cmd/tailscale{,d}: combine into a single binary

To reduce size, combine tailscaled and tailscale into a single
binary which will figure out what it should do based on argv[0].

Signed-off-by: Denton Gentry <dgentry@tailscale.com>

.github/workflows/xe-experimental-vm-test.yml

@@ -1,36 +0,0 @@
-name: "integration-vms"
-
-on:
-  # # NOTE(Xe): uncomment this region when testing the test
-  # pull_request:
-  #   branches:
-  #     - 'main'
-  release:
-    types: [ created ]
-  schedule:
-    # At minute 0 past hour 6 and 18
-    # https://crontab.guru/#00_6,18_*_*_*
-    - cron: '00 6,18 * * *'
-
-jobs:
-  experimental-linux-vm-test:
-    # To set up a new runner, see tstest/integration/vms/runner.nix
-    runs-on: [ self-hosted, linux, vm_integration_test ]
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v1
-
-      - name: Download VM Images
-        run: go test ./tstest/integration/vms -run-vm-tests -run=Download -timeout=60m
-        env:
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-      - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -run-vm-tests
-        env:
-          TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-

build_dist.sh

@@ -11,36 +11,6 @@
 
 set -eu
 
-IFS=".$IFS" read -r major minor patch <VERSION.txt
-git_hash=$(git rev-parse HEAD)
-if ! git diff-index --quiet HEAD; then
-	git_hash="${git_hash}-dirty"
-fi
-base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
-change_count=$(git rev-list --count HEAD "^$base_hash")
-short_hash=$(echo "$git_hash" | cut -c1-9)
+eval $(./version/version.sh)
 
-if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
-	patch="$change_count"
-	change_suffix=""
-elif [ "$change_count" != "0" ]; then
-	change_suffix="-$change_count"
-else
-	change_suffix=""
-fi
-
-long_suffix="$change_suffix-t$short_hash"
-SHORT="$major.$minor.$patch"
-LONG="${SHORT}$long_suffix"
-GIT_HASH="$git_hash"
-
-if [ "$1" = "shellvars" ]; then
-	cat <<EOF
-VERSION_SHORT="$SHORT"
-VERSION_LONG="$LONG"
-VERSION_GIT_HASH="$GIT_HASH"
-EOF
-	exit 0
-fi
-
-exec go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
+exec go build -tags xversion -ldflags "-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" "$@"

client/tailscale/tailscale.go

@@ -256,25 +256,3 @@ func Logout(ctx context.Context) error {
 	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
 	return err
 }
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}

cmd/mkpkg/main.go

@@ -21,9 +21,6 @@ import (
 // into a map of filePathOnDisk -> filePathInPackage.
 func parseFiles(s string) (map[string]string, error) {
 	ret := map[string]string{}
-	if len(s) == 0 {
-		return ret, nil
-	}
 	for _, f := range strings.Split(s, ",") {
 		fs := strings.Split(f, ":")
 		if len(fs) != 2 {

cmd/tailscale/cli/auth-redirect.html

@@ -1,57 +0,0 @@
-<html>
-<head>
-	<title>Redirecting...</title>
-	<style>
-		html,
-		body {
-			height: 100%;
-		}
-
-		html {
-			background-color: rgb(249, 247, 246);
-			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
-			line-height: 1.5;
-			-webkit-text-size-adjust: 100%;
-			-webkit-font-smoothing: antialiased;
-			-moz-osx-font-smoothing: grayscale;
-		}
-
-		body {
-			display: flex;
-			flex-direction: column;
-			align-items: center;
-			justify-content: center;
-		}
-
-		.spinner {
-			margin-bottom: 2rem;
-			border: 4px rgba(112, 110, 109, 0.5) solid;
-			border-left-color: transparent;
-			border-radius: 9999px;
-			width: 4rem;
-			height: 4rem;
-			-webkit-animation: spin 700ms linear infinite;
-      animation: spin 800ms linear infinite;
-		}
-
-		.label {
-			color: rgb(112, 110, 109);
-			padding-left: 0.4rem;
-		}
-
-		@-webkit-keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-
-		@keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-	</style>
-</head> <body>
-	<div class="spinner"></div>
-	<div class="label">Redirecting...</div>
-</body>

