	tr := new(tailcfg.TokenResponse)
+	if err := json.Unmarshal(body, tr); err != nil {
+		return nil, err
+	}
+	return tr, nil
+}
+
+func (lc *LocalClient) WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/files/")
+	if err != nil {
+		return nil, err
+	}
+	var wfs []apitype.WaitingFile
+	if err := json.Unmarshal(body, &wfs); err != nil {
+		return nil, err
+	}
+	return wfs, nil
+}
+
+func (lc *LocalClient) DeleteWaitingFile(ctx context.Context, baseName string) error {
+	_, err := lc.send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
+	return err
+}
+
+func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, 0, err
+	}
+	if res.ContentLength == -1 {
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("unexpected chunking")
+	}
+	if res.StatusCode != 200 {
+		body, _ := ioutil.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
+	}
+	return res.Body, res.ContentLength, nil
+}
+
+func (lc *LocalClient) FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/file-targets")
+	if err != nil {
+		return nil, err
+	}
+	var fts []apitype.FileTarget
+	if err := json.Unmarshal(body, &fts); err != nil {
+		return nil, fmt.Errorf("invalid JSON: %w", err)
+	}
+	return fts, nil
+}
+
+// PushFile sends Taildrop file r to target.
+//
+// A size of -1 means unknown.
+// The name parameter is the original filename, not escaped.
+func (lc *LocalClient) PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
+	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
+	if err != nil {
+		return err
+	}
+	if size != -1 {
+		req.ContentLength = size
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode == 200 {
+		io.Copy(io.Discard, res.Body)
+		return nil
+	}
+	all, _ := io.ReadAll(res.Body)
+	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
+}
+
+// CheckIPForwarding asks the local Tailscale daemon whether it looks like the
+// machine is properly configured to forward IP packets as a subnet router
+// or exit node.
+func (lc *LocalClient) CheckIPForwarding(ctx context.Context) error {
+	body, err := lc.get200(ctx, "/localapi/v0/check-ip-forwarding")
+	if err != nil {
+		return err
+	}
+	var jres struct {
+		Warning string
+	}
+	if err := json.Unmarshal(body, &jres); err != nil {
+		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
+	}
+	if jres.Warning != "" {
+		return errors.New(jres.Warning)
+	}
+	return nil
+}
+
+// CheckPrefs validates the provided preferences, without making any changes.
+//
+// The CLI uses this before a Start call to fail fast if the preferences won't
+// work. Currently (2022-04-18) this only checks for SSH server compatibility.
+// Note that EditPrefs does the same validation as this, so call CheckPrefs before
+// EditPrefs is not necessary.
+func (lc *LocalClient) CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
+	pj, err := json.Marshal(p)
+	if err != nil {
+		return err
+	}
+	_, err = lc.send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
+	return err
+}
+
+func (lc *LocalClient) GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/prefs")
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
+	mpj, err := json.Marshal(mp)
+	if err != nil {
+		return nil, err
+	}
+	body, err := lc.send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func (lc *LocalClient) Logout(ctx context.Context) error {
+	_, err := lc.send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
+	return err
+}
+
+// SetDNS adds a DNS TXT record for the given domain name, containing
+// the provided TXT value. The intended use case is answering
+// LetsEncrypt/ACME dns-01 challenges.
+//
+// The control plane will only permit SetDNS requests with very
+// specific names and values. The name should be
+// "_acme-challenge." + your node's MagicDNS name. It's expected that
+// clients cache the certs from LetsEncrypt (or whichever CA is
+// providing them) and only request new ones as needed; the control plane
+// rate limits SetDNS requests.
+//
+// This is a low-level interface; it's expected that most Tailscale
+// users use a higher level interface to getting/using TLS
+// certificates.
+func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
+	v := url.Values{}
+	v.Set("name", name)
+	v.Set("value", value)
+	_, err := lc.send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
+	return err
+}
+
+// DialTCP connects to the host's port via Tailscale.
+//
+// The host may be a base DNS name (resolved from the netmap inside
+// tailscaled), a FQDN, or an IP address.
+//
+// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
+func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
+	connCh := make(chan net.Conn, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+	}
+	ctx = httptrace.WithClientTrace(ctx, &trace)
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header = http.Header{
+		"Upgrade":    []string{"ts-dial"},
+		"Connection": []string{"upgrade"},
+		"Dial-Host":  []string{host},
+		"Dial-Port":  []string{fmt.Sprint(port)},
+	}
+	res, err := lc.DoLocalRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != http.StatusSwitchingProtocols {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
+	}
+	// From here on, the underlying net.Conn is ours to use, but there
+	// is still a read buffer attached to it within resp.Body. So, we
+	// must direct I/O through resp.Body, but we can still use the
+	// underlying net.Conn for stuff like deadlines.
+	var switchedConn net.Conn
+	select {
+	case switchedConn = <-connCh:
+	default:
+	}
+	if switchedConn == nil {
+		res.Body.Close()
+		return nil, fmt.Errorf("httptrace didn't provide a connection")
+	}
+	rwc, ok := res.Body.(io.ReadWriteCloser)
+	if !ok {
+		res.Body.Close()
+		return nil, errors.New("http Transport did not provide a writable body")
+	}
+	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
+}
+
+// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
+// It is intended to be used with netcheck to see availability of DERPs.
+func (lc *LocalClient) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
+	var derpMap tailcfg.DERPMap
+	res, err := lc.send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(res, &derpMap); err != nil {
+		return nil, fmt.Errorf("invalid derp map json: %w", err)
+	}
+	return &derpMap, nil
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// Deprecated: use LocalClient.CertPair.
+func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	return defaultLocalClient.CertPair(ctx, domain)
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// API maturity: this is considered a stable API.
+func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	// with ?type=pair, the response PEM is first the one private
+	// key PEM block, then the cert PEM blocks.
+	i := mem.Index(mem.B(res), mem.S("--\n--"))
+	if i == -1 {
+		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
+	}
+	i += len("--\n")
+	keyPEM, certPEM = res[:i], res[i:]
+	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
+		return nil, nil, fmt.Errorf("unexpected output: key in cert")
+	}
+	return certPEM, keyPEM, nil
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// tls.Config.GetCertificate.
+//
+// Deprecated: use LocalClient.GetCertificate.
+func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return defaultLocalClient.GetCertificate(hi)
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// tls.Config.GetCertificate.
+//
+// API maturity: this is considered a stable API.
+func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if hi == nil || hi.ServerName == "" {
+		return nil, errors.New("no SNI ServerName")
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	name := hi.ServerName
+	if !strings.Contains(name, ".") {
+		if v, ok := lc.ExpandSNIName(ctx, name); ok {
+			name = v
+		}
+	}
+	certPEM, keyPEM, err := lc.CertPair(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, err
+	}
+	return &cert, nil
+}
+
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+//
+// Deprecated: use LocalClient.ExpandSNIName.
+func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	return defaultLocalClient.ExpandSNIName(ctx, name)
+}
+
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	st, err := lc.StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", false
+	}
+	for _, d := range st.CertDomains {
+		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
+			return d, true
+		}
+	}
+	return "", false
+}
+
+// Ping sends a ping of the provided type to the provided IP and waits
+// for its response.
+func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
+	v := url.Values{}
+	v.Set("ip", ip.String())
+	v.Set("type", string(pingtype))
+	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error %w: %s", err, body)
+	}
+	pr := new(ipnstate.PingResult)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
+// tailscaledConnectHint gives a little thing about why tailscaled (or
+// platform equivalent) is not answering localapi connections.
+//
+// It ends in a punctuation. See caller.
+func tailscaledConnectHint() string {
+	if runtime.GOOS != "linux" {
+		// TODO(bradfitz): flesh this out
+		return "not running?"
+	}
+	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
+	if err != nil {
+		return "not running?"
+	}
+	// Parse:
+	// LoadState=loaded
+	// ActiveState=inactive
+	// SubState=dead
+	st := map[string]string{}
+	for _, line := range strings.Split(string(out), "\n") {
+		if k, v, ok := strings.Cut(line, "="); ok {
+			st[k] = strings.TrimSpace(v)
+		}
+	}
+	if st["LoadState"] == "loaded" &&
+		(st["SubState"] != "running" || st["ActiveState"] != "active") {
+		return "systemd tailscaled.service not running."
+	}
+	return "not running?"
+}

client/tailscale/routes.go

@@ -0,0 +1,98 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"inet.af/netaddr"
+)
+
+// Routes contains the lists of subnet routes that are currently advertised by a device,
+// as well as the subnets that are enabled to be routed by the device.
+type Routes struct {
+	AdvertisedRoutes []netaddr.IPPrefix `json:"advertisedRoutes"`
+	EnabledRoutes    []netaddr.IPPrefix `json:"enabledRoutes"`
+}
+
+// Routes retrieves the list of subnet routes that have been enabled for a device.
+// The routes that are returned are not necessarily advertised by the device,
+// they have only been preapproved.
+func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.Routes: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var sr Routes
+	err = json.Unmarshal(b, &sr)
+	return &sr, err
+}
+
+type postRoutesParams struct {
+	Routes []netaddr.IPPrefix `json:"routes"`
+}
+
+// SetRoutes updates the list of subnets that are enabled for a device.
+// Subnets must be parsable by inet.af/netaddr.ParseIPPrefix.
+// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
+// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
+func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netaddr.IPPrefix) (routes *Routes, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
+		}
+	}()
+	params := &postRoutesParams{Routes: subnets}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return nil, err
+	}
+	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var srr *Routes
+	if err := json.Unmarshal(b, &srr); err != nil {
+		return nil, err
+	}
+	return srr, err
+}

client/tailscale/tailnet.go

@@ -0,0 +1,42 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+)
+
+// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
+func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, path, nil)
+	if err != nil {
+		return err
+	}
+
+	c.setAuth(req)
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+
+	return nil
+}

client/tailscale/tailscale.go

@@ -1,616 +1,160 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 //go:build go1.18
 // +build go1.18
 
-// Package tailscale contains Tailscale client code.
+// Package tailscale contains Go clients for the Tailscale Local API and
+// Tailscale control plane API.
+//
+// Warning: this package is in development and makes no API compatibility
+// promises as of 2022-04-29. It is subject to change at any time.
 package tailscale
 
 import (
-	"bytes"
-	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
-	"net"
 	"net/http"
-	"net/http/httptrace"
-	"net/url"
-	"os/exec"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"go4.org/mem"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/netutil"
-	"tailscale.com/paths"
-	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-	"tailscale.com/version"
 )
 
-var (
-	// TailscaledSocket is the tailscaled Unix socket. It's used by the TailscaledDialer.
-	TailscaledSocket = paths.DefaultTailscaledSocket()
-
-	// TailscaledSocketSetExplicitly reports whether the user explicitly set TailscaledSocket.
-	TailscaledSocketSetExplicitly bool
-
-	// TailscaledDialer is the DialContext func that connects to the local machine's
-	// tailscaled or equivalent.
-	TailscaledDialer = defaultDialer
-)
-
-func defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
-	if addr != "local-tailscaled.sock:80" {
-		return nil, fmt.Errorf("unexpected URL address %q", addr)
-	}
-	// TODO: make this part of a safesocket.ConnectionStrategy
-	if !TailscaledSocketSetExplicitly {
-		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
-		// a TCP server on a random port, find the random port. For HTTP connections,
-		// we don't send the token. It gets added in an HTTP Basic-Auth header.
-		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
-			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
-		}
-	}
-	s := safesocket.DefaultConnectionStrategy(TailscaledSocket)
-	// The user provided a non-default tailscaled socket address.
-	// Connect only to exactly what they provided.
-	s.UseFallback(false)
-	return safesocket.Connect(s)
-}
-
-var (
-	// tsClient does HTTP requests to the local Tailscale daemon.
-	// We lazily initialize the client in case the caller wants to
-	// override TailscaledDialer.
-	tsClient     *http.Client
-	tsClientOnce sync.Once
-)
-
-// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
+// I_Acknowledge_This_API_Is_Unstable must be set true to use this package
+// for now. It was added 2022-04-29 when it was moved to this git repo
+// and will be removed when the public API has settled.
 //
-// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
+// TODO(bradfitz): remove this after the we're happy with the public API.
+var I_Acknowledge_This_API_Is_Unstable = false
+
+// TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
+
+const defaultAPIBase = "https://api.tailscale.com"
+
+// maxSize is the maximum read size (10MB) of responses from the server.
+const maxReadSize = 10 << 20
+
+// Client makes API calls to the Tailscale control plane API server.
 //
-// The hostname must be "local-tailscaled.sock", even though it
-// doesn't actually do any DNS lookup. The actual means of connecting to and
-// authenticating to the local Tailscale daemon vary by platform.
+// Use NewClient to instantiate one. Exported fields should be set before
+// the client is used and not changed thereafter.
+type Client struct {
+	// tailnet is the globally unique identifier for a Tailscale network, such
+	// as "example.com" or "user@gmail.com".
+	tailnet string
+	// auth is the authentication method to use for this client.
+	// nil means none, which generally won't work, but won't crash.
+	auth AuthMethod
+
+	// BaseURL optionally specifies an alternate API server to use.
+	// If empty, "https://api.tailscale.com" is used.
+	BaseURL string
+
+	// HTTPClient optionally specifies an alternate HTTP client to use.
+	// If nil, http.DefaultClient is used.
+	HTTPClient *http.Client
+}
+
+func (c *Client) httpClient() *http.Client {
+	if c.HTTPClient != nil {
+		return c.HTTPClient
+	}
+	return http.DefaultClient
+}
+
+func (c *Client) baseURL() string {
+	if c.BaseURL != "" {
+		return c.BaseURL
+	}
+	return defaultAPIBase
+}
+
+// AuthMethod is the interface for API authentication methods.
 //
-// DoLocalRequest may mutate the request to add Authorization headers.
-func DoLocalRequest(req *http.Request) (*http.Response, error) {
-	tsClientOnce.Do(func() {
-		tsClient = &http.Client{
-			Transport: &http.Transport{
-				DialContext: TailscaledDialer,
-			},
-		}
-	})
-	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
-		req.SetBasicAuth("", token)
-	}
-	return tsClient.Do(req)
+// Most users will use AuthKey.
+type AuthMethod interface {
+	modifyRequest(req *http.Request)
 }
 
-func doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
-	res, err := DoLocalRequest(req)
-	if err == nil {
-		if server := res.Header.Get("Tailscale-Version"); server != "" && server != version.Long && onVersionMismatch != nil {
-			onVersionMismatch(version.Long, server)
-		}
-		if res.StatusCode == 403 {
-			all, _ := ioutil.ReadAll(res.Body)
-			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
-		}
-		return res, nil
-	}
-	if ue, ok := err.(*url.Error); ok {
-		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
-			path := req.URL.Path
-			pathPrefix, _, _ := strings.Cut(path, "?")
-			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
-		}
-	}
-	return nil, err
+// APIKey is an AuthMethod for NewClient that authenticates requests
+// using an authkey.
+type APIKey string
+
+func (ak APIKey) modifyRequest(req *http.Request) {
+	req.SetBasicAuth(string(ak), "")
 }
 
-type errorJSON struct {
-	Error string
+func (c *Client) setAuth(r *http.Request) {
+	if c.auth != nil {
+		c.auth.modifyRequest(r)
+	}
 }
 
-// AccessDeniedError is an error due to permissions.
-type AccessDeniedError struct {
-	err error
-}
-
-func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
-func (e *AccessDeniedError) Unwrap() error { return e.err }
-
-// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
-func IsAccessDeniedError(err error) bool {
-	var ae *AccessDeniedError
-	return errors.As(err, &ae)
-}
-
-// bestError returns either err, or if body contains a valid JSON
-// object of type errorJSON, its non-empty error body.
-func bestError(err error, body []byte) error {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return errors.New(j.Error)
-	}
-	return err
-}
-
-func errorMessageFromBody(body []byte) string {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return j.Error
-	}
-	return strings.TrimSpace(string(body))
-}
-
-var onVersionMismatch func(clientVer, serverVer string)
-
-// SetVersionMismatchHandler sets f as the version mismatch handler
-// to be called when the client (the current process) has a version
-// number that doesn't match the server's declared version.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	onVersionMismatch = f
-}
-
-func send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
-	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
-	if err != nil {
-		return nil, err
-	}
-	res, err := doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	slurp, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != wantStatus {
-		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, bestError(err, slurp)
-	}
-	return slurp, nil
-}
-
-func get200(ctx context.Context, path string) ([]byte, error) {
-	return send(ctx, "GET", path, 200, nil)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		return nil, err
-	}
-	r := new(apitype.WhoIsResponse)
-	if err := json.Unmarshal(body, r); err != nil {
-		if max := 200; len(body) > max {
-			body = append(body[:max], "..."...)
-		}
-		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
-	}
-	return r, nil
-}
-
-// Goroutines returns a dump of the Tailscale daemon's current goroutines.
-func Goroutines(ctx context.Context) ([]byte, error) {
-	return get200(ctx, "/localapi/v0/goroutines")
-}
-
-// DaemonMetrics returns the Tailscale daemon's metrics in
-// the Prometheus text exposition format.
-func DaemonMetrics(ctx context.Context) ([]byte, error) {
-	return get200(ctx, "/localapi/v0/metrics")
-}
-
-// Profile returns a pprof profile of the Tailscale daemon.
-func Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
-	var secArg string
-	if sec < 0 || sec > 300 {
-		return nil, errors.New("duration out of range")
-	}
-	if sec != 0 || pprofType == "profile" {
-		secArg = fmt.Sprint(sec)
-	}
-	return get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
-}
-
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func BugReport(ctx context.Context, note string) (string, error) {
-	body, err := send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(string(body)), nil
-}
-
-// DebugAction invokes a debug action, such as "rebind" or "restun".
-// These are development tools and subject to change or removal over time.
-func DebugAction(ctx context.Context, action string) error {
-	body, err := send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	return nil
-}
-
-// Status returns the Tailscale daemon's status.
-func Status(ctx context.Context) (*ipnstate.Status, error) {
-	return status(ctx, "")
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return status(ctx, "?peers=false")
-}
-
-func status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
-	body, err := get200(ctx, "/localapi/v0/status"+queryString)
-	if err != nil {
-		return nil, err
-	}
-	st := new(ipnstate.Status)
-	if err := json.Unmarshal(body, st); err != nil {
-		return nil, err
-	}
-	return st, nil
-}
-
-// IDToken is a request to get an OIDC ID token for an audience.
-// The token can be presented to any resource provider which offers OIDC
-// Federation.
-func IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
-	body, err := get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
-	if err != nil {
-		return nil, err
-	}
-	tr := new(tailcfg.TokenResponse)
-	if err := json.Unmarshal(body, tr); err != nil {
-		return nil, err
-	}
-	return tr, nil
-}
-
-func WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
-	body, err := get200(ctx, "/localapi/v0/files/")
-	if err != nil {
-		return nil, err
-	}
-	var wfs []apitype.WaitingFile
-	if err := json.Unmarshal(body, &wfs); err != nil {
-		return nil, err
-	}
-	return wfs, nil
-}
-
-func DeleteWaitingFile(ctx context.Context, baseName string) error {
-	_, err := send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
-	return err
-}
-
-func GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	res, err := doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.ContentLength == -1 {
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("unexpected chunking")
-	}
-	if res.StatusCode != 200 {
-		body, _ := ioutil.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-	return res.Body, res.ContentLength, nil
-}
-
-func FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
-	body, err := get200(ctx, "/localapi/v0/file-targets")
-	if err != nil {
-		return nil, err
-	}
-	var fts []apitype.FileTarget
-	if err := json.Unmarshal(body, &fts); err != nil {
-		return nil, fmt.Errorf("invalid JSON: %w", err)
-	}
-	return fts, nil
-}
-
-// PushFile sends Taildrop file r to target.
+// NewClient is a convenience method for instantiating a new Client.
 //
-// A size of -1 means unknown.
-// The name parameter is the original filename, not escaped.
-func PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
+// tailnet is the globally unique identifier for a Tailscale network, such
+// as "example.com" or "user@gmail.com".
+// If httpClient is nil, then http.DefaultClient is used.
+// "api.tailscale.com" is set as the BaseURL for the returned client
+// and can be changed manually by the user.
+func NewClient(tailnet string, auth AuthMethod) *Client {
+	return &Client{
+		tailnet: tailnet,
+		auth:    auth,
+	}
+}
+
+func (c *Client) Tailnet() string { return c.tailnet }
+
+// Do sends a raw HTTP request, after adding any authentication headers.
+func (c *Client) Do(req *http.Request) (*http.Response, error) {
+	if !I_Acknowledge_This_API_Is_Unstable {
+		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+	}
+	c.setAuth(req)
+	return c.httpClient().Do(req)
+}
+
+// sendRequest add the authenication key to the request and sends it. It
+// receives the response and reads up to 10MB of it.
+func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
+	if !I_Acknowledge_This_API_Is_Unstable {
+		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+	}
+	c.setAuth(req)
+	resp, err := c.httpClient().Do(req)
 	if err != nil {
+		return nil, resp, err
+	}
+	defer resp.Body.Close()
+
+	// Read response. Limit the response to 10MB.
+	body := io.LimitReader(resp.Body, maxReadSize+1)
+	b, err := ioutil.ReadAll(body)
+	if len(b) > maxReadSize {
+		err = errors.New("API response too large")
+	}
+	return b, resp, err
+}
+
+// ErrResponse is the HTTP error returned by the Tailscale server.
+type ErrResponse struct {
+	Status  int
+	Message string
+}
+
+func (e ErrResponse) Error() string {
+	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
+}
+
+// handleErrorResponse decodes the error message from the server and returns
+// an ErrResponse from it.
+func handleErrorResponse(b []byte, resp *http.Response) error {
+	var errResp ErrResponse
+	if err := json.Unmarshal(b, &errResp); err != nil {
 		return err
 	}
-	if size != -1 {
-		req.ContentLength = size
-	}
-	res, err := doLocalRequestNiceError(req)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode == 200 {
-		io.Copy(io.Discard, res.Body)
-		return nil
-	}
-	all, _ := io.ReadAll(res.Body)
-	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
-}
-
-func CheckIPForwarding(ctx context.Context) error {
-	body, err := get200(ctx, "/localapi/v0/check-ip-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
-// CheckPrefs validates the provided preferences, without making any changes.
-//
-// The CLI uses this before a Start call to fail fast if the preferences won't
-// work. Currently (2022-04-18) this only checks for SSH server compatibility.
-// Note that EditPrefs does the same validation as this, so call CheckPrefs before
-// EditPrefs is not necessary.
-func CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
-	pj, err := json.Marshal(p)
-	if err != nil {
-		return err
-	}
-	_, err = send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
-	return err
-}
-
-func GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
-	body, err := get200(ctx, "/localapi/v0/prefs")
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
-	mpj, err := json.Marshal(mp)
-	if err != nil {
-		return nil, err
-	}
-	body, err := send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func Logout(ctx context.Context) error {
-	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
-	return err
-}
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}
-
-// DialTCP connects to the host's port via Tailscale.
-//
-// The host may be a base DNS name (resolved from the netmap inside
-// tailscaled), a FQDN, or an IP address.
-//
-// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
-func DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
-	connCh := make(chan net.Conn, 1)
-	trace := httptrace.ClientTrace{
-		GotConn: func(info httptrace.GotConnInfo) {
-			connCh <- info.Conn
-		},
-	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header = http.Header{
-		"Upgrade":    []string{"ts-dial"},
-		"Connection": []string{"upgrade"},
-		"Dial-Host":  []string{host},
-		"Dial-Port":  []string{fmt.Sprint(port)},
-	}
-	res, err := DoLocalRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != http.StatusSwitchingProtocols {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
-	}
-	// From here on, the underlying net.Conn is ours to use, but there
-	// is still a read buffer attached to it within resp.Body. So, we
-	// must direct I/O through resp.Body, but we can still use the
-	// underlying net.Conn for stuff like deadlines.
-	var switchedConn net.Conn
-	select {
-	case switchedConn = <-connCh:
-	default:
-	}
-	if switchedConn == nil {
-		res.Body.Close()
-		return nil, fmt.Errorf("httptrace didn't provide a connection")
-	}
-	rwc, ok := res.Body.(io.ReadWriteCloser)
-	if !ok {
-		res.Body.Close()
-		return nil, errors.New("http Transport did not provide a writable body")
-	}
-	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
-}
-
-// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
-// It is intended to be used with netcheck to see availability of DERPs.
-func CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	var derpMap tailcfg.DERPMap
-	res, err := send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(res, &derpMap); err != nil {
-		return nil, fmt.Errorf("invalid derp map json: %w", err)
-	}
-	return &derpMap, nil
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// with ?type=pair, the response PEM is first the one private
-	// key PEM block, then the cert PEM blocks.
-	i := mem.Index(mem.B(res), mem.S("--\n--"))
-	if i == -1 {
-		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
-	}
-	i += len("--\n")
-	keyPEM, certPEM = res[:i], res[i:]
-	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
-		return nil, nil, fmt.Errorf("unexpected output: key in cert")
-	}
-	return certPEM, keyPEM, nil
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi == nil || hi.ServerName == "" {
-		return nil, errors.New("no SNI ServerName")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	name := hi.ServerName
-	if !strings.Contains(name, ".") {
-		if v, ok := ExpandSNIName(ctx, name); ok {
-			name = v
-		}
-	}
-	certPEM, keyPEM, err := CertPair(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	st, err := StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", false
-	}
-	for _, d := range st.CertDomains {
-		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
-			return d, true
-		}
-	}
-	return "", false
-}
-
-// tailscaledConnectHint gives a little thing about why tailscaled (or
-// platform equivalent) is not answering localapi connections.
-//
-// It ends in a punctuation. See caller.
-func tailscaledConnectHint() string {
-	if runtime.GOOS != "linux" {
-		// TODO(bradfitz): flesh this out
-		return "not running?"
-	}
-	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
-	if err != nil {
-		return "not running?"
-	}
-	// Parse:
-	// LoadState=loaded
-	// ActiveState=inactive
-	// SubState=dead
-	st := map[string]string{}
-	for _, line := range strings.Split(string(out), "\n") {
-		if k, v, ok := strings.Cut(line, "="); ok {
-			st[k] = strings.TrimSpace(v)
-		}
-	}
-	if st["LoadState"] == "loaded" &&
-		(st["SubState"] != "running" || st["ActiveState"] != "active") {
-		return "systemd tailscaled.service not running."
-	}
-	return "not running?"
+	errResp.Status = resp.StatusCode
+	return errResp
 }

cmd/cloner/cloner.go

@@ -22,13 +22,11 @@ import (
 	"os"
 	"strings"
 
-	"golang.org/x/tools/go/packages"
 	"tailscale.com/util/codegen"
 )
 
 var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
-	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
 	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )
@@ -43,30 +41,18 @@ func main() {
 	}
 	typeNames := strings.Split(*flagTypes, ",")
 
-	cfg := &packages.Config{
-		Mode:  packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedName,
-		Tests: false,
-	}
-	if *flagBuildTags != "" {
-		cfg.BuildFlags = []string{"-tags=" + *flagBuildTags}
-	}
-	pkgs, err := packages.Load(cfg, ".")
+	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
 	if err != nil {
 		log.Fatal(err)
 	}
-	if len(pkgs) != 1 {
-		log.Fatalf("wrong number of packages: %d", len(pkgs))
-	}
-	pkg := pkgs[0]
+	it := codegen.NewImportTracker(pkg.Types)
 	buf := new(bytes.Buffer)
-	imports := make(map[string]struct{})
-	namedTypes := codegen.NamedTypes(pkg)
 	for _, typeName := range typeNames {
 		typ, ok := namedTypes[typeName]
 		if !ok {
 			log.Fatalf("could not find type %s", typeName)
 		}
-		gen(buf, imports, typ, pkg.Types)
+		gen(buf, it, typ)
 	}
 
 	w := func(format string, args ...any) {
@@ -93,62 +79,13 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-
-	contents := new(bytes.Buffer)
-	var flagArgs []string
-	if *flagTypes != "" {
-		flagArgs = append(flagArgs, "-type="+*flagTypes)
-	}
-	if *flagOutput != "" {
-		flagArgs = append(flagArgs, "-output="+*flagOutput)
-	}
-	if *flagBuildTags != "" {
-		flagArgs = append(flagArgs, "-tags="+*flagBuildTags)
-	}
-	if *flagCloneFunc {
-		flagArgs = append(flagArgs, "-clonefunc")
-	}
-	fmt.Fprintf(contents, header, strings.Join(flagArgs, " "), pkg.Name)
-	fmt.Fprintf(contents, "import (\n")
-	for s := range imports {
-		fmt.Fprintf(contents, "\t%q\n", s)
-	}
-	fmt.Fprintf(contents, ")\n\n")
-	contents.Write(buf.Bytes())
-
-	output := *flagOutput
-	if output == "" {
-		flag.Usage()
-		os.Exit(2)
-	}
-	if err := codegen.WriteFormatted(contents.Bytes(), output); err != nil {
+	cloneOutput := pkg.Name + "_clone.go"
+	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
 		log.Fatal(err)
 	}
 }
 
-const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
-//` + `go:generate` + ` go run tailscale.com/cmd/cloner %s
-
-package %s
-
-`
-
-func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisPkg *types.Package) {
-	pkgQual := func(pkg *types.Package) string {
-		if thisPkg == pkg {
-			return ""
-		}
-		imports[pkg.Path()] = struct{}{}
-		return pkg.Name()
-	}
-	importedName := func(t types.Type) string {
-		return types.TypeString(t, pkgQual)
-	}
-
+func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	t, ok := typ.Underlying().(*types.Struct)
 	if !ok {
 		return
@@ -169,11 +106,11 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 	for i := 0; i < t.NumFields(); i++ {
 		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
-		if !codegen.ContainsPointers(ft) {
+		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
 			continue
 		}
 		if named, _ := ft.(*types.Named); named != nil {
-			if isViewType(ft) {
+			if codegen.IsViewType(ft) {
 				writef("dst.%s = src.%s", fname, fname)
 				continue
 			}
@@ -185,11 +122,16 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 		switch ft := ft.Underlying().(type) {
 		case *types.Slice:
 			if codegen.ContainsPointers(ft.Elem()) {
-				n := importedName(ft.Elem())
+				n := it.QualifiedName(ft.Elem())
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
-				if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
+					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
+						writef("\tx := *src.%s[i]", fname)
+						writef("\tdst.%s[i] = &x", fname)
+					} else {
+						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+					}
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -202,7 +144,7 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
-			n := importedName(ft.Elem())
+			n := it.QualifiedName(ft.Elem())
 			writef("if dst.%s != nil {", fname)
 			writef("\tdst.%s = new(%s)", fname, n)
 			writef("\t*dst.%s = *src.%s", fname, fname)
@@ -212,9 +154,9 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 			writef("}")
 		case *types.Map:
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
+			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(ft.Elem()))
 			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
-				n := importedName(sliceType.Elem())
+				n := it.QualifiedName(sliceType.Elem())
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
@@ -237,20 +179,10 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")
 
-	buf.Write(codegen.AssertStructUnchanged(t, thisPkg, name, "Clone", imports))
-}
-
-func isViewType(typ types.Type) bool {
-	t, ok := typ.Underlying().(*types.Struct)
-	if !ok {
-		return false
-	}
-	if t.NumFields() != 1 {
-		return false
-	}
-	return t.Field(0).Name() == "ж"
+	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
 }
 
+// hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
 func hasBasicUnderlying(typ types.Type) bool {
 	switch typ.Underlying().(type) {
 	case *types.Slice, *types.Map:

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -62,6 +62,12 @@ func main() {
 		Hostname: *hostname,
 	}
 
+	// TODO(bradfitz,maisem): move this to a method on tsnet.Server probably.
+	if err := ts.Start(); err != nil {
+		log.Fatalf("Error starting tsnet.Server: %v", err)
+	}
+	localClient, _ := ts.LocalClient()
+
 	url, err := url.Parse(fmt.Sprintf("http://%s", *backendAddr))
 	if err != nil {
 		log.Fatalf("couldn't parse backend address: %v", err)
@@ -71,7 +77,7 @@ func main() {
 	originalDirector := proxy.Director
 	proxy.Director = func(req *http.Request) {
 		originalDirector(req)
-		modifyRequest(req)
+		modifyRequest(req, localClient)
 	}
 
 	var ln net.Listener
@@ -84,7 +90,7 @@ func main() {
 		go func() {
 			// wait for tailscale to start before trying to fetch cert names
 			for i := 0; i < 60; i++ {
-				st, err := tailscale.Status(context.Background())
+				st, err := localClient.Status(context.Background())
 				if err != nil {
 					log.Printf("error retrieving tailscale status; retrying: %v", err)
 				} else {
@@ -100,7 +106,7 @@ func main() {
 			if err != nil {
 				log.Fatal(err)
 			}
-			name, ok := tailscale.ExpandSNIName(context.Background(), *hostname)
+			name, ok := localClient.ExpandSNIName(context.Background(), *hostname)
 			if !ok {
 				log.Fatalf("can't get hostname for https redirect")
 			}
@@ -120,14 +126,14 @@ func main() {
 	log.Fatal(http.Serve(ln, proxy))
 }
 
-func modifyRequest(req *http.Request) {
+func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
 	// with enable_login_token set to true, we get a cookie that handles
 	// auth for paths that are not /login
 	if req.URL.Path != "/login" {
 		return
 	}
 
-	user, err := getTailscaleUser(req.Context(), req.RemoteAddr)
+	user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
 	if err != nil {
 		log.Printf("error getting Tailscale user: %v", err)
 		return
@@ -137,8 +143,8 @@ func modifyRequest(req *http.Request) {
 	req.Header.Set("X-Webauth-Name", user.DisplayName)
 }
 
-func getTailscaleUser(ctx context.Context, ipPort string) (*tailcfg.UserProfile, error) {
-	whois, err := tailscale.WhoIs(ctx, ipPort)
+func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, ipPort string) (*tailcfg.UserProfile, error) {
+	whois, err := localClient.WhoIs(ctx, ipPort)
 	if err != nil {
 		return nil, fmt.Errorf("failed to identify remote host: %w", err)
 	}

cmd/tailscale/cli/bugreport.go

@@ -9,7 +9,6 @@ import (
 	"errors"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )
 
 var bugReportCmd = &ffcli.Command{
@@ -28,7 +27,7 @@ func runBugReport(ctx context.Context, args []string) error {
 	default:
 		return errors.New("unknown argumets")
 	}
-	logMarker, err := tailscale.BugReport(ctx, note)
+	logMarker, err := localClient.BugReport(ctx, note)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/cert.go

@@ -50,7 +50,7 @@ func runCert(ctx context.Context, args []string) error {
 			},
 			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
-					if v, ok := tailscale.ExpandSNIName(r.Context(), r.Host); ok {
+					if v, ok := localClient.ExpandSNIName(r.Context(), r.Host); ok {
 						http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
 						return
 					}
@@ -64,7 +64,7 @@ func runCert(ctx context.Context, args []string) error {
 
 	if len(args) != 1 {
 		var hint bytes.Buffer
-		if st, err := tailscale.Status(ctx); err == nil {
+		if st, err := localClient.Status(ctx); err == nil {
 			if st.BackendState != ipn.Running.String() {
 				fmt.Fprintf(&hint, "\nTailscale is not running.\n")
 			} else if len(st.CertDomains) == 0 {

cmd/tailscale/cli/cli.go

@@ -125,6 +125,8 @@ func CleanUpArgs(args []string) []string {
 	return out
 }
 
+var localClient tailscale.LocalClient
+
 // Run runs the CLI. The args do not include the binary name.
 func Run(args []string) (err error) {
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
@@ -193,10 +195,10 @@ change in the future.
 		return err
 	}
 
-	tailscale.TailscaledSocket = rootArgs.socket
+	localClient.Socket = rootArgs.socket
 	rootfs.Visit(func(f *flag.Flag) {
 		if f.Name == "socket" {
-			tailscale.TailscaledSocketSetExplicitly = true
+			localClient.UseSocketOnly = true
 		}
 	})
 

cmd/tailscale/cli/cli_test.go

@@ -664,11 +664,11 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a::bb:10.0.0.0/112",
-				netfilterMode: "off",
+				netfilterMode:   "off",
 			},
 			want: &ipn.Prefs{
-				WantRunning:   true,
-				NoSNAT:        true,
+				WantRunning: true,
+				NoSNAT:      true,
 				AdvertiseRoutes: []netaddr.IPPrefix{
 					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
@@ -679,7 +679,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a::/64",
-				netfilterMode: "off",
+				netfilterMode:   "off",
 			},
 			wantErr: "fd7a:115c:a1e0:b1a::/64 4-in-6 prefix must be at least a /96",
 		},
@@ -688,7 +688,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			goos: "linux",
 			args: upArgsT{
 				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
-				netfilterMode: "off",
+				netfilterMode:   "off",
 			},
 			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
 		},

cmd/tailscale/cli/debug.go

@@ -23,7 +23,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/net/tsaddr"
@@ -69,6 +68,11 @@ var debugCmd = &ffcli.Command{
 			Exec:      runEnv,
 			ShortHelp: "print cmd/tailscale environment",
 		},
+		{
+			Name:      "stat",
+			Exec:      runStat,
+			ShortHelp: "stat a file",
+		},
 		{
 			Name:      "hostinfo",
 			Exec:      runHostinfo,
@@ -150,7 +154,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.cpuFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
-		if v, err := tailscale.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
+		if v, err := localClient.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -162,7 +166,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.memFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing memory profile ...")
-		if v, err := tailscale.Profile(ctx, "heap", 0); err != nil {
+		if v, err := localClient.Profile(ctx, "heap", 0); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -174,7 +178,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if debugArgs.file != "" {
 		usedFlag = true // TODO(bradfitz): add "file" subcommand
 		if debugArgs.file == "get" {
-			wfs, err := tailscale.WaitingFiles(ctx)
+			wfs, err := localClient.WaitingFiles(ctx)
 			if err != nil {
 				fatalf("%v\n", err)
 			}
@@ -185,9 +189,9 @@ func runDebug(ctx context.Context, args []string) error {
 		}
 		delete := strings.HasPrefix(debugArgs.file, "delete:")
 		if delete {
-			return tailscale.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
+			return localClient.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
 		}
-		rc, size, err := tailscale.GetWaitingFile(ctx, debugArgs.file)
+		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
 		if err != nil {
 			return err
 		}
@@ -222,7 +226,7 @@ var prefsArgs struct {
 }
 
 func runPrefs(ctx context.Context, args []string) error {
-	prefs, err := tailscale.GetPrefs(ctx)
+	prefs, err := localClient.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -256,7 +260,7 @@ func runWatchIPN(ctx context.Context, args []string) error {
 }
 
 func runDERPMap(ctx context.Context, args []string) error {
-	dm, err := tailscale.CurrentDERPMap(ctx)
+	dm, err := localClient.CurrentDERPMap(ctx)
 	if err != nil {
 		return fmt.Errorf(
 			"failed to get local derp map, instead `curl %s/derpmap/default`: %w", ipn.DefaultControlURL, err,
@@ -273,7 +277,7 @@ func localAPIAction(action string) func(context.Context, []string) error {
 		if len(args) > 0 {
 			return errors.New("unexpected arguments")
 		}
-		return tailscale.DebugAction(ctx, action)
+		return localClient.DebugAction(ctx, action)
 	}
 }
 
