net/portmapper: fix UPnP probing, work against all ports

Prior to Tailscale 1.12 it detected UPnP on any port. Starting with Tailscale 1.11.x, it stopped detecting UPnP on all ports. Then start plumbing its discovered Location header port number to the code that was assuming port 5000. Fixes #2109 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-04 08:36:50 -07:00
187 changed files with 3689 additions and 4804 deletions
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -31,28 +31,16 @@ jobs:
      run: "staticcheck -version"

    - name: Run staticcheck (linux/amd64)
-      env:
-        GOOS: linux
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=linux GOARCH=amd64 staticcheck -- $(go list ./... | grep -v tempfork)"

    - name: Run staticcheck (darwin/amd64)
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=darwin GOARCH=amd64 staticcheck -- $(go list ./... | grep -v tempfork)"

    - name: Run staticcheck (windows/amd64)
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=windows GOARCH=amd64 staticcheck -- $(go list ./... | grep -v tempfork)"

    - name: Run staticcheck (windows/386)
-      env:
-        GOOS: windows
-        GOARCH: "386"
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=windows GOARCH=386 staticcheck -- $(go list ./... | grep -v tempfork)"

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/2
+++ b/2
@@ -61,6 +61,6 @@ RUN go install -tags=xversion -ldflags="\
      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
      -v ./cmd/...

-FROM alpine:3.14
+FROM alpine:3.11
 RUN apk add --no-cache ca-certificates iptables iproute2
 COPY --from=build-env /go/bin/* /usr/local/bin/
--- a/5
+++ b/5
@@ -18,10 +18,7 @@ buildwindows:
 build386:
 	GOOS=linux GOARCH=386 go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildlinuxarm:
-	GOOS=linux GOARCH=arm go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-check: staticcheck vet depaware buildwindows build386 buildlinuxarm
+check: staticcheck vet depaware buildwindows build386

 staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.15.0
+1.13.0
--- a/api.md
+++ b/api.md
@@ -18,7 +18,6 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [GET tailnet ACL](#tailnet-acl-get)
    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
-	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
  - [Devices](#tailnet-devices)
    - [GET tailnet devices](#tailnet-devices-get)
  - [DNS](#tailnet-dns)
@@ -474,7 +473,7 @@ Determines what rules match for a user on an ACL without saving the ACL to the s
 ###### Query Parameters
 `type` - can be 'user' or 'ipport'
 `previewFor` - if type=user, a user's email. If type=ipport, a IP address + port like "10.0.0.1:80".
-The provided ACL is queried with this parameter to determine which rules match.
+The provided ACL is queried with this paramater to determine which rules match.

 ###### POST Body
 ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
@@ -511,50 +510,6 @@ Response:
 {"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
 ```

-<a name=tailnet-acl-validate-post></a>
-
-#### `POST /api/v2/tailnet/:tailnet/acl/validate` - run validation tests against the tailnet's active ACL
-
-Runs the provided ACL tests against the tailnet's existing ACL. This endpoint does not modify the ACL in any way.
-
-##### Parameters
-
-###### POST Body
-
-The POST body should be a JSON formatted array of ACL Tests.
-
-See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.
-
-##### Example
-```
-POST /api/v2/tailnet/example.com/acl/validate
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '
-{
-  [
-    {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}
-  ]
-}'
-```
-
-Response:
-If all the tests pass, the response will be empty, with an http status code of 200.
-
-Failed test error response:
-A 400 http status code and the errors in the response body.  
-```
-{
-  "message":"test(s) failed",
-  "data":[
-           {
-             "user":"user1@example.com",
-             "errors":["address \"2.2.2.2:22\": want: Drop, got: Accept"]
-           }
-         ]
-}
-```
-
 <a name=tailnet-devices></a>

 ### Devices
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -8,7 +8,6 @@ package tailscale
 import (
 	"bytes"
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -17,19 +16,15 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"strconv"
 	"strings"
-	"time"

-	"go4.org/mem"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
-	"tailscale.com/version"
 )

 // TailscaledSocket is the tailscaled Unix socket.
@@ -96,9 +91,6 @@ func send(ctx context.Context, method, path string, wantStatus int, body io.Read
 		return nil, err
 	}
 	defer res.Body.Close()
-	if server := res.Header.Get("Tailscale-Version"); server != version.Long {
-		fmt.Fprintf(os.Stderr, "Warning: client version %q != tailscaled server version %q\n", version.Long, server)
-	}
 	slurp, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
@@ -301,69 +293,3 @@ func CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
 	}
 	return &derpMap, nil
 }
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// with ?type=pair, the response PEM is first the one private
-	// key PEM block, then the cert PEM blocks.
-	i := mem.Index(mem.B(res), mem.S("--\n--"))
-	if i == -1 {
-		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
-	}
-	i += len("--\n")
-	keyPEM, certPEM = res[:i], res[i:]
-	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
-		return nil, nil, fmt.Errorf("unexpected output: key in cert")
-	}
-	return certPEM, keyPEM, nil
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi == nil || hi.ServerName == "" {
-		return nil, errors.New("no SNI ServerName")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	name := hi.ServerName
-	if !strings.Contains(name, ".") {
-		if v, ok := ExpandSNIName(ctx, name); ok {
-			name = v
-		}
-	}
-	certPEM, keyPEM, err := CertPair(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	st, err := StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", false
-	}
-	for _, d := range st.CertDomains {
-		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
-			return d, true
-		}
-	}
-	return "", false
-}
--- a/cmd/microproxy/microproxy.go
+++ b/cmd/microproxy/microproxy.go
@@ -0,0 +1,173 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// microproxy proxies incoming HTTPS connections to another
+// destination. Instead of managing its own TLS certificates, it
+// borrows issued certificates and keys from an autocert directory.
+package main
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"tailscale.com/logpolicy"
+	"tailscale.com/tsweb"
+)
+
+var (
+	addr          = flag.String("addr", ":4430", "server address")
+	certdir       = flag.String("certdir", "", "directory to borrow LetsEncrypt certificates from")
+	hostname      = flag.String("hostname", "", "hostname to serve")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	nodeExporter  = flag.String("node-exporter", "http://localhost:9100", "URL of the local prometheus node exporter")
+	goVarsURL     = flag.String("go-vars-url", "http://localhost:8383/debug/vars", "URL of a local Go server's /debug/vars endpoint")
+	insecure      = flag.Bool("insecure", false, "serve over http, for development")
+)
+
+func main() {
+	flag.Parse()
+
+	if *logCollection != "" {
+		logpolicy.New(*logCollection)
+	}
+
+	ne, err := url.Parse(*nodeExporter)
+	if err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *nodeExporter, err)
+	}
+	proxy := httputil.NewSingleHostReverseProxy(ne)
+	proxy.FlushInterval = time.Second
+
+	if _, err = url.Parse(*goVarsURL); err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *goVarsURL, err)
+	}
+
+	mux := http.NewServeMux()
+	tsweb.Debugger(mux) // registers /debug/*
+	mux.Handle("/metrics", tsweb.Protected(proxy))
+	mux.Handle("/varz", tsweb.Protected(tsweb.StdHandler(&goVarsHandler{*goVarsURL}, tsweb.HandlerOptions{
+		Quiet200s: true,
+		Logf:      log.Printf,
+	})))
+
+	ch := &certHolder{
+		hostname: *hostname,
+		path:     filepath.Join(*certdir, *hostname),
+	}
+
+	httpsrv := &http.Server{
+		Addr:    *addr,
+		Handler: mux,
+	}
+
+	if !*insecure {
+		httpsrv.TLSConfig = &tls.Config{GetCertificate: ch.GetCertificate}
+		err = httpsrv.ListenAndServeTLS("", "")
+	} else {
+		err = httpsrv.ListenAndServe()
+	}
+	if err != nil && err != http.ErrServerClosed {
+		log.Fatal(err)
+	}
+}
+
+type goVarsHandler struct {
+	url string
+}
+
+func promPrint(w io.Writer, prefix string, obj map[string]interface{}) {
+	for k, i := range obj {
+		if prefix != "" {
+			k = prefix + "_" + k
+		}
+		switch v := i.(type) {
+		case map[string]interface{}:
+			promPrint(w, k, v)
+		case float64:
+			const saveConfigReject = "control_save_config_rejected_"
+			const saveConfig = "control_save_config_"
+			switch {
+			case strings.HasPrefix(k, saveConfigReject):
+				fmt.Fprintf(w, "control_save_config_rejected{reason=%q} %f\n", k[len(saveConfigReject):], v)
+			case strings.HasPrefix(k, saveConfig):
+				fmt.Fprintf(w, "control_save_config{reason=%q} %f\n", k[len(saveConfig):], v)
+			default:
+				fmt.Fprintf(w, "%s %f\n", k, v)
+			}
+		default:
+			fmt.Fprintf(w, "# Skipping key %q, unhandled type %T\n", k, v)
+		}
+	}
+}
+
+func (h *goVarsHandler) ServeHTTPReturn(w http.ResponseWriter, r *http.Request) error {
+	resp, err := http.Get(h.url)
+	if err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+	defer resp.Body.Close()
+	var mon map[string]interface{}
+	if err := json.NewDecoder(resp.Body).Decode(&mon); err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+
+	w.WriteHeader(http.StatusOK)
+	promPrint(w, "", mon)
+	return nil
+}
+
+// certHolder loads and caches a TLS certificate from disk, reloading
+// it every hour.
+type certHolder struct {
+	hostname string // only hostname allowed in SNI
+	path     string // path of certificate+key combined PEM file
+
+	mu     sync.Mutex
+	cert   *tls.Certificate // cached parsed cert+key
+	loaded time.Time
+}
+
+func (c *certHolder) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if ch.ServerName != c.hostname {
+		return nil, fmt.Errorf("wrong client SNI %q", ch.ServerName)
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if time.Since(c.loaded) > time.Hour {
+		if err := c.loadLocked(); err != nil {
+			log.Printf("Reloading cert %q: %v", c.path, err)
+			// continue anyway, we might be able to serve off the stale cert.
+		}
+	}
+	return c.cert, nil
+}
+
+// load reloads the TLS certificate and key from disk. Caller must
+// hold mu.
+func (c *certHolder) loadLocked() error {
+	bs, err := ioutil.ReadFile(c.path)
+	if err != nil {
+		return fmt.Errorf("reading %q: %v", c.path, err)
+	}
+	cert, err := tls.X509KeyPair(bs, bs)
+	if err != nil {
+		return fmt.Errorf("parsing %q: %v", c.path, err)
+	}
+
+	c.cert = &cert
+	c.loaded = time.Now()
+	return nil
+}
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -1,107 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/peterbourgon/ff/v2/ffcli"
-	"tailscale.com/atomicfile"
-	"tailscale.com/client/tailscale"
-)
-
-var certCmd = &ffcli.Command{
-	Name:       "cert",
-	Exec:       runCert,
-	ShortHelp:  "get TLS certs",
-	ShortUsage: "cert [flags] <domain>",
-	FlagSet: (func() *flag.FlagSet {
-		fs := flag.NewFlagSet("cert", flag.ExitOnError)
-		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file; defaults to DOMAIN.crt")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file; defaults to DOMAIN.key")
-		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
-		return fs
-	})(),
-}
-
-var certArgs struct {
-	certFile string
-	keyFile  string
-	serve    bool
-}
-
-func runCert(ctx context.Context, args []string) error {
-	if certArgs.serve {
-		s := &http.Server{
-			TLSConfig: &tls.Config{
-				GetCertificate: tailscale.GetCertificate,
-			},
-			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
-					if v, ok := tailscale.ExpandSNIName(r.Context(), r.Host); ok {
-						http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
-						return
-					}
-				}
-				fmt.Fprintf(w, "<h1>Hello from Tailscale</h1>It works.")
-			}),
-		}
-		log.Printf("running TLS server on :443 ...")
-		return s.ListenAndServeTLS("", "")
-	}
-
-	if len(args) != 1 {
-		return fmt.Errorf("Usage: tailscale cert [flags] <domain>")
-	}
-	domain := args[0]
-
-	if certArgs.certFile == "" {
-		certArgs.certFile = domain + ".crt"
-	}
-	if certArgs.keyFile == "" {
-		certArgs.keyFile = domain + ".key"
-	}
-	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
-	if err != nil {
-		return err
-	}
-	certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
-	if err != nil {
-		return err
-	}
-	if certChanged {
-		fmt.Printf("Wrote public cert to %v\n", certArgs.certFile)
-	} else {
-		fmt.Printf("Public cert unchanged at %v\n", certArgs.certFile)
-	}
-	keyChanged, err := writeIfChanged(certArgs.keyFile, keyPEM, 0600)
-	if err != nil {
-		return err
-	}
-	if keyChanged {
-		fmt.Printf("Wrote private key to %v\n", certArgs.keyFile)
-	} else {
-		fmt.Printf("Private key unchanged at %v\n", certArgs.keyFile)
-	}
-	return nil
-}
-
-func writeIfChanged(filename string, contents []byte, mode os.FileMode) (changed bool, err error) {
-	if old, err := os.ReadFile(filename); err == nil && bytes.Equal(contents, old) {
-		return false, nil
-	}
-	if err := atomicfile.WriteFile(filename, contents, mode); err != nil {
-		return false, err
-	}
-	return true, nil
-}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -107,7 +107,6 @@ change in the future.
 			webCmd,
 			fileCmd,
 			bugReportCmd,
-			certCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
--- a/cmd/tailscale/cli/diag.go
+++ b/cmd/tailscale/cli/diag.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || windows || darwin
 // +build linux windows darwin

 package cli
--- a/cmd/tailscale/cli/diag_other.go
+++ b/cmd/tailscale/cli/diag_other.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !linux && !windows && !darwin
 // +build !linux,!windows,!darwin

 package cli
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -14,6 +14,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"

 	"github.com/peterbourgon/ff/v2/ffcli"
 	"github.com/toqueteos/webbrowser"
@@ -22,6 +23,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/tstime/mono"
 	"tailscale.com/util/dnsname"
 )

@@ -61,7 +63,7 @@ func runStatus(ctx context.Context, args []string) error {
 	if statusArgs.json {
 		if statusArgs.active {
 			for peer, ps := range st.Peer {
-				if !ps.Active {
+				if !peerActive(ps) {
 					delete(st.Peer, peer)
 				}
 			}
@@ -129,6 +131,7 @@ func runStatus(ctx context.Context, args []string) error {
 	var buf bytes.Buffer
 	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
 	printPS := func(ps *ipnstate.PeerStatus) {
+		active := peerActive(ps)
 		f("%-15s %-20s %-12s %-7s ",
 			firstIPString(ps.TailscaleIPs),
 			dnsOrQuoteHostname(st, ps),
@@ -137,7 +140,7 @@ func runStatus(ctx context.Context, args []string) error {
 		)
 		relay := ps.Relay
 		anyTraffic := ps.TxBytes != 0 || ps.RxBytes != 0
-		if !ps.Active {
+		if !active {
 			if ps.ExitNode {
 				f("idle; exit node")
 			} else if anyTraffic {
@@ -176,7 +179,8 @@ func runStatus(ctx context.Context, args []string) error {
 		}
 		ipnstate.SortPeers(peers)
 		for _, ps := range peers {
-			if statusArgs.active && !ps.Active {
+			active := peerActive(ps)
+			if statusArgs.active && !active {
 				continue
 			}
 			printPS(ps)
@@ -186,6 +190,13 @@ func runStatus(ctx context.Context, args []string) error {
 	return nil
 }

+// peerActive reports whether ps has recent activity.
+//
+// TODO: have the server report this bool instead.
+func peerActive(ps *ipnstate.PeerStatus) bool {
+	return !ps.LastWrite.IsZero() && mono.Since(ps.LastWrite) < 2*time.Minute
+}
+
 func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
 	if baseName != "" {
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -478,13 +478,6 @@ func runUp(ctx context.Context, args []string) error {
 		}
 	}

-	// This whole 'up' mechanism is too complicated and results in
-	// hairy stuff like this select. We're ultimately waiting for
-	// 'startingOrRunning' to be done, but even in the case where
-	// it succeeds, other parts may shut down concurrently so we
-	// need to prioritize reads from 'startingOrRunning' if it's
-	// readable; its send does happen before the pump mechanism
-	// shuts down. (Issue 2333)
 	select {
 	case <-startingOrRunning:
 		return nil
@@ -496,11 +489,6 @@ func runUp(ctx context.Context, args []string) error {
 		}
 		return pumpCtx.Err()
 	case err := <-pumpErr:
-		select {
-		case <-startingOrRunning:
-			return nil
-		default:
-		}
 		return err
 	}
 }
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -28,7 +28,7 @@
 		<div class="flex items-center justify-end space-x-2 w-2/3">
 			{{ with .Profile.LoginName }}
 			<div class="text-right truncate leading-4">
-				<h4 class="truncate leading-normal">{{.}}</h4>
+				<h4 class="truncate">{{.}}</h4>
 				<a href="#" class="text-xs text-gray-500 hover:text-gray-700 js-loginButton">Switch account</a>
 			</div>
 			{{ end }}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -7,7 +7,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
        github.com/peterbourgon/ff/v2/ffcli                          from tailscale.com/cmd/tailscale/cli
-        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
+        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2
        github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
        github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
@@ -20,7 +20,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+        rsc.io/goversion/version                                     from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/ipn
        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
@@ -45,19 +46,17 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+     💣 tailscale.com/tstime/mono                                    from tailscale.com/cmd/tailscale/cli+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/derp+
        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
-        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
@@ -100,8 +99,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/time/rate                                       from tailscale.com/cmd/tailscale/cli+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip
+        compress/flate                                               from compress/gzip+
        compress/gzip                                                from net/http
+        compress/zlib                                                from debug/elf+
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@@ -124,6 +124,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
        embed                                                        from tailscale.com/cmd/tailscale/cli
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -137,7 +141,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        expvar                                                       from tailscale.com/derp+
        flag                                                         from github.com/peterbourgon/ff/v2+
        fmt                                                          from compress/flate+
-        hash                                                         from crypto+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnstate+
@@ -164,10 +169,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        os/exec                                                      from github.com/toqueteos/webbrowser+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
        os/user                                                      from tailscale.com/util/groupmember
-        path                                                         from html/template+
+        path                                                         from debug/dwarf+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/tailscale/goupnp/httpu+
+        regexp                                                       from rsc.io/goversion/version+
        regexp/syntax                                                from regexp
        runtime/debug                                                from golang.org/x/sync/singleflight
        sort                                                         from compress/flate+
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -35,7 +35,6 @@ import (
 )

 var debugArgs struct {
-	ifconfig  bool // print network state once and exit
 	monitor   bool
 	getURL    string
 	derpCheck string
@@ -46,7 +45,6 @@ var debugModeFunc = debugMode // so it can be addressable

 func debugMode(args []string) error {
 	fs := flag.NewFlagSet("debug", flag.ExitOnError)
-	fs.BoolVar(&debugArgs.ifconfig, "ifconfig", false, "If true, print network interface state")
 	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
 	fs.BoolVar(&debugArgs.portmap, "portmap", false, "If true, run portmap debugging. Precludes all other options.")
 	fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
@@ -61,11 +59,8 @@ func debugMode(args []string) error {
 	if debugArgs.derpCheck != "" {
 		return checkDerp(ctx, debugArgs.derpCheck)
 	}
-	if debugArgs.ifconfig {
-		return runMonitor(ctx, false)
-	}
 	if debugArgs.monitor {
-		return runMonitor(ctx, true)
+		return runMonitor(ctx)
 	}
 	if debugArgs.portmap {
 		return debugPortmap(ctx)
@@ -76,7 +71,7 @@ func debugMode(args []string) error {
 	return errors.New("only --monitor is available at the moment")
 }

-func runMonitor(ctx context.Context, loop bool) error {
+func runMonitor(ctx context.Context) error {
 	dump := func(st *interfaces.State) {
 		j, _ := json.MarshalIndent(st, "", "    ")
 		os.Stderr.Write(j)
@@ -93,13 +88,8 @@ func runMonitor(ctx context.Context, loop bool) error {
 		log.Printf("Link monitor fired. New state:")
 		dump(st)
 	})
-	if loop {
-		log.Printf("Starting link change monitor; initial state:")
-	}
+	log.Printf("Starting link change monitor; initial state:")
 	dump(mon.InterfaceState())
-	if !loop {
-		return nil
-	}
 	mon.Start()
 	log.Printf("Started link change monitor; waiting...")
 	select {}
@@ -217,20 +207,6 @@ func debugPortmap(ctx context.Context) error {
 	defer cancel()

 	portmapper.VerboseLogs = true
-	switch os.Getenv("TS_DEBUG_PORTMAP_TYPE") {
-	case "":
-	case "pmp":
-		portmapper.DisablePCP = true
-		portmapper.DisableUPnP = true
-	case "pcp":
-		portmapper.DisablePMP = true
-		portmapper.DisableUPnP = true
-	case "upnp":
-		portmapper.DisablePCP = true
-		portmapper.DisablePMP = true
-	default:
-		log.Fatalf("TS_DEBUG_PORTMAP_TYPE must be one of pmp,pcp,upnp")
-	}

 	done := make(chan bool, 1)

@@ -274,13 +250,6 @@ func debugPortmap(ctx context.Context) error {
 	}
 	logf("gw=%v; self=%v", gw, selfIP)

-	uc, err := net.ListenPacket("udp", "0.0.0.0:0")
-	if err != nil {
-		return err
-	}
-	defer uc.Close()
-	c.SetLocalPort(uint16(uc.LocalAddr().(*net.UDPAddr).Port))
-
 	res, err := c.Probe(ctx)
 	if err != nil {
 		return fmt.Errorf("Probe: %v", err)
@@ -292,6 +261,13 @@ func debugPortmap(ctx context.Context) error {
 		return nil
 	}

+	uc, err := net.ListenPacket("udp", "0.0.0.0:0")
+	if err != nil {
+		return err
+	}
+	defer uc.Close()
+	c.SetLocalPort(uint16(uc.LocalAddr().(*net.UDPAddr).Port))
+
 	if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
 		logf("mapping: %v", ext)
 	} else {
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -10,10 +10,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
-   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
-   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
@@ -27,16 +23,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
-        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
+        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2
        github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
        github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
-   L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/u-root/uio/ubinary                                from github.com/u-root/uio/uio
-   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/derp+
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
@@ -73,7 +66,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/tcpip/network/hash                          from inet.af/netstack/tcpip/network/ipv4+
        inet.af/netstack/tcpip/network/internal/fragmentation        from inet.af/netstack/tcpip/network/ipv4+
        inet.af/netstack/tcpip/network/internal/ip                   from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/wgengine/netstack+
+        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/wgengine/netstack
        inet.af/netstack/tcpip/network/ipv6                          from tailscale.com/wgengine/netstack
        inet.af/netstack/tcpip/ports                                 from inet.af/netstack/tcpip/stack+
        inet.af/netstack/tcpip/seqnum                                from inet.af/netstack/tcpip/header+
@@ -87,6 +80,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
   W 💣 inet.af/wf                                                   from tailscale.com/wf
+        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale                               from tailscale.com/derp
        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
@@ -132,13 +126,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -147,7 +140,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
-        tailscale.com/types/pad32                                    from tailscale.com/net/tstun+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
@@ -157,7 +149,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
-        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
@@ -165,7 +157,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
        tailscale.com/util/winutil                                   from tailscale.com/logpolicy+
        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscaled+
+        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
@@ -177,7 +169,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
@@ -216,8 +207,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/time/rate                                       from inet.af/netstack/tcpip/stack+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip
+        compress/flate                                               from compress/gzip+
        compress/gzip                                                from internal/profile+
+        compress/zlib                                                from debug/elf+
        container/heap                                               from inet.af/netstack/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
@@ -241,6 +233,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
        embed                                                        from tailscale.com/net/dns+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -254,7 +250,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        expvar                                                       from tailscale.com/derp+
        flag                                                         from tailscale.com/cmd/tailscaled+
        fmt                                                          from compress/flate+
-        hash                                                         from crypto+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@@ -282,7 +279,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        os/exec                                                      from github.com/coreos/go-iptables/iptables+
        os/signal                                                    from tailscale.com/cmd/tailscaled+
        os/user                                                      from github.com/godbus/dbus/v5+
-        path                                                         from github.com/godbus/dbus/v5+
+        path                                                         from debug/dwarf+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -19,7 +19,6 @@ import (
 	"net/http"
 	"net/http/pprof"
 	"os"
-	"os/exec"
 	"os/signal"
 	"runtime"
 	"runtime/debug"
@@ -34,6 +33,7 @@ import (
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/socks5/tssocks"
+	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
@@ -68,13 +68,9 @@ func defaultTunName() string {
 }

 var args struct {
-	// tunname is a /dev/net/tun tunnel name ("tailscale0"), the
-	// string "userspace-networking", "tap:TAPNAME[:BRIDGENAME]"
-	// or comma-separated list thereof.
