control/controlclient: finish wiring up PingRequest TSMP support

Most of the code existed already but wasn't connected between two spots.

Updates tailscale/corp#754

Change-Id: I41c3386c4194bdcaabf4ce6b96eb6499ec0a513c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

.github/workflows/cross-android.yml

@@ -1,53 +0,0 @@
-name: Android-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Android build cmd
-      env:
-        GOOS: android
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: Android build tests (does not run tests)
-      env:
-        GOOS: android
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -run '^$' -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

client/tailscale/apitype/apitype.go

@@ -11,9 +11,6 @@ import "tailscale.com/tailcfg"
 type WhoIsResponse struct {
 	Node        *tailcfg.Node
 	UserProfile *tailcfg.UserProfile
-
-	// Caps are extra capabilities that the remote Node has to this node.
-	Caps []string `json:",omitempty"`
 }
 
 // FileTarget is a node to which files can be sent, and the PeerAPI

client/tailscale/tailscale.go

@@ -381,21 +381,6 @@ func CheckIPForwarding(ctx context.Context) error {
 	return nil
 }
 
-// CheckPrefs validates the provided preferences, without making any changes.
-//
-// The CLI uses this before a Start call to fail fast if the preferences won't
-// work. Currently (2022-04-18) this only checks for SSH server compatibility.
-// Note that EditPrefs does the same validation as this, so call CheckPrefs before
-// EditPrefs is not necessary.
-func CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
-	pj, err := json.Marshal(p)
-	if err != nil {
-		return err
-	}
-	_, err = send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
-	return err
-}
-
 func GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
 	body, err := get200(ctx, "/localapi/v0/prefs")
 	if err != nil {

cmd/nginx-auth/README.md

@@ -117,32 +117,10 @@ header.
 
 The `Tailscale-Tailnet` header can help you identify which tailnet the session
 is coming from. If you are using node sharing, this can help you make sure that
-you aren't giving administrative access to people outside your tailnet.
-
-### Allow Requests From Only One Tailnet
-
-If you want to prevent node sharing from allowing users to access a service, add
-the `Expected-Tailnet` header to your auth request:
-
-```nginx
-location /auth {
-  # ...
-  proxy_set_header Expected-Tailnet "tailscale.com";
-}
-```
-
-If a user from a different tailnet tries to use that service, this will return a
-generic "forbidden" error page:
-
-```html
-<html>
-<head><title>403 Forbidden</title></head>
-<body>
-<center><h1>403 Forbidden</h1></center>
-<hr><center>nginx/1.18.0 (Ubuntu)</center>
-</body>
-</html>
-```
+you aren't giving administrative access to people outside your tailnet. You will
+need to be sure to check this in your application code. If you use OpenResty,
+you may be able to do more complicated access controls than you can with NGINX
+alone.
 
 ## Building
 

cmd/nginx-auth/deb/postinst.sh

@@ -1,14 +0,0 @@
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-	  deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
-	  if deb-systemd-helper --quiet was-enabled 'tailscale.nginx-auth.socket'; then
-		    deb-systemd-helper enable 'tailscale.nginx-auth.socket' >/dev/null || true
-	  else
-		    deb-systemd-helper update-state 'tailscale.nginx-auth.socket' >/dev/null || true
-	  fi
-
-    if systemctl is-active tailscale.nginx-auth.socket >/dev/null; then
-        systemctl --system daemon-reload >/dev/null || true
-        deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
-        deb-systemd-invoke restart 'tailscale.nginx-auth.socket' >/dev/null || true
-    fi
-fi

cmd/nginx-auth/deb/postrm.sh

@@ -1,19 +0,0 @@
-#!/bin/sh
-set -e
-if [ -d /run/systemd/system ] ; then
-	  systemctl --system daemon-reload >/dev/null || true
-fi
-
-if [ -x "/usr/bin/deb-systemd-helper" ]; then
-    if [ "$1" = "remove" ]; then
-		    deb-systemd-helper mask 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper mask 'tailscale.nginx-auth.service' >/dev/null || true
-	  fi
-
-    if [ "$1" = "purge" ]; then
-		    deb-systemd-helper purge 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper purge 'tailscale.nginx-auth.service' >/dev/null || true
-		    deb-systemd-helper unmask 'tailscale.nginx-auth.service' >/dev/null || true
-	  fi
-fi

cmd/nginx-auth/deb/prerm.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-if [ "$1" = "remove" ]; then
-	  if [ -d /run/systemd/system ]; then
-		    deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
-		    deb-systemd-invoke stop 'tailscale.nginx-auth.socket' >/dev/null || true
-	  fi
-fi

cmd/nginx-auth/mkdeb.sh

@@ -4,28 +4,20 @@ set -e
 
 CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .
 
-VERSION=0.1.1
-
 mkpkg \
-    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
+    --out tailscale-nginx-auth-0.1.0-amd64.deb \
     --name=tailscale-nginx-auth \
-    --version=${VERSION} \
-    --type=deb \
+    --version=0.1.0 \
+    --type=deb\
     --arch=amd64 \
-    --postinst=deb/postinst.sh \
-    --postrm=deb/postrm.sh \
-    --prerm=deb/prerm.sh \
     --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service
 
 mkpkg \
-    --out=tailscale-nginx-auth-${VERSION}-amd64.rpm \
+    --out tailscale-nginx-auth-0.1.0-amd64.rpm \
     --name=tailscale-nginx-auth \
-    --version=${VERSION} \
+    --version=0.1.0 \
     --type=rpm \
     --arch=amd64 \
-    --postinst=rpm/postinst.sh \
-    --postrm=rpm/postrm.sh \
-    --prerm=rpm/prerm.sh \
     --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service

cmd/nginx-auth/nginx-auth.go

@@ -17,7 +17,6 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
-	"net/url"
 	"os"
 	"strings"
 
@@ -76,12 +75,6 @@ func main() {
 			return
 		}
 
-		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
-			w.WriteHeader(http.StatusForbidden)
-			log.Printf("user is part of tailnet %s, wanted: %s", tailnet, url.QueryEscape(expectedTailnet))
-			return
-		}
-
 		h := w.Header()
 		h.Set("Tailscale-Login", strings.Split(info.UserProfile.LoginName, "@")[0])
 		h.Set("Tailscale-User", info.UserProfile.LoginName)

cmd/nginx-auth/rpm/postrm.sh

@@ -1,9 +0,0 @@
-# $1 == 0 for uninstallation.
-# $1 == 1 for removing old package during upgrade.
-
-systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
-    # Package upgrade, not uninstall
-    systemctl stop tailscale.nginx-auth.service >/dev/null 2>&1 || :
-    systemctl try-restart tailscale.nginx-auth.socket >/dev/null 2>&1 || :
-fi

cmd/nginx-auth/rpm/prerm.sh

@@ -1,9 +0,0 @@
-# $1 == 0 for uninstallation.
-# $1 == 1 for removing old package during upgrade.
-
-if [ $1 -eq 0 ] ; then
-    # Package removal, not upgrade
-    systemctl --no-reload disable tailscale.nginx-auth.socket > /dev/null 2>&1 || :
-    systemctl stop tailscale.nginx-auth.socket > /dev/null 2>&1 || :
-    systemctl stop tailscale.nginx-auth.service > /dev/null 2>&1 || :
-fi

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -86,12 +86,11 @@ func main() {
 			for i := 0; i < 60; i++ {
 				st, err := tailscale.Status(context.Background())
 				if err != nil {
-					log.Printf("error retrieving tailscale status; retrying: %v", err)
-				} else {
-					log.Printf("tailscale status: %v", st.BackendState)
-					if st.BackendState == "Running" {
-						break
-					}
+					log.Fatal(err)
+				}
+				log.Printf("tailscale status: %v", st.BackendState)
+				if st.BackendState == "Running" {
+					break
 				}
 				time.Sleep(time.Second)
 			}

cmd/tailscale/cli/debug.go

@@ -8,7 +8,6 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -22,11 +21,9 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
-	"tailscale.com/net/tsaddr"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 )
@@ -109,11 +106,6 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
-		{
-			Name:      "via",
-			Exec:      runVia,
-			ShortHelp: "convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
-		},
 	},
 }
 
@@ -356,46 +348,3 @@ func runDaemonMetrics(ctx context.Context, args []string) error {
 		time.Sleep(time.Second)
 	}
 }
-
-func runVia(ctx context.Context, args []string) error {
-	switch len(args) {
-	default:
-		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
-	case 1:
-		ipp, err := netaddr.ParseIPPrefix(args[0])
-		if err != nil {
-			return err
-		}
-		if !ipp.IP().Is6() {
-			return errors.New("with one argument, expect an IPv6 CIDR")
-		}
-		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
-			return errors.New("not a via route")
-		}
-		if ipp.Bits() < 96 {
-			return errors.New("short length, want /96 or more")
-		}
-		v4 := tsaddr.UnmapVia(ipp.IP())
-		a := ipp.IP().As16()
-		siteID := binary.BigEndian.Uint32(a[8:12])
-		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
-	case 2:
-		siteID, err := strconv.ParseUint(args[0], 0, 32)
-		if err != nil {
-			return fmt.Errorf("invalid site-id %q; must be decimal or hex with 0x prefix", args[0])
-		}
-		if siteID > 0xff {
-			return fmt.Errorf("site-id values over 255 are currently reserved")
-		}
-		ipp, err := netaddr.ParseIPPrefix(args[1])
-		if err != nil {
-			return err
-		}
-		via, err := tsaddr.MapVia(uint32(siteID), ipp)
-		if err != nil {
-			return err
-		}
-		fmt.Println(via)
-	}
-	return nil
-}

cmd/tailscale/cli/ssh.go

@@ -79,13 +79,9 @@ func runSSH(ctx context.Context, args []string) error {
 	argv := append([]string{
 		ssh,
 
-		// Only trust SSH hosts that we know about.
 		"-o", fmt.Sprintf("UserKnownHostsFile %s",
 			shellescape.Quote(knownHostsFile),
 		),
-		"-o", "UpdateHostKeys no",
-		"-o", "StrictHostKeyChecking yes",
-
 		"-o", fmt.Sprintf("ProxyCommand %s --socket=%s nc %%h %%p",
 			shellescape.Quote(tailscaleBin),
 			shellescape.Quote(rootArgs.socket),

cmd/tailscale/cli/up.go

@@ -25,6 +25,7 @@ import (
 	qrcode "github.com/skip2/go-qrcode"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -99,7 +100,9 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
-	upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
+	if envknob.UseWIPCode() || inTest() {
+		upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
+	}
 	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
 	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
@@ -592,10 +595,6 @@ func runUp(ctx context.Context, args []string) error {
 			return err
 		}
 	} else {
-		if err := tailscale.CheckPrefs(ctx, prefs); err != nil {
-			return err
-		}
-
 		authKey, err := upArgs.getAuthKey()
 		if err != nil {
 			return err

cmd/tailscaled/depaware.txt

@@ -231,7 +231,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
         tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
+  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/wgengine/netstack
         tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh

cmd/tailscaled/ssh.go

@@ -1,12 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux || darwin
-// +build linux darwin
-
-package main
-
-// Force registration of tailssh with LocalBackend.
-import _ "tailscale.com/ssh/tailssh"
-

control/controlclient/direct.go

@@ -34,7 +34,6 @@ import (
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
-	"tailscale.com/logtail"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
@@ -896,9 +895,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 				c.logf("exiting process with status %v per controlplane", *code)
 				os.Exit(*code)
 			}
-			if resp.Debug.DisableLogTail {
-				logtail.Disable()
-			}
 			if resp.Debug.LogHeapPprof {
 				go logheap.LogHeap(resp.Debug.LogHeapURL)
 			}
@@ -1196,13 +1192,8 @@ func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinge
 	}
 	for _, t := range strings.Split(pr.Types, ",") {
 		switch t {
-		case "TSMP", "disco":
-			go doPingerPing(logf, c, pr, pinger, t)
-		// TODO(tailscale/corp#754)
-		// case "host":
-		// case "peerapi":
-		default:
-			logf("unsupported ping request type: %q", t)
+		case "TSMP":
+			go tsmpPing(logf, c, pr, pinger)
 		}
 	}
 }
@@ -1398,27 +1389,26 @@ func (c *Direct) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	return nc.Do(req)
 }
 
-// doPingerPing sends a Ping to pr.IP using pinger, and sends an http request back to
-// pr.URL with ping response data.
-func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger, pingType string) {
+// tsmpPing sends a Ping to pr.IP, and sends an http request back to pr.URL
+// with ping response data.
+func tsmpPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) {
 	if pr.URL == "" || pr.IP.IsZero() || pinger == nil {
-		logf("invalid ping request: missing url, ip or pinger")
 		return
 	}
 	start := time.Now()
-	pinger.Ping(pr.IP, pingType == "TSMP", func(res *ipnstate.PingResult) {
+	pinger.Ping(pr.IP, true, func(res *ipnstate.PingResult) {
 		// Currently does not check for error since we just return if it fails.
-		postPingResult(start, logf, c, pr, res.ToPingResponse(pingType))
+		postPingResult(start, logf, c, pr, res)
 	})
 }
 
-func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *tailcfg.PingResponse) error {
-	duration := time.Since(start)
+func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *ipnstate.PingResult) error {
+	duration := time.Since(start).Round(time.Millisecond)
 	if pr.Log {
 		if res.Err == "" {
-			logf("ping to %v completed in %v. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration)
+			logf("TSMP ping to %v completed in %v. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration)
 		} else {
-			logf("ping to %v failed after %v: %v", pr.IP, duration, res.Err)
+			logf("TSMP ping to %v failed after %v: %v", pr.IP, duration, res.Err)
 		}
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
@@ -1434,7 +1424,7 @@ func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailc
 		return fmt.Errorf("http.NewRequestWithContext(%q): %w", pr.URL, err)
 	}
 	if pr.Log {
-		logf("postPingResult: sending ping results to %v ...", pr.URL)
+		logf("tsmpPing: sending ping results to %v ...", pr.URL)
 	}
 	t0 := time.Now()
 	_, err = c.Do(req)

control/controlclient/direct_test.go

@@ -113,8 +113,7 @@ func TestTsmpPing(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	pingRes := &tailcfg.PingResponse{
-		Type:     "TSMP",
+	pingRes := &ipnstate.PingResult{
 		IP:       "123.456.7890",
 		Err:      "",
 		NodeName: "testnode",

derp/derphttp/derphttp_client.go

@@ -538,17 +538,12 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 	return tls.Client(nc, tlsConf)
 }
 
