WIP

Signed-off-by: Andrew Dunham <andrew@tailscale.com>

VERSION.txt

@@ -1 +1 @@
-1.29.0
+1.31.0

cmd/gitops-pusher/gitops-pusher.go

@@ -8,6 +8,7 @@
 package main
 
 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/json"
@@ -264,13 +265,16 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 }
 
 func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
-	fin, err := os.Open(policyFname)
+	data, err := os.ReadFile(policyFname)
+	if err != nil {
+		return err
+	}
+	data, err = hujson.Standardize(data)
 	if err != nil {
 		return err
 	}
-	defer fin.Close()
 
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), fin)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}

cmd/nginx-auth/nginx-auth.go

@@ -75,12 +75,7 @@ func main() {
 				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
 				return
 			}
-			tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
-			if !ok {
-				w.WriteHeader(http.StatusUnauthorized)
-				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-				return
-			}
+			tailnet = strings.TrimSuffix(tailnet, ".beta.tailscale.net")
 		}
 
 		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {

cmd/tailscale/cli/cert.go

@@ -29,7 +29,7 @@ var certCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),

cmd/tailscaled/depaware.txt

@@ -290,7 +290,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
         tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+

cmd/tsconnect/src/lib/ssh.ts

@@ -30,7 +30,7 @@ export function runSSHSession(
   let resizeObserver: ResizeObserver | undefined
   let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined
 
-  const sshSession = ipn.ssh(def.hostname + "2", def.username, {
+  const sshSession = ipn.ssh(def.hostname, def.username, {
     writeFn(input) {
       term.write(input)
     },

control/controlclient/direct.go

@@ -133,6 +133,12 @@ type Options struct {
 	// MapResponse.PingRequest queries from the control plane.
 	// If nil, PingRequest queries are not answered.
 	Pinger Pinger
+
+	// GetTailscaleRoutes is a function that should return any Tailscale
+	// routes that are currently known; if any are returned, we test the IP
+	// address of the control server against these routes and use our
+	// fallback DNS server in those cases.
+	GetTailscaleRoutes func() []netip.Prefix
 }
 
 // Pinger is the LocalBackend.Ping method.

go.mod

@@ -64,7 +64,7 @@ require (
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11
 	golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478
-	golang.zx2c4.com/wireguard/windows v0.4.10
+	golang.zx2c4.com/wireguard/windows v0.5.3
 	gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444
 	honnef.co/go/tools v0.4.0-0.dev.0.20220404092545-59d7a2877f83
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
@@ -266,7 +266,7 @@ require (
 	github.com/yeya24/promlinter v0.1.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect

go.sum

@@ -729,8 +729,6 @@ github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
-github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -1352,7 +1350,6 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1449,7 +1446,6 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201109165425-215b40eba54c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1508,8 +1504,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y=
+golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1636,11 +1633,10 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
 golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478 h1:vDy//hdR+GnROE3OdYbQKt9rdtNdHkDtONvpRwmls/0=
 golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
-golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
-golang.zx2c4.com/wireguard/windows v0.4.10/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
+golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
+golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=

ipn/ipnlocal/local.go

@@ -132,6 +132,7 @@ type LocalBackend struct {
 
 	filterAtomic            atomic.Pointer[filter.Filter]
 	containsViaIPFuncAtomic syncs.AtomicValue[func(netip.Addr) bool]
+	tailscaleRoutesAtomic   syncs.AtomicValue[[]netip.Prefix]
 
 	// The mutex protects the following elements.
 	mu             sync.Mutex
@@ -884,6 +885,10 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 	return b.ccGen
 }
 
+func (b *LocalBackend) getTailscaleRoutes() []netip.Prefix {
+	return b.tailscaleRoutesAtomic.Load()
+}
+
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
@@ -1078,6 +1083,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		Dialer:               b.Dialer(),
 		Status:               b.setClientStatus,
 		C2NHandler:           http.HandlerFunc(b.handleC2N),
+		GetTailscaleRoutes:   b.getTailscaleRoutes,
 
 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -2315,6 +2321,7 @@ func (b *LocalBackend) authReconfig() {
 	}
 	b.logf("[v1] authReconfig: ra=%v dns=%v 0x%02x: %v", prefs.RouteAll, prefs.CorpDNS, flags, err)
 
+	b.tailscaleRoutesAtomic.Store(rcfg.Routes)
 	b.initPeerAPIListener()
 }
 

ipn/ipnlocal/network-lock.go

@@ -147,7 +147,7 @@ func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeK
 		SigKind:        tka.SigDirect,
 		KeyID:          signer.KeyID(),
 		Pubkey:         p,
-		RotationPubkey: nodeInfo.RotationPubkey,
+		WrappingPubkey: nodeInfo.RotationPubkey,
 	}
 	sig.Signature, err = signer.SignNKS(sig.SigHash())
 	if err != nil {

licenses/android.md

@@ -59,7 +59,7 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
  - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
  - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=c31a7b1ab478))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/850e42eb4444/LICENSE))

licenses/apple.md

@@ -42,7 +42,7 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
  - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=c31a7b1ab478))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/850e42eb4444/LICENSE))

licenses/tailscale.md

@@ -75,11 +75,11 @@ Some packages may only be included on certain architectures or operating systems
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
  - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.3.7:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
  - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
  - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=c31a7b1ab478))
- - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.4.10))
+ - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/850e42eb4444/LICENSE))
  - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
  - [inet.af/wf](https://pkg.go.dev/inet.af/wf) ([BSD-3-Clause](https://github.com/inetaf/wf/blob/50d96caab2f6/LICENSE))

licenses/windows.md

@@ -36,7 +36,7 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
  - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
  - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
- - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.4.10))
+ - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
  - [gopkg.in/Knetic/govaluate.v3](https://pkg.go.dev/gopkg.in/Knetic/govaluate.v3) ([MIT](https://github.com/Knetic/govaluate/blob/v3.0.0/LICENSE))
  - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
 

net/dns/manager_windows.go

@@ -485,11 +485,7 @@ func (m windowsManager) getBasePrimaryResolver() (resolvers []netip.Addr, err er
 		}
 
 	ipLoop:
-		for _, stdip := range ips {
-			ip, ok := netip.AddrFromSlice(stdip)
-			if !ok {
-				continue
-			}
+		for _, ip := range ips {
 			ip = ip.Unmap()
 			// Skip IPv6 site-local resolvers. These are an ancient
 			// and obsolete IPv6 RFC, which Windows still faithfully

net/interfaces/interfaces_windows.go

@@ -6,7 +6,6 @@ package interfaces
 
 import (
 	"log"
-	"net"
 	"net/netip"
 	"net/url"
 	"strings"
@@ -54,22 +53,21 @@ func likelyHomeRouterIPWindows() (ret netip.Addr, ok bool) {
 		return
 	}
 
-	unspec := net.IPv4(0, 0, 0, 0)
+	v4unspec := netip.IPv4Unspecified()
 	var best *winipcfg.MibIPforwardRow2 // best (lowest metric) found so far, or nil
 
 	for i := range rs {
 		r := &rs[i]
-		if r.Loopback || r.DestinationPrefix.PrefixLength != 0 || !r.DestinationPrefix.Prefix.IP().Equal(unspec) {
+		if r.Loopback || r.DestinationPrefix.PrefixLength != 0 || r.DestinationPrefix.Prefix().Addr().Unmap() != v4unspec {
 			// Not a default route, so skip
 			continue
 		}
 
-		ip, ok := netip.AddrFromSlice(r.NextHop.IP())
-		if !ok {
+		ip := r.NextHop.Addr().Unmap()
+		if !ip.IsValid() {
 			// Not a valid gateway, so skip (won't happen though)
 			continue
 		}
-		ip = ip.Unmap()
 
 		if best == nil {
 			best = r

tka/sig.go

@@ -33,6 +33,19 @@ const (
 	// SigRotation signature and sign it again with their rotation key. That
 	// way, SigRotation nesting should only be 2 deep in the common case.
 	SigRotation
+	// SigCredential describes a signature over a specifi public key, signed
+	// by a key in the tailnet key authority referenced by the specified keyID.
+	// In effect, SigCredential delegates the ability to make a signature to
+	// a different public/private key pair.
+	//
+	// It is intended that a different public/private key pair be generated
+	// for each different SigCredential that is created. Implementors must
+	// take care that the private side is only known to the entity that needs
+	// to generate the wrapping SigRotation signature, and it is immediately
+	// discarded after use.
+	//
+	// SigCredential is expected to be nested in a SigRotation signature.
+	SigCredential
 )
 
 func (s SigKind) String() string {
@@ -43,6 +56,8 @@ func (s SigKind) String() string {
 		return "direct"
 	case SigRotation:
 		return "rotation"
+	case SigCredential:
+		return "credential"
 	default:
 		return fmt.Sprintf("Sig?<%d>", int(s))
 	}
@@ -53,8 +68,9 @@ func (s SigKind) String() string {
 type NodeKeySignature struct {
 	// SigKind identifies the variety of signature.
 	SigKind SigKind `cbor:"1,keyasint"`
-	// Pubkey identifies the public key which is being authorized.
-	Pubkey []byte `cbor:"2,keyasint"`
+	// Pubkey identifies the key.NodePublic which is being authorized.
+	// SigCredential signatures do not use this field.
+	Pubkey []byte `cbor:"2,keyasint,omitempty"`
 