@@ -284,6 +288,28 @@ func runEnv(ctx context.Context, args []string) error {
 	return nil
 }
 
+func runStat(ctx context.Context, args []string) error {
+	for _, a := range args {
+		fi, err := os.Lstat(a)
+		if err != nil {
+			fmt.Printf("%s: %v\n", a, err)
+			continue
+		}
+		fmt.Printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
+		if fi.IsDir() {
+			ents, _ := os.ReadDir(a)
+			for i, ent := range ents {
+				if i == 25 {
+					fmt.Printf("  ...\n")
+					break
+				}
+				fmt.Printf("  - %s\n", ent.Name())
+			}
+		}
+	}
+	return nil
+}
+
 func runHostinfo(ctx context.Context, args []string) error {
 	hi := hostinfo.New()
 	j, _ := json.MarshalIndent(hi, "", "  ")
@@ -292,7 +318,7 @@ func runHostinfo(ctx context.Context, args []string) error {
 }
 
 func runDaemonGoroutines(ctx context.Context, args []string) error {
-	goroutines, err := tailscale.Goroutines(ctx)
+	goroutines, err := localClient.Goroutines(ctx)
 	if err != nil {
 		return err
 	}
@@ -307,7 +333,7 @@ var metricsArgs struct {
 func runDaemonMetrics(ctx context.Context, args []string) error {
 	last := map[string]int64{}
 	for {
-		out, err := tailscale.DaemonMetrics(ctx)
+		out, err := localClient.DaemonMetrics(ctx)
 		if err != nil {
 			return err
 		}

cmd/tailscale/cli/down.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 )
 
@@ -26,7 +25,7 @@ func runDown(ctx context.Context, args []string) error {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
 
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return fmt.Errorf("error fetching current status: %w", err)
 	}
@@ -34,7 +33,7 @@ func runDown(ctx context.Context, args []string) error {
 		fmt.Fprintf(Stderr, "Tailscale was already stopped.\n")
 		return nil
 	}
-	_, err = tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
+	_, err = localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
 			WantRunning: false,
 		},

cmd/tailscale/cli/file.go

@@ -24,7 +24,6 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -157,7 +156,7 @@ func runCp(ctx context.Context, args []string) error {
 		if cpArgs.verbose {
 			log.Printf("sending %q to %v/%v/%v ...", name, target, ip, stableID)
 		}
-		err := tailscale.PushFile(ctx, stableID, contentLength, name, fileContents)
+		err := localClient.PushFile(ctx, stableID, contentLength, name, fileContents)
 		if err != nil {
 			return err
 		}
@@ -173,7 +172,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 	if err != nil {
 		return "", false, err
 	}
-	fts, err := tailscale.FileTargets(ctx)
+	fts, err := localClient.FileTargets(ctx)
 	if err != nil {
 		return "", false, err
 	}
@@ -194,7 +193,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 // invalid file sharing target.
 func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
 	found := false
-	if st, err := tailscale.Status(ctx); err == nil && st.Self != nil {
+	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
 		for _, peer := range st.Peer {
 			for _, pip := range peer.TailscaleIPs {
 				if pip == ip {
@@ -261,7 +260,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("invalid arguments with --targets")
 	}
-	fts, err := tailscale.FileTargets(ctx)
+	fts, err := localClient.FileTargets(ctx)
 	if err != nil {
 		return err
 	}
@@ -385,7 +384,7 @@ func openFileOrSubstitute(dir, base string, action onConflict) (*os.File, error)
 }
 
 func receiveFile(ctx context.Context, wf apitype.WaitingFile, dir string) (targetFile string, size int64, err error) {
-	rc, size, err := tailscale.GetWaitingFile(ctx, wf.Name)
+	rc, size, err := localClient.GetWaitingFile(ctx, wf.Name)
 	if err != nil {
 		return "", 0, fmt.Errorf("opening inbox file %q: %w", wf.Name, err)
 	}
@@ -407,7 +406,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 	var err error
 	var errs []error
 	for len(errs) == 0 {
-		wfs, err = tailscale.WaitingFiles(ctx)
+		wfs, err = localClient.WaitingFiles(ctx)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("getting WaitingFiles: %w", err))
 			break
@@ -428,7 +427,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 		if len(errs) > 100 {
 			// Likely, everything is broken.
 			// Don't try to receive any more files in this batch.
-			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs) - i))
+			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs)-i))
 			break
 		}
 		writtenFile, size, err := receiveFile(ctx, wf, dir)
@@ -439,7 +438,7 @@ func runFileGetOneBatch(ctx context.Context, dir string) []error {
 		if getArgs.verbose {
 			printf("wrote %v as %v (%d bytes)\n", wf.Name, writtenFile, size)
 		}
-		if err = tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
+		if err = localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
 			errs = append(errs, fmt.Errorf("deleting %q from inbox: %v", wf.Name, err))
 			continue
 		}
@@ -503,7 +502,7 @@ func wipeInbox(ctx context.Context) error {
 	if getArgs.wait {
 		return errors.New("can't use --wait with /dev/null target")
 	}
-	wfs, err := tailscale.WaitingFiles(ctx)
+	wfs, err := localClient.WaitingFiles(ctx)
 	if err != nil {
 		return fmt.Errorf("getting WaitingFiles: %w", err)
 	}
@@ -512,7 +511,7 @@ func wipeInbox(ctx context.Context) error {
 		if getArgs.verbose {
 			log.Printf("deleting %v ...", wf.Name)
 		}
-		if err := tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
+		if err := localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
 			return fmt.Errorf("deleting %q: %v", wf.Name, err)
 		}
 		deleted++

cmd/tailscale/cli/id-token.go

@@ -10,7 +10,6 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )
 
 var idTokenCmd = &ffcli.Command{
@@ -25,7 +24,7 @@ func runIDToken(ctx context.Context, args []string) error {
 		return errors.New("usage: id-token <aud>")
 	}
 
-	tr, err := tailscale.IDToken(ctx, args[0])
+	tr, err := localClient.IDToken(ctx, args[0])
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/ip.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn/ipnstate"
 )
 
@@ -59,7 +58,7 @@ func runIP(ctx context.Context, args []string) error {
 	if !v4 && !v6 {
 		v4, v6 = true, true
 	}
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/logout.go

@@ -10,7 +10,6 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )
 
 var logoutCmd = &ffcli.Command{
@@ -30,5 +29,5 @@ func runLogout(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
-	return tailscale.Logout(ctx)
+	return localClient.Logout(ctx)
 }

cmd/tailscale/cli/nc.go

@@ -13,7 +13,6 @@ import (
 	"strconv"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )
 
 var ncCmd = &ffcli.Command{
@@ -24,7 +23,7 @@ var ncCmd = &ffcli.Command{
 }
 
 func runNC(ctx context.Context, args []string) error {
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -45,7 +44,7 @@ func runNC(ctx context.Context, args []string) error {
 	}
 
 	// TODO(bradfitz): also add UDP too, via flag?
-	c, err := tailscale.DialTCP(ctx, hostOrIP, uint16(port))
+	c, err := localClient.DialTCP(ctx, hostOrIP, uint16(port))
 	if err != nil {
 		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, port, err)
 	}

cmd/tailscale/cli/netcheck.go

@@ -18,7 +18,6 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
@@ -63,7 +62,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		fmt.Fprintln(Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}
 
-	dm, err := tailscale.CurrentDERPMap(ctx)
+	dm, err := localClient.CurrentDERPMap(ctx)
 	noRegions := dm != nil && len(dm.Regions) == 0
 	if noRegions {
 		log.Printf("No DERP map from tailscaled; using default.")

cmd/tailscale/cli/ping.go

@@ -16,9 +16,9 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
+	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 )
 
 var pingCmd = &ffcli.Command{
@@ -27,7 +27,7 @@ var pingCmd = &ffcli.Command{
 	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
 	LongHelp: strings.TrimSpace(`
 
-The 'tailscale ping' command pings a peer node at the Tailscale layer
+The 'tailscale ping' command pings a peer node from the Tailscale layer
 and reports which route it took for each response. The first ping or
 so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
 traversal finds a direct path through.
@@ -49,7 +49,8 @@ relay node.
 		fs := newFlagSet("ping")
 		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
 		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
-		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through IP + wireguard, but not involving host OS stack)")
+		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
+		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
 		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
 		return fs
@@ -61,11 +62,22 @@ var pingArgs struct {
 	untilDirect bool
 	verbose     bool
 	tsmp        bool
+	icmp        bool
 	timeout     time.Duration
 }
 
+func pingType() tailcfg.PingType {
+	if pingArgs.tsmp {
+		return tailcfg.PingTSMP
+	}
+	if pingArgs.icmp {
+		return tailcfg.PingICMP
+	}
+	return tailcfg.PingDisco
+}
+
 func runPing(ctx context.Context, args []string) error {
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -75,24 +87,10 @@ func runPing(ctx context.Context, args []string) error {
 		os.Exit(1)
 	}
 
-	c, bc, ctx, cancel := connect(ctx)
-	defer cancel()
-
 	if len(args) != 1 || args[0] == "" {
 		return errors.New("usage: ping <hostname-or-IP>")
 	}
 	var ip string
-	prc := make(chan *ipnstate.PingResult, 1)
-	bc.SetNotifyCallback(func(n ipn.Notify) {
-		if n.ErrMessage != nil {
-			fatalf("Notify.ErrMessage: %v", *n.ErrMessage)
-		}
-		if pr := n.PingResult; pr != nil && pr.IP == ip {
-			prc <- pr
-		}
-	})
-	pumpErr := make(chan error, 1)
-	go func() { pumpErr <- pump(ctx, bc, c) }()
 
 	hostOrIP := args[0]
 	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
@@ -112,48 +110,47 @@ func runPing(ctx context.Context, args []string) error {
 	anyPong := false
 	for {
 		n++
-		bc.Ping(ip, pingArgs.tsmp)
-		timer := time.NewTimer(pingArgs.timeout)
-		select {
-		case <-timer.C:
-			printf("timeout waiting for ping reply\n")
-		case err := <-pumpErr:
+		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
+		pr, err := localClient.Ping(ctx, netaddr.MustParseIP(ip), pingType())
+		cancel()
+		if err != nil {
+			if errors.Is(err, context.DeadlineExceeded) {
+				printf("ping %q timed out\n", ip)
+				continue
+			}
 			return err
-		case pr := <-prc:
-			timer.Stop()
-			if pr.Err != "" {
-				if pr.IsLocalIP {
-					outln(pr.Err)
-					return nil
-				}
-				return errors.New(pr.Err)
-			}
-			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
-			via := pr.Endpoint
-			if pr.DERPRegionID != 0 {
-				via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
-			}
-			if pingArgs.tsmp {
-				// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
-				// For now just say it came via TSMP.
-				via = "TSMP"
-			}
-			anyPong = true
-			extra := ""
-			if pr.PeerAPIPort != 0 {
-				extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
-			}
-			printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
-			if pingArgs.tsmp {
-				return nil
-			}
-			if pr.Endpoint != "" && pingArgs.untilDirect {
-				return nil
-			}
-			time.Sleep(time.Second)
-		case <-ctx.Done():
-			return ctx.Err()
 		}
+		if pr.Err != "" {
+			if pr.IsLocalIP {
+				outln(pr.Err)
+				return nil
+			}
+			return errors.New(pr.Err)
+		}
+		latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
+		via := pr.Endpoint
+		if pr.DERPRegionID != 0 {
+			via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
+		}
+		if via == "" {
+			// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
+			// For now just say which protocol it used.
+			via = string(pingType())
+		}
+		anyPong = true
+		extra := ""
+		if pr.PeerAPIPort != 0 {
+			extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
+		}
+		printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
+		if pingArgs.tsmp || pingArgs.icmp {
+			return nil
+		}
+		if pr.Endpoint != "" && pingArgs.untilDirect {
+			return nil
+		}
+		time.Sleep(time.Second)
+
 		if n == pingArgs.num {
 			if !anyPong {
 				return errors.New("no reply")
@@ -173,7 +170,7 @@ func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, self b
 	}
 
 	// Otherwise, try to resolve it first from the network peer list.
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return "", false, err
 	}

cmd/tailscale/cli/ssh.go

@@ -18,10 +18,8 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/alessio/shellescape"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 )
@@ -48,7 +46,7 @@ func runSSH(ctx context.Context, args []string) error {
 		username = lu.Username
 	}
 
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return err
 	}
@@ -76,38 +74,52 @@ func runSSH(ctx context.Context, args []string) error {
 		return err
 	}
 
-	argv := append([]string{
-		ssh,
+	argv := []string{ssh}
 
+	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
+		argv = append(argv, "-vvv")
+	}
+	argv = append(argv,
 		// Only trust SSH hosts that we know about.
-		"-o", fmt.Sprintf("UserKnownHostsFile %s",
-			shellescape.Quote(knownHostsFile),
-		),
+		"-o", fmt.Sprintf("UserKnownHostsFile %q", knownHostsFile),
 		"-o", "UpdateHostKeys no",
 		"-o", "StrictHostKeyChecking yes",
+	)
 
-		"-o", fmt.Sprintf("ProxyCommand %s --socket=%s nc %%h %%p",
-			shellescape.Quote(tailscaleBin),
-			shellescape.Quote(rootArgs.socket),
-		),
+	// TODO(bradfitz): nc is currently broken on macOS:
+	// https://github.com/tailscale/tailscale/issues/4529
+	// So don't use it for now. MagicDNS is usually working on macOS anyway
+	// and they're not in userspace mode, so 'nc' isn't very useful.
+	if runtime.GOOS != "darwin" {
+		argv = append(argv,
+			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
+				tailscaleBin,
+				rootArgs.socket,
+			))
+	}
 
-		// Explicitly rebuild the user@host argument rather than
-		// passing it through.  In general, the use of OpenSSH's ssh
-		// binary is a crutch for now.  We don't want to be
-		// Hyrum-locked into passing through all OpenSSH flags to the
-		// OpenSSH client forever. We try to make our flags and args
-		// be compatible, but only a subset. The "tailscale ssh"
-		// command should be a simple and portable one. If they want
-		// to use a different one, we'll later be making stock ssh
-		// work well by default too. (doing things like automatically
-		// setting known_hosts, etc)
-		username + "@" + hostForSSH,
-	}, argRest...)
+	// Explicitly rebuild the user@host argument rather than
+	// passing it through.  In general, the use of OpenSSH's ssh
+	// binary is a crutch for now.  We don't want to be
+	// Hyrum-locked into passing through all OpenSSH flags to the
+	// OpenSSH client forever. We try to make our flags and args
+	// be compatible, but only a subset. The "tailscale ssh"
+	// command should be a simple and portable one. If they want
+	// to use a different one, we'll later be making stock ssh
+	// work well by default too. (doing things like automatically
+	// setting known_hosts, etc)
+	argv = append(argv, username+"@"+hostForSSH)
+
+	argv = append(argv, argRest...)
+
+	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
+		log.Printf("Running: %q, %q ...", ssh, argv)
+	}
 
 	if runtime.GOOS == "windows" {
 		// Don't use syscall.Exec on Windows.
 		cmd := exec.Command(ssh, argv[1:]...)
-		cmd.Stderr = os.Stderr
+		cmd.Stdin = os.Stdin
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		var ee *exec.ExitError
@@ -118,9 +130,6 @@ func runSSH(ctx context.Context, args []string) error {
 		return err
 	}
 
-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		log.Printf("Running: %q, %q ...", ssh, argv)
-	}
 	if err := syscall.Exec(ssh, argv, os.Environ()); err != nil {
 		return err
 	}

cmd/tailscale/cli/status.go

@@ -19,7 +19,6 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -73,9 +72,9 @@ func runStatus(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unexpected non-flag arguments to 'tailscale status'")
 	}
-	getStatus := tailscale.Status
+	getStatus := localClient.Status
 	if !statusArgs.peers {
-		getStatus = tailscale.StatusWithoutPeers
+		getStatus = localClient.StatusWithoutPeers
 	}
 	st, err := getStatus(ctx)
 	if err != nil {
@@ -115,7 +114,7 @@ func runStatus(ctx context.Context, args []string) error {
 				http.NotFound(w, r)
 				return
 			}
-			st, err := tailscale.Status(ctx)
+			st, err := localClient.Status(ctx)
 			if err != nil {
 				http.Error(w, err.Error(), 500)
 				return

cmd/tailscale/cli/up.go

@@ -24,7 +24,6 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -52,7 +51,7 @@ down").
 If flags are specified, the flags must be the complete set of desired
 settings. An error is returned if any setting would be changed as a
 result of an unspecified flag's default value, unless the --reset flag
-is also used. (The flags --authkey, --force-reauth, and --qr are not
+is also used. (The flags --auth-key, --force-reauth, and --qr are not
 considered settings that need to be re-specified when modifying
 settings.)
 `),
@@ -406,7 +405,7 @@ func runUp(ctx context.Context, args []string) error {
 		fatalf("too many non-flag arguments: %q", args)
 	}
 
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -447,12 +446,12 @@ func runUp(ctx context.Context, args []string) error {
 	}
 
 	if len(prefs.AdvertiseRoutes) > 0 {
-		if err := tailscale.CheckIPForwarding(context.Background()); err != nil {
+		if err := localClient.CheckIPForwarding(context.Background()); err != nil {
 			warnf("%v", err)
 		}
 	}
 
-	curPrefs, err := tailscale.GetPrefs(ctx)
+	curPrefs, err := localClient.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -471,7 +470,7 @@ func runUp(ctx context.Context, args []string) error {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		_, err := tailscale.EditPrefs(ctx, justEditMP)
+		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}
 
@@ -582,7 +581,7 @@ func runUp(ctx context.Context, args []string) error {
 	// Special case: bare "tailscale up" means to just start
 	// running, if there's ever been a login.
 	if simpleUp {
-		_, err := tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
+		_, err := localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
 			Prefs: ipn.Prefs{
 				WantRunning: true,
 			},
@@ -592,7 +591,7 @@ func runUp(ctx context.Context, args []string) error {
 			return err
 		}
 	} else {
-		if err := tailscale.CheckPrefs(ctx, prefs); err != nil {
+		if err := localClient.CheckPrefs(ctx, prefs); err != nil {
 			return err
 		}
 

cmd/tailscale/cli/version.go

@@ -10,7 +10,6 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/version"
 )
 
@@ -41,7 +40,7 @@ func runVersion(ctx context.Context, args []string) error {
 
 	printf("Client: %s\n", version.String())
 
-	st, err := tailscale.StatusWithoutPeers(ctx)
+	st, err := localClient.StatusWithoutPeers(ctx)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/web.go

@@ -28,7 +28,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
@@ -318,7 +317,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
-		prefs, err := tailscale.GetPrefs(r.Context())
+		prefs, err := localClient.GetPrefs(r.Context())
 		if err != nil && !postData.Reauthenticate {
 			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
@@ -348,12 +347,12 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	st, err := tailscale.Status(r.Context())
+	st, err := localClient.Status(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	prefs, err := tailscale.GetPrefs(r.Context())
+	prefs, err := localClient.GetPrefs(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -406,7 +405,7 @@ func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authU
 		prefs.NetfilterMode = preftype.NetfilterOff
 	}
 
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return "", fmt.Errorf("can't fetch status: %v", err)
 	}

cmd/tailscale/depaware.txt

@@ -1,6 +1,5 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
 
-        github.com/alessio/shellescape                               from tailscale.com/cmd/tailscale/cli
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy

cmd/tailscaled/depaware.txt

@@ -82,6 +82,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
         github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
         github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
+        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
+  LD    github.com/kr/fs                                             from github.com/pkg/sftp
    L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
    L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
@@ -89,6 +91,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
    W    github.com/pkg/errors                                        from github.com/tailscale/certstore
+  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
+  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
    W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
   LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
   LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
@@ -261,6 +265,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
         tailscale.com/util/multierr                                  from tailscale.com/cmd/tailscaled+
         tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
         tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
@@ -270,7 +275,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
         tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
    W 💣 tailscale.com/util/winutil/vss                               from tailscale.com/util/winutil
-        tailscale.com/version                                        from tailscale.com/client/tailscale+
+        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
         tailscale.com/version/distro                                 from tailscale.com/cmd/tailscaled+
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
@@ -298,7 +303,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh
+  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -318,6 +323,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
    W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
    W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
    W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
         golang.org/x/term                                            from tailscale.com/logpolicy
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna

cmd/tailscaled/ssh.go

@@ -9,4 +9,3 @@ package main
 
 // Force registration of tailssh with LocalBackend.
 import _ "tailscale.com/ssh/tailssh"
-

cmd/tailscaled/tailscaled.go

@@ -332,6 +332,7 @@ func run() error {
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)
 
 	dialer := new(tsdial.Dialer) // mutated below (before used)
+	dialer.Logf = logf
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
@@ -341,7 +342,7 @@ func run() error {
 	}
 	if debugMux != nil {
 		if ig, ok := e.(wgengine.InternalsGetter); ok {
-			if _, mc, ok := ig.GetInternals(); ok {
+			if _, mc, _, ok := ig.GetInternals(); ok {
 				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
 			}
 		}
@@ -394,6 +395,7 @@ func run() error {
 	// want to keep running.
 	signal.Ignore(syscall.SIGPIPE)
 	go func() {
+		defer dialer.Close()
 		select {
 		case s := <-interrupt:
 			logf("tailscaled got signal %v; shutting down", s)
@@ -564,11 +566,11 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 }
 
 func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
-	tunDev, magicConn, ok := e.(wgengine.InternalsGetter).GetInternals()
+	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
 	if !ok {
 		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
 	}
-	return netstack.Create(logf, tunDev, e, magicConn, dialer)
+	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
 }
 
 // mustStartProxyListeners creates listeners for local SOCKS and HTTP

cmd/tailscaled/tailscaled_windows.go

@@ -30,6 +30,7 @@ import (
 
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
+	"golang.org/x/sys/windows/svc/eventlog"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
 	"tailscale.com/envknob"
@@ -60,12 +61,31 @@ func isWindowsService() bool {
 	return v
 }
 
+// syslogf is a logger function that writes to the Windows event log (ie, the
+// one that you see in the Windows Event Viewer). tailscaled may optionally
+// generate diagnostic messages in the same event timeline as the Windows
+// Service Control Manager to assist with diagnosing issues with tailscaled's
+// lifetime (such as slow shutdowns).
+var syslogf logger.Logf = logger.Discard
+
 // runWindowsService starts running Tailscale under the Windows
 // Service environment.
 //
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
+	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
+		syslog, err := eventlog.Open(serviceName)
+		if err == nil {
+			syslogf = func(format string, args ...any) {
+				syslog.Info(0, fmt.Sprintf(format, args...))
+			}
+			defer syslog.Close()
+		}
+	}
+
+	syslogf("Service entering svc.Run")
+	defer syslogf("Service exiting svc.Run")
 	return svc.Run(serviceName, &ipnService{Policy: pol})
 }
 
@@ -75,7 +95,10 @@ type ipnService struct {
 
 // Called by Windows to execute the windows service.
 func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) {
+	defer syslogf("SvcStopped notification imminent")
+
 	changes <- svc.Status{State: svc.StartPending}
+	syslogf("Service start pending")
 
 	svcAccepts := svc.AcceptStop
 	if winutil.GetPolicyInteger("FlushDNSOnSessionUnlock", 0) != 0 {
@@ -98,26 +121,29 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	}()
 
 	changes <- svc.Status{State: svc.Running, Accepts: svcAccepts}
+	syslogf("Service running")
 
-	for ctx.Err() == nil {
+	for {
 		select {
 		case <-doneCh:
+			return false, windows.NO_ERROR
 		case cmd := <-r:
 			log.Printf("Got Windows Service event: %v", cmdName(cmd.Cmd))
 			switch cmd.Cmd {
 			case svc.Stop:
-				cancel()
+				changes <- svc.Status{State: svc.StopPending}
+				syslogf("Service stop pending")
+				cancel() // so BabysitProc will kill the child process
 			case svc.Interrogate:
+				syslogf("Service interrogation")
 				changes <- cmd.CurrentStatus
 			case svc.SessionChange:
+				syslogf("Service session change notification")
 				handleSessionChange(cmd)
 				changes <- cmd.CurrentStatus
 			}
 		}
 	}
-
-	changes <- svc.Status{State: svc.StopPending}
-	return false, windows.NO_ERROR
 }
 
 func cmdName(c svc.Cmd) string {

cmd/viewer/tests/tests.go

@@ -0,0 +1,48 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package tests serves a list of tests for tailscale.com/cmd/viewer.
+package tests
+
+import (
+	"fmt"
+
+	"inet.af/netaddr"
+)
+
+//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
+
+type StructWithoutPtrs struct {
+	Int int
+	Pfx netaddr.IPPrefix
+}
+
+type Map struct {
+	M map[string]int
+}
+
+type StructWithPtrs struct {
+	Value *StructWithoutPtrs
+	Int   *int
+
+	NoCloneValue *StructWithoutPtrs `codegen:"noclone"`
+}
+
+func (v *StructWithPtrs) String() string { return fmt.Sprintf("%v", v.Int) }
+
+func (v *StructWithPtrs) Equal(v2 *StructWithPtrs) bool {
+	return v.Value == v2.Value
+}
+
+type StructWithSlices struct {
+	Values         []StructWithoutPtrs
+	ValuePointers  []*StructWithoutPtrs
+	StructPointers []*StructWithPtrs
+	Structs        []StructWithPtrs
+	Ints           []*int
+
+	Slice    []string
+	Prefixes []netaddr.IPPrefix
+	Data     []byte
+}

cmd/viewer/tests/tests_clone.go

@@ -0,0 +1,120 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+
+package tests
+
+import (
+	"inet.af/netaddr"
+)
+
+// Clone makes a deep copy of StructWithPtrs.
+// The result aliases no memory with the original.
+func (src *StructWithPtrs) Clone() *StructWithPtrs {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithPtrs)
+	*dst = *src
+	if dst.Value != nil {
+		dst.Value = new(StructWithoutPtrs)
+		*dst.Value = *src.Value
+	}
+	if dst.Int != nil {
+		dst.Int = new(int)
+		*dst.Int = *src.Int
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithPtrsCloneNeedsRegeneration = StructWithPtrs(struct {
+	Value        *StructWithoutPtrs
+	Int          *int
+	NoCloneValue *StructWithoutPtrs
+}{})
+
+// Clone makes a deep copy of StructWithoutPtrs.
+// The result aliases no memory with the original.
+func (src *StructWithoutPtrs) Clone() *StructWithoutPtrs {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithoutPtrs)
+	*dst = *src
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithoutPtrsCloneNeedsRegeneration = StructWithoutPtrs(struct {
+	Int int
+	Pfx netaddr.IPPrefix
+}{})
+
+// Clone makes a deep copy of Map.
+// The result aliases no memory with the original.
+func (src *Map) Clone() *Map {
+	if src == nil {
+		return nil
+	}
+	dst := new(Map)
+	*dst = *src
+	if dst.M != nil {
+		dst.M = map[string]int{}
+		for k, v := range src.M {
+			dst.M[k] = v
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _MapCloneNeedsRegeneration = Map(struct {
+	M map[string]int
+}{})
+
+// Clone makes a deep copy of StructWithSlices.
+// The result aliases no memory with the original.
+func (src *StructWithSlices) Clone() *StructWithSlices {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithSlices)
+	*dst = *src
+	dst.Values = append(src.Values[:0:0], src.Values...)
+	dst.ValuePointers = make([]*StructWithoutPtrs, len(src.ValuePointers))
+	for i := range dst.ValuePointers {
+		dst.ValuePointers[i] = src.ValuePointers[i].Clone()
+	}
+	dst.StructPointers = make([]*StructWithPtrs, len(src.StructPointers))
+	for i := range dst.StructPointers {
+		dst.StructPointers[i] = src.StructPointers[i].Clone()
+	}
+	dst.Structs = make([]StructWithPtrs, len(src.Structs))
+	for i := range dst.Structs {
+		dst.Structs[i] = *src.Structs[i].Clone()
+	}
+	dst.Ints = make([]*int, len(src.Ints))
+	for i := range dst.Ints {
+		x := *src.Ints[i]
+		dst.Ints[i] = &x
+	}
+	dst.Slice = append(src.Slice[:0:0], src.Slice...)
+	dst.Prefixes = append(src.Prefixes[:0:0], src.Prefixes...)
+	dst.Data = append(src.Data[:0:0], src.Data...)
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithSlicesCloneNeedsRegeneration = StructWithSlices(struct {
+	Values         []StructWithoutPtrs
+	ValuePointers  []*StructWithoutPtrs
+	StructPointers []*StructWithPtrs
+	Structs        []StructWithPtrs
+	Ints           []*int
+	Slice          []string
+	Prefixes       []netaddr.IPPrefix
+	Data           []byte
+}{})

cmd/viewer/tests/tests_view.go

@@ -0,0 +1,268 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale/cmd/viewer; DO NOT EDIT.
+
+package tests
+
+import (
+	"encoding/json"
+	"errors"
+
+	"go4.org/mem"
+	"inet.af/netaddr"
+	"tailscale.com/types/views"
+)
+
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
+
+// View returns a readonly view of StructWithPtrs.
+func (p *StructWithPtrs) View() StructWithPtrsView {
+	return StructWithPtrsView{ж: p}
+}
+
+// StructWithPtrsView provides a read-only view over StructWithPtrs.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithPtrsView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithPtrs
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithPtrsView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithPtrsView) AsStruct() *StructWithPtrs {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithPtrsView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithPtrsView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithPtrs
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithPtrsView) Value() *StructWithoutPtrs {
+	if v.ж.Value == nil {
+		return nil
+	}
+	x := *v.ж.Value
+	return &x
+}
+
+func (v StructWithPtrsView) Int() *int {
+	if v.ж.Int == nil {
+		return nil
+	}
+	x := *v.ж.Int
+	return &x
+}
+
+func (v StructWithPtrsView) NoCloneValue() *StructWithoutPtrs { return v.ж.NoCloneValue }
+func (v StructWithPtrsView) String() string                   { return v.ж.String() }
+func (v StructWithPtrsView) Equal(v2 StructWithPtrsView) bool { return v.ж.Equal(v2.ж) }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithPtrsViewNeedsRegeneration = StructWithPtrs(struct {
+	Value        *StructWithoutPtrs
+	Int          *int
+	NoCloneValue *StructWithoutPtrs
+}{})
+
+// View returns a readonly view of StructWithoutPtrs.
+func (p *StructWithoutPtrs) View() StructWithoutPtrsView {
+	return StructWithoutPtrsView{ж: p}
+}
+
+// StructWithoutPtrsView provides a read-only view over StructWithoutPtrs.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithoutPtrsView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithoutPtrs
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithoutPtrsView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithoutPtrsView) AsStruct() *StructWithoutPtrs {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithoutPtrsView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithoutPtrsView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithoutPtrs
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithoutPtrsView) Int() int              { return v.ж.Int }
+func (v StructWithoutPtrsView) Pfx() netaddr.IPPrefix { return v.ж.Pfx }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithoutPtrsViewNeedsRegeneration = StructWithoutPtrs(struct {
+	Int int
+	Pfx netaddr.IPPrefix
+}{})
+
+// View returns a readonly view of Map.
+func (p *Map) View() MapView {
+	return MapView{ж: p}
+}
+
+// MapView provides a read-only view over Map.
+//
+// Its methods should only be called if `Valid()` returns true.
+type MapView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Map
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v MapView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v MapView) AsStruct() *Map {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v MapView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *MapView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x Map
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _MapViewNeedsRegeneration = Map(struct {
+	M map[string]int
+}{})
+
+// View returns a readonly view of StructWithSlices.
+func (p *StructWithSlices) View() StructWithSlicesView {
+	return StructWithSlicesView{ж: p}
+}
+
+// StructWithSlicesView provides a read-only view over StructWithSlices.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithSlicesView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithSlices
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithSlicesView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithSlicesView) AsStruct() *StructWithSlices {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithSlicesView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithSlicesView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithSlices
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithSlicesView) Values() views.Slice[StructWithoutPtrs] {
+	return views.SliceOf(v.ж.Values)
+}
+func (v StructWithSlicesView) ValuePointers() views.SliceView[*StructWithoutPtrs, StructWithoutPtrsView] {
+	return views.SliceOfViews[*StructWithoutPtrs, StructWithoutPtrsView](v.ж.ValuePointers)
+}
+func (v StructWithSlicesView) StructPointers() views.SliceView[*StructWithPtrs, StructWithPtrsView] {
+	return views.SliceOfViews[*StructWithPtrs, StructWithPtrsView](v.ж.StructPointers)
+}
+func (v StructWithSlicesView) Structs() StructWithPtrs    { panic("unsupported") }
+func (v StructWithSlicesView) Ints() *int                 { panic("unsupported") }
+func (v StructWithSlicesView) Slice() views.Slice[string] { return views.SliceOf(v.ж.Slice) }
+func (v StructWithSlicesView) Prefixes() views.IPPrefixSlice {
+	return views.IPPrefixSliceOf(v.ж.Prefixes)
+}
+func (v StructWithSlicesView) Data() mem.RO { return mem.B(v.ж.Data) }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
+	Values         []StructWithoutPtrs
+	ValuePointers  []*StructWithoutPtrs
+	StructPointers []*StructWithPtrs
+	Structs        []StructWithPtrs
+	Ints           []*int
+	Slice          []string
+	Prefixes       []netaddr.IPPrefix
+	Data           []byte
+}{})