-// DialRegionTLS returns a TLS connection to a DERP node in the given region.
-//
-// DERP nodes for a region are tried in sequence according to their order
-// in the DERP map. TLS is initiated on the first node where a socket is
-// established.
-func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, node *tailcfg.DERPNode, err error) {
+func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, err error) {
 	tcpConn, node, err := c.dialRegion(ctx, reg)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
-	done := make(chan bool) // unbuffered
+	done := make(chan bool) // unbufferd
 	defer close(done)
 
 	tlsConn = c.tlsClient(tcpConn, node)
@@ -561,13 +556,13 @@ func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tl
 	}()
 	err = tlsConn.Handshake()
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
 	select {
 	case done <- true:
-		return tlsConn, tcpConn, node, nil
+		return tlsConn, tcpConn, nil
 	case <-ctx.Done():
-		return nil, nil, nil, ctx.Err()
+		return nil, nil, ctx.Err()
 	}
 }
 

envknob/envknob.go

@@ -149,9 +149,3 @@ func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }
 // if already enabled and any attempt to re-enable it will result in
 // an error.
 func CanSSHD() bool { return !Bool("TS_DISABLE_SSH_SERVER") }
-
-// SSHPolicyFile returns the path, if any, to the SSHPolicy JSON file for development.
-func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
-
-// SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
-func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }

go.mod

@@ -14,7 +14,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.21.0
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.17.1
 	github.com/coreos/go-iptables v0.6.0
-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/creack/pty v1.1.17
 	github.com/dave/jennifer v1.4.1
 	github.com/frankban/quicktest v1.14.0
@@ -40,7 +39,7 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f
+	github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
@@ -49,10 +48,10 @@ require (
 	github.com/u-root/u-root v0.8.0
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	go4.org/mem v0.0.0-20210711025021-927187094b94
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
+	golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
+	golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11-0.20220413170336-afc6aad76eb1
@@ -106,6 +105,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/charithe/durationcheck v0.0.9 // indirect
 	github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af // indirect
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf // indirect
 	github.com/daixiang0/gci v0.2.9 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/denis-tingajkin/go-header v0.4.2 // indirect
@@ -252,7 +252,7 @@ require (
 	golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect

go.sum

@@ -1067,8 +1067,8 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f h1:3CuODoSnBXS+ZkQlGakDqtX1o2RteR1870yF+dS61PY=
-github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf h1:+DSoknr7gaiW2LlViX6+ko8TBdxTLkvOBbIWQtYyMaE=
+github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83 h1:f7nwzdAHTUUOJjHZuDvLz9CEAlUM228amCRvwzlPvsA=
@@ -1227,8 +1227,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA=
-golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064 h1:S25/rfnfsMVgORT4/J61MJ7rdyseOZOyvLIrZEZ7s6s=
+golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1478,8 +1478,8 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f h1:8w7RhxzTVgUzw/AH/9mUV5q0vMgy40SQRursCcfmkCw=
+golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
@@ -1617,9 +1617,8 @@ golang.org/x/tools v0.1.11-0.20220413170336-afc6aad76eb1/go.mod h1:Uh6Zz+xoGYZom
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f h1:GGU+dLjvlC3qDwqYgL6UgRmHXhOOgns0bZu2Ty5mm6U=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=

go.toolchain.rev

@@ -1 +1 @@
-710a0d861098c07540ad073bb73a42ce81bf54a8
+5ce3ec4d89c72f2a2b6f6f5089c950d7a6a33530

hostinfo/hostinfo.go

@@ -17,14 +17,11 @@ import (
 
 	"go4.org/mem"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/lineread"
 	"tailscale.com/version"
 )
 
-var started = time.Now()
-
 // New returns a partially populated Hostinfo for the current host.
 func New() *tailcfg.Hostinfo {
 	hostname, _ := os.Hostname()
@@ -34,7 +31,6 @@ func New() *tailcfg.Hostinfo {
 		Hostname:    hostname,
 		OS:          version.OS(),
 		OSVersion:   GetOSVersion(),
-		Desktop:     desktop(),
 		Package:     packageTypeCached(),
 		GoArch:      runtime.GOARCH,
 		DeviceModel: deviceModel(),
@@ -101,7 +97,6 @@ func GetEnvType() EnvType {
 var (
 	deviceModelAtomic atomic.Value // of string
 	osVersionAtomic   atomic.Value // of string
-	desktopAtomic     atomic.Value // of opt.Bool
 	packagingType     atomic.Value // of string
 )
 
@@ -122,31 +117,6 @@ func deviceModel() string {
 	return s
 }
 
-func desktop() (ret opt.Bool) {
-	if runtime.GOOS != "linux" {
-		return opt.Bool("")
-	}
-	if v := desktopAtomic.Load(); v != nil {
-		v, _ := v.(opt.Bool)
-		return v
-	}
-
-	seenDesktop := false
-	lineread.File("/proc/net/unix", func(line []byte) error {
-		seenDesktop = seenDesktop || mem.Contains(mem.B(line), mem.S(" @/tmp/dbus-"))
-		seenDesktop = seenDesktop || mem.Contains(mem.B(line), mem.S(".X11-unix"))
-		seenDesktop = seenDesktop || mem.Contains(mem.B(line), mem.S("/wayland-1"))
-		return nil
-	})
-	ret.Set(seenDesktop)
-
-	// Only cache after a minute - compositors might not have started yet.
-	if time.Since(started) > time.Minute {
-		desktopAtomic.Store(ret)
-	}
-	return ret
-}
-
 func getEnvType() EnvType {
 	if inKnative() {
 		return KNative

ipn/ipnlocal/dnsconfig_test.go

@@ -259,10 +259,10 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			want: &dns.Config{
 				Hosts: map[dnsname.FQDN][]netaddr.IP{},
 				DefaultResolvers: []dnstype.Resolver{
-					{Addr: "8.8.8.8"},
+					{Addr: "8.8.8.8:53"},
 				},
 				Routes: map[dnsname.FQDN][]dnstype.Resolver{
-					"foo.com.": {{Addr: "1.2.3.4"}},
+					"foo.com.": {{Addr: "1.2.3.4:53"}},
 				},
 			},
 		},
@@ -283,7 +283,7 @@ func TestDNSConfigForNetmap(t *testing.T) {
 				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
 				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
 				DefaultResolvers: []dnstype.Resolver{
-					{Addr: "8.8.4.4"},
+					{Addr: "8.8.4.4:53"},
 				},
 			},
 		},

ipn/ipnlocal/local.go

@@ -73,25 +73,6 @@ func getControlDebugFlags() []string {
 	return nil
 }
 
-// SSHServer is the interface of the conditionally linked ssh/tailssh.server.
-type SSHServer interface {
-	HandleSSHConn(net.Conn) error
-
-	// OnPolicyChange is called when the SSH access policy changes,
-	// so that existing sessions can be re-evaluated for validity
-	// and closed if they'd no longer be accepted.
-	OnPolicyChange()
-}
-
-type newSSHServerFunc func(logger.Logf, *LocalBackend) (SSHServer, error)
-
-var newSSHServer newSSHServerFunc // or nil
-
-// RegisterNewSSHServer lets the conditionally linked ssh/tailssh package register itself.
-func RegisterNewSSHServer(fn newSSHServerFunc) {
-	newSSHServer = fn
-}
-
 // LocalBackend is the glue between the major pieces of the Tailscale
 // network software: the cloud control plane (via controlclient), the
 // network data plane (via wgengine), and the user-facing UIs and CLIs
@@ -122,14 +103,14 @@ type LocalBackend struct {
 	newDecompressor       func() (controlclient.Decompressor, error)
 	varRoot               string // or empty if SetVarRoot never called
 	sshAtomicBool         syncs.AtomicBool
-	sshServer             SSHServer // or nil
+
+	filterHash deephash.Sum
 
 	filterAtomic            atomic.Value // of *filter.Filter
 	containsViaIPFuncAtomic atomic.Value // of func(netaddr.IP) bool
 
 	// The mutex protects the following elements.
 	mu             sync.Mutex
-	filterHash     deephash.Sum
 	httpTestClient *http.Client // for controlclient. nil by default, used by tests.
 	ccGen          clientGen    // function for producing controlclient; lazily populated
 	notify         func(ipn.Notify)
@@ -224,12 +205,6 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 		gotPortPollRes: make(chan struct{}),
 		loginFlags:     loginFlags,
 	}
-	if newSSHServer != nil {
-		b.sshServer, err = newSSHServer(logf, b)
-		if err != nil {
-			return nil, fmt.Errorf("newSSHServer: %w", err)
-		}
-	}
 
 	// Default filter blocks everything and logs nothing, until Start() is called.
 	b.setFilter(filter.NewAllowNone(logf, &netaddr.IPSet{}))
@@ -320,7 +295,7 @@ func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {
 
 	// If the local network configuration has changed, our filter may
 	// need updating to tweak default routes.
-	b.updateFilterLocked(b.netMap, b.prefs)
+	b.updateFilter(b.netMap, b.prefs)
 
 	if peerAPIListenAsync && b.netMap != nil && b.state == ipn.Running {
 		want := len(b.netMap.Addresses)
@@ -344,7 +319,6 @@ func (b *LocalBackend) onHealthChange(sys health.Subsystem, err error) {
 func (b *LocalBackend) Shutdown() {
 	b.mu.Lock()
 	cc := b.cc
-	b.closePeerAPIListenersLocked()
 	b.mu.Unlock()
 
 	b.unregisterLinkMon()
@@ -531,30 +505,6 @@ func (b *LocalBackend) WhoIs(ipp netaddr.IPPort) (n *tailcfg.Node, u tailcfg.Use
 	return n, u, true
 }
 
-// PeerCaps returns the capabilities that remote src IP has to
-// ths current node.
-func (b *LocalBackend) PeerCaps(src netaddr.IP) []string {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.netMap == nil {
-		return nil
-	}
-	filt, ok := b.filterAtomic.Load().(*filter.Filter)
-	if !ok {
-		return nil
-	}
-	for _, a := range b.netMap.Addresses {
-		if !a.IsSingleIP() {
-			continue
-		}
-		dstIP := a.IP()
-		if dstIP.BitLen() == src.BitLen() {
-			return filt.AppendCaps(nil, src, a.IP())
-		}
-	}
-	return nil
-}
-
 // SetDecompressor sets a decompression function, which must be a zstd
 // reader.
 //
@@ -666,9 +616,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	if prefsChanged {
 		prefs = b.prefs.Clone()
 	}
-	if st.NetMap != nil {
-		b.updateFilterLocked(st.NetMap, prefs)
-	}
+
 	b.mu.Unlock()
 
 	// Now complete the lock-free parts of what we started while locked.
@@ -690,6 +638,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 			}
 		}
 
+		b.updateFilter(st.NetMap, prefs)
 		b.e.SetNetworkMap(st.NetMap)
 		b.e.SetDERPMap(st.NetMap.DERPMap)
 
@@ -974,9 +923,10 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 
 	b.setNetMapLocked(nil)
 	persistv := b.prefs.Persist
-	b.updateFilterLocked(nil, nil)
 	b.mu.Unlock()
 
+	b.updateFilter(nil, nil)
+
 	if b.portpoll != nil {
 		b.portpollOnce.Do(func() {
 			go b.portpoll.Run(b.ctx)
@@ -1074,11 +1024,9 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	return nil
 }
 
-// updateFilterLocked updates the packet filter in wgengine based on the
+// updateFilter updates the packet filter in wgengine based on the
 // given netMap and user preferences.
-//
-// b.mu must be held.
-func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.Prefs) {
+func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs) {
 	// NOTE(danderson): keep change detection as the first thing in
 	// this function. Don't try to optimize by returning early, more
 	// likely than not you'll just end up breaking the change
@@ -1134,12 +1082,8 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.
 	}
 	localNets, _ := localNetsB.IPSet()
 	logNets, _ := logNetsB.IPSet()
-	var sshPol tailcfg.SSHPolicy
-	if haveNetmap && netMap.SSHPolicy != nil {
-		sshPol = *netMap.SSHPolicy
-	}
 
-	changed := deephash.Update(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp, sshPol)
+	changed := deephash.Update(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
 	if !changed {
 		return
 	}
@@ -1158,10 +1102,6 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.
 		b.logf("[v1] netmap packet filter: %v filters", len(packetFilter))
 		b.setFilter(filter.New(packetFilter, localNets, logNets, oldFilter, b.logf))
 	}
-
-	if b.sshServer != nil {
-		go b.sshServer.OnPolicyChange()
-	}
 }
 
 func (b *LocalBackend) setFilter(f *filter.Filter) {
@@ -1780,53 +1720,11 @@ func (b *LocalBackend) SetCurrentUserID(uid string) {
 	b.mu.Unlock()
 }
 
-func (b *LocalBackend) CheckPrefs(p *ipn.Prefs) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	return b.checkPrefsLocked(p)
-}
-
-func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
-	if p.Hostname == "badhostname.tailscale." {
-		// Keep this one just for testing.
-		return errors.New("bad hostname [test]")
-	}
-	if p.RunSSH {
-		switch runtime.GOOS {
-		case "linux":
-			// okay
-		case "darwin":
-			// okay only in tailscaled mode for now.
-			if version.IsSandboxedMacOS() {
-				return errors.New("The Tailscale SSH server does not run in sandboxed Tailscale GUI builds.")
-			}
-			if !envknob.UseWIPCode() {
-				return errors.New("The Tailscale SSH server is disabled on macOS tailscaled by default. To try, set env TAILSCALE_USE_WIP_CODE=1")
-			}
-		default:
-			return errors.New("The Tailscale SSH server is not supported on " + runtime.GOOS)
-		}
-		if !canSSH {
-			return errors.New("The Tailscale SSH server has been administratively disabled.")
-		}
-		if b.netMap != nil && b.netMap.SSHPolicy == nil &&
-			envknob.SSHPolicyFile() == "" && !envknob.SSHIgnoreTailnetPolicy() {
-			return errors.New("Unable to enable local Tailscale SSH server; not enabled/configured on Tailnet.")
-		}
-	}
-	return nil
-}
-
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
 	b.mu.Lock()
 	p0 := b.prefs.Clone()
 	p1 := b.prefs.Clone()
 	p1.ApplyEdits(mp)
-	if err := b.checkPrefsLocked(p1); err != nil {
-		b.mu.Unlock()
-		b.logf("EditPrefs check error: %v", err)
-		return nil, err
-	}
 	if p1.RunSSH && !canSSH {
 		b.mu.Unlock()
 		b.logf("EditPrefs requests SSH, but disabled by envknob; returning error")
@@ -1882,12 +1780,6 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 	userID := b.userID
 	cc := b.cc
 
-	// [GRINDER STATS LINE] - please don't remove (used for log parsing)
-	if caller == "SetPrefs" {
-		b.logf("SetPrefs: %v", newp.Pretty())
-	}
-	b.updateFilterLocked(netMap, newp)
-
 	b.mu.Unlock()
 
 	if stateKey != "" {
@@ -1897,6 +1789,10 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 	}
 	b.writeServerModeStartState(userID, newp)
 
+	// [GRINDER STATS LINE] - please don't remove (used for log parsing)
+	if caller == "SetPrefs" {
+		b.logf("SetPrefs: %v", newp.Pretty())
+	}
 	if netMap != nil {
 		if login := netMap.UserProfiles[netMap.User].LoginName; login != "" {
 			if newp.Persist == nil {
@@ -1916,6 +1812,8 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 		b.doSetHostinfoFilterServices(newHi)
 	}
 
+	b.updateFilter(netMap, newp)
+
 	if netMap != nil {
 		b.e.SetDERPMap(netMap.DERPMap)
 	}
@@ -2212,7 +2110,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 
 	addDefault := func(resolvers []dnstype.Resolver) {
 		for _, r := range resolvers {
-			dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, r)
+			dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, normalizeResolver(r))
 		}
 	}
 
@@ -2241,7 +2139,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		dcfg.Routes[fqdn] = make([]dnstype.Resolver, 0, len(resolvers))
 
 		for _, r := range resolvers {
-			dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], r)
+			dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], normalizeResolver(r))
 		}
 	}
 
@@ -2272,6 +2170,16 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 	return dcfg
 }
 
+func normalizeResolver(cfg dnstype.Resolver) dnstype.Resolver {
+	if ip, err := netaddr.ParseIP(cfg.Addr); err == nil {
+		// Add 53 here for bare IPs for consistency with previous data type.
+		return dnstype.Resolver{
+			Addr: netaddr.IPPortFrom(ip, 53).String(),
+		}
+	}
+	return cfg
+}
+
 // SetVarRoot sets the root directory of Tailscale's writable
 // storage area . (e.g. "/var/lib/tailscale")
 //
@@ -3317,10 +3225,3 @@ func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error)
 	}
 	return cc.DoNoiseRequest(req)
 }
-
-func (b *LocalBackend) HandleSSHConn(c net.Conn) error {
-	if b.sshServer == nil {
-		return errors.New("no SSH server")
-	}
-	return b.sshServer.HandleSSHConn(c)
-}

ipn/ipnlocal/peerapi.go

@@ -386,14 +386,6 @@ func (s *peerAPIServer) OpenFile(baseName string) (rc io.ReadCloser, size int64,
 }
 
 func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net.Listener, err error) {
-	// Android for whatever reason often has problems creating the peerapi listener.
-	// But since we started intercepting it with netstack, it's not even important that
-	// we have a real kernel-level listener. So just create a dummy listener on Android
-	// and let netstack intercept it.
-	if runtime.GOOS == "android" {
-		return newFakePeerAPIListener(ip), nil
-	}
-
 	ipStr := ip.String()
 
 	var lc net.ListenConfig
@@ -436,15 +428,8 @@ func (s *peerAPIServer) listen(ip netaddr.IP, ifState *interfaces.State) (ln net
 			return ln, nil
 		}
 	}
-	// Fall back to some random ephemeral port.
-	ln, err = lc.Listen(context.Background(), tcp4or6, net.JoinHostPort(ipStr, "0"))
-
-	// And if we're on a platform with netstack (anything but iOS), then just fallback to netstack.
-	if err != nil && runtime.GOOS != "ios" {
-		s.b.logf("peerapi: failed to do peerAPI listen, harmless (netstack available) but error was: %v", err)
-		return newFakePeerAPIListener(ip), nil
-	}
-	return ln, err
+	// Fall back to random ephemeral port.
+	return lc.Listen(context.Background(), tcp4or6, net.JoinHostPort(ipStr, "0"))
 }
 
 type peerAPIListener struct {
@@ -635,29 +620,9 @@ func (f *incomingFile) PartialFile() ipn.PartialFile {
 	}
 }
 