 	// KeyID identifies which key in the tailnet key authority should
 	// be used to verify this signature. Only set for SigDirect and
@@ -69,19 +85,23 @@ type NodeKeySignature struct {
 	// used as Pubkey. Only used for SigRotation signatures.
 	Nested *NodeKeySignature `cbor:"5,keyasint,omitempty"`
 
-	// RotationPubkey specifies the ed25519 public key which may sign a
-	// SigRotation signature, which embeds this one.
+	// WrappingPubkey specifies the ed25519 public key which must be used
+	// to sign a Signature which embeds this one.
 	//
-	// Intermediate SigRotation signatures may omit this value to use the
-	// parent one.
-	RotationPubkey []byte `cbor:"6,keyasint,omitempty"`
+	// For SigRotation signatures multiple levels deep, intermediate
+	// signatures may omit this value, in which case the parent WrappingPubkey
+	// is used.
+	//
+	// SigCredential signatures use this field to specify the public key
+	// they are certifying, following the usual semanticsfor WrappingPubkey.
+	WrappingPubkey []byte `cbor:"6,keyasint,omitempty"`
 }
 
-// rotationPublic returns the public key which must sign a SigRotation
-// signature that embeds this signature, if any.
-func (s NodeKeySignature) rotationPublic() (pub ed25519.PublicKey, ok bool) {
-	if len(s.RotationPubkey) > 0 {
-		return ed25519.PublicKey(s.RotationPubkey), true
+// wrappingPublic returns the public key which must sign a signature which
+// embeds this one, if any.
+func (s NodeKeySignature) wrappingPublic() (pub ed25519.PublicKey, ok bool) {
+	if len(s.WrappingPubkey) > 0 {
+		return ed25519.PublicKey(s.WrappingPubkey), true
 	}
 
 	switch s.SigKind {
@@ -89,7 +109,7 @@ func (s NodeKeySignature) rotationPublic() (pub ed25519.PublicKey, ok bool) {
 		if s.Nested == nil {
 			return nil, false
 		}
-		return s.Nested.rotationPublic()
+		return s.Nested.wrappingPublic()
 
 	default:
 		return nil, false
@@ -138,15 +158,18 @@ func (s *NodeKeySignature) Unserialize(data []byte) error {
 	return dec.Unmarshal(data, s)
 }
 
-// verifySignature checks that the NodeKeySignature is authentic, certified
-// by the given verificationKey, and authorizes the given nodeKey.
+// verifySignature checks that the NodeKeySignature is authentic & certified
+// by the given verificationKey. Additionally, SigDirect and SigRotation
+// signatures are checked to ensure they authorize the given nodeKey.
 func (s *NodeKeySignature) verifySignature(nodeKey key.NodePublic, verificationKey Key) error {
-	nodeBytes, err := nodeKey.MarshalBinary()
-	if err != nil {
-		return fmt.Errorf("marshalling pubkey: %v", err)
-	}
-	if !bytes.Equal(nodeBytes, s.Pubkey) {
-		return errors.New("signature does not authorize nodeKey")
+	if s.SigKind != SigCredential {
+		nodeBytes, err := nodeKey.MarshalBinary()
+		if err != nil {
+			return fmt.Errorf("marshalling pubkey: %v", err)
+		}
+		if !bytes.Equal(nodeBytes, s.Pubkey) {
+			return errors.New("signature does not authorize nodeKey")
+		}
 	}
 
 	sigHash := s.SigHash()
@@ -157,7 +180,7 @@ func (s *NodeKeySignature) verifySignature(nodeKey key.NodePublic, verificationK
 		}
 
 		// Verify the signature using the nested rotation key.
-		verifyPub, ok := s.Nested.rotationPublic()
+		verifyPub, ok := s.Nested.wrappingPublic()
 		if !ok {
 			return errors.New("missing rotation key")
 		}
@@ -167,15 +190,22 @@ func (s *NodeKeySignature) verifySignature(nodeKey key.NodePublic, verificationK
 
 		// Recurse to verify the signature on the nested structure.
 		var nestedPub key.NodePublic
-		if err := nestedPub.UnmarshalBinary(s.Nested.Pubkey); err != nil {
-			return fmt.Errorf("nested pubkey: %v", err)
+		// SigCredential signatures certify an indirection key rather than a node
+		// key, so theres no need to check the node key.
+		if s.Nested.SigKind != SigCredential {
+			if err := nestedPub.UnmarshalBinary(s.Nested.Pubkey); err != nil {
+				return fmt.Errorf("nested pubkey: %v", err)
+			}
 		}
 		if err := s.Nested.verifySignature(nestedPub, verificationKey); err != nil {
 			return fmt.Errorf("nested: %v", err)
 		}
 		return nil
 
-	case SigDirect:
+	case SigDirect, SigCredential:
+		if s.Nested != nil {
+			return fmt.Errorf("invalid signature: signatures of type %v cannot nest another signature", s.SigKind)
+		}
 		switch verificationKey.Kind {
 		case Key25519:
 			if ed25519consensus.Verify(ed25519.PublicKey(verificationKey.Public), sigHash[:], s.Signature) {

tka/sig_test.go

@@ -67,7 +67,7 @@ func TestSigNested(t *testing.T) {
 		SigKind:        SigDirect,
 		KeyID:          k.ID(),
 		Pubkey:         oldPub,
-		RotationPubkey: rPub,
+		WrappingPubkey: rPub,
 	}
 	sigHash := nestedSig.SigHash()
 	nestedSig.Signature = ed25519.Sign(priv, sigHash[:])
@@ -110,6 +110,13 @@ func TestSigNested(t *testing.T) {
 	if err := sig.verifySignature(node.Public(), k); err == nil {
 		t.Error("verifySignature(node) succeeded with bad outer signature")
 	}
+
+	// Test verification fails if the outer signature is signed with a
+	// different public key to whats specified in WrappingPubkey
+	sig.Signature = ed25519.Sign(priv, sigHash[:])
+	if err := sig.verifySignature(node.Public(), k); err == nil {
+		t.Error("verifySignature(node) succeeded with different signature")
+	}
 }
 
 func TestSigNested_DeepNesting(t *testing.T) {
@@ -128,7 +135,7 @@ func TestSigNested_DeepNesting(t *testing.T) {
 		SigKind:        SigDirect,
 		KeyID:          k.ID(),
 		Pubkey:         oldPub,
-		RotationPubkey: rPub,
+		WrappingPubkey: rPub,
 	}
 	sigHash := nestedSig.SigHash()
 	nestedSig.Signature = ed25519.Sign(priv, sigHash[:])
@@ -175,6 +182,91 @@ func TestSigNested_DeepNesting(t *testing.T) {
 	}
 }
 