-	tunname string
-
 	cleanup    bool
 	debug      string
+	tunname    string // tun name, "userspace-networking", or comma-separated list thereof
 	port       uint16
 	statepath  string
 	socketpath string
@@ -142,7 +138,7 @@ func main() {
 		os.Exit(0)
 	}

-	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") && !args.cleanup {
+	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") {
 		log.SetFlags(0)
 		log.Fatalf("tailscaled requires root; use sudo tailscaled (or use --tun=userspace-networking)")
 	}
@@ -163,34 +159,6 @@ func main() {
 	}
 }

-func trySynologyMigration(p string) error {
-	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
-		return nil
-	}
-
-	fi, err := os.Stat(p)
-	if err == nil && fi.Size() > 0 || !os.IsNotExist(err) {
-		return err
-	}
-	// File is empty or doesn't exist, try reading from the old path.
-
-	const oldPath = "/var/packages/Tailscale/etc/tailscaled.state"
-	if _, err := os.Stat(oldPath); err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-
-	if err := os.Chown(oldPath, os.Getuid(), os.Getgid()); err != nil {
-		return err
-	}
-	if err := os.Rename(oldPath, p); err != nil {
-		return err
-	}
-	return nil
-}
-
 func ipnServerOpts() (o ipnserver.Options) {
 	// Allow changing the OS-specific IPN behavior for tests
 	// so we can e.g. test Windows-specific behaviors on Linux.
@@ -253,9 +221,6 @@ func run() error {
 	if args.statepath == "" {
 		log.Fatalf("--state is required")
 	}
-	if err := trySynologyMigration(args.statepath); err != nil {
-		log.Printf("error in synology migration: %v", err)
-	}

 	var debugMux *http.ServeMux
 	if args.debug != "" {
@@ -366,9 +331,9 @@ func shouldWrapNetstack() bool {
 		return true
 	}
 	switch runtime.GOOS {
-	case "windows", "darwin", "freebsd":
+	case "windows", "darwin":
 		// Enable on Windows and tailscaled-on-macOS (this doesn't
-		// affect the GUI clients), and on FreeBSD.
+		// affect the GUI clients).
 		return true
 	}
 	return false
@@ -381,33 +346,18 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.
 	}
 	useNetstack = name == "userspace-networking"
 	if !useNetstack {
-		// dev, devName, err := tstun.New(logf, name)
-		// if err != nil {
-		// 	tstun.Diagnose(logf, name)
-		// 	return nil, false, err
-		// }
-		// conf.Tun = dev
-		// if strings.HasPrefix(name, "tap:") {
-		// 	conf.IsTAP = true
-		// 	e, err := wgengine.NewUserspaceEngine(logf, conf)
-		// 	return e, false, err
-		// }
-
-		// HACK
-		exec.Command("ip", "link", "del", "tailscale0").Run()
-		if err := exec.Command("ip", "link", "add", "tailscale0", "type", "wireguard").Run(); err != nil {
-			return nil, false, fmt.Errorf("create device: %v", err)
-		}
-		if err := exec.Command("ip", "link", "set", "tailscale0", "up").Run(); err != nil {
-			return nil, false, fmt.Errorf("create device: %v", err)
-		}
-
-		r, err := router.New(logf, nil, linkMon)
+		dev, devName, err := tstun.New(logf, name)
 		if err != nil {
-			//dev.Close()
+			tstun.Diagnose(logf, name)
 			return nil, false, err
 		}
-		d, err := dns.NewOSConfigurator(logf, "tailscale0")
+		conf.Tun = dev
+		r, err := router.New(logf, dev, linkMon)
+		if err != nil {
+			dev.Close()
+			return nil, false, err
+		}
+		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
 			return nil, false, err
 		}
@@ -417,7 +367,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
 		}
 	}
-	e, err = wgengine.NewKernelEngine(logf, conf)
+	e, err = wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
 		return nil, useNetstack, err
 	}
--- a/cmd/tailscaled/tailscaled_notwindows.go
+++ b/cmd/tailscaled/tailscaled_notwindows.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 package main // import "tailscale.com/cmd/tailscaled"
--- a/cmd/testcontrol/testcontrol.go
+++ b/cmd/testcontrol/testcontrol.go
@@ -1,98 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Program testcontrol runs a simple test control server.
-package main
-
-import (
-	"flag"
-	"log"
-	"net/http"
-	"testing"
-
-	"tailscale.com/tstest/integration"
-	"tailscale.com/tstest/integration/testcontrol"
-	"tailscale.com/types/logger"
-)
-
-var (
-	flagNFake = flag.Int("nfake", 0, "number of fake nodes to add to network")
-)
-
-func main() {
-	flag.Parse()
-
-	var t fakeTB
-	derpMap := integration.RunDERPAndSTUN(t, logger.Discard, "127.0.0.1")
-
-	control := &testcontrol.Server{
-		DERPMap:         derpMap,
-		ExplicitBaseURL: "http://127.0.0.1:9911",
-	}
-	for i := 0; i < *flagNFake; i++ {
-		control.AddFakeNode()
-	}
-	mux := http.NewServeMux()
-	mux.Handle("/", control)
-	addr := "127.0.0.1:9911"
-	log.Printf("listening on %s", addr)
-	err := http.ListenAndServe(addr, mux)
-	log.Fatal(err)
-}
-
-type fakeTB struct {
-	*testing.T
-}
-
-func (t fakeTB) Cleanup(_ func()) {}
-func (t fakeTB) Error(args ...interface{}) {
-	t.Fatal(args...)
-}
-func (t fakeTB) Errorf(format string, args ...interface{}) {
-	t.Fatalf(format, args...)
-}
-func (t fakeTB) Fail() {
-	t.Fatal("failed")
-}
-func (t fakeTB) FailNow() {
-	t.Fatal("failed")
-}
-func (t fakeTB) Failed() bool {
-	return false
-}
-func (t fakeTB) Fatal(args ...interface{}) {
-	log.Fatal(args...)
-}
-func (t fakeTB) Fatalf(format string, args ...interface{}) {
-	log.Fatalf(format, args...)
-}
-func (t fakeTB) Helper() {}
-func (t fakeTB) Log(args ...interface{}) {
-	log.Print(args...)
-}
-func (t fakeTB) Logf(format string, args ...interface{}) {
-	log.Printf(format, args...)
-}
-func (t fakeTB) Name() string {
-	return "faketest"
-}
-func (t fakeTB) Setenv(key string, value string) {
-	panic("not implemented")
-}
-func (t fakeTB) Skip(args ...interface{}) {
-	t.Fatal("skipped")
-}
-func (t fakeTB) SkipNow() {
-	t.Fatal("skipnow")
-}
-func (t fakeTB) Skipf(format string, args ...interface{}) {
-	t.Logf(format, args...)
-	t.Fatal("skipped")
-}
-func (t fakeTB) Skipped() bool {
-	return false
-}
-func (t fakeTB) TempDir() string {
-	panic("not implemented")
-}
--- a/cmd/tsshd/tsshd.go
+++ b/cmd/tsshd/tsshd.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 // The tsshd binary is an SSH server that accepts connections
--- a/cmd/tsshd/tsshd_windows.go
+++ b/cmd/tsshd/tsshd_windows.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build windows
 // +build windows

 package main
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -75,3 +75,10 @@ func TestStatusEqual(t *testing.T) {
 		}
 	}
 }
+
+func TestOSVersion(t *testing.T) {
+	if osVersion == nil {
+		t.Skip("not available for OS")
+	}
+	t.Logf("Got: %#q", osVersion())
+}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -20,6 +20,7 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"reflect"
 	"runtime"
 	"strconv"
@@ -32,7 +33,6 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/health"
-	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/dnscache"
@@ -47,7 +47,9 @@ import (
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/wgkey"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/util/systemd"
+	"tailscale.com/version"
 	"tailscale.com/wgengine/monitor"
 )

@@ -182,13 +184,53 @@ func NewDirect(opts Options) (*Direct, error) {
 		pinger:                 opts.Pinger,
 	}
 	if opts.Hostinfo == nil {
-		c.SetHostinfo(hostinfo.New())
+		c.SetHostinfo(NewHostinfo())
 	} else {
 		c.SetHostinfo(opts.Hostinfo)
 	}
 	return c, nil
 }

+var osVersion func() string // non-nil on some platforms
+
+func NewHostinfo() *tailcfg.Hostinfo {
+	hostname, _ := os.Hostname()
+	hostname = dnsname.FirstLabel(hostname)
+	var osv string
+	if osVersion != nil {
+		osv = osVersion()
+	}
+	return &tailcfg.Hostinfo{
+		IPNVersion: version.Long,
+		Hostname:   hostname,
+		OS:         version.OS(),
+		OSVersion:  osv,
+		Package:    packageType(),
+		GoArch:     runtime.GOARCH,
+	}
+}
+
+func packageType() string {
+	switch runtime.GOOS {
+	case "windows":
+		if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
+			return "choco"
+		}
+	case "darwin":
+		// Using tailscaled or IPNExtension?
+		exe, _ := os.Executable()
+		return filepath.Base(exe)
+	case "linux":
+		// Report whether this is in a snap.
+		// See https://snapcraft.io/docs/environment-variables
+		// We just look at two somewhat arbitrarily.
+		if os.Getenv("SNAP_NAME") != "" && os.Getenv("SNAP") != "" {
+			return "snap"
+		}
+	}
+	return ""
+}
+
 // SetHostinfo clones the provided Hostinfo and remembers it for the
 // next update. It reports whether the Hostinfo has changed.
 func (c *Direct) SetHostinfo(hi *tailcfg.Hostinfo) bool {
@@ -823,21 +865,22 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		}

 		// Get latest localPort. This might've changed if
-		// a lite map update occurred meanwhile. This only affects
+		// a lite map update occured meanwhile. This only affects
 		// the end-to-end test.
 		// TODO(bradfitz): remove the NetworkMap.LocalPort field entirely.
 		c.mu.Lock()
 		nm.LocalPort = c.localPort
 		c.mu.Unlock()

-		// Occasionally print the netmap header.
-		// This is handy for debugging, and our logs processing
-		// pipeline depends on it. (TODO: Remove this dependency.)
-		// Code elsewhere prints netmap diffs every time they are received.
+		// Printing the netmap can be extremely verbose, but is very
+		// handy for debugging. Let's limit how often we do it.
+		// Code elsewhere prints netmap diffs every time, so this
+		// occasional full dump, plus incremental diffs, should do
+		// the job.
 		now := c.timeNow()
 		if now.Sub(c.lastPrintMap) >= 5*time.Minute {
 			c.lastPrintMap = now
-			c.logf("[v1] new network map[%d]:\n%s", i, nm.VeryConcise())
+			c.logf("[v1] new network map[%d]:\n%s", i, nm.Concise())
 		}

 		c.mu.Lock()
@@ -1260,59 +1303,3 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {

 	return nil
 }
-
-// tsmpPing sends a Ping to pr.IP, and sends an http request back to pr.URL
-// with ping response data.
-func tsmpPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) error {
-	var err error
-	if pr.URL == "" {
-		return errors.New("invalid PingRequest with no URL")
-	}
-	if pr.IP.IsZero() {
-		return errors.New("PingRequest without IP")
-	}
-	if !strings.Contains(pr.Types, "TSMP") {
-		return fmt.Errorf("PingRequest with no TSMP in Types, got %q", pr.Types)
-	}
-
-	now := time.Now()
-	pinger.Ping(pr.IP, true, func(res *ipnstate.PingResult) {
-		// Currently does not check for error since we just return if it fails.
-		err = postPingResult(now, logf, c, pr, res)
-	})
-	return err
-}
-
-func postPingResult(now time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *ipnstate.PingResult) error {
-	if res.Err != "" {
-		return errors.New(res.Err)
-	}
-	duration := time.Since(now)
-	if pr.Log {
-		logf("TSMP ping to %v completed in %v seconds. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration.Seconds())
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
-	defer cancel()
-
-	jsonPingRes, err := json.Marshal(res)
-	if err != nil {
-		return err
-	}
-	// Send the results of the Ping, back to control URL.
-	req, err := http.NewRequestWithContext(ctx, "POST", pr.URL, bytes.NewBuffer(jsonPingRes))
-	if err != nil {
-		return fmt.Errorf("http.NewRequestWithContext(%q): %w", pr.URL, err)
-	}
-	if pr.Log {
-		logf("tsmpPing: sending ping results to %v ...", pr.URL)
-	}
-	t0 := time.Now()
-	_, err = c.Do(req)
-	d := time.Since(t0).Round(time.Millisecond)
-	if err != nil {
-		return fmt.Errorf("tsmpPing error: %w to %v (after %v)", err, pr.URL, d)
-	} else if pr.Log {
-		logf("tsmpPing complete to %v (after %v)", pr.URL, d)
-	}
-	return nil
-}
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -6,20 +6,15 @@ package controlclient

 import (
 	"encoding/json"
-	"net/http"
-	"net/http/httptest"
 	"testing"
-	"time"

 	"inet.af/netaddr"
-	"tailscale.com/hostinfo"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/wgkey"
 )

 func TestNewDirect(t *testing.T) {
-	hi := hostinfo.New()
+	hi := NewHostinfo()
 	ni := tailcfg.NetInfo{LinkType: "wired"}
 	hi.NetInfo = &ni

@@ -61,7 +56,7 @@ func TestNewDirect(t *testing.T) {
 	if changed {
 		t.Errorf("c.SetHostinfo(hi) want false got %v", changed)
 	}
-	hi = hostinfo.New()
+	hi = NewHostinfo()
 	hi.Hostname = "different host name"
 	changed = c.SetHostinfo(hi)
 	if !changed {
@@ -97,55 +92,14 @@ func fakeEndpoints(ports ...uint16) (ret []tailcfg.Endpoint) {
 	return
 }

-func TestTsmpPing(t *testing.T) {
-	hi := hostinfo.New()
-	ni := tailcfg.NetInfo{LinkType: "wired"}
-	hi.NetInfo = &ni
-
-	key, err := wgkey.NewPrivate()
-	if err != nil {
-		t.Error(err)
+func TestNewHostinfo(t *testing.T) {
+	hi := NewHostinfo()
+	if hi == nil {
+		t.Fatal("no Hostinfo")
 	}
-	opts := Options{
-		ServerURL: "https://example.com",
-		Hostinfo:  hi,
-		GetMachinePrivateKey: func() (wgkey.Private, error) {
-			return key, nil
-		},
-	}
-
-	c, err := NewDirect(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	pingRes := &ipnstate.PingResult{
-		IP:       "123.456.7890",
-		Err:      "",
-		NodeName: "testnode",
-	}
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-		body := new(ipnstate.PingResult)
-		if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-			t.Fatal(err)
-		}
-		if pingRes.IP != body.IP {
-			t.Fatalf("PingResult did not have the correct IP : got %v, expected : %v", body.IP, pingRes.IP)
-		}
-		w.WriteHeader(200)
-	}))
-	defer ts.Close()
-
-	now := time.Now()
-
-	pr := &tailcfg.PingRequest{
-		URL: ts.URL,
-	}
-
-	err = postPingResult(now, t.Logf, c.httpc, pr, pingRes)
+	j, err := json.MarshalIndent(hi, "  ", "")
 	if err != nil {
 		t.Fatal(err)
 	}
+	t.Logf("Got: %s", j)
 }
--- a/control/controlclient/hostinfo_linux.go
+++ b/control/controlclient/hostinfo_linux.go
@@ -2,31 +2,24 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && !android
 // +build linux,!android

-package hostinfo
+package controlclient

 import (
 	"bytes"
 	"fmt"
 	"io/ioutil"
-	"os"
 	"strings"
 	"syscall"

+	"tailscale.com/hostinfo"
 	"tailscale.com/util/lineread"
 	"tailscale.com/version/distro"
 )

 func init() {
 	osVersion = osVersionLinux
-
-	if v, _ := os.ReadFile("/sys/firmware/devicetree/base/model"); len(v) > 0 {
-		// Look up "Raspberry Pi 4 Model B Rev 1.2",
-		// etc. Usually set on ARM SBCs.
-		SetDeviceModel(strings.Trim(string(v), "\x00\r\n\t "))
-	}
 }

 func osVersionLinux() string {
@@ -61,10 +54,10 @@ func osVersionLinux() string {
 		}
 		attrBuf.WriteByte(byte(b))
 	}
-	if inContainer() {
+	if hostinfo.InContainer() {
 		attrBuf.WriteString("; container")
 	}
-	if env := GetEnvType(); env != "" {
+	if env := hostinfo.GetEnvType(); env != "" {
 		fmt.Fprintf(&attrBuf, "; env=%s", env)
 	}
 	attr := attrBuf.String()
--- a/control/controlclient/hostinfo_windows.go
+++ b/control/controlclient/hostinfo_windows.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package hostinfo
+package controlclient

 import (
 	"os/exec"
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build windows && cgo
 // +build windows,cgo

 // darwin,cgo is also supported by certstore but machineCertificateSubject will
--- a/control/controlclient/sign_unsupported.go
+++ b/control/controlclient/sign_unsupported.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows || !cgo
 // +build !windows !cgo

 package controlclient
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -43,7 +43,6 @@ import (
 	"tailscale.com/metrics"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/pad32"
 	"tailscale.com/version"
 )

@@ -77,6 +76,13 @@ const (
 	writeTimeout            = 2 * time.Second
 )

+const host64bit = (^uint(0) >> 32) & 1 // 1 on 64-bit, 0 on 32-bit
+
+// pad32bit is 4 on 32-bit machines and 0 on 64-bit.
+// It exists so the Server struct's atomic fields can be aligned to 8
+// byte boundaries. (As tested by GOARCH=386 go test, etc)
+const pad32bit = 4 - host64bit*4 // 0 on 64-bit, 4 on 32-bit
+
 // Server is a DERP server.
 type Server struct {
 	// WriteTimeout, if non-zero, specifies how long to wait
@@ -92,20 +98,20 @@ type Server struct {
 	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate

 	// Counters:
-	_                            pad32.Four
+	_                            [pad32bit]byte
 	packetsSent, bytesSent       expvar.Int
 	packetsRecv, bytesRecv       expvar.Int
 	packetsRecvByKind            metrics.LabelMap
 	packetsRecvDisco             *expvar.Int
 	packetsRecvOther             *expvar.Int
-	_                            pad32.Four
+	_                            [pad32bit]byte
 	packetsDropped               expvar.Int
 	packetsDroppedReason         metrics.LabelMap
 	packetsDroppedReasonCounters []*expvar.Int // indexed by dropReason
 	packetsDroppedType           metrics.LabelMap
 	packetsDroppedTypeDisco      *expvar.Int
 	packetsDroppedTypeOther      *expvar.Int
-	_                            pad32.Four
+	_                            [pad32bit]byte
 	packetsForwardedOut          expvar.Int
 	packetsForwardedIn           expvar.Int
 	peerGoneFrames               expvar.Int // number of peer gone frames sent
@@ -150,7 +156,7 @@ type Server struct {

 // PacketForwarder is something that can forward packets.
 //
-// It's mostly an interface for circular dependency reasons; the
+// It's mostly an inteface for circular dependency reasons; the
 // typical implementation is derphttp.Client. The other implementation
 // is a multiForwarder, which this package creates as needed if a
 // public key gets more than one PacketForwarder registered for it.