cmd/tailscale/depaware.txt

@@ -1,7 +1,6 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
 
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
         github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
         github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
@@ -40,12 +39,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
         tailscale.com/syncs                                          from tailscale.com/net/interfaces+
         tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/tempfork/upnp                                  from tailscale.com/tempfork/upnp/dcps/internetgateway2
-        tailscale.com/tempfork/upnp/dcps/internetgateway2            from tailscale.com/net/portmapper
-        tailscale.com/tempfork/upnp/httpu                            from tailscale.com/tempfork/upnp
-        tailscale.com/tempfork/upnp/scpd                             from tailscale.com/tempfork/upnp
-        tailscale.com/tempfork/upnp/soap                             from tailscale.com/tempfork/upnp+
-        tailscale.com/tempfork/upnp/ssdp                             from tailscale.com/tempfork/upnp
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -55,14 +48,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
         tailscale.com/types/persist                                  from tailscale.com/ipn
         tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
         tailscale.com/types/structs                                  from tailscale.com/ipn+
         tailscale.com/types/wgkey                                    from tailscale.com/types/netmap+
         tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
    W    tailscale.com/util/endian                                    from tailscale.com/net/netns
-        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
    L    tailscale.com/util/lineread                                  from tailscale.com/net/interfaces
         tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli
         tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
@@ -82,7 +75,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp
         golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
         golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
   LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
@@ -125,14 +118,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         debug/macho                                                  from rsc.io/goversion/version
         debug/pe                                                     from rsc.io/goversion/version
         embed                                                        from tailscale.com/cmd/tailscale/cli
-        encoding                                                     from encoding/json+
+        encoding                                                     from encoding/json
         encoding/asn1                                                from crypto/x509+
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+
         encoding/json                                                from expvar+
         encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from tailscale.com/cmd/tailscale/cli+
         errors                                                       from bufio+
         expvar                                                       from tailscale.com/derp+
         flag                                                         from github.com/peterbourgon/ff/v2+
@@ -164,7 +156,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         os                                                           from crypto/rand+
         os/exec                                                      from github.com/toqueteos/webbrowser+
         os/signal                                                    from tailscale.com/cmd/tailscale/cli
-        os/user                                                      from tailscale.com/util/groupmember
         path                                                         from debug/dwarf+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+

cmd/tailscaled/cli/file.go

@@ -97,12 +97,14 @@ func runCp(ctx context.Context, args []string) error {
 		return err
 	}
 
-	peerAPIBase, isOffline, err := discoverPeerAPIBase(ctx, ip)
+	peerAPIBase, lastSeen, isOffline, err := discoverPeerAPIBase(ctx, ip)
 	if err != nil {
 		return fmt.Errorf("can't send to %s: %v", target, err)
 	}
 	if isOffline {
 		fmt.Fprintf(os.Stderr, "# warning: %s is offline\n", target)
+	} else if !lastSeen.IsZero() && time.Since(lastSeen) > lastSeenOld {
+		fmt.Fprintf(os.Stderr, "# warning: %s last seen %v ago\n", target, time.Since(lastSeen).Round(time.Minute))
 	}
 
 	if len(files) > 1 {
@@ -180,14 +182,14 @@ func runCp(ctx context.Context, args []string) error {
 	return nil
 }
 
-func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, isOffline bool, err error) {
+func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, lastSeen time.Time, isOffline bool, err error) {
 	ip, err := netaddr.ParseIP(ipStr)
 	if err != nil {
-		return "", false, err
+		return "", time.Time{}, false, err
 	}
 	fts, err := tailscale.FileTargets(ctx)
 	if err != nil {
-		return "", false, err
+		return "", time.Time{}, false, err
 	}
 	for _, ft := range fts {
 		n := ft.Node
@@ -195,11 +197,14 @@ func discoverPeerAPIBase(ctx context.Context, ipStr string) (base string, isOffl
 			if a.IP() != ip {
 				continue
 			}
+			if n.LastSeen != nil {
+				lastSeen = *n.LastSeen
+			}
 			isOffline = n.Online != nil && !*n.Online
-			return ft.PeerAPIURL, isOffline, nil
+			return ft.PeerAPIURL, lastSeen, isOffline, nil
 		}
 	}
-	return "", false, fileTargetErrorDetail(ctx, ip)
+	return "", time.Time{}, false, fileTargetErrorDetail(ctx, ip)
 }
 
 // fileTargetErrorDetail returns a non-nil error saying why ip is an
@@ -269,6 +274,8 @@ func (r *slowReader) Read(p []byte) (n int, err error) {
 	return
 }
 