-// canPutFile reports whether h can put a file ("Taildrop") to this node.
-func (h *peerAPIHandler) canPutFile() bool {
-	return h.isSelf || h.peerHasCap(tailcfg.CapabilityFileSharingSend)
-}
-
-// canDebug reports whether h can debug this node (goroutines, metrics,
-// magicsock internal state, etc).
-func (h *peerAPIHandler) canDebug() bool {
-	return h.isSelf || h.peerHasCap(tailcfg.CapabilityDebugPeer)
-}
-
-func (h *peerAPIHandler) peerHasCap(wantCap string) bool {
-	for _, hasCap := range h.ps.b.PeerCaps(h.remoteAddr.IP()) {
-		if hasCap == wantCap {
-			return true
-		}
-	}
-	return false
-}
-
 func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
-	if !h.canPutFile() {
-		http.Error(w, "Taildrop access denied", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	if !h.ps.b.hasCapFileSharing() {
@@ -776,8 +741,8 @@ func approxSize(n int64) string {
 }
 
 func (h *peerAPIHandler) handleServeGoroutines(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	var buf []byte
@@ -792,8 +757,8 @@ func (h *peerAPIHandler) handleServeGoroutines(w http.ResponseWriter, r *http.Re
 }
 
 func (h *peerAPIHandler) handleServeEnv(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	var data struct {
@@ -812,8 +777,8 @@ func (h *peerAPIHandler) handleServeEnv(w http.ResponseWriter, r *http.Request)
 }
 
 func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	eng := h.ps.b.e
@@ -827,8 +792,8 @@ func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Req
 }
 
 func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
 		return
 	}
 	w.Header().Set("Content-Type", "text/plain")
@@ -1062,49 +1027,3 @@ func writePrettyDNSReply(w io.Writer, res []byte) (err error) {
 	w.Write(j)
 	return nil
 }
-
-// newFakePeerAPIListener creates a new net.Listener that acts like
-// it's listening on the provided IP address and on TCP port 1.
-//
-// See docs on fakePeerAPIListener.
-func newFakePeerAPIListener(ip netaddr.IP) net.Listener {
-	return &fakePeerAPIListener{
-		addr:   netaddr.IPPortFrom(ip, 1).TCPAddr(),
-		closed: make(chan struct{}),
-	}
-}
-
-// fakePeerAPIListener is a net.Listener that has an Addr method returning a TCPAddr
-// for a given IP on port 1 (arbitrary) and can be Closed, but otherwise Accept
-// just blocks forever until closed. The purpose of this is to let the rest
-// of the LocalBackend/PeerAPI code run and think it's talking to the kernel,
-// even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
-// or we lack permission to listen on a port. It's okay to not actually listen via
-// the kernel because on almost all platforms (except iOS as of 2022-04-20) we
-// also intercept netstack TCP requests in to our peerapi port and hand it over
-// directly to peerapi, without involving the kernel. So this doesn't need to be
-// real. But the port number we return (1, in this case) is the port number we advertise
-// to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's
-// using it, it doesn't matter, as we intercept it first in netstack and the kernel
-// never notices.
-//
-// Eventually we'll remove this code and do this on all platforms, when iOS also uses
-// netstack.
-type fakePeerAPIListener struct {
-	addr net.Addr
-
-	closeOnce sync.Once
-	closed    chan struct{}
-}
-
-func (fl *fakePeerAPIListener) Close() error {
-	fl.closeOnce.Do(func() { close(fl.closed) })
-	return nil
-}
-
-func (fl *fakePeerAPIListener) Accept() (net.Conn, error) {
-	<-fl.closed
-	return nil, io.EOF
-}
-
-func (fl *fakePeerAPIListener) Addr() net.Addr { return fl.addr }

ipn/ipnlocal/peerapi_test.go

@@ -158,7 +158,7 @@ func TestHandlePeerAPI(t *testing.T) {
 			req:        httptest.NewRequest("PUT", "/v0/put/foo", nil),
 			checks: checks(
 				httpStatus(http.StatusForbidden),
-				bodyContains("Taildrop access denied"),
+				bodyContains("not owner"),
 			),
 		},
 		{

ipn/ipnstate/ipnstate.go

@@ -480,8 +480,6 @@ func osEmoji(os string) string {
 
 // PingResult contains response information for the "tailscale ping" subcommand,
 // saying how Tailscale can reach a Tailscale IP or subnet-routed IP.
-// See tailcfg.PingResponse for a related response that is sent back to control
-// for remote diagnostic pings.
 type PingResult struct {
 	IP       string // ping destination
 	NodeIP   string // Tailscale IP of node handling IP (different for subnet routers)
@@ -515,22 +513,6 @@ type PingResult struct {
 	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
 }
 
-func (pr *PingResult) ToPingResponse(pingType string) *tailcfg.PingResponse {
-	return &tailcfg.PingResponse{
-		Type:           pingType,
-		IP:             pr.IP,
-		NodeIP:         pr.NodeIP,
-		NodeName:       pr.NodeName,
-		Err:            pr.Err,
-		LatencySeconds: pr.LatencySeconds,
-		Endpoint:       pr.Endpoint,
-		DERPRegionID:   pr.DERPRegionID,
-		DERPRegionCode: pr.DERPRegionCode,
-		PeerAPIPort:    pr.PeerAPIPort,
-		IsLocalIP:      pr.IsLocalIP,
-	}
-}
-
 func SortPeers(peers []*PeerStatus) {
 	sort.Slice(peers, func(i, j int) bool { return sortKey(peers[i]) < sortKey(peers[j]) })
 }

ipn/localapi/localapi.go

@@ -111,8 +111,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveLogout(w, r)
 	case "/localapi/v0/prefs":
 		h.servePrefs(w, r)
-	case "/localapi/v0/check-prefs":
-		h.serveCheckPrefs(w, r)
 	case "/localapi/v0/check-ip-forwarding":
 		h.serveCheckIPForwarding(w, r)
 	case "/localapi/v0/bugreport":
@@ -225,7 +223,6 @@ func (h *Handler) serveWhoIs(w http.ResponseWriter, r *http.Request) {
 	res := &apitype.WhoIsResponse{
 		Node:        n,
 		UserProfile: &u,
-		Caps:        b.PeerCaps(ipp.IP()),
 	}
 	j, err := json.MarshalIndent(res, "", "\t")
 	if err != nil {
@@ -378,9 +375,7 @@ func (h *Handler) servePrefs(w http.ResponseWriter, r *http.Request) {
 		var err error
 		prefs, err = h.b.EditPrefs(mp)
 		if err != nil {
-			w.Header().Set("Content-Type", "application/json")
-			w.WriteHeader(http.StatusBadRequest)
-			json.NewEncoder(w).Encode(resJSON{Error: err.Error()})
+			http.Error(w, err.Error(), 400)
 			return
 		}
 	case "GET", "HEAD":
@@ -395,33 +390,6 @@ func (h *Handler) servePrefs(w http.ResponseWriter, r *http.Request) {
 	e.Encode(prefs)
 }
 
-type resJSON struct {
-	Error string `json:",omitempty"`
-}
-
-func (h *Handler) serveCheckPrefs(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "checkprefs access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "POST" {
-		http.Error(w, "unsupported method", http.StatusMethodNotAllowed)
-		return
-	}
-	p := new(ipn.Prefs)
-	if err := json.NewDecoder(r.Body).Decode(p); err != nil {
-		http.Error(w, "invalid JSON body", 400)
-		return
-	}
-	err := h.b.CheckPrefs(p)
-	var res resJSON
-	if err != nil {
-		res.Error = err.Error()
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(res)
-}
-
 func (h *Handler) serveFiles(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "file access denied", http.StatusForbidden)

logtail/logtail.go

@@ -20,7 +20,6 @@ import (
 
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/syncs"
 	tslogger "tailscale.com/types/logger"
 	"tailscale.com/wgengine/monitor"
 )
@@ -413,18 +412,7 @@ func (l *Logger) Flush() error {
 	return nil
 }
 
-// logtailDisabled is whether logtail uploads to logcatcher are disabled.
-var logtailDisabled syncs.AtomicBool
-
-// Disable disables logtail uploads for the lifetime of the process.
-func Disable() {
-	logtailDisabled.Set(true)
-}
-
 func (l *Logger) send(jsonBlob []byte) (int, error) {
-	if logtailDisabled.Get() {
-		return len(jsonBlob), nil
-	}
 	n, err := l.buffer.Write(jsonBlob)
 	if l.drainLogs == nil {
 		select {

net/dns/config.go

@@ -84,7 +84,10 @@ func (c Config) hasDefaultIPResolversOnly() bool {
 		return false
 	}
 	for _, r := range c.DefaultResolvers {
-		if ipp, ok := r.IPPort(); !ok || ipp.Port() != 53 {
+		if ipp, err := netaddr.ParseIPPort(r.Addr); err == nil && ipp.Port() == 53 {
+			continue
+		}
+		if _, err := netaddr.ParseIP(r.Addr); err != nil {
 			return false
 		}
 	}

net/dns/manager.go

@@ -174,7 +174,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 		}
 		var defaultRoutes []dnstype.Resolver
 		for _, ip := range bcfg.Nameservers {
-			defaultRoutes = append(defaultRoutes, dnstype.Resolver{Addr: ip.String()})
+			defaultRoutes = append(defaultRoutes, dnstype.ResolverFromIP(ip))
 		}
 		rcfg.Routes["."] = defaultRoutes
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
@@ -188,13 +188,23 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 // DoH or custom-port entries with something like hasDefaultIPResolversOnly.
 func toIPsOnly(resolvers []dnstype.Resolver) (ret []netaddr.IP) {
 	for _, r := range resolvers {
-		if ipp, ok := r.IPPort(); ok && ipp.Port() == 53 {
+		if ipp, err := netaddr.ParseIPPort(r.Addr); err == nil && ipp.Port() == 53 {
 			ret = append(ret, ipp.IP())
+		} else if ip, err := netaddr.ParseIP(r.Addr); err == nil {
+			ret = append(ret, ip)
 		}
 	}
 	return ret
 }
 
+func toIPPorts(ips []netaddr.IP) (ret []netaddr.IPPort) {
+	ret = make([]netaddr.IPPort, 0, len(ips))
+	for _, ip := range ips {
+		ret = append(ret, netaddr.IPPortFrom(ip, 53))
+	}
+	return ret
+}
+
 func (m *Manager) EnqueuePacket(bs []byte, proto ipproto.Proto, from, to netaddr.IPPort) error {
 	return m.resolver.EnqueuePacket(bs, proto, from, to)
 }

net/dns/manager_test.go

@@ -96,7 +96,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			os: OSConfig{
@@ -107,7 +107,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-split",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -119,7 +119,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-magic",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
@@ -131,7 +131,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams(".", "1.1.1.1", "9.9.9.9"),
+				Routes: upstreams(".", "1.1.1.1:53", "9.9.9.9:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -141,7 +141,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-magic-split",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
@@ -154,7 +154,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams(".", "1.1.1.1", "9.9.9.9"),
+				Routes: upstreams(".", "1.1.1.1:53", "9.9.9.9:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -164,8 +164,8 @@ func TestManager(t *testing.T) {
 		{
 			name: "corp-routes",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
-				Routes:           upstreams("corp.com", "2.2.2.2"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
+				Routes:           upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			os: OSConfig{
@@ -174,15 +174,15 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "1.1.1.1", "9.9.9.9",
-					"corp.com.", "2.2.2.2"),
+					".", "1.1.1.1:53", "9.9.9.9:53",
+					"corp.com.", "2.2.2.2:53"),
 			},
 		},
 		{
 			name: "corp-routes-split",
 			in: Config{
-				DefaultResolvers: mustRes("1.1.1.1", "9.9.9.9"),
-				Routes:           upstreams("corp.com", "2.2.2.2"),
+				DefaultResolvers: mustRes("1.1.1.1:53", "9.9.9.9:53"),
+				Routes:           upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -192,14 +192,14 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "1.1.1.1", "9.9.9.9",
-					"corp.com.", "2.2.2.2"),
+					".", "1.1.1.1:53", "9.9.9.9:53",
+					"corp.com.", "2.2.2.2:53"),
 			},
 		},
 		{
 			name: "routes",
 			in: Config{
-				Routes:        upstreams("corp.com", "2.2.2.2"),
+				Routes:        upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
@@ -212,14 +212,14 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "8.8.8.8",
-					"corp.com.", "2.2.2.2"),
+					".", "8.8.8.8:53",
+					"corp.com.", "2.2.2.2:53"),
 			},
 		},
 		{
 			name: "routes-split",
 			in: Config{
-				Routes:        upstreams("corp.com", "2.2.2.2"),
+				Routes:        upstreams("corp.com", "2.2.2.2:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -233,8 +233,8 @@ func TestManager(t *testing.T) {
 			name: "routes-multi",
 			in: Config{
 				Routes: upstreams(
-					"corp.com", "2.2.2.2",
-					"bigco.net", "3.3.3.3"),
+					"corp.com", "2.2.2.2:53",
+					"bigco.net", "3.3.3.3:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
@@ -247,17 +247,17 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					".", "8.8.8.8",
-					"corp.com.", "2.2.2.2",
-					"bigco.net.", "3.3.3.3"),
+					".", "8.8.8.8:53",
+					"corp.com.", "2.2.2.2:53",
+					"bigco.net.", "3.3.3.3:53"),
 			},
 		},
 		{
 			name: "routes-multi-split",
 			in: Config{
 				Routes: upstreams(
-					"corp.com", "2.2.2.2",
-					"bigco.net", "3.3.3.3"),
+					"corp.com", "2.2.2.2:53",
+					"bigco.net", "3.3.3.3:53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
@@ -268,8 +268,8 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					"corp.com.", "2.2.2.2",
-					"bigco.net.", "3.3.3.3"),
+					"corp.com.", "2.2.2.2:53",
+					"bigco.net.", "3.3.3.3:53"),
 			},
 		},
 		{
@@ -290,7 +290,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams(".", "8.8.8.8"),
+				Routes: upstreams(".", "8.8.8.8:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -322,7 +322,7 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2", "ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53", "ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -338,8 +338,8 @@ func TestManager(t *testing.T) {
 			},
 			rs: resolver.Config{
 				Routes: upstreams(
-					"corp.com.", "2.2.2.2",
-					".", "8.8.8.8"),
+					"corp.com.", "2.2.2.2:53",
+					".", "8.8.8.8:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -350,7 +350,7 @@ func TestManager(t *testing.T) {
 			name: "routes-magic-split",
 			in: Config{
 				Routes: upstreams(
-					"corp.com", "2.2.2.2",
+					"corp.com", "2.2.2.2:53",
 					"ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
@@ -364,7 +364,7 @@ func TestManager(t *testing.T) {
 				MatchDomains:  fqdns("corp.com", "ts.com"),
 			},
 			rs: resolver.Config{
-				Routes: upstreams("corp.com.", "2.2.2.2"),
+				Routes: upstreams("corp.com.", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
@@ -393,14 +393,6 @@ func TestManager(t *testing.T) {
 		},
 	}
 