@@ -1275,7 +1281,7 @@ func (s *Server) AddPacketForwarder(dst key.Public, fwd PacketForwarder) {
 			return
 		}
 		if m, ok := prev.(multiForwarder); ok {
-			if _, ok := m[fwd]; ok {
+			if _, ok := m[fwd]; !ok {
 				// Duplicate registration of same forwarder in set; ignore.
 				return
 			}
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -712,7 +712,6 @@ func TestForwarderRegistration(t *testing.T) {
 	// Adding a dup for a user.
 	wantCounter(&s.multiForwarderCreated, 0)
 	s.AddPacketForwarder(u1, testFwd(100))
-	s.AddPacketForwarder(u1, testFwd(100)) // dup to trigger dup path
 	want(map[key.Public]PacketForwarder{
 		u1: multiForwarder{
 			testFwd(1):   1,
--- a/disco/disco_fuzzer.go
+++ b/disco/disco_fuzzer.go
@@ -1,7 +1,6 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-//go:build gofuzz
 // +build gofuzz

 package disco
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,6 @@ require (
 	github.com/google/uuid v1.1.2
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/iancoleman/strcase v0.2.0
-	github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e
 	github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.12.2
@@ -40,16 +39,16 @@ require (
 	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
 	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2
+	golang.org/x/sys v0.0.0-20210616094352-59db8d763f22
 	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
 	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6
 	golang.org/x/tools v0.1.2
 	golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c // indirect
 	golang.zx2c4.com/wireguard/windows v0.3.16
 	honnef.co/go/tools v0.1.4
 	inet.af/netaddr v0.0.0-20210721214506-ce7a8ad02cc1
 	inet.af/netstack v0.0.0-20210622165351-29b14ebc044e
 	inet.af/peercred v0.0.0-20210318190834-4259e17bb763
 	inet.af/wf v0.0.0-20210516214145-a5343001b756
+	rsc.io/goversion v1.2.0
 )
--- a/go.sum
+++ b/go.sum
@@ -102,7 +102,6 @@ github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
@@ -298,7 +297,6 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
 github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
 github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
@@ -306,8 +304,6 @@ github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e h1:sgh63o+pm5kcdrgyYaCIoeD7mccyL6MscVmy+DvY6C4=
-github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -330,7 +326,6 @@ github.com/josharian/native v0.0.0-20200817173448-b6b71def0850/go.mod h1:7X/rasw
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
 github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
-github.com/jsimonetti/rtnetlink v0.0.0-20201110080708-d2c240429e6c/go.mod h1:huN4d1phzjhlOsNIjFsw2SVRbwIHj3fJDMEU2SDPTmg=
 github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391/go.mod h1:cR77jAZG3Y3bsb8hF6fHJbFoyFukLFOkQ98S0pQz3xw=
 github.com/jsimonetti/rtnetlink v0.0.0-20201220180245-69540ac93943/go.mod h1:z4c53zj6Eex712ROyh8WI0ihysb5j2ROyV42iNogmAs=
 github.com/jsimonetti/rtnetlink v0.0.0-20210122163228-8d122574c736/go.mod h1:ZXpIyOK59ZnN7J0BV99cZUPmsqDRZ3eq5X+st7u/oSA=
@@ -396,7 +391,6 @@ github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpe
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mbilski/exhaustivestruct v1.1.0 h1:4ykwscnAFeHJruT+EY3M3vdeP8uXMh0VV2E61iR7XD8=
 github.com/mbilski/exhaustivestruct v1.1.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc=
-github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43 h1:WgyLFv10Ov49JAQI/ZLUkCZ7VJS3r74hwFIGXJsgZlY=
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43/go.mod h1:+t7E0lkKfbBsebllff1xdTmyJt8lH37niI6kwFk9OTo=
 github.com/mdlayher/genetlink v1.0.0 h1:OoHN1OdyEIkScEmRgxLEe2M9U8ClMytqA5niynLtfj0=
@@ -412,8 +406,6 @@ github.com/mdlayher/netlink v1.3.0/go.mod h1:xK/BssKuwcRXHrtN04UBkwQ6dY9VviGGuri
 github.com/mdlayher/netlink v1.4.0/go.mod h1:dRJi5IABcZpBD2A3D0Mv/AiX8I9uDEu5oGkAVrekmf8=
 github.com/mdlayher/netlink v1.4.1 h1:I154BCU+mKlIf7BgcAJB2r7QjveNPty6uNY1g9ChVfI=
 github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqAS9cNgn6Q=
-github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697 h1:PBb7ld5cQGfxHF2pKvb/ydtuPwdRaltGI4e0QSCuiNI=
 github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697/go.mod h1:HtjVsQfsrBm1GDcDTUFn4ZXhftxTwO/hxrvEiRc61U4=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00 h1:qEtkL8n1DAHpi5/AOgAckwGQUlMe4+jhL/GMt+GKIks=
@@ -421,7 +413,6 @@ github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.42 h1:gWGe42RGaIqXQZ+r3WUGEKBEtvPHY2SXo4dqixDNxuY=
 github.com/miekg/dns v1.1.42/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
-github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
@@ -613,8 +604,6 @@ github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa h1:RC4maTWLK
 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
-github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA=
-github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/ulikunitz/xz v0.5.7 h1:YvTNdFzX6+W5m9msiYg/zpkSURPPtOlzbqYjrFn7Yt4=
 github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ultraware/funlen v0.0.3 h1:5ylVWm8wsNwH5aWo9438pwvsK0QiqVuUrt9bn7S/iLA=
@@ -667,7 +656,6 @@ golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -711,7 +699,6 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
@@ -735,7 +722,6 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210504132125-bbd867fde50d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -769,11 +755,9 @@ golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190418153312-f0ce4c0180be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -793,7 +777,6 @@ golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201109165425-215b40eba54c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -807,17 +790,14 @@ golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210301091718-77cc2087c03b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210309040221-94ec62e08169/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 h1:c8PlLMqBbOHoqtjteWm5/kbe6rNY2pbRfbIMVnepueo=
-golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56 h1:b8jxX3zqjpqb2LklXPzKSGJhzyxCOZSz8ncv8Nv+y7w=
@@ -896,11 +876,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wireguard v0.0.0-20210427022245-097af6e1351b/go.mod h1:a057zjmoc00UN7gVkaJt2sXVK523kMJcogDTEvPIasg=
 golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0 h1:qINUmOnDCCF7i14oomDDkGmlda7BSDTGfge77/aqdfk=
 golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c h1:ADNrRDI5NR23/TUCnEmlLZLt4u9DnZ2nwRkPrAcFvto=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c/go.mod h1:+1XihzyZUBJcSc5WO9SwNA7v26puQwOEDwanaxfNXPQ=
 golang.zx2c4.com/wireguard/windows v0.3.16 h1:S42i0kp3SFHZm1mMFTtiU3OnEQJ0GRVOVlMkBhSDTZI=
 golang.zx2c4.com/wireguard/windows v0.3.16/go.mod h1:f80rkFY2CKQklps1GHE15k/M4Tq78aofbr1iQM5MTVY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
@@ -996,3 +973,5 @@ mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jC
 mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 h1:kAREL6MPwpsk1/PQPFD3Eg7WAQR5mPTWZJaBiG5LDbY=
 mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7/go.mod h1:HGC5lll35J70Y5v7vCGb9oLhHoScFwkHDJm/05RdSTc=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
+rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -4,64 +4,20 @@

 // Package hostinfo answers questions about the host environment that Tailscale is
 // running on.
+//
+// TODO(bradfitz): move more of control/controlclient/hostinfo_* into this package.
 package hostinfo

 import (
 	"io"
 	"os"
-	"path/filepath"
 	"runtime"
 	"sync/atomic"

 	"go4.org/mem"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/util/lineread"
-	"tailscale.com/version"
 )

-var osVersion func() string // non-nil on some platforms
-
-// New returns a partially populated Hostinfo for the current host.
-func New() *tailcfg.Hostinfo {
-	hostname, _ := os.Hostname()
-	hostname = dnsname.FirstLabel(hostname)
-	var osv string
-	if osVersion != nil {
-		osv = osVersion()
-	}
-	return &tailcfg.Hostinfo{
-		IPNVersion:  version.Long,
-		Hostname:    hostname,
-		OS:          version.OS(),
-		OSVersion:   osv,
-		Package:     packageType(),
-		GoArch:      runtime.GOARCH,
-		DeviceModel: deviceModel(),
-	}
-}
-
-func packageType() string {
-	switch runtime.GOOS {
-	case "windows":
-		if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
-			return "choco"
-		}
-	case "darwin":
-		// Using tailscaled or IPNExtension?
-		exe, _ := os.Executable()
-		return filepath.Base(exe)
-	case "linux":
-		// Report whether this is in a snap.
-		// See https://snapcraft.io/docs/environment-variables
-		// We just look at two somewhat arbitrarily.
-		if os.Getenv("SNAP_NAME") != "" && os.Getenv("SNAP") != "" {
-			return "snap"
-		}
-	}
-	return ""
-}
-
 // EnvType represents a known environment type.
 // The empty string, the default, means unknown.
 type EnvType string
@@ -72,7 +28,6 @@ const (
 	Heroku          = EnvType("hr")
 	AzureAppService = EnvType("az")
 	AWSFargate      = EnvType("fg")
-	FlyDotIo        = EnvType("fly")
 )

 var envType atomic.Value // of EnvType
@@ -86,16 +41,6 @@ func GetEnvType() EnvType {
 	return e
 }

-var deviceModelAtomic atomic.Value // of string
-
-// SetDeviceModel sets the device model for use in Hostinfo updates.
-func SetDeviceModel(model string) { deviceModelAtomic.Store(model) }
-
-func deviceModel() string {
-	s, _ := deviceModelAtomic.Load().(string)
-	return s
-}
-
 func getEnvType() EnvType {
 	if inKnative() {
 		return KNative
@@ -112,14 +57,11 @@ func getEnvType() EnvType {
 	if inAWSFargate() {
 		return AWSFargate
 	}
-	if inFlyDotIo() {
-		return FlyDotIo
-	}
 	return ""
 }

-// inContainer reports whether we're running in a container.
-func inContainer() bool {
+// InContainer reports whether we're running in a container.
+func InContainer() bool {
 	if runtime.GOOS != "linux" {
 		return false
 	}
@@ -184,10 +126,3 @@ func inAWSFargate() bool {
 	}
 	return false
 }
-
-func inFlyDotIo() bool {
-	if os.Getenv("FLY_APP_NAME") != "" && os.Getenv("FLY_REGION") != "" {
-		return true
-	}
-	return false
-}
--- a/hostinfo/hostinfo_test.go
+++ b/hostinfo/hostinfo_test.go
@@ -1,29 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package hostinfo
-
-import (
-	"encoding/json"
-	"testing"
-)
-
-func TestNew(t *testing.T) {
-	hi := New()
-	if hi == nil {
-		t.Fatal("no Hostinfo")
-	}
-	j, err := json.MarshalIndent(hi, "  ", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Logf("Got: %s", j)
-}
-
-func TestOSVersion(t *testing.T) {
-	if osVersion == nil {
-		t.Skip("not available for OS")
-	}
-	t.Logf("Got: %#q", osVersion())
-}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -29,7 +29,6 @@ import (
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/health"
-	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
@@ -39,7 +38,6 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/portlist"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -731,7 +729,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		return nil
 	}

-	hostinfo := hostinfo.New()
+	hostinfo := controlclient.NewHostinfo()
 	hostinfo.BackendLogID = b.backendLogID
 	hostinfo.FrontendLogID = opts.FrontendLogID

@@ -784,6 +782,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {

 	b.inServerMode = b.prefs.ForceDaemon
 	b.serverURL = b.prefs.ControlURLOrDefault()
+	hostinfo.RoutableIPs = append(hostinfo.RoutableIPs, b.prefs.AdvertiseRoutes...)
+	hostinfo.RequestTags = append(hostinfo.RequestTags, b.prefs.AdvertiseTags...)
 	if b.inServerMode || runtime.GOOS == "windows" {
 		b.logf("Start: serverMode=%v", b.inServerMode)
 	}
@@ -850,7 +850,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		DiscoPublicKey:       discoPublic,
 		DebugFlags:           debugFlags,
 		LinkMonitor:          b.e.GetLinkMonitor(),
-		Pinger:               b.e,

 		// Don't warn about broken Linux IP forwading when
 		// netstack is being used.
@@ -961,7 +960,7 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 		b.logf("netmap packet filter: (shields up)")
 		b.e.SetFilter(filter.NewShieldsUpFilter(localNets, logNets, oldFilter, b.logf))
 	} else {
-		b.logf("netmap packet filter: %v filters", len(packetFilter))
+		b.logf("netmap packet filter: %v", packetFilter)
 		b.e.SetFilter(filter.New(packetFilter, localNets, logNets, oldFilter, b.logf))
 	}
 }
@@ -1579,6 +1578,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {

 	oldHi := b.hostinfo
 	newHi := oldHi.Clone()
+	newHi.RoutableIPs = append([]netaddr.IPPrefix(nil), b.prefs.AdvertiseRoutes...)
 	applyPrefsToHostinfo(newHi, newp)
 	b.hostinfo = newHi
 	hostInfoChanged := !oldHi.Equal(newHi)
@@ -1820,7 +1820,7 @@ func (b *LocalBackend) authReconfig() {
 	}

 	if uc.CorpDNS {
-		addDefault := func(resolvers []dnstype.Resolver) {
+		addDefault := func(resolvers []tailcfg.DNSResolver) {
 			for _, resolver := range resolvers {
 				res, err := parseResolver(resolver)
 				if err != nil {
@@ -1837,17 +1837,6 @@ func (b *LocalBackend) authReconfig() {
 			if err != nil {
 				b.logf("[unexpected] non-FQDN route suffix %q", suffix)
 			}
-
-			// Create map entry even if len(resolvers) == 0; Issue 2706.
-			// This lets the control plane send ExtraRecords for which we
-			// can authoritatively answer "name not exists" for when the
-			// control plane also sends this explicit but empty route
-			// making it as something we handle.
-			//
-			// While we're already populating it, might as well size the
-			// slice appropriately.
-			dcfg.Routes[fqdn] = make([]netaddr.IPPort, 0, len(resolvers))
-
 			for _, resolver := range resolvers {
 				res, err := parseResolver(resolver)
 				if err != nil {
@@ -1907,7 +1896,7 @@ func (b *LocalBackend) authReconfig() {
 	b.initPeerAPIListener()
 }

-func parseResolver(cfg dnstype.Resolver) (netaddr.IPPort, error) {
+func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
 	ip, err := netaddr.ParseIP(cfg.Addr)
 	if err != nil {
 		return netaddr.IPPort{}, fmt.Errorf("[unexpected] non-IP resolver %q", cfg.Addr)
@@ -2227,8 +2216,6 @@ func applyPrefsToHostinfo(hi *tailcfg.Hostinfo, prefs *ipn.Prefs) {
 	if m := prefs.DeviceModel; m != "" {
 		hi.DeviceModel = m
 	}
-	hi.RoutableIPs = append(prefs.AdvertiseRoutes[:0:0], prefs.AdvertiseRoutes...)
-	hi.RequestTags = append(prefs.AdvertiseTags[:0:0], prefs.AdvertiseTags...)
 	hi.ShieldsUp = prefs.ShieldsUp
 }

--- a/ipn/ipnlocal/peerapi_macios_ext.go
+++ b/ipn/ipnlocal/peerapi_macios_ext.go
@@ -2,9 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build ts_macext && (darwin || ios)
-// +build ts_macext
-// +build darwin ios
+// +build darwin,ts_macext ios,ts_macext

 package ipnlocal

--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -20,6 +20,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tstime/mono"
 	"tailscale.com/types/key"
 	"tailscale.com/util/dnsname"
 )
@@ -90,19 +91,12 @@ type PeerStatus struct {
 	RxBytes       int64
 	TxBytes       int64
 	Created       time.Time // time registered with tailcontrol
-	LastWrite     time.Time // time last packet sent
+	LastWrite     mono.Time // time last packet sent
 	LastSeen      time.Time // last seen to tailcontrol
 	LastHandshake time.Time // with local wireguard
 	KeepAlive     bool
 	ExitNode      bool // true if this is the currently selected exit node.

-	// Active is whether the node was recently active. The
-	// definition is somewhat undefined but has historically and
-	// currently means that there was some packet sent to this
-	// peer in the past two minutes. That definition is subject to
-	// change.
-	Active bool
-
 	PeerAPIURL   []string
 	Capabilities []string `json:",omitempty"`

@@ -284,9 +278,6 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if st.ShareeNode {
 		e.ShareeNode = true
 	}
-	if st.Active {
-		e.Active = true
-	}
 }

 type StatusUpdater interface {
@@ -330,7 +321,7 @@ table tbody tr:nth-child(even) td { background-color: #f5f5f5; }
 	f("<tr><th>Peer</th><th>OS</th><th>Node</th><th>Owner</th><th>Rx</th><th>Tx</th><th>Activity</th><th>Connection</th></tr>\n")
 	f("</thead>\n<tbody>\n")

-	now := time.Now()
+	now := mono.Now()

 	var peers []*PeerStatus
 	for _, peer := range st.Peers() {
@@ -387,7 +378,9 @@ table tbody tr:nth-child(even) td { background-color: #f5f5f5; }
 		)
 		f("<td>")

-		if ps.Active {
+		// TODO: let server report this active bool instead
+		active := !ps.LastWrite.IsZero() && mono.Since(ps.LastWrite) < 2*time.Minute
+		if active {
 			if ps.Relay != "" && ps.CurAddr == "" {
 				f("relay <b>%s</b>", html.EscapeString(ps.Relay))
 			} else if ps.CurAddr != "" {
--- a/ipn/localapi/cert.go
+++ b/ipn/localapi/cert.go
@@ -1,450 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !ios && !android
-// +build !ios,!android
-
-package localapi
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/json"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"golang.org/x/crypto/acme"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/paths"
-	"tailscale.com/types/logger"
-)
-
-// Process-wide cache. (A new *Handler is created per connection,
-// effectively per request)
-var (
-	// acmeMu guards all ACME operations, so concurrent requests
-	// for certs don't slam ACME. The first will go through and
-	// populate the on-disk cache and the rest should use that.
-	acmeMu sync.Mutex
-
-	renewMu        sync.Mutex // lock order: don't hold acmeMu and renewMu at the same time
-	lastRenewCheck = map[string]time.Time{}
-)
-
-func (h *Handler) certDir() (string, error) {
-	base := paths.DefaultTailscaledStateFile()
-	if base == "" {
-		return "", errors.New("no default DefaultTailscaledStateFile")
-	}
-	full := filepath.Join(filepath.Dir(base), "certs")
-	if err := os.MkdirAll(full, 0700); err != nil {
-		return "", err
-	}
-	return full, nil
-}
-
-var acmeDebug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_ACME"))
-
-func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "cert access denied", http.StatusForbidden)
-		return
-	}
-	dir, err := h.certDir()
-	if err != nil {
-		h.logf("certDir: %v", err)
-		http.Error(w, "failed to get cert dir", 500)
-		return
-	}
-
-	domain := strings.TrimPrefix(r.URL.Path, "/localapi/v0/cert/")
-	if domain == r.URL.Path {
-		http.Error(w, "internal handler config wired wrong", 500)
-		return
-	}
-
-	now := time.Now()
-	logf := logger.WithPrefix(h.logf, fmt.Sprintf("cert(%q): ", domain))
-	traceACME := func(v interface{}) {
-		if !acmeDebug {
-			return
-		}
-		j, _ := json.MarshalIndent(v, "", "\t")
-		log.Printf("acme %T: %s", v, j)
-	}
-
-	if pair, ok := h.getCertPEMCached(dir, domain, now); ok {
-		future := now.AddDate(0, 0, 14)
-		if h.shouldStartDomainRenewal(dir, domain, future) {
-			logf("starting async renewal")
-			// Start renewal in the background.
-			go h.getCertPEM(context.Background(), logf, traceACME, dir, domain, future)
-		}
-		serveKeyPair(w, r, pair)
-		return
-	}
-
-	pair, err := h.getCertPEM(r.Context(), logf, traceACME, dir, domain, now)
-	if err != nil {
-		logf("getCertPEM: %v", err)
-		http.Error(w, fmt.Sprint(err), 500)
-		return
-	}
-	serveKeyPair(w, r, pair)
-}
-
-func (h *Handler) shouldStartDomainRenewal(dir, domain string, future time.Time) bool {
-	renewMu.Lock()
-	defer renewMu.Unlock()
-	now := time.Now()
-	if last, ok := lastRenewCheck[domain]; ok && now.Sub(last) < time.Minute {
-		// We checked very recently. Don't bother reparsing &
-		// validating the x509 cert.
-		return false
-	}
-	lastRenewCheck[domain] = now
-	_, ok := h.getCertPEMCached(dir, domain, future)
-	return !ok
-}
-
-func serveKeyPair(w http.ResponseWriter, r *http.Request, p *keyPair) {
-	w.Header().Set("Content-Type", "text/plain")
-	switch r.URL.Query().Get("type") {
-	case "", "crt", "cert":
-		w.Write(p.certPEM)
-	case "key":
-		w.Write(p.keyPEM)
-	case "pair":
-		w.Write(p.keyPEM)
-		w.Write(p.certPEM)
-	default:
-		http.Error(w, `invalid type; want "cert" (default), "key", or "pair"`, 400)
-	}
-}
-
-type keyPair struct {
-	certPEM []byte
-	keyPEM  []byte
-	cached  bool
-}
-
-func keyFile(dir, domain string) string  { return filepath.Join(dir, domain+".key") }
-func certFile(dir, domain string) string { return filepath.Join(dir, domain+".crt") }
-
-// getCertPEMCached returns a non-nil keyPair and true if a cached
-// keypair for domain exists on disk in dir that is valid at the
-// provided now time.
-func (h *Handler) getCertPEMCached(dir, domain string, now time.Time) (p *keyPair, ok bool) {
-	if keyPEM, err := os.ReadFile(keyFile(dir, domain)); err == nil {
-		certPEM, _ := os.ReadFile(certFile(dir, domain))
-		if validCertPEM(domain, keyPEM, certPEM, now) {
-			return &keyPair{certPEM: certPEM, keyPEM: keyPEM, cached: true}, true
-		}
-	}
-	return nil, false
-}
-
-func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME func(interface{}), dir, domain string, now time.Time) (*keyPair, error) {
-	acmeMu.Lock()
-	defer acmeMu.Unlock()
-
-	if p, ok := h.getCertPEMCached(dir, domain, now); ok {
-		return p, nil
-	}
-
-	key, err := acmeKey(dir)
-	if err != nil {
-		return nil, fmt.Errorf("acmeKey: %w", err)
-	}
-	ac := &acme.Client{Key: key}
-
-	a, err := ac.GetReg(ctx, "" /* pre-RFC param */)
-	switch {
-	case err == nil:
-		// Great, already registered.
-		logf("already had ACME account.")
-	case err == acme.ErrNoAccount:
-		a, err = ac.Register(ctx, new(acme.Account), acme.AcceptTOS)
-		if err == acme.ErrAccountAlreadyExists {
-			// Potential race. Double check.
-			a, err = ac.GetReg(ctx, "" /* pre-RFC param */)
-		}
-		if err != nil {
-			return nil, fmt.Errorf("acme.Register: %w", err)
-		}
-		logf("registered ACME account.")
-		traceACME(a)
-	default:
-		return nil, fmt.Errorf("acme.GetReg: %w", err)
-
-	}
-	if a.Status != acme.StatusValid {
-		return nil, fmt.Errorf("unexpected ACME account status %q", a.Status)
-	}
-
-	// Before hitting LetsEncrypt, see if this is a domain that Tailscale will do DNS challenges for.