+func TestSigCredential(t *testing.T) {
+	// Network-lock key (the key used to sign the nested sig)
+	pub, priv := testingKey25519(t, 1)
+	k := Key{Kind: Key25519, Public: pub, Votes: 2}
+	// 'credential' key (the one being delegated to)
+	cPub, cPriv := testingKey25519(t, 2)
+	// The node key being certified
+	node := key.NewNode()
+	nodeKeyPub, _ := node.Public().MarshalBinary()
+
+	// The signature certifying delegated trust to another
+	// public key.
+	nestedSig := NodeKeySignature{
+		SigKind:        SigCredential,
+		KeyID:          k.ID(),
+		WrappingPubkey: cPub,
+	}
+	sigHash := nestedSig.SigHash()
+	nestedSig.Signature = ed25519.Sign(priv, sigHash[:])
+
+	// The signature authorizing the node key, signed by the
+	// delegated key & embedding the original signature.
+	sig := NodeKeySignature{
+		SigKind: SigRotation,
+		KeyID:   k.ID(),
+		Pubkey:  nodeKeyPub,
+		Nested:  &nestedSig,
+	}
+	sigHash = sig.SigHash()
+	sig.Signature = ed25519.Sign(cPriv, sigHash[:])
+	if err := sig.verifySignature(node.Public(), k); err != nil {
+		t.Fatalf("verifySignature(node) failed: %v", err)
+	}
+
+	// Test verification fails if the wrong verification key is provided
+	kBad := Key{Kind: Key25519, Public: []byte{1, 2, 3, 4}, Votes: 2}
+	if err := sig.verifySignature(node.Public(), kBad); err == nil {
+		t.Error("verifySignature() did not error for wrong verification key")
+	}
+
+	// Test someone can't misuse our public API for verifying node-keys
+	a, _ := Open(newTestchain(t, "G1\nG1.template = genesis",
+		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
+			Keys:               []Key{k},
+			DisablementSecrets: [][]byte{disablementKDF([]byte{1, 2, 3})},
+		}})).Chonk())
+	if err := a.NodeKeyAuthorized(node.Public(), nestedSig.Serialize()); err == nil {
+		t.Error("NodeKeyAuthorized(SigCredential, node) did not fail")
+	}
+	// but that they can use it properly (nested in a SigRotation)
+	if err := a.NodeKeyAuthorized(node.Public(), sig.Serialize()); err != nil {
+		t.Errorf("NodeKeyAuthorized(SigRotation{SigCredential}, node) failed: %v", err)
+	}
+
+	// Test verification fails if the inner signature is invalid
+	tmp := make([]byte, ed25519.SignatureSize)
+	copy(tmp, nestedSig.Signature)
+	copy(nestedSig.Signature, []byte{1, 2, 3, 4})
+	if err := sig.verifySignature(node.Public(), k); err == nil {
+		t.Error("verifySignature(node) succeeded with bad inner signature")
+	}
+	copy(nestedSig.Signature, tmp)
+
+	// Test verification fails if the outer signature is invalid
+	copy(tmp, sig.Signature)
+	copy(sig.Signature, []byte{1, 2, 3, 4})
+	if err := sig.verifySignature(node.Public(), k); err == nil {
+		t.Error("verifySignature(node) succeeded with bad outer signature")
+	}
+	copy(sig.Signature, tmp)
+
+	// Test verification fails if we attempt to check a different node-key
+	otherNode := key.NewNode()
+	if err := sig.verifySignature(otherNode.Public(), k); err == nil {
+		t.Error("verifySignature(otherNode) succeeded with different principal")
+	}
+
+	// Test verification fails if the outer signature is signed with a
+	// different public key to whats specified in WrappingPubkey
+	sig.Signature = ed25519.Sign(priv, sigHash[:])
+	if err := sig.verifySignature(node.Public(), k); err == nil {
+		t.Error("verifySignature(node) succeeded with different signature")
+	}
+}
+
 func TestSigSerializeUnserialize(t *testing.T) {
 	nodeKeyPub := []byte{1, 2, 3, 4}
 	pub, priv := testingKey25519(t, 1)

tka/tka.go

@@ -673,6 +673,10 @@ func (a *Authority) NodeKeyAuthorized(nodeKey key.NodePublic, nodeKeySignature t
 	if err := decoded.Unserialize(nodeKeySignature); err != nil {
 		return fmt.Errorf("unserialize: %v", err)
 	}
+	if decoded.SigKind == SigCredential {
+		return errors.New("credential signatures cannot authorize nodes on their own")
+	}
+
 	key, err := a.state.GetKey(decoded.KeyID)
 	if err != nil {
 		return fmt.Errorf("key: %v", err)

wgengine/magicsock/magicsock.go

@@ -14,6 +14,7 @@ import (
 	"errors"
 	"fmt"
 	"hash/fnv"
+	"io"
 	"math"
 	"math/rand"
 	"net"
@@ -60,6 +61,16 @@ import (
 	"tailscale.com/wgengine/monitor"
 )
 
+const (
+	// These are disco.Magic in big-endian form, 4 then 2 bytes. The
+	// BPF filters need the magic in this format to match on it. Used
+	// only in magicsock_linux.go, but defined here so that the test
+	// which verifies this is the correct magic doesn't also need a
+	// _linux variant.
+	discoMagic1 = 0x5453f09f
+	discoMagic2 = 0x92ac
+)
+
 // useDerpRoute reports whether magicsock should enable the DERP
 // return path optimization (Issue 150).
 func useDerpRoute() bool {
@@ -254,6 +265,12 @@ type Conn struct {
 	pconn4 *RebindingUDPConn
 	pconn6 *RebindingUDPConn
 
+	// closeDisco4 and closeDisco6 are io.Closers to shut down the raw
+	// disco packet receivers. If nil, no raw disco receiver is
+	// running for the given family.
+	closeDisco4 io.Closer
+	closeDisco6 io.Closer
+
 	// netChecker is the prober that discovers local network
 	// conditions, including the closest DERP relay and NAT mappings.
 	netChecker *netcheck.Client
@@ -572,6 +589,19 @@ func NewConn(opts Options) (*Conn, error) {
 
 	c.ignoreSTUNPackets()
 
+	if d4, err := c.listenRawDisco("ip4"); err == nil {
+		c.logf("[v1] using BPF disco receiver for IPv4")
+		c.closeDisco4 = d4
+	} else {
+		c.logf("[v1] couldn't create raw v4 disco listener, using regular listener instead: %v", err)
+	}
+	if d6, err := c.listenRawDisco("ip6"); err == nil {
+		c.logf("[v1] using BPF disco receiver for IPv6")
+		c.closeDisco6 = d6
+	} else {
+		c.logf("[v1] couldn't create raw v6 disco listener, using regular listener instead: %v", err)
+	}
+
 	return c, nil
 }
 
@@ -1638,7 +1668,7 @@ func (c *Conn) receiveIPv6(b []byte) (int, conn.Endpoint, error) {
 		if err != nil {
 			return 0, nil, err
 		}
-		if ep, ok := c.receiveIP(b[:n], ipp, &c.ippEndpoint6); ok {
+		if ep, ok := c.receiveIP(b[:n], ipp, &c.ippEndpoint6, c.closeDisco6 == nil); ok {
 			metricRecvDataIPv6.Add(1)
 			return n, ep, nil
 		}
@@ -1654,7 +1684,7 @@ func (c *Conn) receiveIPv4(b []byte) (n int, ep conn.Endpoint, err error) {
 		if err != nil {
 			return 0, nil, err
 		}
-		if ep, ok := c.receiveIP(b[:n], ipp, &c.ippEndpoint4); ok {
+		if ep, ok := c.receiveIP(b[:n], ipp, &c.ippEndpoint4, c.closeDisco4 == nil); ok {
 			metricRecvDataIPv4.Add(1)
 			return n, ep, nil
 		}
@@ -1665,12 +1695,18 @@ func (c *Conn) receiveIPv4(b []byte) (n int, ep conn.Endpoint, err error) {
 //
 // ok is whether this read should be reported up to wireguard-go (our
 // caller).
-func (c *Conn) receiveIP(b []byte, ipp netip.AddrPort, cache *ippEndpointCache) (ep *endpoint, ok bool) {
+func (c *Conn) receiveIP(b []byte, ipp netip.AddrPort, cache *ippEndpointCache, checkDisco bool) (ep *endpoint, ok bool) {
 	if stun.Is(b) {
 		c.stunReceiveFunc.Load()(b, ipp)
 		return nil, false
 	}
-	if c.handleDiscoMessage(b, ipp, key.NodePublic{}) {
+	if checkDisco {
+		if c.handleDiscoMessage(b, ipp, key.NodePublic{}) {
+			return nil, false
+		}
+	} else if disco.LooksLikeDiscoWrapper(b) {
+		// Caller told us to ignore disco traffic, don't let it fall
+		// through to wireguard-go.
 		return nil, false
 	}
 	if !c.havePrivateKey.Load() {
@@ -2094,13 +2130,11 @@ func (c *Conn) enqueueCallMeMaybe(derpAddr netip.AddrPort, de *endpoint) {
 
 	if !c.lastEndpointsTime.After(time.Now().Add(-endpointsFreshEnoughDuration)) {
 		c.logf("[v1] magicsock: want call-me-maybe but endpoints stale; restunning")
-		if c.onEndpointRefreshed == nil {
-			c.onEndpointRefreshed = map[*endpoint]func(){}
-		}
-		c.onEndpointRefreshed[de] = func() {
+
+		mak.Set(&c.onEndpointRefreshed, de, func() {
 			c.logf("[v1] magicsock: STUN done; sending call-me-maybe to %v %v", de.discoShort, de.publicKey.ShortString())
 			c.enqueueCallMeMaybe(derpAddr, de)
-		}
+		})
 		// TODO(bradfitz): make a new 'reSTUNQuickly' method
 		// that passes down a do-a-lite-netcheck flag down to
 		// netcheck that does 1 (or 2 max) STUN queries
@@ -2632,6 +2666,12 @@ func (c *connBind) Close() error {
 	if c.pconn6 != nil {
 		c.pconn6.Close()
 	}
+	if c.closeDisco4 != nil {
+		c.closeDisco4.Close()
+	}
+	if c.closeDisco6 != nil {
+		c.closeDisco6.Close()
+	}
 	// Send an empty read result to unblock receiveDERP,
 	// which will then check connBind.Closed.
 	// connBind.Closed takes c.mu, but c.derpRecvCh is buffered.
@@ -4192,4 +4232,8 @@ var (
 	// metricDERPHomeChange is how many times our DERP home region DI has
 	// changed from non-zero to a different non-zero.
 	metricDERPHomeChange = clientmetric.NewCounter("derp_home_change")
+
+	// Disco packets received bpf read path
+	metricRecvDiscoPacketIPv4 = clientmetric.NewCounter("magicsock_disco_recv_bpf_ipv4")
+	metricRecvDiscoPacketIPv6 = clientmetric.NewCounter("magicsock_disco_recv_bpf_ipv6")
 )