+const lastSeenOld = 20 * time.Minute
+
 func runCpTargets(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("invalid arguments with --targets")

cmd/tailscaled/cli/up.go

@@ -230,9 +230,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = preftype.NetfilterOff
-			if defaultNetfilterMode() != "off" {
-				warnf("netfilter=off; configure iptables yourself.")
-			}
+			warnf("netfilter=off; configure iptables yourself.")
 		default:
 			return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
 		}
@@ -268,7 +266,7 @@ func runUp(ctx context.Context, args []string) error {
 	}
 
 	if distro.Get() == distro.Synology {
-		notSupported := "not supported on Synology; see https://github.com/tailscale/tailscale/issues/1995"
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
 		if upArgs.acceptRoutes {
 			return errors.New("--accept-routes is " + notSupported)
 		}

cmd/tailscaled/cli/web.go

@@ -9,15 +9,12 @@ import (
 	"context"
 	_ "embed"
 	"encoding/json"
-	"encoding/xml"
 	"flag"
 	"fmt"
 	"html/template"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"net/http/cgi"
-	"net/url"
 	"os/exec"
 	"runtime"
 	"strings"
@@ -27,7 +24,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )
 
@@ -37,9 +33,6 @@ var webHTML string
 //go:embed web.css
 var webCSS string
 
-//go:embed auth-redirect.html
-var authenticationRedirectHTML string
-
 var tmpl *template.Template
 
 func init() {
@@ -89,114 +82,23 @@ func runWeb(ctx context.Context, args []string) error {
 	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 }
 
-// authorize returns the name of the user accessing the web UI after verifying
-// whether the user has access to the web UI. The function will write the
-// error to the provided http.ResponseWriter.
-// Note: This is different from a tailscale user, and is typically the local
-// user on the node.
-func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
-	switch distro.Get() {
-	case distro.Synology:
-		user, err := synoAuthn()
+func auth() (string, error) {
+	if distro.Get() == distro.Synology {
+		cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+		out, err := cmd.CombinedOutput()
 		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
+			return "", fmt.Errorf("auth: %v: %s", err, out)
 		}
-		if err := authorizeSynology(user); err != nil {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
-	case distro.QNAP:
-		user, resp, err := qnapAuthn(r)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
-		}
-		if resp.IsAdmin == 0 {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
+		return string(out), nil
 	}
+
 	return "", nil
 }
 
-// authorizeSynology checks whether the provided user has access to the web UI
-// by consulting the membership of the "administrators" group.
-func authorizeSynology(name string) error {
-	yes, err := groupmember.IsMemberOfGroup("administrators", name)
-	if err != nil {
-		return err
-	}
-	if !yes {
-		return fmt.Errorf("not a member of administrators group")
-	}
-	return nil
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err != nil {
-		return "", nil, err
-	}
-	query := url.Values{
-		"qtoken": []string{token.Value},
-		"user":   []string{user.Value},
-	}
-	u := url.URL{
-		Scheme:   r.URL.Scheme,
-		Host:     r.URL.Host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-	resp, err := http.Get(u.String())
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user.Value, authResp, nil
-}
-
-func synoAuthn() (string, error) {
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return "", fmt.Errorf("auth: %v: %s", err, out)
-	}
-	return strings.TrimSpace(string(out)), nil
-}
-
-func authRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if distro.Get() == distro.Synology {
-		return synoTokenRedirect(w, r)
-	}
-	return false
-}
-
 func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if distro.Get() != distro.Synology {
+		return false
+	}
 	if r.Header.Get("X-Syno-Token") != "" {
 		return false
 	}
@@ -230,13 +132,75 @@ req.send(null);
 </body></html>
 `
 