cmd/viewer/viewer.go

@@ -0,0 +1,316 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Viewer is a tool to automate the creation of "view" wrapper types that
+// provide read-only accessor methods to underlying fields.
+package main
+
+import (
+	"bytes"
+	"flag"
+	"fmt"
+	"go/types"
+	"html/template"
+	"log"
+	"os"
+	"strings"
+
+	"tailscale.com/util/codegen"
+)
+
+const viewTemplateStr = `{{define "common"}}
+// View returns a readonly view of {{.StructName}}.
+func (p *{{.StructName}}) View() {{.ViewName}} {
+	return {{.ViewName}}{ж: p}
+}
+
+// {{.ViewName}} provides a read-only view over {{.StructName}}.
+//
+// Its methods should only be called if ` + "`Valid()`" + ` returns true.
+type {{.ViewName}} struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *{{.StructName}}
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v {{.ViewName}}) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v {{.ViewName}}) AsStruct() *{{.StructName}}{ 
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v {{.ViewName}}) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *{{.ViewName}}) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x {{.StructName}}
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж=&x
+	return nil
+}
+
+{{end}}
+{{define "valueField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} { return v.ж.{{.FieldName}} }
+{{end}}
+{{define "byteSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() mem.RO { return mem.B(v.ж.{{.FieldName}}) }
+{{end}}
+{{define "ipPrefixSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.IPPrefixSlice { return views.IPPrefixSliceOf(v.ж.{{.FieldName}}) }
+{{end}}
+{{define "sliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.Slice[{{.FieldType}}] { return views.SliceOf(v.ж.{{.FieldName}}) }
+{{end}}
+{{define "viewSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.SliceView[{{.FieldType}},{{.FieldViewName}}] { return views.SliceOfViews[{{.FieldType}},{{.FieldViewName}}](v.ж.{{.FieldName}}) }
+{{end}}
+{{define "viewField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}}View { return v.ж.{{.FieldName}}.View() }
+{{end}}
+{{define "valuePointerField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {
+	if v.ж.{{.FieldName}} == nil {
+		return nil
+	}
+	x := *v.ж.{{.FieldName}}
+	return &x
+}
+
+{{end}}
+{{define "mapField"}}
+// Unsupported, panics.
+func(v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {panic("unsupported")}
+{{end}}
+{{define "unsupportedField"}}func(v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {panic("unsupported")}
+{{end}}
+{{define "stringFunc"}}func(v {{.ViewName}}) String() string { return v.ж.String() }
+{{end}}
+{{define "equalFunc"}}func(v {{.ViewName}}) Equal(v2 {{.ViewName}}) bool { return v.ж.Equal(v2.ж) }
+{{end}}
+`
+
+var viewTemplate *template.Template
+
+func init() {
+	viewTemplate = template.Must(template.New("view").Parse(viewTemplateStr))
+}
+
+func requiresCloning(t types.Type) (shallow, deep bool, base types.Type) {
+	switch v := t.(type) {
+	case *types.Pointer:
+		_, deep, base = requiresCloning(v.Elem())
+		return true, deep, base
+	case *types.Slice:
+		_, deep, base = requiresCloning(v.Elem())
+		return true, deep, base
+	}
+	p := codegen.ContainsPointers(t)
+	return p, p, t
+}
+
+func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thisPkg *types.Package) {
+	t, ok := typ.Underlying().(*types.Struct)
+	if !ok || codegen.IsViewType(t) {
+		return
+	}
+	it.Import("encoding/json")
+	it.Import("errors")
+
+	args := struct {
+		StructName    string
+		ViewName      string
+		FieldName     string
+		FieldType     string
+		FieldViewName string
+	}{
+		StructName: typ.Obj().Name(),
+		ViewName:   typ.Obj().Name() + "View",
+	}
+
+	writeTemplate := func(name string) {
+		if err := viewTemplate.ExecuteTemplate(buf, name, args); err != nil {
+			log.Fatal(err)
+		}
+	}
+	writeTemplate("common")
+	for i := 0; i < t.NumFields(); i++ {
+		f := t.Field(i)
+		fname := f.Name()
+		if !f.Exported() {
+			continue
+		}
+		args.FieldName = fname
+		fieldType := f.Type()
+		if codegen.IsInvalid(fieldType) {
+			continue
+		}
+		if !codegen.ContainsPointers(fieldType) || codegen.IsViewType(fieldType) || codegen.HasNoClone(t.Tag(i)) {
+			args.FieldType = it.QualifiedName(fieldType)
+			writeTemplate("valueField")
+			continue
+		}
+		switch underlying := fieldType.Underlying().(type) {
+		case *types.Slice:
+			slice := underlying
+			elem := slice.Elem()
+			args.FieldType = it.QualifiedName(elem)
+			switch elem.String() {
+			case "byte":
+				it.Import("go4.org/mem")
+				writeTemplate("byteSliceField")
+			case "inet.af/netaddr.IPPrefix":
+				it.Import("tailscale.com/types/views")
+				writeTemplate("ipPrefixSliceField")
+			default:
+				it.Import("tailscale.com/types/views")
+				shallow, deep, base := requiresCloning(elem)
+				if deep {
+					if _, isPtr := elem.(*types.Pointer); isPtr {
+						args.FieldViewName = it.QualifiedName(base) + "View"
+						writeTemplate("viewSliceField")
+					} else {
+						writeTemplate("unsupportedField")
+					}
+					continue
+				} else if shallow {
+					if _, isBasic := base.(*types.Basic); isBasic {
+						writeTemplate("unsupportedField")
+					} else {
+						args.FieldViewName = it.QualifiedName(base) + "View"
+						writeTemplate("viewSliceField")
+					}
+					continue
+				}
+				writeTemplate("sliceField")
+			}
+			continue
+		case *types.Struct:
+			strucT := underlying
+			args.FieldType = it.QualifiedName(fieldType)
+			if codegen.ContainsPointers(strucT) {
+				writeTemplate("viewField")
+				continue
+			}
+			writeTemplate("valueField")
+			continue
+		case *types.Map:
+			// TODO(maisem): support this.
+			// args.FieldType = importedName(ft)
+			// writeTemplate("mapField")
+			continue
+		case *types.Pointer:
+			ptr := underlying
+			_, deep, base := requiresCloning(ptr)
+			if deep {
+				args.FieldType = it.QualifiedName(base)
+				writeTemplate("viewField")
+			} else {
+				args.FieldType = it.QualifiedName(ptr)
+				writeTemplate("valuePointerField")
+			}
+			continue
+		}
+		writeTemplate("unsupportedField")
+	}
+	for i := 0; i < typ.NumMethods(); i++ {
+		f := typ.Method(i)
+		if !f.Exported() {
+			continue
+		}
+		sig, ok := f.Type().(*types.Signature)
+		if !ok {
+			continue
+		}
+
+		switch f.Name() {
+		case "Clone", "View":
+			continue // "AsStruct"
+		case "String":
+			writeTemplate("stringFunc")
+			continue
+		case "Equal":
+			if sig.Results().Len() == 1 && sig.Results().At(0).Type().String() == "bool" {
+				writeTemplate("equalFunc")
+				continue
+			}
+		}
+	}
+	fmt.Fprintf(buf, "\n")
+	buf.Write(codegen.AssertStructUnchanged(t, args.StructName, "View", it))
+}
+
+var (
+	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
+	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
+	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
+)
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("viewer: ")
+	flag.Parse()
+	if len(*flagTypes) == 0 {
+		flag.Usage()
+		os.Exit(2)
+	}
+	typeNames := strings.Split(*flagTypes, ",")
+
+	var flagArgs []string
+	flagArgs = append(flagArgs, fmt.Sprintf("-clonefunc=%v", *flagCloneFunc))
+	if *flagTypes != "" {
+		flagArgs = append(flagArgs, "-type="+*flagTypes)
+	}
+	if *flagBuildTags != "" {
+		flagArgs = append(flagArgs, "-tags="+*flagBuildTags)
+	}
+	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
+	if err != nil {
+		log.Fatal(err)
+	}
+	it := codegen.NewImportTracker(pkg.Types)
+
+	buf := new(bytes.Buffer)
+	fmt.Fprintf(buf, `//go:generate go run tailscale.com/cmd/cloner  %s`, strings.Join(flagArgs, " "))
+	fmt.Fprintln(buf)
+	runCloner := false
+	for _, typeName := range typeNames {
+		typ, ok := namedTypes[typeName]
+		if !ok {
+			log.Fatalf("could not find type %s", typeName)
+		}
+		var hasClone bool
+		for i, n := 0, typ.NumMethods(); i < n; i++ {
+			if typ.Method(i).Name() == "Clone" {
+				hasClone = true
+				break
+			}
+		}
+		if !hasClone {
+			runCloner = true
+		}
+		genView(buf, it, typ, pkg.Types)
+	}
+	out := pkg.Name + "_view.go"
+	if err := codegen.WritePackageFile("tailscale/cmd/viewer", pkg, out, it, buf); err != nil {
+		log.Fatal(err)
+	}
+	if runCloner {
+		// When a new pacakge is added or when existing generated files have
+		// been deleted, we might run into a case where tailscale.com/cmd/cloner
+		// has not run yet. We detect this by verifying that all the structs we
+		// interacted with have had Clone method already generated. If they
+		// haven't we ask the caller to rerun generation again so that those get
+		// generated.
+		log.Printf("%v requires regeneration. Please run go generate again", pkg.Name+"_clone.go")
+	}
+}

control/controlclient/auto.go

@@ -61,10 +61,9 @@ type Auto struct {
 	loggedIn        bool       // true if currently logged in
 	loginGoal       *LoginGoal // non-nil if some login activity is desired
 	synced          bool       // true if our netmap is up-to-date
-	hostinfo        *tailcfg.Hostinfo
-	inPollNetMap    bool // true if currently running a PollNetMap
-	inLiteMapUpdate bool // true if a lite (non-streaming) map request is outstanding
-	inSendStatus    int  // number of sendStatus calls currently in progress
+	inPollNetMap    bool       // true if currently running a PollNetMap
+	inLiteMapUpdate bool       // true if a lite (non-streaming) map request is outstanding
+	inSendStatus    int        // number of sendStatus calls currently in progress
 	state           State
 
 	authCtx    context.Context // context used for auth requests
@@ -555,9 +554,8 @@ func (c *Auto) SetNetInfo(ni *tailcfg.NetInfo) {
 	if !c.direct.SetNetInfo(ni) {
 		return
 	}
-	c.logf("NetInfo: %v", ni)
 
-	// Send new Hostinfo (which includes NetInfo) to server
+	// Send new NetInfo to server
 	c.sendNewMapRequest()
 }
 
@@ -567,7 +565,6 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	loggedIn := c.loggedIn
 	synced := c.synced
 	statusFunc := c.statusFunc
-	hi := c.hostinfo
 	c.inSendStatus++
 	c.mu.Unlock()
 
@@ -595,7 +592,6 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		URL:            url,
 		Persist:        p,
 		NetMap:         nm,
-		Hostinfo:       hi,
 		State:          state,
 		Err:            err,
 	}

control/controlclient/controlclient_test.go

@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 
 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
+	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)

control/controlclient/direct.go

@@ -38,9 +38,9 @@ import (
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netns"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -57,7 +57,8 @@ import (
 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
 	httpc                  *http.Client // HTTP client used to talk to tailcontrol
-	serverURL              string       // URL of the tailcontrol server
+	dialer                 *tsdial.Dialer
+	serverURL              string // URL of the tailcontrol server
 	timeNow                func() time.Time
 	lastPrintMap           time.Time
 	newDecompressor        func() (Decompressor, error)
@@ -79,12 +80,12 @@ type Direct struct {
 	sfGroup     singleflight.Group // protects noiseClient creation.
 	noiseClient *noiseClient
 
-	persist      persist.Persist
-	authKey      string
-	tryingNewKey key.NodePrivate
-	expiry       *time.Time
-	// hostinfo is mutated in-place while mu is held.
+	persist       persist.Persist
+	authKey       string
+	tryingNewKey  key.NodePrivate
+	expiry        *time.Time
 	hostinfo      *tailcfg.Hostinfo // always non-nil
+	netinfo       *tailcfg.NetInfo
 	endpoints     []tailcfg.Endpoint
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	localPort     uint16 // or zero to mean auto
@@ -106,6 +107,7 @@ type Options struct {
 	DebugFlags           []string         // debug settings to send to control
 	LinkMonitor          *monitor.Mon     // optional link monitor
 	PopBrowserURL        func(url string) // optional func to open browser
+	Dialer               *tsdial.Dialer   // non-nil
 
 	// KeepSharerAndUserSplit controls whether the client
 	// understands Node.Sharer. If false, the Sharer is mapped to the User.
@@ -124,9 +126,9 @@ type Options struct {
 
 // Pinger is a subset of the wgengine.Engine interface, containing just the Ping method.
 type Pinger interface {
-	// Ping is a request to start a discovery or TSMP ping with the peer handling
-	// the given IP and then call cb with its ping latency & method.
-	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
+	// Ping is a request to start a ping with the peer handling the given IP and
+	// then call cb with its ping latency & method.
+	Ping(ip netaddr.IP, pingType tailcfg.PingType, cb func(*ipnstate.PingResult))
 }
 
 type Decompressor interface {
@@ -170,13 +172,12 @@ func NewDirect(opts Options) (*Direct, error) {
 			UseLastGood:      true,
 			LookupIPFallback: dnsfallback.Lookup,
 		}
-		dialer := netns.NewDialer(opts.Logf)
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
 		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
 		tr.TLSClientConfig = tlsdial.Config(serverURL.Hostname(), tr.TLSClientConfig)
-		tr.DialContext = dnscache.Dialer(dialer.DialContext, dnsCache)
-		tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dnsCache, tr.TLSClientConfig)
+		tr.DialContext = dnscache.Dialer(opts.Dialer.SystemDial, dnsCache)
+		tr.DialTLSContext = dnscache.TLSDialer(opts.Dialer.SystemDial, dnsCache, tr.TLSClientConfig)
 		tr.ForceAttemptHTTP2 = true
 		// Disable implicit gzip compression; the various
 		// handlers (register, map, set-dns, etc) do their own
@@ -202,11 +203,17 @@ func NewDirect(opts Options) (*Direct, error) {
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
 		pinger:                 opts.Pinger,
 		popBrowser:             opts.PopBrowserURL,
+		dialer:                 opts.Dialer,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
 	} else {
+		ni := opts.Hostinfo.NetInfo
+		opts.Hostinfo.NetInfo = nil
 		c.SetHostinfo(opts.Hostinfo)
+		if ni != nil {
+			c.SetNetInfo(ni)
+		}
 	}
 	return c, nil
 }
@@ -251,14 +258,11 @@ func (c *Direct) SetNetInfo(ni *tailcfg.NetInfo) bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
-	if c.hostinfo == nil {
-		c.logf("[unexpected] SetNetInfo called with no HostInfo; ignoring NetInfo update: %+v", ni)
+	if reflect.DeepEqual(ni, c.netinfo) {
 		return false
 	}
-	if reflect.DeepEqual(ni, c.hostinfo.NetInfo) {
-		return false
-	}
-	c.hostinfo.NetInfo = ni.Clone()
+	c.netinfo = ni.Clone()
+	c.logf("NetInfo: %v", ni)
 	return true
 }
 
@@ -335,6 +339,14 @@ type httpClient interface {
 	Do(req *http.Request) (*http.Response, error)
 }
 
+// hostInfoLocked returns a Clone of c.hostinfo and c.netinfo.
+// It must only be called with c.mu held.
+func (c *Direct) hostInfoLocked() *tailcfg.Hostinfo {
+	hi := c.hostinfo.Clone()
+	hi.NetInfo = c.netinfo.Clone()
+	return hi
+}
+
 func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
 	c.mu.Lock()
 	persist := c.persist
@@ -342,7 +354,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	serverKey := c.serverKey
 	serverNoiseKey := c.serverNoiseKey
 	authKey := c.authKey
-	hi := c.hostinfo.Clone()
+	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
 	c.mu.Unlock()
@@ -376,7 +388,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		if err != nil {
 			return regen, opt.URL, err
 		}
-		c.logf("control server key %s from %s", serverKey.ShortString(), c.serverURL)
+		c.logf("control server key from %s: ts2021=%s, legacy=%v", c.serverURL, keys.PublicKey.ShortString(), keys.LegacyPublicKey.ShortString())
 
 		c.mu.Lock()
 		c.serverKey = keys.LegacyPublicKey
@@ -644,7 +656,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	serverURL := c.serverURL
 	serverKey := c.serverKey
 	serverNoiseKey := c.serverNoiseKey
-	hi := c.hostinfo.Clone()
+	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	localPort := c.localPort
 	var epStrs []string
@@ -1195,11 +1207,10 @@ func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinge
 		return
 	}
 	for _, t := range strings.Split(pr.Types, ",") {
-		switch t {
-		case "TSMP", "disco":
-			go doPingerPing(logf, c, pr, pinger, t)
+		switch pt := tailcfg.PingType(t); pt {
+		case tailcfg.PingTSMP, tailcfg.PingDisco, tailcfg.PingICMP:
+			go doPingerPing(logf, c, pr, pinger, pt)
 		// TODO(tailscale/corp#754)
-		// case "host":
 		// case "peerapi":
 		default:
 			logf("unsupported ping request type: %q", t)
@@ -1278,7 +1289,7 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 			return nil, err
 		}
 
-		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL)
+		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer)
 		if err != nil {
 			return nil, err
 		}
@@ -1400,13 +1411,13 @@ func (c *Direct) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 
 // doPingerPing sends a Ping to pr.IP using pinger, and sends an http request back to
 // pr.URL with ping response data.
-func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger, pingType string) {
+func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger, pingType tailcfg.PingType) {
 	if pr.URL == "" || pr.IP.IsZero() || pinger == nil {
 		logf("invalid ping request: missing url, ip or pinger")
 		return
 	}
 	start := time.Now()
-	pinger.Ping(pr.IP, pingType == "TSMP", func(res *ipnstate.PingResult) {
+	pinger.Ping(pr.IP, pingType, func(res *ipnstate.PingResult) {
 		// Currently does not check for error since we just return if it fails.
 		postPingResult(start, logf, c, pr, res.ToPingResponse(pingType))
 	})

control/controlclient/direct_test.go

@@ -14,6 +14,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@@ -30,6 +31,7 @@ func TestNewDirect(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
+		Dialer: new(tsdial.Dialer),
 	}
 	c, err := NewDirect(opts)
 	if err != nil {
@@ -106,6 +108,7 @@ func TestTsmpPing(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
+		Dialer: new(tsdial.Dialer),
 	}
 
 	c, err := NewDirect(opts)

control/controlclient/noise.go

@@ -18,8 +18,10 @@ import (
 	"golang.org/x/net/http2"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 )
 
@@ -45,6 +47,7 @@ func (c *noiseConn) Close() error {
 // the ts2021 protocol.
 type noiseClient struct {
 	*http.Client // HTTP client used to talk to tailcontrol
+	dialer       *tsdial.Dialer
 	privKey      key.MachinePrivate
 	serverPubKey key.MachinePublic
 	serverHost   string // the host:port part of serverURL
@@ -57,7 +60,7 @@ type noiseClient struct {
 
 // newNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string) (*noiseClient, error) {
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer) (*noiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -74,6 +77,7 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		serverPubKey: serverPubKey,
 		privKey:      priKey,
 		serverHost:   host,
+		dialer:       dialer,
 	}
 
 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -137,9 +141,6 @@ func (nc *noiseClient) Close() error {
 func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	connID := nc.nextID
-	if nc.connPool == nil {
-		nc.connPool = make(map[int]*noiseConn)
-	}
 	nc.nextID++
 	nc.mu.Unlock()
 
@@ -153,7 +154,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
-	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion))
+	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
 	if err != nil {
 		return nil, err
 	}
@@ -161,6 +162,6 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	defer nc.mu.Unlock()
 	ncc := &noiseConn{Conn: conn, id: connID, pool: nc}
-	nc.connPool[ncc.id] = ncc
+	mak.Set(&nc.connPool, ncc.id, ncc)
 	return ncc, nil
 }

control/controlclient/status.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"reflect"
 
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
@@ -75,9 +74,8 @@ type Status struct {
 	// package, but we have some automated tests elsewhere that need to
 	// use them. Please don't use these fields.
 	// TODO(apenwarr): Unexport or remove these.
-	State    State
-	Persist  *persist.Persist  // locally persisted configuration
-	Hostinfo *tailcfg.Hostinfo // current Hostinfo data
+	State   State
+	Persist *persist.Persist // locally persisted configuration
 }
 
 // Equal reports whether s and s2 are equal.
@@ -92,7 +90,6 @@ func (s *Status) Equal(s2 *Status) bool {
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
 		reflect.DeepEqual(s.NetMap, s2.NetMap) &&
-		reflect.DeepEqual(s.Hostinfo, s2.Hostinfo) &&
 		s.State == s2.State
 }
 

control/controlhttp/client.go

@@ -25,16 +25,15 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
 	"net/url"
+	"time"
 
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
-	"tailscale.com/net/netns"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
@@ -65,13 +64,12 @@ const (
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16) (*controlbase.Conn, error) {
+func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
 	}
 	a := &dialParams{
-		ctx:        ctx,
 		host:       host,
 		httpPort:   port,
 		httpsPort:  "443",
@@ -79,12 +77,12 @@ func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, contr
 		controlKey: controlKey,
 		version:    protocolVersion,
 		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
+		dialer:     dialer,
 	}
-	return a.dial()
+	return a.dial(ctx)
 }
 
 type dialParams struct {
-	ctx        context.Context
 	host       string
 	httpPort   string
 	httpsPort  string
@@ -92,65 +90,132 @@ type dialParams struct {
 	controlKey key.MachinePublic
 	version    uint16
 	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
+	dialer     dnscache.DialContextFunc
 
 	// For tests only
-	insecureTLS bool
+	insecureTLS       bool
+	testFallbackDelay time.Duration
 }
 
-func (a *dialParams) dial() (*controlbase.Conn, error) {
-	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
-	if err != nil {
-		return nil, err
+// httpsFallbackDelay is how long we'll wait for a.httpPort to work before
+// starting to try a.httpsPort.
+func (a *dialParams) httpsFallbackDelay() time.Duration {
+	if v := a.testFallbackDelay; v != 0 {
+		return v
 	}
+	return 500 * time.Millisecond
+}
 
-	u := &url.URL{
+func (a *dialParams) dial(ctx context.Context) (*controlbase.Conn, error) {
+	// Create one shared context used by both port 80 and port 443 dials.
+	// If port 80 is still in flight when 443 returns, this deferred cancel
+	// will stop the port 80 dial.
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// u80 and u443 are the URLs we'll try to hit over HTTP or HTTPS,
+	// respectively, in order to do the HTTP upgrade to a net.Conn over which
+	// we'll speak Noise.
+	u80 := &url.URL{
 		Scheme: "http",
 		Host:   net.JoinHostPort(a.host, a.httpPort),
 		Path:   serverUpgradePath,
 	}
-	conn, httpErr := a.tryURL(u, init)
-	if httpErr == nil {
-		ret, err := cont(a.ctx, conn)
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-		return ret, nil
+	u443 := &url.URL{
+		Scheme: "https",
+		Host:   net.JoinHostPort(a.host, a.httpsPort),
+		Path:   serverUpgradePath,
 	}
 
-	// Connecting over plain HTTP failed, assume it's an HTTP proxy
-	// being difficult and see if we can get through over HTTPS.
-	u.Scheme = "https"
-	u.Host = net.JoinHostPort(a.host, a.httpsPort)
-	init, cont, err = controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
+	type tryURLRes struct {
+		u    *url.URL          // input (the URL conn+err are for/from)
+		conn *controlbase.Conn // result (mutually exclusive with err)
+		err  error
+	}
+	ch := make(chan tryURLRes) // must be unbuffered
+	try := func(u *url.URL) {
+		cbConn, err := a.dialURL(ctx, u)
+		select {
+		case ch <- tryURLRes{u, cbConn, err}:
+		case <-ctx.Done():
+			if cbConn != nil {
+				cbConn.Close()
+			}
+		}
+	}
+
+	// Start the plaintext HTTP attempt first.
+	go try(u80)
+
+	// In case outbound port 80 blocked or MITM'ed poorly, start a backup timer
+	// to dial port 443 if port 80 doesn't either succeed or fail quickly.
+	try443Timer := time.AfterFunc(a.httpsFallbackDelay(), func() { try(u443) })
+	defer try443Timer.Stop()
+
+	var err80, err443 error
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, fmt.Errorf("connection attempts aborted by context: %w", ctx.Err())
+		case res := <-ch:
+			if res.err == nil {
+				return res.conn, nil
+			}
+			switch res.u {
+			case u80:
+				// Connecting over plain HTTP failed; assume it's an HTTP proxy
+				// being difficult and see if we can get through over HTTPS.
+				err80 = res.err
+				// Stop the fallback timer and run it immediately. We don't use
+				// Timer.Reset(0) here because on AfterFuncs, that can run it
+				// again.
+				if try443Timer.Stop() {
+					go try(u443)
+				} // else we lost the race and it started already which is what we want
+			case u443:
+				err443 = res.err
+			default:
+				panic("invalid")
+			}
+			if err80 != nil && err443 != nil {
+				return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", err80, err443)
+			}
+		}
+	}
+}
+
+// dialURL attempts to connect to the given URL.
+func (a *dialParams) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
-	conn, tlsErr := a.tryURL(u, init)
-	if tlsErr == nil {
-		ret, err := cont(a.ctx, conn)
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-		return ret, nil
+	netConn, err := a.tryURLUpgrade(ctx, u, init)
+	if err != nil {
+		return nil, err
 	}
-
-	return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", httpErr, tlsErr)
+	cbConn, err := cont(ctx, netConn)
+	if err != nil {
+		netConn.Close()
+		return nil, err
+	}
+	return cbConn, nil
 }
 
-func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
+// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
+//
+// Only the provided ctx is used, not a.ctx.
+func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
 	dns := &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward,
 		LookupIPFallback: dnsfallback.Lookup,
 		UseLastGood:      true,
 	}
-	dialer := netns.NewDialer(log.Printf)
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	defer tr.CloseIdleConnections()
 	tr.Proxy = a.proxyFunc
 	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
-	tr.DialContext = dnscache.Dialer(dialer.DialContext, dns)
+	tr.DialContext = dnscache.Dialer(a.dialer, dns)
 	// Disable HTTP2, since h2 can't do protocol switching.
 	tr.TLSClientConfig.NextProtos = []string{}
 	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
@@ -159,7 +224,7 @@ func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
 		tr.TLSClientConfig.InsecureSkipVerify = true
 		tr.TLSClientConfig.VerifyConnection = nil
 	}
-	tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dns, tr.TLSClientConfig)
+	tr.DialTLSContext = dnscache.TLSDialer(a.dialer, dns, tr.TLSClientConfig)
 	tr.DisableCompression = true
 
 	// (mis)use httptrace to extract the underlying net.Conn from the
@@ -189,7 +254,7 @@ func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
 			connCh <- info.Conn
 		},
 	}
-	ctx := httptrace.WithClientTrace(a.ctx, &trace)
+	ctx = httptrace.WithClientTrace(ctx, &trace)
 	req := &http.Request{
 		Method: "POST",
 		URL:    u,

control/controlhttp/http_test.go

@@ -17,22 +17,36 @@ import (
 	"strconv"
 	"sync"
 	"testing"
+	"time"
 
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/socks5"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/types/key"
 )
 
+type httpTestParam struct {
+	name  string
+	proxy proxy
+
+	// makeHTTPHangAfterUpgrade makes the HTTP response hang after sending a
+	// 101 switching protocols.
+	makeHTTPHangAfterUpgrade bool
+}
+
 func TestControlHTTP(t *testing.T) {
-	tests := []struct {
-		name  string
-		proxy proxy
-	}{
+	tests := []httpTestParam{
 		// direct connection
 		{
 			name:  "no_proxy",
 			proxy: nil,
 		},
+		// direct connection but port 80 is MITM'ed and broken
+		{
+			name:                     "port80_broken_mitm",
+			proxy:                    nil,
+			makeHTTPHangAfterUpgrade: true,
+		},
 		// SOCKS5
 		{
 			name:  "socks5",
@@ -96,12 +110,13 @@ func TestControlHTTP(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			testControlHTTP(t, test.proxy)
+			testControlHTTP(t, test)
 		})
 	}
 }
 
-func testControlHTTP(t *testing.T, proxy proxy) {
+func testControlHTTP(t *testing.T, param httpTestParam) {
+	proxy := param.proxy
 	client, server := key.NewMachine(), key.NewMachine()
 
 	const testProtocolVersion = 1
@@ -132,7 +147,11 @@ func testControlHTTP(t *testing.T, proxy proxy) {
 		t.Fatalf("HTTPS listen: %v", err)
 	}
 
-	httpServer := &http.Server{Handler: handler}
+	var httpHandler http.Handler = handler
+	if param.makeHTTPHangAfterUpgrade {
+		httpHandler = http.HandlerFunc(brokenMITMHandler)
+	}
+	httpServer := &http.Server{Handler: httpHandler}
 	go httpServer.Serve(httpLn)
 	defer httpServer.Close()
 
@@ -143,18 +162,24 @@ func testControlHTTP(t *testing.T, proxy proxy) {
 	go httpsServer.ServeTLS(httpsLn, "", "")
 	defer httpsServer.Close()
 
-	//ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	//defer cancel()
+	ctx := context.Background()
+	const debugTimeout = false
+	if debugTimeout {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+	}
 
 	a := dialParams{
-		ctx:         context.Background(), //ctx,
-		host:        "localhost",
-		httpPort:    strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
-		httpsPort:   strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
-		machineKey:  client,
-		controlKey:  server.Public(),
-		version:     testProtocolVersion,
-		insecureTLS: true,
+		host:              "localhost",
+		httpPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:        client,
+		controlKey:        server.Public(),
+		version:           testProtocolVersion,
+		insecureTLS:       true,
+		dialer:            new(tsdial.Dialer).SystemDial,
+		testFallbackDelay: 50 * time.Millisecond,
 	}
 
 	if proxy != nil {
@@ -173,7 +198,7 @@ func testControlHTTP(t *testing.T, proxy proxy) {
 		}
 	}
 
-	conn, err := a.dial()
+	conn, err := a.dial(ctx)
 	if err != nil {
 		t.Fatalf("dialing controlhttp: %v", err)
 	}
@@ -215,6 +240,7 @@ type proxy interface {
 
 type socksProxy struct {
 	sync.Mutex
+	closed          bool
 	proxy           socks5.Server
 	ln              net.Listener
 	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
@@ -230,7 +256,14 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 	}
 	s.ln = ln
 	s.clientConnAddrs = map[string]bool{}
-	s.proxy.Logf = t.Logf
+	s.proxy.Logf = func(format string, a ...any) {
+		s.Lock()
+		defer s.Unlock()
+		if s.closed {
+			return
+		}
+		t.Logf(format, a...)
+	}
 	s.proxy.Dialer = s.dialAndRecord
 	go s.proxy.Serve(ln)
 	return fmt.Sprintf("socks5://%s", ln.Addr().String())
@@ -239,6 +272,10 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 func (s *socksProxy) Close() {
 	s.Lock()
 	defer s.Unlock()
+	if s.closed {
+		return
+	}
+	s.closed = true
 	s.ln.Close()
 }
 
@@ -398,3 +435,11 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		Certificates: []tls.Certificate{cert},
 	}
 }
+
+func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Upgrade", upgradeHeaderValue)
+	w.Header().Set("Connection", "upgrade")
+	w.WriteHeader(http.StatusSwitchingProtocols)
+	w.(http.Flusher).Flush()
+	<-r.Context().Done()
+}

derp/derp_client.go

@@ -485,7 +485,7 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			c.peeked = int(n)
 		} else {
 			// But if for some reason we read a large DERP message (which isn't necessarily
-			// a Wireguard packet), then just allocate memory for it.
+			// a WireGuard packet), then just allocate memory for it.
 			// TODO(bradfitz): use a pool if large frames ever happen in practice.
 			b = make([]byte, n)
 			_, err = io.ReadFull(c.br, b)

go.mod

@@ -5,7 +5,6 @@ go 1.18
 require (
 	filippo.io/mkcert v1.4.3
 	github.com/akutz/memconn v0.1.0
-	github.com/alessio/shellescape v1.4.1
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/aws/aws-sdk-go-v2 v1.11.2
@@ -21,7 +20,7 @@ require (
 	github.com/go-ole/go-ole v1.2.6
 	github.com/godbus/dbus/v5 v5.0.6
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
-	github.com/google/go-cmp v0.5.7
+	github.com/google/go-cmp v0.5.8
 	github.com/google/uuid v1.3.0
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/iancoleman/strcase v0.2.0
@@ -29,6 +28,7 @@ require (
 	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.13.6
+	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a
 	github.com/mdlayher/genetlink v1.2.0
 	github.com/mdlayher/netlink v1.6.0
 	github.com/mdlayher/sdnotify v1.0.0
@@ -40,19 +40,19 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f
+	github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
-	github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83
+	github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	github.com/u-root/u-root v0.8.0
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	go4.org/mem v0.0.0-20210711025021-927187094b94
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
+	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
+	golang.org/x/sys v0.0.0-20220422013727-9388b58f7150
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11-0.20220413170336-afc6aad76eb1

go.sum

@@ -104,8 +104,6 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
-github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
@@ -469,8 +467,9 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 h1:CVuJwN34x4xM2aT4sIKhmeib40NeBPhRihNjQmpJsA4=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
@@ -682,6 +681,8 @@ github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47e
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
+github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
@@ -1067,12 +1068,12 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f h1:3CuODoSnBXS+ZkQlGakDqtX1o2RteR1870yF+dS61PY=
-github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1 h1:vsFV6BKSIgjRd8m8UfrGW4r+cc28fRF71K6IRo46rKs=
+github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
-github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83 h1:f7nwzdAHTUUOJjHZuDvLz9CEAlUM228amCRvwzlPvsA=
-github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83/go.mod h1:iTDXJsA6A2wNNjurgic2rk+is6uzU4U2NLm4T+edr6M=
+github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17 h1:QaQrUggZ7U2lE3HhoPx6bDK7fO385FR7pHRYSPEv70Q=
+github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
@@ -1227,8 +1228,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1478,8 +1479,8 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=
+golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=

ipn/backend.go

@@ -65,14 +65,13 @@ type Notify struct {
 	// For State InUseOtherUser, ErrMessage is not critical and just contains the details.
 	ErrMessage *string
 
-	LoginFinished *empty.Message       // non-nil when/if the login process succeeded
-	State         *State               // if non-nil, the new or current IPN state
-	Prefs         *Prefs               // if non-nil, the new or current preferences
-	NetMap        *netmap.NetworkMap   // if non-nil, the new or current netmap
-	Engine        *EngineStatus        // if non-nil, the new or urrent wireguard stats
-	BrowseToURL   *string              // if non-nil, UI should open a browser right now
-	BackendLogID  *string              // if non-nil, the public logtail ID used by backend
-	PingResult    *ipnstate.PingResult // if non-nil, a ping response arrived
+	LoginFinished *empty.Message     // non-nil when/if the login process succeeded
+	State         *State             // if non-nil, the new or current IPN state
+	Prefs         *Prefs             // if non-nil, the new or current preferences
+	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
+	Engine        *EngineStatus      // if non-nil, the new or urrent wireguard stats
+	BrowseToURL   *string            // if non-nil, UI should open a browser right now
+	BackendLogID  *string            // if non-nil, the public logtail ID used by backend
 
 	// FilesWaiting if non-nil means that files are buffered in
 	// the Tailscale daemon and ready for local transfer to the
@@ -122,9 +121,6 @@ func (n Notify) String() string {
 	if n.BackendLogID != nil {
 		sb.WriteString("BackendLogID ")
 	}
-	if n.PingResult != nil {
-		fmt.Fprintf(&sb, "ping=%v ", *n.PingResult)
-	}
 	if n.FilesWaiting != nil {
 		sb.WriteString("FilesWaiting ")
 	}
@@ -245,13 +241,4 @@ type Backend interface {
 	// counts. Connection events are emitted automatically without
 	// polling.
 	RequestEngineStatus()
-	// FakeExpireAfter pretends that the current key is going to
-	// expire after duration x. This is useful for testing GUIs to
-	// make sure they react properly with keys that are going to
-	// expire.
-	FakeExpireAfter(x time.Duration)
-	// Ping attempts to start connecting to the given IP and sends a Notify
-	// with its PingResult. If the host is down, there might never
-	// be a PingResult sent. The cmd/tailscale CLI client adds a timeout.
-	Ping(ip string, useTSMP bool)
 }

ipn/fake_test.go

@@ -5,9 +5,6 @@
 package ipn
 
 import (
-	"time"
-
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/netmap"
 )
@@ -101,15 +98,3 @@ func (b *FakeBackend) RequestEngineStatus() {
 		b.notify(Notify{Engine: &EngineStatus{}})
 	}
 }
-
-func (b *FakeBackend) FakeExpireAfter(x time.Duration) {
-	if b.notify != nil {
-		b.notify(Notify{NetMap: &netmap.NetworkMap{}})
-	}
-}
-
-func (b *FakeBackend) Ping(ip string, useTSMP bool) {
-	if b.notify != nil {
-		b.notify(Notify{PingResult: &ipnstate.PingResult{}})
-	}
-}

ipn/handle.go

@@ -174,7 +174,3 @@ func (h *Handle) Logout() {
 func (h *Handle) RequestEngineStatus() {
 	h.b.RequestEngineStatus()
 }
-
-func (h *Handle) FakeExpireAfter(x time.Duration) {
-	h.b.FakeExpireAfter(x)
-}

ipn/ipn_clone.go

@@ -1,9 +1,8 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 // Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
-//go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go
 
 package ipn
 

ipn/ipnlocal/dnsconfig_test.go

@@ -51,7 +51,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			nm:    &netmap.NetworkMap{},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
 				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
 			},
 		},
@@ -77,7 +77,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"b.net.":       ips("100.102.0.1", "100.102.0.2"),
 					"myname.net.":  ips("100.101.101.101"),
@@ -112,7 +112,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
 				OnlyIPv6: true,
-				Routes:   map[dnsname.FQDN][]dnstype.Resolver{},
+				Routes:   map[dnsname.FQDN][]*dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"b.net.":       ips("fe75::2"),
 					"myname.net.":  ips("fe75::1"),
@@ -136,7 +136,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"myname.net.": ips("100.101.101.101"),
 					"foo.com.":    ips("1.2.3.4"),
@@ -158,7 +158,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts: map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{
 					"0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.": nil,
 					"100.100.in-addr.arpa.":             nil,
 					"101.100.in-addr.arpa.":             nil,
@@ -242,13 +242,13 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			os:   "android",
 			nm: &netmap.NetworkMap{
 				DNS: tailcfg.DNSConfig{
-					Resolvers: []dnstype.Resolver{
+					Resolvers: []*dnstype.Resolver{
 						{Addr: "8.8.8.8"},
 					},
-					FallbackResolvers: []dnstype.Resolver{
+					FallbackResolvers: []*dnstype.Resolver{
 						{Addr: "8.8.4.4"},
 					},
-					Routes: map[string][]dnstype.Resolver{
+					Routes: map[string][]*dnstype.Resolver{
 						"foo.com.": {{Addr: "1.2.3.4"}},
 					},
 				},
@@ -258,10 +258,10 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts: map[dnsname.FQDN][]netaddr.IP{},
-				DefaultResolvers: []dnstype.Resolver{
+				DefaultResolvers: []*dnstype.Resolver{
 					{Addr: "8.8.8.8"},
 				},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{
 					"foo.com.": {{Addr: "1.2.3.4"}},
 				},
 			},
@@ -270,7 +270,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			name: "exit_nodes_need_fallbacks",
 			nm: &netmap.NetworkMap{
 				DNS: tailcfg.DNSConfig{
-					FallbackResolvers: []dnstype.Resolver{
+					FallbackResolvers: []*dnstype.Resolver{
 						{Addr: "8.8.4.4"},
 					},
 				},
@@ -281,8 +281,8 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
-				DefaultResolvers: []dnstype.Resolver{
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
+				DefaultResolvers: []*dnstype.Resolver{
 					{Addr: "8.8.4.4"},
 				},
 			},
@@ -291,7 +291,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			name: "not_exit_node_NOT_need_fallbacks",
 			nm: &netmap.NetworkMap{
 				DNS: tailcfg.DNSConfig{
-					FallbackResolvers: []dnstype.Resolver{
+					FallbackResolvers: []*dnstype.Resolver{
 						{Addr: "8.8.4.4"},
 					},
 				},
@@ -301,7 +301,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			want: &dns.Config{
 				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
 			},
 		},
 	}

ipn/ipnlocal/local.go

@@ -123,6 +123,7 @@ type LocalBackend struct {
 	varRoot               string // or empty if SetVarRoot never called
 	sshAtomicBool         syncs.AtomicBool
 	sshServer             SSHServer // or nil
+	shutdownCalled        bool      // if Shutdown has been called
 
 	filterAtomic            atomic.Value // of *filter.Filter
 	containsViaIPFuncAtomic atomic.Value // of func(netaddr.IP) bool
@@ -248,7 +249,7 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 
 	wiredPeerAPIPort := false
 	if ig, ok := e.(wgengine.InternalsGetter); ok {
-		if tunWrap, _, ok := ig.GetInternals(); ok {
+		if tunWrap, _, _, ok := ig.GetInternals(); ok {
 			tunWrap.PeerAPIPort = b.GetPeerAPIPort
 			wiredPeerAPIPort = true
 		}
@@ -343,6 +344,7 @@ func (b *LocalBackend) onHealthChange(sys health.Subsystem, err error) {
 // can no longer be used after Shutdown returns.
 func (b *LocalBackend) Shutdown() {
 	b.mu.Lock()
+	b.shutdownCalled = true
 	cc := b.cc
 	b.closePeerAPIListenersLocked()
 	b.mu.Unlock()
@@ -933,8 +935,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	httpTestClient := b.httpTestClient
 
 	if b.hostinfo != nil {
-		hostinfo.Services = b.hostinfo.Services // keep any previous session and netinfo
-		hostinfo.NetInfo = b.hostinfo.NetInfo
+		hostinfo.Services = b.hostinfo.Services // keep any previous services
 	}
 	b.hostinfo = hostinfo
 	b.state = ipn.NoState
@@ -1034,6 +1035,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		LinkMonitor:          b.e.GetLinkMonitor(),
 		Pinger:               b.e,
 		PopBrowserURL:        b.tellClientToBrowseToURL,
+		Dialer:               b.Dialer(),
 