-	trIP := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
-	trIPPort := cmp.Transformer("ippStr", func(ipp netaddr.IPPort) string {
-		if ipp.Port() == 53 {
-			return ipp.IP().String()
-		}
-		return ipp.String()
-	})
-
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			f := fakeOSConfigurator{
@@ -413,6 +405,8 @@ func TestManager(t *testing.T) {
 			if err := m.Set(test.in); err != nil {
 				t.Fatalf("m.Set: %v", err)
 			}
+			trIP := cmp.Transformer("ipStr", func(ip netaddr.IP) string { return ip.String() })
+			trIPPort := cmp.Transformer("ippStr", func(ipp netaddr.IPPort) string { return ipp.String() })
 			if diff := cmp.Diff(f.OSConfig, test.os, trIP, trIPPort, cmpopts.EquateEmpty()); diff != "" {
 				t.Errorf("wrong OSConfig (-got+want)\n%s", diff)
 			}
@@ -509,11 +503,6 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]dnstype.Resolver) {
 				panic("IPPort provided before suffix")
 			}
 			ret[key] = append(ret[key], dnstype.Resolver{Addr: ipp.String()})
-		} else if _, err := netaddr.ParseIP(s); err == nil {
-			if key == "" {
-				panic("IPPort provided before suffix")
-			}
-			ret[key] = append(ret[key], dnstype.Resolver{Addr: s})
 		} else if strings.HasPrefix(s, "http") {
 			ret[key] = append(ret[key], dnstype.Resolver{Addr: s})
 		} else {

net/dns/resolver/doh_test.go

@@ -49,9 +49,9 @@ func TestDoH(t *testing.T) {
 		dohSem: make(chan struct{}, 10),
 	}
 
-	for urlBase := range publicdns.DoHIPsOfBase() {
-		t.Run(urlBase, func(t *testing.T) {
-			c, ok := f.getKnownDoHClientForProvider(urlBase)
+	for ip := range publicdns.KnownDoH() {
+		t.Run(ip.String(), func(t *testing.T) {
+			urlBase, c, ok := f.getKnownDoHClient(ip)
 			if !ok {
 				t.Fatal("expected DoH")
 			}

net/dns/resolver/forwarder.go

@@ -15,7 +15,6 @@ import (
 	"math/rand"
 	"net"
 	"net/http"
-	"net/url"
 	"runtime"
 	"sort"
 	"strconv"
@@ -25,10 +24,8 @@ import (
 
 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
-	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/net/dns/publicdns"
-	"tailscale.com/net/dnscache"
 	"tailscale.com/net/neterror"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tsdial"
@@ -50,11 +47,6 @@ const (
 	// arbitrary.
 	dohTransportTimeout = 30 * time.Second
 
-	// dohTransportTimeout is how much of a head start to give a DoH query
-	// that was upgraded from a well-known public DNS provider's IP before
-	// normal UDP mode is attempted as a fallback.
-	dohHeadStart = 500 * time.Millisecond
-
 	// wellKnownHostBackupDelay is how long to artificially delay upstream
 	// DNS queries to the "fallback" DNS server IP for a known provider
 	// (e.g. how long to wait to query Google's 8.8.4.4 after 8.8.8.8).
@@ -234,55 +226,65 @@ func (f *forwarder) Close() error {
 	return nil
 }
 
-// resolversWithDelays maps from a set of DNS server names to a slice of a type
-// that included a startDelay, upgrading any well-known DoH (DNS-over-HTTP)
-// servers in the process, insert a DoH lookup first before UDP fallbacks.
+// resolversWithDelays maps from a set of DNS server names to a slice of
+// a type that included a startDelay. So if resolvers contains e.g. four
+// Google DNS IPs (two IPv4 + twoIPv6), this function partition adds
+// delays to some.
 func resolversWithDelays(resolvers []dnstype.Resolver) []resolverAndDelay {
-	rr := make([]resolverAndDelay, 0, len(resolvers)+2)
-
-	// Add the known DoH ones first, starting immediately.
-	didDoH := map[string]bool{}
-	for _, r := range resolvers {
-		ipp, ok := r.IPPort()
-		if !ok {
-			continue
-		}
-		dohBase, ok := publicdns.KnownDoH()[ipp.IP()]
-		if !ok || didDoH[dohBase] {
-			continue
-		}
-		didDoH[dohBase] = true
-		rr = append(rr, resolverAndDelay{name: dnstype.Resolver{Addr: dohBase}})
-	}
-
 	type hostAndFam struct {
 		host string // some arbitrary string representing DNS host (currently the DoH base)
 		bits uint8  // either 32 or 128 for IPv4 vs IPv6s address family
 	}
-	done := map[hostAndFam]int{}
+
+	// Track how many of each known resolver host are in the list,
+	// per address family.
+	total := map[hostAndFam]int{}
+
+	rr := make([]resolverAndDelay, len(resolvers))
 	for _, r := range resolvers {
-		ipp, ok := r.IPPort()
-		if !ok {
-			// Pass non-IP ones through unchanged, without delay.
-			// (e.g. DNS-over-ExitDNS when using an exit node)
-			rr = append(rr, resolverAndDelay{name: r})
-			continue
-		}
-		ip := ipp.IP()
-		var startDelay time.Duration
-		if host, ok := publicdns.KnownDoH()[ip]; ok {
-			// We already did the DoH query early. These
-			startDelay = dohHeadStart
-			key := hostAndFam{host, ip.BitLen()}
-			if done[key] > 0 {
-				startDelay += wellKnownHostBackupDelay
+		if ip, err := netaddr.ParseIP(r.Addr); err == nil {
+			if host, ok := publicdns.KnownDoH()[ip]; ok {
+				total[hostAndFam{host, ip.BitLen()}]++
 			}
-			done[key]++
 		}
-		rr = append(rr, resolverAndDelay{
+	}
+
+	done := map[hostAndFam]int{}
+	for i, r := range resolvers {
+		var startDelay time.Duration
+		if ip, err := netaddr.ParseIP(r.Addr); err == nil {
+			if host, ok := publicdns.KnownDoH()[ip]; ok {
+				key4 := hostAndFam{host, 32}
+				key6 := hostAndFam{host, 128}
+				switch {
+				case ip.Is4():
+					if done[key4] > 0 {
+						startDelay += wellKnownHostBackupDelay
+					}
+				case ip.Is6():
+					total4 := total[key4]
+					if total4 >= 2 {
+						// If we have two IPv4 IPs of the same provider
+						// already in the set, delay the IPv6 queries
+						// until halfway through the timeout (so wait
+						// 2.5 seconds). Even the network is IPv6-only,
+						// the DoH dialer will fallback to IPv6
+						// immediately anyway.
+						startDelay = responseTimeout / 2
+					} else if total4 == 1 {
+						startDelay += wellKnownHostBackupDelay
+					}
+					if done[key6] > 0 {
+						startDelay += wellKnownHostBackupDelay
+					}
+				}
+				done[hostAndFam{host, ip.BitLen()}]++
+			}
+		}
+		rr[i] = resolverAndDelay{
 			name:       r,
 			startDelay: startDelay,
-		})
+		}
 	}
 	return rr
 }
@@ -330,30 +332,21 @@ func (f *forwarder) packetListener(ip netaddr.IP) (packetListener, error) {
 	return lc, nil
 }
 
-// getKnownDoHClientForProvider returns an HTTP client for a specific DoH
-// provider named by its DoH base URL (like "https://dns.google/dns-query").
-//
-// The returned client race/Happy Eyeballs dials all IPs for urlBase (usually
-// 4), as statically known by the publicdns package.
-func (f *forwarder) getKnownDoHClientForProvider(urlBase string) (c *http.Client, ok bool) {
+func (f *forwarder) getKnownDoHClient(ip netaddr.IP) (urlBase string, c *http.Client, ok bool) {
+	urlBase, ok = publicdns.KnownDoH()[ip]
+	if !ok {
+		return
+	}
+
 	f.mu.Lock()
 	defer f.mu.Unlock()
 	if c, ok := f.dohClient[urlBase]; ok {
-		return c, true
+		return urlBase, c, true
 	}
-	allIPs := publicdns.DoHIPsOfBase()[urlBase]
-	if len(allIPs) == 0 {
-		return nil, false
-	}
-	dohURL, err := url.Parse(urlBase)
-	if err != nil {
-		return nil, false
+	if f.dohClient == nil {
+		f.dohClient = map[string]*http.Client{}
 	}
 	nsDialer := netns.NewDialer(f.logf)
-	dialer := dnscache.Dialer(nsDialer.DialContext, &dnscache.Resolver{
-		SingleHost:             dohURL.Hostname(),
-		SingleHostStaticResult: allIPs,
-	})
 	c = &http.Client{
 		Transport: &http.Transport{
 			IdleConnTimeout: dohTransportTimeout,
@@ -361,15 +354,21 @@ func (f *forwarder) getKnownDoHClientForProvider(urlBase string) (c *http.Client
 				if !strings.HasPrefix(netw, "tcp") {
 					return nil, fmt.Errorf("unexpected network %q", netw)
 				}
-				return dialer(ctx, netw, addr)
+				c, err := nsDialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), "443"))
+				// If v4 failed, try an equivalent v6 also in the time remaining.
+				if err != nil && ctx.Err() == nil {
+					if ip6, ok := publicdns.DoHV6(urlBase); ok && ip.Is4() {
+						if c6, err := nsDialer.DialContext(ctx, "tcp", net.JoinHostPort(ip6.String(), "443")); err == nil {
+							return c6, nil
+						}
+					}
+				}
+				return c, err
 			},
 		},
 	}
-	if f.dohClient == nil {
-		f.dohClient = map[string]*http.Client{}
-	}
 	f.dohClient[urlBase] = c
-	return c, true
+	return urlBase, c, true
 }
 
 const dohType = "application/dns-message"
@@ -423,43 +422,34 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 	return res, err
 }
 
-var verboseDNSForward = envknob.Bool("TS_DEBUG_DNS_FORWARD_SEND")
-
 // send sends packet to dst. It is best effort.
 //
 // send expects the reply to have the same txid as txidOut.
-func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
-	if verboseDNSForward {
-		f.logf("forwarder.send(%q) ...", rr.name.Addr)
-		defer func() {
-			f.logf("forwarder.send(%q) = %v, %v", rr.name.Addr, len(ret), err)
-		}()
-	}
+func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) ([]byte, error) {
 	if strings.HasPrefix(rr.name.Addr, "http://") {
 		return f.sendDoH(ctx, rr.name.Addr, f.dialer.PeerAPIHTTPClient(), fq.packet)
 	}
 	if strings.HasPrefix(rr.name.Addr, "https://") {
-		// Only known DoH providers are supported currently. Specifically, we
-		// only support DoH providers where we can TCP connect to them on port
-		// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
-		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custon DoH providers
-		// aren't currently supported. There's no backup DNS resolution path for
-		// them.
-		urlBase := rr.name.Addr
-		if hc, ok := f.getKnownDoHClientForProvider(urlBase); ok {
-			return f.sendDoH(ctx, urlBase, hc, fq.packet)
-		}
 		metricDNSFwdErrorType.Add(1)
-		return nil, fmt.Errorf("arbitrary https:// resolvers not supported yet")
+		return nil, fmt.Errorf("https:// resolvers not supported yet")
 	}
 	if strings.HasPrefix(rr.name.Addr, "tls://") {
 		metricDNSFwdErrorType.Add(1)
 		return nil, fmt.Errorf("tls:// resolvers not supported yet")
 	}
-	ipp, ok := rr.name.IPPort()
-	if !ok {
-		metricDNSFwdErrorType.Add(1)
-		return nil, fmt.Errorf("unrecognized resolver type %q", rr.name.Addr)
+	ipp, err := netaddr.ParseIPPort(rr.name.Addr)
+	if err != nil {
+		return nil, err
+	}
+
+	// Upgrade known DNS IPs to DoH (DNS-over-HTTPs).
+	// All known DoH is over port 53.
+	if urlBase, dc, ok := f.getKnownDoHClient(ipp.IP()); ok {
+		res, err := f.sendDoH(ctx, urlBase, dc, fq.packet)
+		if err == nil || ctx.Err() != nil {
+			return res, err
+		}
+		f.logf("DoH error from %v: %v", ipp.IP(), err)
 	}
 
 	metricDNSFwdUDP.Add(1)
@@ -603,10 +593,6 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 		return err
 	}
 
-	// Guarantee that the ctx we use below is done when this function returns.
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
 	// Drop DNS service discovery spam, primarily for battery life
 	// on mobile.  Things like Spotify on iOS generate this traffic,
 	// when browsing for LAN devices.  But even when filtering this
@@ -647,8 +633,12 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 	}
 	defer fq.closeOnCtxDone.Close()
 
-	resc := make(chan []byte, 1) // it's fine buffered or not
-	errc := make(chan error, 1)  // it's fine buffered or not too
+	resc := make(chan []byte, 1)
+	var (
+		mu       sync.Mutex
+		firstErr error
+	)
+
 	for i := range resolvers {
 		go func(rr *resolverAndDelay) {
 			if rr.startDelay > 0 {
@@ -662,48 +652,39 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 			}
 			resb, err := f.send(ctx, fq, *rr)
 			if err != nil {
-				select {
-				case errc <- err:
-				case <-ctx.Done():
+				mu.Lock()
+				defer mu.Unlock()
+				if firstErr == nil {
+					firstErr = err
 				}
 				return
 			}
 			select {
 			case resc <- resb:
-			case <-ctx.Done():
+			default:
 			}
 		}(&resolvers[i])
 	}
 
-	var firstErr error
-	var numErr int
-	for {
+	select {
+	case v := <-resc:
 		select {
-		case v := <-resc:
-			select {
-			case <-ctx.Done():
-				metricDNSFwdErrorContext.Add(1)
-				return ctx.Err()
-			case responseChan <- packet{v, query.addr}:
-				metricDNSFwdSuccess.Add(1)
-				return nil
-			}
-		case err := <-errc:
-			if firstErr == nil {
-				firstErr = err
-			}
-			numErr++
-			if numErr == len(resolvers) {
-				return firstErr
-			}
 		case <-ctx.Done():
 			metricDNSFwdErrorContext.Add(1)
-			if firstErr != nil {
-				metricDNSFwdErrorContextGotError.Add(1)
-				return firstErr
-			}
 			return ctx.Err()
+		case responseChan <- packet{v, query.addr}:
+			metricDNSFwdSuccess.Add(1)
+			return nil
 		}
+	case <-ctx.Done():
+		mu.Lock()
+		defer mu.Unlock()
+		metricDNSFwdErrorContext.Add(1)
+		if firstErr != nil {
+			metricDNSFwdErrorContextGotError.Add(1)
+			return firstErr
+		}
+		return ctx.Err()
 	}
 }
 

net/dns/resolver/forwarder_test.go

@@ -5,8 +5,8 @@
 package resolver
 
 import (
-	"flag"
 	"fmt"
+	"net"
 	"reflect"
 	"strings"
 	"testing"
@@ -24,7 +24,11 @@ func (rr resolverAndDelay) String() string {
 func TestResolversWithDelays(t *testing.T) {
 	// query
 	q := func(ss ...string) (ipps []dnstype.Resolver) {
-		for _, host := range ss {
+		for _, s := range ss {
+			host, _, err := net.SplitHostPort(s)
+			if err != nil {
+				t.Fatal(err)
+			}
 			ipps = append(ipps, dnstype.Resolver{Addr: host})
 		}
 		return
@@ -41,8 +45,12 @@ func TestResolversWithDelays(t *testing.T) {
 					panic(fmt.Sprintf("parsing duration in %q: %v", s, err))
 				}
 			}
+			host, _, err := net.SplitHostPort(s)
+			if err != nil {
+				t.Fatal(err)
+			}
 			rr = append(rr, resolverAndDelay{
-				name:       dnstype.Resolver{Addr: s},
+				name:       dnstype.Resolver{Addr: host},
 				startDelay: d,
 			})
 		}
@@ -56,28 +64,28 @@ func TestResolversWithDelays(t *testing.T) {
 	}{
 		{
 			name: "unknown-no-delays",
-			in:   q("1.2.3.4", "2.3.4.5"),
-			want: o("1.2.3.4", "2.3.4.5"),
+			in:   q("1.2.3.4:53", "2.3.4.5:53"),
+			want: o("1.2.3.4:53", "2.3.4.5:53"),
 		},
 		{
 			name: "google-all-ipv4",
-			in:   q("8.8.8.8", "8.8.4.4"),
-			want: o("https://dns.google/dns-query", "8.8.8.8+0.5s", "8.8.4.4+0.7s"),
+			in:   q("8.8.8.8:53", "8.8.4.4:53"),
+			want: o("8.8.8.8:53", "8.8.4.4:53+200ms"),
 		},
 		{
 			name: "google-only-ipv6",
-			in:   q("2001:4860:4860::8888", "2001:4860:4860::8844"),
-			want: o("https://dns.google/dns-query", "2001:4860:4860::8888+0.5s", "2001:4860:4860::8844+0.7s"),
+			in:   q("[2001:4860:4860::8888]:53", "[2001:4860:4860::8844]:53"),
+			want: o("[2001:4860:4860::8888]:53", "[2001:4860:4860::8844]:53+200ms"),
 		},
 		{
 			name: "google-all-four",
-			in:   q("8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"),
-			want: o("https://dns.google/dns-query", "8.8.8.8+0.5s", "8.8.4.4+0.7s", "2001:4860:4860::8888+0.5s", "2001:4860:4860::8844+0.7s"),
+			in:   q("8.8.8.8:53", "8.8.4.4:53", "[2001:4860:4860::8888]:53", "[2001:4860:4860::8844]:53"),
+			want: o("8.8.8.8:53", "8.8.4.4:53+200ms", "[2001:4860:4860::8888]:53+2.5s", "[2001:4860:4860::8844]:53+2.7s"),
 		},
 		{
 			name: "quad9-one-v4-one-v6",
-			in:   q("9.9.9.9", "2620:fe::fe"),
-			want: o("https://dns.quad9.net/dns-query", "9.9.9.9+0.5s", "2620:fe::fe+0.5s"),
+			in:   q("9.9.9.9:53", "[2620:fe::fe]:53"),
+			want: o("9.9.9.9:53", "[2620:fe::fe]:53+200ms"),
 		},
 	}
 