+const authenticationRedirectHTML = `
+<html>
+<head>
+	<title>Redirecting...</title>
+	<style>
+		html,
+		body {
+			height: 100%;
+		}
+
+		html {
+			background-color: rgb(249, 247, 246);
+			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+			line-height: 1.5;
+			-webkit-text-size-adjust: 100%;
+			-webkit-font-smoothing: antialiased;
+			-moz-osx-font-smoothing: grayscale;
+		}
+
+		body {
+			display: flex;
+			flex-direction: column;
+			align-items: center;
+			justify-content: center;
+		}
+
+		.spinner {
+			margin-bottom: 2rem;
+			border: 4px rgba(112, 110, 109, 0.5) solid;
+			border-left-color: transparent;
+			border-radius: 9999px;
+			width: 4rem;
+			height: 4rem;
+			-webkit-animation: spin 700ms linear infinite;
+      animation: spin 800ms linear infinite;
+		}
+
+		.label {
+			color: rgb(112, 110, 109);
+			padding-left: 0.4rem;
+		}
+
+		@-webkit-keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+
+		@keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+	</style>
+</head>
+<body>
+	<div class="spinner"></div>
+	<div class="label">Redirecting...</div>
+</body>
+`
+
 func webHandler(w http.ResponseWriter, r *http.Request) {
-	if authRedirect(w, r) {
+	if synoTokenRedirect(w, r) {
 		return
 	}
 
-	user, err := authorize(w, r)
+	user, err := auth()
 	if err != nil {
+		http.Error(w, err.Error(), http.StatusForbidden)
 		return
 	}
 
@@ -250,8 +214,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			json.NewEncoder(w).Encode(mi{"error": err})
 			return
 		}
 		json.NewEncoder(w).Encode(mi{"url": url})
@@ -260,7 +223,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 
 	st, err := tailscale.Status(r.Context())
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, err.Error(), 500)
 		return
 	}
 
@@ -278,7 +241,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 
 	buf := new(bytes.Buffer)
 	if err := tmpl.Execute(buf, data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, err.Error(), 500)
 		return
 	}
 	w.Write(buf.Bytes())
@@ -357,10 +320,6 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	})
 	bc.StartLoginInteractive()
 
-	<-pumpCtx.Done() // wait for authURL or complete failure
-	if authURL == "" && retErr == nil {
-		retErr = pumpCtx.Err()
-	}
 	if authURL == "" && retErr == nil {
 		return "", fmt.Errorf("login failed with no backend error message")
 	}

cmd/tailscaled/depaware.txt

@@ -1,43 +1,41 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)
 
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+   W 💣 github.com/github/certstore                                  from tailscale.com/control/controlclient
         github.com/go-multierror/multierror                          from tailscale.com/wgengine/router+
    W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
    W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
    L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
-        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
         github.com/google/btree                                      from inet.af/netstack/tcpip/header+
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
    L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
         github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
         github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
         github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
         github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-   L 💣 github.com/mdlayher/netlink                                  from tailscale.com/wgengine/monitor+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/mdlayher/netlink+
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
    L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
-   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
-   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+   W    github.com/pkg/errors                                        from github.com/github/certstore
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
      💣 go4.org/intern                                               from inet.af/netaddr
      💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
         go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
-     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
-     💣 golang.zx2c4.com/wireguard/device                            from tailscale.com/net/tstun+
-     💣 golang.zx2c4.com/wireguard/ipc                               from golang.zx2c4.com/wireguard/device
-   W 💣 golang.zx2c4.com/wireguard/ipc/winpipe                       from golang.zx2c4.com/wireguard/ipc
-        golang.zx2c4.com/wireguard/ratelimiter                       from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/replay                            from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
-        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device+
-     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun+
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
         inet.af/netaddr                                              from tailscale.com/control/controlclient+
      💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
@@ -71,7 +69,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         inet.af/netstack/tcpip/transport/udp                         from inet.af/netstack/tcpip/adapters/gonet+
         inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
         inet.af/peercred                                             from tailscale.com/ipn/ipnserver
-   W 💣 inet.af/wf                                                   from tailscale.com/wf
         rsc.io/goversion/version                                     from tailscale.com/version
         tailscale.com/atomicfile                                     from tailscale.com/ipn+
         tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
@@ -118,12 +115,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
         tailscale.com/syncs                                          from tailscale.com/net/interfaces+
         tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
-        tailscale.com/tempfork/upnp                                  from tailscale.com/tempfork/upnp/dcps/internetgateway2
-        tailscale.com/tempfork/upnp/dcps/internetgateway2            from tailscale.com/net/portmapper
-        tailscale.com/tempfork/upnp/httpu                            from tailscale.com/tempfork/upnp
-        tailscale.com/tempfork/upnp/scpd                             from tailscale.com/tempfork/upnp
-        tailscale.com/tempfork/upnp/soap                             from tailscale.com/tempfork/upnp+
-        tailscale.com/tempfork/upnp/ssdp                             from tailscale.com/tempfork/upnp
+   W 💣 tailscale.com/tempfork/wireguard-windows/firewall            from tailscale.com/cmd/tailscaled
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
         tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
         tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
@@ -136,12 +128,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
         tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
         tailscale.com/types/preftype                                 from tailscale.com/ipn+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
         tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
         tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
    L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
         tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
   LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
-        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
    L    tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
         tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
         tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
@@ -151,7 +143,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/winutil                                   from tailscale.com/logpolicy+
         tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
         tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
-   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
         tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine+
@@ -163,7 +154,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
    W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
         golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -172,7 +163,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/hkdf                                     from crypto/tls
         golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
         golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
@@ -180,15 +171,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/net/http/httpproxy                              from net/http
         golang.org/x/net/http2/hpack                                 from net/http
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
-        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp
         golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
         golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/mdlayher/netlink+
-   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from github.com/tailscale/wireguard-go/conn+
    W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
    W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled+
    W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
@@ -238,7 +229,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         encoding/hex                                                 from crypto/x509+
         encoding/json                                                from expvar+
         encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from tailscale.com/tempfork/upnp+
         errors                                                       from bufio+
         expvar                                                       from tailscale.com/derp+
         flag                                                         from tailscale.com/cmd/tailscaled+