-	st := h.b.StatusWithoutPeers()
-	if err := checkCertDomain(st, domain); err != nil {
-		return nil, err
-	}
-
-	order, err := ac.AuthorizeOrder(ctx, []acme.AuthzID{{Type: "dns", Value: domain}})
-	if err != nil {
-		return nil, err
-	}
-	traceACME(order)
-
-	for _, aurl := range order.AuthzURLs {
-		az, err := ac.GetAuthorization(ctx, aurl)
-		if err != nil {
-			return nil, err
-		}
-		traceACME(az)
-		for _, ch := range az.Challenges {
-			if ch.Type == "dns-01" {
-				rec, err := ac.DNS01ChallengeRecord(ch.Token)
-				if err != nil {
-					return nil, err
-				}
-				key := "_acme-challenge." + domain
-
-				var resolver net.Resolver
-				var ok bool
-				txts, _ := resolver.LookupTXT(ctx, key)
-				for _, txt := range txts {
-					if txt == rec {
-						ok = true
-						logf("TXT record already existed")
-						break
-					}
-				}
-				if !ok {
-					err = h.b.SetDNS(ctx, key, rec)
-					if err != nil {
-						return nil, fmt.Errorf("SetDNS %q => %q: %w", key, rec, err)
-					}
-					logf("did SetDNS")
-				}
-
-				chal, err := ac.Accept(ctx, ch)
-				if err != nil {
-					return nil, fmt.Errorf("Accept: %v", err)
-				}
-				traceACME(chal)
-				break
-			}
-		}
-	}
-
-	wait0 := time.Now()
-	orderURI := order.URI
-	for {
-		order, err = ac.WaitOrder(ctx, orderURI)
-		if err == nil {
-			break
-		}
-		if oe, ok := err.(*acme.OrderError); ok && oe.Status == acme.StatusInvalid {
-			if time.Since(wait0) > 2*time.Minute {
-				return nil, errors.New("timeout waiting for order to not be invalid")
-			}
-			log.Printf("order invalid; waiting...")
-			select {
-			case <-time.After(5 * time.Second):
-				continue
-			case <-ctx.Done():
-				return nil, ctx.Err()
-			}
-		}
-		return nil, fmt.Errorf("WaitOrder: %v", err)
-	}
-	traceACME(order)
-
-	certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-	var privPEM bytes.Buffer
-	if err := encodeECDSAKey(&privPEM, certPrivKey); err != nil {
-		return nil, err
-	}
-	if err := ioutil.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
-		return nil, err
-	}
-
-	csr, err := certRequest(certPrivKey, domain, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	der, _, err := ac.CreateOrderCert(ctx, order.FinalizeURL, csr, true)
-	if err != nil {
-		return nil, fmt.Errorf("CreateOrder: %v", err)
-	}
-
-	var certPEM bytes.Buffer
-	for _, b := range der {
-		pb := &pem.Block{Type: "CERTIFICATE", Bytes: b}
-		if err := pem.Encode(&certPEM, pb); err != nil {
-			return nil, err
-		}
-	}
-	if err := ioutil.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
-		return nil, err
-	}
-
-	return &keyPair{certPEM: certPEM.Bytes(), keyPEM: privPEM.Bytes()}, nil
-}
-
-// certRequest generates a CSR for the given common name cn and optional SANs.
-func certRequest(key crypto.Signer, cn string, ext []pkix.Extension, san ...string) ([]byte, error) {
-	req := &x509.CertificateRequest{
-		Subject:         pkix.Name{CommonName: cn},
-		DNSNames:        san,
-		ExtraExtensions: ext,
-	}
-	return x509.CreateCertificateRequest(rand.Reader, req, key)
-}
-
-func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error {
-	b, err := x509.MarshalECPrivateKey(key)
-	if err != nil {
-		return err
-	}
-	pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
-	return pem.Encode(w, pb)
-}
-
-// parsePrivateKey is a copy of x/crypto/acme's parsePrivateKey.
-//
-// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
-// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
-// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
-//
-// Inspired by parsePrivateKey in crypto/tls/tls.go.
-func parsePrivateKey(der []byte) (crypto.Signer, error) {
-	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
-		return key, nil
-	}
-	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
-		switch key := key.(type) {
-		case *rsa.PrivateKey:
-			return key, nil
-		case *ecdsa.PrivateKey:
-			return key, nil
-		default:
-			return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping")
-		}
-	}
-	if key, err := x509.ParseECPrivateKey(der); err == nil {
-		return key, nil
-	}
-
-	return nil, errors.New("acme/autocert: failed to parse private key")
-}
-
-func acmeKey(dir string) (crypto.Signer, error) {
-	pemName := filepath.Join(dir, "acme-account.key.pem")
-	if v, err := ioutil.ReadFile(pemName); err == nil {
-		priv, _ := pem.Decode(v)
-		if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
-			return nil, errors.New("acme/autocert: invalid account key found in cache")
-		}
-		return parsePrivateKey(priv.Bytes)
-	}
-
-	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-	var pemBuf bytes.Buffer
-	if err := encodeECDSAKey(&pemBuf, privKey); err != nil {
-		return nil, err
-	}
-	if err := ioutil.WriteFile(pemName, pemBuf.Bytes(), 0600); err != nil {
-		return nil, err
-	}
-	return privKey, nil
-}
-
-func validCertPEM(domain string, keyPEM, certPEM []byte, now time.Time) bool {
-	if len(keyPEM) == 0 || len(certPEM) == 0 {
-		return false
-	}
-	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return false
-	}
-	var leaf *x509.Certificate
-	intermediates := x509.NewCertPool()
-	for i, certDER := range tlsCert.Certificate {
-		cert, err := x509.ParseCertificate(certDER)
-		if err != nil {
-			return false
-		}
-		if i == 0 {
-			leaf = cert
-		} else {
-			intermediates.AddCert(cert)
-		}
-	}
-	if leaf == nil {
-		return false
-	}
-	_, err = leaf.Verify(x509.VerifyOptions{
-		DNSName:       domain,
-		CurrentTime:   now,
-		Intermediates: intermediates,
-	})
-	return err == nil
-}
-
-func checkCertDomain(st *ipnstate.Status, domain string) error {
-	if domain == "" {
-		return errors.New("missing domain name")
-	}
-	for _, d := range st.CertDomains {
-		if d == domain {
-			return nil
-		}
-	}
-	// Transitional way while server doesn't yet populate CertDomains: also permit the client
-	// attempting Self.DNSName.
-	okay := st.CertDomains[:len(st.CertDomains):len(st.CertDomains)]
-	if st.Self != nil {
-		if v := strings.Trim(st.Self.DNSName, "."); v != "" {
-			if v == domain {
-				return nil
-			}
-			okay = append(okay, v)
-		}
-	}
-	switch len(okay) {
-	case 0:
-		return errors.New("your Tailscale account does not support getting TLS certs")
-	case 1:
-		return fmt.Errorf("invalid domain %q; only %q is permitted", domain, okay[0])
-	default:
-		return fmt.Errorf("invalid domain %q; must be one of %q", domain, okay)
-	}
-}
--- a/ipn/localapi/disabled_stubs.go
+++ b/ipn/localapi/disabled_stubs.go
@@ -1,17 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build ios || android
-// +build ios android
-
-package localapi
-
-import (
-	"net/http"
-	"runtime"
-)
-
-func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
-	http.Error(w, "disabled on "+runtime.GOOS, http.StatusNotFound)
-}
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -30,7 +30,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
-	"tailscale.com/version"
 )

 func randHex(n int) string {
@@ -65,7 +64,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "server has no local backend", http.StatusInternalServerError)
 		return
 	}
-	w.Header().Set("Tailscale-Version", version.Long)
 	if h.RequiredPassword != "" {
 		_, pass, ok := r.BasicAuth()
 		if !ok {
@@ -85,10 +83,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveFilePut(w, r)
 		return
 	}
-	if strings.HasPrefix(r.URL.Path, "/localapi/v0/cert/") {
-		h.serveCert(w, r)
-		return
-	}
 	switch r.URL.Path {
 	case "/localapi/v0/whois":
 		h.serveWhoIs(w, r)
--- a/logtail/filch/filch.go
+++ b/logtail/filch/filch.go
@@ -30,15 +30,6 @@ type Filch struct {
 	alt       *os.File
 	altscan   *bufio.Scanner
 	recovered int64
-	// buf is an initial buffer for altscan.
-	// As of August 2021, 99.96% of all log lines
-	// are below 4096 bytes in length.
-	// Since this cutoff is arbitrary, instead of using 4096,
-	// we subtract off the size of the rest of the struct
-	// so that the whole struct takes 4096 bytes
-	// (less on 32 bit platforms).
-	// This reduces allocation waste.
-	buf [4096 - 48]byte
 }

 // TryReadline implements the logtail.Buffer interface.
@@ -62,7 +53,6 @@ func (f *Filch) TryReadLine() ([]byte, error) {
 		return nil, err
 	}
 	f.altscan = bufio.NewScanner(f.alt)
-	f.altscan.Buffer(f.buf[:], bufio.MaxScanTokenSize)
 	f.altscan.Split(splitLines)
 	return f.scan()
 }
@@ -198,7 +188,6 @@ func New(filePrefix string, opts Options) (f *Filch, err error) {
 	}
 	if f.recovered > 0 {
 		f.altscan = bufio.NewScanner(f.alt)
-		f.altscan.Buffer(f.buf[:], bufio.MaxScanTokenSize)
 		f.altscan.Split(splitLines)
 	}

--- a/logtail/filch/filch_test.go
+++ b/logtail/filch/filch_test.go
@@ -12,7 +12,6 @@ import (
 	"strings"
 	"testing"
 	"unicode"
-	"unsafe"
 )

 type filchTest struct {
@@ -170,10 +169,3 @@ func TestFilchStderr(t *testing.T) {
 		t.Errorf("unexpected write to fake stderr: %s", b)
 	}
 }
-
-func TestSizeOf(t *testing.T) {
-	s := unsafe.Sizeof(Filch{})
-	if s > 4096 {
-		t.Fatalf("Filch{} has size %d on %v, decrease size of buf field", s, runtime.GOARCH)
-	}
-}
--- a/logtail/filch/filch_unix.go
+++ b/logtail/filch/filch_unix.go
@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
-// +build !windows
+//+build !windows

 package filch

--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -200,11 +200,9 @@ func (l *Logger) drainBlock() (shuttingDown bool) {
 }

 // drainPending drains and encodes a batch of logs from the buffer for upload.
-// It uses scratch as its initial buffer.
 // If no logs are available, drainPending blocks until logs are available.
-func (l *Logger) drainPending(scratch []byte) (res []byte) {
-	buf := bytes.NewBuffer(scratch[:0])
-	buf.WriteByte('[')
+func (l *Logger) drainPending() (res []byte) {
+	buf := new(bytes.Buffer)
 	entries := 0

 	var batchDone bool
@@ -244,15 +242,28 @@ func (l *Logger) drainPending(scratch []byte) (res []byte) {
 			b = l.encodeText(b, true)
 		}

-		if entries > 0 {
+		switch {
+		case entries == 0:
+			buf.Write(b)
+		case entries == 1:
+			buf2 := new(bytes.Buffer)
+			buf2.WriteByte('[')
+			buf2.Write(buf.Bytes())
+			buf2.WriteByte(',')
+			buf2.Write(b)
+			buf.Reset()
+			buf.Write(buf2.Bytes())
+		default:
 			buf.WriteByte(',')
+			buf.Write(b)
 		}
-		buf.Write(b)
 		entries++
 	}

-	buf.WriteByte(']')
-	if buf.Len() <= len("[]") {
+	if entries > 1 {
+		buf.WriteByte(']')
+	}
+	if buf.Len() == 0 {
 		return nil
 	}
 	return buf.Bytes()
@@ -262,9 +273,8 @@ func (l *Logger) drainPending(scratch []byte) (res []byte) {
 func (l *Logger) uploading(ctx context.Context) {
 	defer close(l.shutdownDone)

-	scratch := make([]byte, 4096) // reusable buffer to write into
 	for {
-		body := l.drainPending(scratch)
+		body := l.drainPending()
 		origlen := -1 // sentinel value: uncompressed
 		// Don't attempt to compress tiny bodies; not worth the CPU cycles.
 		if l.zstdEncoder != nil && len(body) > 256 {
--- a/logtail/logtail_test.go
+++ b/logtail/logtail_test.go
@@ -117,7 +117,12 @@ func TestEncodeAndUploadMessages(t *testing.T) {
 		io.WriteString(l, tt.log)
 		body := <-ts.uploaded

-		data := unmarshalOne(t, body)
+		data := make(map[string]interface{})
+		err := json.Unmarshal(body, &data)
+		if err != nil {
+			t.Error(err)
+		}
+
 		got := data["text"]
 		if got != tt.want {
 			t.Errorf("%s: got %q; want %q", tt.name, got.(string), tt.want)
@@ -149,7 +154,11 @@ func TestEncodeSpecialCases(t *testing.T) {
 	// JSON log message already contains a logtail field.
 	io.WriteString(l, `{"logtail": "LOGTAIL", "text": "text"}`)
 	body := <-ts.uploaded
-	data := unmarshalOne(t, body)
+	data := make(map[string]interface{})
+	err := json.Unmarshal(body, &data)
+	if err != nil {
+		t.Error(err)
+	}
 	errorHasLogtail, ok := data["error_has_logtail"]
 	if ok {
 		if errorHasLogtail != "LOGTAIL" {
@@ -177,7 +186,11 @@ func TestEncodeSpecialCases(t *testing.T) {
 	l.skipClientTime = true
 	io.WriteString(l, "text")
 	body = <-ts.uploaded
-	data = unmarshalOne(t, body)
+	data = make(map[string]interface{})
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		t.Error(err)
+	}
 	_, ok = data["logtail"]
 	if ok {
 		t.Errorf("skipClientTime: unexpected logtail map present: %v", data)
@@ -191,7 +204,11 @@ func TestEncodeSpecialCases(t *testing.T) {
 	longStr := strings.Repeat("0", 512)
 	io.WriteString(l, longStr)
 	body = <-ts.uploaded
-	data = unmarshalOne(t, body)
+	data = make(map[string]interface{})
+	err = json.Unmarshal(body, &data)
+	if err != nil {
+		t.Error(err)
+	}
 	text, ok := data["text"]
 	if !ok {
 		t.Errorf("lowMem: no text %v", data)
@@ -202,7 +219,7 @@ func TestEncodeSpecialCases(t *testing.T) {

 	// -------------------------------------------------------------------------

-	err := l.Shutdown(context.Background())
+	err = l.Shutdown(context.Background())
 	if err != nil {
 		t.Error(err)
 	}
@@ -309,16 +326,3 @@ func TestPublicIDUnmarshalText(t *testing.T) {
 		t.Errorf("allocs = %v; want 0", n)
 	}
 }
-
-func unmarshalOne(t *testing.T, body []byte) map[string]interface{} {
-	t.Helper()
-	var entries []map[string]interface{}
-	err := json.Unmarshal(body, &entries)
-	if err != nil {
-		t.Error(err)
-	}
-	if len(entries) != 1 {
-		t.Fatalf("expected one entry, got %d", len(entries))
-	}
-	return entries[0]
-}
--- a/net/dns/debian_resolvconf.go
+++ b/net/dns/debian_resolvconf.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || freebsd || openbsd
 // +build linux freebsd openbsd

 package dns
--- a/net/dns/direct.go
+++ b/net/dns/direct.go
@@ -216,8 +216,7 @@ func (m directManager) restoreBackup() error {
 	if err != nil {
 		return err
 	}
-	_, err = m.fs.Stat(resolvConf)
-	if err != nil && !os.IsNotExist(err) {
+	if _, err := m.fs.Stat(resolvConf); err != nil && !os.IsNotExist(err) {
 		return err
 	}
 	resolvConfExists := !os.IsNotExist(err)
@@ -260,7 +259,7 @@ func (m directManager) SetDNS(config OSConfig) error {
 	// try to manage DNS through resolved when it's around, but as a
 	// best-effort fallback if we messed up the detection, try to
 	// restart resolved to make the system configuration consistent.
-	if isResolvedRunning() && !runningAsGUIDesktopUser() {
+	if isResolvedRunning() {
 		exec.Command("systemctl", "restart", "systemd-resolved.service").Run()
 	}

@@ -320,7 +319,7 @@ func (m directManager) Close() error {
 		return err
 	}

-	if isResolvedRunning() && !runningAsGUIDesktopUser() {
+	if isResolvedRunning() {
 		exec.Command("systemctl", "restart", "systemd-resolved.service").Run() // Best-effort.
 	}

@@ -386,12 +385,3 @@ func (fs directFS) ReadFile(name string) ([]byte, error) {
 func (fs directFS) WriteFile(name string, contents []byte, perm os.FileMode) error {
 	return ioutil.WriteFile(fs.path(name), contents, perm)
 }
-
-// runningAsGUIDesktopUser reports whether it seems that this code is
-// being run as a regular user on a Linux desktop. This is a quick
-// hack to fix Issue 2672 where PolicyKit pops up a GUI dialog asking
-// to proceed we do a best effort attempt to restart
-// systemd-resolved.service. There's surely a better way.
-func runningAsGUIDesktopUser() bool {
-	return os.Getuid() != 0 && os.Getenv("DISPLAY") != ""
-}
--- a/net/dns/ini.go
+++ b/net/dns/ini.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build windows
 // +build windows

 package dns
--- a/net/dns/ini_test.go
+++ b/net/dns/ini_test.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build windows
 // +build windows

 package dns
--- a/net/dns/manager_default.go
+++ b/net/dns/manager_default.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !linux && !freebsd && !openbsd && !windows
 // +build !linux,!freebsd,!openbsd,!windows

 package dns
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux
 // +build linux

 package dns
--- a/net/dns/openresolv.go
+++ b/net/dns/openresolv.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || freebsd || openbsd
 // +build linux freebsd openbsd

 package dns
--- a/net/dns/resolvconf.go
+++ b/net/dns/resolvconf.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || freebsd || openbsd
 // +build linux freebsd openbsd

 package dns
--- a/net/dns/resolved.go
+++ b/net/dns/resolved.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux
 // +build linux

 package dns
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -10,6 +10,7 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
+	"hash/crc32"
 	"io"
 	"io/ioutil"
 	"math/rand"
@@ -64,13 +65,44 @@ func getTxID(packet []byte) txid {
 	}

 	dnsid := binary.BigEndian.Uint16(packet[0:2])
-	// Previously, we hashed the question and combined it with the original txid
-	// which was useful when concurrent queries were multiplexed on a single
-	// local source port. We encountered some situations where the DNS server
-	// canonicalizes the question in the response (uppercase converted to
-	// lowercase in this case), which resulted in responses that we couldn't
-	// match to the original request due to hash mismatches.
-	return txid(dnsid)
+	qcount := binary.BigEndian.Uint16(packet[4:6])
+	if qcount == 0 {
+		return txid(dnsid)
+	}
+
+	offset := headerBytes
+	for i := uint16(0); i < qcount; i++ {
+		// Note: this relies on the fact that names are not compressed in questions,
+		// so they are guaranteed to end with a NUL byte.
+		//
+		// Justification:
+		// RFC 1035 doesn't seem to explicitly prohibit compressing names in questions,
+		// but this is exceedingly unlikely to be done in practice. A DNS request
+		// with multiple questions is ill-defined (which questions do the header flags apply to?)
+		// and a single question would have to contain a pointer to an *answer*,
+		// which would be excessively smart, pointless (an answer can just as well refer to the question)
+		// and perhaps even prohibited: a draft RFC (draft-ietf-dnsind-local-compression-05) states:
+		//
+		// > It is important that these pointers always point backwards.
+		//
+		// This is said in summarizing RFC 1035, although that phrase does not appear in the original RFC.
+		// Additionally, (https://cr.yp.to/djbdns/notes.html) states:
+		//
+		// > The precise rule is that a name can be compressed if it is a response owner name,
+		// > the name in NS data, the name in CNAME data, the name in PTR data, the name in MX data,
+		// > or one of the names in SOA data.
+		namebytes := bytes.IndexByte(packet[offset:], 0)
+		// ... | name | NUL | type | class
+		//        ??     1      2      2
+		offset = offset + namebytes + 5
+		if len(packet) < offset {
+			// Corrupt packet; don't crash.
+			return txid(dnsid)
+		}
+	}
+
+	hash := crc32.ChecksumIEEE(packet[headerBytes:offset])
+	return (txid(hash) << 32) | txid(dnsid)
 }

 // clampEDNSSize attempts to limit the maximum EDNS response size. This is not
--- a/net/dns/resolver/macios_ext.go
+++ b/net/dns/resolver/macios_ext.go
@@ -2,9 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build ts_macext && (darwin || ios)
-// +build ts_macext
-// +build darwin ios
+// +build darwin,ts_macext ios,ts_macext

 package resolver

--- a/net/dns/resolver/neterr_other.go
+++ b/net/dns/resolver/neterr_other.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !darwin && !windows
 // +build !darwin,!windows

 package resolver
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -334,7 +334,7 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 	case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:
 		return netaddr.IP{}, dns.RCodeNotImplemented

-	// For everything except for the few types above that are explicitly not implemented, return no records.
+	// For everything except for the few types above that are explictly not implemented, return no records.
 	// This is what other DNS systems do: always return NOERROR
 	// without any records whenever the requested record type is unknown.
 	// You can try this with:
--- a/net/dns/resolver/tsdns_server_test.go
+++ b/net/dns/resolver/tsdns_server_test.go
@@ -6,7 +6,6 @@ package resolver

 import (
 	"fmt"
-	"strings"
 	"testing"

 	"github.com/miekg/dns"
@@ -67,58 +66,6 @@ func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	}
 }

-// resolveToIPLowercase returns a handler function which canonicalizes responses
-// by lowercasing the question and answer names, and responds
-// to queries of type A it receives with an A record containing ipv4,
-// to queries of type AAAA with an AAAA record containing ipv6,
-// to queries of type NS with an NS record containg name.