wgengine/magicsock/magicsock_default.go

@@ -0,0 +1,17 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !linux
+// +build !linux
+
+package magicsock
+
+import (
+	"errors"
+	"io"
+)
+
+func (c *Conn) listenRawDisco(family string) (io.Closer, error) {
+	return nil, errors.New("raw disco listening not supported on this OS")
+}

wgengine/magicsock/magicsock_linux.go

@@ -0,0 +1,260 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package magicsock
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/netip"
+	"time"
+	"unsafe"
+
+	"golang.org/x/net/bpf"
+	"golang.org/x/sys/unix"
+	"tailscale.com/envknob"
+	"tailscale.com/types/key"
+)
+
+const (
+	udpHeaderSize          = 8
+	ipv6FragmentHeaderSize = 8
+)
+
+// Enable/disable using raw sockets to receive disco traffic.
+var debugDisableRawDisco = envknob.Bool("TS_DEBUG_DISABLE_RAW_DISCO")
+
+// These are our BPF filters that we use for testing packets.
+var (
+	magicsockFilterV4 = []bpf.Instruction{
+		// For raw UDPv4 sockets, BPF receives the entire IP packet to
+		// inspect.
+
+		// Disco packets are so small they should never get
+		// fragmented, and we don't want to handle reassembly.
+		bpf.LoadAbsolute{Off: 6, Size: 2},
+		// More Fragments bit set means this is part of a fragmented packet.
+		bpf.JumpIf{Cond: bpf.JumpBitsSet, Val: 0x2000, SkipTrue: 7, SkipFalse: 0},
+		// Non-zero fragment offset with MF=0 means this is the last
+		// fragment of packet.
+		bpf.JumpIf{Cond: bpf.JumpBitsSet, Val: 0x1fff, SkipTrue: 6, SkipFalse: 0},
+
+		// Load IP header length into X register.
+		bpf.LoadMemShift{Off: 0},
+
+		// Get the first 4 bytes of the UDP packet, compare with our magic number
+		bpf.LoadIndirect{Off: udpHeaderSize, Size: 4},
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: discoMagic1, SkipTrue: 0, SkipFalse: 3},
+
+		// Compare the next 2 bytes
+		bpf.LoadIndirect{Off: udpHeaderSize + 4, Size: 2},
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: uint32(discoMagic2), SkipTrue: 0, SkipFalse: 1},
+
+		// Accept the whole packet
+		bpf.RetConstant{Val: 0xFFFFFFFF},
+
+		// Skip the packet
+		bpf.RetConstant{Val: 0x0},
+	}
+
+	// IPv6 is more complicated to filter, since we can have 0-to-N
+	// extension headers following the IPv6 header. Since BPF can't
+	// loop, we can't really parse these in a general way; instead, we
+	// simply handle the case where we have no extension headers; any
+	// packets with headers will be skipped. IPv6 extension headers
+	// are sufficiently uncommon that we're willing to accept false
+	// negatives here.
+	//
+	// The "proper" way to handle this would be to do minimal parsing in
+	// BPF and more in-depth parsing of all IPv6 packets in userspace, but
+	// on systems with a high volume of UDP that would be unacceptably slow
+	// and thus we'd rather be conservative here and possibly not receive
+	// disco packets rather than slow down the system.
+	magicsockFilterV6 = []bpf.Instruction{
+		// For raw UDPv6 sockets, BPF receives _only_ the UDP header onwards, not an entire IP packet.
+		//
+		//    https://stackoverflow.com/questions/24514333/using-bpf-with-sock-dgram-on-linux-machine
+		//    https://blog.cloudflare.com/epbf_sockets_hop_distance/
+		//
+		// This is especially confusing because this *isn't* true for
+		// IPv4; see the following code from the 'ping' utility that
+		// corroborates this:
+		//
+		//    https://github.com/iputils/iputils/blob/1ab5fa/ping/ping.c#L1667-L1676
+		//    https://github.com/iputils/iputils/blob/1ab5fa/ping/ping6_common.c#L933-L941
+
+		// Compare with our magic number. Start by loading and
+		// comparing the first 4 bytes of the UDP payload.
+		bpf.LoadAbsolute{Off: udpHeaderSize, Size: 4},
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: discoMagic1, SkipTrue: 0, SkipFalse: 3},
+
+		// Compare the next 2 bytes
+		bpf.LoadAbsolute{Off: udpHeaderSize + 4, Size: 2},
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: discoMagic2, SkipTrue: 0, SkipFalse: 1},
+
+		// Accept the whole packet
+		bpf.RetConstant{Val: 0xFFFFFFFF},
+
+		// Skip the packet
+		bpf.RetConstant{Val: 0x0},
+	}
+
+	testDiscoPacket = []byte{
+		// Disco magic
+		0x54, 0x53, 0xf0, 0x9f, 0x92, 0xac,
+		// Sender key
+		0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+		0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+		0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+		0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+		// Nonce
+		0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+		0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+		0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+	}
+)
+
+// listenRawDisco starts listening for disco packets on the given
+// address family, which must be "ip4" or "ip6", using a raw socket
+// and BPF filter.
+// https://github.com/tailscale/tailscale/issues/3824
+func (c *Conn) listenRawDisco(family string) (io.Closer, error) {
+	if debugDisableRawDisco {
+		return nil, errors.New("raw disco listening disabled by debug flag")
+	}
+
+	var (
+		network  string
+		addr     string
+		testAddr string
+		prog     []bpf.Instruction
+	)
+	switch family {
+	case "ip4":
+		network = "ip4:17"
+		addr = "0.0.0.0"
+		testAddr = "127.0.0.1:1"
+		prog = magicsockFilterV4
+	case "ip6":
+		network = "ip6:17"
+		addr = "::"
+		testAddr = "[::1]:1"
+		prog = magicsockFilterV6
+	default:
+		return nil, fmt.Errorf("unsupported address family %q", family)
+	}
+
+	asm, err := bpf.Assemble(prog)
+	if err != nil {
+		return nil, fmt.Errorf("assembling filter: %w", err)
+	}
+
+	pc, err := net.ListenPacket(network, addr)
+	if err != nil {
+		return nil, fmt.Errorf("creating packet conn: %w", err)
+	}
+
+	if err := setBPF(pc, asm); err != nil {
+		pc.Close()
+		return nil, fmt.Errorf("installing BPF filter: %w", err)
+	}
+
+	// If all the above succeeds, we should be ready to receive. Just
+	// out of paranoia, check that we do receive a well-formed disco
+	// packet.
+	tc, err := net.ListenPacket("udp", net.JoinHostPort(addr, "0"))
+	if err != nil {
+		pc.Close()
+		return nil, fmt.Errorf("creating disco test socket: %w", err)
+	}
+	defer tc.Close()
+	if _, err := tc.(*net.UDPConn).WriteToUDPAddrPort(testDiscoPacket, netip.MustParseAddrPort(testAddr)); err != nil {
+		pc.Close()
+		return nil, fmt.Errorf("writing disco test packet: %w", err)
+	}
+	pc.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
+	var buf [1500]byte
+	for {
+		n, _, err := pc.ReadFrom(buf[:])
+		if err != nil {
+			pc.Close()
+			return nil, fmt.Errorf("reading during raw disco self-test: %w", err)
+		}
+		if n < udpHeaderSize {
+			continue
+		}
+		if !bytes.Equal(buf[udpHeaderSize:n], testDiscoPacket) {
+			continue
+		}
+		break
+	}
+	pc.SetReadDeadline(time.Time{})
+
+	go c.receiveDisco(pc)
+	return pc, nil
+}
+
+func (c *Conn) receiveDisco(pc net.PacketConn) {
+	var buf [1500]byte
+	for {
+		n, src, err := pc.ReadFrom(buf[:])
+		if errors.Is(err, net.ErrClosed) {
+			return
+		} else if err != nil {
+			c.logf("disco raw reader failed: %v", err)
+			return
+		}
+		if n < udpHeaderSize {
+			// Too small to be a valid UDP datagram, drop.
+			continue
+		}
+		srcIP, ok := netip.AddrFromSlice(src.(*net.IPAddr).IP)
+		if !ok {
+			c.logf("[unexpected] PacketConn.ReadFrom returned not-an-IP %v in from", src)
+			continue
+		}
+		srcPort := binary.BigEndian.Uint16(buf[:2])
+
+		if srcIP.Is4() {
+			metricRecvDiscoPacketIPv4.Add(1)
+		} else {
+			metricRecvDiscoPacketIPv6.Add(1)
+		}
+
+		c.handleDiscoMessage(buf[udpHeaderSize:n], netip.AddrPortFrom(srcIP, srcPort), key.NodePublic{})
+	}
+}
+
+// setBPF installs filter as the BPF filter on conn.
+// Ideally we would just use SetBPF as implemented in x/net/ipv4,
+// but x/net/ipv6 doesn't implement it. And once you've written
+// this code once, it turns out to be address family agnostic, so
+// we might as well use it on both and get to use a net.PacketConn
+// directly for both families instead of being stuck with
+// different types.
+func setBPF(conn net.PacketConn, filter []bpf.RawInstruction) error {
+	sc, err := conn.(*net.IPConn).SyscallConn()
+	if err != nil {
+		return err
+	}
+	prog := &unix.SockFprog{
+		Len:    uint16(len(filter)),
+		Filter: (*unix.SockFilter)(unsafe.Pointer(&filter[0])),
+	}
+	var setErr error
+	err = sc.Control(func(fd uintptr) {
+		setErr = unix.SetsockoptSockFprog(int(fd), unix.SOL_SOCKET, unix.SO_ATTACH_FILTER, prog)
+	})
+	if err != nil {
+		return err
+	}
+	if setErr != nil {
+		return err
+	}
+	return nil
+}