cmd/tailscaled/main.go

@@ -0,0 +1,16 @@
+package main
+
+import (
+	"os"
+	"strings"
+)
+
+func main() {
+	if strings.HasSuffix(os.Args[0], "tailscaled") {
+		tailscaled_main()
+	} else if strings.HasSuffix(os.Args[0], "tailscale") {
+		tailscale_main()
+	} else {
+		panic(os.Args[0])
+	}
+}

cmd/tailscaled/tailscale.go

@@ -4,7 +4,7 @@
 
 // The tailscale command is the Tailscale command-line client. It interacts
 // with the tailscaled node agent.
-package main // import "tailscale.com/cmd/tailscale"
+package main // import "tailscale.com/cmd/tailscaled"
 
 import (
 	"fmt"
@@ -12,10 +12,10 @@ import (
 	"path/filepath"
 	"strings"
 
-	"tailscale.com/cmd/tailscale/cli"
+	"tailscale.com/cmd/tailscaled/cli"
 )
 
-func main() {
+func tailscale_main() {
 	args := os.Args[1:]
 	if name, _ := os.Executable(); strings.HasSuffix(filepath.Base(name), ".cgi") {
 		args = []string{"web", "-cgi"}

cmd/tailscaled/tailscaled.go

@@ -101,7 +101,7 @@ var subCommands = map[string]*func([]string) error{
 	"debug":                   &debugModeFunc,
 }
 
-func main() {
+func tailscaled_main() {
 	// We aren't very performance sensitive, and the parts that are
 	// performance sensitive (wireguard) try hard not to do any memory
 	// allocations. So let's be aggressive about garbage collection,

cmd/tailscaled/tailscaled.openrc

@@ -1,23 +0,0 @@
-#!/sbin/openrc-run
-
-source /etc/default/tailscaled
-
-command="/usr/sbin/tailscaled"
-command_args="--state=/var/lib/tailscale/tailscaled.state --port=$PORT --socket=/var/run/tailscale/tailscaled.sock $FLAGS"
-command_background=true
-pidfile="/run/tailscaled.pid"
-start_stop_daemon_args="-1 /var/log/tailscaled.log -2 /var/log/tailscaled.log"
-
-depend() {
-    need net
-}
-
-start_pre() {
-    mkdir -p /var/run/tailscale
-    mkdir -p /var/lib/tailscale
-    $command --cleanup
-}
-
-stop_post() {
-    $command --cleanup
-}

cmd/tailscaled/tailscaled_windows.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"net"
 	"os"
 	"time"
 
@@ -31,9 +32,9 @@ import (
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/tstun"
+	"tailscale.com/tempfork/wireguard-windows/firewall"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
-	"tailscale.com/wf"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
@@ -143,13 +144,13 @@ func beFirewallKillswitch() bool {
 
 	luid, err := winipcfg.LUIDFromGUID(&guid)
 	if err != nil {
-		log.Fatalf("no interface with GUID %q: %v", guid, err)
+		log.Fatalf("no interface with GUID %q", guid)
 	}
 