 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -1614,7 +1616,7 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 	case err != nil:
 		return fmt.Errorf("backend prefs: store.ReadState(%q): %v", key, err)
 	}
-	b.prefs, err = ipn.PrefsFromBytes(bs, false)
+	b.prefs, err = ipn.PrefsFromBytes(bs)
 	if err != nil {
 		b.logf("using backend prefs for %q", key)
 		return fmt.Errorf("PrefsFromBytes: %v", err)
@@ -1696,37 +1698,20 @@ func (b *LocalBackend) StartLoginInteractive() {
 	}
 }
 
-// FakeExpireAfter implements Backend.
-func (b *LocalBackend) FakeExpireAfter(x time.Duration) {
-	b.logf("FakeExpireAfter: %v", x)
-
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if b.netMap == nil {
-		return
-	}
-
-	// This function is called very rarely,
-	// so we prefer to fully copy the netmap over introducing in-place modification here.
-	mapCopy := *b.netMap
-	e := mapCopy.Expiry
-	if e.IsZero() || time.Until(e) > x {
-		mapCopy.Expiry = time.Now().Add(x)
-	}
-	b.setNetMapLocked(&mapCopy)
-	b.send(ipn.Notify{NetMap: b.netMap})
-}
-
-func (b *LocalBackend) Ping(ipStr string, useTSMP bool) {
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		b.logf("ignoring Ping request to invalid IP %q", ipStr)
-		return
-	}
-	b.e.Ping(ip, useTSMP, func(pr *ipnstate.PingResult) {
-		b.send(ipn.Notify{PingResult: pr})
+func (b *LocalBackend) Ping(ctx context.Context, ip netaddr.IP, pingType tailcfg.PingType) (*ipnstate.PingResult, error) {
+	ch := make(chan *ipnstate.PingResult, 1)
+	b.e.Ping(ip, pingType, func(pr *ipnstate.PingResult) {
+		select {
+		case ch <- pr:
+		default:
+		}
 	})
+	select {
+	case pr := <-ch:
+		return pr, nil
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	}
 }
 
 // parseWgStatusLocked returns an EngineStatus based on s.
@@ -1931,6 +1916,10 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 		b.authReconfig()
 	}
 
+	if oldp.RunSSH && !newp.RunSSH && b.sshServer != nil {
+		go b.sshServer.OnPolicyChange()
+	}
+
 	b.send(ipn.Notify{Prefs: newp})
 }
 
@@ -2123,7 +2112,7 @@ func (b *LocalBackend) authReconfig() {
 // a runtime.GOOS.
 func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Logf, versionOS string) *dns.Config {
 	dcfg := &dns.Config{
-		Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+		Routes: map[dnsname.FQDN][]*dnstype.Resolver{},
 		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
 	}
 
@@ -2210,8 +2199,9 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		}
 	}
 
-	addDefault := func(resolvers []dnstype.Resolver) {
+	addDefault := func(resolvers []*dnstype.Resolver) {
 		for _, r := range resolvers {
+			r := r
 			dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, r)
 		}
 	}
@@ -2219,7 +2209,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 	// If we're using an exit node and that exit node is new enough (1.19.x+)
 	// to run a DoH DNS proxy, then send all our DNS traffic through it.
 	if dohURL, ok := exitNodeCanProxyDNS(nm, prefs.ExitNodeID); ok {
-		addDefault([]dnstype.Resolver{{Addr: dohURL}})
+		addDefault([]*dnstype.Resolver{{Addr: dohURL}})
 		return dcfg
 	}
 
@@ -2238,7 +2228,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		//
 		// While we're already populating it, might as well size the
 		// slice appropriately.
-		dcfg.Routes[fqdn] = make([]dnstype.Resolver, 0, len(resolvers))
+		dcfg.Routes[fqdn] = make([]*dnstype.Resolver, 0, len(resolvers))
 
 		for _, r := range resolvers {
 			dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], r)
@@ -2341,6 +2331,9 @@ const peerAPIListenAsync = runtime.GOOS == "windows" || runtime.GOOS == "android
 func (b *LocalBackend) initPeerAPIListener() {
 	b.mu.Lock()
 	defer b.mu.Unlock()
+	if b.shutdownCalled {
+		return
+	}
 
 	if b.netMap == nil {
 		// We're called from authReconfig which checks that
@@ -2882,9 +2875,6 @@ func (b *LocalBackend) assertClientLocked() {
 func (b *LocalBackend) setNetInfo(ni *tailcfg.NetInfo) {
 	b.mu.Lock()
 	cc := b.cc
-	if b.hostinfo != nil {
-		b.hostinfo.NetInfo = ni.Clone()
-	}
 	b.mu.Unlock()
 
 	if cc == nil {
@@ -3299,7 +3289,7 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	if !ok {
 		return nil, errors.New("engine isn't InternalsGetter")
 	}
-	_, mc, ok := ig.GetInternals()
+	_, mc, _, ok := ig.GetInternals()
 	if !ok {
 		return nil, errors.New("failed to get internals")
 	}
@@ -3324,3 +3314,38 @@ func (b *LocalBackend) HandleSSHConn(c net.Conn) error {
 	}
 	return b.sshServer.HandleSSHConn(c)
 }
+
+// HandleQuad100Port80Conn serves http://100.100.100.100/ on port 80 (and
+// the equivalent tsaddr.TailscaleServiceIPv6 address).
+func (b *LocalBackend) HandleQuad100Port80Conn(c net.Conn) {
+	var s http.Server
+	s.Handler = http.HandlerFunc(b.handleQuad100Port80Conn)
+	s.Serve(netutil.NewOneConnListener(c, nil))
+}
+
+func (b *LocalBackend) handleQuad100Port80Conn(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Content-Security-Policy", "default-src 'self';")
+	if r.Method != "GET" && r.Method != "HEAD" {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	io.WriteString(w, "<h1>Tailscale</h1>\n")
+	if b.netMap == nil {
+		io.WriteString(w, "No netmap.\n")
+		return
+	}
+	if len(b.netMap.Addresses) == 0 {
+		io.WriteString(w, "No local addresses.\n")
+		return
+	}
+	io.WriteString(w, "<p>Local addresses:</p><ul>\n")
+	for _, ipp := range b.netMap.Addresses {
+		fmt.Fprintf(w, "<li>%v</li>\n", ipp.IP())
+	}
+	io.WriteString(w, "</ul>\n")
+}

ipn/ipnlocal/peerapi.go

@@ -29,6 +29,7 @@ import (
 	"unicode"
 	"unicode/utf8"
 
+	"github.com/kortschak/wol"
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
@@ -563,6 +564,12 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case "/v0/dnsfwd":
 		h.handleServeDNSFwd(w, r)
 		return
+	case "/v0/wol":
+		h.handleWakeOnLAN(w, r)
+		return
+	case "/v0/interfaces":
+		h.handleServeInterfaces(w, r)
+		return
 	}
 	who := h.peerUser.DisplayName
 	fmt.Fprintf(w, `<html>
@@ -577,6 +584,40 @@ This is my Tailscale device. Your device is %v.
 	}
 }
 
+func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
+	if !h.canDebug() {
+		http.Error(w, "denied; no debug access", http.StatusForbidden)
+		return
+	}
+	i, err := interfaces.GetList()
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+	}
+
+	dr, err := interfaces.DefaultRoute()
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	fmt.Fprintln(w, "<h1>Interfaces</h1>")
+	fmt.Fprintf(w, "<h3>Default route is %q(%d)</h3>\n", dr.InterfaceName, dr.InterfaceIndex)
+
+	fmt.Fprintln(w, "<table>")
+	fmt.Fprint(w, "<tr>")
+	for _, v := range []any{"Index", "Name", "MTU", "Flags", "Addrs"} {
+		fmt.Fprintf(w, "<th>%v</th> ", v)
+	}
+	fmt.Fprint(w, "</tr>\n")
+	i.ForeachInterface(func(iface interfaces.Interface, ipps []netaddr.IPPrefix) {
+		fmt.Fprint(w, "<tr>")
+		for _, v := range []any{iface.Index, iface.Name, iface.MTU, iface.Flags, ipps} {
+			fmt.Fprintf(w, "<td>%v</td> ", v)
+		}
+		fmt.Fprint(w, "</tr>\n")
+	})
+	fmt.Fprintln(w, "</table>")
+}
+
 type incomingFile struct {
 	name        string // "foo.jpg"
 	started     time.Time
@@ -646,6 +687,11 @@ func (h *peerAPIHandler) canDebug() bool {
 	return h.isSelf || h.peerHasCap(tailcfg.CapabilityDebugPeer)
 }
 
+// canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.
+func (h *peerAPIHandler) canWakeOnLAN() bool {
+	return h.isSelf || h.peerHasCap(tailcfg.CapabilityWakeOnLAN)
+}
+
 func (h *peerAPIHandler) peerHasCap(wantCap string) bool {
 	for _, hasCap := range h.ps.b.PeerCaps(h.remoteAddr.IP()) {
 		if hasCap == wantCap {
@@ -818,7 +864,7 @@ func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Req
 	}
 	eng := h.ps.b.e
 	if ig, ok := eng.(wgengine.InternalsGetter); ok {
-		if _, mc, ok := ig.GetInternals(); ok {
+		if _, mc, _, ok := ig.GetInternals(); ok {
 			mc.ServeHTTPDebug(w, r)
 			return
 		}
@@ -836,8 +882,8 @@ func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Reque
 }
 
 func (h *peerAPIHandler) handleServeDNSFwd(w http.ResponseWriter, r *http.Request) {
-	if !h.isSelf {
-		http.Error(w, "not owner", http.StatusForbidden)
+	if !h.canDebug() {
+		http.Error(w, "denied; no debug access", http.StatusForbidden)
 		return
 	}
 	dh := health.DebugHandler("dnsfwd")
@@ -848,6 +894,62 @@ func (h *peerAPIHandler) handleServeDNSFwd(w http.ResponseWriter, r *http.Reques
 	dh.ServeHTTP(w, r)
 }
 
+func (h *peerAPIHandler) handleWakeOnLAN(w http.ResponseWriter, r *http.Request) {
+	if !h.canWakeOnLAN() {
+		http.Error(w, "no WoL access", http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" {
+		http.Error(w, "bad method", http.StatusMethodNotAllowed)
+		return
+	}
+	macStr := r.FormValue("mac")
+	if macStr == "" {
+		http.Error(w, "missing 'mac' param", http.StatusBadRequest)
+		return
+	}
+	mac, err := net.ParseMAC(macStr)
+	if err != nil {
+		http.Error(w, "bad 'mac' param", http.StatusBadRequest)
+		return
+	}
+	var password []byte // TODO(bradfitz): support?
+	st, err := interfaces.GetState()
+	if err != nil {
+		http.Error(w, "failed to get interfaces state", http.StatusInternalServerError)
+		return
+	}
+	var res struct {
+		SentTo []string
+		Errors []string
+	}
+	for ifName, ips := range st.InterfaceIPs {
+		for _, ip := range ips {
+			if ip.IP().IsLoopback() || ip.IP().Is6() {
+				continue
+			}
+			ipa := ip.IP().IPAddr()
+			local := &net.UDPAddr{
+				IP:   ipa.IP,
+				Port: 0,
+			}
+			remote := &net.UDPAddr{
+				IP:   net.IPv4bcast,
+				Port: 0,
+			}
+			if err := wol.Wake(mac, password, local, remote); err != nil {
+				res.Errors = append(res.Errors, err.Error())
+			} else {
+				res.SentTo = append(res.SentTo, ifName)
+			}
+			break // one per interface is enough
+		}
+	}
+	sort.Strings(res.SentTo)
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(res)
+}
+
 func (h *peerAPIHandler) replyToDNSQueries() bool {
 	if h.isSelf {
 		// If the peer is owned by the same user, just allow it
@@ -1104,7 +1206,7 @@ func (fl *fakePeerAPIListener) Close() error {
 
 func (fl *fakePeerAPIListener) Accept() (net.Conn, error) {
 	<-fl.closed
-	return nil, io.EOF
+	return nil, net.ErrClosed
 }
 
 func (fl *fakePeerAPIListener) Addr() net.Addr { return fl.addr }

ipn/ipnstate/ipnstate.go

@@ -515,7 +515,7 @@ type PingResult struct {
 	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
 }
 
-func (pr *PingResult) ToPingResponse(pingType string) *tailcfg.PingResponse {
+func (pr *PingResult) ToPingResponse(pingType tailcfg.PingType) *tailcfg.PingResponse {
 	return &tailcfg.PingResponse{
 		Type:           pingType,
 		IP:             pr.IP,

ipn/localapi/localapi.go

@@ -111,6 +111,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveLogout(w, r)
 	case "/localapi/v0/prefs":
 		h.servePrefs(w, r)
+	case "/localapi/v0/ping":
+		h.servePing(w, r)
 	case "/localapi/v0/check-prefs":
 		h.serveCheckPrefs(w, r)
 	case "/localapi/v0/check-ip-forwarding":
@@ -625,6 +627,36 @@ func (h *Handler) serveSetExpirySooner(w http.ResponseWriter, r *http.Request) {
 	io.WriteString(w, "done\n")
 }
 
+func (h *Handler) servePing(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	if r.Method != "POST" {
+		http.Error(w, "want POST", 400)
+		return
+	}
+	ipStr := r.FormValue("ip")
+	if ipStr == "" {
+		http.Error(w, "missing 'ip' parameter", 400)
+		return
+	}
+	ip, err := netaddr.ParseIP(ipStr)
+	if err != nil {
+		http.Error(w, "invalid IP", 400)
+		return
+	}
+	pingTypeStr := r.FormValue("type")
+	if ipStr == "" {
+		http.Error(w, "missing 'type' parameter", 400)
+		return
+	}
+	res, err := h.b.Ping(ctx, ip, tailcfg.PingType(pingTypeStr))
+	if err != nil {
+		writeErrorJSON(w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(res)
+}
+
 func (h *Handler) serveDial(w http.ResponseWriter, r *http.Request) {
 	if r.Method != "POST" {
 		http.Error(w, "POST required", http.StatusMethodNotAllowed)

ipn/message.go

@@ -13,8 +13,8 @@ import (
 	"fmt"
 	"io"
 	"log"
-	"time"
 
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/structs"
@@ -51,15 +51,6 @@ type SetPrefsArgs struct {
 	New *Prefs
 }
 
-type FakeExpireAfterArgs struct {
-	Duration time.Duration
-}
-
-type PingArgs struct {
-	IP      string
-	UseTSMP bool
-}
-
 // Command is a command message that is JSON encoded and sent by a
 // frontend to a backend.
 type Command struct {
@@ -82,8 +73,6 @@ type Command struct {
 	SetPrefs              *SetPrefsArgs
 	RequestEngineStatus   *NoArgs
 	RequestStatus         *NoArgs
-	FakeExpireAfter       *FakeExpireAfterArgs
-	Ping                  *PingArgs
 }
 
 type BackendServer struct {
@@ -116,7 +105,7 @@ func (bs *BackendServer) send(n Notify) {
 	if bs.sendNotifyMsg == nil {
 		return
 	}
-	n.Version = version.Long
+	n.Version = ipcVersion
 	bs.sendNotifyMsg(n)
 }
 
@@ -153,9 +142,9 @@ func (bs *BackendServer) GotCommandMsg(ctx context.Context, b []byte) error {
 const ErrMsgPermissionDenied = "permission denied"
 
 func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
-	if cmd.Version != version.Long && !cmd.AllowVersionSkew {
+	if cmd.Version != ipcVersion && !cmd.AllowVersionSkew {
 		vs := fmt.Sprintf("GotCommand: Version mismatch! frontend=%#v backend=%#v",
-			cmd.Version, version.Long)
+			cmd.Version, ipcVersion)
 		bs.logf("%s", vs)
 		// ignore the command, but send a message back to the
 		// caller so it can realize the version mismatch too.
@@ -175,9 +164,6 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	if c := cmd.RequestEngineStatus; c != nil {
 		bs.b.RequestEngineStatus()
 		return nil
-	} else if c := cmd.Ping; c != nil {
-		bs.b.Ping(c.IP, c.UseTSMP)
-		return nil
 	}
 
 	if IsReadonlyContext(ctx) {
@@ -204,9 +190,6 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	} else if c := cmd.SetPrefs; c != nil {
 		bs.b.SetPrefs(c.New)
 		return nil
-	} else if c := cmd.FakeExpireAfter; c != nil {
-		bs.b.FakeExpireAfter(c.Duration)
-		return nil
 	}
 	return fmt.Errorf("BackendServer.Do: no command specified")
 }
@@ -228,6 +211,19 @@ func NewBackendClient(logf logger.Logf, sendCommandMsg func(jsonb []byte)) *Back
 	}
 }
 
+// IPCVersion returns version.Long usually, unless TS_DEBUG_FAKE_IPC_VERSION is
+// set, in which it contains that value. This is only used for weird development
+// cases when testing mismatched versions and you want the client to act like it's
+// compatible with the server.
+func IPCVersion() string {
+	if v := envknob.String("TS_DEBUG_FAKE_IPC_VERSION"); v != "" {
+		return v
+	}
+	return version.Long
+}
+
+var ipcVersion = IPCVersion()
+
 func (bc *BackendClient) GotNotifyMsg(b []byte) {
 	if len(b) == 0 {
 		// not interesting
@@ -240,9 +236,9 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 	if err := json.Unmarshal(b, &n); err != nil {
 		log.Fatalf("BackendClient.Notify: cannot decode message (length=%d, %#q): %v", len(b), b, err)
 	}
-	if n.Version != version.Long && !bc.AllowVersionSkew {
+	if n.Version != ipcVersion && !bc.AllowVersionSkew {
 		vs := fmt.Sprintf("GotNotify: Version mismatch! frontend=%#v backend=%#v",
-			version.Long, n.Version)
+			ipcVersion, n.Version)
 		bc.logf("%s", vs)
 		// delete anything in the notification except the version,
 		// to prevent incorrect operation.
@@ -257,7 +253,7 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 }
 
 func (bc *BackendClient) send(cmd Command) {
-	cmd.Version = version.Long
+	cmd.Version = ipcVersion
 	b, err := json.Marshal(cmd)
 	if err != nil {
 		log.Fatalf("Failed json.Marshal(cmd): %v\n", err)
@@ -306,17 +302,6 @@ func (bc *BackendClient) RequestStatus() {
 	bc.send(Command{AllowVersionSkew: true, RequestStatus: &NoArgs{}})
 }
 
-func (bc *BackendClient) FakeExpireAfter(x time.Duration) {
-	bc.send(Command{FakeExpireAfter: &FakeExpireAfterArgs{Duration: x}})
-}
-
-func (bc *BackendClient) Ping(ip string, useTSMP bool) {
-	bc.send(Command{Ping: &PingArgs{
-		IP:      ip,
-		UseTSMP: useTSMP,
-	}})
-}
-
 // MaxMessageSize is the maximum message size, in bytes.
 const MaxMessageSize = 10 << 20
 

ipn/prefs.go

@@ -27,7 +27,7 @@ import (
 	"tailscale.com/util/dnsname"
 )
 
-//go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go
+//go:generate go run tailscale.com/cmd/cloner -type=Prefs
 
 // DefaultControlURL is the URL base of the control plane
 // ("coordination server") for use when no explicit one is configured.
@@ -428,9 +428,14 @@ func NewPrefs() *Prefs {
 }
 
 // ControlURLOrDefault returns the coordination server's URL base.
-// If not configured, DefaultControlURL is returned instead.
+//
+// If not configured, or if the configured value is a legacy name equivalent to
+// the default, then DefaultControlURL is returned instead.
 func (p *Prefs) ControlURLOrDefault() string {
 	if p.ControlURL != "" {
+		if p.ControlURL != DefaultControlURL && IsLoginServerSynonym(p.ControlURL) {
+			return DefaultControlURL
+		}
 		return p.ControlURL
 	}
 	return DefaultControlURL
@@ -579,10 +584,8 @@ func (p *Prefs) SetExitNodeIP(s string, st *ipnstate.Status) error {
 	return err
 }
 
-// PrefsFromBytes deserializes Prefs from a JSON blob. If
-// enforceDefaults is true, Prefs.RouteAll and Prefs.AllowSingleHosts
-// are forced on.
-func PrefsFromBytes(b []byte, enforceDefaults bool) (*Prefs, error) {
+// PrefsFromBytes deserializes Prefs from a JSON blob.
+func PrefsFromBytes(b []byte) (*Prefs, error) {
 	p := NewPrefs()
 	if len(b) == 0 {
 		return p, nil
@@ -598,10 +601,6 @@ func PrefsFromBytes(b []byte, enforceDefaults bool) (*Prefs, error) {
 			log.Printf("Prefs parse: %v: %v\n", err, b)
 		}
 	}
-	if enforceDefaults {
-		p.RouteAll = true
-		p.AllowSingleHosts = true
-	}
 	return p, err
 }
 
@@ -620,7 +619,7 @@ func LoadPrefs(filename string) (*Prefs, error) {
 		// to log in again. (better than crashing)
 		return nil, os.ErrNotExist
 	}
-	p, err := PrefsFromBytes(data, false)
+	p, err := PrefsFromBytes(data)
 	if err != nil {
 		return nil, fmt.Errorf("LoadPrefs(%q) decode: %w", filename, err)
 	}

ipn/prefs_test.go

@@ -302,7 +302,7 @@ func checkPrefs(t *testing.T, p Prefs) {
 	if p.Equals(p2) {
 		t.Fatalf("p == p2\n")
 	}
-	p2b, err = PrefsFromBytes(p2.ToBytes(), false)
+	p2b, err = PrefsFromBytes(p2.ToBytes())
 	if err != nil {
 		t.Fatalf("PrefsFromBytes(p2) failed\n")
 	}
@@ -810,3 +810,18 @@ func TestExitNodeIPOfArg(t *testing.T) {
 		})
 	}
 }
+
+func TestControlURLOrDefault(t *testing.T) {
+	var p Prefs
+	if got, want := p.ControlURLOrDefault(), DefaultControlURL; got != want {
+		t.Errorf("got %q; want %q", got, want)
+	}
+	p.ControlURL = "http://foo.bar"
+	if got, want := p.ControlURLOrDefault(), "http://foo.bar"; got != want {
+		t.Errorf("got %q; want %q", got, want)
+	}
+	p.ControlURL = "https://login.tailscale.com"
+	if got, want := p.ControlURLOrDefault(), DefaultControlURL; got != want {
+		t.Errorf("got %q; want %q", got, want)
+	}
+}

ipn/store/stores.go

@@ -21,6 +21,7 @@ import (
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/paths"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/mak"
 )
 
 // Provider returns a StateStore for the provided path.
@@ -82,10 +83,7 @@ func Register(prefix string, fn Provider) {
 	if _, ok := knownStores[prefix]; ok {
 		panic(fmt.Sprintf("%q already registered", prefix))
 	}
-	if knownStores == nil {
-		knownStores = make(map[string]Provider)
-	}
-	knownStores[prefix] = fn
+	mak.Set(&knownStores, prefix, fn)
 }
 
 // TryWindowsAppDataMigration attempts to copy the Windows state file

net/dns/config.go

@@ -22,14 +22,14 @@ type Config struct {
 	// which aren't covered by more specific per-domain routes below.
 	// If empty, the OS's default resolvers (the ones that predate
 	// Tailscale altering the configuration) are used.
-	DefaultResolvers []dnstype.Resolver
+	DefaultResolvers []*dnstype.Resolver
 	// Routes maps a DNS suffix to the resolvers that should be used
 	// for queries that fall within that suffix.
 	// If a query doesn't match any entry in Routes, the
 	// DefaultResolvers are used.
 	// A Routes entry with no resolvers means the route should be
 	// authoritatively answered using the contents of Hosts.
-	Routes map[dnsname.FQDN][]dnstype.Resolver
+	Routes map[dnsname.FQDN][]*dnstype.Resolver
 	// SearchDomains are DNS suffixes to try when expanding
 	// single-label queries.
 	SearchDomains []dnsname.FQDN
@@ -98,9 +98,9 @@ func (c Config) hasDefaultResolvers() bool {
 // singleResolverSet returns the resolvers used by c.Routes if all
 // routes use the same resolvers, or nil if multiple sets of resolvers
 // are specified.
-func (c Config) singleResolverSet() []dnstype.Resolver {
+func (c Config) singleResolverSet() []*dnstype.Resolver {
 	var (
-		prev            []dnstype.Resolver
+		prev            []*dnstype.Resolver
 		prevInitialized bool
 	)
 	for _, resolvers := range c.Routes {
@@ -128,7 +128,7 @@ func (c Config) matchDomains() []dnsname.FQDN {
 	return ret
 }
 
-func sameResolverNames(a, b []dnstype.Resolver) bool {
+func sameResolverNames(a, b []*dnstype.Resolver) bool {
 	if len(a) != len(b) {
 		return false
 	}

net/dns/manager.go

@@ -6,20 +6,64 @@ package dns
 
 import (
 	"bufio"
+	"bytes"
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/binary"
+	"encoding/pem"
+	"errors"
+	"io"
+	"math/big"
+	"net"
 	"runtime"
+	"sync"
+	"sync/atomic"
 	"time"
 
 	"inet.af/netaddr"
 	"tailscale.com/health"
 	"tailscale.com/net/dns/resolver"
+	"tailscale.com/net/packet"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tsdial"
+	"tailscale.com/net/tstun"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/monitor"
 )
 
+var (
+	magicDNSIP   = tsaddr.TailscaleServiceIP()
+	magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
+)
+
+var (
+	errFullQueue = errors.New("request queue full")
+)
+
+// maxActiveQueries returns the maximal number of DNS requests that be
+// can running.
+// If EnqueueRequest is called when this many requests are already pending,
+// the request will be dropped to avoid blocking the caller.
+func maxActiveQueries() int32 {
+	if runtime.GOOS == "ios" {
+		// For memory paranoia reasons on iOS, match the
+		// historical Tailscale 1.x..1.8 behavior for now
+		// (just before the 1.10 release).
+		return 64
+	}
+	// But for other platforms, allow more burstiness:
+	return 256
+}
+
 // We use file-ignore below instead of ignore because on some platforms,
 // the lint exception is necessary and on others it is not,
 // and plain ignore complains if the exception is unnecessary.
@@ -31,10 +75,32 @@ import (
 // Such operations should be wrapped in a timeout context.
 const reconfigTimeout = time.Second
 
+type response struct {
+	pkt []byte
+	to  netaddr.IPPort // response destination (request source)
+}
+
 // Manager manages system DNS settings.
 type Manager struct {
 	logf logger.Logf
 
+	// When netstack is not used, Manager implements magic DNS.
+	// In this case, responses tracks completed DNS requests
+	// which need a response, and NextPacket() synthesizes a
+	// fake IP+UDP header to finish assembling the response.
+	//
+	// TODO(tom): Rip out once all platforms use netstack.
+	responses           chan response
+	activeQueriesAtomic int32
+
+	// DNS-over-TLS cached value.
+	dotCertMu   sync.Mutex
+	dotCertLast time.Time
+	dotCertVal  tls.Certificate
+
+	ctx       context.Context    // good until Down
+	ctxCancel context.CancelFunc // closes ctx
+
 	resolver *resolver.Resolver
 	os       OSConfigurator
 }
@@ -46,10 +112,12 @@ func NewManager(logf logger.Logf, oscfg OSConfigurator, linkMon *monitor.Mon, di
 	}
 	logf = logger.WithPrefix(logf, "dns: ")
 	m := &Manager{
-		logf:     logf,
-		resolver: resolver.New(logf, linkMon, linkSel, dialer),
-		os:       oscfg,
+		logf:      logf,
+		resolver:  resolver.New(logf, linkMon, linkSel, dialer),
+		os:        oscfg,
+		responses: make(chan response),
 	}
+	m.ctx, m.ctxCancel = context.WithCancel(context.Background())
 	m.logf("using %T", m.os)
 	return m
 }
@@ -91,7 +159,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// authoritative suffixes, even if we don't propagate MagicDNS to
 	// the OS.
 	rcfg.Hosts = cfg.Hosts
-	routes := map[dnsname.FQDN][]dnstype.Resolver{} // assigned conditionally to rcfg.Routes below.
+	routes := map[dnsname.FQDN][]*dnstype.Resolver{} // assigned conditionally to rcfg.Routes below.
 	for suffix, resolvers := range cfg.Routes {
 		if len(resolvers) == 0 {
 			rcfg.LocalDomains = append(rcfg.LocalDomains, suffix)
@@ -172,9 +240,9 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 			health.SetDNSOSHealth(err)
 			return resolver.Config{}, OSConfig{}, err
 		}
-		var defaultRoutes []dnstype.Resolver
+		var defaultRoutes []*dnstype.Resolver
 		for _, ip := range bcfg.Nameservers {
-			defaultRoutes = append(defaultRoutes, dnstype.Resolver{Addr: ip.String()})
+			defaultRoutes = append(defaultRoutes, &dnstype.Resolver{Addr: ip.String()})
 		}
 		rcfg.Routes["."] = defaultRoutes
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
@@ -186,7 +254,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 // toIPsOnly returns only the IP portion of dnstype.Resolver.
 // Only safe to use if the resolvers slice has been cleared of
 // DoH or custom-port entries with something like hasDefaultIPResolversOnly.
-func toIPsOnly(resolvers []dnstype.Resolver) (ret []netaddr.IP) {
+func toIPsOnly(resolvers []*dnstype.Resolver) (ret []netaddr.IP) {
 	for _, r := range resolvers {
 		if ipp, ok := r.IPPort(); ok && ipp.Port() == 53 {
 			ret = append(ret, ipp.IP())
@@ -195,15 +263,295 @@ func toIPsOnly(resolvers []dnstype.Resolver) (ret []netaddr.IP) {
 	return ret
 }
 
+// EnqueuePacket is the legacy path for handling magic DNS traffic, and is
+// called with a DNS request payload.
+//
+// TODO(tom): Rip out once all platforms use netstack.
 func (m *Manager) EnqueuePacket(bs []byte, proto ipproto.Proto, from, to netaddr.IPPort) error {
-	return m.resolver.EnqueuePacket(bs, proto, from, to)
+	if to.Port() != 53 || proto != ipproto.UDP {
+		return nil
+	}
+
+	if n := atomic.AddInt32(&m.activeQueriesAtomic, 1); n > maxActiveQueries() {
+		atomic.AddInt32(&m.activeQueriesAtomic, -1)
+		metricDNSQueryErrorQueue.Add(1)
+		return errFullQueue
+	}
+
+	go func() {
+		resp, err := m.resolver.Query(m.ctx, bs, from)
+		if err != nil {
+			atomic.AddInt32(&m.activeQueriesAtomic, -1)
+			m.logf("dns query: %v", err)
+			return
+		}
+
+		select {
+		case <-m.ctx.Done():
+			return
+		case m.responses <- response{resp, from}:
+		}
+	}()
+	return nil
 }
 
+// NextPacket is the legacy path for obtaining DNS results in response to
+// magic DNS queries. It blocks until a response is available.
+//
+// TODO(tom): Rip out once all platforms use netstack.
 func (m *Manager) NextPacket() ([]byte, error) {
-	return m.resolver.NextPacket()
+	var resp response
+	select {
+	case <-m.ctx.Done():
+		return nil, net.ErrClosed
+	case resp = <-m.responses:
+		// continue
+	}
+
+	// Unused space is needed further down the stack. To avoid extra
+	// allocations/copying later on, we allocate such space here.
+	const offset = tstun.PacketStartOffset
+
+	var buf []byte
+	switch {
+	case resp.to.IP().Is4():
+		h := packet.UDP4Header{
+			IP4Header: packet.IP4Header{
+				Src: magicDNSIP,
+				Dst: resp.to.IP(),
+			},
+			SrcPort: 53,
+			DstPort: resp.to.Port(),
+		}
+		hlen := h.Len()
+		buf = make([]byte, offset+hlen+len(resp.pkt))
+		copy(buf[offset+hlen:], resp.pkt)
+		h.Marshal(buf[offset:])
+	case resp.to.IP().Is6():
+		h := packet.UDP6Header{
+			IP6Header: packet.IP6Header{
+				Src: magicDNSIPv6,
+				Dst: resp.to.IP(),
+			},
+			SrcPort: 53,
+			DstPort: resp.to.Port(),
+		}
+		hlen := h.Len()
+		buf = make([]byte, offset+hlen+len(resp.pkt))
+		copy(buf[offset+hlen:], resp.pkt)
+		h.Marshal(buf[offset:])
+	}
+
+	atomic.AddInt32(&m.activeQueriesAtomic, -1)
+	return buf, nil
+}
+
+func (m *Manager) Query(ctx context.Context, bs []byte, from netaddr.IPPort) ([]byte, error) {
+	select {
+	case <-m.ctx.Done():
+		return nil, net.ErrClosed
+	default:
+		// continue
+	}
+
+	if n := atomic.AddInt32(&m.activeQueriesAtomic, 1); n > maxActiveQueries() {
+		atomic.AddInt32(&m.activeQueriesAtomic, -1)
+		metricDNSQueryErrorQueue.Add(1)
+		return nil, errFullQueue
+	}
+	defer atomic.AddInt32(&m.activeQueriesAtomic, -1)
+	return m.resolver.Query(ctx, bs, from)
+}
+
+const (
+	// RFC 7766 6.2 recommends connection reuse & request pipelining
+	// be undertaken, and the connection be closed by the server
+	// using an idle timeout on the order of seconds.
+	idleTimeoutTCP = 45 * time.Second
+	// The RFCs don't specify the max size of a TCP-based DNS query,
+	// but we want to keep this reasonable. Given payloads are typically
+	// much larger and all known client send a single query, I've arbitrarily
+	// chosen 2k.
+	maxReqSizeTCP = 2048
+)
+
+// dnsTCPSession services DNS requests sent over TCP.
+type dnsTCPSession struct {
+	m *Manager
+
+	conn    net.Conn
+	srcAddr netaddr.IPPort
+
+	readClosing chan struct{}
+	responses   chan []byte // DNS replies pending writing
+
+	ctx      context.Context
+	closeCtx context.CancelFunc
+}
+
+func (s *dnsTCPSession) handleWrites() {
+	defer s.conn.Close()
+	defer close(s.responses)
+	defer s.closeCtx()
+
+	for {
+		select {
+		case <-s.readClosing:
+			return // connection closed or timeout, teardown time
+
+		case resp := <-s.responses:
+			s.conn.SetWriteDeadline(time.Now().Add(idleTimeoutTCP))
+			if err := binary.Write(s.conn, binary.BigEndian, uint16(len(resp))); err != nil {
+				s.m.logf("tcp write (len): %v", err)
+				return
+			}
+			if _, err := s.conn.Write(resp); err != nil {
+				s.m.logf("tcp write (response): %v", err)
+				return
+			}
+		}
+	}
+}
+
+func (s *dnsTCPSession) handleQuery(q []byte) {
+	resp, err := s.m.Query(s.ctx, q, s.srcAddr)
+	if err != nil {
+		s.m.logf("tcp query: %v", err)
+		return
+	}
+
+	select {
+	case <-s.ctx.Done():
+	case s.responses <- resp:
+	}
+}
+
+func (s *dnsTCPSession) handleReads() {
+	defer close(s.readClosing)
+
+	for {
+		select {
+		case <-s.ctx.Done():
+			return
+
+		default:
+			s.conn.SetReadDeadline(time.Now().Add(idleTimeoutTCP))
+			var reqLen uint16
+			if err := binary.Read(s.conn, binary.BigEndian, &reqLen); err != nil {
+				if err == io.EOF || err == io.ErrClosedPipe {
+					return // connection closed nominally, we gucci
+				}
+				s.m.logf("tcp read (len): %v", err)
+				return
+			}
+			if int(reqLen) > maxReqSizeTCP {
+				s.m.logf("tcp request too large (%d > %d)", reqLen, maxReqSizeTCP)
+				return
+			}
+
+			buf := make([]byte, int(reqLen))
+			if _, err := io.ReadFull(s.conn, buf); err != nil {
+				s.m.logf("tcp read (payload): %v", err)
+				return
+			}
+
+			select {
+			case <-s.ctx.Done():
+				return
+			default:
+				go s.handleQuery(buf)
+			}
+		}
+	}
+}
+
+// HandleTCPConn implements magicDNS over TCP, taking a connection and
+// servicing DNS requests sent down it.
+func (m *Manager) HandleTCPConn(conn net.Conn, srcAddr netaddr.IPPort) {
+	s := dnsTCPSession{
+		m:           m,
+		conn:        conn,
+		srcAddr:     srcAddr,
+		responses:   make(chan []byte),
+		readClosing: make(chan struct{}),
+	}
+	s.ctx, s.closeCtx = context.WithCancel(context.Background())
+	go s.handleReads()
+	s.handleWrites()
+}
+
+const dotCertValidity = time.Hour * 24 * 30 // arbitrary; LetsEncrypt-ish
+
+func (m *Manager) dotCert() (tls.Certificate, error) {
+	m.dotCertMu.Lock()
+	defer m.dotCertMu.Unlock()
+
+	if !m.dotCertLast.IsZero() && time.Since(m.dotCertLast) < dotCertValidity {
+		return m.dotCertVal, nil
+	}
+
+	cert, err := genSelfSignedDoTCert()
+	if err == nil {
+		m.dotCertVal = cert
+		m.dotCertLast = time.Now()
+	}
+	return cert, err
+}
+
+// genSelfSignedDoTCert generates a self-signed certificate for DNS-over-TLS
+// (DoT) queries on 100.100.100.100.
+//
+// This exists for Android Private DNS, which in "Automatic" (aka opportunistic)
+// mode doesn't verify certs.
+//
+// See https://github.com/tailscale/tailscale/issues/915.
+func genSelfSignedDoTCert() (tls.Certificate, error) {
+	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Tailscale MagicDNS"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(dotCertValidity),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	privKeyBytes, _ := x509.MarshalECPrivateKey(privKey)
+	pemCert := new(bytes.Buffer)
+	pemKey := new(bytes.Buffer)
+	pem.Encode(pemCert, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	pem.Encode(pemKey, &pem.Block{Type: "EC PRIVATE KEY", Bytes: privKeyBytes})
+	return tls.X509KeyPair(pemCert.Bytes(), pemKey.Bytes())
+}
+
+// HandleDNSoverTLSConn implements magicDNS over DNS-over-TLS, taking a
+// connection and servicing DNS requests sent down it.
+//
+// It uses a self-signed cert; see genSelfSignedDoTCert for backbground.
+func (m *Manager) HandleDNSoverTLSConn(conn net.Conn, srcAddr netaddr.IPPort) {
+	tlsCert, err := m.dotCert()
+	if err != nil {
+		m.logf("[unexpected] HandleDNSoverTLSConn.dotCert: %v", err)
+		conn.Close()
+	}
+	tlsConn := tls.Server(conn, &tls.Config{
+		Certificates: []tls.Certificate{tlsCert},
+	})
+	m.HandleTCPConn(tlsConn, srcAddr)
 }
 