@@ -161,25 +169,6 @@ func TestMaxDoHInFlight(t *testing.T) {
 	}
 }
 
-var testDNS = flag.Bool("test-dns", false, "run tests that require a working DNS server")
-
-func TestGetKnownDoHClientForProvider(t *testing.T) {
-	var fwd forwarder
-	c, ok := fwd.getKnownDoHClientForProvider("https://dns.google/dns-query")
-	if !ok {
-		t.Fatal("not found")
-	}
-	if !*testDNS {
-		t.Skip("skipping without --test-dns")
-	}
-	res, err := c.Head("https://dns.google/")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer res.Body.Close()
-	t.Logf("Got: %+v", res)
-}
-
 func BenchmarkNameFromQuery(b *testing.B) {
 	builder := dns.NewBuilder(nil, dns.Header{})
 	builder.StartQuestions()

net/dns/resolver/tsdns.go

@@ -725,22 +725,6 @@ func (r *Resolver) resolveLocalReverse(name dnsname.FQDN) (dnsname.FQDN, dns.RCo
 		return "", dns.RCodeRefused
 	}
 
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	// If the requested IP is part of the IPv6 4-to-6 range, it might
-	// correspond to an IPv4 address (assuming IPv4 is enabled).
-	if ip4, ok := tsaddr.Tailscale6to4(ip); ok {
-		fqdn, code := r.fqdnForIPLocked(ip4, name)
-		if code == dns.RCodeSuccess {
-			return fqdn, code
-		}
-	}
-	return r.fqdnForIPLocked(ip, name)
-}
-
-// r.mu must be held.
-func (r *Resolver) fqdnForIPLocked(ip netaddr.IP, name dnsname.FQDN) (dnsname.FQDN, dns.RCode) {
 	// If someone curiously does a reverse lookup on the DNS IP, we
 	// return a domain that helps indicate that Tailscale is using
 	// this IP for a special purpose and it is not a node on their
@@ -749,6 +733,8 @@ func (r *Resolver) fqdnForIPLocked(ip netaddr.IP, name dnsname.FQDN) (dnsname.FQ
 		return dnsSymbolicFQDN, dns.RCodeSuccess
 	}
 
+	r.mu.Lock()
+	defer r.mu.Unlock()
 	ret, ok := r.ipToHost[ip]
 	if !ok {
 		for _, suffix := range r.localDomains {

net/dns/resolver/tsdns_test.go

@@ -382,7 +382,6 @@ func TestResolveLocalReverse(t *testing.T) {
 		{"ipv6_nxdomain", dnsname.FQDN("0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.ip6.arpa."), "", dns.RCodeNameError},
 		{"nxdomain", dnsname.FQDN("2.3.4.5.in-addr.arpa."), "", dns.RCodeRefused},
 		{"magicdns", dnsname.FQDN("100.100.100.100.in-addr.arpa."), dnsSymbolicFQDN, dns.RCodeSuccess},
-		{"ipv6_4to6", dnsname.FQDN("4.6.4.6.4.6.2.6.6.9.d.c.3.4.8.4.2.1.b.a.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), dnsSymbolicFQDN, dns.RCodeSuccess},
 	}
 
 	for _, tt := range tests {
@@ -756,9 +755,6 @@ func TestDelegateCollision(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	if len(ans) == 0 {
-		t.Fatal("no answers")
-	}
 
 	var wantType dns.Type
 	switch ans[0].Body.(type) {

net/dnscache/dnscache.go

@@ -72,15 +72,6 @@ type Resolver struct {
 	// if a refresh fails.
 	UseLastGood bool
 
-	// SingleHostStaticResult, if non-nil, is the static result of IPs that is returned
-	// by Resolver.LookupIP for any hostname. When non-nil, SingleHost must also be
-	// set with the expected name.
-	SingleHostStaticResult []netaddr.IP
-
-	// SingleHost is the hostname that SingleHostStaticResult is for.
-	// It is required when SingleHostStaticResult is present.
-	SingleHost string
-
 	sf singleflight.Group
 
 	mu      sync.Mutex
@@ -117,22 +108,6 @@ var debug = envknob.Bool("TS_DEBUG_DNS_CACHE")
 // If err is nil, ip will be non-nil. The v6 address may be nil even
 // with a nil error.
 func (r *Resolver) LookupIP(ctx context.Context, host string) (ip, v6 net.IP, allIPs []net.IPAddr, err error) {
-	if r.SingleHostStaticResult != nil {
-		if r.SingleHost != host {
-			return nil, nil, nil, fmt.Errorf("dnscache: unexpected hostname %q doesn't match expected %q", host, r.SingleHost)
-		}
-		for _, naIP := range r.SingleHostStaticResult {
-			ipa := naIP.IPAddr()
-			if ip == nil && naIP.Is4() {
-				ip = ipa.IP
-			}
-			if v6 == nil && naIP.Is6() {
-				v6 = ipa.IP
-			}
-			allIPs = append(allIPs, *ipa)
-		}
-		return
-	}
 	if ip := net.ParseIP(host); ip != nil {
 		if ip4 := ip.To4(); ip4 != nil {
 			return ip4, nil, []net.IPAddr{{IP: ip4}}, nil

net/dnscache/dnscache_test.go

@@ -8,7 +8,6 @@ import (
 	"context"
 	"errors"
 	"flag"
-	"fmt"
 	"net"
 	"reflect"
 	"testing"
@@ -111,33 +110,3 @@ func TestDialCall_uniqueIPs(t *testing.T) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 }
-
-func TestResolverAllHostStaticResult(t *testing.T) {
-	r := &Resolver{
-		SingleHost: "foo.bar",
-		SingleHostStaticResult: []netaddr.IP{
-			netaddr.MustParseIP("2001:4860:4860::8888"),
-			netaddr.MustParseIP("2001:4860:4860::8844"),
-			netaddr.MustParseIP("8.8.8.8"),
-			netaddr.MustParseIP("8.8.4.4"),
-		},
-	}
-	ip4, ip6, allIPs, err := r.LookupIP(context.Background(), "foo.bar")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if got, want := ip4.String(), "8.8.8.8"; got != want {
-		t.Errorf("ip4 got %q; want %q", got, want)
-	}
-	if got, want := ip6.String(), "2001:4860:4860::8888"; got != want {
-		t.Errorf("ip4 got %q; want %q", got, want)
-	}
-	if got, want := fmt.Sprintf("%q", allIPs), `[{"2001:4860:4860::8888" ""} {"2001:4860:4860::8844" ""} {"8.8.8.8" ""} {"8.8.4.4" ""}]`; got != want {
-		t.Errorf("allIPs got %q; want %q", got, want)
-	}
-
-	_, _, _, err = r.LookupIP(context.Background(), "bad")
-	if got, want := fmt.Sprint(err), `dnscache: unexpected hostname "bad" doesn't match expected "foo.bar"`; got != want {
-		t.Errorf("bad dial error got %q; want %q", got, want)
-	}
-}

net/dnsfallback/dns-fallback-servers.json

@@ -6,25 +6,18 @@
 			"RegionName": "r1",
 			"Nodes": [
 				{
-					"Name": "1c",
+					"Name": "1a",
 					"RegionID": 1,
-					"HostName": "derp1c.tailscale.com",
-					"IPv4": "104.248.8.210",
-					"IPv6": "2604:a880:800:10::7a0:e001"
+					"HostName": "derp1.tailscale.com",
+					"IPv4": "159.89.225.99",
+					"IPv6": "2604:a880:400:d1::828:b001"
 				},
 				{
-					"Name": "1d",
+					"Name": "1b",
 					"RegionID": 1,
-					"HostName": "derp1d.tailscale.com",
-					"IPv4": "165.22.33.71",
-					"IPv6": "2604:a880:800:10::7fe:f001"
-				},
-				{
-					"Name": "1e",
-					"RegionID": 1,
-					"HostName": "derp1e.tailscale.com",
-					"IPv4": "64.225.56.166",
-					"IPv6": "2604:a880:800:10::873:4001"
+					"HostName": "derp1b.tailscale.com",
+					"IPv4": "45.55.35.93",
+					"IPv6": "2604:a880:800:a1::f:2001"
 				}
 			]
 		},

net/netcheck/netcheck.go

@@ -979,21 +979,13 @@ func (c *Client) runHTTPOnlyChecks(ctx context.Context, last *Report, rs *report
 			// One warm-up one to get HTTP connection set
 			// up and get a connection from the browser's
 			// pool.
-			if r, err := http.DefaultClient.Do(req); err != nil || r.StatusCode > 299 {
-				if err != nil {
-					c.logf("probing %s: %v", node.HostName, err)
-				} else {
-					c.logf("probing %s: unexpected status %s", node.HostName, r.Status)
-				}
+			if _, err := http.DefaultClient.Do(req); err != nil {
+				c.logf("probing %s: %v", node.HostName, err)
 				return
 			}
 			t0 := c.timeNow()
-			if r, err := http.DefaultClient.Do(req); err != nil || r.StatusCode > 299 {
-				if err != nil {
-					c.logf("probing %s: %v", node.HostName, err)
-				} else {
-					c.logf("probing %s: unexpected status %s", node.HostName, r.Status)
-				}
+			if _, err := http.DefaultClient.Do(req); err != nil {
+				c.logf("probing %s: %v", node.HostName, err)
 				return
 			}
 			d := c.timeNow().Sub(t0)
@@ -1013,7 +1005,7 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	var ip netaddr.IP
 
 	dc := derphttp.NewNetcheckClient(c.logf)
-	tlsConn, tcpConn, node, err := dc.DialRegionTLS(ctx, reg)
+	tlsConn, tcpConn, err := dc.DialRegionTLS(ctx, reg)
 	if err != nil {
 		return 0, ip, err
 	}
@@ -1044,7 +1036,7 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	}
 	hc := &http.Client{Transport: tr}
 
-	req, err := http.NewRequestWithContext(ctx, "GET", "https://" + node.HostName + "/derp/latency-check", nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://derp-unused-hostname.tld/derp/latency-check", nil)
 	if err != nil {
 		return 0, ip, err
 	}
@@ -1055,13 +1047,6 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	}
 	defer resp.Body.Close()
 
-	// DERPs should give us a nominal status code, so anything else is probably
-	// an access denied by a MITM proxy (or at the very least a signal not to
-	// trust this latency check).
-	if resp.StatusCode > 299 {
-		return 0, ip, fmt.Errorf("unexpected status code: %d (%s)", resp.StatusCode, resp.Status)
-	}
-
 	_, err = io.Copy(ioutil.Discard, io.LimitReader(resp.Body, 8<<10))
 	if err != nil {
 		return 0, ip, err

net/netns/netns_linux_test.go

@@ -2,9 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build linux && !android
-// +build linux,!android
-
 package netns
 
 import (

net/tsaddr/tsaddr.go

@@ -6,8 +6,6 @@
 package tsaddr
 
 import (
-	"encoding/binary"
-	"errors"
 	"sync"
 
 	"inet.af/netaddr"
@@ -128,18 +126,6 @@ func Tailscale4To6(ipv4 netaddr.IP) netaddr.IP {
 	return netaddr.IPFrom16(ret)
 }
 
-// Tailscale6to4 returns the IPv4 address corresponding to the given
-// tailscale IPv6 address within the 4To6 range. The IPv4 address
-// and true are returned if the given address was in the correct range,
-// false if not.
-func Tailscale6to4(ipv6 netaddr.IP) (netaddr.IP, bool) {
-	if !ipv6.Is6() || !Tailscale4To6Range().Contains(ipv6) {
-		return netaddr.IP{}, false
-	}
-	v6 := ipv6.As16()
-	return netaddr.IPv4(100, v6[13], v6[14], v6[15]), true
-}
-
 func mustPrefix(v *netaddr.IPPrefix, prefix string) {
 	var err error
 	*v, err = netaddr.ParseIPPrefix(prefix)
@@ -294,17 +280,3 @@ func UnmapVia(ip netaddr.IP) netaddr.IP {
 	}
 	return ip
 }
-
-// MapVia returns an IPv6 "via" route for an IPv4 CIDR in a given siteID.
-func MapVia(siteID uint32, v4 netaddr.IPPrefix) (via netaddr.IPPrefix, err error) {
-	if !v4.IP().Is4() {
-		return via, errors.New("want IPv4 CIDR with a site ID")
-	}
-	viaRange16 := TailscaleViaRange().IP().As16()
-	var a [16]byte
-	copy(a[:], viaRange16[:8])
-	binary.BigEndian.PutUint32(a[8:], siteID)
-	ip4a := v4.IP().As4()
-	copy(a[12:], ip4a[:])
-	return netaddr.IPPrefixFrom(netaddr.IPFrom16(a), v4.Bits()+64+32), nil
-}

scripts/installer.sh

@@ -41,11 +41,16 @@ main() {
 		#  - ID: the short name of the OS (e.g. "debian", "freebsd")
 		#  - VERSION_ID: the numeric release version for the OS, if any (e.g. "18.04")
 		#  - VERSION_CODENAME: the codename of the OS release, if any (e.g. "buster")
+		#  - UBUNTU_CODENAME: if it exists, as in linuxmint, use instead of VERSION_CODENAME
 		. /etc/os-release
 		case "$ID" in
-			ubuntu|pop|neon|zorin|elementary)
+			ubuntu|pop|neon|zorin|elementary|linuxmint)
 				OS="ubuntu"
-				VERSION="$VERSION_CODENAME"
+				if [ "${UBUNTU_CODENAME:-}" != "" ]; then
+				    VERSION="$UBUNTU_CODENAME"
+				else
+				    VERSION="$VERSION_CODENAME"
+				fi
 				PACKAGETYPE="apt"
 				# Third-party keyrings became the preferred method of
 				# installation in Ubuntu 20.04.
@@ -67,35 +72,6 @@ main() {
 					APT_KEY_TYPE="keyring"
 				fi
 				;;
-			linuxmint)
-				if [ "${UBUNTU_CODENAME:-}" != "" ]; then
-				    OS="ubuntu"
-				    VERSION="$UBUNTU_CODENAME"
-				elif [ "${DEBIAN_CODENAME:-}" != "" ]; then
-				    OS="debian"
-				    VERSION="$DEBIAN_CODENAME"
-				else
-				    OS="ubuntu"
-				    VERSION="$VERSION_CODENAME"
-				fi
-				PACKAGETYPE="apt"
-				if [ "$VERSION_ID" -lt 5 ]; then
-					APT_KEY_TYPE="legacy"
-				else
-					APT_KEY_TYPE="keyring"
-				fi
-				;;
-			parrot)
-				OS="debian"
-				PACKAGETYPE="apt"
-				if [ "$VERSION_ID" -lt 5 ]; then
-					VERSION="buster"
-					APT_KEY_TYPE="legacy"
-				else
-					VERSION="bullseye"
-					APT_KEY_TYPE="keyring"
-				fi
-				;;
 			raspbian)
 				OS="$ID"
 				VERSION="$VERSION_CODENAME"
@@ -151,7 +127,7 @@ main() {
 				VERSION=""
 				PACKAGETYPE="dnf"
 				;;
-			rocky|almalinux)
+			rocky)
 				OS="fedora"
 				VERSION=""
 				PACKAGETYPE="dnf"
@@ -498,7 +474,7 @@ main() {
 			;;
 		emerge)
 			set -x
-			$SUDO emerge --ask=n net-vpn/tailscale
+			$SUDO emerge net-vpn/tailscale
 			set +x
 			;;
 		appstore)

ssh/tailssh/incubator.go

@@ -59,11 +59,11 @@ var maybeStartLoginSession = func(logf logger.Logf, uid uint32, localUser, remot
 // If ss.srv.tailscaledPath is empty, this method is equivalent to
 // exec.CommandContext.
 func (ss *sshSession) newIncubatorCommand(ctx context.Context, name string, args []string) *exec.Cmd {
-	if ss.conn.srv.tailscaledPath == "" {
+	if ss.srv.tailscaledPath == "" {
 		return exec.CommandContext(ctx, name, args...)
 	}
-	lu := ss.conn.localUser
-	ci := ss.conn.info
+	lu := ss.localUser
+	ci := ss.connInfo
 	remoteUser := ci.uprof.LoginName
 	if len(ci.node.Tags) > 0 {
 		remoteUser = strings.Join(ci.node.Tags, ",")
@@ -85,7 +85,7 @@ func (ss *sshSession) newIncubatorCommand(ctx context.Context, name string, args
 		incubatorArgs = append(incubatorArgs, args...)
 	}
 