+	noProtection := false
+	var dnsIPs []net.IP // unused in called code.
 	start := time.Now()
-	if _, err := wf.New(uint64(luid)); err != nil {
-		log.Fatalf("filewall creation failed: %v", err)
-	}
+	firewall.EnableFirewall(uint64(luid), noProtection, dnsIPs)
 	log.Printf("killswitch enabled, took %s", time.Since(start))
 
 	// Block until the monitor goroutine shuts us down.

control/controlclient/auto.go

@@ -576,12 +576,9 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	c.logf("[v1] sendStatus: %s: %v", who, state)
 
 	var p *persist.Persist
-	var loginFin, logoutFin *empty.Message
+	var fin *empty.Message
 	if state == StateAuthenticated {
-		loginFin = new(empty.Message)
-	}
-	if state == StateNotAuthenticated {
-		logoutFin = new(empty.Message)
+		fin = new(empty.Message)
 	}
 	if nm != nil && loggedIn && synced {
 		pp := c.direct.GetPersist()
@@ -592,13 +589,12 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		nm = nil
 	}
 	new := Status{
-		LoginFinished:  loginFin,
-		LogoutFinished: logoutFin,
-		URL:            url,
-		Persist:        p,
-		NetMap:         nm,
-		Hostinfo:       hi,
-		State:          state,
+		LoginFinished: fin,
+		URL:           url,
+		Persist:       p,
+		NetMap:        nm,
+		Hostinfo:      hi,
+		State:         state,
 	}
 	if err != nil {
 		new.Err = err.Error()
@@ -716,9 +712,3 @@ func (c *Auto) TestOnlySetAuthKey(authkey string) {
 func (c *Auto) TestOnlyTimeNow() time.Time {
 	return c.timeNow()
 }
-
-// SetDNS sends the SetDNSRequest request to the control plane server,
-// requesting a DNS record be created or updated.
-func (c *Auto) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
-	return c.direct.SetDNS(ctx, req)
-}

control/controlclient/client.go

@@ -74,7 +74,4 @@ type Client interface {
 	// in a separate http request. It has nothing to do with the rest of
 	// the state machine.
 	UpdateEndpoints(localPort uint16, endpoints []tailcfg.Endpoint)
-	// SetDNS sends the SetDNSRequest request to the control plane server,
-	// requesting a DNS record be created or updated.
-	SetDNS(context.Context, *tailcfg.SetDNSRequest) error
 }

control/controlclient/controlclient_test.go

@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 
 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
+	equalHandles := []string{"LoginFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)

control/controlclient/direct.go

@@ -32,7 +32,6 @@ import (
 	"golang.org/x/crypto/nacl/box"
 	"inet.af/netaddr"
 	"tailscale.com/health"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
@@ -67,7 +66,6 @@ type Direct struct {
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
-	pinger                 Pinger
 
 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgkey.Key
@@ -105,18 +103,6 @@ type Options struct {
 	// forwarding works and should not be double-checked by the
 	// controlclient package.
 	SkipIPForwardingCheck bool
-
-	// Pinger optionally specifies the Pinger to use to satisfy
-	// MapResponse.PingRequest queries from the control plane.
-	// If nil, PingRequest queries are not answered.
-	Pinger Pinger
-}
-
-// Pinger is a subset of the wgengine.Engine interface, containing just the Ping method.
-type Pinger interface {
-	// Ping is a request to start a discovery or TSMP ping with the peer handling
-	// the given IP and then call cb with its ping latency & method.
-	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
 }
 
 type Decompressor interface {
@@ -179,7 +165,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
 		linkMon:                opts.LinkMonitor,
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
-		pinger:                 opts.Pinger,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -1226,50 +1211,3 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 		}
 	}
 }
-
-// SetDNS sends the SetDNSRequest request to the control plane server,
-// requesting a DNS record be created or updated.
-func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
-	c.mu.Lock()
-	serverKey := c.serverKey
-	c.mu.Unlock()
-
-	if serverKey.IsZero() {
-		return errors.New("zero serverKey")
-	}
-	machinePrivKey, err := c.getMachinePrivKey()
-	if err != nil {
-		return fmt.Errorf("getMachinePrivKey: %w", err)
-	}
-	if machinePrivKey.IsZero() {
-		return errors.New("getMachinePrivKey returned zero key")
-	}
-
-	bodyData, err := encode(req, &serverKey, &machinePrivKey)
-	if err != nil {
-		return err
-	}
-	body := bytes.NewReader(bodyData)
-
-	u := fmt.Sprintf("%s/machine/%s/set-dns", c.serverURL, machinePrivKey.Public().HexString())
-	hreq, err := http.NewRequestWithContext(ctx, "POST", u, body)
-	if err != nil {
-		return err
-	}
-	res, err := c.httpc.Do(hreq)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != 200 {
-		msg, _ := ioutil.ReadAll(res.Body)
-		return fmt.Errorf("sign-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
-	}
-	var setDNSRes struct{} // no fields yet
-	if err := decode(res, &setDNSRes, &serverKey, &machinePrivKey); err != nil {
-		c.logf("error decoding SetDNSResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
-		return fmt.Errorf("set-dns-response: %v", err)
-	}
-
-	return nil
-}