-func resolveToIPLowercase(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
-	return func(w dns.ResponseWriter, req *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(req)
-
-		if len(req.Question) != 1 {
-			panic("not a single-question request")
-		}
-		m.Question[0].Name = strings.ToLower(m.Question[0].Name)
-		question := req.Question[0]
-
-		var ans dns.RR
-		switch question.Qtype {
-		case dns.TypeA:
-			ans = &dns.A{
-				Hdr: dns.RR_Header{
-					Name:   question.Name,
-					Rrtype: dns.TypeA,
-					Class:  dns.ClassINET,
-				},
-				A: ipv4.IPAddr().IP,
-			}
-		case dns.TypeAAAA:
-			ans = &dns.AAAA{
-				Hdr: dns.RR_Header{
-					Name:   question.Name,
-					Rrtype: dns.TypeAAAA,
-					Class:  dns.ClassINET,
-				},
-				AAAA: ipv6.IPAddr().IP,
-			}
-		case dns.TypeNS:
-			ans = &dns.NS{
-				Hdr: dns.RR_Header{
-					Name:   question.Name,
-					Rrtype: dns.TypeNS,
-					Class:  dns.ClassINET,
-				},
-				Ns: ns,
-			}
-		}
-
-		m.Answer = append(m.Answer, ans)
-		w.WriteMsg(m)
-	}
-}
-
 // resolveToTXT returns a handler function which responds to queries of type TXT
 // it receives with the strings in txts.
 func resolveToTXT(txts []string, ednsMaxSize uint16) dns.HandlerFunc {
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -440,8 +440,6 @@ func TestDelegate(t *testing.T) {
 	records := []interface{}{
 		"test.site.",
 		resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"LCtesT.SiTe.",
-		resolveToIPLowercase(testipv4, testipv6, "dns.test.site."),
 		"nxdomain.site.", resolveToNXDOMAIN,
 		"small.txt.", resolveToTXT(smallTXT, noEdns),
 		"smalledns.txt.", resolveToTXT(smallTXT, 512),
@@ -487,21 +485,6 @@ func TestDelegate(t *testing.T) {
 			dnspacket("test.site.", dns.TypeNS, noEdns),
 			dnsResponse{name: "dns.test.site.", rcode: dns.RCodeSuccess},
 		},
-		{
-			"ipv4",
-			dnspacket("LCtesT.SiTe.", dns.TypeA, noEdns),
-			dnsResponse{ip: testipv4, rcode: dns.RCodeSuccess},
-		},
-		{
-			"ipv6",
-			dnspacket("LCtesT.SiTe.", dns.TypeAAAA, noEdns),
-			dnsResponse{ip: testipv6, rcode: dns.RCodeSuccess},
-		},
-		{
-			"ns",
-			dnspacket("LCtesT.SiTe.", dns.TypeNS, noEdns),
-			dnsResponse{name: "dns.test.site.", rcode: dns.RCodeSuccess},
-		},
 		{
 			"nxdomain",
 			dnspacket("nxdomain.site.", dns.TypeA, noEdns),
--- a/net/dnsfallback/update-dns-fallbacks.go
+++ b/net/dnsfallback/update-dns-fallbacks.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build ignore
 // +build ignore

 package main
--- a/net/flowtrack/flowtrack.go
+++ b/net/flowtrack/flowtrack.go
@@ -49,7 +49,7 @@ type entry struct {
 	value interface{}
 }

-// Add adds a value to the cache, set or updating its associated
+// Add adds a value to the cache, set or updating its assoicated
 // value.
 //
 // If MaxEntries is non-zero and the length of the cache is greater
--- a/net/interfaces/interfaces_default_route_test.go
+++ b/net/interfaces/interfaces_default_route_test.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || (darwin && !ts_macext)
 // +build linux darwin,!ts_macext

 package interfaces
--- a/net/interfaces/interfaces_defaultrouteif_todo.go
+++ b/net/interfaces/interfaces_defaultrouteif_todo.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !linux && !windows && !darwin
 // +build !linux,!windows,!darwin

 package interfaces
--- a/net/interfaces/interfaces_windows.go
+++ b/net/interfaces/interfaces_windows.go
@@ -112,36 +112,22 @@ func NonTailscaleMTUs() (map[winipcfg.LUID]uint32, error) {
 	return mtus, err
 }

-func notTailscaleInterface(iface *winipcfg.IPAdapterAddresses) bool {
-	// TODO(bradfitz): do this without the Description method's
-	// utf16-to-string allocation. But at least we only do it for
-	// the virtual interfaces, for which there won't be many.
-	return !(iface.IfType == winipcfg.IfTypePropVirtual &&
-		iface.Description() == tsconst.WintunInterfaceDesc)
-}
-
 // NonTailscaleInterfaces returns a map of interface LUID to interface
 // for all interfaces except Tailscale tunnels.
 func NonTailscaleInterfaces() (map[winipcfg.LUID]*winipcfg.IPAdapterAddresses, error) {
-	return getInterfaces(windows.AF_UNSPEC, winipcfg.GAAFlagIncludeAllInterfaces, notTailscaleInterface)
-}
-
-// getInterfaces returns a map of interfaces keyed by their LUID for
-// all interfaces matching the provided match predicate.
-//
-// The family (AF_UNSPEC, AF_INET, or AF_INET6) and flags are passed
-// to winipcfg.GetAdaptersAddresses.
-func getInterfaces(family winipcfg.AddressFamily, flags winipcfg.GAAFlags, match func(*winipcfg.IPAdapterAddresses) bool) (map[winipcfg.LUID]*winipcfg.IPAdapterAddresses, error) {
-	ifs, err := winipcfg.GetAdaptersAddresses(family, flags)
+	ifs, err := winipcfg.GetAdaptersAddresses(windows.AF_UNSPEC, winipcfg.GAAFlagIncludeAllInterfaces)
 	if err != nil {
 		return nil, err
 	}
+
 	ret := map[winipcfg.LUID]*winipcfg.IPAdapterAddresses{}
 	for _, iface := range ifs {
-		if match(iface) {
-			ret[iface.LUID] = iface
+		if iface.Description() == tsconst.WintunInterfaceDesc {
+			continue
 		}
+		ret[iface.LUID] = iface
 	}
+
 	return ret, nil
 }

@@ -149,26 +135,8 @@ func getInterfaces(family winipcfg.AddressFamily, flags winipcfg.GAAFlags, match
 // default route for the given address family.
 //
 // It returns (nil, nil) if no interface is found.
-//
-// The family must be one of AF_INET or AF_INET6.
 func GetWindowsDefault(family winipcfg.AddressFamily) (*winipcfg.IPAdapterAddresses, error) {
-	ifs, err := getInterfaces(family, winipcfg.GAAFlagIncludeAllInterfaces, func(iface *winipcfg.IPAdapterAddresses) bool {
-		switch iface.IfType {
-		case winipcfg.IfTypeSoftwareLoopback:
-			return false
-		}
-		switch family {
-		case windows.AF_INET:
-			if iface.Flags&winipcfg.IPAAFlagIpv4Enabled == 0 {
-				return false
-			}
-		case windows.AF_INET6:
-			if iface.Flags&winipcfg.IPAAFlagIpv6Enabled == 0 {
-				return false
-			}
-		}
-		return iface.OperStatus == winipcfg.IfOperStatusUp && notTailscaleInterface(iface)
-	})
+	ifs, err := NonTailscaleInterfaces()
 	if err != nil {
 		return nil, err
 	}
@@ -181,31 +149,12 @@ func GetWindowsDefault(family winipcfg.AddressFamily) (*winipcfg.IPAdapterAddres
 	bestMetric := ^uint32(0)
 	var bestIface *winipcfg.IPAdapterAddresses
 	for _, route := range routes {
-		if route.DestinationPrefix.PrefixLength != 0 {
-			// Not a default route.
-			continue
-		}
 		iface := ifs[route.InterfaceLUID]
-		if iface == nil {
+		if route.DestinationPrefix.PrefixLength != 0 || iface == nil {
 			continue
 		}
-
-		// Microsoft docs say:
-		//
-		// "The actual route metric used to compute the route
-		// preferences for IPv4 is the summation of the route
-		// metric offset specified in the Metric member of the
-		// MIB_IPFORWARD_ROW2 structure and the interface
-		// metric specified in this member for IPv4"
-		metric := route.Metric
-		switch family {
-		case windows.AF_INET:
-			metric += iface.Ipv4Metric
-		case windows.AF_INET6:
-			metric += iface.Ipv6Metric
-		}
-		if metric < bestMetric {
-			bestMetric = metric
+		if iface.OperStatus == winipcfg.IfOperStatusUp && route.Metric < bestMetric {
+			bestMetric = route.Metric
 			bestIface = iface
 		}
 	}
@@ -214,9 +163,6 @@ func GetWindowsDefault(family winipcfg.AddressFamily) (*winipcfg.IPAdapterAddres
 }

 func DefaultRouteInterface() (string, error) {
-	// We always return the IPv4 default route.
-	// TODO(bradfitz): adjust API if/when anything cares. They could in theory differ, though,
-	// in which case we might send traffic to the wrong interface.
 	iface, err := GetWindowsDefault(windows.AF_INET)
 	if err != nil {
 		return "", err
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -362,7 +362,7 @@ func makeProbePlan(dm *tailcfg.DERPMap, ifState *interfaces.State, last *Report)
 			tries = 2
 		} else if hadBoth {
 			// For dual stack machines, make the 3rd & slower nodes alternate
-			// between.
+			// beetween.
 			if ri%2 == 0 {
 				do4, do6 = true, false
 			} else {
--- a/net/netns/netns_android.go
+++ b/net/netns/netns_android.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build android
 // +build android

 package netns
--- a/net/netns/netns_darwin_tailscaled.go
+++ b/net/netns/netns_darwin_tailscaled.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build darwin && !ts_macext
 // +build darwin,!ts_macext

 package netns
--- a/net/netns/netns_default.go
+++ b/net/netns/netns_default.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build (!linux && !windows && !darwin) || (darwin && ts_macext)
 // +build !linux,!windows,!darwin darwin,ts_macext

 package netns
--- a/net/netns/netns_linux.go
+++ b/net/netns/netns_linux.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && !android
 // +build linux,!android

 package netns
--- a/net/netns/netns_macios.go
+++ b/net/netns/netns_macios.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build darwin || ios
 // +build darwin ios

 package netns
--- a/net/netns/socks.go
+++ b/net/netns/socks.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !ios
 // +build !ios

 package netns
--- a/net/netstat/netstat_noimpl.go
+++ b/net/netstat/netstat_noimpl.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 package netstat
--- a/net/portmapper/disabled_stubs.go
+++ b/net/portmapper/disabled_stubs.go
@@ -2,9 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build ios
 // +build ios
-
 // (https://github.com/tailscale/tailscale/issues/2495)

 package portmapper
@@ -17,12 +15,6 @@ import (

 type upnpClient interface{}

-type uPnPDiscoResponse struct{}
-
-func parseUPnPDiscoResponse([]byte) (uPnPDiscoResponse, error) {
-	return uPnPDiscoResponse{}, nil
-}
-
 func (c *Client) getUPnPPortMapping(
 	ctx context.Context,
 	gw netaddr.IP,
--- a/net/portmapper/igd_test.go
+++ b/net/portmapper/igd_test.go
@@ -1,254 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package portmapper
-
-import (
-	"bytes"
-	"fmt"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"sync"
-	"testing"
-
-	"inet.af/netaddr"
-	"tailscale.com/syncs"
-	"tailscale.com/types/logger"
-)
-
-// TestIGD is an IGD (Intenet Gateway Device) for testing. It supports fake
-// implementations of NAT-PMP, PCP, and/or UPnP to test clients against.
-type TestIGD struct {
-	upnpConn net.PacketConn // for UPnP discovery
-	pxpConn  net.PacketConn // for NAT-PMP and/or PCP
-	ts       *httptest.Server
-	logf     logger.Logf
-	closed   syncs.AtomicBool
-
-	// do* will log which packets are sent, but will not reply to unexpected packets.
-
-	doPMP  bool
-	doPCP  bool
-	doUPnP bool
-
-	mu       sync.Mutex // guards below
-	counters igdCounters
-}
-
-// TestIGDOptions are options
-type TestIGDOptions struct {
-	PMP  bool
-	PCP  bool
-	UPnP bool // TODO: more options for 3 flavors of UPnP services
-}
-
-type igdCounters struct {
-	numUPnPDiscoRecv     int32
-	numUPnPOtherUDPRecv  int32
-	numUPnPHTTPRecv      int32
-	numPMPRecv           int32
-	numPMPDiscoRecv      int32
-	numPCPRecv           int32
-	numPCPDiscoRecv      int32
-	numPCPMapRecv        int32
-	numPCPOtherRecv      int32
-	numPMPPublicAddrRecv int32
-	numPMPBogusRecv      int32
-
-	numFailedWrites  int32
-	invalidPCPMapPkt int32
-}
-
-func NewTestIGD(logf logger.Logf, t TestIGDOptions) (*TestIGD, error) {
-	d := &TestIGD{
-		logf:   logf,
-		doPMP:  t.PMP,
-		doPCP:  t.PCP,
-		doUPnP: t.UPnP,
-	}
-	var err error
-	if d.upnpConn, err = testListenUDP(); err != nil {
-		return nil, err
-	}
-	if d.pxpConn, err = testListenUDP(); err != nil {
-		d.upnpConn.Close()
-		return nil, err
-	}
-	d.ts = httptest.NewServer(http.HandlerFunc(d.serveUPnPHTTP))
-	go d.serveUPnPDiscovery()
-	go d.servePxP()
-	return d, nil
-}
-
-func testListenUDP() (net.PacketConn, error) {
-	return net.ListenPacket("udp4", "127.0.0.1:0")
-}
-
-func (d *TestIGD) TestPxPPort() uint16 {
-	return uint16(d.pxpConn.LocalAddr().(*net.UDPAddr).Port)
-}
-
-func (d *TestIGD) TestUPnPPort() uint16 {
-	return uint16(d.upnpConn.LocalAddr().(*net.UDPAddr).Port)
-}
-
-func testIPAndGateway() (gw, ip netaddr.IP, ok bool) {
-	return netaddr.IPv4(127, 0, 0, 1), netaddr.IPv4(1, 2, 3, 4), true
-}
-
-func (d *TestIGD) Close() error {
-	d.closed.Set(true)
-	d.ts.Close()
-	d.upnpConn.Close()
-	d.pxpConn.Close()
-	return nil
-}
-
-func (d *TestIGD) inc(p *int32) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	(*p)++
-}
-
-func (d *TestIGD) stats() igdCounters {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	return d.counters
-}
-
-func (d *TestIGD) serveUPnPHTTP(w http.ResponseWriter, r *http.Request) {
-	http.NotFound(w, r) // TODO
-}
-
-func (d *TestIGD) serveUPnPDiscovery() {
-	buf := make([]byte, 1500)
-	for {
-		n, src, err := d.upnpConn.ReadFrom(buf)
-		if err != nil {
-			if !d.closed.Get() {
-				d.logf("serveUPnP failed: %v", err)
-			}
-			return
-		}
-		pkt := buf[:n]
-		if bytes.Equal(pkt, uPnPPacket) { // a super lazy "parse"
-			d.inc(&d.counters.numUPnPDiscoRecv)
-			resPkt := []byte(fmt.Sprintf("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nUSN: uuid:bee7052b-49e8-3597-b545-55a1e38ac11::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nEXT:\r\nSERVER: Tailscale-Test/1.0 UPnP/1.1 MiniUPnPd/2.2.1\r\nLOCATION: %s\r\nOPT: \"http://schemas.upnp.org/upnp/1/0/\"; ns=01\r\n01-NLS: 1627958564\r\nBOOTID.UPNP.ORG: 1627958564\r\nCONFIGID.UPNP.ORG: 1337\r\n\r\n", d.ts.URL+"/rootDesc.xml"))
-			if d.doUPnP {
-				_, err = d.upnpConn.WriteTo(resPkt, src)
-				if err != nil {
-					d.inc(&d.counters.numFailedWrites)
-				}
-			}
-		} else {
-			d.inc(&d.counters.numUPnPOtherUDPRecv)
-		}
-	}
-}
-
-// servePxP serves NAT-PMP and PCP, which share a port number.
-func (d *TestIGD) servePxP() {
-	buf := make([]byte, 1500)
-	for {
-		n, a, err := d.pxpConn.ReadFrom(buf)
-		if err != nil {
-			if !d.closed.Get() {
-				d.logf("servePxP failed: %v", err)
-			}
-			return
-		}
-		ua := a.(*net.UDPAddr)
-		src, ok := netaddr.FromStdAddr(ua.IP, ua.Port, ua.Zone)
-		if !ok {
-			panic("bogus addr")
-		}
-		pkt := buf[:n]
-		if len(pkt) < 2 {
-			continue
-		}
-		ver := pkt[0]
-		switch ver {
-		default:
-			continue
-		case pmpVersion:
-			d.handlePMPQuery(pkt, src)
-		case pcpVersion:
-			d.handlePCPQuery(pkt, src)
-		}
-	}
-}
-
-func (d *TestIGD) handlePMPQuery(pkt []byte, src netaddr.IPPort) {
-	d.inc(&d.counters.numPMPRecv)
-	if len(pkt) < 2 {
-		return
-	}
-	op := pkt[1]
-	switch op {
-	case pmpOpMapPublicAddr:
-		if len(pkt) != 2 {
-			d.inc(&d.counters.numPMPBogusRecv)
-			return
-		}
-		d.inc(&d.counters.numPMPPublicAddrRecv)
-
-	}
-	// TODO
-}
-
-func (d *TestIGD) handlePCPQuery(pkt []byte, src netaddr.IPPort) {
-	d.inc(&d.counters.numPCPRecv)
-	if len(pkt) < 24 {
-		return
-	}
-	op := pkt[1]
-	pktSrcBytes := [16]byte{}
-	copy(pktSrcBytes[:], pkt[8:24])
-	pktSrc := netaddr.IPFrom16(pktSrcBytes)
-	if pktSrc != src.IP() {
-		// TODO this error isn't fatal but should be rejected by server.
-		// Since it's a test it's difficult to get them the same though.
-		d.logf("mismatch of packet source and source IP: got %v, expected %v", pktSrc, src.IP())
-	}
-	switch op {
-	case pcpOpAnnounce:
-		d.inc(&d.counters.numPCPDiscoRecv)
-		if !d.doPCP {
-			return
-		}
-		resp := buildPCPDiscoResponse(pkt)
-		if _, err := d.pxpConn.WriteTo(resp, src.UDPAddr()); err != nil {
-			d.inc(&d.counters.numFailedWrites)
-		}
-	case pcpOpMap:
-		if len(pkt) < 60 {
-			d.logf("got too short packet for pcp op map: %v", pkt)
-			d.inc(&d.counters.invalidPCPMapPkt)
-			return
-		}
-		d.inc(&d.counters.numPCPMapRecv)
-		if !d.doPCP {
-			return
-		}
-		resp := buildPCPMapResponse(pkt)
-		d.pxpConn.WriteTo(resp, src.UDPAddr())
-	default:
-		// unknown op code, ignore it for now.
-		d.inc(&d.counters.numPCPOtherRecv)
-		return
-	}
-}
-
-func newTestClient(t *testing.T, igd *TestIGD) *Client {
-	var c *Client
-	c = NewClient(t.Logf, func() {
-		t.Logf("port map changed")
-		t.Logf("have mapping: %v", c.HaveMapping())
-	})
-	c.testPxPPort = igd.TestPxPPort()
-	c.testUPnPPort = igd.TestUPnPPort()
-	c.SetGatewayLookupFunc(testIPAndGateway)
-	return c
-}
--- a/net/portmapper/pcp.go
+++ b/net/portmapper/pcp.go
@@ -1,157 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package portmapper
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-	"time"
-
-	"inet.af/netaddr"
-)
-
-// References:
-//
-// https://www.rfc-editor.org/rfc/pdfrfc/rfc6887.txt.pdf
-// https://tools.ietf.org/html/rfc6887
-
-// PCP constants
-const (
-	pcpVersion     = 2
-	pcpDefaultPort = 5351
-
-	pcpMapLifetimeSec = 7200 // TODO does the RFC recommend anything? This is taken from PMP.
-
-	pcpCodeOK            = 0
-	pcpCodeNotAuthorized = 2
-
-	pcpOpReply    = 0x80 // OR'd into request's op code on response
-	pcpOpAnnounce = 0
-	pcpOpMap      = 1
-
-	pcpUDPMapping = 17 // portmap UDP
-	pcpTCPMapping = 6  // portmap TCP
-)
-
-type pcpMapping struct {
-	c        *Client
-	gw       netaddr.IPPort
-	internal netaddr.IPPort
-	external netaddr.IPPort
-
-	renewAfter time.Time
-	goodUntil  time.Time
-
-	// TODO should this also contain an epoch?
-	// Doesn't seem to be used elsewhere, but can use it for validation at some point.
-}
-
-func (p *pcpMapping) GoodUntil() time.Time     { return p.goodUntil }
-func (p *pcpMapping) RenewAfter() time.Time    { return p.renewAfter }
-func (p *pcpMapping) External() netaddr.IPPort { return p.external }
-func (p *pcpMapping) Release(ctx context.Context) {
-	uc, err := p.c.listenPacket(ctx, "udp4", ":0")
-	if err != nil {
-		return
-	}
-	defer uc.Close()
-	pkt := buildPCPRequestMappingPacket(p.internal.IP(), p.internal.Port(), p.external.Port(), 0, p.external.IP())
-	uc.WriteTo(pkt, p.gw.UDPAddr())
-}
-
-// buildPCPRequestMappingPacket generates a PCP packet with a MAP opcode.
-// To create a packet which deletes a mapping, lifetimeSec should be set to 0.
-// If prevPort is not known, it should be set to 0.
-// If prevExternalIP is not known, it should be set to 0.0.0.0.
-func buildPCPRequestMappingPacket(
-	myIP netaddr.IP,
-	localPort, prevPort uint16,
-	lifetimeSec uint32,
-	prevExternalIP netaddr.IP,
-) (pkt []byte) {
-	// 24 byte common PCP header + 36 bytes of MAP-specific fields
-	pkt = make([]byte, 24+36)
-	pkt[0] = pcpVersion
-	pkt[1] = pcpOpMap
-	binary.BigEndian.PutUint32(pkt[4:8], lifetimeSec)
-	myIP16 := myIP.As16()
-	copy(pkt[8:24], myIP16[:])
-
-	mapOp := pkt[24:]
-	rand.Read(mapOp[:12]) // 96 bit mapping nonce
-
-	// TODO: should this be a UDP mapping? It looks like it supports "all protocols" with 0, but
-	// also doesn't support a local port then.
-	mapOp[12] = pcpUDPMapping
-	binary.BigEndian.PutUint16(mapOp[16:18], localPort)
-	binary.BigEndian.PutUint16(mapOp[18:20], prevPort)
-
-	prevExternalIP16 := prevExternalIP.As16()
-	copy(mapOp[20:], prevExternalIP16[:])
-	return pkt
-}
-
-// parsePCPMapResponse parses resp into a partially populated pcpMapping.
-// In particular, its Client is not populated.
-func parsePCPMapResponse(resp []byte) (*pcpMapping, error) {
-	if len(resp) < 60 {
-		return nil, fmt.Errorf("Does not appear to be PCP MAP response")
-	}
-	res, ok := parsePCPResponse(resp[:24])
-	if !ok {
-		return nil, fmt.Errorf("Invalid PCP common header")
-	}
-	if res.ResultCode != pcpCodeOK {
-		return nil, fmt.Errorf("PCP response not ok, code %d", res.ResultCode)
-	}
-	// TODO: don't ignore the nonce and make sure it's the same?