-	return exec.CommandContext(ctx, ss.conn.srv.tailscaledPath, incubatorArgs...)
+	return exec.CommandContext(ctx, ss.srv.tailscaledPath, incubatorArgs...)
 }
 
 const debugIncubator = false
@@ -166,7 +166,7 @@ func beIncubator(args []string) error {
 //
 // It sets ss.cmd, stdin, stdout, and stderr.
 func (ss *sshSession) launchProcess(ctx context.Context) error {
-	shell := loginShell(ss.conn.localUser.Uid)
+	shell := loginShell(ss.localUser.Uid)
 	var args []string
 	if rawCmd := ss.RawCommand(); rawCmd != "" {
 		args = append(args, "-c", rawCmd)
@@ -174,10 +174,10 @@ func (ss *sshSession) launchProcess(ctx context.Context) error {
 		args = append(args, "-l") // login shell
 	}
 
-	ci := ss.conn.info
+	ci := ss.connInfo
 	cmd := ss.newIncubatorCommand(ctx, shell, args)
-	cmd.Dir = ss.conn.localUser.HomeDir
-	cmd.Env = append(cmd.Env, envForUser(ss.conn.localUser)...)
+	cmd.Dir = ss.localUser.HomeDir
+	cmd.Env = append(cmd.Env, envForUser(ss.localUser)...)
 	cmd.Env = append(cmd.Env, ss.Environ()...)
 	cmd.Env = append(cmd.Env,
 		fmt.Sprintf("SSH_CLIENT=%s %d %d", ci.src.IP(), ci.src.Port(), ci.dst.Port()),
@@ -330,7 +330,7 @@ func (ss *sshSession) startWithPTY() (ptyFile *os.File, err error) {
 			}
 			k, ok := opcodeShortName[c]
 			if !ok {
-				ss.vlogf("unknown opcode: %d", c)
+				ss.logf("unknown opcode: %d", c)
 				continue
 			}
 			if _, ok := tios.CC[k]; ok {
@@ -341,7 +341,7 @@ func (ss *sshSession) startWithPTY() (ptyFile *os.File, err error) {
 				tios.Opts[k] = v > 0
 				continue
 			}
-			ss.vlogf("unsupported opcode: %v(%d)=%v", k, c, v)
+			ss.logf("unsupported opcode: %v(%d)=%v", k, c, v)
 		}
 
 		// Save PTY settings.

ssh/tailssh/tailssh_test.go

@@ -9,19 +9,13 @@ package tailssh
 
 import (
 	"bytes"
-	"crypto/sha256"
 	"errors"
 	"fmt"
-	"io"
 	"net"
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"os/exec"
 	"os/user"
-	"reflect"
 	"strings"
-	"sync/atomic"
 	"testing"
 	"time"
 
@@ -31,7 +25,6 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tempfork/gliderlabs/ssh"
-	"tailscale.com/tstest"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/cibuild"
 	"tailscale.com/util/lineread"
@@ -63,17 +56,14 @@ func TestMatchRule(t *testing.T) {
 				Action:      someAction,
 				RuleExpires: timePtr(time.Unix(100, 0)),
 			},
-			ci:      &sshConnInfo{},
+			ci:      &sshConnInfo{now: time.Unix(200, 0)},
 			wantErr: errRuleExpired,
 		},
 		{
 			name: "no-principal",
 			rule: &tailcfg.SSHRule{
 				Action: someAction,
-				SSHUsers: map[string]string{
-					"*": "ubuntu",
-				}},
-			ci:      &sshConnInfo{},
+			},
 			wantErr: errPrincipalMatch,
 		},
 		{
@@ -178,11 +168,7 @@ func TestMatchRule(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := &conn{
-				now:  time.Unix(200, 0),
-				info: tt.ci,
-			}
-			got, gotUser, err := c.matchRule(tt.rule, nil)
+			got, gotUser, err := matchRule(tt.rule, tt.ci)
 			if err != tt.wantErr {
 				t.Errorf("err = %v; want %v", err, tt.wantErr)
 			}
@@ -219,19 +205,17 @@ func TestSSH(t *testing.T) {
 		lb:   lb,
 		logf: logf,
 	}
-	sc, err := srv.newConn()
+	ss, err := srv.newSSHServer()
 	if err != nil {
 		t.Fatal(err)
 	}
-	// Remove the auth checks for the test
-	sc.insecureSkipTailscaleAuth = true
 
 	u, err := user.Current()
 	if err != nil {
 		t.Fatal(err)
 	}
-	sc.localUser = u
-	sc.info = &sshConnInfo{
+
+	ci := &sshConnInfo{
 		sshUser: "test",
 		src:     netaddr.MustParseIPPort("1.2.3.4:32342"),
 		dst:     netaddr.MustParseIPPort("1.2.3.5:22"),
@@ -239,8 +223,10 @@ func TestSSH(t *testing.T) {
 		uprof:   &tailcfg.UserProfile{},
 	}
 
-	sc.Handler = func(s ssh.Session) {
-		sc.newSSHSession(s, &tailcfg.SSHAction{Accept: true}).run()
+	ss.Handler = func(s ssh.Session) {
+		ss := srv.newSSHSession(s, ci, u)
+		ss.action = &tailcfg.SSHAction{Accept: true}
+		ss.run()
 	}
 
 	ln, err := net.Listen("tcp4", "127.0.0.1:0")
@@ -259,13 +245,12 @@ func TestSSH(t *testing.T) {
 				}
 				return
 			}
-			go sc.HandleConn(c)
+			go ss.HandleConn(c)
 		}
 	}()
 
 	execSSH := func(args ...string) *exec.Cmd {
 		cmd := exec.Command("ssh",
-			"-v",
 			"-p", fmt.Sprint(port),
 			"-o", "StrictHostKeyChecking=no",
 			"user@127.0.0.1")
@@ -281,7 +266,7 @@ func TestSSH(t *testing.T) {
 		cmd.Env = append(os.Environ(), "LOCAL_ENV=bar")
 		got, err := cmd.CombinedOutput()
 		if err != nil {
-			t.Fatal(err, string(got))
+			t.Fatal(err)
 		}
 		m := parseEnv(got)
 		if got := m["USER"]; got == "" || got != u.Username {
@@ -348,86 +333,3 @@ func parseEnv(out []byte) map[string]string {
 	})
 	return e
 }
-
-func TestPublicKeyFetching(t *testing.T) {
-	var reqsTotal, reqsIfNoneMatchHit, reqsIfNoneMatchMiss int32
-	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		atomic.AddInt32((&reqsTotal), 1)
-		etag := fmt.Sprintf("W/%q", sha256.Sum256([]byte(r.URL.Path)))
-		w.Header().Set("Etag", etag)
-		if v := r.Header.Get("If-None-Match"); v != "" {
-			if v == etag {
-				atomic.AddInt32(&reqsIfNoneMatchHit, 1)
-				w.WriteHeader(304)
-				return
-			}
-			atomic.AddInt32(&reqsIfNoneMatchMiss, 1)
-		}
-		io.WriteString(w, "foo\nbar\n"+string(r.URL.Path)+"\n")
-	}))
-	ts.StartTLS()
-	defer ts.Close()
-	keys := ts.URL
-
-	clock := &tstest.Clock{}
-	srv := &server{
-		pubKeyHTTPClient: ts.Client(),
-		timeNow:          clock.Now,
-	}
-	for i := 0; i < 2; i++ {
-		got, err := srv.fetchPublicKeysURL(keys + "/alice.keys")
-		if err != nil {
-			t.Fatal(err)
-		}
-		if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) {
-			t.Errorf("got %q; want %q", got, want)
-		}
-	}
-	if got, want := atomic.LoadInt32(&reqsTotal), int32(1); got != want {
-		t.Errorf("got %d requests; want %d", got, want)
-	}
-	if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(0); got != want {
-		t.Errorf("got %d etag hits; want %d", got, want)
-	}
-	clock.Advance(5 * time.Minute)
-	got, err := srv.fetchPublicKeysURL(keys + "/alice.keys")
-	if err != nil {
-		t.Fatal(err)
-	}
-	if want := []string{"foo", "bar", "/alice.keys"}; !reflect.DeepEqual(got, want) {
-		t.Errorf("got %q; want %q", got, want)
-	}
-	if got, want := atomic.LoadInt32(&reqsTotal), int32(2); got != want {
-		t.Errorf("got %d requests; want %d", got, want)
-	}
-	if got, want := atomic.LoadInt32(&reqsIfNoneMatchHit), int32(1); got != want {
-		t.Errorf("got %d etag hits; want %d", got, want)
-	}
-	if got, want := atomic.LoadInt32(&reqsIfNoneMatchMiss), int32(0); got != want {
-		t.Errorf("got %d etag misses; want %d", got, want)
-	}
-
-}
-
-func TestExpandPublicKeyURL(t *testing.T) {
-	c := &conn{
-		info: &sshConnInfo{
-			uprof: &tailcfg.UserProfile{
-				LoginName: "bar@baz.tld",
-			},
-		},
-	}
-	if got, want := c.expandPublicKeyURL("foo"), "foo"; got != want {
-		t.Errorf("basic: got %q; want %q", got, want)
-	}
-	if got, want := c.expandPublicKeyURL("https://example.com/$LOGINNAME_LOCALPART.keys"), "https://example.com/bar.keys"; got != want {
-		t.Errorf("localpart: got %q; want %q", got, want)
-	}
-	if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email=bar@baz.tld"; got != want {
-		t.Errorf("email: got %q; want %q", got, want)
-	}
-	c.info = new(sshConnInfo)
-	if got, want := c.expandPublicKeyURL("https://example.com/keys?email=$LOGINNAME_EMAIL"), "https://example.com/keys?email="; got != want {
-		t.Errorf("on empty: got %q; want %q", got, want)
-	}
-}

tailcfg/tailcfg.go

@@ -67,9 +67,8 @@ type CapabilityVersion int
 //    28: 2022-03-09: client can communicate over Noise.
 //    29: 2022-03-21: MapResponse.PopBrowserURL
 //    30: 2022-03-22: client can request id tokens.
-//    31: 2022-04-15: PingRequest & PingResponse TSMP & disco support
-//    32: 2022-04-17: client knows FilterRule.CapMatch
-const CurrentCapabilityVersion CapabilityVersion = 32
+//    31: 2022-04-15: PingRequest TSMP support
+const CurrentCapabilityVersion CapabilityVersion = 31
 
 type StableID string
 
@@ -460,7 +459,6 @@ type Hostinfo struct {
 	BackendLogID  string             `json:",omitempty"` // logtail ID of backend instance
 	OS            string             `json:",omitempty"` // operating system the client runs on (a version.OS value)
 	OSVersion     string             `json:",omitempty"` // operating system version, with optional distro prefix ("Debian 10.4", "Windows 10 Pro 10.0.19041")
-	Desktop       opt.Bool           `json:",omitempty"` // if a desktop was detected on Linux
 	Package       string             `json:",omitempty"` // Tailscale package to disambiguate ("choco", "appstore", etc; "" for unknown)
 	DeviceModel   string             `json:",omitempty"` // mobile phone model ("Pixel 3a", "iPhone12,3")
 	Hostname      string             `json:",omitempty"` // name of the host the client runs on
@@ -1053,18 +1051,6 @@ type NetPortRange struct {
 	Ports PortRange
 }
 
-// CapGrant grants capabilities in a FilterRule.
-type CapGrant struct {
-	// Dsts are the destination IP ranges that this capabilty
-	// grant matches.
-	Dsts []netaddr.IPPrefix
-
-	// Caps are the capabilities the source IP matched by
-	// FilterRule.SrcIPs are granted to the destination IP,
-	// matched by Dsts.
-	Caps []string `json:",omitempty"`
-}
-
 // FilterRule represents one rule in a packet filter.
 //
 // A rule is logically a set of source CIDRs to match (described by
@@ -1095,9 +1081,7 @@ type FilterRule struct {
 
 	// DstPorts are the port ranges to allow once a source IP
 	// matches (is in the CIDR described by SrcIPs & SrcBits).
-	//
-	// CapGrant and DstPorts are mutually exclusive: at most one can be non-nil.
-	DstPorts []NetPortRange `json:",omitempty"`
+	DstPorts []NetPortRange
 
 	// IPProto are the IP protocol numbers to match.
 	//
@@ -1109,18 +1093,6 @@ type FilterRule struct {
 	// Depending on the IPProto values, DstPorts may or may not be
 	// used.
 	IPProto []int `json:",omitempty"`
-
-	// CapGrant, if non-empty, are the capabilities to
-	// conditionally grant to the source IP in SrcIPs.
-	//
-	// Think of DstPorts as "capabilities for networking" and
-	// CapGrant as arbitrary application-defined capabilities
-	// defined between the admin's ACLs and the application
-	// doing WhoIs lookups, looking up the remote IP address's
-	// application-level capabilities.
-	//
-	// CapGrant and DstPorts are mutually exclusive: at most one can be non-nil.
-	CapGrant []CapGrant `json:",omitempty"`
 }
 
 var FilterAllowAll = []FilterRule{
@@ -1223,8 +1195,8 @@ type DNSRecord struct {
 
 // PingRequest with no IP and Types is a request to send an HTTP request to prove the
 // long-polling client is still connected.
-// PingRequest with Types and IP, will send a ping to the IP and send a POST
-// request containing a PingResponse to the URL containing results.
+// PingRequest with Types and IP, will send a ping to the IP and send a
+// POST request to the URL to prove that the ping succeeded.
 type PingRequest struct {
 	// URL is the URL to send a HEAD request to.
 	// It will be a unique URL each time. No auth headers are necessary.
@@ -1247,48 +1219,6 @@ type PingRequest struct {
 	IP netaddr.IP
 }
 