wgengine/magicsock/magicsock_test.go

@@ -32,6 +32,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/tuntest"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/disco"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/stun/stuntest"
@@ -1799,3 +1800,21 @@ func TestBlockForeverConnUnblocks(t *testing.T) {
 		t.Fatal("timeout")
 	}
 }
+
+func TestDiscoMagicMatches(t *testing.T) {
+	// Convert our disco magic number into a uint32 and uint16 to test
+	// against. We panic on an incorrect length here rather than try to be
+	// generic with our BPF instructions below.
+	//
+	// Note that BPF uses network byte order (big-endian) when loading data
+	// from a packet, so that is what we use to generate our magic numbers.
+	if len(disco.Magic) != 6 {
+		t.Fatalf("expected disco.Magic to be of length 6")
+	}
+	if m1 := binary.BigEndian.Uint32([]byte(disco.Magic[:4])); m1 != discoMagic1 {
+		t.Errorf("first 4 bytes of disco magic don't match, got %v want %v", discoMagic1, m1)
+	}
+	if m2 := binary.BigEndian.Uint16([]byte(disco.Magic[4:6])); m2 != discoMagic2 {
+		t.Errorf("last 2 bytes of disco magic don't match, got %v want %v", discoMagic2, m2)
+	}
+}

wgengine/monitor/monitor_windows.go

@@ -7,13 +7,11 @@ package monitor
 import (
 	"context"
 	"errors"
-	"net/netip"
 	"strings"
 	"sync"
 	"time"
 
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
-	"tailscale.com/net/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
 )
@@ -133,7 +131,7 @@ func (m *winMon) Receive() (message, error) {
 // unicastAddressChanged is the callback we register with Windows to call when unicast address changes.
 func (m *winMon) unicastAddressChanged(_ winipcfg.MibNotificationType, row *winipcfg.MibUnicastIPAddressRow) {
 	what := "addr"
-	if ip, ok := netip.AddrFromSlice(row.Address.IP()); ok && tsaddr.IsTailscaleIP(ip.Unmap()) {
+	if ip := row.Address.Addr(); ip.IsValid() && tsaddr.IsTailscaleIP(ip.Unmap()) {
 		what = "tsaddr"
 	}
 
@@ -144,8 +142,8 @@ func (m *winMon) unicastAddressChanged(_ winipcfg.MibNotificationType, row *wini
 // routeChanged is the callback we register with Windows to call when route changes.
 func (m *winMon) routeChanged(_ winipcfg.MibNotificationType, row *winipcfg.MibIPforwardRow2) {
 	what := "route"
-	ipn := row.DestinationPrefix.IPNet()
-	if cidr, ok := netaddr.FromStdIPNet(&ipn); ok && tsaddr.IsTailscaleIP(cidr.Addr()) {
+	ip := row.DestinationPrefix.Prefix().Addr().Unmap()
+	if ip.IsValid() && tsaddr.IsTailscaleIP(ip) {
 		what = "tsroute"
 	}
 	// start a goroutine to finish our work, to return to Windows out of this callback

wgengine/router/ifconfig_windows.go

@@ -6,7 +6,6 @@
 package router
 
 import (
-	"bytes"
 	"errors"
 	"fmt"
 	"log"
@@ -18,12 +17,12 @@ import (
 
 	ole "github.com/go-ole/go-ole"
 	"go4.org/netipx"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/health"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/util/multierr"
 	"tailscale.com/wgengine/winnet"
@@ -324,25 +323,23 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 	// ours where the nexthop is meaningless, you're supposed to use
 	// one of the local IP addresses of the interface. Find an IPv4
 	// and IPv6 address we can use for this purpose.
-	var firstGateway4 *net.IP
-	var firstGateway6 *net.IP
-	addresses := make([]*net.IPNet, 0, len(cfg.LocalAddrs))
+	var firstGateway4 netip.Addr
+	var firstGateway6 netip.Addr
+	addresses := make([]netip.Prefix, 0, len(cfg.LocalAddrs))
 	for _, addr := range cfg.LocalAddrs {
 		if (addr.Addr().Is4() && ipif4 == nil) || (addr.Addr().Is6() && ipif6 == nil) {
 			// Can't program addresses for disabled protocol.
 			continue
 		}
-		ipnet := netipx.PrefixIPNet(addr)
-		addresses = append(addresses, ipnet)
-		gateway := ipnet.IP
-		if addr.Addr().Is4() && firstGateway4 == nil {
-			firstGateway4 = &gateway
-		} else if addr.Addr().Is6() && firstGateway6 == nil {
-			firstGateway6 = &gateway
+		addresses = append(addresses, addr)
+		if addr.Addr().Is4() && !firstGateway4.IsValid() {
+			firstGateway4 = addr.Addr()
+		} else if addr.Addr().Is6() && !firstGateway6.IsValid() {
+			firstGateway6 = addr.Addr()
 		}
 	}
 
-	var routes []winipcfg.RouteData
+	var routes []*winipcfg.RouteData
 	foundDefault4 := false
 	foundDefault6 := false
 	for _, route := range cfg.Routes {
@@ -351,37 +348,33 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 			continue
 		}
 
-		if route.Addr().Is6() && firstGateway6 == nil {
+		if route.Addr().Is6() && !firstGateway6.IsValid() {
 			// Windows won't let us set IPv6 routes without having an
 			// IPv6 local address set. However, when we've configured
 			// a default route, we want to forcibly grab IPv6 traffic
 			// even if the v6 overlay network isn't configured. To do
 			// that, we add a dummy local IPv6 address to serve as a
 			// route source.
-			ipnet := &net.IPNet{tsaddr.Tailscale4To6Placeholder().AsSlice(), net.CIDRMask(128, 128)}
-			addresses = append(addresses, ipnet)
-			firstGateway6 = &ipnet.IP
-		} else if route.Addr().Is4() && firstGateway4 == nil {
+			ip := tsaddr.Tailscale4To6Placeholder()
+			addresses = append(addresses, netip.PrefixFrom(ip, ip.BitLen()))
+			firstGateway6 = ip
+		} else if route.Addr().Is4() && !firstGateway4.IsValid() {
 			// TODO: do same dummy behavior as v6?
 			return errors.New("due to a Windows limitation, one cannot have interface routes without an interface address")
 		}
 