-	externalPort := binary.BigEndian.Uint16(resp[42:44])
-	externalIPBytes := [16]byte{}
-	copy(externalIPBytes[:], resp[44:])
-	externalIP := netaddr.IPFrom16(externalIPBytes)
-
-	external := netaddr.IPPortFrom(externalIP, externalPort)
-
-	lifetime := time.Second * time.Duration(res.Lifetime)
-	now := time.Now()
-	mapping := &pcpMapping{
-		external:   external,
-		renewAfter: now.Add(lifetime / 2),
-		goodUntil:  now.Add(lifetime),
-	}
-
-	return mapping, nil
-}
-
-// pcpAnnounceRequest generates a PCP packet with an ANNOUNCE opcode.
-func pcpAnnounceRequest(myIP netaddr.IP) []byte {
-	// See https://tools.ietf.org/html/rfc6887#section-7.1
-	pkt := make([]byte, 24)
-	pkt[0] = pcpVersion
-	pkt[1] = pcpOpAnnounce
-	myIP16 := myIP.As16()
-	copy(pkt[8:], myIP16[:])
-	return pkt
-}
-
-type pcpResponse struct {
-	OpCode     uint8
-	ResultCode uint8
-	Lifetime   uint32
-	Epoch      uint32
-}
-
-func parsePCPResponse(b []byte) (res pcpResponse, ok bool) {
-	if len(b) < 24 || b[0] != pcpVersion {
-		return
-	}
-	res.OpCode = b[1]
-	res.ResultCode = b[3]
-	res.Lifetime = binary.BigEndian.Uint32(b[4:])
-	res.Epoch = binary.BigEndian.Uint32(b[8:])
-	return res, true
-}
--- a/net/portmapper/pcp_test.go
+++ b/net/portmapper/pcp_test.go
@@ -1,62 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package portmapper
-
-import (
-	"encoding/binary"
-	"testing"
-
-	"inet.af/netaddr"
-)
-
-var examplePCPMapResponse = []byte{2, 129, 0, 0, 0, 0, 28, 32, 0, 2, 155, 237, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 129, 112, 9, 24, 241, 208, 251, 45, 157, 76, 10, 188, 17, 0, 0, 0, 4, 210, 4, 210, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 135, 180, 175, 246}
-
-func TestParsePCPMapResponse(t *testing.T) {
-	mapping, err := parsePCPMapResponse(examplePCPMapResponse)
-	if err != nil {
-		t.Fatalf("failed to parse PCP Map Response: %v", err)
-	}
-	if mapping == nil {
-		t.Fatalf("got nil mapping when expected non-nil")
-	}
-	expectedAddr := netaddr.MustParseIPPort("135.180.175.246:1234")
-	if mapping.external != expectedAddr {
-		t.Errorf("mismatched external address, got: %v, want: %v", mapping.external, expectedAddr)
-	}
-}
-
-const (
-	serverResponseBit = 1 << 7
-	fakeLifetimeSec   = 1<<31 - 1
-)
-
-func buildPCPDiscoResponse(req []byte) []byte {
-	out := make([]byte, 24)
-	out[0] = pcpVersion
-	out[1] = req[1] | serverResponseBit
-	out[3] = 0
-	// Do not put an epoch time in 8:12, when we start using it, tests that use it should fail.
-	return out
-}
-
-func buildPCPMapResponse(req []byte) []byte {
-	out := make([]byte, 24+36)
-	out[0] = pcpVersion
-	out[1] = req[1] | serverResponseBit
-	out[3] = 0
-	binary.BigEndian.PutUint32(out[4:8], 1<<30)
-	// Do not put an epoch time in 8:12, when we start using it, tests that use it should fail.
-	mapResp := out[24:]
-	mapReq := req[24:]
-	// copy nonce, protocol and internal port
-	copy(mapResp[:13], mapReq[:13])
-	copy(mapResp[16:18], mapReq[16:18])
-	// assign external port
-	binary.BigEndian.PutUint16(mapResp[18:20], 4242)
-	assignedIP := netaddr.IPv4(127, 0, 0, 1)
-	assignedIP16 := assignedIP.As16()
-	copy(mapResp[20:36], assignedIP16[:])
-	return out
-}
--- a/net/portmapper/portmapper.go
+++ b/net/portmapper/portmapper.go
@@ -3,18 +3,18 @@
 // license that can be found in the LICENSE file.

 // Package portmapper is a UDP port mapping client. It currently allows for mapping over
-// NAT-PMP, UPnP, and PCP.
+// NAT-PMP and UPnP, but will perhaps do PCP later.
 package portmapper

 import (
 	"context"
+	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
-	"os"
 	"sync"
 	"time"

@@ -25,20 +25,10 @@ import (
 	"tailscale.com/types/logger"
 )

-// Debug knobs for "tailscaled debug --portmap".
-var (
-	VerboseLogs bool
-
-	// Disable* disables a specific service from mapping.
-
-	DisableUPnP bool
-	DisablePMP  bool
-	DisablePCP  bool
-)
-
 // References:
 //
 // NAT-PMP: https://tools.ietf.org/html/rfc6886
+// PCP: https://tools.ietf.org/html/rfc6887

 // portMapServiceTimeout is the time we wait for port mapping
 // services (UPnP, NAT-PMP, PCP) to respond before we give up and
@@ -56,8 +46,6 @@ type Client struct {
 	logf         logger.Logf
 	ipAndGateway func() (gw, ip netaddr.IP, ok bool)
 	onChange     func() // or nil
-	testPxPPort  uint16 // if non-zero, pxpPort to use for tests
-	testUPnPPort uint16 // if non-zero, uPnPPort to use for tests

 	mu sync.Mutex // guards following, and all fields thereof

@@ -80,7 +68,7 @@ type Client struct {

 	uPnPSawTime    time.Time         // time we last saw UPnP was available
 	uPnPMeta       uPnPDiscoResponse // Location header from UPnP UDP discovery response
-	uPnPHTTPClient *http.Client      // netns-configured HTTP client for UPnP; nil until needed
+	uPnPHTTPClient *http.Client      // nil until needed

 	localPort uint16

@@ -116,8 +104,7 @@ func (c *Client) HaveMapping() bool {
 //
 // All fields are immutable once created.
 type pmpMapping struct {
-	c          *Client
-	gw         netaddr.IPPort
+	gw         netaddr.IP
 	external   netaddr.IPPort
 	internal   netaddr.IPPort
 	renewAfter time.Time // the time at which we want to renew the mapping
@@ -136,13 +123,13 @@ func (p *pmpMapping) External() netaddr.IPPort { return p.external }

 // Release does a best effort fire-and-forget release of the PMP mapping m.
 func (m *pmpMapping) Release(ctx context.Context) {
-	uc, err := m.c.listenPacket(ctx, "udp4", ":0")
+	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
 	if err != nil {
 		return
 	}
 	defer uc.Close()
 	pkt := buildPMPRequestMappingPacket(m.internal.Port(), m.external.Port(), pmpMapLifetimeDelete)
-	uc.WriteTo(pkt, m.gw.UDPAddr())
+	uc.WriteTo(pkt, netaddr.IPPortFrom(m.gw, pmpPort).UDPAddr())
 }

 // NewClient returns a new portmapping client.
@@ -217,44 +204,6 @@ func (c *Client) gatewayAndSelfIP() (gw, myIP netaddr.IP, ok bool) {
 	return
 }

-// pxpPort returns the NAT-PMP and PCP port number.
-// It returns 5351, except for in tests where it varies by run.
-func (c *Client) pxpPort() uint16 {
-	if c.testPxPPort != 0 {
-		return c.testPxPPort
-	}
-	return pmpDefaultPort
-}
-
-// upnpPort returns the UPnP discovery port number.
-// It returns 1900, except for in tests where it varies by run.
-func (c *Client) upnpPort() uint16 {
-	if c.testUPnPPort != 0 {
-		return c.testUPnPPort
-	}
-	return upnpDefaultPort
-}
-
-func (c *Client) listenPacket(ctx context.Context, network, addr string) (net.PacketConn, error) {
-	// When running under testing conditions, we bind the IGD server
-	// to localhost, and may be running in an environment where our
-	// netns code would decide that binding the portmapper client
-	// socket to the default route interface is the correct way to
-	// ensure connectivity. This can result in us trying to send
-	// packets for 127.0.0.1 out the machine's LAN interface, which
-	// obviously gets dropped on the floor.
-	//
-	// So, under those testing conditions, do _not_ use netns to
-	// create listening sockets. Such sockets are vulnerable to
-	// routing loops, but it's tests that don't set up routing loops,
-	// so we don't care.
-	if c.testPxPPort != 0 || c.testUPnPPort != 0 || os.Getenv("GITHUB_ACTIONS") == "true" {
-		var lc net.ListenConfig
-		return lc.ListenPacket(ctx, network, addr)
-	}
-	return netns.Listener().ListenPacket(ctx, network, addr)
-}
-
 func (c *Client) invalidateMappingsLocked(releaseOld bool) {
 	if c.mapping != nil {
 		if releaseOld {
@@ -266,7 +215,6 @@ func (c *Client) invalidateMappingsLocked(releaseOld bool) {
 	c.pmpPubIPTime = time.Time{}
 	c.pcpSawTime = time.Time{}
 	c.uPnPSawTime = time.Time{}
-	c.uPnPMeta = uPnPDiscoResponse{}
 }

 func (c *Client) sawPMPRecently() bool {
@@ -282,10 +230,6 @@ func (c *Client) sawPMPRecentlyLocked() bool {
 func (c *Client) sawPCPRecently() bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	return c.sawPCPRecentlyLocked()
-}
-
-func (c *Client) sawPCPRecentlyLocked() bool {
 	return c.pcpSawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
 }

@@ -384,18 +328,12 @@ func (c *Client) createMapping() {
 	}
 }

-// wildcardIP is used when the previous external IP is not known for PCP port mapping.
-var wildcardIP = netaddr.MustParseIP("0.0.0.0")
-
 // createOrGetMapping either creates a new mapping or returns a cached
 // valid one.
 //
 // If no mapping is available, the error will be of type
 // NoMappingError; see IsNoMappingError.
 func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPort, err error) {
-	if DisableUPnP && DisablePCP && DisablePMP {
-		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-	}
 	gw, myIP, ok := c.gatewayAndSelfIP()
 	if !ok {
 		return netaddr.IPPort{}, NoMappingError{ErrGatewayRange}
@@ -404,6 +342,10 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	c.mu.Lock()
 	localPort := c.localPort
 	internalAddr := netaddr.IPPortFrom(myIP, localPort)
+	m := &pmpMapping{
+		gw:       gw,
+		internal: internalAddr,
+	}

 	// prevPort is the port we had most previously, if any. We try
 	// to ask for the same port. 0 means to give us any port.
@@ -420,45 +362,25 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 		prevPort = m.External().Port()
 	}

-	if DisablePCP && DisablePMP {
-		c.mu.Unlock()
-		if external, ok := c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort); ok {
-			return external, nil
-		}
-		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-	}
-
 	// If we just did a Probe (e.g. via netchecker) but didn't
 	// find a PMP service, bail out early rather than probing
 	// again. Cuts down latency for most clients.
 	haveRecentPMP := c.sawPMPRecentlyLocked()
-	haveRecentPCP := c.sawPCPRecentlyLocked()
-
-	// Since PMP mapping may require multiple calls, and it's not clear from the outset
-	// whether we're doing a PCP or PMP call, initialize the PMP mapping here,
-	// and only return it once completed.
-	//
-	// PCP returns all the information necessary for a mapping in a single packet, so we can
-	// construct it upon receiving that packet.
-	m := &pmpMapping{
-		c:        c,
-		gw:       netaddr.IPPortFrom(gw, c.pxpPort()),
-		internal: internalAddr,
-	}
 	if haveRecentPMP {
 		m.external = m.external.WithIP(c.pmpPubIP)
 	}
-	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP && !haveRecentPCP {
+	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP {
 		c.mu.Unlock()
 		// fallback to UPnP portmapping
-		if external, ok := c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort); ok {
-			return external, nil
+		if mapping, ok := c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort); ok {
+			return mapping, nil
 		}
 		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
 	}
+
 	c.mu.Unlock()

-	uc, err := c.listenPacket(ctx, "udp4", ":0")
+	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
 	if err != nil {
 		return netaddr.IPPort{}, err
 	}
@@ -467,31 +389,20 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	uc.SetReadDeadline(time.Now().Add(portMapServiceTimeout))
 	defer closeCloserOnContextDone(ctx, uc)()

-	pxpAddr := netaddr.IPPortFrom(gw, c.pxpPort())
-	pxpAddru := pxpAddr.UDPAddr()
+	pmpAddr := netaddr.IPPortFrom(gw, pmpPort)
+	pmpAddru := pmpAddr.UDPAddr()

-	preferPCP := !DisablePCP && (DisablePMP || (!haveRecentPMP && haveRecentPCP))
-
-	// Create a mapping, defaulting to PMP unless only PCP was seen recently.
-	if preferPCP {
-		// TODO replace wildcardIP here with previous external if known.
-		// Only do PCP mapping in the case when PMP did not appear to be available recently.
-		pkt := buildPCPRequestMappingPacket(myIP, localPort, prevPort, pcpMapLifetimeSec, wildcardIP)
-		if _, err := uc.WriteTo(pkt, pxpAddru); err != nil {
+	// Ask for our external address if needed.
+	if m.external.IP().IsZero() {
+		if _, err := uc.WriteTo(pmpReqExternalAddrPacket, pmpAddru); err != nil {
 			return netaddr.IPPort{}, err
 		}
-	} else {
-		// Ask for our external address if needed.
-		if m.external.IP().IsZero() {
-			if _, err := uc.WriteTo(pmpReqExternalAddrPacket, pxpAddru); err != nil {
-				return netaddr.IPPort{}, err
-			}
-		}
+	}

-		pkt := buildPMPRequestMappingPacket(localPort, prevPort, pmpMapLifetimeSec)
-		if _, err := uc.WriteTo(pkt, pxpAddru); err != nil {
-			return netaddr.IPPort{}, err
-		}
+	// And ask for a mapping.
+	pmpReqMapping := buildPMPRequestMappingPacket(localPort, prevPort, pmpMapLifetimeSec)
+	if _, err := uc.WriteTo(pmpReqMapping, pmpAddru); err != nil {
+		return netaddr.IPPort{}, err
 	}

 	res := make([]byte, 1500)
@@ -512,46 +423,25 @@ func (c *Client) createOrGetMapping(ctx context.Context) (external netaddr.IPPor
 		if !ok {
 			continue
 		}
-		if src == pxpAddr {
-			version := res[0]
-			switch version {
-			case pmpVersion:
-				pres, ok := parsePMPResponse(res[:n])
-				if !ok {
-					c.logf("unexpected PMP response: % 02x", res[:n])
-					continue
-				}
-				if pres.ResultCode != 0 {
-					return netaddr.IPPort{}, NoMappingError{fmt.Errorf("PMP response Op=0x%x,Res=0x%x", pres.OpCode, pres.ResultCode)}
-				}
-				if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr {
-					m.external = m.external.WithIP(pres.PublicAddr)
-				}
-				if pres.OpCode == pmpOpReply|pmpOpMapUDP {
-					m.external = m.external.WithPort(pres.ExternalPort)
-					d := time.Duration(pres.MappingValidSeconds) * time.Second
-					now := time.Now()
-					m.goodUntil = now.Add(d)
-					m.renewAfter = now.Add(d / 2) // renew in half the time
-					m.epoch = pres.SecondsSinceEpoch
-				}
-			case pcpVersion:
-				pcpMapping, err := parsePCPMapResponse(res[:n])
-				if err != nil {
-					c.logf("failed to get PCP mapping: %v", err)
-					// PCP should only have a single packet response
-					return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-				}
-				pcpMapping.c = c
-				pcpMapping.internal = m.internal
-				pcpMapping.gw = netaddr.IPPortFrom(gw, c.pxpPort())
-				c.mu.Lock()
-				defer c.mu.Unlock()
-				c.mapping = pcpMapping
-				return pcpMapping.external, nil
-			default:
-				c.logf("unknown PMP/PCP version number: %d %v", version, res[:n])
-				return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
+		if src == pmpAddr {
+			pres, ok := parsePMPResponse(res[:n])
+			if !ok {
+				c.logf("unexpected PMP response: % 02x", res[:n])
+				continue
+			}
+			if pres.ResultCode != 0 {
+				return netaddr.IPPort{}, NoMappingError{fmt.Errorf("PMP response Op=0x%x,Res=0x%x", pres.OpCode, pres.ResultCode)}
+			}
+			if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr {
+				m.external = m.external.WithIP(pres.PublicAddr)
+			}
+			if pres.OpCode == pmpOpReply|pmpOpMapUDP {
+				m.external = m.external.WithPort(pres.ExternalPort)
+				d := time.Duration(pres.MappingValidSeconds) * time.Second
+				now := time.Now()
+				m.goodUntil = now.Add(d)
+				m.renewAfter = now.Add(d / 2) // renew in half the time
+				m.epoch = pres.SecondsSinceEpoch
 			}
 		}

@@ -568,11 +458,10 @@ type pmpResultCode uint16

 // NAT-PMP constants.
 const (
-	pmpDefaultPort       = 5351
+	pmpPort              = 5351
 	pmpMapLifetimeSec    = 7200 // RFC recommended 2 hour map duration
 	pmpMapLifetimeDelete = 0    // 0 second lifetime deletes

-	pmpVersion         = 0
 	pmpOpMapPublicAddr = 0
 	pmpOpMapUDP        = 1
 	pmpOpReply         = 0x80 // OR'd into request's op code on response
@@ -666,7 +555,7 @@ func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
 		}
 	}()

-	uc, err := c.listenPacket(context.Background(), "udp4", ":0")
+	uc, err := netns.Listener().ListenPacket(context.Background(), "udp4", ":0")
 	if err != nil {
 		c.logf("ProbePCP: %v", err)
 		return res, err
@@ -676,25 +565,26 @@ func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
 	defer cancel()
 	defer closeCloserOnContextDone(ctx, uc)()

-	pxpAddr := netaddr.IPPortFrom(gw, c.pxpPort()).UDPAddr()
-	upnpAddr := netaddr.IPPortFrom(gw, c.upnpPort()).UDPAddr()
+	pcpAddr := netaddr.IPPortFrom(gw, pcpPort).UDPAddr()
+	pmpAddr := netaddr.IPPortFrom(gw, pmpPort).UDPAddr()
+	upnpAddr := netaddr.IPPortFrom(gw, upnpPort).UDPAddr()

 	// Don't send probes to services that we recently learned (for
 	// the same gw/myIP) are available. See
 	// https://github.com/tailscale/tailscale/issues/1001
 	if c.sawPMPRecently() {
 		res.PMP = true
-	} else if !DisablePMP {
-		uc.WriteTo(pmpReqExternalAddrPacket, pxpAddr)
+	} else {
+		uc.WriteTo(pmpReqExternalAddrPacket, pmpAddr)
 	}
 	if c.sawPCPRecently() {
 		res.PCP = true
-	} else if !DisablePCP {
-		uc.WriteTo(pcpAnnounceRequest(myIP), pxpAddr)
+	} else {
+		uc.WriteTo(pcpAnnounceRequest(myIP), pcpAddr)
 	}
 	if c.sawUPnPRecently() {
 		res.UPnP = true
-	} else if !DisableUPnP {
+	} else {
 		uc.WriteTo(uPnPPacket, upnpAddr)
 	}

@@ -712,27 +602,22 @@ func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
 			}
 			return res, err
 		}
-		port := uint16(addr.(*net.UDPAddr).Port)
+		port := addr.(*net.UDPAddr).Port
 		switch port {
-		case c.upnpPort():
+		case upnpPort:
 			if mem.Contains(mem.B(buf[:n]), mem.S(":InternetGatewayDevice:")) {
 				meta, err := parseUPnPDiscoResponse(buf[:n])
 				if err != nil {
 					c.logf("unrecognized UPnP discovery response; ignoring")
 				}
-				if VerboseLogs {
-					c.logf("UPnP reply %+v, %q", meta, buf[:n])
-				}
+				// log.Printf("UPnP reply %+v, %q", meta, buf[:n])
 				res.UPnP = true
 				c.mu.Lock()
 				c.uPnPSawTime = time.Now()
-				if c.uPnPMeta != meta {
-					c.logf("UPnP meta changed: %+v", meta)
-					c.uPnPMeta = meta
-				}
+				c.uPnPMeta = meta
 				c.mu.Unlock()
 			}
-		case c.pxpPort(): // same value for PMP and PCP
+		case pcpPort: // same as pmpPort
 			if pres, ok := parsePCPResponse(buf[:n]); ok {
 				if pres.OpCode == pcpOpReply|pcpOpAnnounce {
 					pcpHeard = true
@@ -772,13 +657,83 @@ func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
 	}
 }

-var pmpReqExternalAddrPacket = []byte{pmpVersion, pmpOpMapPublicAddr} // 0, 0
-
 const (
-	upnpDefaultPort = 1900 // for UDP discovery only; TCP port discovered later
+	pcpVersion = 2
+	pcpPort    = 5351
+
+	pcpCodeOK            = 0
+	pcpCodeNotAuthorized = 2
+
+	pcpOpReply    = 0x80 // OR'd into request's op code on response
+	pcpOpAnnounce = 0
+	pcpOpMap      = 1
+)
+
+// pcpAnnounceRequest generates a PCP packet with an ANNOUNCE opcode.
+func pcpAnnounceRequest(myIP netaddr.IP) []byte {
+	// See https://tools.ietf.org/html/rfc6887#section-7.1
+	pkt := make([]byte, 24)
+	pkt[0] = pcpVersion // version
+	pkt[1] = pcpOpAnnounce
+	myIP16 := myIP.As16()
+	copy(pkt[8:], myIP16[:])
+	return pkt
+}
+
+// pcpMapRequest generates a PCP packet with a MAP opcode.