-// PingResponse provides result information for a TSMP or Disco PingRequest.
-// Typically populated from an ipnstate.PingResult used in `tailscale ping`.
-type PingResponse struct {
-	Type string // ping type, such as TSMP or disco.
-
-	IP       string `json:",omitempty"` // ping destination
-	NodeIP   string `json:",omitempty"` // Tailscale IP of node handling IP (different for subnet routers)
-	NodeName string `json:",omitempty"` // DNS name base or (possibly not unique) hostname
-
-	// Err contains a short description of error conditions if the PingRequest
-	// could not be fulfilled for some reason.
-	// e.g. "100.1.2.3 is local Tailscale IP"
-	Err string `json:",omitempty"`
-
-	// LatencySeconds reports measurement of the round-trip time of a message to
-	// the requested target, if it could be determined. If LatencySeconds is
-	// omitted, Err should contain information as to the cause.
-	LatencySeconds float64 `json:",omitempty"`
-
-	// Endpoint is the ip:port if direct UDP was used.
-	// It is not currently set for TSMP pings.
-	Endpoint string `json:",omitempty"`
-
-	// DERPRegionID is non-zero DERP region ID if DERP was used.
-	// It is not currently set for TSMP pings.
-	DERPRegionID int `json:",omitempty"`
-
-	// DERPRegionCode is the three-letter region code
-	// corresponding to DERPRegionID.
-	// It is not currently set for TSMP pings.
-	DERPRegionCode string `json:",omitempty"`
-
-	// PeerAPIPort is set by TSMP ping responses for peers that
-	// are running a peerapi server. This is the port they're
-	// running the server on.
-	PeerAPIPort uint16 `json:",omitempty"`
-
-	// IsLocalIP is whether the ping request error is due to it being
-	// a ping to the local node.
-	IsLocalIP bool `json:",omitempty"`
-}
-
 type MapResponse struct {
 	// KeepAlive, if set, represents an empty message just to keep
 	// the connection alive. When true, all other fields except
@@ -1459,10 +1389,6 @@ type Debug struct {
 	// new attempts at UPnP connections.
 	DisableUPnP opt.Bool `json:",omitempty"`
 
-	// DisableLogTail disables the logtail package. Once disabled it can't be
-	// re-enabled for the lifetime of the process.
-	DisableLogTail bool `json:",omitempty"`
-
 	// Exit optionally specifies that the client should os.Exit
 	// with this code.
 	Exit *int `json:",omitempty"`
@@ -1582,19 +1508,8 @@ type Oauth2Token struct {
 }
 
 const (
-	// MapResponse.Node self capabilities.
-
 	CapabilityFileSharing = "https://tailscale.com/cap/file-sharing"
 	CapabilityAdmin       = "https://tailscale.com/cap/is-admin"
-
-	// Inter-node capabilities.
-
-	// CapabilityFileSharingSend grants the ability to receive files from a
-	// node that's owned by a different user.
-	CapabilityFileSharingSend = "https://tailscale.com/cap/file-send"
-	// CapabilityDebugPeer grants the ability for a peer to read this node's
-	// goroutines, metrics, magicsock internal state, etc.
-	CapabilityDebugPeer = "https://tailscale.com/cap/debug-peer"
 )
 
 // SetDNSRequest is a request to add a DNS record.
@@ -1636,21 +1551,9 @@ type SetDNSResponse struct{}
 // SSHPolicy is the policy for how to handle incoming SSH connections
 // over Tailscale.
 type SSHPolicy struct {
-	// Rules are the rules to process for an incoming SSH connection. The first
-	// matching rule takes its action and stops processing further rules.
-	//
-	// When an incoming connection first starts, all rules are evaluated in
-	// "none" auth mode, where the client hasn't even been asked to send a
-	// public key. All SSHRule.Principals requiring a public key won't match. If
-	// a rule matches on the first pass and its Action is reject, the
-	// authentication fails with that action's rejection message, if any.
-	//
-	// If the first pass rule evaluation matches nothing without matching an
-	// Action with Reject set, the rules are considered to see whether public
-	// keys might still result in a match. If not, "none" auth is terminated
-	// before proceeding to public key mode. If so, the client is asked to try
-	// public key authentication and the rules are evaluated again for each of
-	// the client's present keys.
+	// Rules are the rules to process for an incoming SSH
+	// connection. The first matching rule takes its action and
+	// stops processing further rules.
 	Rules []*SSHRule `json:"rules"`
 }
 
@@ -1691,26 +1594,16 @@ type SSHRule struct {
 }
 
 // SSHPrincipal is either a particular node or a user on any node.
+// Any matching field causes a match.
 type SSHPrincipal struct {
-	// Matching any one of the following four field causes a match.
-	// It must also match Certs, if non-empty.
-
 	Node      StableNodeID `json:"node,omitempty"`
 	NodeIP    string       `json:"nodeIP,omitempty"`
 	UserLogin string       `json:"userLogin,omitempty"` // email-ish: foo@example.com, bar@github
-	Any       bool         `json:"any,omitempty"`       // if true, match any connection
-	// TODO(bradfitz): add StableUserID, once that exists
 
-	// PubKeys, if non-empty, means that this SSHPrincipal only
-	// matches if one of these public keys is presented by the user.
-	//
-	// As a special case, if len(PubKeys) == 1 and PubKeys[0] starts
-	// with "https://", then it's fetched (like https://github.com/username.keys).
-	// In that case, the following variable expansions are also supported
-	// in the URL:
-	//   * $LOGINNAME_EMAIL ("foo@bar.com" or "foo@github")
-	//   * $LOGINNAME_LOCALPART (the "foo" from either of the above)
-	PubKeys []string `json:"pubKeys,omitempty"`
+	// Any, if true, matches any user.
+	Any bool `json:"any,omitempty"`
+
+	// TODO(bradfitz): add StableUserID, once that exists
 }
 
 // SSHAction is how to handle an incoming connection.

tailcfg/tailcfg_clone.go

@@ -117,7 +117,6 @@ var _HostinfoCloneNeedsRegeneration = Hostinfo(struct {
 	BackendLogID  string
 	OS            string
 	OSVersion     string
-	Desktop       opt.Bool
 	Package       string
 	DeviceModel   string
 	Hostname      string

tailcfg/tailcfg_test.go

@@ -28,7 +28,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 func TestHostinfoEqual(t *testing.T) {
 	hiHandles := []string{
 		"IPNVersion", "FrontendLogID", "BackendLogID",
-		"OS", "OSVersion", "Desktop", "Package", "DeviceModel", "Hostname",
+		"OS", "OSVersion", "Package", "DeviceModel", "Hostname",
 		"ShieldsUp", "ShareeNode",
 		"GoArch",
 		"RoutableIPs", "RequestTags",

tempfork/gliderlabs/ssh/example_test.go

@@ -1,7 +1,6 @@
 package ssh_test
 
 import (
-	"errors"
 	"io"
 	"io/ioutil"
 
@@ -28,19 +27,10 @@ func ExampleNoPty() {
 
 func ExamplePublicKeyAuth() {
 	ssh.ListenAndServe(":2222", nil,
-		ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) error {
-			data, err := ioutil.ReadFile("/path/to/allowed/key.pub")
-			if err != nil {
-				return err
-			}
-			allowed, _, _, _, err := ssh.ParseAuthorizedKey(data)
-			if err != nil {
-				return err
-			}
-			if !ssh.KeysEqual(key, allowed) {
-				return errors.New("some error")
-			}
-			return nil
+		ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
+			data, _ := ioutil.ReadFile("/path/to/allowed/key.pub")
+			allowed, _, _, _, _ := ssh.ParseAuthorizedKey(data)
+			return ssh.KeysEqual(key, allowed)
 		}),
 	)
 }

tempfork/gliderlabs/ssh/server.go

@@ -38,6 +38,8 @@ type Server struct {
 	HostSigners []Signer // private keys for the host key, must have at least one
 	Version     string   // server version to be sent before the initial handshake
 
+	NoClientAuthCallback func(gossh.ConnMetadata) (*gossh.Permissions, error)
+
 	KeyboardInteractiveHandler    KeyboardInteractiveHandler    // keyboard-interactive authentication handler
 	PasswordHandler               PasswordHandler               // password authentication handler
 	PublicKeyHandler              PublicKeyHandler              // public key authentication handler
@@ -129,6 +131,10 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
 	if srv.PasswordHandler == nil && srv.PublicKeyHandler == nil && srv.KeyboardInteractiveHandler == nil {
 		config.NoClientAuth = true
 	}
+	if srv.NoClientAuthCallback != nil {
+		config.NoClientAuth = true
+		config.NoClientAuthCallback = srv.NoClientAuthCallback
+	}
 	if srv.Version != "" {
 		config.ServerVersion = "SSH-2.0-" + srv.Version
 	}
@@ -144,8 +150,8 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
 	if srv.PublicKeyHandler != nil {
 		config.PublicKeyCallback = func(conn gossh.ConnMetadata, key gossh.PublicKey) (*gossh.Permissions, error) {
 			applyConnMetadata(ctx, conn)
-			if err := srv.PublicKeyHandler(ctx, key); err != nil {
-				return ctx.Permissions().Permissions, err
+			if ok := srv.PublicKeyHandler(ctx, key); !ok {
+				return ctx.Permissions().Permissions, fmt.Errorf("permission denied")
 			}
 			ctx.SetValue(ContextKeyPublicKey, key)
 			return ctx.Permissions().Permissions, nil

tempfork/gliderlabs/ssh/ssh.go

@@ -36,7 +36,7 @@ type Option func(*Server) error
 type Handler func(Session)
 
 // PublicKeyHandler is a callback for performing public key authentication.
-type PublicKeyHandler func(ctx Context, key PublicKey) error
+type PublicKeyHandler func(ctx Context, key PublicKey) bool
 
 // PasswordHandler is a callback for performing password authentication.
 type PasswordHandler func(ctx Context, password string) bool

tstest/integration/tailscaled_deps_test_darwin.go

@@ -33,7 +33,6 @@ import (
 	_ "tailscale.com/net/tstun"
 	_ "tailscale.com/paths"
 	_ "tailscale.com/safesocket"
-	_ "tailscale.com/ssh/tailssh"
 	_ "tailscale.com/tailcfg"
 	_ "tailscale.com/tsweb"
 	_ "tailscale.com/types/flagtype"

tstest/integration/tailscaled_deps_test_linux.go

@@ -33,7 +33,6 @@ import (
 	_ "tailscale.com/net/tstun"
 	_ "tailscale.com/paths"
 	_ "tailscale.com/safesocket"
-	_ "tailscale.com/ssh/tailssh"
 	_ "tailscale.com/tailcfg"
 	_ "tailscale.com/tsweb"
 	_ "tailscale.com/types/flagtype"

tstest/iosdeps/iosdeps.go

@@ -1,62 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package iosdeps is a just a list of the packages we import on iOS, to let us
-// test that our transitive closure of dependencies on iOS doesn't accidentally
-// grow too large, as we've historically been memory constrained there.
-package iosdeps
-
-import (
-	_ "bufio"
-	_ "bytes"
-	_ "context"
-	_ "crypto/rand"
-	_ "crypto/sha256"
-	_ "encoding/json"
-	_ "errors"
-	_ "fmt"
-	_ "io"
-	_ "io/fs"
-	_ "io/ioutil"
-	_ "log"
-	_ "math"
-	_ "net"
-	_ "net/http"
-	_ "os"
-	_ "os/signal"
-	_ "path/filepath"
-	_ "runtime"
-	_ "runtime/debug"
-	_ "strings"
-	_ "sync"
-	_ "sync/atomic"
-	_ "syscall"
-	_ "time"
-	_ "unsafe"
-
-	_ "go4.org/mem"
-	_ "golang.org/x/sys/unix"
-	_ "golang.zx2c4.com/wireguard/device"
-	_ "golang.zx2c4.com/wireguard/tun"
-	_ "inet.af/netaddr"
-	_ "tailscale.com/hostinfo"
-	_ "tailscale.com/ipn"
-	_ "tailscale.com/ipn/ipnlocal"
-	_ "tailscale.com/ipn/localapi"
-	_ "tailscale.com/log/logheap"
-	_ "tailscale.com/logtail"
-	_ "tailscale.com/logtail/filch"
-	_ "tailscale.com/net/dns"
-	_ "tailscale.com/net/tsdial"
-	_ "tailscale.com/net/tstun"
-	_ "tailscale.com/paths"
-	_ "tailscale.com/tempfork/pprof"
-	_ "tailscale.com/types/empty"
-	_ "tailscale.com/types/logger"
-	_ "tailscale.com/util/clientmetric"
-	_ "tailscale.com/util/dnsname"
-	_ "tailscale.com/version"
-	_ "tailscale.com/wgengine"
-	_ "tailscale.com/wgengine/router"
-)

tstest/iosdeps/iosdeps_test.go

@@ -1,42 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// No need to run this on Windows where CI's slow enough. Then we don't need to
-// worry about "go.exe" etc.
-
-//go:build !windows
-// +build !windows
-
-package iosdeps
-
-import (
-	"encoding/json"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"runtime"
-	"testing"
-)
-
-func TestDeps(t *testing.T) {
-	cmd := exec.Command(filepath.Join(runtime.GOROOT(), "bin", "go"), "list", "-json", ".")
-	cmd.Env = append(os.Environ(), "GOOS=ios", "GOARCH=arm64")
-	out, err := cmd.Output()
-	if err != nil {
-		t.Fatal(err)
-	}
-	var res struct {
-		Deps []string
-	}
-	if err := json.Unmarshal(out, &res); err != nil {
-		t.Fatal(err)
-	}
-	for _, dep := range res.Deps {
-		switch dep {
-		case "regexp", "regexp/syntax", "text/template", "html/template":
-			t.Errorf("package %q is not allowed as a dependency on iOS", dep)
-		}
-	}
-	t.Logf("got %d dependencies", len(res.Deps))
-}

types/dnstype/dnstype.go

@@ -12,9 +12,7 @@ import "inet.af/netaddr"
 // Resolver is the configuration for one DNS resolver.
 type Resolver struct {
 	// Addr is the address of the DNS resolver, one of:
-	//  - A plain IP address for a "classic" UDP+TCP DNS resolver.
-	//    This is the common format as sent by the control plane.
-	//  - An IP:port, for tests.
+	//  - A plain IP address for a "classic" UDP+TCP DNS resolver
 	//  - [TODO] "tls://resolver.com" for DNS over TCP+TLS
 	//  - [TODO] "https://resolver.com/query-tmpl" for DNS over HTTPS
 	Addr string `json:",omitempty"`
@@ -28,20 +26,7 @@ type Resolver struct {
 	BootstrapResolution []netaddr.IP `json:",omitempty"`
 }
 
-// IPPort returns r.Addr as an IP address and port if either
-// r.Addr is an IP address (the common case) or if r.Addr
-// is an IP:port (as done in tests).
-func (r *Resolver) IPPort() (ipp netaddr.IPPort, ok bool) {
-	if r.Addr == "" || r.Addr[0] == 'h' || r.Addr[0] == 't' {
-		// Fast path to avoid ParseIP error allocation for obviously not IP
-		// cases.
-		return
-	}
-	if ip, err := netaddr.ParseIP(r.Addr); err == nil {
-		return netaddr.IPPortFrom(ip, 53), true
-	}
-	if ipp, err := netaddr.ParseIPPort(r.Addr); err == nil {
-		return ipp, true
-	}
-	return
+// ResolverFromIP defines a Resolver for ip on port 53.
+func ResolverFromIP(ip netaddr.IP) Resolver {
+	return Resolver{Addr: netaddr.IPPortFrom(ip, 53).String()}
 }

wgengine/filter/filter.go

@@ -27,12 +27,10 @@ type Filter struct {
 	// destination within local, regardless of the policy filter
 	// below.
 	local *netaddr.IPSet
-
 	// logIPs is the set of IPs that are allowed to appear in flow
 	// logs. If a packet is to or from an IP not in logIPs, it will
 	// never be logged.
 	logIPs *netaddr.IPSet
-
 	// matches4 and matches6 are lists of match->action rules
 	// applied to all packets arriving over tailscale
 	// tunnels. Matches are checked in order, and processing stops
@@ -40,11 +38,6 @@ type Filter struct {
 	// match is to drop the packet.
 	matches4 matches
 	matches6 matches
-
-	// cap4 and cap6 are the subsets of the matches that are about
-	// capability grants, partitioned by source IP address family.
-	cap4, cap6 matches
-
 	// state is the connection tracking state attached to this
 	// filter. It is used to allow incoming traffic that is a response
 	// to an outbound connection that this node made, even if those
@@ -181,8 +174,6 @@ func New(matches []Match, localNets *netaddr.IPSet, logIPs *netaddr.IPSet, share
 		logf:     logf,
 		matches4: matchesFamily(matches, netaddr.IP.Is4),
 		matches6: matchesFamily(matches, netaddr.IP.Is6),
-		cap4:     capMatchesFunc(matches, netaddr.IP.Is4),
-		cap6:     capMatchesFunc(matches, netaddr.IP.Is6),
 		local:    localNets,
 		logIPs:   logIPs,
 		state:    state,
@@ -214,27 +205,6 @@ func matchesFamily(ms matches, keep func(netaddr.IP) bool) matches {
 	return ret
 }
 