 func (m *Manager) Down() error {
+	m.ctxCancel()
 	if err := m.os.Close(); err != nil {
 		return err
 	}
@@ -229,3 +577,7 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("dns down: %v", err)
 	}
 }
+
+var (
+	metricDNSQueryErrorQueue = clientmetric.NewCounter("dns_query_local_error_queue")
+)

net/dns/manager_darwin.go

@@ -0,0 +1,127 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package dns
+
+import (
+	"bytes"
+	"errors"
+	"os"
+
+	"go4.org/mem"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/mak"
+)
+
+func NewOSConfigurator(logf logger.Logf, ifName string) (OSConfigurator, error) {
+	return &darwinConfigurator{logf: logf, ifName: ifName}, nil
+}
+
+// darwinConfigurator is the tailscaled-on-macOS DNS OS configurator that
+// maintains the Split DNS nameserver entries pointing MagicDNS DNS suffixes
+// to 100.100.100.100 using the macOS /etc/resolver/$SUFFIX files.
+type darwinConfigurator struct {
+	logf   logger.Logf
+	ifName string
+}
+
+func (c *darwinConfigurator) Close() error {
+	c.removeResolverFiles(func(domain string) bool { return true })
+	return nil
+}
+
+func (c *darwinConfigurator) SupportsSplitDNS() bool {
+	return true
+}
+
+func (c *darwinConfigurator) SetDNS(cfg OSConfig) error {
+	var buf bytes.Buffer
+	buf.WriteString(macResolverFileHeader)
+	for i, ip := range cfg.Nameservers {
+		if i == 0 {
+			buf.WriteString("nameserver ")
+		} else {
+			buf.WriteString(" ")
+		}
+		buf.WriteString(ip.String())
+	}
+	buf.WriteString("\n")
+
+	if err := os.MkdirAll("/etc/resolver", 0755); err != nil {
+		return err
+	}
+
+	var keep map[string]bool
+
+	// Add a dummy file to /etc/resolver with a "search ..." directive if we have
+	// search suffixes to add.
+	if len(cfg.SearchDomains) > 0 {
+		const searchFile = "search.tailscale" // fake DNS suffix+TLD to put our search
+		mak.Set(&keep, searchFile, true)
+		var sbuf bytes.Buffer
+		sbuf.WriteString(macResolverFileHeader)
+		sbuf.WriteString("search")
+		for _, d := range cfg.SearchDomains {
+			sbuf.WriteString(" ")
+			sbuf.WriteString(string(d.WithoutTrailingDot()))
+		}
+		sbuf.WriteString("\n")
+		if err := os.WriteFile("/etc/resolver/"+searchFile, sbuf.Bytes(), 0644); err != nil {
+			return err
+		}
+	}
+
+	for _, d := range cfg.MatchDomains {
+		fileBase := string(d.WithoutTrailingDot())
+		mak.Set(&keep, fileBase, true)
+		fullPath := "/etc/resolver/" + fileBase
+
+		if err := os.WriteFile(fullPath, buf.Bytes(), 0644); err != nil {
+			return err
+		}
+	}
+	return c.removeResolverFiles(func(domain string) bool { return !keep[domain] })
+}
+
+func (c *darwinConfigurator) GetBaseConfig() (OSConfig, error) {
+	return OSConfig{}, errors.New("[unexpected] unreachable")
+}
+
+const macResolverFileHeader = "# Added by tailscaled\n"
+
+// removeResolverFiles deletes all files in /etc/resolver for which the shouldDelete
+// func returns true.
+func (c *darwinConfigurator) removeResolverFiles(shouldDelete func(domain string) bool) error {
+	dents, err := os.ReadDir("/etc/resolver")
+	if os.IsNotExist(err) {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+	for _, de := range dents {
+		if !de.Type().IsRegular() {
+			continue
+		}
+		name := de.Name()
+		if !shouldDelete(name) {
+			continue
+		}
+		fullPath := "/etc/resolver/" + name
+		contents, err := os.ReadFile(fullPath)
+		if err != nil {
+			if os.IsNotExist(err) { // race?
+				continue
+			}
+			return err
+		}
+		if !mem.HasPrefix(mem.B(contents), mem.S(macResolverFileHeader)) {
+			continue
+		}
+		if err := os.Remove(fullPath); err != nil {
+			return err
+		}
+	}
+	return nil
+}

net/dns/manager_default.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !linux && !freebsd && !openbsd && !windows
-// +build !linux,!freebsd,!openbsd,!windows
+//go:build !linux && !freebsd && !openbsd && !windows && !darwin
+// +build !linux,!freebsd,!openbsd,!windows,!darwin
 
 package dns
 

net/dns/manager_tcp_test.go

@@ -0,0 +1,136 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package dns
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	dns "golang.org/x/net/dns/dnsmessage"
+	"inet.af/netaddr"
+	"tailscale.com/net/tsdial"
+	"tailscale.com/util/dnsname"
+)
+
+func mkDNSRequest(domain dnsname.FQDN, tp dns.Type) []byte {
+	var dnsHeader dns.Header
+	question := dns.Question{
+		Name:  dns.MustNewName(domain.WithTrailingDot()),
+		Type:  tp,
+		Class: dns.ClassINET,
+	}
+
+	builder := dns.NewBuilder(nil, dnsHeader)
+	if err := builder.StartQuestions(); err != nil {
+		panic(err)
+	}
+	if err := builder.Question(question); err != nil {
+		panic(err)
+	}
+
+	if err := builder.StartAdditionals(); err != nil {
+		panic(err)
+	}
+
+	ednsHeader := dns.ResourceHeader{
+		Name:  dns.MustNewName("."),
+		Type:  dns.TypeOPT,
+		Class: dns.Class(4095),
+	}
+
+	if err := builder.OPTResource(ednsHeader, dns.OPTResource{}); err != nil {
+		panic(err)
+	}
+
+	payload, _ := builder.Finish()
+
+	return payload
+}
+
+func TestDNSOverTCP(t *testing.T) {
+	f := fakeOSConfigurator{
+		SplitDNS: true,
+		BaseConfig: OSConfig{
+			Nameservers:   mustIPs("8.8.8.8"),
+			SearchDomains: fqdns("coffee.shop"),
+		},
+	}
+	m := NewManager(t.Logf, &f, nil, new(tsdial.Dialer), nil)
+	m.resolver.TestOnlySetHook(f.SetResolver)
+	m.Set(Config{
+		Hosts: hosts(
+			"dave.ts.com.", "1.2.3.4",
+			"bradfitz.ts.com.", "2.3.4.5"),
+		Routes:        upstreams("ts.com", ""),
+		SearchDomains: fqdns("tailscale.com", "universe.tf"),
+	})
+	defer m.Down()
+
+	c, s := net.Pipe()
+	defer s.Close()
+	go m.HandleTCPConn(s, netaddr.IPPort{})
+	defer c.Close()
+
+	wantResults := map[dnsname.FQDN]string{
+		"dave.ts.com.":     "1.2.3.4",
+		"bradfitz.ts.com.": "2.3.4.5",
+	}
+
+	for domain, _ := range wantResults {
+		b := mkDNSRequest(domain, dns.TypeA)
+		binary.Write(c, binary.BigEndian, uint16(len(b)))
+		c.Write(b)
+	}
+
+	results := map[dnsname.FQDN]string{}
+	for i := 0; i < len(wantResults); i++ {
+		var respLength uint16
+		if err := binary.Read(c, binary.BigEndian, &respLength); err != nil {
+			t.Fatalf("reading len: %v", err)
+		}
+		resp := make([]byte, int(respLength))
+		if _, err := io.ReadFull(c, resp); err != nil {
+			t.Fatalf("reading data: %v", err)
+		}
+
+		var parser dns.Parser
+		if _, err := parser.Start(resp); err != nil {
+			t.Errorf("parser.Start() failed: %v", err)
+			continue
+		}
+		q, err := parser.Question()
+		if err != nil {
+			t.Errorf("parser.Question(): %v", err)
+			continue
+		}
+		if err := parser.SkipAllQuestions(); err != nil {
+			t.Errorf("parser.SkipAllQuestions(): %v", err)
+			continue
+		}
+		ah, err := parser.AnswerHeader()
+		if err != nil {
+			t.Errorf("parser.AnswerHeader(): %v", err)
+			continue
+		}
+		if ah.Type != dns.TypeA {
+			t.Errorf("unexpected answer type: got %v, want %v", ah.Type, dns.TypeA)
+			continue
+		}
+		res, err := parser.AResource()
+		if err != nil {
+			t.Errorf("parser.AResource(): %v", err)
+			continue
+		}
+		results[dnsname.FQDN(q.Name.String())] = net.IP(res.A[:]).String()
+	}
+	c.Close()
+
+	if diff := cmp.Diff(wantResults, results); diff != "" {
+		t.Errorf("wrong results (-got+want)\n%s", diff)
+	}
+}

net/dns/manager_test.go

@@ -437,9 +437,9 @@ func mustIPPs(strs ...string) (ret []netaddr.IPPort) {
 	return ret
 }
 
-func mustRes(strs ...string) (ret []dnstype.Resolver) {
+func mustRes(strs ...string) (ret []*dnstype.Resolver) {
 	for _, s := range strs {
-		ret = append(ret, dnstype.Resolver{Addr: s})
+		ret = append(ret, &dnstype.Resolver{Addr: s})
 	}
 	return ret
 }
@@ -495,9 +495,9 @@ func hostsR(strs ...string) (ret map[dnsname.FQDN][]dnstype.Resolver) {
 	return ret
 }
 
-func upstreams(strs ...string) (ret map[dnsname.FQDN][]dnstype.Resolver) {
+func upstreams(strs ...string) (ret map[dnsname.FQDN][]*dnstype.Resolver) {
 	var key dnsname.FQDN
-	ret = map[dnsname.FQDN][]dnstype.Resolver{}
+	ret = map[dnsname.FQDN][]*dnstype.Resolver{}
 	for _, s := range strs {
 		if s == "" {
 			if key == "" {
@@ -508,14 +508,14 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]dnstype.Resolver) {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}
-			ret[key] = append(ret[key], dnstype.Resolver{Addr: ipp.String()})
+			ret[key] = append(ret[key], &dnstype.Resolver{Addr: ipp.String()})
 		} else if _, err := netaddr.ParseIP(s); err == nil {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}
-			ret[key] = append(ret[key], dnstype.Resolver{Addr: s})
+			ret[key] = append(ret[key], &dnstype.Resolver{Addr: s})
 		} else if strings.HasPrefix(s, "http") {
-			ret[key] = append(ret[key], dnstype.Resolver{Addr: s})
+			ret[key] = append(ret[key], &dnstype.Resolver{Addr: s})
 		} else {
 			fqdn, err := dnsname.ToFQDN(s)
 			if err != nil {

net/dns/resolver/forwarder.go

@@ -41,6 +41,19 @@ import (
 // headerBytes is the number of bytes in a DNS message header.
 const headerBytes = 12
 
+// dnsFlagTruncated is set in the flags word when the packet is truncated.
+const dnsFlagTruncated = 0x200
+
+// truncatedFlagSet returns true if the DNS packet signals that it has
+// been truncated. False is also returned if the packet was too small
+// to be valid.
+func truncatedFlagSet(pkt []byte) bool {
+	if len(pkt) < headerBytes {
+		return false
+	}
+	return (binary.BigEndian.Uint16(pkt[2:4]) & dnsFlagTruncated) != 0
+}
+
 const (
 	// responseTimeout is the maximal amount of time to wait for a DNS response.
 	responseTimeout = 5 * time.Second
@@ -157,7 +170,7 @@ type route struct {
 // long to wait before querying it.
 type resolverAndDelay struct {
 	// name is the upstream resolver.
-	name dnstype.Resolver
+	name *dnstype.Resolver
 
 	// startDelay is an amount to delay this resolver at
 	// start. It's used when, say, there are four Google or
@@ -177,9 +190,6 @@ type forwarder struct {
 	ctx       context.Context    // good until Close
 	ctxCancel context.CancelFunc // closes ctx
 
-	// responses is a channel by which responses are returned.
-	responses chan packet
-
 	mu sync.Mutex // guards following
 
 	dohClient map[string]*http.Client // urlBase -> client
@@ -216,14 +226,13 @@ func maxDoHInFlight(goos string) int {
 	return 1000
 }
 
-func newForwarder(logf logger.Logf, responses chan packet, linkMon *monitor.Mon, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *forwarder {
+func newForwarder(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector, dialer *tsdial.Dialer) *forwarder {
 	f := &forwarder{
-		logf:      logger.WithPrefix(logf, "forward: "),
-		linkMon:   linkMon,
-		linkSel:   linkSel,
-		dialer:    dialer,
-		responses: responses,
-		dohSem:    make(chan struct{}, maxDoHInFlight(runtime.GOOS)),
+		logf:    logger.WithPrefix(logf, "forward: "),
+		linkMon: linkMon,
+		linkSel: linkSel,
+		dialer:  dialer,
+		dohSem:  make(chan struct{}, maxDoHInFlight(runtime.GOOS)),
 	}
 	f.ctx, f.ctxCancel = context.WithCancel(context.Background())
 	return f
@@ -237,7 +246,7 @@ func (f *forwarder) Close() error {
 // resolversWithDelays maps from a set of DNS server names to a slice of a type
 // that included a startDelay, upgrading any well-known DoH (DNS-over-HTTP)
 // servers in the process, insert a DoH lookup first before UDP fallbacks.
-func resolversWithDelays(resolvers []dnstype.Resolver) []resolverAndDelay {
+func resolversWithDelays(resolvers []*dnstype.Resolver) []resolverAndDelay {
 	rr := make([]resolverAndDelay, 0, len(resolvers)+2)
 
 	// Add the known DoH ones first, starting immediately.
@@ -252,7 +261,7 @@ func resolversWithDelays(resolvers []dnstype.Resolver) []resolverAndDelay {
 			continue
 		}
 		didDoH[dohBase] = true
-		rr = append(rr, resolverAndDelay{name: dnstype.Resolver{Addr: dohBase}})
+		rr = append(rr, resolverAndDelay{name: &dnstype.Resolver{Addr: dohBase}})
 	}
 
 	type hostAndFam struct {
@@ -291,7 +300,7 @@ func resolversWithDelays(resolvers []dnstype.Resolver) []resolverAndDelay {
 // Resolver.SetConfig on reconfig.
 //
 // The memory referenced by routesBySuffix should not be modified.
-func (f *forwarder) setRoutes(routesBySuffix map[dnsname.FQDN][]dnstype.Resolver) {
+func (f *forwarder) setRoutes(routesBySuffix map[dnsname.FQDN][]*dnstype.Resolver) {
 	routes := make([]route, 0, len(routesBySuffix))
 	for suffix, rs := range routesBySuffix {
 		routes = append(routes, route{
@@ -420,6 +429,9 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 	if err != nil {
 		metricDNSFwdDoHErrorBody.Add(1)
 	}
+	if truncatedFlagSet(res) {
+		metricDNSFwdTruncated.Add(1)
+	}
 	return res, err
 }
 
@@ -456,13 +468,18 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		metricDNSFwdErrorType.Add(1)
 		return nil, fmt.Errorf("tls:// resolvers not supported yet")
 	}
+
+	return f.sendUDP(ctx, fq, rr)
+}
+
+func (f *forwarder) sendUDP(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
 	ipp, ok := rr.name.IPPort()
 	if !ok {
 		metricDNSFwdErrorType.Add(1)
 		return nil, fmt.Errorf("unrecognized resolver type %q", rr.name.Addr)
 	}
-
 	metricDNSFwdUDP.Add(1)
+
 	ln, err := f.packetListener(ipp.IP())
 	if err != nil {
 		return nil, err
@@ -522,7 +539,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 	}
 
 	if truncated {
-		const dnsFlagTruncated = 0x200
+		// Set the truncated bit if it wasn't already.
 		flags := binary.BigEndian.Uint16(out[2:4])
 		flags |= dnsFlagTruncated
 		binary.BigEndian.PutUint16(out[2:4], flags)
@@ -534,6 +551,10 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		// best we can do.
 	}
 
+	if truncatedFlagSet(out) {
+		metricDNSFwdTruncated.Add(1)
+	}
+
 	clampEDNSSize(out, maxResponseBytes)
 	metricDNSFwdUDPSuccess.Add(1)
 	return out, nil
@@ -576,17 +597,6 @@ type forwardQuery struct {
 	// ...
 }
 
-// forward forwards the query to all upstream nameservers and waits for
-// the first response.
-//
-// It either sends to f.responses and returns nil, or returns a
-// non-nil error (without sending to the channel).
-func (f *forwarder) forward(query packet) error {
-	ctx, cancel := context.WithTimeout(f.ctx, responseTimeout)
-	defer cancel()
-	return f.forwardWithDestChan(ctx, query, f.responses)
-}
-
 // forwardWithDestChan forwards the query to all upstream nameservers
 // and waits for the first response.
 //

net/dns/resolver/forwarder_test.go

@@ -23,9 +23,9 @@ func (rr resolverAndDelay) String() string {
 
 func TestResolversWithDelays(t *testing.T) {
 	// query
-	q := func(ss ...string) (ipps []dnstype.Resolver) {
+	q := func(ss ...string) (ipps []*dnstype.Resolver) {
 		for _, host := range ss {
-			ipps = append(ipps, dnstype.Resolver{Addr: host})
+			ipps = append(ipps, &dnstype.Resolver{Addr: host})
 		}
 		return
 	}
@@ -42,7 +42,7 @@ func TestResolversWithDelays(t *testing.T) {
 				}
 			}
 			rr = append(rr, resolverAndDelay{
-				name:       dnstype.Resolver{Addr: s},
+				name:       &dnstype.Resolver{Addr: s},
 				startDelay: d,
 			})
 		}
@@ -51,7 +51,7 @@ func TestResolversWithDelays(t *testing.T) {
 
 	tests := []struct {
 		name string
-		in   []dnstype.Resolver
+		in   []*dnstype.Resolver
 		want []resolverAndDelay
 	}{
 		{

net/dns/resolver/tsdns.go

@@ -17,6 +17,7 @@ import (
 	"os"
 	"runtime"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -25,12 +26,9 @@ import (
 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/net/dns/resolvconffile"
-	tspacket "tailscale.com/net/packet"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tsdial"
-	"tailscale.com/net/tstun"
 	"tailscale.com/types/dnstype"
-	"tailscale.com/types/ipproto"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
@@ -39,41 +37,15 @@ import (
 
 const dnsSymbolicFQDN = "magicdns.localhost-tailscale-daemon."
 
-var (
-	magicDNSIP   = tsaddr.TailscaleServiceIP()
-	magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
-)
-
-const magicDNSPort = 53
-
 // maxResponseBytes is the maximum size of a response from a Resolver. The
 // actual buffer size will be one larger than this so that we can detect
 // truncation in a platform-agnostic way.
 const maxResponseBytes = 4095
 
-// maxActiveQueries returns the maximal number of DNS requests that be
-// can running.
-// If EnqueueRequest is called when this many requests are already pending,
-// the request will be dropped to avoid blocking the caller.
-func maxActiveQueries() int32 {
-	if runtime.GOOS == "ios" {
-		// For memory paranoia reasons on iOS, match the
-		// historical Tailscale 1.x..1.8 behavior for now
-		// (just before the 1.10 release).
-		return 64
-	}
-	// But for other platforms, allow more burstiness:
-	return 256
-}
-
 // defaultTTL is the TTL of all responses from Resolver.
 const defaultTTL = 600 * time.Second
 
-// ErrClosed indicates that the resolver has been closed and readers should exit.
-var ErrClosed = errors.New("closed")
-
 var (
-	errFullQueue  = errors.New("request queue full")
 	errNotQuery   = errors.New("not a DNS query")
 	errNotOurName = errors.New("not a Tailscale DNS name")
 )
@@ -94,7 +66,7 @@ type Config struct {
 	// queries within that suffix.
 	// Queries only match the most specific suffix.
 	// To register a "default route", add an entry for ".".
-	Routes map[dnsname.FQDN][]dnstype.Resolver
+	Routes map[dnsname.FQDN][]*dnstype.Resolver
 	// LocalHosts is a map of FQDNs to corresponding IPs.
 	Hosts map[dnsname.FQDN][]netaddr.IP
 	// LocalDomains is a list of DNS name suffixes that should not be
@@ -143,7 +115,7 @@ func WriteIPPorts(w *bufio.Writer, vv []netaddr.IPPort) {
 }
 
 // WriteDNSResolver writes r to w.
-func WriteDNSResolver(w *bufio.Writer, r dnstype.Resolver) {
+func WriteDNSResolver(w *bufio.Writer, r *dnstype.Resolver) {
 	io.WriteString(w, r.Addr)
 	if len(r.BootstrapResolution) > 0 {
 		w.WriteByte('(')
@@ -157,7 +129,7 @@ func WriteDNSResolver(w *bufio.Writer, r dnstype.Resolver) {
 }
 
 // WriteDNSResolvers writes resolvers to w.
-func WriteDNSResolvers(w *bufio.Writer, resolvers []dnstype.Resolver) {
+func WriteDNSResolvers(w *bufio.Writer, resolvers []*dnstype.Resolver) {
 	w.WriteByte('[')
 	for i, r := range resolvers {
 		if i > 0 {
@@ -170,7 +142,7 @@ func WriteDNSResolvers(w *bufio.Writer, resolvers []dnstype.Resolver) {
 
 // WriteRoutes writes routes to w, omitting *.arpa routes and instead
 // summarizing how many of them there were.
-func WriteRoutes(w *bufio.Writer, routes map[dnsname.FQDN][]dnstype.Resolver) {
+func WriteRoutes(w *bufio.Writer, routes map[dnsname.FQDN][]*dnstype.Resolver) {
 	var kk []dnsname.FQDN
 	arpa := 0
 	for k := range routes {
@@ -208,12 +180,6 @@ type Resolver struct {
 	// forwarder forwards requests to upstream nameservers.
 	forwarder *forwarder
 
-	activeQueriesAtomic int32 // number of DNS queries in flight
-
-	// responses is an unbuffered channel to which responses are returned.
-	responses chan packet
-	// errors is an unbuffered channel to which errors are returned.
-	errors chan error
 	// closed signals all goroutines to stop.
 	closed chan struct{}
 	// wg signals when all goroutines have stopped.
@@ -240,16 +206,14 @@ func New(logf logger.Logf, linkMon *monitor.Mon, linkSel ForwardLinkSelector, di
 		panic("nil Dialer")
 	}
 	r := &Resolver{
-		logf:      logger.WithPrefix(logf, "resolver: "),
-		linkMon:   linkMon,
-		responses: make(chan packet),
-		errors:    make(chan error),
-		closed:    make(chan struct{}),
-		hostToIP:  map[dnsname.FQDN][]netaddr.IP{},
-		ipToHost:  map[netaddr.IP]dnsname.FQDN{},
-		dialer:    dialer,
+		logf:     logger.WithPrefix(logf, "resolver: "),
+		linkMon:  linkMon,
+		closed:   make(chan struct{}),
+		hostToIP: map[dnsname.FQDN][]netaddr.IP{},
+		ipToHost: map[netaddr.IP]dnsname.FQDN{},
+		dialer:   dialer,
 	}
-	r.forwarder = newForwarder(r.logf, r.responses, linkMon, linkSel, dialer)
+	r.forwarder = newForwarder(r.logf, linkMon, linkSel, dialer)
 	return r
 }
 
@@ -292,94 +256,29 @@ func (r *Resolver) Close() {
 	r.forwarder.Close()
 }
 
-// EnqueuePacket handles a packet to the magicDNS endpoint.
-// It takes ownership of the payload and does not block.
-// If the queue is full, the request will be dropped and an error will be returned.
-func (r *Resolver) EnqueuePacket(bs []byte, proto ipproto.Proto, from, to netaddr.IPPort) error {
-	if to.Port() != magicDNSPort || proto != ipproto.UDP {
-		return nil
-	}
-
-	return r.enqueueRequest(bs, proto, from, to)
-}
-
-// enqueueRequest places the given DNS request in the resolver's queue.
-// If the queue is full, the request will be dropped and an error will be returned.
-func (r *Resolver) enqueueRequest(bs []byte, proto ipproto.Proto, from, to netaddr.IPPort) error {
+func (r *Resolver) Query(ctx context.Context, bs []byte, from netaddr.IPPort) ([]byte, error) {
 	metricDNSQueryLocal.Add(1)
 	select {
 	case <-r.closed:
 		metricDNSQueryErrorClosed.Add(1)
-		return ErrClosed
+		return nil, net.ErrClosed
 	default:
 	}
-	if n := atomic.AddInt32(&r.activeQueriesAtomic, 1); n > maxActiveQueries() {
-		atomic.AddInt32(&r.activeQueriesAtomic, -1)
-		metricDNSQueryErrorQueue.Add(1)
-		return errFullQueue
-	}
-	go r.handleQuery(packet{bs, from})
-	return nil
-}
 
-// NextPacket returns the next packet to service traffic for magicDNS. The returned
-// packet is prefixed with unused space consistent with the semantics of injection
-// into tstun.Wrapper.
-// It blocks until a response is available and gives up ownership of the response payload.
-func (r *Resolver) NextPacket() (ipPacket []byte, err error) {
-	bs, to, err := r.nextResponse()
-	if err != nil {
-		return nil, err
-	}
-
-	// Unused space is needed further down the stack. To avoid extra
-	// allocations/copying later on, we allocate such space here.
-	const offset = tstun.PacketStartOffset
-
-	var buf []byte
-	switch {
-	case to.IP().Is4():
-		h := tspacket.UDP4Header{
-			IP4Header: tspacket.IP4Header{
-				Src: magicDNSIP,
-				Dst: to.IP(),
-			},
-			SrcPort: magicDNSPort,
-			DstPort: to.Port(),
+	out, err := r.respond(bs)
+	if err == errNotOurName {
+		responses := make(chan packet, 1)
+		ctx, cancel := context.WithCancel(ctx)
+		defer close(responses)
+		defer cancel()
+		err = r.forwarder.forwardWithDestChan(ctx, packet{bs, from}, responses)
+		if err != nil {
+			return nil, err
 		}
-		hlen := h.Len()
-		buf = make([]byte, offset+hlen+len(bs))
-		copy(buf[offset+hlen:], bs)
-		h.Marshal(buf[offset:])
-	case to.IP().Is6():
-		h := tspacket.UDP6Header{
-			IP6Header: tspacket.IP6Header{
-				Src: magicDNSIPv6,
-				Dst: to.IP(),
-			},
-			SrcPort: magicDNSPort,
-			DstPort: to.Port(),
-		}
-		hlen := h.Len()
-		buf = make([]byte, offset+hlen+len(bs))
-		copy(buf[offset+hlen:], bs)
-		h.Marshal(buf[offset:])
+		return (<-responses).bs, nil
 	}
 
-	return buf, nil
-}
-
-// nextResponse returns a DNS response to a previously enqueued request.
-// It blocks until a response is available and gives up ownership of the response payload.
-func (r *Resolver) nextResponse() (packet []byte, to netaddr.IPPort, err error) {
-	select {
-	case <-r.closed:
-		return nil, netaddr.IPPort{}, ErrClosed
-	case resp := <-r.responses:
-		return resp.bs, resp.addr, nil
-	case err := <-r.errors:
-		return nil, netaddr.IPPort{}, err
-	}
+	return out, err
 }
 
 // parseExitNodeQuery parses a DNS request packet.
@@ -448,7 +347,7 @@ func (r *Resolver) HandleExitNodeDNSQuery(ctx context.Context, q []byte, from ne
 			// will use its default ones from our DNS config.
 		} else {
 			resolvers = []resolverAndDelay{{
-				name: dnstype.Resolver{Addr: net.JoinHostPort(nameserver.String(), "53")},
+				name: &dnstype.Resolver{Addr: net.JoinHostPort(nameserver.String(), "53")},
 			}}
 		}
 
@@ -633,6 +532,10 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 			return tsaddr.TailscaleServiceIPv6(), dns.RCodeSuccess
 		}
 	}
+	// Special-case: 'via-<siteid>.<ipv4>' queries.
+	if ip, ok := r.parseViaDomain(domain, typ); ok {
+		return ip, dns.RCodeSuccess
+	}
 
 	r.mu.Lock()
 	hosts := r.hostToIP
@@ -708,6 +611,46 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 	}
 }
 
+// parseViaDomain synthesizes an IP address for quad-A DNS requests of
+// the form 'via-<X>.<IPv4-address>', where X is a decimal, or hex-encoded
+// number with a '0x' prefix.
+//
+// This exists as a convenient mapping into Tailscales 'Via Range'.
+func (r *Resolver) parseViaDomain(domain dnsname.FQDN, typ dns.Type) (netaddr.IP, bool) {
+	fqdn := string(domain.WithoutTrailingDot())
+	if typ != dns.TypeAAAA {
+		return netaddr.IP{}, false
+	}
+	if len(fqdn) < len("via-X.0.0.0.0") {
+		return netaddr.IP{}, false // too short to be valid
+	}
+	if !strings.HasPrefix(fqdn, "via-") {
+		return netaddr.IP{}, false
+	}
+
+	firstDot := strings.Index(fqdn, ".")
+	if firstDot < 0 {
+		return netaddr.IP{}, false // missing dot delimiters
+	}
+
+	siteID := fqdn[len("via-"):firstDot]
+	ip4Str := fqdn[firstDot+1:]
+
+	ip4, err := netaddr.ParseIP(ip4Str)
+	if err != nil {
+		return netaddr.IP{}, false // badly formed, dont respond
+	}
+
+	prefix, err := strconv.ParseUint(siteID, 0, 32)
+	if err != nil {
+		return netaddr.IP{}, false // badly formed, dont respond
+	}
+
+	// MapVia will never error when given an ipv4 netaddr.IPPrefix.
+	out, _ := tsaddr.MapVia(uint32(prefix), netaddr.IPPrefixFrom(ip4, ip4.BitLen()))
+	return out.IP(), true
+}
+
 // resolveReverse returns the unique domain name that maps to the given address.
 func (r *Resolver) resolveLocalReverse(name dnsname.FQDN) (dnsname.FQDN, dns.RCode) {
 	var ip netaddr.IP
@@ -763,30 +706,6 @@ func (r *Resolver) fqdnForIPLocked(ip netaddr.IP, name dnsname.FQDN) (dnsname.FQ
 	return ret, dns.RCodeSuccess
 }
 
-func (r *Resolver) handleQuery(pkt packet) {
-	defer atomic.AddInt32(&r.activeQueriesAtomic, -1)
-
-	out, err := r.respond(pkt.bs)
-	if err == errNotOurName {
-		err = r.forwarder.forward(pkt)
-		if err == nil {
-			// forward will send response into r.responses, nothing to do.
-			return
-		}
-	}
-	if err != nil {
-		select {
-		case <-r.closed:
-		case r.errors <- err:
-		}
-	} else {
-		select {
-		case <-r.closed:
-		case r.responses <- packet{out, pkt.addr}:
-		}
-	}
-}
-
 type response struct {
 	Header   dns.Header
 	Question dns.Question
@@ -1271,7 +1190,6 @@ func unARPA(a string) (ipStr string, ok bool) {
 var (
 	metricDNSQueryLocal       = clientmetric.NewCounter("dns_query_local")
 	metricDNSQueryErrorClosed = clientmetric.NewCounter("dns_query_local_error_closed")
-	metricDNSQueryErrorQueue  = clientmetric.NewCounter("dns_query_local_error_queue")
 
 	metricDNSErrorParseNoQ   = clientmetric.NewCounter("dns_query_respond_error_no_question")
 	metricDNSErrorParseQuery = clientmetric.NewCounter("dns_query_respond_error_parse")
@@ -1295,6 +1213,7 @@ var (
 
 	metricDNSFwdErrorType      = clientmetric.NewCounter("dns_query_fwd_error_type")
 	metricDNSFwdErrorParseAddr = clientmetric.NewCounter("dns_query_fwd_error_parse_addr")
+	metricDNSFwdTruncated      = clientmetric.NewCounter("dns_query_fwd_truncated")
 
 	metricDNSFwdUDP            = clientmetric.NewCounter("dns_query_fwd_udp")       // on entry
 	metricDNSFwdUDPWrote       = clientmetric.NewCounter("dns_query_fwd_udp_wrote") // sent UDP packet

net/dns/resolver/tsdns_test.go

@@ -27,7 +27,6 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tstest"
 	"tailscale.com/types/dnstype"
-	"tailscale.com/types/ipproto"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/wgengine/monitor"
 )
@@ -234,11 +233,7 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 }
 
 func syncRespond(r *Resolver, query []byte) ([]byte, error) {
-	if err := r.enqueueRequest(query, ipproto.UDP, netaddr.IPPort{}, magicDNSv4Port); err != nil {
-		return nil, fmt.Errorf("enqueueRequest: %w", err)
-	}
-	payload, _, err := r.nextResponse()
-	return payload, err
+	return r.Query(context.Background(), query, netaddr.IPPort{})
 }
 
 func mustIP(str string) netaddr.IP {
@@ -348,6 +343,9 @@ func TestResolveLocal(t *testing.T) {
 		{"ns-nxdomain", "test3.ipn.dev.", dns.TypeNS, netaddr.IP{}, dns.RCodeNameError},
 		{"onion-domain", "footest.onion.", dns.TypeA, netaddr.IP{}, dns.RCodeNameError},
 		{"magicdns", dnsSymbolicFQDN, dns.TypeA, netaddr.MustParseIP("100.100.100.100"), dns.RCodeSuccess},
+		{"via_hex", dnsname.FQDN("via-0xff.1.2.3.4."), dns.TypeAAAA, netaddr.MustParseIP("fd7a:115c:a1e0:b1a:0:ff:102:304"), dns.RCodeSuccess},
+		{"via_dec", dnsname.FQDN("via-1.10.0.0.1."), dns.TypeAAAA, netaddr.MustParseIP("fd7a:115c:a1e0:b1a:0:1:a00:1"), dns.RCodeSuccess},
+		{"via_invalid", dnsname.FQDN("via-."), dns.TypeA, netaddr.IP{}, dns.RCodeRefused},
 	}
 
 	for _, tt := range tests {
@@ -482,10 +480,10 @@ func TestDelegate(t *testing.T) {
 	defer r.Close()
 
 	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
+	cfg.Routes = map[dnsname.FQDN][]*dnstype.Resolver{
 		".": {
-			dnstype.Resolver{Addr: v4server.PacketConn.LocalAddr().String()},
-			dnstype.Resolver{Addr: v6server.PacketConn.LocalAddr().String()},
+			&dnstype.Resolver{Addr: v4server.PacketConn.LocalAddr().String()},
+			&dnstype.Resolver{Addr: v6server.PacketConn.LocalAddr().String()},
 		},
 	}
 	r.SetConfig(cfg)
@@ -657,7 +655,7 @@ func TestDelegateSplitRoute(t *testing.T) {
 	defer r.Close()
 
 	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
+	cfg.Routes = map[dnsname.FQDN][]*dnstype.Resolver{
 		".":      {{Addr: server1.PacketConn.LocalAddr().String()}},
 		"other.": {{Addr: server2.PacketConn.LocalAddr().String()}},
 	}
@@ -705,78 +703,6 @@ func TestDelegateSplitRoute(t *testing.T) {
 	}
 }
 
-func TestDelegateCollision(t *testing.T) {
-	server := serveDNS(t, "127.0.0.1:0",
-		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
-	defer server.Shutdown()
-
-	r := newResolver(t)
-	defer r.Close()
-
-	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
-		".": {{Addr: server.PacketConn.LocalAddr().String()}},
-	}
-	r.SetConfig(cfg)
-
-	packets := []struct {
-		qname dnsname.FQDN
-		qtype dns.Type
-		addr  netaddr.IPPort
-	}{
-		{"test.site.", dns.TypeA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1001)},
-		{"test.site.", dns.TypeAAAA, netaddr.IPPortFrom(netaddr.IPv4(1, 1, 1, 1), 1002)},
-	}
-
-	// packets will have the same dns txid.
-	for _, p := range packets {
-		payload := dnspacket(p.qname, p.qtype, noEdns)
-		err := r.enqueueRequest(payload, ipproto.UDP, p.addr, magicDNSv4Port)
-		if err != nil {
-			t.Error(err)
-		}
-	}
-
-	// Despite the txid collision, the answer(s) should still match the query.
-	resp, addr, err := r.nextResponse()
-	if err != nil {
-		t.Error(err)
-	}
-
-	var p dns.Parser
-	_, err = p.Start(resp)
-	if err != nil {
-		t.Error(err)
-	}
-	err = p.SkipAllQuestions()
-	if err != nil {
-		t.Error(err)
-	}
-	ans, err := p.AllAnswers()
-	if err != nil {
-		t.Error(err)
-	}
-	if len(ans) == 0 {
-		t.Fatal("no answers")
-	}
-
-	var wantType dns.Type
-	switch ans[0].Body.(type) {
-	case *dns.AResource:
-		wantType = dns.TypeA
-	case *dns.AAAAResource:
-		wantType = dns.TypeAAAA
-	default:
-		t.Errorf("unexpected answer type: %T", ans[0].Body)
-	}
-
-	for _, p := range packets {
-		if p.qtype == wantType && p.addr != addr {
-			t.Errorf("addr = %v; want %v", addr, p.addr)
-		}
-	}
-}
-
 var allResponse = []byte{
 	0x00, 0x00, // transaction id: 0
 	0x84, 0x00, // flags: response, authoritative, no error
@@ -1021,7 +947,7 @@ func BenchmarkFull(b *testing.B) {
 	defer r.Close()
 
 	cfg := dnsCfg
-	cfg.Routes = map[dnsname.FQDN][]dnstype.Resolver{
+	cfg.Routes = map[dnsname.FQDN][]*dnstype.Resolver{
 		".": {{Addr: server.PacketConn.LocalAddr().String()}},
 	}
 