+func pcpMapRequest(myIP netaddr.IP, mapToLocalPort int, delete bool) []byte {
+	const udpProtoNumber = 17
+	lifetimeSeconds := uint32(1)
+	if delete {
+		lifetimeSeconds = 0
+	}
+	const opMap = 1
+
+	// 24 byte header + 36 byte map opcode
+	pkt := make([]byte, (32+32+128)/8+(96+8+24+16+16+128)/8)
+
+	// The header (https://tools.ietf.org/html/rfc6887#section-7.1)
+	pkt[0] = 2 // version
+	pkt[1] = opMap
+	binary.BigEndian.PutUint32(pkt[4:8], lifetimeSeconds)
+	myIP16 := myIP.As16()
+	copy(pkt[8:], myIP16[:])
+
+	// The map opcode body (https://tools.ietf.org/html/rfc6887#section-11.1)
+	mapOp := pkt[24:]
+	rand.Read(mapOp[:12]) // 96 bit mappping nonce
+	mapOp[12] = udpProtoNumber
+	binary.BigEndian.PutUint16(mapOp[16:], uint16(mapToLocalPort))
+	v4unspec := netaddr.MustParseIP("0.0.0.0")
+	v4unspec16 := v4unspec.As16()
+	copy(mapOp[20:], v4unspec16[:])
+	return pkt
+}
+
+type pcpResponse struct {
+	OpCode     uint8
+	ResultCode uint8
+	Lifetime   uint32
+	Epoch      uint32
+}
+
+func parsePCPResponse(b []byte) (res pcpResponse, ok bool) {
+	if len(b) < 24 || b[0] != pcpVersion {
+		return
+	}
+	res.OpCode = b[1]
+	res.ResultCode = b[3]
+	res.Lifetime = binary.BigEndian.Uint32(b[4:])
+	res.Epoch = binary.BigEndian.Uint32(b[8:])
+	return res, true
+}
+
+var pmpReqExternalAddrPacket = []byte{0, 0} // version 0, opcode 0 = "Public address request"
+
+const (
+	upnpPort = 1900
 )

-// uPnPPacket is the UPnP UDP discovery packet's request body.
 var uPnPPacket = []byte("M-SEARCH * HTTP/1.1\r\n" +
 	"HOST: 239.255.255.250:1900\r\n" +
 	"ST: ssdp:all\r\n" +
--- a/net/portmapper/portmapper_test.go
+++ b/net/portmapper/portmapper_test.go
@@ -7,7 +7,6 @@ package portmapper
 import (
 	"context"
 	"os"
-	"reflect"
 	"strconv"
 	"testing"
 	"time"
@@ -56,70 +55,3 @@ func TestClientProbeThenMap(t *testing.T) {
 	ext, err := c.createOrGetMapping(context.Background())
 	t.Logf("createOrGetMapping: %v, %v", ext, err)
 }
-
-func TestProbeIntegration(t *testing.T) {
-	igd, err := NewTestIGD(t.Logf, TestIGDOptions{PMP: true, PCP: true, UPnP: true})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer igd.Close()
-
-	c := newTestClient(t, igd)
-	t.Logf("Listening on pxp=%v, upnp=%v", c.testPxPPort, c.testUPnPPort)
-	defer c.Close()
-
-	res, err := c.Probe(context.Background())
-	if err != nil {
-		t.Fatalf("Probe: %v", err)
-	}
-	if !res.UPnP {
-		t.Errorf("didn't detect UPnP")
-	}
-	st := igd.stats()
-	want := igdCounters{
-		numUPnPDiscoRecv:     1,
-		numPMPRecv:           1,
-		numPCPRecv:           1,
-		numPCPDiscoRecv:      1,
-		numPMPPublicAddrRecv: 1,
-	}
-	if !reflect.DeepEqual(st, want) {
-		t.Errorf("unexpected stats:\n got: %+v\nwant: %+v", st, want)
-	}
-
-	t.Logf("Probe: %+v", res)
-	t.Logf("IGD stats: %+v", st)
-	// TODO(bradfitz): finish
-}
-
-func TestPCPIntegration(t *testing.T) {
-	igd, err := NewTestIGD(t.Logf, TestIGDOptions{PMP: false, PCP: true, UPnP: false})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer igd.Close()
-
-	c := newTestClient(t, igd)
-	defer c.Close()
-	res, err := c.Probe(context.Background())
-	if err != nil {
-		t.Fatalf("probe failed: %v", err)
-	}
-	if res.UPnP || res.PMP {
-		t.Errorf("probe unexpectedly saw upnp or pmp: %+v", res)
-	}
-	if !res.PCP {
-		t.Fatalf("probe did not see pcp: %+v", res)
-	}
-
-	external, err := c.createOrGetMapping(context.Background())
-	if err != nil {
-		t.Fatalf("failed to get mapping: %v", err)
-	}
-	if external.IsZero() {
-		t.Errorf("got zero IP, expected non-zero")
-	}
-	if c.mapping == nil {
-		t.Errorf("got nil mapping after successful createOrGetMapping")
-	}
-}
--- a/net/portmapper/upnp.go
+++ b/net/portmapper/upnp.go
@@ -2,9 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !ios
 // +build !ios
-
 // (https://github.com/tailscale/tailscale/issues/2495)

 package portmapper
@@ -14,10 +12,10 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"log"
 	"math/rand"
 	"net/http"
 	"net/url"
-	"strings"
 	"time"

 	"github.com/tailscale/goupnp"
@@ -25,9 +23,12 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/net/netns"
-	"tailscale.com/types/logger"
 )

+// VerboseLogs controls verbose debug logging.
+// It exists for use by "tailscaled debug --portmap".
+var VerboseLogs bool
+
 // References:
 //
 // WANIP Connection v2: http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf
@@ -153,8 +154,8 @@ func addAnyPortMapping(
 //
 // The provided ctx is not retained in the returned upnpClient, but
 // its associated HTTP client is (if set via goupnp.WithHTTPClient).
-func getUPnPClient(ctx context.Context, logf logger.Logf, gw netaddr.IP, meta uPnPDiscoResponse) (client upnpClient, err error) {
-	if controlknobs.DisableUPnP() || DisableUPnP {
+func getUPnPClient(ctx context.Context, gw netaddr.IP, meta uPnPDiscoResponse) (upnpClient, error) {
+	if controlknobs.DisableUPnP() {
 		return nil, nil
 	}

@@ -163,7 +164,7 @@ func getUPnPClient(ctx context.Context, logf logger.Logf, gw netaddr.IP, meta uP
 	}

 	if VerboseLogs {
-		logf("fetching %v", meta.Location)
+		log.Printf("fetching %v", meta.Location)
 	}
 	u, err := url.Parse(meta.Location)
 	if err != nil {
@@ -179,11 +180,7 @@ func getUPnPClient(ctx context.Context, logf logger.Logf, gw netaddr.IP, meta uP
 			meta.Location, gw)
 	}

-	// We're fetching a smallish XML document over plain HTTP
-	// across the local LAN, without using DNS.  There should be
-	// very few round trips and low latency, so one second is a
-	// long time.
-	ctx, cancel := context.WithTimeout(ctx, time.Second)
+	ctx, cancel := context.WithTimeout(ctx, 500*time.Millisecond)
 	defer cancel()

 	// This part does a network fetch.
@@ -192,15 +189,6 @@ func getUPnPClient(ctx context.Context, logf logger.Logf, gw netaddr.IP, meta uP
 		return nil, err
 	}

-	defer func() {
-		if client == nil {
-			return
-		}
-		logf("saw UPnP type %v at %v; %v (%v)",
-			strings.TrimPrefix(fmt.Sprintf("%T", client), "*internetgateway2."),
-			meta.Location, root.Device.FriendlyName, root.Device.Manufacturer)
-	}()
-
 	// These parts don't do a network fetch.
 	// Pick the best service type available.
 	if cc, _ := internetgateway2.NewWANIPConnection2ClientsFromRootDevice(ctx, root, u); len(cc) > 0 {
@@ -236,7 +224,7 @@ func (c *Client) getUPnPPortMapping(
 	internal netaddr.IPPort,
 	prevPort uint16,
 ) (external netaddr.IPPort, ok bool) {
-	if controlknobs.DisableUPnP() || DisableUPnP {
+	if controlknobs.DisableUPnP() {
 		return netaddr.IPPort{}, false
 	}
 	now := time.Now()
@@ -256,9 +244,9 @@ func (c *Client) getUPnPPortMapping(
 		client = oldMapping.client
 	} else {
 		ctx := goupnp.WithHTTPClient(ctx, httpClient)
-		client, err = getUPnPClient(ctx, c.logf, gw, meta)
+		client, err = getUPnPClient(ctx, gw, meta)
 		if VerboseLogs {
-			c.logf("getUPnPClient: %T, %v", client, err)
+			log.Printf("getUPnPClient: %T, %v", client, err)
 		}
 		if err != nil {
 			return netaddr.IPPort{}, false
@@ -278,7 +266,7 @@ func (c *Client) getUPnPPortMapping(
 		time.Second*pmpMapLifetimeSec,
 	)
 	if VerboseLogs {
-		c.logf("addAnyPortMapping: %v, %v", newPort, err)
+		log.Printf("addAnyPortMapping: %v, %v", newPort, err)
 	}
 	if err != nil {
 		return netaddr.IPPort{}, false
@@ -286,7 +274,7 @@ func (c *Client) getUPnPPortMapping(
 	// TODO cache this ip somewhere?
 	extIP, err := client.GetExternalIPAddress(ctx)
 	if VerboseLogs {
-		c.logf("client.GetExternalIPAddress: %v, %v", extIP, err)
+		log.Printf("client.GetExternalIPAddress: %v, %v", extIP, err)
 	}
 	if err != nil {
 		// TODO this doesn't seem right
@@ -311,11 +299,6 @@ func (c *Client) getUPnPPortMapping(

 type uPnPDiscoResponse struct {
 	Location string
-	// Server describes what version the UPnP is, such as MiniUPnPd/2.x.x
-	Server string
-	// USN is the serial number of the device, which also contains
-	// what kind of UPnP service is being offered, i.e. InternetGatewayDevice:2
-	USN string
 }

 // parseUPnPDiscoResponse parses a UPnP HTTP-over-UDP discovery response.
@@ -326,7 +309,5 @@ func parseUPnPDiscoResponse(body []byte) (uPnPDiscoResponse, error) {
 		return r, err
 	}
 	r.Location = res.Header.Get("Location")
-	r.Server = res.Header.Get("Server")
-	r.USN = res.Header.Get("Usn")
 	return r, nil
 }
--- a/net/portmapper/upnp_test.go
+++ b/net/portmapper/upnp_test.go
@@ -5,7 +5,6 @@
 package portmapper

 import (
-	"bytes"
 	"context"
 	"fmt"
 	"io"
@@ -13,7 +12,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"reflect"
-	"regexp"
 	"testing"

 	"inet.af/netaddr"
@@ -43,13 +41,9 @@ func TestParseUPnPDiscoResponse(t *testing.T) {
 	}{
 		{"google", googleWifiUPnPDisco, uPnPDiscoResponse{
 			Location: "http://192.168.86.1:5000/rootDesc.xml",
-			Server:   "Linux/5.4.0-1034-gcp UPnP/1.1 MiniUPnPd/1.9",
-			USN:      "uuid:a9708184-a6c0-413a-bbac-11bcf7e30ece::urn:schemas-upnp-org:device:InternetGatewayDevice:2",
 		}},
 		{"pfsense", pfSenseUPnPDisco, uPnPDiscoResponse{
 			Location: "http://192.168.1.1:2189/rootDesc.xml",
-			Server:   "FreeBSD/12.2-STABLE UPnP/1.1 MiniUPnPd/2.2.1",
-			USN:      "uuid:bee7052b-49e8-3597-b545-55a1e38ac11::urn:schemas-upnp-org:device:InternetGatewayDevice:1",
 		}},
 	}
 	for _, tt := range tests {
@@ -70,20 +64,9 @@ func TestGetUPnPClient(t *testing.T) {
 		name    string
 		xmlBody string
 		want    string
-		wantLog string
 	}{
-		{
-			"google",
-			googleWifiRootDescXML,
-			"*internetgateway2.WANIPConnection2",
-			"saw UPnP type WANIPConnection2 at http://127.0.0.1:NNN/rootDesc.xml; OnHub (Google)\n",
-		},
-		{
-			"pfsense",
-			pfSenseRootDescXML,
-			"*internetgateway2.WANIPConnection1",
-			"saw UPnP type WANIPConnection1 at http://127.0.0.1:NNN/rootDesc.xml; FreeBSD router (FreeBSD)\n",
-		},
+		{"google", googleWifiRootDescXML, "*internetgateway2.WANIPConnection2"},
+		{"pfsense", pfSenseRootDescXML, "*internetgateway2.WANIPConnection1"},
 		// TODO(bradfitz): find a PPP one in the wild
 	}
 	for _, tt := range tests {
@@ -97,12 +80,7 @@ func TestGetUPnPClient(t *testing.T) {
 			}))
 			defer ts.Close()
 			gw, _ := netaddr.FromStdIP(ts.Listener.Addr().(*net.TCPAddr).IP)
-			var logBuf bytes.Buffer
-			logf := func(format string, a ...interface{}) {
-				fmt.Fprintf(&logBuf, format, a...)
-				logBuf.WriteByte('\n')
-			}
-			c, err := getUPnPClient(context.Background(), logf, gw, uPnPDiscoResponse{
+			c, err := getUPnPClient(context.Background(), gw, uPnPDiscoResponse{
 				Location: ts.URL + "/rootDesc.xml",
 			})
 			if err != nil {
@@ -112,10 +90,6 @@ func TestGetUPnPClient(t *testing.T) {
 			if got != tt.want {
 				t.Errorf("got %v; want %v", got, tt.want)
 			}
-			gotLog := regexp.MustCompile(`127\.0\.0\.1:\d+`).ReplaceAllString(logBuf.String(), "127.0.0.1:NNN")
-			if gotLog != tt.wantLog {
-				t.Errorf("logged %q; want %q", gotLog, tt.wantLog)
-			}
 		})
 	}
 }
--- a/net/stun/stun_fuzzer.go
+++ b/net/stun/stun_fuzzer.go
@@ -1,7 +1,6 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-//go:build gofuzz
 // +build gofuzz

 package stun
--- a/net/tshttpproxy/tshttpproxy_future.go
+++ b/net/tshttpproxy/tshttpproxy_future.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build tailscale_go
 // +build tailscale_go

 // We want to use https://github.com/golang/go/issues/41048 but it's only in the
--- a/net/tstun/ifstatus_noop.go
+++ b/net/tstun/ifstatus_noop.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 package tstun
--- a/net/tstun/tap_linux.go
+++ b/net/tstun/tap_linux.go
@@ -1,365 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tstun
-
-import (
-	"fmt"
-	"net"
-	"os"
-	"os/exec"
-
-	"github.com/insomniacslk/dhcp/dhcpv4"
-	"golang.org/x/sys/unix"
-	"golang.zx2c4.com/wireguard/tun"
-	"inet.af/netaddr"
-	"inet.af/netstack/tcpip"
-	"inet.af/netstack/tcpip/buffer"
-	"inet.af/netstack/tcpip/header"
-	"inet.af/netstack/tcpip/network/ipv4"
-	"inet.af/netstack/tcpip/transport/udp"
-	"tailscale.com/net/packet"
-	"tailscale.com/types/ipproto"
-)
-
-// TODO: this was randomly generated once. Maybe do it per process start? But
-// then an upgraded tailscaled would be visible to devices behind it. So
-// maybe instead make it a function of the tailscaled's wireguard public key?
-// For now just hard code it.
-var ourMAC = net.HardwareAddr{0x30, 0x2D, 0x66, 0xEC, 0x7A, 0x93}
-
-func init() { createTAP = createTAPLinux }
-
-func createTAPLinux(tapName, bridgeName string) (tun.Device, error) {
-	fd, err := unix.Open("/dev/net/tun", unix.O_RDWR, 0)
-	if err != nil {
-		return nil, err
-	}
-
-	dev, err := openDevice(fd, tapName, bridgeName)
-	if err != nil {
-		unix.Close(fd)
-		return nil, err
-	}
-
-	return dev, nil
-}
-
-func openDevice(fd int, tapName, bridgeName string) (tun.Device, error) {
-	ifr, err := unix.NewIfreq(tapName)
-	if err != nil {
-		return nil, err
-	}
-
-	// Flags are stored as a uint16 in the ifreq union.
-	ifr.SetUint16(unix.IFF_TAP | unix.IFF_NO_PI)
-	if err := unix.IoctlIfreq(fd, unix.TUNSETIFF, ifr); err != nil {
-		return nil, err
-	}
-
-	if err := run("ip", "link", "set", "dev", tapName, "up"); err != nil {
-		return nil, err
-	}
-	if bridgeName != "" {
-		if err := run("brctl", "addif", bridgeName, tapName); err != nil {
-			return nil, err
-		}
-	}
-
-	// Also sets non-blocking I/O on fd when creating tun.Device.
-	dev, _, err := tun.CreateUnmonitoredTUNFromFD(fd) // TODO: MTU
-	if err != nil {
-		return nil, err
-	}
-
-	return dev, nil
-}
-
-type etherType [2]byte
-
-var (
-	etherTypeARP  = etherType{0x08, 0x06}
-	etherTypeIPv4 = etherType{0x08, 0x00}
-	etherTypeIPv6 = etherType{0x86, 0xDD}
-)
-
-const ipv4HeaderLen = 20
-
-const (
-	consumePacket = true
-	passOnPacket  = false
-)
-
-// handleTAPFrame handles receiving a raw TAP ethernet frame and reports whether
-// it's been handled (that is, whether it should NOT be passed to wireguard).
-func (t *Wrapper) handleTAPFrame(ethBuf []byte) bool {
-
-	if len(ethBuf) < ethernetFrameSize {
-		// Corrupt. Ignore.
-		if tapDebug {
-			t.logf("tap: short TAP frame")
-		}
-		return consumePacket
-	}
-	ethDstMAC, ethSrcMAC := ethBuf[:6], ethBuf[6:12]
-	_ = ethDstMAC
-	et := etherType{ethBuf[12], ethBuf[13]}
-	switch et {
-	default:
-		if tapDebug {
-			t.logf("tap: ignoring etherType %v", et)
-		}
-		return consumePacket // filter out packet we should ignore
-	case etherTypeIPv6:
-		// TODO: support DHCPv6/ND/etc later. For now pass all to WireGuard.
-		if tapDebug {
-			t.logf("tap: ignoring IPv6 %v", et)
-		}
-		return passOnPacket
-	case etherTypeIPv4:
-		if len(ethBuf) < ethernetFrameSize+ipv4HeaderLen {
-			// Bogus IPv4. Eat.
-			if tapDebug {
-				t.logf("tap: short ipv4")
-			}
-			return consumePacket
-		}
-		return t.handleDHCPRequest(ethBuf)
-	case etherTypeARP:
-		arpPacket := header.ARP(ethBuf[ethernetFrameSize:])
-		if !arpPacket.IsValid() {
-			// Bogus ARP. Eat.
-			return consumePacket
-		}
-		switch arpPacket.Op() {
-		case header.ARPRequest:
-			req := arpPacket // better name at this point
-			buf := make([]byte, header.EthernetMinimumSize+header.ARPSize)
-
-			// Our ARP "Table" of one:
-			var srcMAC [6]byte
-			copy(srcMAC[:], ethSrcMAC)
-			if old := t.destMAC(); old != srcMAC {
-				t.destMACAtomic.Store(srcMAC)
-			}
-
-			eth := header.Ethernet(buf)
-			eth.Encode(&header.EthernetFields{
-				SrcAddr: tcpip.LinkAddress(ourMAC[:]),
-				DstAddr: tcpip.LinkAddress(ethSrcMAC),
-				Type:    0x0806, // arp
-			})
-			res := header.ARP(buf[header.EthernetMinimumSize:])
-			res.SetIPv4OverEthernet()
-			res.SetOp(header.ARPReply)
-
-			// If the client's asking about their own IP, tell them it's
-			// their own MAC. TODO(bradfitz): remove String allocs.
-			if net.IP(req.ProtocolAddressTarget()).String() == theClientIP {
-				copy(res.HardwareAddressSender(), ethSrcMAC)
-			} else {
-				copy(res.HardwareAddressSender(), ourMAC[:])
-			}
-
-			copy(res.ProtocolAddressSender(), req.ProtocolAddressTarget())
-			copy(res.HardwareAddressTarget(), req.HardwareAddressSender())
-			copy(res.ProtocolAddressTarget(), req.ProtocolAddressSender())
-
-			n, err := t.tdev.Write(buf, 0)
-			if tapDebug {
-				t.logf("tap: wrote ARP reply %v, %v", n, err)
-			}
-		}
-
-		return consumePacket
-	}
-}
-
-// TODO(bradfitz): remove these hard-coded values and move from a /24 to a /10 CGNAT as the range.
-const theClientIP = "100.70.145.3" // TODO: make dynamic from netmap
-const routerIP = "100.70.145.1"    // must be in same netmask (currently hack at /24) as theClientIP
-
-// handleDHCPRequest handles receiving a raw TAP ethernet frame and reports whether
-// it's been handled as a DHCP request. That is, it reports whether the frame should
-// be ignored by the caller and not passed on.
-func (t *Wrapper) handleDHCPRequest(ethBuf []byte) bool {
-	const udpHeader = 8
-	if len(ethBuf) < ethernetFrameSize+ipv4HeaderLen+udpHeader {
-		if tapDebug {
-			t.logf("tap: DHCP short")
-		}
-		return passOnPacket
-	}
-	ethDstMAC, ethSrcMAC := ethBuf[:6], ethBuf[6:12]
-
-	if string(ethDstMAC) != "\xff\xff\xff\xff\xff\xff" {
-		// Not a broadcast
-		if tapDebug {
-			t.logf("tap: dhcp no broadcast")
-		}
-		return passOnPacket
-	}
-
-	p := parsedPacketPool.Get().(*packet.Parsed)
-	defer parsedPacketPool.Put(p)
-	p.Decode(ethBuf[ethernetFrameSize:])
-
-	if p.IPProto != ipproto.UDP || p.Src.Port() != 68 || p.Dst.Port() != 67 {
-		// Not a DHCP request.
-		if tapDebug {
-			t.logf("tap: DHCP wrong meta")
-		}
-		return passOnPacket
-	}
-
-	dp, err := dhcpv4.FromBytes(ethBuf[ethernetFrameSize+ipv4HeaderLen+udpHeader:])
-	if err != nil {
-		// Bogus. Trash it.
-		if tapDebug {
-			t.logf("tap: DHCP FromBytes bad")
-		}
-		return consumePacket
-	}
-	if tapDebug {
-		t.logf("tap: DHCP request: %+v", dp)
-	}
-	switch dp.MessageType() {
-	case dhcpv4.MessageTypeDiscover:
-		offer, err := dhcpv4.New(
-			dhcpv4.WithReply(dp),
-			dhcpv4.WithMessageType(dhcpv4.MessageTypeOffer),
-			dhcpv4.WithRouter(net.ParseIP(routerIP)), // the default route
-			dhcpv4.WithDNS(net.ParseIP("100.100.100.100")),
-			dhcpv4.WithServerIP(net.ParseIP("100.100.100.100")), // TODO: what is this?