-		ipn := netipx.PrefixIPNet(route)
-		var gateway net.IP
+		var gateway netip.Addr
 		if route.Addr().Is4() {
-			gateway = *firstGateway4
+			gateway = firstGateway4
 		} else if route.Addr().Is6() {
-			gateway = *firstGateway6
+			gateway = firstGateway6
 		}
-		r := winipcfg.RouteData{
-			Destination: net.IPNet{
-				IP:   ipn.IP.Mask(ipn.Mask),
-				Mask: ipn.Mask,
-			},
-			NextHop: gateway,
-			Metric:  0,
+		r := &winipcfg.RouteData{
+			Destination: route,
+			NextHop:     gateway,
+			Metric:      0,
 		}
-		if net.IP.Equal(r.Destination.IP, gateway) {
+		if r.Destination.Addr().Unmap() == gateway {
 			// no need to add a route for the interface's
 			// own IP. The kernel does that for us.
 			// If we try to replace it, we'll fail to
@@ -393,12 +386,12 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 			if route.Bits() == 0 {
 				foundDefault4 = true
 			}
-			r.NextHop = *firstGateway4
+			r.NextHop = firstGateway4
 		} else if route.Addr().Is6() {
 			if route.Bits() == 0 {
 				foundDefault6 = true
 			}
-			r.NextHop = *firstGateway6
+			r.NextHop = firstGateway6
 		}
 		routes = append(routes, r)
 	}
@@ -408,18 +401,16 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 		return fmt.Errorf("syncAddresses: %w", err)
 	}
 
-	sort.Slice(routes, func(i, j int) bool { return routeLess(&routes[i], &routes[j]) })
+	slices.SortFunc(routes, routeDataLess)
 
 	deduplicatedRoutes := []*winipcfg.RouteData{}
 	for i := 0; i < len(routes); i++ {
 		// There's only one way to get to a given IP+Mask, so delete
 		// all matches after the first.
-		if i > 0 &&
-			net.IP.Equal(routes[i].Destination.IP, routes[i-1].Destination.IP) &&
-			bytes.Equal(routes[i].Destination.Mask, routes[i-1].Destination.Mask) {
+		if i > 0 && routes[i].Destination == routes[i-1].Destination {
 			continue
 		}
-		deduplicatedRoutes = append(deduplicatedRoutes, &routes[i])
+		deduplicatedRoutes = append(deduplicatedRoutes, routes[i])
 	}
 
 	// Re-read interface after syncAddresses.
@@ -484,28 +475,6 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
 	return errAcc
 }
 
-// routeLess reports whether ri should sort before rj.
-// The actual sort order doesn't appear to matter. The caller just
-// wants them sorted to be able to de-dup.
-func routeLess(ri, rj *winipcfg.RouteData) bool {
-	if v := bytes.Compare(ri.Destination.IP, rj.Destination.IP); v != 0 {
-		return v == -1
-	}
-	if v := bytes.Compare(ri.Destination.Mask, rj.Destination.Mask); v != 0 {
-		// Narrower masks first
-		return v == 1
-	}
-	if ri.Metric != rj.Metric {
-		// Lower metrics first
-		return ri.Metric < rj.Metric
-	}
-	if v := bytes.Compare(ri.NextHop, rj.NextHop); v != 0 {
-		// No nexthop before non-empty nexthop.
-		return v == -1
-	}
-	return false
-}
-
 // unwrapIP returns the shortest version of ip.
 func unwrapIP(ip net.IP) net.IP {
 	if ip4 := ip.To4(); ip4 != nil {
@@ -521,40 +490,40 @@ func v4Mask(m net.IPMask) net.IPMask {
 	return m
 }
 
-func netCompare(a, b net.IPNet) int {
-	aip, bip := unwrapIP(a.IP), unwrapIP(b.IP)
-	v := bytes.Compare(aip, bip)
+func netCompare(a, b netip.Prefix) int {
+	aip, bip := a.Addr().Unmap(), b.Addr().Unmap()
+	v := aip.Compare(bip)
 	if v != 0 {
 		return v
 	}
 
-	amask, bmask := a.Mask, b.Mask
-	if len(aip) == 4 {
-		amask = v4Mask(a.Mask)
-		bmask = v4Mask(b.Mask)
+	if a.Bits() == b.Bits() {
+		return 0
 	}
-
 	// narrower first
-	return -bytes.Compare(amask, bmask)
+	if a.Bits() > b.Bits() {
+		return -1
+	}
+	return 1
 }
 
-func sortNets(a []*net.IPNet) {
-	sort.Slice(a, func(i, j int) bool {
-		return netCompare(*a[i], *a[j]) == -1
+func sortNets(s []netip.Prefix) {
+	sort.Slice(s, func(i, j int) bool {
+		return netCompare(s[i], s[j]) == -1
 	})
 }
 
 // deltaNets returns the changes to turn a into b.
-func deltaNets(a, b []*net.IPNet) (add, del []*net.IPNet) {
-	add = make([]*net.IPNet, 0, len(b))
-	del = make([]*net.IPNet, 0, len(a))
+func deltaNets(a, b []netip.Prefix) (add, del []netip.Prefix) {
+	add = make([]netip.Prefix, 0, len(b))
+	del = make([]netip.Prefix, 0, len(a))
 	sortNets(a)
 	sortNets(b)
 
 	i := 0
 	j := 0
 	for i < len(a) && j < len(b) {
-		switch netCompare(*a[i], *b[j]) {
+		switch netCompare(a[i], b[j]) {
 		case -1:
 			// a < b, delete
 			del = append(del, a[i])
@@ -576,28 +545,21 @@ func deltaNets(a, b []*net.IPNet) (add, del []*net.IPNet) {
 	return
 }
 
-func isIPv6LinkLocal(in *net.IPNet) bool {
-	return len(in.IP) == 16 && in.IP.IsLinkLocalUnicast()
+func isIPv6LinkLocal(a netip.Prefix) bool {
+	return a.Addr().Is6() && a.Addr().IsLinkLocalUnicast()
 }
 
-// ipAdapterUnicastAddressToIPNet converts windows.IpAdapterUnicastAddress to net.IPNet.
-func ipAdapterUnicastAddressToIPNet(u *windows.IpAdapterUnicastAddress) *net.IPNet {
-	ip := u.Address.IP()
-	w := 32
-	if ip.To4() == nil {
-		w = 128
-	}
-	return &net.IPNet{
-		IP:   ip,
-		Mask: net.CIDRMask(int(u.OnLinkPrefixLength), w),
-	}
+// ipAdapterUnicastAddressToPrefix converts windows.IpAdapterUnicastAddress to netip.Prefix
+func ipAdapterUnicastAddressToPrefix(u *windows.IpAdapterUnicastAddress) netip.Prefix {
+	ip, _ := netip.AddrFromSlice(u.Address.IP())
+	return netip.PrefixFrom(ip.Unmap(), int(u.OnLinkPrefixLength))
 }
 
 // unicastIPNets returns all unicast net.IPNet for ifc interface.
-func unicastIPNets(ifc *winipcfg.IPAdapterAddresses) []*net.IPNet {
-	nets := make([]*net.IPNet, 0)
+func unicastIPNets(ifc *winipcfg.IPAdapterAddresses) []netip.Prefix {
+	var nets []netip.Prefix
 	for addr := ifc.FirstUnicastAddress; addr != nil; addr = addr.Next {
-		nets = append(nets, ipAdapterUnicastAddressToIPNet(addr))
+		nets = append(nets, ipAdapterUnicastAddressToPrefix(addr))
 	}
 	return nets
 }
@@ -612,13 +574,13 @@ func unicastIPNets(ifc *winipcfg.IPAdapterAddresses) []*net.IPNet {
 // DNS locally or remotely and from being picked as a source address for
 // outgoing packets with unspecified sources. See #4647 and
 // https://web.archive.org/web/20200912120956/https://devblogs.microsoft.com/scripting/use-powershell-to-change-ip-behavior-with-skipassource/
-func syncAddresses(ifc *winipcfg.IPAdapterAddresses, want []*net.IPNet) error {
+func syncAddresses(ifc *winipcfg.IPAdapterAddresses, want []netip.Prefix) error {
 	var erracc error
 
 	got := unicastIPNets(ifc)
 	add, del := deltaNets(got, want)
 
-	ll := make([]*net.IPNet, 0)
+	ll := make([]netip.Prefix, 0)
 	for _, a := range del {
 		// do not delete link-local addresses, and collect them for later
 		// applying SkipAsSource.
@@ -627,29 +589,29 @@ func syncAddresses(ifc *winipcfg.IPAdapterAddresses, want []*net.IPNet) error {
 			continue
 		}
 