-// capMatchesFunc returns a copy of the subset of ms for which keep(srcNet.IP)
-// and the match is a capability grant.
-func capMatchesFunc(ms matches, keep func(netaddr.IP) bool) matches {
-	var ret matches
-	for _, m := range ms {
-		if len(m.Caps) == 0 {
-			continue
-		}
-		retm := Match{Caps: m.Caps}
-		for _, src := range m.Srcs {
-			if keep(src.IP()) {
-				retm.Srcs = append(retm.Srcs, src)
-			}
-		}
-		if len(retm.Srcs) > 0 {
-			ret = append(ret, retm)
-		}
-	}
-	return ret
-}
-
 func maybeHexdump(flag RunFlags, b []byte) string {
 	if flag == 0 {
 		return ""
@@ -321,30 +291,6 @@ func (f *Filter) CheckTCP(srcIP, dstIP netaddr.IP, dstPort uint16) Response {
 	return f.RunIn(pkt, 0)
 }
 
-// AppendCaps appends to base the capabilities that srcIP has talking
-// to dstIP.
-func (f *Filter) AppendCaps(base []string, srcIP, dstIP netaddr.IP) []string {
-	ret := base
-	var mm matches
-	switch {
-	case srcIP.Is4():
-		mm = f.cap4
-	case srcIP.Is6():
-		mm = f.cap6
-	}
-	for _, m := range mm {
-		if !ipInList(srcIP, m.Srcs) {
-			continue
-		}
-		for _, cm := range m.Caps {
-			if cm.Cap != "" && cm.Dst.Contains(dstIP) {
-				ret = append(ret, cm.Cap)
-			}
-		}
-	}
-	return ret
-}
-
 // ShieldsUp reports whether this is a "shields up" (block everything
 // incoming) filter.
 func (f *Filter) ShieldsUp() bool { return f.shieldsUp }

wgengine/filter/filter_test.go

@@ -872,83 +872,3 @@ func TestMatchesMatchProtoAndIPsOnlyIfAllPorts(t *testing.T) {
 		})
 	}
 }
-
-func TestCaps(t *testing.T) {
-	mm, err := MatchesFromFilterRules([]tailcfg.FilterRule{
-		{
-			SrcIPs: []string{"*"},
-			CapGrant: []tailcfg.CapGrant{{
-				Dsts: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-				},
-				Caps: []string{"is_ipv4"},
-			}},
-		},
-		{
-			SrcIPs: []string{"*"},
-			CapGrant: []tailcfg.CapGrant{{
-				Dsts: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-				Caps: []string{"is_ipv6"},
-			}},
-		},
-		{
-			SrcIPs: []string{"100.199.0.0/16"},
-			CapGrant: []tailcfg.CapGrant{{
-				Dsts: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("100.200.0.0/16"),
-				},
-				Caps: []string{"some_super_admin"},
-			}},
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	filt := New(mm, nil, nil, nil, t.Logf)
-	tests := []struct {
-		name     string
-		src, dst string // IP
-		want     []string
-	}{
-		{
-			name: "v4",
-			src:  "1.2.3.4",
-			dst:  "2.4.5.5",
-			want: []string{"is_ipv4"},
-		},
-		{
-			name: "v6",
-			src:  "1::1",
-			dst:  "2::2",
-			want: []string{"is_ipv6"},
-		},
-		{
-			name: "admin",
-			src:  "100.199.1.2",
-			dst:  "100.200.3.4",
-			want: []string{"is_ipv4", "some_super_admin"},
-		},
-		{
-			name: "not_admin_bad_src",
-			src:  "100.198.1.2", // 198, not 199
-			dst:  "100.200.3.4",
-			want: []string{"is_ipv4"},
-		},
-		{
-			name: "not_admin_bad_dst",
-			src:  "100.199.1.2",
-			dst:  "100.201.3.4", // 201, not 200
-			want: []string{"is_ipv4"},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got := filt.AppendCaps(nil, netaddr.MustParseIP(tt.src), netaddr.MustParseIP(tt.dst))
-			if !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("got %q; want %q", got, tt.want)
-			}
-		})
-	}
-}

wgengine/filter/match.go

@@ -47,24 +47,12 @@ func (npr NetPortRange) String() string {
 	return fmt.Sprintf("%v:%v", npr.Net, npr.Ports)
 }
 
-// CapMatch is a capability grant match predicate.
-type CapMatch struct {
-	// Dst is the IP prefix that the destination IP address matches against
-	// to get the capability.
-	Dst netaddr.IPPrefix
-
-	// Cap is the capability that's granted if the destination IP addresses
-	// matches Dst.
-	Cap string
-}
-
 // Match matches packets from any IP address in Srcs to any ip:port in
 // Dsts.
 type Match struct {
 	IPProto []ipproto.Proto // required set (no default value at this layer)
+	Dsts    []NetPortRange
 	Srcs    []netaddr.IPPrefix
-	Dsts    []NetPortRange // optional, if Srcs match
-	Caps    []CapMatch     // optional, if Srcs match
 }
 
 func (m Match) String() string {

wgengine/filter/match_clone.go

@@ -21,16 +21,14 @@ func (src *Match) Clone() *Match {
 	dst := new(Match)
 	*dst = *src
 	dst.IPProto = append(src.IPProto[:0:0], src.IPProto...)
-	dst.Srcs = append(src.Srcs[:0:0], src.Srcs...)
 	dst.Dsts = append(src.Dsts[:0:0], src.Dsts...)
-	dst.Caps = append(src.Caps[:0:0], src.Caps...)
+	dst.Srcs = append(src.Srcs[:0:0], src.Srcs...)
 	return dst
 }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _MatchCloneNeedsRegeneration = Match(struct {
 	IPProto []ipproto.Proto
-	Srcs    []netaddr.IPPrefix
 	Dsts    []NetPortRange
-	Caps    []CapMatch
+	Srcs    []netaddr.IPPrefix
 }{})

wgengine/filter/tailcfg.go

@@ -70,16 +70,6 @@ func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error) {
 				})
 			}
 		}
-		for _, cm := range r.CapGrant {
-			for _, dstNet := range cm.Dsts {
-				for _, cap := range cm.Caps {
-					m.Caps = append(m.Caps, CapMatch{
-						Dst: dstNet,
-						Cap: cap,
-					})
-				}
-			}
-		}
 
 		mm = append(mm, m)
 	}

wgengine/monitor/monitor.go

@@ -42,10 +42,6 @@ type osMon interface {
 	// until the osMon is closed. After a Close, the returned
 	// error is ignored.
 	Receive() (message, error)
-
-	// IsInterestingInterface reports whether the provided interface should
-	// be considered for network change events.
-	IsInterestingInterface(iface string) bool
 }
 
 // ChangeFunc is a callback function that's called when the network
@@ -189,7 +185,13 @@ func (m *Mon) Start() {
 	}
 	m.started = true
 
-	if shouldMonitorTimeJump {
+	switch runtime.GOOS {
+	case "ios", "android":
+		// For battery reasons, and because these platforms
+		// don't really sleep in the same way, don't poll
+		// for the wall time to detect for wake-for-sleep
+		// walltime jumps.
+	default:
 		m.wallTimer = time.AfterFunc(pollWallTimeInterval, m.pollWallTime)
 	}
 
@@ -286,13 +288,6 @@ func (m *Mon) notifyRuleDeleted(rdm ipRuleDeletedMessage) {
 	}
 }
 
-// isInterestingInterface reports whether the provided interface should be
-// considered when checking for network state changes.
-// The ips parameter should be the IPs of the provided interface.
-func (m *Mon) isInterestingInterface(i interfaces.Interface, ips []netaddr.IPPrefix) bool {
-	return m.om.IsInterestingInterface(i.Name) && interfaces.UseInterestingInterfaces(i, ips)
-}
-
 // debounce calls the callback function with a delay between events
 // and exits when a stop is issued.
 func (m *Mon) debounce() {
@@ -309,26 +304,27 @@ func (m *Mon) debounce() {
 		} else {
 			m.mu.Lock()
 
+			// See if we have a queued or new time jump signal.
+			m.checkWallTimeAdvanceLocked()
+			timeJumped := m.timeJumped
+			if timeJumped {
+				m.logf("time jumped (probably wake from sleep); synthesizing major change event")
+			}
+
 			oldState := m.ifState
-			changed := !curState.EqualFiltered(oldState, m.isInterestingInterface, interfaces.UseInterestingIPs)
-			if changed {
+			ifChanged := !curState.EqualFiltered(oldState, interfaces.UseInterestingInterfaces, interfaces.UseInterestingIPs)
+			if ifChanged {
 				m.gwValid = false
 				m.ifState = curState
 
 				if s1, s2 := oldState.String(), curState.String(); s1 == s2 {
-					m.logf("[unexpected] network state changed, but stringification didn't: %v", s1)
-					m.logf("[unexpected] old: %s", jsonSummary(oldState))
-					m.logf("[unexpected] new: %s", jsonSummary(curState))
+					m.logf("[unexpected] network state changed, but stringification didn't: %v\nold: %s\nnew: %s\n", s1,
+						jsonSummary(oldState), jsonSummary(curState))
 				}
 			}
-			// See if we have a queued or new time jump signal.
-			if shouldMonitorTimeJump && m.checkWallTimeAdvanceLocked() {
-				m.resetTimeJumpedLocked()
-				if !changed {
-					// Only log if it wasn't an interesting change.
-					m.logf("time jumped (probably wake from sleep); synthesizing major change event")
-					changed = true
-				}
+			changed := ifChanged || timeJumped
+			if changed {
+				m.timeJumped = false
 			}
 			for _, cb := range m.cbs {
 				go cb(changed, m.ifState)
@@ -364,37 +360,22 @@ func (m *Mon) pollWallTime() {
 	if m.closed {
 		return
 	}
-	if m.checkWallTimeAdvanceLocked() {
+	m.checkWallTimeAdvanceLocked()
+	if m.timeJumped {
 		m.InjectEvent()
 	}
 	m.wallTimer.Reset(pollWallTimeInterval)
 }
 
-// shouldMonitorTimeJump is whether we keep a regular periodic timer running in
-// the background watching for jumps in wall time.
-//
-// We don't do this on mobile platforms for battery reasons, and because these
-// platforms don't really sleep in the same way.
-const shouldMonitorTimeJump = runtime.GOOS != "android" && runtime.GOOS != "ios"
-
-// checkWallTimeAdvanceLocked reports whether wall time jumped more than 150% of
-// pollWallTimeInterval, indicating we probably just came out of sleep. Once a
-// time jump is detected it must be reset by calling resetTimeJumpedLocked.
-func (m *Mon) checkWallTimeAdvanceLocked() bool {
-	if !shouldMonitorTimeJump {
-		panic("unreachable") // if callers are correct
-	}
+// checkWallTimeAdvanceLocked updates m.timeJumped, if wall time jumped
+// more than 150% of pollWallTimeInterval, indicating we probably just
+// came out of sleep.
+func (m *Mon) checkWallTimeAdvanceLocked() {
 	now := wallTime()
 	if now.Sub(m.lastWall) > pollWallTimeInterval*3/2 {
-		m.timeJumped = true // it is reset by debounce.
+		m.timeJumped = true
 	}
 	m.lastWall = now
-	return m.timeJumped
-}
-
-// resetTimeJumpedLocked consumes the signal set by checkWallTimeAdvanceLocked.
-func (m *Mon) resetTimeJumpedLocked() {
-	m.timeJumped = false
 }
 
 type ipRuleDeletedMessage struct {

wgengine/monitor/monitor_darwin.go

@@ -112,18 +112,11 @@ func addrType(addrs []route.Addr, rtaxType int) route.Addr {
 	return nil
 }
 
-func (m *darwinRouteMon) IsInterestingInterface(iface string) bool {
-	baseName := strings.TrimRight(iface, "0123456789")
-	switch baseName {
-	case "llw", "awdl", "pdp_ip", "ipsec":
-		return false
-	}
-	return true
-}
-
 func (m *darwinRouteMon) skipInterfaceAddrMessage(msg *route.InterfaceAddrMessage) bool {
 	if la, ok := addrType(msg.Addrs, unix.RTAX_IFP).(*route.LinkAddr); ok {
-		if !m.IsInterestingInterface(la.Name) {
+		baseName := strings.TrimRight(la.Name, "0123456789")
+		switch baseName {
+		case "llw", "awdl", "pdp_ip", "ipsec":
 			return true
 		}
 	}

wgengine/monitor/monitor_freebsd.go

@@ -34,8 +34,6 @@ func newOSMon(logf logger.Logf, m *Mon) (osMon, error) {
 	return &devdConn{conn}, nil
 }
 
-func (c *devdConn) IsInterestingInterface(iface string) bool { return true }
-
 func (c *devdConn) Close() error {
 	return c.conn.Close()
 }

wgengine/monitor/monitor_linux.go

@@ -64,8 +64,6 @@ func newOSMon(logf logger.Logf, m *Mon) (osMon, error) {
 	return &nlConn{logf: logf, conn: conn, addrCache: make(map[uint32]map[netaddr.IP]bool)}, nil
 }
 
-func (c *nlConn) IsInterestingInterface(iface string) bool { return true }
-
 func (c *nlConn) Close() error { return c.conn.Close() }
 
 func (c *nlConn) Receive() (message, error) {

wgengine/monitor/monitor_linux_test.go

@@ -2,9 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !android
-// +build !android
-
 package monitor
 
 import (

wgengine/monitor/monitor_windows.go

@@ -72,8 +72,6 @@ func newOSMon(logf logger.Logf, _ *Mon) (osMon, error) {
 	return m, nil
 }
 
-func (m *winMon) IsInterestingInterface(iface string) bool { return true }
-
 func (m *winMon) Close() (ret error) {
 	m.cancel()
 	m.noDeadlockTicker.Stop()

wgengine/monitor/polling.go

@@ -38,10 +38,6 @@ type pollingMon struct {
 	stop      chan struct{}
 }
 
-func (pm *pollingMon) IsInterestingInterface(iface string) bool {
-	return true
-}
-
 func (pm *pollingMon) Close() error {
 	pm.closeOnce.Do(func() {
 		close(pm.stop)

wgengine/netstack/netstack.go

@@ -662,9 +662,12 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 	c := gonet.NewTCPConn(&wq, ep)
 
 	if ns.lb != nil {
-		if reqDetails.LocalPort == 22 && ns.processSSH() && ns.isLocalIP(dialIP) {
-			if err := ns.lb.HandleSSHConn(c); err != nil {
+		if reqDetails.LocalPort == 22 && ns.processSSH() && ns.isLocalIP(dialIP) && handleSSH != nil {
+			ns.logf("handling SSH connection....")
+			if err := handleSSH(ns.logf, ns.lb, c); err != nil {
 				ns.logf("ssh error: %v", err)
+			} else {
+				ns.logf("ssh: ok")
 			}
 			return
 		}

wgengine/netstack/ssh.go

@@ -0,0 +1,14 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux || (darwin && !ios)
+// +build linux darwin,!ios
+
+package netstack
+
+import "tailscale.com/ssh/tailssh"
+
+func init() {
+	handleSSH = tailssh.Handle
+}

wgengine/router/router_linux.go

@@ -1514,14 +1514,8 @@ func supportsV6NAT() bool {
 		// Can't read the file. Assume SNAT works.
 		return true
 	}
-	if bytes.Contains(bs, []byte("nat\n")) {
-		return true
-	}
-	// In nftables mode, that proc file will be empty. Try another thing:
-	if exec.Command("modprobe", "ip6table_nat").Run() == nil {
-		return true
-	}
-	return false
+
+	return bytes.Contains(bs, []byte("nat\n"))
 }
 
 func checkIPRuleSupportsV6(logf logger.Logf) error {