@@ -1073,7 +999,7 @@ func TestForwardLinkSelection(t *testing.T) {
 	// routes differently.
 	specialIP := netaddr.IPv4(1, 2, 3, 4)
 
-	fwd := newForwarder(t.Logf, nil, nil, linkSelFunc(func(ip netaddr.IP) string {
+	fwd := newForwarder(t.Logf, nil, linkSelFunc(func(ip netaddr.IP) string {
 		if ip == netaddr.IPv4(1, 2, 3, 4) {
 			return "special"
 		}

net/netcheck/netcheck.go

@@ -1044,7 +1044,7 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	}
 	hc := &http.Client{Transport: tr}
 
-	req, err := http.NewRequestWithContext(ctx, "GET", "https://" + node.HostName + "/derp/latency-check", nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://"+node.HostName+"/derp/latency-check", nil)
 	if err != nil {
 		return 0, ip, err
 	}

net/packet/icmp.go

@@ -0,0 +1,29 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package packet
+
+import (
+	crand "crypto/rand"
+
+	"encoding/binary"
+)
+
+// ICMPEchoPayload generates a new random ID/Sequence pair, and returns a uint32
+// derived from them, along with the id, sequence and given payload in a buffer.
+// It returns an error if the random source could not be read.
+func ICMPEchoPayload(payload []byte) (idSeq uint32, buf []byte) {
+	buf = make([]byte, len(payload)+4)
+
+	// make a completely random id/sequence combo, which is very unlikely to
+	// collide with a running ping sequence on the host system. Errors are
+	// ignored, that would result in collisions, but errors reading from the
+	// random device are rare, and will cause this process universe to soon end.
+	crand.Read(buf[:4])
+
+	idSeq = binary.LittleEndian.Uint32(buf)
+	copy(buf[4:], payload)
+
+	return
+}

net/packet/packet.go

@@ -434,6 +434,29 @@ func (q *Parsed) IsEchoResponse() bool {
 	}
 }
 
+// EchoIDSeq extracts the identifier/sequence bytes from an ICMP Echo response,
+// and returns them as a uint32, used to lookup internally routed ICMP echo
+// responses. This function is intentionally lightweight as it is called on
+// every incoming ICMP packet.
+func (q *Parsed) EchoIDSeq() uint32 {
+	switch q.IPProto {
+	case ipproto.ICMPv4:
+		offset := ip4HeaderLength + icmp4HeaderLength
+		if len(q.b) < offset+4 {
+			return 0
+		}
+		return binary.LittleEndian.Uint32(q.b[offset:])
+	case ipproto.ICMPv6:
+		offset := ip6HeaderLength + icmp6HeaderLength
+		if len(q.b) < offset+4 {
+			return 0
+		}
+		return binary.LittleEndian.Uint32(q.b[offset:])
+	default:
+		return 0
+	}
+}
+
 func Hexdump(b []byte) string {
 	out := new(strings.Builder)
 	for i := 0; i < len(b); i += 16 {

net/packet/tsmp.go

@@ -5,7 +5,7 @@
 // TSMP is our ICMP-like "Tailscale Message Protocol" for signaling
 // Tailscale-specific messages between nodes. It uses IP protocol 99
 // (reserved for "any private encryption scheme") within
-// Wireguard's normal encryption between peers and never hits the host
+// WireGuard's normal encryption between peers and never hits the host
 // network stack.
 
 package packet

net/tsdial/tsdial.go

@@ -20,8 +20,12 @@ import (
 
 	"inet.af/netaddr"
 	"tailscale.com/net/dnscache"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netknob"
+	"tailscale.com/net/netns"
+	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
+	"tailscale.com/util/mak"
 	"tailscale.com/wgengine/monitor"
 )
 
@@ -30,6 +34,7 @@ import (
 // (TUN, netstack), the OS network sandboxing style (macOS/iOS
 // Extension, none), user-selected route acceptance prefs, etc.
 type Dialer struct {
+	Logf logger.Logf
 	// UseNetstackForIP if non-nil is whether NetstackDialTCP (if
 	// it's non-nil) should be used to dial the provided IP.
 	UseNetstackForIP func(netaddr.IP) bool
@@ -46,12 +51,33 @@ type Dialer struct {
 	peerDialerOnce sync.Once
 	peerDialer     *net.Dialer
 
-	mu             sync.Mutex
-	dns            dnsMap
-	tunName        string // tun device name
-	linkMon        *monitor.Mon
-	exitDNSDoHBase string                 // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
-	dnsCache       *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
+	netnsDialerOnce sync.Once
+	netnsDialer     netns.Dialer
+
+	mu                sync.Mutex
+	closed            bool
+	dns               dnsMap
+	tunName           string // tun device name
+	linkMon           *monitor.Mon
+	linkMonUnregister func()
+	exitDNSDoHBase    string                 // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
+	dnsCache          *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
+	nextSysConnID     int
+	activeSysConns    map[int]net.Conn // active connections not yet closed
+}
+
+// sysConn wraps a net.Conn that was created using d.SystemDial.
+// It exists to track which connections are still open, and should be
+// closed on major link changes.
+type sysConn struct {
+	net.Conn
+	id int
+	d  *Dialer
+}
+
+func (c sysConn) Close() error {
+	c.d.closeSysConn(c.id)
+	return nil
 }
 
 // SetTUNName sets the name of the tun device in use ("tailscale0", "utun6",
@@ -91,10 +117,53 @@ func (d *Dialer) SetExitDNSDoH(doh string) {
 	}
 }
 
+func (d *Dialer) Close() error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	d.closed = true
+	if d.linkMonUnregister != nil {
+		d.linkMonUnregister()
+		d.linkMonUnregister = nil
+	}
+	for _, c := range d.activeSysConns {
+		c.Close()
+	}
+	d.activeSysConns = nil
+	return nil
+}
+
 func (d *Dialer) SetLinkMonitor(mon *monitor.Mon) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
+	if d.linkMonUnregister != nil {
+		go d.linkMonUnregister()
+		d.linkMonUnregister = nil
+	}
 	d.linkMon = mon
+	d.linkMonUnregister = d.linkMon.RegisterChangeCallback(d.linkChanged)
+}
+
+func (d *Dialer) linkChanged(major bool, state *interfaces.State) {
+	if !major {
+		return
+	}
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	for id, c := range d.activeSysConns {
+		go c.Close()
+		delete(d.activeSysConns, id)
+	}
+}
+
+func (d *Dialer) closeSysConn(id int) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	c, ok := d.activeSysConns[id]
+	if !ok {
+		return
+	}
+	delete(d.activeSysConns, id)
+	go c.Close() // ignore the error
 }
 
 func (d *Dialer) interfaceIndexLocked(ifName string) (index int, ok bool) {
@@ -197,6 +266,42 @@ func ipNetOfNetwork(n string) string {
 	return "ip"
 }
 
+// SystemDial connects to the provided network address without going over
+// Tailscale. It prefers going over the default interface and closes existing
+// connections if the default interface changes. It is used to connect to
+// Control and (in the future, as of 2022-04-27) DERPs..
+func (d *Dialer) SystemDial(ctx context.Context, network, addr string) (net.Conn, error) {
+	d.mu.Lock()
+	closed := d.closed
+	d.mu.Unlock()
+	if closed {
+		return nil, net.ErrClosed
+	}
+
+	d.netnsDialerOnce.Do(func() {
+		logf := d.Logf
+		if logf == nil {
+			logf = logger.Discard
+		}
+		d.netnsDialer = netns.NewDialer(logf)
+	})
+	c, err := d.netnsDialer.DialContext(ctx, network, addr)
+	if err != nil {
+		return nil, err
+	}
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	id := d.nextSysConnID
+	d.nextSysConnID++
+	mak.Set(&d.activeSysConns, id, c)
+
+	return sysConn{
+		id:   id,
+		d:    d,
+		Conn: c,
+	}, nil
+}
+
 // UserDial connects to the provided network address as if a user were initiating the dial.
 // (e.g. from a SOCKS or HTTP outbound proxy)
 func (d *Dialer) UserDial(ctx context.Context, network, addr string) (net.Conn, error) {

net/tshttpproxy/tshttpproxy_linux.go

@@ -0,0 +1,26 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+// +build linux
+
+package tshttpproxy
+
+import (
+	"net/http"
+	"net/url"
+
+	"tailscale.com/version/distro"
+)
+
+func init() {
+	sysProxyFromEnv = linuxSysProxyFromEnv
+}
+
+func linuxSysProxyFromEnv(req *http.Request) (*url.URL, error) {
+	if distro.Get() == distro.Synology {
+		return synologyProxyFromConfigCached(req)
+	}
+	return nil, nil
+}

net/tshttpproxy/tshttpproxy_synology.go

@@ -0,0 +1,142 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+// +build linux
+
+package tshttpproxy
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"tailscale.com/util/lineread"
+)
+
+// These vars are overridden for tests.
+var (
+	synologyProxyConfigPath = "/etc/proxy.conf"
+
+	openSynologyProxyConf = func() (io.ReadCloser, error) {
+		return os.Open(synologyProxyConfigPath)
+	}
+)
+
+var cache struct {
+	sync.Mutex
+	httpProxy  *url.URL
+	httpsProxy *url.URL
+	updated    time.Time
+}
+
+func synologyProxyFromConfigCached(req *http.Request) (*url.URL, error) {
+	if req.URL == nil {
+		return nil, nil
+	}
+
+	cache.Lock()
+	defer cache.Unlock()
+
+	var err error
+	modtime := mtime(synologyProxyConfigPath)
+
+	if modtime != cache.updated {
+		cache.httpProxy, cache.httpsProxy, err = synologyProxiesFromConfig()
+		cache.updated = modtime
+	}
+
+	if req.URL.Scheme == "https" {
+		return cache.httpsProxy, err
+	}
+	return cache.httpProxy, err
+}
+
+func synologyProxiesFromConfig() (*url.URL, *url.URL, error) {
+	r, err := openSynologyProxyConf()
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil, nil
+		}
+		return nil, nil, err
+	}
+	defer r.Close()
+
+	return parseSynologyConfig(r)
+}
+
+// parseSynologyConfig parses the Synology proxy configuration, and returns any
+// http proxy, and any https proxy respectively, or an error if parsing fails.
+func parseSynologyConfig(r io.Reader) (*url.URL, *url.URL, error) {
+	cfg := map[string]string{}
+
+	if err := lineread.Reader(r, func(line []byte) error {
+		// accept and skip over empty lines
+		line = bytes.TrimSpace(line)
+		if len(line) == 0 {
+			return nil
+		}
+
+		key, value, ok := strings.Cut(string(line), "=")
+		if !ok {
+			return fmt.Errorf("missing \"=\" in proxy.conf line: %q", line)
+		}
+		cfg[string(key)] = string(value)
+		return nil
+	}); err != nil {
+		return nil, nil, err
+	}
+
+	if cfg["proxy_enabled"] != "yes" {
+		return nil, nil, nil
+	}
+
+	httpProxyURL := new(url.URL)
+	httpsProxyURL := new(url.URL)
+	if cfg["auth_enabled"] == "yes" {
+		httpProxyURL.User = url.UserPassword(cfg["proxy_user"], cfg["proxy_pwd"])
+		httpsProxyURL.User = url.UserPassword(cfg["proxy_user"], cfg["proxy_pwd"])
+	}
+
+	// As far as we are aware, synology does not support tls proxies.
+	httpProxyURL.Scheme = "http"
+	httpsProxyURL.Scheme = "http"
+
+	httpsProxyURL = addHostPort(httpsProxyURL, cfg["https_host"], cfg["https_port"])
+	httpProxyURL = addHostPort(httpProxyURL, cfg["http_host"], cfg["http_port"])
+
+	return httpProxyURL, httpsProxyURL, nil
+}
+
+// addHostPort adds to u the given host and port and returns the updated url, or
+// if host is empty, it returns nil.
+func addHostPort(u *url.URL, host, port string) *url.URL {
+	if host == "" {
+		return nil
+	}
+
+	if port == "" {
+		u.Host = host
+	} else {
+		u.Host = net.JoinHostPort(host, port)
+	}
+	return u
+}
+
+// mtime stat's path and returns its modification time. If path does not exist,
+// it returns the unix epoch.
+func mtime(path string) time.Time {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return time.Unix(0, 0)
+	}
+	return fi.ModTime()
+}

net/tshttpproxy/tshttpproxy_synology_test.go

@@ -0,0 +1,381 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+// +build linux
+
+package tshttpproxy
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestSynologyProxyFromConfigCached(t *testing.T) {
+	req, err := http.NewRequest("GET", "http://example.org/", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var orig string
+	orig, synologyProxyConfigPath = synologyProxyConfigPath, filepath.Join(t.TempDir(), "proxy.conf")
+	defer func() { synologyProxyConfigPath = orig }()
+
+	t.Run("no config file", func(t *testing.T) {
+		if _, err := os.Stat(synologyProxyConfigPath); err == nil {
+			t.Fatalf("%s must not exist for this test", synologyProxyConfigPath)
+		}
+
+		cache.updated = time.Time{}
+		cache.httpProxy = nil
+		cache.httpsProxy = nil
+
+		if val, err := synologyProxyFromConfigCached(req); val != nil || err != nil {
+			t.Fatalf("got %s, %v; want nil, nil", val, err)
+		}
+
+		if got, want := cache.updated, time.Unix(0, 0); got != want {
+			t.Fatalf("got %s, want %s", got, want)
+		}
+		if cache.httpProxy != nil {
+			t.Fatalf("got %s, want nil", cache.httpProxy)
+		}
+		if cache.httpsProxy != nil {
+			t.Fatalf("got %s, want nil", cache.httpsProxy)
+		}
+	})
+
+	t.Run("config file updated", func(t *testing.T) {
+		cache.updated = time.Now()
+		cache.httpProxy = nil
+		cache.httpsProxy = nil
+
+		if err := ioutil.WriteFile(synologyProxyConfigPath, []byte(`
+proxy_enabled=yes
+http_host=10.0.0.55
+http_port=80
+https_host=10.0.0.66
+https_port=443
+		`), 0600); err != nil {
+			t.Fatal(err)
+		}
+
+		val, err := synologyProxyFromConfigCached(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if cache.httpProxy == nil {
+			t.Fatal("http proxy was not cached")
+		}
+		if cache.httpsProxy == nil {
+			t.Fatal("https proxy was not cached")
+		}
+
+		if want := urlMustParse("http://10.0.0.55:80"); val.String() != want.String() {
+			t.Fatalf("got %s; want %s", val, want)
+		}
+	})
+
+	t.Run("config file removed", func(t *testing.T) {
+		cache.updated = time.Now()
+		cache.httpProxy = urlMustParse("http://127.0.0.1/")
+		cache.httpsProxy = urlMustParse("http://127.0.0.1/")
+
+		if err := os.Remove(synologyProxyConfigPath); err != nil && !os.IsNotExist(err) {
+			t.Fatal(err)
+		}
+
+		val, err := synologyProxyFromConfigCached(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if val != nil {
+			t.Fatalf("got %s; want nil", val)
+		}
+		if cache.httpProxy != nil {
+			t.Fatalf("got %s, want nil", cache.httpProxy)
+		}
+		if cache.httpsProxy != nil {
+			t.Fatalf("got %s, want nil", cache.httpsProxy)
+		}
+	})
+
+	t.Run("picks proxy from request scheme", func(t *testing.T) {
+		cache.updated = time.Now()
+		cache.httpProxy = nil
+		cache.httpsProxy = nil
+
+		if err := ioutil.WriteFile(synologyProxyConfigPath, []byte(`
+proxy_enabled=yes
+http_host=10.0.0.55
+http_port=80
+https_host=10.0.0.66
+https_port=443
+		`), 0600); err != nil {
+			t.Fatal(err)
+		}
+
+		httpReq, err := http.NewRequest("GET", "http://example.com", nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		val, err := synologyProxyFromConfigCached(httpReq)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if val == nil {
+			t.Fatalf("got nil, want an http URL")
+		}
+		if got, want := val.String(), "http://10.0.0.55:80"; got != want {
+			t.Fatalf("got %q, want %q", got, want)
+		}
+
+		httpsReq, err := http.NewRequest("GET", "https://example.com", nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		val, err = synologyProxyFromConfigCached(httpsReq)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if val == nil {
+			t.Fatalf("got nil, want an http URL")
+		}
+		if got, want := val.String(), "http://10.0.0.66:443"; got != want {
+			t.Fatalf("got %q, want %q", got, want)
+		}
+	})
+}
+
+func TestSynologyProxiesFromConfig(t *testing.T) {
+	var (
+		openReader io.ReadCloser
+		openErr    error
+	)
+	var origOpen func() (io.ReadCloser, error)
+	origOpen, openSynologyProxyConf = openSynologyProxyConf, func() (io.ReadCloser, error) {
+		return openReader, openErr
+	}
+	defer func() { openSynologyProxyConf = origOpen }()
+
+	t.Run("with config", func(t *testing.T) {
+		mc := &mustCloser{Reader: strings.NewReader(`
+proxy_user=foo
+proxy_pwd=bar
+proxy_enabled=yes
+adv_enabled=yes
+bypass_enabled=yes
+auth_enabled=yes
+https_host=10.0.0.66
+https_port=8443
+http_host=10.0.0.55
+http_port=80
+	`)}
+		defer mc.check(t)
+		openReader = mc
+
+		httpProxy, httpsProxy, err := synologyProxiesFromConfig()
+
+		if got, want := err, openErr; got != want {
+			t.Fatalf("got %s, want %s", got, want)
+		}
+
+		if got, want := httpsProxy, urlMustParse("http://foo:bar@10.0.0.66:8443"); got.String() != want.String() {
+			t.Fatalf("got %s, want %s", got, want)
+		}
+
+		if got, want := err, openErr; got != want {
+			t.Fatalf("got %s, want %s", got, want)
+		}
+
+		if got, want := httpProxy, urlMustParse("http://foo:bar@10.0.0.55:80"); got.String() != want.String() {
+			t.Fatalf("got %s, want %s", got, want)
+		}
+
+	})
+
+	t.Run("non-existent config", func(t *testing.T) {
+		openReader = nil
+		openErr = os.ErrNotExist
+
+		httpProxy, httpsProxy, err := synologyProxiesFromConfig()
+		if err != nil {
+			t.Fatalf("expected no error, got %s", err)
+		}
+		if httpProxy != nil {
+			t.Fatalf("expected no url, got %s", httpProxy)
+		}
+		if httpsProxy != nil {
+			t.Fatalf("expected no url, got %s", httpsProxy)
+		}
+	})
+
+	t.Run("error opening config", func(t *testing.T) {
+		openReader = nil
+		openErr = errors.New("example error")
+
+		httpProxy, httpsProxy, err := synologyProxiesFromConfig()
+		if err != openErr {
+			t.Fatalf("expected %s, got %s", openErr, err)
+		}
+		if httpProxy != nil {
+			t.Fatalf("expected no url, got %s", httpProxy)
+		}
+		if httpsProxy != nil {
+			t.Fatalf("expected no url, got %s", httpsProxy)
+		}
+	})
+
+}
+
+func TestParseSynologyConfig(t *testing.T) {
+	cases := map[string]struct {
+		input      string
+		httpProxy  *url.URL
+		httpsProxy *url.URL
+		err        error
+	}{
+		"populated": {
+			input: `
+proxy_user=foo
+proxy_pwd=bar
+proxy_enabled=yes
+adv_enabled=yes
+bypass_enabled=yes
+auth_enabled=yes
+https_host=10.0.0.66
+https_port=8443
+http_host=10.0.0.55
+http_port=80
+`,
+			httpProxy:  urlMustParse("http://foo:bar@10.0.0.55:80"),
+			httpsProxy: urlMustParse("http://foo:bar@10.0.0.66:8443"),
+			err:        nil,
+		},
+		"no-auth": {
+			input: `
+proxy_user=foo
+proxy_pwd=bar
+proxy_enabled=yes
+adv_enabled=yes
+bypass_enabled=yes
+auth_enabled=no
+https_host=10.0.0.66
+https_port=8443
+http_host=10.0.0.55
+http_port=80
+`,
+			httpProxy:  urlMustParse("http://10.0.0.55:80"),
+			httpsProxy: urlMustParse("http://10.0.0.66:8443"),
+			err:        nil,
+		},
+		"http-only": {
+			input: `
+proxy_user=foo
+proxy_pwd=bar
+proxy_enabled=yes
+adv_enabled=yes
+bypass_enabled=yes
+auth_enabled=yes
+https_host=
+https_port=8443
+http_host=10.0.0.55
+http_port=80
+`,
+			httpProxy:  urlMustParse("http://foo:bar@10.0.0.55:80"),
+			httpsProxy: nil,
+			err:        nil,
+		},
+		"empty": {
+			input: `
+proxy_user=
+proxy_pwd=
+proxy_enabled=
+adv_enabled=
+bypass_enabled=
+auth_enabled=
+https_host=
+https_port=
+http_host=
+http_port=
+`,
+			httpProxy:  nil,
+			httpsProxy: nil,
+			err:        nil,
+		},
+	}
+
+	for name, example := range cases {
+		t.Run(name, func(t *testing.T) {
+			httpProxy, httpsProxy, err := parseSynologyConfig(strings.NewReader(example.input))
+			if err != example.err {
+				t.Fatal(err)
+			}
+			if example.err != nil {
+				return
+			}
+
+			if example.httpProxy == nil && httpProxy != nil {
+				t.Fatalf("got %s, want nil", httpProxy)
+			}
+
+			if example.httpProxy != nil {
+				if httpProxy == nil {
+					t.Fatalf("got nil, want %s", example.httpProxy)
+				}
+
+				if got, want := example.httpProxy.String(), httpProxy.String(); got != want {
+					t.Fatalf("got %s, want %s", got, want)
+				}
+			}
+
+			if example.httpsProxy == nil && httpsProxy != nil {
+				t.Fatalf("got %s, want nil", httpProxy)
+			}
+
+			if example.httpsProxy != nil {
+				if httpsProxy == nil {
+					t.Fatalf("got nil, want %s", example.httpsProxy)
+				}
+
+				if got, want := example.httpsProxy.String(), httpsProxy.String(); got != want {
+					t.Fatalf("got %s, want %s", got, want)
+				}
+			}
+		})
+	}
+}
+func urlMustParse(u string) *url.URL {
+	r, err := url.Parse(u)
+	if err != nil {
+		panic(fmt.Sprintf("urlMustParse: %s", err))
+	}
+	return r
+}
+
+type mustCloser struct {
+	io.Reader
+	closed bool
+}
+
+func (m *mustCloser) Close() error {
+	m.closed = true
+	return nil
+}
+
+func (m *mustCloser) check(t *testing.T) {
+	if !m.closed {
+		t.Errorf("mustCloser wrapping %#v was not closed at time of check", m.Reader)
+	}
+}

net/tstun/wrap.go

@@ -110,9 +110,9 @@ type Wrapper struct {
 	// inbound packets arrive via UDP and are written into the TUN device;
 	// outbound packets are read from the TUN device and sent out via UDP.
 	// This queue is needed because although inbound writes are synchronous,
-	// the other direction must wait on a Wireguard goroutine to poll it.
+	// the other direction must wait on a WireGuard goroutine to poll it.
 	//
-	// Empty reads are skipped by Wireguard, so it is always legal
+	// Empty reads are skipped by WireGuard, so it is always legal
 	// to discard an empty packet instead of sending it through t.outbound.
 	//
 	// Close closes outbound. There may be outstanding sends to outbound
@@ -135,15 +135,27 @@ type Wrapper struct {
 	PreFilterIn FilterFunc
 	// PostFilterIn is the inbound filter function that runs after the main filter.
 	PostFilterIn FilterFunc
-	// PreFilterOut is the outbound filter function that runs before the main filter
-	// and therefore sees the packets that may be later dropped by it.
-	PreFilterOut FilterFunc
+	// PreFilterFromTunToNetstack is a filter function that runs before the main filter
+	// for packets from the local system. This filter is populated by netstack to hook
+	// packets that should be handled by netstack. If set, this filter runs before
+	// PreFilterFromTunToEngine.
+	PreFilterFromTunToNetstack FilterFunc
+	// PreFilterFromTunToEngine is a filter function that runs before the main filter
+	// for packets from the local system. This filter is populated by wgengine to hook
+	// packets which it handles internally. If both this and PreFilterFromTunToNetstack
+	// filter functions are non-nil, this filter runs second.
+	PreFilterFromTunToEngine FilterFunc
 	// PostFilterOut is the outbound filter function that runs after the main filter.
 	PostFilterOut FilterFunc
 
 	// OnTSMPPongReceived, if non-nil, is called whenever a TSMP pong arrives.
 	OnTSMPPongReceived func(packet.TSMPPongReply)
 
+	// OnICMPEchoResponseReceived, if non-nil, is called whenever a ICMP echo response
+	// arrives. If the packet is to be handled internally this returns true,
+	// false otherwise.
+	OnICMPEchoResponseReceived func(*packet.Parsed) bool
+
 	// PeerAPIPort, if non-nil, returns the peerapi port that's
 	// running for the given IP address.
 	PeerAPIPort func(netaddr.IP) (port uint16, ok bool)
@@ -451,9 +463,16 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
 		return filter.DropSilently
 	}
 
-	if t.PreFilterOut != nil {
-		if res := t.PreFilterOut(p, t); res.IsDrop() {
-			// Handled by userspaceEngine.handleLocalPackets (quad-100 DNS primarily).
+	if t.PreFilterFromTunToNetstack != nil {
+		if res := t.PreFilterFromTunToNetstack(p, t); res.IsDrop() {
+			// Handled by netstack.Impl.handleLocalPackets (quad-100 DNS primarily)
+			return res
+		}
+	}
+	if t.PreFilterFromTunToEngine != nil {
+		if res := t.PreFilterFromTunToEngine(p, t); res.IsDrop() {
+			// Handled by userspaceEngine.handleLocalPackets (primarily handles
+			// quad-100 if netstack is not installed).
 			return res
 		}
 	}
@@ -535,7 +554,7 @@ func (t *Wrapper) Read(buf []byte, offset int) (int, error) {
 		response := t.filterOut(p)
 		if response != filter.Accept {
 			metricPacketOutDrop.Add(1)
-			// Wireguard considers read errors fatal; pretend nothing was read
+			// WireGuard considers read errors fatal; pretend nothing was read
 			return 0, nil
 		}
 	}
@@ -561,6 +580,14 @@ func (t *Wrapper) filterIn(buf []byte) filter.Response {
 		}
 	}
 
+	if p.IsEchoResponse() {
+		if f := t.OnICMPEchoResponseReceived; f != nil && f(p) {
+			// Note: this looks dropped in metrics, even though it was
+			// handled internally.
+			return filter.DropSilently
+		}
+	}
+
 	// Issue 1526 workaround: if we see disco packets over
 	// Tailscale from ourselves, then drop them, as that shouldn't
 	// happen unless a networking stack is confused, as it seems
@@ -678,6 +705,27 @@ func (t *Wrapper) SetFilter(filt *filter.Filter) {
 	t.filter.Store(filt)
 }
 
+// InjectInboundPacketBuffer makes the Wrapper device behave as if a packet
+// with the given contents was received from the network.
+// It takes ownership of one reference count on the packet. The injected
+// packet will not pass through inbound filters.
+//
+// This path is typically used to deliver synthesized packets to the
+// host networking stack.
+func (t *Wrapper) InjectInboundPacketBuffer(pkt *stack.PacketBuffer) error {
+	buf := make([]byte, PacketStartOffset+pkt.Size())
+
+	n := copy(buf[PacketStartOffset:], pkt.NetworkHeader().View())
+	n += copy(buf[PacketStartOffset+n:], pkt.TransportHeader().View())
+	n += copy(buf[PacketStartOffset+n:], pkt.Data().AsRange().AsView())
+	if n != pkt.Size() {
+		panic("unexpected packet size after copy")
+	}
+	pkt.DecRef()
+
+	return t.InjectInboundDirect(buf, PacketStartOffset)
+}
+
 // InjectInboundDirect makes the Wrapper device behave as if a packet
 // with the given contents was received from the network.
 // It blocks and does not take ownership of the packet.
@@ -685,7 +733,7 @@ func (t *Wrapper) SetFilter(filt *filter.Filter) {
 //
 // The packet contents are to start at &buf[offset].
 // offset must be greater or equal to PacketStartOffset.
-// The space before &buf[offset] will be used by Wireguard.
+// The space before &buf[offset] will be used by WireGuard.
 func (t *Wrapper) InjectInboundDirect(buf []byte, offset int) error {
 	if len(buf) > MaxPacketSize {
 		return errPacketTooBig

safesocket/safesocket_darwin.go

@@ -15,6 +15,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 )
 
 func init() {
@@ -49,6 +50,8 @@ func localTCPPortAndTokenMacsys() (port int, token string, err error) {
 	return port, auth, nil
 }
 
+var warnAboutRootOnce sync.Once
+
 func localTCPPortAndTokenDarwin() (port int, token string, err error) {
 	// There are two ways this binary can be run: as the Mac App Store sandboxed binary,
 	// or a normal binary that somebody built or download and are being run from outside
@@ -83,6 +86,14 @@ func localTCPPortAndTokenDarwin() (port int, token string, err error) {
 				}
 			}
 		}
+		if os.Geteuid() == 0 {
+			// Log a warning as the clue to the user, in case the error
+			// message is swallowed. Only do this once since we may retry
+			// multiple times to connect, and don't want to spam.
+			warnAboutRootOnce.Do(func() {
+				fmt.Fprintf(os.Stderr, "Warning: The CLI is running as root from within a sandboxed binary. It cannot reach the local tailscaled, please try again as a regular user.\n")
+			})
+		}
 		return 0, "", fmt.Errorf("failed to find sandboxed sameuserproof-* file in TS_MACOS_CLI_SHARED_DIR %q", dir)
 	}
 

safesocket/unixsocket.go

@@ -11,7 +11,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"net"
 	"os"
@@ -19,7 +18,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"strconv"
-	"strings"
 )
 
 // TODO(apenwarr): handle magic cookie auth
@@ -114,77 +112,30 @@ func socketPermissionsForOS() os.FileMode {
 	return 0600
 }
 
-// connectMacOSAppSandbox connects to the Tailscale Network Extension,
-// which is necessarily running within the macOS App Sandbox.  Our
-// little dance to connect a regular user binary to the sandboxed
-// network extension is:
+// connectMacOSAppSandbox connects to the Tailscale Network Extension (macOS App
+// Store build) or App Extension (macsys standalone build), where the CLI itself
+// is either running within the macOS App Sandbox or built separately (e.g.
+// homebrew or go install). This little dance to connect a regular user binary
+// to the sandboxed network extension is:
 //
 //   * the sandboxed IPNExtension picks a random localhost:0 TCP port
 //     to listen on
 //   * it also picks a random hex string that acts as an auth token
-//   * it then creates a file named "sameuserproof-$PORT-$TOKEN" and leaves
-//     that file descriptor open forever.
-//
-// Then, we do different things depending on whether the user is
-// running cmd/tailscale that they built themselves (running as
-// themselves, outside the App Sandbox), or whether the user is
-// running the CLI via the GUI binary
-// (e.g. /Applications/Tailscale.app/Contents/MacOS/Tailscale <args>),
-// in which case we're running within the App Sandbox.
-//
-// If we're outside the App Sandbox:
-//
-//   * then we come along here, running as the same UID, but outside
-//     of the sandbox, and look for it. We can run lsof on our own processes,
-//     but other users on the system can't.
-//   * we parse out the localhost port number and the auth token
-//   * we connect to TCP localhost:$PORT
-//   * we send $TOKEN + "\n"
-//   * server verifies $TOKEN, sends "#IPN\n" if okay.
-//   * server is now protocol switched
-//   * we return the net.Conn and the caller speaks the normal protocol
-//
-// If we're inside the App Sandbox, then TS_MACOS_CLI_SHARED_DIR has
-// been set to our shared directory. We now have to find the most
-// recent "sameuserproof" file (there should only be 1, but previous
-// versions of the macOS app didn't clean them up).
+//   * the CLI looks on disk for that TCP port + auth token (see localTCPPortAndTokenDarwin)
+//   * we send it upon TCP connect to prove to the Tailscale daemon that
+//     we're a suitably privileged user to have access the files on disk
+//     which the Network/App Extension wrote.
 func connectMacOSAppSandbox() (net.Conn, error) {
-	// Are we running the Tailscale.app GUI binary as a CLI, running within the App Sandbox?
-	if d := os.Getenv("TS_MACOS_CLI_SHARED_DIR"); d != "" {
-		fis, err := ioutil.ReadDir(d)
-		if err != nil {
-			return nil, fmt.Errorf("reading TS_MACOS_CLI_SHARED_DIR: %w", err)
-		}
-		var best os.FileInfo
-		for _, fi := range fis {
-			if !strings.HasPrefix(fi.Name(), "sameuserproof-") || strings.Count(fi.Name(), "-") != 2 {
-				continue
-			}
-			if best == nil || fi.ModTime().After(best.ModTime()) {
-				best = fi
-			}
-		}
-		if best == nil {
-			return nil, fmt.Errorf("no sameuserproof token found in TS_MACOS_CLI_SHARED_DIR %q", d)
-		}
-		f := strings.SplitN(best.Name(), "-", 3)
-		portStr, token := f[1], f[2]
-		port, err := strconv.Atoi(portStr)
-		if err != nil {
-			return nil, fmt.Errorf("invalid port %q", portStr)
-		}
-		return connectMacTCP(port, token)
-	}
-
-	// Otherwise, assume we're running the cmd/tailscale binary from outside the
-	// App Sandbox.
 	port, token, err := LocalTCPPortAndToken()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to find local Tailscale daemon: %w", err)
 	}
 	return connectMacTCP(port, token)
 }
 
+// connectMacTCP creates an authenticated net.Conn to the local macOS Tailscale
+// daemon for used by the "IPN" JSON message bus protocol (Tailscale's original
+// local non-HTTP IPC protocol).
 func connectMacTCP(port int, token string) (net.Conn, error) {
 	c, err := net.Dial("tcp", "localhost:"+strconv.Itoa(port))
 	if err != nil {

shell.nix

@@ -14,8 +14,8 @@
 {
 	pkgs ? import <nixpkgs> {},
 	nixosUnstable ? import (fetchTarball https://github.com/NixOS/nixpkgs/archive/refs/heads/nixpkgs-unstable.tar.gz) { },
-	tailscale-go-rev ? "5ce3ec4d89c72f2a2b6f6f5089c950d7a6a33530",
-	tailscale-go-sha ? "sha256-KMOfzmikh30vEkViEkWUsOHczUifSTiRL6rhKQpHCRI=",
+	tailscale-go-rev ? "710a0d861098c07540ad073bb73a42ce81bf54a8",
+	tailscale-go-sha ? "sha256-hnyddxiyqMFHGwV3I4wkBcYNd56schYFi0SL5/0PnMI=",
 }:
 let
 	tailscale-go = pkgs.lib.overrideDerivation nixosUnstable.go_1_18 (attrs: rec {

ssh/tailssh/ctxreader.go

@@ -0,0 +1,112 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tailssh
+
+import (
+	"context"
+	"io"
+	"sync"
+
+	"tailscale.com/tempfork/gliderlabs/ssh"
+)
+
+// readResult is a result from a io.Reader.Read call,
+// as used by contextReader.
+type readResult struct {
+	buf []byte // ownership passed on chan send
+	err error
+}
+
+// contextReader wraps an io.Reader, providing a ReadContext method
+// that can be aborted before yielding bytes. If it's aborted, subsequent
+// reads can get those byte(s) later.
+type contextReader struct {
+	r io.Reader
+
+	// buffered is leftover data from a previous read call that wasn't entirely
+	// consumed.
+	buffered []byte
+	// readErr is a previous read error that was seen while filling buffered. It
+	// should be returned to the caller after bufffered is consumed.
+	readErr error
+
+	mu sync.Mutex // guards ch only
+
+	// ch is non-nil if a goroutine had been started and has a result to be
+	// read. The goroutine may be either still running or done and has
+	// send to the channel.
+	ch chan readResult
+}
+
+// HasOutstandingRead reports whether there's an oustanding Read call that's
+// either currently blocked in a Read or whose result hasn't been consumed.
+func (w *contextReader) HasOutstandingRead() bool {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	return w.ch != nil
+}
+
+func (w *contextReader) setChan(c chan readResult) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	w.ch = c
+}
+
+// ReadContext is like Read, but takes a context permitting the read to be canceled.
+//
+// If the context becomes done, the underlying Read call continues and its result
+// will be given to the next caller to ReadContext.
+func (w *contextReader) ReadContext(ctx context.Context, p []byte) (n int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+
+	n = copy(p, w.buffered)
+	if n > 0 {
+		w.buffered = w.buffered[n:]
+		if len(w.buffered) == 0 {
+			err = w.readErr
+		}
+		return n, err
+	}
+
+	if w.ch == nil {
+		ch := make(chan readResult, 1)
+		w.setChan(ch)
+		go func() {
+			rbuf := make([]byte, len(p))
+			n, err := w.r.Read(rbuf)
+			ch <- readResult{rbuf[:n], err}
+		}()
+	}
+
+	select {
+	case <-ctx.Done():
+		return 0, ctx.Err()
+	case rr := <-w.ch:
+		w.setChan(nil)
+		n = copy(p, rr.buf)
+		w.buffered = rr.buf[n:]
+		w.readErr = rr.err
+		if len(w.buffered) == 0 {
+			err = rr.err
+		}
+		return n, err
+	}
+}
+
+// contextReaderSesssion implements ssh.Session, wrapping another
+// ssh.Session but changing its Read method to use contextReader.
+type contextReaderSesssion struct {
+	ssh.Session
+	cr *contextReader
+}
+
+func (a contextReaderSesssion) Read(p []byte) (n int, err error) {
+	if a.cr.HasOutstandingRead() {
+		return a.cr.ReadContext(context.Background(), p)
+	}
+	return a.Session.Read(p)
+}

ssh/tailssh/incubator.go

@@ -2,10 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// This file contains the code for the incubator process.
-// Taiscaled launches the incubator as the same user as it was launched as.
-// The incbuator then registers a new session with the OS, sets its own UID to
-// the specified `--uid`` and then lauches the requested `--cmd`.
+// This file contains the code for the incubator process.  Taiscaled
+// launches the incubator as the same user as it was launched as.  The
+// incubator then registers a new session with the OS, sets its UID
+// and groups to the specified `--uid`, `--gid` and `--groups`, and
+// then lauches the requested `--cmd`.
 