-			dhcpv4.WithOption(dhcpv4.OptServerIdentifier(net.ParseIP("100.100.100.100"))),
-			dhcpv4.WithYourIP(net.ParseIP(theClientIP)),
-			dhcpv4.WithLeaseTime(3600), // hour works
-			//dhcpv4.WithHwAddr(ethSrcMAC),
-			dhcpv4.WithNetmask(net.IPMask(net.ParseIP("255.255.255.0").To4())), // TODO: wrong
-			//dhcpv4.WithTransactionID(dp.TransactionID),
-		)
-		if err != nil {
-			t.logf("error building DHCP offer: %v", err)
-			return consumePacket
-		}
-		// Make a layer 2 packet to write out:
-		pkt := packLayer2UDP(
-			offer.ToBytes(),
-			ourMAC, ethSrcMAC,
-			netaddr.IPPortFrom(netaddr.IPv4(100, 100, 100, 100), 67), // src
-			netaddr.IPPortFrom(netaddr.IPv4(255, 255, 255, 255), 68), // dst
-		)
-		n, err := t.tdev.Write(pkt, 0)
-		if tapDebug {
-			t.logf("tap: wrote DHCP OFFER %v, %v", n, err)
-		}
-	case dhcpv4.MessageTypeRequest:
-		ack, err := dhcpv4.New(
-			dhcpv4.WithReply(dp),
-			dhcpv4.WithMessageType(dhcpv4.MessageTypeAck),
-			dhcpv4.WithDNS(net.ParseIP("100.100.100.100")),
-			dhcpv4.WithRouter(net.ParseIP(routerIP)),            // the default route
-			dhcpv4.WithServerIP(net.ParseIP("100.100.100.100")), // TODO: what is this?
-			dhcpv4.WithOption(dhcpv4.OptServerIdentifier(net.ParseIP("100.100.100.100"))),
-			dhcpv4.WithYourIP(net.ParseIP(theClientIP)), // Hello world
-			dhcpv4.WithLeaseTime(3600),                  // hour works
-			dhcpv4.WithNetmask(net.IPMask(net.ParseIP("255.255.255.0").To4())),
-		)
-		if err != nil {
-			t.logf("error building DHCP ack: %v", err)
-			return consumePacket
-		}
-		// Make a layer 2 packet to write out:
-		pkt := packLayer2UDP(
-			ack.ToBytes(),
-			ourMAC, ethSrcMAC,
-			netaddr.IPPortFrom(netaddr.IPv4(100, 100, 100, 100), 67), // src
-			netaddr.IPPortFrom(netaddr.IPv4(255, 255, 255, 255), 68), // dst
-		)
-		n, err := t.tdev.Write(pkt, 0)
-		if tapDebug {
-			t.logf("tap: wrote DHCP ACK %v, %v", n, err)
-		}
-	default:
-		if tapDebug {
-			t.logf("tap: unknown DHCP type")
-		}
-	}
-	return consumePacket
-}
-
-func packLayer2UDP(payload []byte, srcMAC, dstMAC net.HardwareAddr, src, dst netaddr.IPPort) []byte {
-	buf := buffer.NewView(header.EthernetMinimumSize + header.UDPMinimumSize + header.IPv4MinimumSize + len(payload))
-	payloadStart := len(buf) - len(payload)
-	copy(buf[payloadStart:], payload)
-	srcB := src.IP().As4()
-	srcIP := tcpip.Address(srcB[:])
-	dstB := dst.IP().As4()
-	dstIP := tcpip.Address(dstB[:])
-	// Ethernet header
-	eth := header.Ethernet(buf)
-	eth.Encode(&header.EthernetFields{
-		SrcAddr: tcpip.LinkAddress(srcMAC),
-		DstAddr: tcpip.LinkAddress(dstMAC),
-		Type:    ipv4.ProtocolNumber,
-	})
-	// IP header
-	ipbuf := buf[header.EthernetMinimumSize:]
-	ip := header.IPv4(ipbuf)
-	ip.Encode(&header.IPv4Fields{
-		TotalLength: uint16(len(ipbuf)),
-		TTL:         65,
-		Protocol:    uint8(udp.ProtocolNumber),
-		SrcAddr:     srcIP,
-		DstAddr:     dstIP,
-	})
-	ip.SetChecksum(^ip.CalculateChecksum())
-	// UDP header
-	u := header.UDP(buf[header.EthernetMinimumSize+header.IPv4MinimumSize:])
-	u.Encode(&header.UDPFields{
-		SrcPort: src.Port(),
-		DstPort: dst.Port(),
-		Length:  uint16(header.UDPMinimumSize + len(payload)),
-	})
-	// Calculate the UDP pseudo-header checksum.
-	xsum := header.PseudoHeaderChecksum(udp.ProtocolNumber, srcIP, dstIP, uint16(len(u)))
-	// Calculate the UDP checksum and set it.
-	xsum = header.Checksum(payload, xsum)
-	u.SetChecksum(^u.CalculateChecksum(xsum))
-	return []byte(buf)
-}
-
-func run(prog string, args ...string) error {
-	cmd := exec.Command(prog, args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("error running %v: %v", cmd, err)
-	}
-	return nil
-}
-
-func (t *Wrapper) destMAC() [6]byte {
-	mac, _ := t.destMACAtomic.Load().([6]byte)
-	return mac
-}
-
-func (t *Wrapper) tapWrite(buf []byte, offset int) (int, error) {
-	if offset < ethernetFrameSize {
-		return 0, fmt.Errorf("[unexpected] weird offset %d for TAP write", offset)
-	}
-	eth := buf[offset-ethernetFrameSize:]
-	dst := t.destMAC()
-	copy(eth[:6], dst[:])
-	copy(eth[6:12], ourMAC[:])
-	et := etherTypeIPv4
-	if buf[offset]>>4 == 6 {
-		et = etherTypeIPv6
-	}
-	eth[12], eth[13] = et[0], et[1]
-	if tapDebug {
-		t.logf("tap: tapWrite off=%v % x", offset, buf)
-	}
-	return t.tdev.Write(buf, offset-ethernetFrameSize)
-}
--- a/net/tstun/tap_unsupported.go
+++ b/net/tstun/tap_unsupported.go
@@ -1,11 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !linux
-// +build !linux
-
-package tstun
-
-func (*Wrapper) handleTAPFrame([]byte) bool        { panic("unreachable") }
-func (*Wrapper) tapWrite([]byte, int) (int, error) { panic("unreachable") }
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -7,15 +7,16 @@
 package tstun

 import (
-	"errors"
+	"bytes"
 	"os"
+	"os/exec"
 	"runtime"
 	"strconv"
-	"strings"
 	"time"

 	"golang.zx2c4.com/wireguard/tun"
 	"tailscale.com/types/logger"
+	"tailscale.com/version/distro"
 )

 // tunMTU is the MTU we set on tailscale's TUN interface. wireguard-go
@@ -34,32 +35,10 @@ func init() {
 	}
 }

-// createTAP is non-nil on Linux.
-var createTAP func(tapName, bridgeName string) (tun.Device, error)
-
 // New returns a tun.Device for the requested device name, along with
 // the OS-dependent name that was allocated to the device.
 func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
-	var dev tun.Device
-	var err error
-	if strings.HasPrefix(tunName, "tap:") {
-		if runtime.GOOS != "linux" {
-			return nil, "", errors.New("tap only works on Linux")
-		}
-		f := strings.Split(tunName, ":")
-		var tapName, bridgeName string
-		switch len(f) {
-		case 2:
-			tapName = f[1]
-		case 3:
-			tapName, bridgeName = f[1], f[2]
-		default:
-			return nil, "", errors.New("bogus tap argument")
-		}
-		dev, err = createTAP(tapName, bridgeName)
-	} else {
-		dev, err = tun.CreateTUN(tunName, tunMTU)
-	}
+	dev, err := tun.CreateTUN(tunName, tunMTU)
 	if err != nil {
 		return nil, "", err
 	}
@@ -75,18 +54,90 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 	return dev, name, nil
 }

-// tunDiagnoseFailure, if non-nil, does OS-specific diagnostics of why
-// TUN failed to work.
-var tunDiagnoseFailure func(tunName string, logf logger.Logf)
-
 // Diagnose tries to explain a tuntap device creation failure.
 // It pokes around the system and logs some diagnostic info that might
 // help debug why tun creation failed. Because device creation has
 // already failed and the program's about to end, log a lot.
 func Diagnose(logf logger.Logf, tunName string) {
-	if tunDiagnoseFailure != nil {
-		tunDiagnoseFailure(tunName, logf)
-	} else {
+	switch runtime.GOOS {
+	case "linux":
+		diagnoseLinuxTUNFailure(tunName, logf)
+	case "darwin":
+		diagnoseDarwinTUNFailure(tunName, logf)
+	default:
 		logf("no TUN failure diagnostics for OS %q", runtime.GOOS)
 	}
 }
+
+func diagnoseDarwinTUNFailure(tunName string, logf logger.Logf) {
+	if os.Getuid() != 0 {
+		logf("failed to create TUN device as non-root user; use 'sudo tailscaled', or run under launchd with 'sudo tailscaled install-system-daemon'")
+	}
+	if tunName != "utun" {
+		logf("failed to create TUN device %q; try using tun device \"utun\" instead for automatic selection", tunName)
+	}
+}
+
+func diagnoseLinuxTUNFailure(tunName string, logf logger.Logf) {
+	kernel, err := exec.Command("uname", "-r").Output()
+	kernel = bytes.TrimSpace(kernel)
+	if err != nil {
+		logf("no TUN, and failed to look up kernel version: %v", err)
+		return
+	}
+	logf("Linux kernel version: %s", kernel)
+
+	modprobeOut, err := exec.Command("/sbin/modprobe", "tun").CombinedOutput()
+	if err == nil {
+		logf("'modprobe tun' successful")
+		// Either tun is currently loaded, or it's statically
+		// compiled into the kernel (which modprobe checks
+		// with /lib/modules/$(uname -r)/modules.builtin)
+		//
+		// So if there's a problem at this point, it's
+		// probably because /dev/net/tun doesn't exist.
+		const dev = "/dev/net/tun"
+		if fi, err := os.Stat(dev); err != nil {
+			logf("tun module loaded in kernel, but %s does not exist", dev)
+		} else {
+			logf("%s: %v", dev, fi.Mode())
+		}
+
+		// We failed to find why it failed. Just let our
+		// caller report the error it got from wireguard-go.
+		return
+	}
+	logf("is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: %s", modprobeOut)
+
+	switch distro.Get() {
+	case distro.Debian:
+		dpkgOut, err := exec.Command("dpkg", "-S", "kernel/drivers/net/tun.ko").CombinedOutput()
+		if len(bytes.TrimSpace(dpkgOut)) == 0 || err != nil {
+			logf("tun module not loaded nor found on disk")
+			return
+		}
+		if !bytes.Contains(dpkgOut, kernel) {
+			logf("kernel/drivers/net/tun.ko found on disk, but not for current kernel; are you in middle of a system update and haven't rebooted? found: %s", dpkgOut)
+		}
+	case distro.Arch:
+		findOut, err := exec.Command("find", "/lib/modules/", "-path", "*/net/tun.ko*").CombinedOutput()
+		if len(bytes.TrimSpace(findOut)) == 0 || err != nil {
+			logf("tun module not loaded nor found on disk")
+			return
+		}
+		if !bytes.Contains(findOut, kernel) {
+			logf("kernel/drivers/net/tun.ko found on disk, but not for current kernel; are you in middle of a system update and haven't rebooted? found: %s", findOut)
+		}
+	case distro.OpenWrt:
+		out, err := exec.Command("opkg", "list-installed").CombinedOutput()
+		if err != nil {
+			logf("error querying OpenWrt installed packages: %s", out)
+			return
+		}
+		for _, pkg := range []string{"kmod-tun", "ca-bundle"} {
+			if !bytes.Contains(out, []byte(pkg+" - ")) {
+				logf("Missing required package %s; run: opkg install %s", pkg, pkg)
+			}
+		}
+	}
+}
--- a/net/tstun/tun_linux.go
+++ b/net/tstun/tun_linux.go
@@ -1,96 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tstun
-
-import (
-	"bytes"
-	"os"
-	"os/exec"
-	"strings"
-	"syscall"
-
-	"tailscale.com/types/logger"
-	"tailscale.com/version/distro"
-)
-
-func init() {
-	tunDiagnoseFailure = diagnoseLinuxTUNFailure
-}
-
-func diagnoseLinuxTUNFailure(tunName string, logf logger.Logf) {
-	var un syscall.Utsname
-	err := syscall.Uname(&un)
-	if err != nil {
-		logf("no TUN, and failed to look up kernel version: %v", err)
-		return
-	}
-	kernel := utsReleaseField(&un)
-	logf("Linux kernel version: %s", kernel)
-
-	modprobeOut, err := exec.Command("/sbin/modprobe", "tun").CombinedOutput()
-	if err == nil {
-		logf("'modprobe tun' successful")
-		// Either tun is currently loaded, or it's statically
-		// compiled into the kernel (which modprobe checks
-		// with /lib/modules/$(uname -r)/modules.builtin)
-		//
-		// So if there's a problem at this point, it's
-		// probably because /dev/net/tun doesn't exist.
-		const dev = "/dev/net/tun"
-		if fi, err := os.Stat(dev); err != nil {
-			logf("tun module loaded in kernel, but %s does not exist", dev)
-		} else {
-			logf("%s: %v", dev, fi.Mode())
-		}
-
-		// We failed to find why it failed. Just let our
-		// caller report the error it got from wireguard-go.
-		return
-	}
-	logf("is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: %s", modprobeOut)
-
-	switch distro.Get() {
-	case distro.Debian:
-		dpkgOut, err := exec.Command("dpkg", "-S", "kernel/drivers/net/tun.ko").CombinedOutput()
-		if len(bytes.TrimSpace(dpkgOut)) == 0 || err != nil {
-			logf("tun module not loaded nor found on disk")
-			return
-		}
-		if !bytes.Contains(dpkgOut, []byte(kernel)) {
-			logf("kernel/drivers/net/tun.ko found on disk, but not for current kernel; are you in middle of a system update and haven't rebooted? found: %s", dpkgOut)
-		}
-	case distro.Arch:
-		findOut, err := exec.Command("find", "/lib/modules/", "-path", "*/net/tun.ko*").CombinedOutput()
-		if len(bytes.TrimSpace(findOut)) == 0 || err != nil {
-			logf("tun module not loaded nor found on disk")
-			return
-		}
-		if !bytes.Contains(findOut, []byte(kernel)) {
-			logf("kernel/drivers/net/tun.ko found on disk, but not for current kernel; are you in middle of a system update and haven't rebooted? found: %s", findOut)
-		}
-	case distro.OpenWrt:
-		out, err := exec.Command("opkg", "list-installed").CombinedOutput()
-		if err != nil {
-			logf("error querying OpenWrt installed packages: %s", out)
-			return
-		}
-		for _, pkg := range []string{"kmod-tun", "ca-bundle"} {
-			if !bytes.Contains(out, []byte(pkg+" - ")) {
-				logf("Missing required package %s; run: opkg install %s", pkg, pkg)
-			}
-		}
-	}
-}
-
-func utsReleaseField(u *syscall.Utsname) string {
-	var sb strings.Builder
-	for _, v := range u.Release {
-		if v == 0 {
-			break
-		}
-		sb.WriteByte(byte(v))
-	}
-	return strings.TrimSpace(sb.String())
-}
--- a/net/tstun/tun_macos.go
+++ b/net/tstun/tun_macos.go
@@ -1,27 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build darwin && !ios
-// +build darwin,!ios
-
-package tstun
-
-import (
-	"os"
-
-	"tailscale.com/types/logger"
-)
-
-func init() {
-	tunDiagnoseFailure = diagnoseDarwinTUNFailure
-}
-
-func diagnoseDarwinTUNFailure(tunName string, logf logger.Logf) {
-	if os.Getuid() != 0 {
-		logf("failed to create TUN device as non-root user; use 'sudo tailscaled', or run under launchd with 'sudo tailscaled install-system-daemon'")
-	}
-	if tunName != "utun" {
-		logf("failed to create TUN device %q; try using tun device \"utun\" instead for automatic selection", tunName)
-	}
-}
--- a/net/tstun/tun_notwindows.go
+++ b/net/tstun/tun_notwindows.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 package tstun
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -8,10 +8,8 @@ package tstun

 import (
 	"errors"
-	"fmt"
 	"io"
 	"os"
-	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -23,7 +21,6 @@ import (
 	"tailscale.com/tstime/mono"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/pad32"
 	"tailscale.com/wgengine/filter"
 )

@@ -38,8 +35,6 @@ const PacketStartOffset = device.MessageTransportHeaderSize
 // of a packet that can be injected into a tstun.Wrapper.
 const MaxPacketSize = device.MaxContentSize

-const tapDebug = false // for super verbose TAP debugging
-
 var (
 	// ErrClosed is returned when attempting an operation on a closed Wrapper.
 	ErrClosed = errors.New("device closed")
@@ -66,16 +61,13 @@ type FilterFunc func(*packet.Parsed, *Wrapper) filter.Response
 type Wrapper struct {
 	logf logger.Logf
 	// tdev is the underlying Wrapper device.
-	tdev  tun.Device
-	isTAP bool // whether tdev is a TAP device
+	tdev tun.Device

 	closeOnce sync.Once

-	_                  pad32.Four
 	lastActivityAtomic mono.Time // time of last send or receive

 	destIPActivity atomic.Value // of map[netaddr.IP]func()
-	destMACAtomic  atomic.Value // of [6]byte

 	// buffer stores the oldest unconsumed packet from tdev.
 	// It is made a static buffer in order to avoid allocations.
@@ -154,19 +146,10 @@ type tunReadResult struct {
 	err  error
 }

-func WrapTAP(logf logger.Logf, tdev tun.Device) *Wrapper {
-	return wrap(logf, tdev, true)
-}
-
 func Wrap(logf logger.Logf, tdev tun.Device) *Wrapper {
-	return wrap(logf, tdev, false)
-}
-
-func wrap(logf logger.Logf, tdev tun.Device, isTAP bool) *Wrapper {
 	tun := &Wrapper{
-		logf:  logger.WithPrefix(logf, "tstun: "),
-		isTAP: isTAP,
-		tdev:  tdev,
+		logf: logger.WithPrefix(logf, "tstun: "),
+		tdev: tdev,
 		// bufferConsumed is conceptually a condition variable:
 		// a goroutine should not block when setting it, even with no listeners.
 		bufferConsumed: make(chan struct{}, 1),
@@ -301,14 +284,11 @@ func allowSendOnClosedChannel() {
 	panic(r)
 }

-const ethernetFrameSize = 14 // 2 six byte MACs, 2 bytes ethertype
-
 // poll polls t.tdev.Read, placing the oldest unconsumed packet into t.buffer.
 // This is needed because t.tdev.Read in general may block (it does on Windows),
 // so packets may be stuck in t.outbound if t.Read called t.tdev.Read directly.
 func (t *Wrapper) poll() {
 	for range t.bufferConsumed {
-	DoRead:
 		var n int
 		var err error
 		// Read may use memory in t.buffer before PacketStartOffset for mandatory headers.
@@ -323,33 +303,7 @@ func (t *Wrapper) poll() {
 			if t.isClosed() {
 				return
 			}
-			if t.isTAP {
-				n, err = t.tdev.Read(t.buffer[:], PacketStartOffset-ethernetFrameSize)
-				if tapDebug {
-					s := fmt.Sprintf("% x", t.buffer[:])
-					for strings.HasSuffix(s, " 00") {
-						s = strings.TrimSuffix(s, " 00")
-					}
-					t.logf("TAP read %v, %v: %s", n, err, s)
-				}
-			} else {
-				n, err = t.tdev.Read(t.buffer[:], PacketStartOffset)
-			}
-		}
-		if t.isTAP {
-			if err == nil {
-				ethernetFrame := t.buffer[PacketStartOffset-ethernetFrameSize:][:n]
-				if t.handleTAPFrame(ethernetFrame) {
-					goto DoRead
-				}
-			}
-			// Fall through. We got an IP packet.
-			if n >= ethernetFrameSize {
-				n -= ethernetFrameSize
-			}
-			if tapDebug {
-				t.logf("tap regular frame: %x", t.buffer[PacketStartOffset:PacketStartOffset+n])
-			}
+			n, err = t.tdev.Read(t.buffer[:], PacketStartOffset)
 		}
 		t.sendOutbound(tunReadResult{data: t.buffer[PacketStartOffset : PacketStartOffset+n], err: err})
 	}
@@ -567,13 +521,6 @@ func (t *Wrapper) Write(buf []byte, offset int) (int, error) {
 	}

 	t.noteActivity()
-	return t.tdevWrite(buf, offset)
-}
-
-func (t *Wrapper) tdevWrite(buf []byte, offset int) (int, error) {
-	if t.isTAP {
-		return t.tapWrite(buf, offset)
-	}
 	return t.tdev.Write(buf, offset)
 }

@@ -606,7 +553,7 @@ func (t *Wrapper) InjectInboundDirect(buf []byte, offset int) error {
 	}

 	// Write to the underlying device to skip filters.
-	_, err := t.tdevWrite(buf, offset)
+	_, err := t.tdev.Write(buf, offset)
 	return err
 }

--- a/paths/paths_unix.go
+++ b/paths/paths_unix.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 package paths
--- a/portlist/netstat.go
+++ b/portlist/netstat.go
@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !ios
-// +build !ios
+// +build go1.16,!ios !go1.16,!darwin !go1.16,!arm64

 package portlist

--- a/portlist/netstat_exec.go
+++ b/portlist/netstat_exec.go
@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build (windows || freebsd || openbsd || darwin) && !ios
-// +build windows freebsd openbsd darwin
+// +build windows freebsd openbsd darwin,go1.16 darwin,!go1.16,!arm64
 // +build !ios

 package portlist
--- a/portlist/portlist_ios.go
+++ b/portlist/portlist_ios.go
@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build ios
-// +build ios
+// +build go1.16,ios !go1.16,darwin,!amd64

 package portlist

--- a/portlist/portlist_macos.go
+++ b/portlist/portlist_macos.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build darwin && !ios
-// +build darwin,!ios
+// +build darwin,amd64,!go1.16 darwin,go1.16
+// +build !ios

 package portlist

--- a/portlist/portlist_other.go
+++ b/portlist/portlist_other.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !linux && !windows && !darwin
 // +build !linux,!windows,!darwin

 package portlist
--- a/safesocket/unixsocket.go
+++ b/safesocket/unixsocket.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 package safesocket
@@ -113,7 +112,7 @@ func socketPermissionsForOS() os.FileMode {
 // connectMacOSAppSandbox connects to the Tailscale Network Extension,
 // which is necessarily running within the macOS App Sandbox.  Our
 // little dance to connect a regular user binary to the sandboxed
-// network extension is:
+// nework extension is:
 //
 //   * the sandboxed IPNExtension picks a random localhost:0 TCP port
 //     to listen on
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .15.0
 .13.0