-		err := ifc.LUID.DeleteIPAddress(*a)
+		err := ifc.LUID.DeleteIPAddress(a)
 		if err != nil {
-			erracc = fmt.Errorf("deleting IP %q: %w", *a, err)
+			erracc = fmt.Errorf("deleting IP %q: %w", a, err)
 		}
 	}
 
 	for _, a := range add {
-		err := ifc.LUID.AddIPAddress(*a)
+		err := ifc.LUID.AddIPAddress(a)
 		if err != nil {
-			erracc = fmt.Errorf("adding IP %q: %w", *a, err)
+			erracc = fmt.Errorf("adding IP %q: %w", a, err)
 		}
 	}
 
 	for _, a := range ll {
-		mib, err := ifc.LUID.IPAddress(a.IP)
+		mib, err := ifc.LUID.IPAddress(a.Addr())
 		if err != nil {
-			erracc = fmt.Errorf("setting skip-as-source on IP %q: unable to retrieve MIB: %w", *a, err)
+			erracc = fmt.Errorf("setting skip-as-source on IP %q: unable to retrieve MIB: %w", a, err)
 			continue
 		}
 		if !mib.SkipAsSource {
 			mib.SkipAsSource = true
 			if err := mib.Set(); err != nil {
-				erracc = fmt.Errorf("setting skip-as-source on IP %q: unable to set MIB: %w", *a, err)
+				erracc = fmt.Errorf("setting skip-as-source on IP %q: unable to set MIB: %w", a, err)
 			}
 		}
 	}
@@ -657,20 +619,27 @@ func syncAddresses(ifc *winipcfg.IPAdapterAddresses, want []*net.IPNet) error {
 	return erracc
 }
 
+func routeDataLess(a, b *winipcfg.RouteData) bool {
+	return routeDataCompare(a, b) < 0
+}
+
 func routeDataCompare(a, b *winipcfg.RouteData) int {
-	v := bytes.Compare(a.Destination.IP, b.Destination.IP)
+	v := a.Destination.Addr().Compare(b.Destination.Addr())
 	if v != 0 {
 		return v
 	}
 
 	// Narrower masks first
-	v = bytes.Compare(a.Destination.Mask, b.Destination.Mask)
-	if v != 0 {
-		return -v
+	b1, b2 := a.Destination.Bits(), b.Destination.Bits()
+	if b1 != b2 {
+		if b1 > b2 {
+			return -1
+		}
+		return 1
 	}
 
 	// No nexthop before non-empty nexthop
-	v = bytes.Compare(a.NextHop, b.NextHop)
+	v = a.NextHop.Compare(b.NextHop)
 	if v != 0 {
 		return v
 	}
@@ -685,17 +654,11 @@ func routeDataCompare(a, b *winipcfg.RouteData) int {
 	return 0
 }
 
-func sortRouteData(a []*winipcfg.RouteData) {
-	sort.Slice(a, func(i, j int) bool {
-		return routeDataCompare(a[i], a[j]) < 0
-	})
-}
-
 func deltaRouteData(a, b []*winipcfg.RouteData) (add, del []*winipcfg.RouteData) {
 	add = make([]*winipcfg.RouteData, 0, len(b))
 	del = make([]*winipcfg.RouteData, 0, len(a))
-	sortRouteData(a)
-	sortRouteData(b)
+	slices.SortFunc(a, routeDataLess)
+	slices.SortFunc(b, routeDataLess)
 
 	i := 0
 	j := 0
@@ -751,15 +714,15 @@ func getAllInterfaceRoutes(ifc *winipcfg.IPAdapterAddresses) ([]*winipcfg.RouteD
 	rd := make([]*winipcfg.RouteData, 0, len(routes4)+len(routes6))
 	for _, r := range routes4 {
 		rd = append(rd, &winipcfg.RouteData{
-			Destination: r.DestinationPrefix.IPNet(),
-			NextHop:     r.NextHop.IP(),
+			Destination: r.DestinationPrefix.Prefix(),
+			NextHop:     r.NextHop.Addr(),
 			Metric:      r.Metric,
 		})
 	}
 	for _, r := range routes6 {
 		rd = append(rd, &winipcfg.RouteData{
-			Destination: r.DestinationPrefix.IPNet(),
-			NextHop:     r.NextHop.IP(),
+			Destination: r.DestinationPrefix.Prefix(),
+			NextHop:     r.NextHop.Addr(),
 			Metric:      r.Metric,
 		})
 	}
@@ -777,8 +740,8 @@ func filterRoutes(routes []*winipcfg.RouteData, dontDelete []netip.Prefix) []*wi
 	}
 	for _, r := range routes {
 		// We don't want to touch broadcast routes that Windows adds.
-		nr, ok := netaddr.FromStdIPNet(&r.Destination)
-		if !ok {
+		nr := r.Destination
+		if !nr.IsValid() {
 			continue
 		}
 		if nr.IsSingleIP() {
@@ -789,8 +752,8 @@ func filterRoutes(routes []*winipcfg.RouteData, dontDelete []netip.Prefix) []*wi
 	}
 	filtered := make([]*winipcfg.RouteData, 0, len(routes))
 	for _, r := range routes {
-		rr, ok := netaddr.FromStdIPNet(&r.Destination)
-		if ok && ddm[rr] {
+		rr := r.Destination
+		if rr.IsValid() && ddm[rr] {
 			continue
 		}
 		filtered = append(filtered, r)

wgengine/router/ifconfig_windows_test.go

@@ -7,41 +7,30 @@ package router
 import (
 	"fmt"
 	"math/rand"
-	"net"
 	"net/netip"
+	"reflect"
 	"strings"
 	"testing"
 
-	"go4.org/netipx"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
-func randIP() net.IP {
+func randIP() netip.Addr {
 	b := byte(rand.Intn(3))
-	return net.IP{b, b, b, b}
+	return netip.AddrFrom4([4]byte{b, b, b, b})
 }
 
 func randRouteData() *winipcfg.RouteData {
 	return &winipcfg.RouteData{
-		Destination: net.IPNet{
-			IP:   randIP(),
-			Mask: net.CIDRMask(rand.Intn(3)+1, 32),
-		},
-		NextHop: randIP(),
-		Metric:  uint32(rand.Intn(3)),
+		Destination: netip.PrefixFrom(randIP(), rand.Intn(30)+1),
+		NextHop:     randIP(),
+		Metric:      uint32(rand.Intn(3)),
 	}
 }
 
 func TestRouteLess(t *testing.T) {
 	type D = winipcfg.RouteData
-	ipnet := func(s string) net.IPNet {
-		ipp, err := netip.ParsePrefix(s)
-		if err != nil {
-			t.Fatalf("error parsing test data %q: %v", s, err)
-		}
-		return *netipx.PrefixIPNet(ipp)
-	}
-
+	ipnet := netip.MustParsePrefix
 	tests := []struct {
 		ri, rj *winipcfg.RouteData
 		want   bool
@@ -72,76 +61,51 @@ func TestRouteLess(t *testing.T) {
 			want: true,
 		},
 		{
-			ri:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1, NextHop: net.ParseIP("3.3.3.3")},
-			rj:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1, NextHop: net.ParseIP("4.4.4.4")},
+			ri:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1, NextHop: netip.MustParseAddr("3.3.3.3")},
+			rj:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1, NextHop: netip.MustParseAddr("4.4.4.4")},
 			want: true,
 		},
 	}
 	for i, tt := range tests {
-		got := routeLess(tt.ri, tt.rj)
+		got := routeDataLess(tt.ri, tt.rj)
 		if got != tt.want {
 			t.Errorf("%v. less = %v; want %v", i, got, tt.want)
 		}
-		back := routeLess(tt.rj, tt.ri)
+		back := routeDataLess(tt.rj, tt.ri)
 		if back && got {
 			t.Errorf("%v. less both ways", i)
 		}
 	}
 }
 
-func TestRouteLessConsistent(t *testing.T) {
+func TestRouteDataLessConsistent(t *testing.T) {
 	for i := 0; i < 10000; i++ {
 		ri := randRouteData()
 		rj := randRouteData()
-		if routeLess(ri, rj) && routeLess(rj, ri) {
+		if routeDataLess(ri, rj) && routeDataLess(rj, ri) {
 			t.Fatalf("both compare less to each other:\n\t%#v\nand\n\t%#v", ri, rj)
 		}
 	}
 }
 
-func equalNetIPs(a, b []*net.IPNet) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i := range a {
-		if netCompare(*a[i], *b[i]) != 0 {
-			return false
-		}
-	}
-	return true
-}
-
-func ipnet4(ip string, bits int) *net.IPNet {
-	return &net.IPNet{
-		IP:   net.ParseIP(ip),
-		Mask: net.CIDRMask(bits, 32),
-	}
-}
-
-// each cidr can end in "[4]" to mean To4 form.
-func nets(cidrs ...string) (ret []*net.IPNet) {
+func nets(cidrs ...string) (ret []netip.Prefix) {
 	for _, s := range cidrs {
-		to4 := strings.HasSuffix(s, "[4]")
-		if to4 {
-			s = strings.TrimSuffix(s, "[4]")
-		}
-		ip, ipNet, err := net.ParseCIDR(s)
-		if err != nil {
-			panic(fmt.Sprintf("Bogus CIDR %q in test", s))
-		}
-		if to4 {
-			ip = ip.To4()
-		}
-		ipNet.IP = ip
-		ret = append(ret, ipNet)
+		ret = append(ret, netip.MustParsePrefix(s))
 	}
 	return
 }
 