 //go:build linux || (darwin && !ios)
 // +build linux darwin,!ios
@@ -13,7 +14,6 @@
 package tailssh
 
 import (
-	"context"
 	"errors"
 	"flag"
 	"fmt"
@@ -25,10 +25,12 @@ import (
 	"os/user"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"syscall"
 
 	"github.com/creack/pty"
+	"github.com/pkg/sftp"
 	"github.com/u-root/u-root/pkg/termios"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/sys/unix"
@@ -58,9 +60,29 @@ var maybeStartLoginSession = func(logf logger.Logf, uid uint32, localUser, remot
 //
 // If ss.srv.tailscaledPath is empty, this method is equivalent to
 // exec.CommandContext.
-func (ss *sshSession) newIncubatorCommand(ctx context.Context, name string, args []string) *exec.Cmd {
+func (ss *sshSession) newIncubatorCommand() *exec.Cmd {
+	var (
+		name   string
+		args   []string
+		isSFTP bool
+	)
+	switch ss.Subsystem() {
+	case "sftp":
+		isSFTP = true
+	case "":
+		name = loginShell(ss.conn.localUser.Uid)
+		if rawCmd := ss.RawCommand(); rawCmd != "" {
+			args = append(args, "-c", rawCmd)
+		} else {
+			args = append(args, "-l") // login shell
+		}
+	default:
+		panic(fmt.Sprintf("unexpected subsystem: %v", ss.Subsystem()))
+	}
+
 	if ss.conn.srv.tailscaledPath == "" {
-		return exec.CommandContext(ctx, name, args...)
+		// TODO(maisem): this doesn't work with sftp
+		return exec.CommandContext(ss.ctx, name, args...)
 	}
 	lu := ss.conn.localUser
 	ci := ss.conn.info
@@ -73,41 +95,66 @@ func (ss *sshSession) newIncubatorCommand(ctx context.Context, name string, args
 		"be-child",
 		"ssh",
 		"--uid=" + lu.Uid,
+		"--gid=" + lu.Gid,
+		"--groups=" + strings.Join(ss.conn.userGroupIDs, ","),
 		"--local-user=" + lu.Username,
 		"--remote-user=" + remoteUser,
 		"--remote-ip=" + ci.src.IP().String(),
-		"--cmd=" + name,
 		"--has-tty=false", // updated in-place by startWithPTY
 		"--tty-name=",     // updated in-place by startWithPTY
 	}
-	if len(args) > 0 {
-		incubatorArgs = append(incubatorArgs, "--")
-		incubatorArgs = append(incubatorArgs, args...)
-	}
 
-	return exec.CommandContext(ctx, ss.conn.srv.tailscaledPath, incubatorArgs...)
+	if isSFTP {
+		incubatorArgs = append(incubatorArgs, "--sftp")
+	} else {
+		incubatorArgs = append(incubatorArgs, "--cmd="+name)
+		if len(args) > 0 {
+			incubatorArgs = append(incubatorArgs, "--")
+			incubatorArgs = append(incubatorArgs, args...)
+		}
+	}
+	return exec.CommandContext(ss.ctx, ss.conn.srv.tailscaledPath, incubatorArgs...)
 }
 
 const debugIncubator = false
 
+type stdRWC struct{}
+
+func (stdRWC) Read(p []byte) (n int, err error) {
+	return os.Stdin.Read(p)
+}
+
+func (stdRWC) Write(b []byte) (n int, err error) {
+	return os.Stdout.Write(b)
+}
+
+func (stdRWC) Close() error {
+	os.Exit(0)
+	return nil
+}
+
 // beIncubator is the entrypoint to the `tailscaled be-child ssh` subcommand.
 // It is responsible for informing the system of a new login session for the user.
 // This is sometimes necessary for mounting home directories and decrypting file
 // systems.
 //
-// Taiscaled launches the incubator as the same user as it was launched as.
-// The incbuator then registers a new session with the OS, sets its own UID to
-// the specified `--uid`` and then lauches the requested `--cmd`.
+// Tailscaled launches the incubator as the same user as it was
+// launched as.  The incubator then registers a new session with the
+// OS, sets its UID and groups to the specified `--uid`, `--gid` and
+// `--groups` and then launches the requested `--cmd`.
 func beIncubator(args []string) error {
 	var (
 		flags      = flag.NewFlagSet("", flag.ExitOnError)
 		uid        = flags.Uint64("uid", 0, "the uid of local-user")
+		gid        = flags.Int("gid", 0, "the gid of local-user")
+		groups     = flags.String("groups", "", "comma-separated list of gids of local-user")
 		localUser  = flags.String("local-user", "", "the user to run as")
 		remoteUser = flags.String("remote-user", "", "the remote user/tags")
 		remoteIP   = flags.String("remote-ip", "", "the remote Tailscale IP")
 		ttyName    = flags.String("tty-name", "", "the tty name (pts/3)")
 		hasTTY     = flags.Bool("has-tty", false, "is the output attached to a tty")
-		cmdName    = flags.String("cmd", "", "the cmd to launch")
+		cmdName    = flags.String("cmd", "", "the cmd to launch (ignored in sftp mode)")
+		sftpMode   = flags.Bool("sftp", false, "run sftp server (cmd is ignored)")
 	)
 	if err := flags.Parse(args); err != nil {
 		return err
@@ -126,11 +173,28 @@ func beIncubator(args []string) error {
 	// Inform the system that we are about to log someone in.
 	// We can only do this if we are running as root.
 	// This is best effort to still allow running on machines where
-	// we don't support starting session, e.g. darwin.
+	// we don't support starting sessions, e.g. darwin.
 	sessionCloser, err := maybeStartLoginSession(logf, uint32(*uid), *localUser, *remoteUser, *remoteIP, *ttyName)
 	if err == nil && sessionCloser != nil {
 		defer sessionCloser()
 	}
+	var groupIDs []int
+	for _, g := range strings.Split(*groups, ",") {
+		gid, err := strconv.ParseInt(g, 10, 32)
+		if err != nil {
+			return err
+		}
+		groupIDs = append(groupIDs, int(gid))
+	}
+	if err := syscall.Setgroups(groupIDs); err != nil {
+		return err
+	}
+	if egid := os.Getegid(); egid != *gid {
+		if err := syscall.Setgid(int(*gid)); err != nil {
+			logf(err.Error())
+			os.Exit(1)
+		}
+	}
 	if euid != *uid {
 		// Switch users if required before starting the desired process.
 		if err := syscall.Setuid(int(*uid)); err != nil {
@@ -138,6 +202,15 @@ func beIncubator(args []string) error {
 			os.Exit(1)
 		}
 	}
+	if *sftpMode {
+		logf("handling sftp")
+
+		server, err := sftp.NewServer(stdRWC{})
+		if err != nil {
+			return err
+		}
+		return server.Serve()
+	}
 
 	cmd := exec.Command(*cmdName, cmdArgs...)
 	cmd.Stdin = os.Stdin
@@ -165,27 +238,24 @@ func beIncubator(args []string) error {
 // The caller can wait for the process to exit by calling cmd.Wait().
 //
 // It sets ss.cmd, stdin, stdout, and stderr.
-func (ss *sshSession) launchProcess(ctx context.Context) error {
-	shell := loginShell(ss.conn.localUser.Uid)
-	var args []string
-	if rawCmd := ss.RawCommand(); rawCmd != "" {
-		args = append(args, "-c", rawCmd)
-	} else {
-		args = append(args, "-l") // login shell
+func (ss *sshSession) launchProcess() error {
+	ss.cmd = ss.newIncubatorCommand()
+
+	cmd := ss.cmd
+	cmd.Dir = ss.conn.localUser.HomeDir
+	cmd.Env = append(cmd.Env, envForUser(ss.conn.localUser)...)
+	for _, kv := range ss.Environ() {
+		if acceptEnvPair(kv) {
+			cmd.Env = append(cmd.Env, kv)
+		}
 	}
 
 	ci := ss.conn.info
-	cmd := ss.newIncubatorCommand(ctx, shell, args)
-	cmd.Dir = ss.conn.localUser.HomeDir
-	cmd.Env = append(cmd.Env, envForUser(ss.conn.localUser)...)
-	cmd.Env = append(cmd.Env, ss.Environ()...)
 	cmd.Env = append(cmd.Env,
 		fmt.Sprintf("SSH_CLIENT=%s %d %d", ci.src.IP(), ci.src.Port(), ci.dst.Port()),
 		fmt.Sprintf("SSH_CONNECTION=%s %d %s %d", ci.src.IP(), ci.src.Port(), ci.dst.IP(), ci.dst.Port()),
 	)
 
-	ss.cmd = cmd
-
 	if ss.agentListener != nil {
 		cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_AUTH_SOCK=%s", ss.agentListener.Addr()))
 	}
@@ -217,7 +287,7 @@ func resizeWindow(f *os.File, winCh <-chan ssh.Window) {
 }
 
 // opcodeShortName is a mapping of SSH opcode
-// to mnemonic names expected by the termios packaage.
+// to mnemonic names expected by the termios package.
 // These are meant to be platform independent.
 var opcodeShortName = map[uint8]string{
 	gossh.VINTR:         "intr",
@@ -430,7 +500,7 @@ func loginShell(uid string) string {
 	if e := os.Getenv("SHELL"); e != "" {
 		return e
 	}
-	return "/bin/bash"
+	return "/bin/sh"
 }
 
 func envForUser(u *user.User) []string {
@@ -451,3 +521,14 @@ func updateStringInSlice(ss []string, a, b string) {
 		}
 	}
 }
+
+// acceptEnvPair reports whether the environment variable key=value pair
+// should be accepted from the client. It uses the same default as OpenSSH
+// AcceptEnv.
+func acceptEnvPair(kv string) bool {
+	k, _, ok := strings.Cut(kv, "=")
+	if !ok {
+		return false
+	}
+	return k == "TERM" || k == "LANG" || strings.HasPrefix(k, "LC_")
+}

ssh/tailssh/tailssh.go

@@ -37,9 +37,11 @@ import (
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/tsaddr"
+	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tempfork/gliderlabs/ssh"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/mak"
 )
 
 var (
@@ -118,10 +120,11 @@ type conn struct {
 	// purposes of rule evaluation.
 	now time.Time
 
-	action0   *tailcfg.SSHAction // first matching action
-	srv       *server
-	info      *sshConnInfo // set by setInfo
-	localUser *user.User   // set by checkAuth
+	action0      *tailcfg.SSHAction // first matching action
+	srv          *server
+	info         *sshConnInfo // set by setInfo
+	localUser    *user.User   // set by checkAuth
+	userGroupIDs []string     // set by checkAuth
 
 	insecureSkipTailscaleAuth bool // used by tests.
 }
@@ -191,6 +194,11 @@ func (c *conn) checkAuth(pubKey ssh.PublicKey) error {
 				Message: fmt.Sprintf("failed to lookup %v\r\n", localUser),
 			}
 		}
+		gids, err := lu.GroupIds()
+		if err != nil {
+			return err
+		}
+		c.userGroupIDs = gids
 		c.localUser = lu
 		return nil
 	}
@@ -221,10 +229,12 @@ func (c *conn) ServerConfig(ctx ssh.Context) *gossh.ServerConfig {
 func (srv *server) newConn() (*conn, error) {
 	c := &conn{srv: srv, now: srv.now()}
 	c.Server = &ssh.Server{
-		Version:           "Tailscale",
-		Handler:           c.handleConnPostSSHAuth,
-		RequestHandlers:   map[string]ssh.RequestHandler{},
-		SubsystemHandlers: map[string]ssh.SubsystemHandler{},
+		Version:         "Tailscale",
+		Handler:         c.handleConnPostSSHAuth,
+		RequestHandlers: map[string]ssh.RequestHandler{},
+		SubsystemHandlers: map[string]ssh.SubsystemHandler{
+			"sftp": c.handleConnPostSSHAuth,
+		},
 
 		// Note: the direct-tcpip channel handler and LocalPortForwardingCallback
 		// only adds support for forwarding ports from the local machine.
@@ -298,6 +308,9 @@ func (c *conn) havePubKeyPolicy(ci *sshConnInfo) bool {
 // if one is defined.
 func (c *conn) sshPolicy() (_ *tailcfg.SSHPolicy, ok bool) {
 	lb := c.srv.lb
+	if !lb.ShouldRunSSH() {
+		return nil, false
+	}
 	nm := lb.NetMap()
 	if nm == nil {
 		return nil, false
@@ -359,10 +372,8 @@ func (c *conn) setInfo(cm gossh.ConnMetadata) error {
 	return nil
 }
 
-// evaluatePolicy returns the SSHAction, sshConnInfo and localUser after
-// evaluating the sshUser and remoteAddr against the SSHPolicy. The remoteAddr
-// and localAddr params must be Tailscale IPs. The pubKey may be nil for "none"
-// auth.
+// evaluatePolicy returns the SSHAction and localUser after evaluating
+// the SSHPolicy for this conn. The pubKey may be nil for "none" auth.
 func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, _ error) {
 	pol, ok := c.sshPolicy()
 	if !ok {
@@ -465,7 +476,7 @@ func (srv *server) fetchPublicKeysURL(url string) ([]string, error) {
 
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
-	mapSet(&srv.fetchPublicKeysCache, url, pubKeyCacheEntry{
+	mak.Set(&srv.fetchPublicKeysCache, url, pubKeyCacheEntry{
 		at:    srv.now(),
 		lines: lines,
 		etag:  etag,
@@ -475,10 +486,11 @@ func (srv *server) fetchPublicKeysURL(url string) ([]string, error) {
 
 // handleConnPostSSHAuth runs an SSH session after the SSH-level authentication,
 // but not necessarily before all the Tailscale-level extra verification has
-// completed.
+// completed. It also handles SFTP requests.
 func (c *conn) handleConnPostSSHAuth(s ssh.Session) {
 	sshUser := s.User()
-	action, err := c.resolveTerminalAction(s)
+	cr := &contextReader{r: s}
+	action, err := c.resolveTerminalAction(s, cr)
 	if err != nil {
 		c.logf("resolveTerminalAction: %v", err)
 		io.WriteString(s.Stderr(), "Access Denied: failed during authorization check.\r\n")
@@ -491,6 +503,19 @@ func (c *conn) handleConnPostSSHAuth(s ssh.Session) {
 		return
 	}
 
+	if cr.HasOutstandingRead() {
+		s = contextReaderSesssion{s, cr}
+	}
+
+	// Do this check after auth, but before starting the session.
+	switch s.Subsystem() {
+	case "sftp", "":
+	default:
+		fmt.Fprintf(s.Stderr(), "Unsupported subsystem %q \r\n", s.Subsystem())
+		s.Exit(1)
+		return
+	}
+
 	ss := c.newSSHSession(s, action)
 	ss.logf("handling new SSH connection from %v (%v) to ssh-user %q", c.info.uprof.LoginName, c.info.src.IP(), sshUser)
 	ss.logf("access granted to %v as ssh-user %q", c.info.uprof.LoginName, sshUser)
@@ -503,8 +528,17 @@ func (c *conn) handleConnPostSSHAuth(s ssh.Session) {
 // Any action with a Message in the chain will be printed to s.
 //
 // The returned SSHAction will be either Reject or Accept.
-func (c *conn) resolveTerminalAction(s ssh.Session) (*tailcfg.SSHAction, error) {
+func (c *conn) resolveTerminalAction(s ssh.Session, cr *contextReader) (*tailcfg.SSHAction, error) {
 	action := c.action0
+
+	var awaitReadOnce sync.Once // to start Reads on cr
+	var sawInterrupt syncs.AtomicBool
+	var wg sync.WaitGroup
+	defer wg.Wait() // wait for awaitIntrOnce's goroutine to exit
+
+	ctx, cancel := context.WithCancel(s.Context())
+	defer cancel()
+
 	// Loop processing/fetching Actions until one reaches a
 	// terminal state (Accept, Reject, or invalid Action), or
 	// until fetchSSHAction times out due to the context being
@@ -522,10 +556,32 @@ func (c *conn) resolveTerminalAction(s ssh.Session) (*tailcfg.SSHAction, error)
 		if url == "" {
 			return nil, errors.New("reached Action that lacked Accept, Reject, and HoldAndDelegate")
 		}
+		awaitReadOnce.Do(func() {
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				buf := make([]byte, 1)
+				for {
+					n, err := cr.ReadContext(ctx, buf)
+					if err != nil {
+						return
+					}
+					if n > 0 && buf[0] == 0x03 { // Ctrl-C
+						sawInterrupt.Set(true)
+						s.Stderr().Write([]byte("Canceled.\r\n"))
+						s.Exit(1)
+						return
+					}
+				}
+			}()
+		})
 		url = c.expandDelegateURL(url)
 		var err error
-		action, err = c.fetchSSHAction(s.Context(), url)
+		action, err = c.fetchSSHAction(ctx, url)
 		if err != nil {
+			if sawInterrupt.Get() {
+				return nil, fmt.Errorf("aborted by user")
+			}
 			return nil, fmt.Errorf("fetching SSHAction from %s: %w", url, err)
 		}
 	}
@@ -675,7 +731,7 @@ func (c *conn) fetchSSHAction(ctx context.Context, url string) (*tailcfg.SSHActi
 // unless the process has already exited.
 func (ss *sshSession) killProcessOnContextDone() {
 	<-ss.ctx.Done()
-	// Either the process has already existed, in which case this does nothing.
+	// Either the process has already exited, in which case this does nothing.
 	// Or, the process is still running in which case this will kill it.
 	ss.exitOnce.Do(func() {
 		err := ss.ctx.Err()
@@ -686,6 +742,8 @@ func (ss *sshSession) killProcessOnContextDone() {
 			}
 		}
 		ss.logf("terminating SSH session from %v: %v", ss.conn.info.src.IP(), err)
+		// We don't need to Process.Wait here, sshSession.run() does
+		// the waiting regardless of termination reason.
 		ss.cmd.Process.Kill()
 	})
 }
@@ -714,8 +772,8 @@ func (srv *server) startSession(ss *sshSession) {
 	if _, dup := srv.activeSessionBySharedID[ss.sharedID]; dup {
 		panic("dup sharedID")
 	}
-	mapSet(&srv.activeSessionByH, ss.idH, ss)
-	mapSet(&srv.activeSessionBySharedID, ss.sharedID, ss)
+	mak.Set(&srv.activeSessionByH, ss.idH, ss)
+	mak.Set(&srv.activeSessionBySharedID, ss.sharedID, ss)
 }
 
 // endSession unregisters s from the list of active sessions.
@@ -729,7 +787,7 @@ func (srv *server) endSession(ss *sshSession) {
 var errSessionDone = errors.New("session is done")
 
 // handleSSHAgentForwarding starts a Unix socket listener and in the background
-// forwards agent connections between the listenr and the ssh.Session.
+// forwards agent connections between the listener and the ssh.Session.
 // On success, it assigns ss.agentListener.
 func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) error {
 	if !ssh.AgentRequested(ss) || !ss.action.AllowAgentForwarding {
@@ -756,10 +814,14 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) err
 	}
 	socket := ln.Addr().String()
 	dir := filepath.Dir(socket)
-	// Make sure the socket is accessible by the user.
+	// Make sure the socket is accessible only by the user.
+	if err := os.Chmod(socket, 0600); err != nil {
+		return err
+	}
 	if err := os.Chown(socket, int(uid), int(gid)); err != nil {
 		return err
 	}
+	// Make sure the dir is also accessible.
 	if err := os.Chmod(dir, 0755); err != nil {
 		return err
 	}
@@ -786,10 +848,10 @@ func (ss *sshSession) run() {
 
 	defer ss.ctx.CloseWithError(errSessionDone)
 
-	if ss.action.SesssionDuration != 0 {
-		t := time.AfterFunc(ss.action.SesssionDuration, func() {
+	if ss.action.SessionDuration != 0 {
+		t := time.AfterFunc(ss.action.SessionDuration, func() {
 			ss.ctx.CloseWithError(userVisibleError{
-				fmt.Sprintf("Session timeout of %v elapsed.", ss.action.SesssionDuration),
+				fmt.Sprintf("Session timeout of %v elapsed.", ss.action.SessionDuration),
 				context.DeadlineExceeded,
 			})
 		})
@@ -813,27 +875,29 @@ func (ss *sshSession) run() {
 	// See https://github.com/tailscale/tailscale/issues/4146
 	ss.DisablePTYEmulation()
 
-	if err := ss.handleSSHAgentForwarding(ss, lu); err != nil {
-		ss.logf("agent forwarding failed: %v", err)
-	} else if ss.agentListener != nil {
-		// TODO(maisem/bradfitz): add a way to close all session resources
-		defer ss.agentListener.Close()
-	}
-
 	var rec *recording // or nil if disabled
-	if ss.shouldRecord() {
-		var err error
-		rec, err = ss.startNewRecording()
-		if err != nil {
-			fmt.Fprintf(ss, "can't start new recording\r\n")
-			ss.logf("startNewRecording: %v", err)
-			ss.Exit(1)
-			return
+	if ss.Subsystem() != "sftp" {
+		if err := ss.handleSSHAgentForwarding(ss, lu); err != nil {
+			ss.logf("agent forwarding failed: %v", err)
+		} else if ss.agentListener != nil {
+			// TODO(maisem/bradfitz): add a way to close all session resources
+			defer ss.agentListener.Close()
+		}
+
+		if ss.shouldRecord() {
+			var err error
+			rec, err = ss.startNewRecording()
+			if err != nil {
+				fmt.Fprintf(ss, "can't start new recording\r\n")
+				ss.logf("startNewRecording: %v", err)
+				ss.Exit(1)
+				return
+			}
+			defer rec.Close()
 		}
-		defer rec.Close()
 	}
 
-	err := ss.launchProcess(ss.ctx)
+	err := ss.launchProcess()
 	if err != nil {
 		logf("start failed: %v", err.Error())
 		ss.Exit(1)
@@ -873,7 +937,6 @@ func (ss *sshSession) run() {
 	ss.exitOnce.Do(func() {})
 
 	if err == nil {
-		ss.logf("Wait: ok")
 		ss.Exit(0)
 		return
 	}
@@ -953,7 +1016,10 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg
 	if c.ruleExpired(r) {
 		return nil, "", errRuleExpired
 	}
-	if !r.Action.Reject || r.SSHUsers != nil {
+	if !r.Action.Reject {
+		// For all but Reject rules, SSHUsers is required.
+		// If SSHUsers is nil or empty, mapLocalUser will return an
+		// empty string anyway.
 		localUser = mapLocalUser(r.SSHUsers, c.info.sshUser)
 		if localUser == "" {
 			return nil, "", errUserMatch
@@ -1188,7 +1254,7 @@ func (w loggingWriter) Write(p []byte) (n int, err error) {
 	}
 	j = append(j, '\n')
 	if err := w.writeCastLine(j); err != nil {
-		return 0, nil
+		return 0, err
 	}
 	return w.w.Write(p)
 }
@@ -1223,11 +1289,3 @@ func envEq(a, b string) bool {
 	}
 	return a == b
 }
-
-// mapSet assigns m[k] = v, making m if necessary.
-func mapSet[K comparable, V any](m *map[K]V, k K, v V) {
-	if *m == nil {
-		*m = make(map[K]V)
-	}
-	(*m)[k] = v
-}

ssh/tailssh/tailssh_test.go

@@ -265,6 +265,8 @@ func TestSSH(t *testing.T) {
 
 	execSSH := func(args ...string) *exec.Cmd {
 		cmd := exec.Command("ssh",
+			"-F",
+			"none",
 			"-v",
 			"-p", fmt.Sprint(port),
 			"-o", "StrictHostKeyChecking=no",
@@ -431,3 +433,22 @@ func TestExpandPublicKeyURL(t *testing.T) {
 		t.Errorf("on empty: got %q; want %q", got, want)
 	}
 }
+
+func TestAcceptEnvPair(t *testing.T) {
+	tests := []struct {
+		in   string
+		want bool
+	}{
+		{"TERM=x", true},
+		{"term=x", false},
+		{"TERM", false},
+		{"LC_FOO=x", true},
+		{"LD_PRELOAD=naah", false},
+		{"TERM=screen-256color", true},
+	}
+	for _, tt := range tests {
+		if got := acceptEnvPair(tt.in); got != tt.want {
+			t.Errorf("for %q, got %v; want %v", tt.in, got, tt.want)
+		}
+	}
+}

tailcfg/tailcfg.go

@@ -4,11 +4,10 @@
 
 package tailcfg
 
-//go:generate go run tailscale.com/cmd/cloner --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode --clonefunc=true --output=tailcfg_clone.go
+//go:generate go run tailscale.com/cmd/viewer --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode --clonefunc
 
 import (
 	"encoding/hex"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"reflect"
@@ -20,7 +19,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
-	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
 )
 
@@ -477,132 +475,6 @@ type Hostinfo struct {
 	//       require changes to Hostinfo.Equal.
 }
 
-// View returns a read-only accessor for hi.
-func (hi *Hostinfo) View() HostinfoView { return HostinfoView{hi} }
-
-// HostinfoView is a read-only accessor for Hostinfo.
-// See Hostinfo.
-type HostinfoView struct {
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *Hostinfo
-}
-
-func (v HostinfoView) MarshalJSON() ([]byte, error) {
-	return json.Marshal(v.ж)
-}
-
-func (v *HostinfoView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("HostinfoView is already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	hi := &Hostinfo{}
-	if err := json.Unmarshal(b, hi); err != nil {
-		return err
-	}
-	v.ж = hi
-	return nil
-}
-
-// Valid reports whether the underlying value is not nil.
-func (v HostinfoView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a deep-copy of the underlying value.
-func (v HostinfoView) AsStruct() *Hostinfo { return v.ж.Clone() }
-
-func (v HostinfoView) IPNVersion() string         { return v.ж.IPNVersion }
-func (v HostinfoView) FrontendLogID() string      { return v.ж.FrontendLogID }
-func (v HostinfoView) BackendLogID() string       { return v.ж.BackendLogID }
-func (v HostinfoView) OS() string                 { return v.ж.OS }
-func (v HostinfoView) OSVersion() string          { return v.ж.OSVersion }
-func (v HostinfoView) Package() string            { return v.ж.Package }
-func (v HostinfoView) DeviceModel() string        { return v.ж.DeviceModel }
-func (v HostinfoView) Hostname() string           { return v.ж.Hostname }
-func (v HostinfoView) ShieldsUp() bool            { return v.ж.ShieldsUp }
-func (v HostinfoView) ShareeNode() bool           { return v.ж.ShareeNode }
-func (v HostinfoView) GoArch() string             { return v.ж.GoArch }
-func (v HostinfoView) Equal(v2 HostinfoView) bool { return v.ж.Equal(v2.ж) }
-
-func (v HostinfoView) RoutableIPs() views.IPPrefixSlice {
-	return views.IPPrefixSliceOf(v.ж.RoutableIPs)
-}
-
-func (v HostinfoView) RequestTags() views.Slice[string] {
-	return views.SliceOf(v.ж.RequestTags)
-}
-
-func (v HostinfoView) SSH_HostKeys() views.Slice[string] {
-	return views.SliceOf(v.ж.SSH_HostKeys)
-}
-
-func (v HostinfoView) Services() ServiceSlice {
-	return ServiceSliceOf(v.ж.Services)
-}
-
-func (v HostinfoView) NetInfo() NetInfoView { return v.ж.NetInfo.View() }
-
-// ServiceSlice is a read-only accessor for a slice of Services
-type ServiceSlice struct {
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж []Service
-}
-
-// ServiceSliceOf returns a ServiceSlice for the provided slice.
-func ServiceSliceOf(x []Service) ServiceSlice { return ServiceSlice{x} }
-
-// Len returns the length of the slice.
-func (v ServiceSlice) Len() int { return len(v.ж) }
-
-// At returns the Service at index `i` of the slice.
-func (v ServiceSlice) At(i int) Service { return v.ж[i] }
-
-// Append appends the underlying slice values to dst.
-func (v ServiceSlice) Append(dst []Service) []Service {
-	return append(dst, v.ж...)
-}
-
-// AsSlice returns a copy of underlying slice.
-func (v ServiceSlice) AsSlice() []Service {
-	return v.Append(v.ж[:0:0])
-}
-
-// NetInfoView is a read-only accessor for NetInfo.
-// See NetInfo.
-type NetInfoView struct {
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *NetInfo
-}
-
-// Valid reports whether the underlying value is not nil.
-func (v NetInfoView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a deep-copy of the underlying value.
-func (v NetInfoView) AsStruct() *NetInfo { return v.ж.Clone() }
-
-func (v NetInfoView) MappingVariesByDestIP() opt.Bool { return v.ж.MappingVariesByDestIP }
-func (v NetInfoView) HairPinning() opt.Bool           { return v.ж.HairPinning }
-func (v NetInfoView) WorkingIPv6() opt.Bool           { return v.ж.WorkingIPv6 }
-func (v NetInfoView) WorkingUDP() opt.Bool            { return v.ж.WorkingUDP }
-func (v NetInfoView) HavePortMap() bool               { return v.ж.HavePortMap }
-func (v NetInfoView) UPnP() opt.Bool                  { return v.ж.UPnP }
-func (v NetInfoView) PMP() opt.Bool                   { return v.ж.PMP }
-func (v NetInfoView) PCP() opt.Bool                   { return v.ж.PCP }
-func (v NetInfoView) PreferredDERP() int              { return v.ж.PreferredDERP }
-func (v NetInfoView) LinkType() string                { return v.ж.LinkType }
-func (v NetInfoView) String() string                  { return v.ж.String() }
-
-// DERPLatencyForEach calls fn for each value in the DERPLatency map.
-func (v NetInfoView) DERPLatencyForEach(fn func(k string, v float64)) {
-	for k, v := range v.ж.DERPLatency {
-		fn(k, v)
-	}
-}
-
 // NetInfo contains information about the host's network state.
 type NetInfo struct {
 	// MappingVariesByDestIP says whether the host's NAT mappings
@@ -659,6 +531,13 @@ type NetInfo struct {
 	// Update BasicallyEqual when adding fields.
 }
 
+// DERPLatencyForEach calls fn for each value in the DERPLatency map.
+func (v NetInfoView) DERPLatencyForEach(fn func(k string, v float64)) {
+	for k, v := range v.ж.DERPLatency {
+		fn(k, v)
+	}
+}
+
 func (ni *NetInfo) String() string {
 	if ni == nil {
 		return "NetInfo(nil)"
@@ -681,9 +560,6 @@ func (ni *NetInfo) portMapSummary() string {
 	return prefix + conciseOptBool(ni.UPnP, "U") + conciseOptBool(ni.PMP, "M") + conciseOptBool(ni.PCP, "C")
 }
 
-// View returns a read-only accessor for ni.
-func (ni *NetInfo) View() NetInfoView { return NetInfoView{ni} }
-
 func conciseOptBool(b opt.Bool, trueVal string) string {
 	if b == "" {
 		return "_"
@@ -1030,10 +906,6 @@ type MapRequest struct {
 	//       router but their IP forwarding is broken.
 	//     * "warn-router-unhealthy": client's Router implementation is
 	//       having problems.
-	//     * "v6-overlay": IPv6 development flag to have control send
-	//       v6 node addrs
-	//     * "minimize-netmap": have control minimize the netmap, removing
-	//       peers that are unreachable per ACLS.
 	DebugFlags []string `json:",omitempty"`
 }
 
@@ -1138,7 +1010,7 @@ var FilterAllowAll = []FilterRule{
 // DNSConfig is the DNS configuration.
 type DNSConfig struct {
 	// Resolvers are the DNS resolvers to use, in order of preference.
-	Resolvers []dnstype.Resolver `json:",omitempty"`
+	Resolvers []*dnstype.Resolver `json:",omitempty"`
 
 	// Routes maps DNS name suffixes to a set of DNS resolvers to
 	// use. It is used to implement "split DNS" and other advanced DNS
@@ -1150,13 +1022,13 @@ type DNSConfig struct {
 	// If the value is an empty slice, that means the suffix should still
 	// be handled by Tailscale's built-in resolver (100.100.100.100), such
 	// as for the purpose of handling ExtraRecords.
-	Routes map[string][]dnstype.Resolver `json:",omitempty"`
+	Routes map[string][]*dnstype.Resolver `json:",omitempty"`
 
 	// FallbackResolvers is like Resolvers, but is only used if a
 	// split DNS configuration is requested in a configuration that
 	// doesn't work yet without explicit default resolvers.
 	// https://github.com/tailscale/tailscale/issues/1743
-	FallbackResolvers []dnstype.Resolver `json:",omitempty"`
+	FallbackResolvers []*dnstype.Resolver `json:",omitempty"`
 	// Domains are the search domains to use.
 	// Search domains must be FQDNs, but *without* the trailing dot.
 	Domains []string `json:",omitempty"`
@@ -1221,6 +1093,19 @@ type DNSRecord struct {
 	Value string
 }
 
+// PingType is a string representing the kind of ping to perform.
+type PingType string
+
+const (
+	// PingDisco performs a ping, without involving IP at either end.
+	PingDisco PingType = "disco"
+	// PingTSMP performs a ping, using the IP layer, but avoiding the OS IP stack.
+	PingTSMP PingType = "TSMP"
+	// PingICMP performs a ping between two tailscale nodes using ICMP that is
+	// received by the target systems IP stack.
+	PingICMP PingType = "ICMP"
+)
+
 // PingRequest with no IP and Types is a request to send an HTTP request to prove the
 // long-polling client is still connected.
 // PingRequest with Types and IP, will send a ping to the IP and send a POST
@@ -1238,8 +1123,8 @@ type PingRequest struct {
 	// For failure cases, the client will log regardless.
 	Log bool `json:",omitempty"`
 
-	// Types is the types of ping that is initiated. Can be TSMP, ICMP or disco.
-	// Types will be comma separated, such as TSMP,disco.
+	// Types is the types of ping that are initiated. Can be any PingType, comma
+	// separated, e.g. "disco,TSMP"
 	Types string
 
 	// IP is the ping target.
@@ -1250,7 +1135,7 @@ type PingRequest struct {
 // PingResponse provides result information for a TSMP or Disco PingRequest.
 // Typically populated from an ipnstate.PingResult used in `tailscale ping`.
 type PingResponse struct {
-	Type string // ping type, such as TSMP or disco.
+	Type PingType // ping type, such as TSMP or disco.
 
 	IP       string `json:",omitempty"` // ping destination
 	NodeIP   string `json:",omitempty"` // Tailscale IP of node handling IP (different for subnet routers)
@@ -1595,6 +1480,8 @@ const (
 	// CapabilityDebugPeer grants the ability for a peer to read this node's
 	// goroutines, metrics, magicsock internal state, etc.
 	CapabilityDebugPeer = "https://tailscale.com/cap/debug-peer"
+	// CapabilityWakeOnLAN grants the ability to send a Wake-On-LAN packet.
+	CapabilityWakeOnLAN = "https://tailscale.com/cap/wake-on-lan"
 )
 
 // SetDNSRequest is a request to add a DNS record.
@@ -1730,9 +1617,9 @@ type SSHAction struct {
 	// without further prompts.
 	Accept bool `json:"accept,omitempty"`
 
-	// SesssionDuration, if non-zero, is how long the session can stay open
+	// SessionDuration, if non-zero, is how long the session can stay open
 	// before being forcefully terminated.
-	SesssionDuration time.Duration `json:"sessionDuration,omitempty"`
+	SessionDuration time.Duration `json:"sessionDuration,omitempty"`
 
 	// AllowAgentForwarding, if true, allows accepted connections to forward
 	// the ssh agent if requested.

tailcfg/tailcfg_clone.go

@@ -1,19 +1,19 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 // Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
-//go:generate go run tailscale.com/cmd/cloner -type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode -output=tailcfg_clone.go -clonefunc
 
 package tailcfg
 
 import (
+	"time"
+
 	"inet.af/netaddr"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
-	"time"
 )
 
 // Clone makes a deep copy of User.
@@ -193,19 +193,19 @@ func (src *DNSConfig) Clone() *DNSConfig {
 	}
 	dst := new(DNSConfig)
 	*dst = *src
-	dst.Resolvers = make([]dnstype.Resolver, len(src.Resolvers))
+	dst.Resolvers = make([]*dnstype.Resolver, len(src.Resolvers))
 	for i := range dst.Resolvers {
-		dst.Resolvers[i] = *src.Resolvers[i].Clone()
+		dst.Resolvers[i] = src.Resolvers[i].Clone()
 	}
 	if dst.Routes != nil {
-		dst.Routes = map[string][]dnstype.Resolver{}
+		dst.Routes = map[string][]*dnstype.Resolver{}
 		for k := range src.Routes {
-			dst.Routes[k] = append([]dnstype.Resolver{}, src.Routes[k]...)
+			dst.Routes[k] = append([]*dnstype.Resolver{}, src.Routes[k]...)
 		}
 	}
-	dst.FallbackResolvers = make([]dnstype.Resolver, len(src.FallbackResolvers))
+	dst.FallbackResolvers = make([]*dnstype.Resolver, len(src.FallbackResolvers))
 	for i := range dst.FallbackResolvers {
-		dst.FallbackResolvers[i] = *src.FallbackResolvers[i].Clone()
+		dst.FallbackResolvers[i] = src.FallbackResolvers[i].Clone()
 	}
 	dst.Domains = append(src.Domains[:0:0], src.Domains...)
 	dst.Nameservers = append(src.Nameservers[:0:0], src.Nameservers...)
@@ -217,9 +217,9 @@ func (src *DNSConfig) Clone() *DNSConfig {
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _DNSConfigCloneNeedsRegeneration = DNSConfig(struct {
-	Resolvers           []dnstype.Resolver
-	Routes              map[string][]dnstype.Resolver
-	FallbackResolvers   []dnstype.Resolver
+	Resolvers           []*dnstype.Resolver
+	Routes              map[string][]*dnstype.Resolver
+	FallbackResolvers   []*dnstype.Resolver
 	Domains             []string
 	Proxied             bool
 	Nameservers         []netaddr.IP

tailcfg/tailcfg_view.go

@@ -0,0 +1,748 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale/cmd/viewer; DO NOT EDIT.
+
+package tailcfg
+
+import (
+	"encoding/json"
+	"errors"
+	"time"
+
+	"inet.af/netaddr"
+	"tailscale.com/types/dnstype"
+	"tailscale.com/types/key"
+	"tailscale.com/types/opt"
+	"tailscale.com/types/structs"
+	"tailscale.com/types/views"
+)
+
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode
+
+// View returns a readonly view of User.
+func (p *User) View() UserView {
+	return UserView{ж: p}
+}
+
+// UserView provides a read-only view over User.
+//
+// Its methods should only be called if `Valid()` returns true.
+type UserView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *User
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v UserView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v UserView) AsStruct() *User {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v UserView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *UserView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x User
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v UserView) ID() UserID                   { return v.ж.ID }
+func (v UserView) LoginName() string            { return v.ж.LoginName }
+func (v UserView) DisplayName() string          { return v.ж.DisplayName }
+func (v UserView) ProfilePicURL() string        { return v.ж.ProfilePicURL }
+func (v UserView) Domain() string               { return v.ж.Domain }
+func (v UserView) Logins() views.Slice[LoginID] { return views.SliceOf(v.ж.Logins) }
+func (v UserView) Created() time.Time           { return v.ж.Created }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _UserViewNeedsRegeneration = User(struct {
+	ID            UserID
+	LoginName     string
+	DisplayName   string
+	ProfilePicURL string
+	Domain        string
+	Logins        []LoginID
+	Created       time.Time
+}{})
+
+// View returns a readonly view of Node.
+func (p *Node) View() NodeView {
+	return NodeView{ж: p}
+}
+
+// NodeView provides a read-only view over Node.
+//
+// Its methods should only be called if `Valid()` returns true.
+type NodeView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Node
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v NodeView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v NodeView) AsStruct() *Node {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v NodeView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *NodeView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x Node
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v NodeView) ID() NodeID                      { return v.ж.ID }
+func (v NodeView) StableID() StableNodeID          { return v.ж.StableID }
+func (v NodeView) Name() string                    { return v.ж.Name }
+func (v NodeView) User() UserID                    { return v.ж.User }
+func (v NodeView) Sharer() UserID                  { return v.ж.Sharer }
+func (v NodeView) Key() key.NodePublic             { return v.ж.Key }
+func (v NodeView) KeyExpiry() time.Time            { return v.ж.KeyExpiry }
+func (v NodeView) Machine() key.MachinePublic      { return v.ж.Machine }
+func (v NodeView) DiscoKey() key.DiscoPublic       { return v.ж.DiscoKey }
+func (v NodeView) Addresses() views.IPPrefixSlice  { return views.IPPrefixSliceOf(v.ж.Addresses) }
+func (v NodeView) AllowedIPs() views.IPPrefixSlice { return views.IPPrefixSliceOf(v.ж.AllowedIPs) }
+func (v NodeView) Endpoints() views.Slice[string]  { return views.SliceOf(v.ж.Endpoints) }
+func (v NodeView) DERP() string                    { return v.ж.DERP }
+func (v NodeView) Hostinfo() HostinfoView          { return v.ж.Hostinfo }
+func (v NodeView) Created() time.Time              { return v.ж.Created }
+func (v NodeView) Tags() views.Slice[string]       { return views.SliceOf(v.ж.Tags) }
+func (v NodeView) PrimaryRoutes() views.IPPrefixSlice {
+	return views.IPPrefixSliceOf(v.ж.PrimaryRoutes)
+}
+func (v NodeView) LastSeen() *time.Time {
+	if v.ж.LastSeen == nil {
+		return nil
+	}
+	x := *v.ж.LastSeen
+	return &x
+}
+
+func (v NodeView) Online() *bool {
+	if v.ж.Online == nil {
+		return nil
+	}
+	x := *v.ж.Online
+	return &x
+}
+
+func (v NodeView) KeepAlive() bool                   { return v.ж.KeepAlive }
+func (v NodeView) MachineAuthorized() bool           { return v.ж.MachineAuthorized }
+func (v NodeView) Capabilities() views.Slice[string] { return views.SliceOf(v.ж.Capabilities) }
+func (v NodeView) ComputedName() string              { return v.ж.ComputedName }
+func (v NodeView) ComputedNameWithHost() string      { return v.ж.ComputedNameWithHost }
+func (v NodeView) Equal(v2 NodeView) bool            { return v.ж.Equal(v2.ж) }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _NodeViewNeedsRegeneration = Node(struct {
+	ID                      NodeID
+	StableID                StableNodeID
+	Name                    string
+	User                    UserID
+	Sharer                  UserID
+	Key                     key.NodePublic
+	KeyExpiry               time.Time
+	Machine                 key.MachinePublic
+	DiscoKey                key.DiscoPublic
+	Addresses               []netaddr.IPPrefix
+	AllowedIPs              []netaddr.IPPrefix
+	Endpoints               []string
+	DERP                    string
+	Hostinfo                HostinfoView
+	Created                 time.Time
+	Tags                    []string
+	PrimaryRoutes           []netaddr.IPPrefix
+	LastSeen                *time.Time
+	Online                  *bool
+	KeepAlive               bool
+	MachineAuthorized       bool
+	Capabilities            []string
+	ComputedName            string
+	computedHostIfDifferent string
+	ComputedNameWithHost    string
+}{})
+
+// View returns a readonly view of Hostinfo.
+func (p *Hostinfo) View() HostinfoView {
+	return HostinfoView{ж: p}
+}
+
+// HostinfoView provides a read-only view over Hostinfo.
+//
+// Its methods should only be called if `Valid()` returns true.
+type HostinfoView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Hostinfo
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v HostinfoView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v HostinfoView) AsStruct() *Hostinfo {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v HostinfoView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *HostinfoView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x Hostinfo
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v HostinfoView) IPNVersion() string    { return v.ж.IPNVersion }
+func (v HostinfoView) FrontendLogID() string { return v.ж.FrontendLogID }
+func (v HostinfoView) BackendLogID() string  { return v.ж.BackendLogID }
+func (v HostinfoView) OS() string            { return v.ж.OS }
+func (v HostinfoView) OSVersion() string     { return v.ж.OSVersion }
+func (v HostinfoView) Desktop() opt.Bool     { return v.ж.Desktop }
+func (v HostinfoView) Package() string       { return v.ж.Package }
+func (v HostinfoView) DeviceModel() string   { return v.ж.DeviceModel }
+func (v HostinfoView) Hostname() string      { return v.ж.Hostname }
+func (v HostinfoView) ShieldsUp() bool       { return v.ж.ShieldsUp }
+func (v HostinfoView) ShareeNode() bool      { return v.ж.ShareeNode }
+func (v HostinfoView) GoArch() string        { return v.ж.GoArch }
+func (v HostinfoView) RoutableIPs() views.IPPrefixSlice {
+	return views.IPPrefixSliceOf(v.ж.RoutableIPs)
+}
+func (v HostinfoView) RequestTags() views.Slice[string]  { return views.SliceOf(v.ж.RequestTags) }
+func (v HostinfoView) Services() views.Slice[Service]    { return views.SliceOf(v.ж.Services) }
+func (v HostinfoView) NetInfo() NetInfoView              { return v.ж.NetInfo.View() }
+func (v HostinfoView) SSH_HostKeys() views.Slice[string] { return views.SliceOf(v.ж.SSH_HostKeys) }
+func (v HostinfoView) Equal(v2 HostinfoView) bool        { return v.ж.Equal(v2.ж) }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _HostinfoViewNeedsRegeneration = Hostinfo(struct {
+	IPNVersion    string
+	FrontendLogID string
+	BackendLogID  string
+	OS            string
+	OSVersion     string
+	Desktop       opt.Bool
+	Package       string
+	DeviceModel   string
+	Hostname      string
+	ShieldsUp     bool
+	ShareeNode    bool
+	GoArch        string
+	RoutableIPs   []netaddr.IPPrefix
+	RequestTags   []string
+	Services      []Service
+	NetInfo       *NetInfo
+	SSH_HostKeys  []string
+}{})
+
+// View returns a readonly view of NetInfo.
+func (p *NetInfo) View() NetInfoView {
+	return NetInfoView{ж: p}
+}
+
+// NetInfoView provides a read-only view over NetInfo.
+//
+// Its methods should only be called if `Valid()` returns true.
+type NetInfoView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *NetInfo
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v NetInfoView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v NetInfoView) AsStruct() *NetInfo {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v NetInfoView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *NetInfoView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x NetInfo
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v NetInfoView) MappingVariesByDestIP() opt.Bool { return v.ж.MappingVariesByDestIP }
+func (v NetInfoView) HairPinning() opt.Bool           { return v.ж.HairPinning }
+func (v NetInfoView) WorkingIPv6() opt.Bool           { return v.ж.WorkingIPv6 }
+func (v NetInfoView) WorkingUDP() opt.Bool            { return v.ж.WorkingUDP }
+func (v NetInfoView) HavePortMap() bool               { return v.ж.HavePortMap }
+func (v NetInfoView) UPnP() opt.Bool                  { return v.ж.UPnP }
+func (v NetInfoView) PMP() opt.Bool                   { return v.ж.PMP }
+func (v NetInfoView) PCP() opt.Bool                   { return v.ж.PCP }
+func (v NetInfoView) PreferredDERP() int              { return v.ж.PreferredDERP }
+func (v NetInfoView) LinkType() string                { return v.ж.LinkType }
+func (v NetInfoView) String() string                  { return v.ж.String() }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _NetInfoViewNeedsRegeneration = NetInfo(struct {
+	MappingVariesByDestIP opt.Bool
+	HairPinning           opt.Bool
+	WorkingIPv6           opt.Bool
+	WorkingUDP            opt.Bool
+	HavePortMap           bool
+	UPnP                  opt.Bool
+	PMP                   opt.Bool
+	PCP                   opt.Bool
+	PreferredDERP         int
+	LinkType              string
+	DERPLatency           map[string]float64
+}{})
+
+// View returns a readonly view of Login.
+func (p *Login) View() LoginView {
+	return LoginView{ж: p}
+}
+
+// LoginView provides a read-only view over Login.
+//
+// Its methods should only be called if `Valid()` returns true.
+type LoginView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Login
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v LoginView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v LoginView) AsStruct() *Login {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v LoginView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *LoginView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x Login
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v LoginView) ID() LoginID           { return v.ж.ID }
+func (v LoginView) Provider() string      { return v.ж.Provider }
+func (v LoginView) LoginName() string     { return v.ж.LoginName }
+func (v LoginView) DisplayName() string   { return v.ж.DisplayName }
+func (v LoginView) ProfilePicURL() string { return v.ж.ProfilePicURL }
+func (v LoginView) Domain() string        { return v.ж.Domain }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _LoginViewNeedsRegeneration = Login(struct {
+	_             structs.Incomparable
+	ID            LoginID
+	Provider      string
+	LoginName     string
+	DisplayName   string
+	ProfilePicURL string
+	Domain        string
+}{})
+
+// View returns a readonly view of DNSConfig.
+func (p *DNSConfig) View() DNSConfigView {
+	return DNSConfigView{ж: p}
+}
+
+// DNSConfigView provides a read-only view over DNSConfig.
+//
+// Its methods should only be called if `Valid()` returns true.
+type DNSConfigView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *DNSConfig
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v DNSConfigView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v DNSConfigView) AsStruct() *DNSConfig {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v DNSConfigView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *DNSConfigView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x DNSConfig
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v DNSConfigView) Resolvers() views.SliceView[*dnstype.Resolver, dnstype.ResolverView] {
+	return views.SliceOfViews[*dnstype.Resolver, dnstype.ResolverView](v.ж.Resolvers)
+}
+func (v DNSConfigView) FallbackResolvers() views.SliceView[*dnstype.Resolver, dnstype.ResolverView] {
+	return views.SliceOfViews[*dnstype.Resolver, dnstype.ResolverView](v.ж.FallbackResolvers)
+}
+func (v DNSConfigView) Domains() views.Slice[string]         { return views.SliceOf(v.ж.Domains) }
+func (v DNSConfigView) Proxied() bool                        { return v.ж.Proxied }
+func (v DNSConfigView) Nameservers() views.Slice[netaddr.IP] { return views.SliceOf(v.ж.Nameservers) }
+func (v DNSConfigView) PerDomain() bool                      { return v.ж.PerDomain }
+func (v DNSConfigView) CertDomains() views.Slice[string]     { return views.SliceOf(v.ж.CertDomains) }
+func (v DNSConfigView) ExtraRecords() views.Slice[DNSRecord] { return views.SliceOf(v.ж.ExtraRecords) }
+func (v DNSConfigView) ExitNodeFilteredSet() views.Slice[string] {
+	return views.SliceOf(v.ж.ExitNodeFilteredSet)
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _DNSConfigViewNeedsRegeneration = DNSConfig(struct {
+	Resolvers           []*dnstype.Resolver
+	Routes              map[string][]*dnstype.Resolver
+	FallbackResolvers   []*dnstype.Resolver
+	Domains             []string
+	Proxied             bool
+	Nameservers         []netaddr.IP
+	PerDomain           bool
+	CertDomains         []string
+	ExtraRecords        []DNSRecord
+	ExitNodeFilteredSet []string
+}{})
+
+// View returns a readonly view of RegisterResponse.
+func (p *RegisterResponse) View() RegisterResponseView {
+	return RegisterResponseView{ж: p}
+}
+
+// RegisterResponseView provides a read-only view over RegisterResponse.
+//
+// Its methods should only be called if `Valid()` returns true.
+type RegisterResponseView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *RegisterResponse
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v RegisterResponseView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v RegisterResponseView) AsStruct() *RegisterResponse {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v RegisterResponseView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *RegisterResponseView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x RegisterResponse
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v RegisterResponseView) User() UserView          { return v.ж.User.View() }
+func (v RegisterResponseView) Login() Login            { return v.ж.Login }
+func (v RegisterResponseView) NodeKeyExpired() bool    { return v.ж.NodeKeyExpired }
+func (v RegisterResponseView) MachineAuthorized() bool { return v.ж.MachineAuthorized }
+func (v RegisterResponseView) AuthURL() string         { return v.ж.AuthURL }
+func (v RegisterResponseView) Error() string           { return v.ж.Error }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _RegisterResponseViewNeedsRegeneration = RegisterResponse(struct {
+	User              User
+	Login             Login
+	NodeKeyExpired    bool
+	MachineAuthorized bool
+	AuthURL           string
+	Error             string
+}{})
+
+// View returns a readonly view of DERPRegion.
+func (p *DERPRegion) View() DERPRegionView {
+	return DERPRegionView{ж: p}
+}
+
+// DERPRegionView provides a read-only view over DERPRegion.
+//
+// Its methods should only be called if `Valid()` returns true.
+type DERPRegionView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *DERPRegion
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v DERPRegionView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v DERPRegionView) AsStruct() *DERPRegion {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v DERPRegionView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *DERPRegionView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x DERPRegion
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v DERPRegionView) RegionID() int      { return v.ж.RegionID }
+func (v DERPRegionView) RegionCode() string { return v.ж.RegionCode }
+func (v DERPRegionView) RegionName() string { return v.ж.RegionName }
+func (v DERPRegionView) Avoid() bool        { return v.ж.Avoid }
+func (v DERPRegionView) Nodes() views.SliceView[*DERPNode, DERPNodeView] {
+	return views.SliceOfViews[*DERPNode, DERPNodeView](v.ж.Nodes)
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _DERPRegionViewNeedsRegeneration = DERPRegion(struct {
+	RegionID   int
+	RegionCode string
+	RegionName string
+	Avoid      bool
+	Nodes      []*DERPNode
+}{})
+
+// View returns a readonly view of DERPMap.
+func (p *DERPMap) View() DERPMapView {
+	return DERPMapView{ж: p}
+}
+
+// DERPMapView provides a read-only view over DERPMap.
+//
+// Its methods should only be called if `Valid()` returns true.
+type DERPMapView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *DERPMap
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v DERPMapView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v DERPMapView) AsStruct() *DERPMap {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v DERPMapView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *DERPMapView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x DERPMap
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v DERPMapView) OmitDefaultRegions() bool { return v.ж.OmitDefaultRegions }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _DERPMapViewNeedsRegeneration = DERPMap(struct {
+	Regions            map[int]*DERPRegion
+	OmitDefaultRegions bool
+}{})
+
+// View returns a readonly view of DERPNode.
+func (p *DERPNode) View() DERPNodeView {
+	return DERPNodeView{ж: p}
+}
+
+// DERPNodeView provides a read-only view over DERPNode.
+//
+// Its methods should only be called if `Valid()` returns true.
+type DERPNodeView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *DERPNode
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v DERPNodeView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v DERPNodeView) AsStruct() *DERPNode {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v DERPNodeView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *DERPNodeView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x DERPNode
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v DERPNodeView) Name() string           { return v.ж.Name }
+func (v DERPNodeView) RegionID() int          { return v.ж.RegionID }
+func (v DERPNodeView) HostName() string       { return v.ж.HostName }
+func (v DERPNodeView) CertName() string       { return v.ж.CertName }
+func (v DERPNodeView) IPv4() string           { return v.ж.IPv4 }
+func (v DERPNodeView) IPv6() string           { return v.ж.IPv6 }
+func (v DERPNodeView) STUNPort() int          { return v.ж.STUNPort }
+func (v DERPNodeView) STUNOnly() bool         { return v.ж.STUNOnly }
+func (v DERPNodeView) DERPPort() int          { return v.ж.DERPPort }
+func (v DERPNodeView) InsecureForTests() bool { return v.ж.InsecureForTests }
+func (v DERPNodeView) STUNTestIP() string     { return v.ж.STUNTestIP }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _DERPNodeViewNeedsRegeneration = DERPNode(struct {
+	Name             string
+	RegionID         int
+	HostName         string
+	CertName         string
+	IPv4             string
+	IPv6             string
+	STUNPort         int
+	STUNOnly         bool
+	DERPPort         int
+	InsecureForTests bool
+	STUNTestIP       string
+}{})

tsnet/tsnet.go

@@ -75,6 +75,7 @@ type Server struct {
 	hostname         string
 	shutdownCtx      context.Context
 	shutdownCancel   context.CancelFunc
+	localClient      *tailscale.LocalClient
 
 	mu        sync.Mutex
 	listeners map[listenKey]*listener
@@ -90,6 +91,17 @@ func (s *Server) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return s.dialer.UserDial(ctx, network, address)
 }
 
+// LocalClient returns a LocalClient that speaks to s.
+//
+// It will start the server if it has not been started yet. If the server's
+// already been started successfully, it doesn't return an error.
+func (s *Server) LocalClient() (*tailscale.LocalClient, error) {
+	if err := s.Start(); err != nil {
+		return nil, err
+	}
+	return s.localClient, nil
+}
+
 // Start connects the server to the tailnet.
 // Optional: any calls to Dial/Listen will also call Start.
 func (s *Server) Start() error {
@@ -105,6 +117,7 @@ func (s *Server) Close() error {
 	s.shutdownCancel()
 	s.lb.Shutdown()
 	s.linkMon.Close()
+	s.dialer.Close()
 	s.localAPIListener.Close()
 
 	s.mu.Lock()
@@ -137,8 +150,9 @@ func (s *Server) start() error {
 	}
 
 	s.rootPath = s.Dir
-	if s.Store != nil && !s.Ephemeral {
-		if _, ok := s.Store.(*mem.Store); !ok {
+	if s.Store != nil {
+		_, isMemStore := s.Store.(*mem.Store)
+		if isMemStore && !s.Ephemeral {
 			return fmt.Errorf("in-memory store is only supported for Ephemeral nodes")
 		}
 	}
@@ -182,12 +196,12 @@ func (s *Server) start() error {
 		return err
 	}
 
-	tunDev, magicConn, ok := eng.(wgengine.InternalsGetter).GetInternals()
+	tunDev, magicConn, dns, ok := eng.(wgengine.InternalsGetter).GetInternals()
 	if !ok {
 		return fmt.Errorf("%T is not a wgengine.InternalsGetter", eng)
 	}
 
-	ns, err := netstack.Create(logf, tunDev, eng, magicConn, s.dialer)
+	ns, err := netstack.Create(logf, tunDev, eng, magicConn, s.dialer, dns)
 	if err != nil {
 		return fmt.Errorf("netstack.Create: %w", err)
 	}
@@ -259,9 +273,7 @@ func (s *Server) start() error {
 	// TODO(maisem): Rename nettest package to remove "test".
 	lal := nettest.Listen("local-tailscaled.sock:80")
 	s.localAPIListener = lal
-
-	// Override the Tailscale client to use the in-process listener.
-	tailscale.TailscaledDialer = lal.Dial
+	s.localClient = &tailscale.LocalClient{Dial: lal.Dial}
 	go func() {
 		if err := http.Serve(lal, lah); err != nil {
 			logf("localapi serve error: %v", err)

tstest/integration/tailscaled_deps_test_windows.go

@@ -13,6 +13,7 @@ import (
 	// process and can cache a prior success when a dependency changes.
 	_ "golang.org/x/sys/windows"
 	_ "golang.org/x/sys/windows/svc"
+	_ "golang.org/x/sys/windows/svc/eventlog"
 	_ "golang.org/x/sys/windows/svc/mgr"
 	_ "golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	_ "inet.af/netaddr"

tstest/integration/vms/distros.go

@@ -6,6 +6,7 @@ package vms
 
 import (
 	_ "embed"
+	"encoding/json"
 	"log"
 
 	"github.com/tailscale/hujson"
@@ -53,10 +54,12 @@ var distroData string
 
 var Distros []Distro = func() []Distro {
 	var result []Distro
-	err := hujson.Unmarshal([]byte(distroData), &result)
+	b, err := hujson.Standardize([]byte(distroData))
 	if err != nil {
 		log.Fatalf("error decoding distros: %v", err)
 	}
-
+	if err := json.Unmarshal(b, &result); err != nil {
+		log.Fatalf("error decoding distros: %v", err)
+	}
 	return result
 }()

tstest/integration/vms/harness_test.go

@@ -64,7 +64,7 @@ func newHarness(t *testing.T) *Harness {
 			// TODO: this is wrong.
 			// It is also only one of many configurations.
 			// Figure out how to scale it up.
-			Resolvers:    []dnstype.Resolver{{Addr: "100.100.100.100"}, {Addr: "8.8.8.8"}},
+			Resolvers:    []*dnstype.Resolver{{Addr: "100.100.100.100"}, {Addr: "8.8.8.8"}},
 			Domains:      []string{"record"},
 			Proxied:      true,
 			ExtraRecords: []tailcfg.DNSRecord{{Name: "extratest.record", Type: "A", Value: "1.2.3.4"}},

tsweb/jsonhandler.go

@@ -1,157 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tsweb
-
-import (
-	"bytes"
-	"compress/gzip"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"strconv"
-	"strings"
-	"sync"
-
-	"go4.org/mem"
-)
-
-type response struct {
-	Status string `json:"status"`
-	Error  string `json:"error,omitempty"`
-	Data   any    `json:"data,omitempty"`
-}
-
-// JSONHandlerFunc is an HTTP ReturnHandler that writes JSON responses to the client.
-//
-// Return a HTTPError to show an error message, otherwise JSONHandlerFunc will
-// only report "internal server error" to the user with status code 500.
-type JSONHandlerFunc func(r *http.Request) (status int, data any, err error)
-
-// ServeHTTPReturn implements the ReturnHandler interface.
-//
-// Use the following code to unmarshal the request body
-//
-//	body := new(DataType)
-//	if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-//	  return http.StatusBadRequest, nil, err
-//	}
-//
-// See jsonhandler_test.go for examples.
-func (fn JSONHandlerFunc) ServeHTTPReturn(w http.ResponseWriter, r *http.Request) error {
-	w.Header().Set("Content-Type", "application/json")
-	var resp *response
-	status, data, err := fn(r)
-	if err != nil {
-		if werr, ok := err.(HTTPError); ok {
-			resp = &response{
-				Status: "error",
-				Error:  werr.Msg,
-				Data:   data,
-			}
-			// Unwrap the HTTPError here because we are communicating with
-			// the client in this handler. We don't want the wrapping
-			// ReturnHandler to do it too.
-			err = werr.Err
-			if werr.Msg != "" {
-				err = fmt.Errorf("%s: %w", werr.Msg, err)
-			}
-			// take status from the HTTPError to encourage error handling in one location
-			if status != 0 && status != werr.Code {
-				err = fmt.Errorf("[unexpected] non-zero status that does not match HTTPError status, status: %d, HTTPError.code: %d: %w", status, werr.Code, err)
-			}
-			status = werr.Code
-		} else {
-			status = http.StatusInternalServerError
-			resp = &response{
-				Status: "error",
-				Error:  "internal server error",
-			}
-		}
-	} else if status == 0 {
-		status = http.StatusInternalServerError
-		resp = &response{
-			Status: "error",
-			Error:  "internal server error",
-		}
-	} else if err == nil {
-		resp = &response{
-			Status: "success",
-			Data:   data,
-		}
-	}
-
-	b, jerr := json.Marshal(resp)
-	if jerr != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		w.Write([]byte(`{"status":"error","error":"json marshal error"}`))
-		if err != nil {
-			return fmt.Errorf("%w, and then we could not respond: %v", err, jerr)
-		}
-		return jerr
-	}
-
-	if AcceptsEncoding(r, "gzip") {
-		encb, err := gzipBytes(b)
-		if err != nil {
-			return err
-		}
-		w.Header().Set("Content-Encoding", "gzip")
-		w.Header().Set("Content-Length", strconv.Itoa(len(encb)))
-		w.WriteHeader(status)
-		w.Write(encb)
-	} else {
-		w.Header().Set("Content-Length", strconv.Itoa(len(b)))
-		w.WriteHeader(status)
-		w.Write(b)
-	}
-	return err
-}
-
-var gzWriterPool sync.Pool // of *gzip.Writer
-
-// gzipBytes returns the gzipped encoding of b.
-func gzipBytes(b []byte) (zb []byte, err error) {
-	var buf bytes.Buffer
-	zw, ok := gzWriterPool.Get().(*gzip.Writer)
-	if ok {
-		zw.Reset(&buf)
-	} else {
-		zw = gzip.NewWriter(&buf)
-	}
-	defer gzWriterPool.Put(zw)
-	if _, err := zw.Write(b); err != nil {
-		return nil, err
-	}
-	if err := zw.Close(); err != nil {
-		return nil, err
-	}
-	zb = buf.Bytes()
-	zw.Reset(ioutil.Discard)
-	return zb, nil
-}
-
-// AcceptsEncoding reports whether r accepts the named encoding
-// ("gzip", "br", etc).
-func AcceptsEncoding(r *http.Request, enc string) bool {
-	h := r.Header.Get("Accept-Encoding")
-	if h == "" {
-		return false
-	}
-	if !strings.Contains(h, enc) && !mem.ContainsFold(mem.S(h), mem.S(enc)) {
-		return false
-	}
-	remain := h
-	for len(remain) > 0 {
-		var part string
-		part, remain, _ = strings.Cut(remain, ",")
-		part = strings.TrimSpace(part)
-		part, _, _ = strings.Cut(part, ";")
-		if part == enc {
-			return true
-		}
-	}
-	return false
-}

tsweb/jsonhandler_test.go

@@ -1,307 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tsweb
-
-import (
-	"bytes"
-	"compress/gzip"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-)
-
-type Data struct {
-	Name  string
-	Price int
-}
-
-type Response struct {
-	Status string
-	Error  string
-	Data   *Data
-}
-
-func TestNewJSONHandler(t *testing.T) {
-	checkStatus := func(t *testing.T, w *httptest.ResponseRecorder, status string, code int) *Response {
-		d := &Response{
-			Data: &Data{},
-		}
-
-		bodyBytes := w.Body.Bytes()
-		if w.Result().Header.Get("Content-Encoding") == "gzip" {
-			zr, err := gzip.NewReader(bytes.NewReader(bodyBytes))
-			if err != nil {
-				t.Fatalf("gzip read error at start: %v", err)
-			}
-			bodyBytes, err = io.ReadAll(zr)
-			if err != nil {
-				t.Fatalf("gzip read error: %v", err)
-			}
-		}
-
-		t.Logf("%s", bodyBytes)
-		err := json.Unmarshal(bodyBytes, d)
-		if err != nil {
-			t.Logf(err.Error())
-			return nil
-		}
-
-		if d.Status == status {
-			t.Logf("ok: %s", d.Status)
-		} else {
-			t.Fatalf("wrong status: got: %s, want: %s", d.Status, status)
-		}
-
-		if w.Code != code {
-			t.Fatalf("wrong status code: got: %d, want: %d", w.Code, code)
-		}
-
-		if w.Header().Get("Content-Type") != "application/json" {
-			t.Fatalf("wrong content type: %s", w.Header().Get("Content-Type"))
-		}
-
-		return d
-	}
-
-	h21 := JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-		return http.StatusOK, nil, nil
-	})
-
-	t.Run("200 simple", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("GET", "/", nil)
-		h21.ServeHTTPReturn(w, r)
-		checkStatus(t, w, "success", http.StatusOK)
-	})
-
-	t.Run("403 HTTPError", func(t *testing.T) {
-		h := JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-			return 0, nil, Error(http.StatusForbidden, "forbidden", nil)
-		})
-
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("GET", "/", nil)
-		h.ServeHTTPReturn(w, r)
-		checkStatus(t, w, "error", http.StatusForbidden)
-	})
-
-	h22 := JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-		return http.StatusOK, &Data{Name: "tailscale"}, nil
-	})
-
-	t.Run("200 get data", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("GET", "/", nil)
-		h22.ServeHTTPReturn(w, r)
-		checkStatus(t, w, "success", http.StatusOK)
-	})
-
-	h31 := JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-		body := new(Data)
-		if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-			return 0, nil, Error(http.StatusBadRequest, err.Error(), err)
-		}
-
-		if body.Name == "" {
-			return 0, nil, Error(http.StatusBadRequest, "name is empty", nil)
-		}
-
-		return http.StatusOK, nil, nil
-	})
-	t.Run("200 post data", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Name": "tailscale"}`))
-		h31.ServeHTTPReturn(w, r)
-		checkStatus(t, w, "success", http.StatusOK)
-	})
-
-	t.Run("400 bad json", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{`))
-		h31.ServeHTTPReturn(w, r)
-		checkStatus(t, w, "error", http.StatusBadRequest)
-	})
-
-	t.Run("400 post data error", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{}`))
-		h31.ServeHTTPReturn(w, r)
-		resp := checkStatus(t, w, "error", http.StatusBadRequest)
-		if resp.Error != "name is empty" {
-			t.Fatalf("wrong error")
-		}
-	})
-
-	h32 := JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-		body := new(Data)
-		if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-			return 0, nil, Error(http.StatusBadRequest, err.Error(), err)
-		}
-		if body.Name == "root" {
-			return 0, nil, fmt.Errorf("invalid name")
-		}
-		if body.Price == 0 {
-			return 0, nil, Error(http.StatusBadRequest, "price is empty", nil)
-		}
-
-		return http.StatusOK, &Data{Price: body.Price * 2}, nil
-	})
-
-	t.Run("200 post data", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Price": 10}`))
-		h32.ServeHTTPReturn(w, r)
-		resp := checkStatus(t, w, "success", http.StatusOK)
-		t.Log(resp.Data)
-		if resp.Data.Price != 20 {
-			t.Fatalf("wrong price: %d %d", resp.Data.Price, 10)
-		}
-	})
-
-	t.Run("gzipped", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Price": 10}`))
-		r.Header.Set("Accept-Encoding", "gzip")
-		h32.ServeHTTPReturn(w, r)
-		res := w.Result()
-		if ct := res.Header.Get("Content-Encoding"); ct != "gzip" {
-			t.Fatalf("encoding = %q; want gzip", ct)
-		}
-		resp := checkStatus(t, w, "success", http.StatusOK)
-		t.Log(resp.Data)
-		if resp.Data.Price != 20 {
-			t.Fatalf("wrong price: %d %d", resp.Data.Price, 10)
-		}
-	})
-
-	t.Run("gzipped_400", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Price": 10}`))
-		r.Header.Set("Accept-Encoding", "gzip")
-		value := []string{"foo", "foo", "foo"}
-		JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-			return 400, value, nil
-		}).ServeHTTPReturn(w, r)
-		res := w.Result()
-		if ct := res.Header.Get("Content-Encoding"); ct != "gzip" {
-			t.Fatalf("encoding = %q; want gzip", ct)
-		}
-		if res.StatusCode != 400 {
-			t.Errorf("Status = %v; want 400", res.StatusCode)
-		}
-	})
-
-	t.Run("400 post data error", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{}`))
-		h32.ServeHTTPReturn(w, r)
-		resp := checkStatus(t, w, "error", http.StatusBadRequest)
-		if resp.Error != "price is empty" {
-			t.Fatalf("wrong error")
-		}
-	})
-
-	t.Run("500 internal server error (unspecified error, not of type HTTPError)", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Name": "root"}`))
-		h32.ServeHTTPReturn(w, r)
-		resp := checkStatus(t, w, "error", http.StatusInternalServerError)
-		if resp.Error != "internal server error" {
-			t.Fatalf("wrong error")
-		}
-	})
-
-	t.Run("500 misuse", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", nil)
-		JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-			return http.StatusOK, make(chan int), nil
-		}).ServeHTTPReturn(w, r)
-		resp := checkStatus(t, w, "error", http.StatusInternalServerError)
-		if resp.Error != "json marshal error" {
-			t.Fatalf("wrong error")
-		}
-	})
-
-	t.Run("500 empty status code", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", nil)
-		JSONHandlerFunc(func(r *http.Request) (status int, data any, err error) {
-			return
-		}).ServeHTTPReturn(w, r)
-		checkStatus(t, w, "error", http.StatusInternalServerError)
-	})
-
-	t.Run("403 forbidden, status returned by JSONHandlerFunc and HTTPError agree", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", nil)
-		JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-			return http.StatusForbidden, nil, Error(http.StatusForbidden, "403 forbidden", nil)
-		}).ServeHTTPReturn(w, r)
-		want := &Response{
-			Status: "error",
-			Data:   &Data{},
-			Error:  "403 forbidden",
-		}
-		got := checkStatus(t, w, "error", http.StatusForbidden)
-		if diff := cmp.Diff(want, got); diff != "" {
-			t.Fatalf(diff)
-		}
-	})
-
-	t.Run("403 forbidden, status returned by JSONHandlerFunc and HTTPError do not agree", func(t *testing.T) {
-		w := httptest.NewRecorder()
-		r := httptest.NewRequest("POST", "/", nil)
-		err := JSONHandlerFunc(func(r *http.Request) (int, any, error) {
-			return http.StatusInternalServerError, nil, Error(http.StatusForbidden, "403 forbidden", nil)
-		}).ServeHTTPReturn(w, r)
-		if !strings.HasPrefix(err.Error(), "[unexpected]") {
-			t.Fatalf("returned error should have `[unexpected]` to note the disagreeing status codes: %v", err)
-		}
-		want := &Response{
-			Status: "error",
-			Data:   &Data{},
-			Error:  "403 forbidden",
-		}
-		got := checkStatus(t, w, "error", http.StatusForbidden)
-		if diff := cmp.Diff(want, got); diff != "" {
-			t.Fatalf("(-want,+got):\n%s", diff)
-		}
-	})
-}
-
-func TestAcceptsEncoding(t *testing.T) {
-	tests := []struct {
-		in, enc string
-		want    bool
-	}{
-		{"", "gzip", false},
-		{"gzip", "gzip", true},
-		{"foo,gzip", "gzip", true},
-		{"foo, gzip", "gzip", true},
-		{"foo, gzip ", "gzip", true},
-		{"gzip, foo ", "gzip", true},
-		{"gzip, foo ", "br", false},
-		{"gzip, foo ", "fo", false},
-		{"gzip;q=1.2, foo ", "gzip", true},
-		{" gzip;q=1.2, foo ", "gzip", true},
-	}
-	for i, tt := range tests {
-		h := make(http.Header)
-		if tt.in != "" {
-			h.Set("Accept-Encoding", tt.in)
-		}
-		got := AcceptsEncoding(&http.Request{Header: h}, tt.enc)
-		if got != tt.want {
-			t.Errorf("%d. got %v; want %v", i, got, tt.want)
-		}
-	}
-}

tsweb/tsweb.go

@@ -24,6 +24,7 @@ import (
 	"strings"
 	"time"
 
+	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/metrics"
@@ -87,6 +88,30 @@ func AllowDebugAccess(r *http.Request) bool {
 	return false
 }
 
+
+// AcceptsEncoding reports whether r accepts the named encoding
+// ("gzip", "br", etc).
+func AcceptsEncoding(r *http.Request, enc string) bool {
+	h := r.Header.Get("Accept-Encoding")
+	if h == "" {
+		return false
+	}
+	if !strings.Contains(h, enc) && !mem.ContainsFold(mem.S(h), mem.S(enc)) {
+		return false
+	}
+	remain := h
+	for len(remain) > 0 {
+		var part string
+		part, remain, _ = strings.Cut(remain, ",")
+		part = strings.TrimSpace(part)
+		part, _, _ = strings.Cut(part, ";")
+		if part == enc {
+			return true
+		}
+	}
+	return false
+}
+
 // Protected wraps a provided debug handler, h, returning a Handler
 // that enforces AllowDebugAccess and returns forbidden replies for
 // unauthorized requests.