+func nilIfEmpty[E any](s []E) []E {
+	if len(s) == 0 {
+		return nil
+	}
+	return s
+}
+
 func TestDeltaNets(t *testing.T) {
 	tests := []struct {
-		a, b             []*net.IPNet
-		wantAdd, wantDel []*net.IPNet
+		a, b             []netip.Prefix
+		wantAdd, wantDel []netip.Prefix
 	}{
 		{
 			a:       nets("1.2.3.4/24", "1.2.3.4/31", "1.2.3.3/32", "10.0.1.1/32", "100.0.1.1/32"),
@@ -161,30 +125,16 @@ func TestDeltaNets(t *testing.T) {
 		},
 		{
 			a:       nets("100.84.36.11/32", "fe80::99d0:ec2d:b2e7:536b/64"),
-			b:       nets("100.84.36.11/32[4]"),
+			b:       nets("100.84.36.11/32"),
 			wantDel: nets("fe80::99d0:ec2d:b2e7:536b/64"),
 		},
-		{
-			a: []*net.IPNet{
-				{
-					IP:   net.ParseIP("1.2.3.4"),
-					Mask: net.IPMask{0xff, 0xff, 0xff, 0xff},
-				},
-			},
-			b: []*net.IPNet{
-				{
-					IP:   net.ParseIP("1.2.3.4"),
-					Mask: net.IPMask{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
-				},
-			},
-		},
 	}
 	for i, tt := range tests {
 		add, del := deltaNets(tt.a, tt.b)
-		if !equalNetIPs(add, tt.wantAdd) {
+		if !reflect.DeepEqual(nilIfEmpty(add), nilIfEmpty(tt.wantAdd)) {
 			t.Errorf("[%d] add:\n  got: %v\n want: %v\n", i, add, tt.wantAdd)
 		}
-		if !equalNetIPs(del, tt.wantDel) {
+		if !reflect.DeepEqual(nilIfEmpty(del), nilIfEmpty(tt.wantDel)) {
 			t.Errorf("[%d] del:\n  got: %v\n want: %v\n", i, del, tt.wantDel)
 		}
 	}
@@ -210,35 +160,40 @@ func equalRouteDatas(a, b []*winipcfg.RouteData) bool {
 	return true
 }
 
+func ipnet4(ip string, bits int) netip.Prefix {
+	return netip.PrefixFrom(netip.MustParseAddr(ip), bits)
+}
+
 func TestFilterRoutes(t *testing.T) {
-	var h0 net.IP
+	var h0 netip.Addr
+
 	in := []*winipcfg.RouteData{
 		// LinkLocal and Loopback routes.
-		{*ipnet4("169.254.0.0", 16), h0, 1},
-		{*ipnet4("169.254.255.255", 32), h0, 1},
-		{*ipnet4("127.0.0.0", 8), h0, 1},
-		{*ipnet4("127.255.255.255", 32), h0, 1},
+		{ipnet4("169.254.0.0", 16), h0, 1},
+		{ipnet4("169.254.255.255", 32), h0, 1},
+		{ipnet4("127.0.0.0", 8), h0, 1},
+		{ipnet4("127.255.255.255", 32), h0, 1},
 		// Local LAN routes.
-		{*ipnet4("192.168.0.0", 24), h0, 1},
-		{*ipnet4("192.168.0.255", 32), h0, 1},
-		{*ipnet4("192.168.1.0", 25), h0, 1},
-		{*ipnet4("192.168.1.127", 32), h0, 1},
+		{ipnet4("192.168.0.0", 24), h0, 1},
+		{ipnet4("192.168.0.255", 32), h0, 1},
+		{ipnet4("192.168.1.0", 25), h0, 1},
+		{ipnet4("192.168.1.127", 32), h0, 1},
 		// Some random other route.
-		{*ipnet4("192.168.2.23", 32), h0, 1},
+		{ipnet4("192.168.2.23", 32), h0, 1},
 		// Our own tailscale address.
-		{*ipnet4("100.100.100.100", 32), h0, 1},
+		{ipnet4("100.100.100.100", 32), h0, 1},
 		// Other tailscale addresses.
-		{*ipnet4("100.100.100.101", 32), h0, 1},
-		{*ipnet4("100.100.100.102", 32), h0, 1},
+		{ipnet4("100.100.100.101", 32), h0, 1},
+		{ipnet4("100.100.100.102", 32), h0, 1},
 	}
 	want := []*winipcfg.RouteData{
-		{*ipnet4("169.254.0.0", 16), h0, 1},
-		{*ipnet4("127.0.0.0", 8), h0, 1},
-		{*ipnet4("192.168.0.0", 24), h0, 1},
-		{*ipnet4("192.168.1.0", 25), h0, 1},
-		{*ipnet4("192.168.2.23", 32), h0, 1},
-		{*ipnet4("100.100.100.101", 32), h0, 1},
-		{*ipnet4("100.100.100.102", 32), h0, 1},
+		{ipnet4("169.254.0.0", 16), h0, 1},
+		{ipnet4("127.0.0.0", 8), h0, 1},
+		{ipnet4("192.168.0.0", 24), h0, 1},
+		{ipnet4("192.168.1.0", 25), h0, 1},
+		{ipnet4("192.168.2.23", 32), h0, 1},
+		{ipnet4("100.100.100.101", 32), h0, 1},
+		{ipnet4("100.100.100.102", 32), h0, 1},
 	}
 
 	got := filterRoutes(in, mustCIDRs("100.100.100.100/32"))
@@ -248,29 +203,29 @@ func TestFilterRoutes(t *testing.T) {
 }
 
 func TestDeltaRouteData(t *testing.T) {
-	var h0 net.IP
-	h1 := net.ParseIP("99.99.99.99")
-	h2 := net.ParseIP("99.99.9.99")
+	var h0 netip.Addr
+	h1 := netip.MustParseAddr("99.99.99.99")
+	h2 := netip.MustParseAddr("99.99.9.99")
 
 	a := []*winipcfg.RouteData{
-		{*ipnet4("1.2.3.4", 32), h0, 1},
-		{*ipnet4("1.2.3.4", 24), h1, 2},
-		{*ipnet4("1.2.3.4", 24), h2, 1},
-		{*ipnet4("1.2.3.5", 32), h0, 1},
+		{ipnet4("1.2.3.4", 32), h0, 1},
+		{ipnet4("1.2.3.4", 24), h1, 2},
+		{ipnet4("1.2.3.4", 24), h2, 1},
+		{ipnet4("1.2.3.5", 32), h0, 1},
 	}
 	b := []*winipcfg.RouteData{
-		{*ipnet4("1.2.3.5", 32), h0, 1},
-		{*ipnet4("1.2.3.4", 24), h1, 2},
-		{*ipnet4("1.2.3.4", 24), h2, 2},
+		{ipnet4("1.2.3.5", 32), h0, 1},
+		{ipnet4("1.2.3.4", 24), h1, 2},
+		{ipnet4("1.2.3.4", 24), h2, 2},
 	}
 	add, del := deltaRouteData(a, b)
 
 	wantAdd := []*winipcfg.RouteData{
-		{*ipnet4("1.2.3.4", 24), h2, 2},
+		{ipnet4("1.2.3.4", 24), h2, 2},
 	}
 	wantDel := []*winipcfg.RouteData{
-		{*ipnet4("1.2.3.4", 32), h0, 1},
-		{*ipnet4("1.2.3.4", 24), h2, 1},
+		{ipnet4("1.2.3.4", 32), h0, 1},
+		{ipnet4("1.2.3.4", 24), h2, 1},
 	}
 
 	if !equalRouteDatas(add, wantAdd) {

wgengine/userspace.go

@@ -1005,6 +1005,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 	closing := e.closing
 	peerKeys := make([]key.NodePublic, len(e.peerSequence))
 	copy(peerKeys, e.peerSequence)
+	localAddrs := append([]tailcfg.Endpoint(nil), e.endpoints...)
 	e.mu.Unlock()
 
 	if closing {
@@ -1020,7 +1021,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 
 	return &Status{
 		AsOf:       time.Now(),
-		LocalAddrs: append([]tailcfg.Endpoint(nil), e.endpoints...),
+		LocalAddrs: localAddrs,
 		Peers:      peers,
 		DERPs:      derpConns,
 	}, nil

words/scales.txt

@@ -113,6 +113,11 @@ bee
 bearded
 beardie
 pogona
+chicken
+hen
+rooster
+quail
+grouse
 
 # Musical scales
 acoustic

words/tails.txt

@@ -217,3 +217,8 @@ dragon
 bearded
 beardie
 pogona
+chicken
+hen
+rooster
+quail
+grouse