control/controlclient/sign_supported.go

@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/tailscale/certstore"
+	"github.com/github/certstore"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/winutil"

control/controlclient/status.go

@@ -64,12 +64,11 @@ func (s State) String() string {
 }
 
 type Status struct {
-	_              structs.Incomparable
-	LoginFinished  *empty.Message // nonempty when login finishes
-	LogoutFinished *empty.Message // nonempty when logout finishes
-	Err            string
-	URL            string             // interactive URL to visit to finish logging in
-	NetMap         *netmap.NetworkMap // server-pushed configuration
+	_             structs.Incomparable
+	LoginFinished *empty.Message // nonempty when login finishes
+	Err           string
+	URL           string             // interactive URL to visit to finish logging in
+	NetMap        *netmap.NetworkMap // server-pushed configuration
 
 	// The internal state should not be exposed outside this
 	// package, but we have some automated tests elsewhere that need to
@@ -87,7 +86,6 @@ func (s *Status) Equal(s2 *Status) bool {
 	}
 	return s != nil && s2 != nil &&
 		(s.LoginFinished == nil) == (s2.LoginFinished == nil) &&
-		(s.LogoutFinished == nil) == (s2.LogoutFinished == nil) &&
 		s.Err == s2.Err &&
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&

derp/derp_server.go

@@ -20,7 +20,6 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
-	"math"
 	"math/big"
 	"math/rand"
 	"os"
@@ -28,7 +27,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	"go4.org/mem"
@@ -122,7 +120,6 @@ type Server struct {
 	multiForwarderCreated    expvar.Int
 	multiForwarderDeleted    expvar.Int
 	removePktForwardOther    expvar.Int
-	avgQueueDuration         *uint64 // In milliseconds; accessed atomically
 
 	mu          sync.Mutex
 	closed      bool
@@ -185,7 +182,6 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		memSys0:              ms.Sys,
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.Public]map[key.Public]int64{},
-		avgQueueDuration:     new(uint64),
 	}
 	s.initMetacert()
 	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
@@ -615,9 +611,8 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 	}
 
 	return c.sendPkt(dst, pkt{
-		bs:         contents,
-		enqueuedAt: time.Now(),
-		src:        srcKey,
+		bs:  contents,
+		src: srcKey,
 	})
 }
 
@@ -670,9 +665,8 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	}
 
 	p := pkt{
-		bs:         contents,
-		enqueuedAt: time.Now(),
-		src:        c.key,
+		bs:  contents,
+		src: c.key,
 	}
 	return c.sendPkt(dst, p)
 }
@@ -702,7 +696,7 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		}
 
 		select {
-		case pkt := <-dst.sendQueue:
+		case <-dst.sendQueue:
 			s.packetsDropped.Add(1)
 			s.packetsDroppedQueueHead.Add(1)
 			if verboseDropKeys[dstKey] {
@@ -711,7 +705,6 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 				msg := fmt.Sprintf("tail drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
 				c.s.limitedLogf(msg)
 			}
-			c.recordQueueTime(pkt.enqueuedAt)
 			if debug {
 				c.logf("dropping packet from client %x queue head", dstKey)
 			}
@@ -934,13 +927,11 @@ type pkt struct {
 	// src is the who's the sender of the packet.
 	src key.Public
 
-	// enqueuedAt is when a packet was put onto a queue before it was sent,
-	// and is used for reporting metrics on the duration of packets in the queue.
-	enqueuedAt time.Time
-
 	// bs is the data packet bytes.
 	// The memory is owned by pkt.
 	bs []byte
+
+	// TODO(danderson): enqueue time, to measure queue latency?
 }
 
 func (c *sclient) setPreferred(v bool) {
@@ -968,25 +959,6 @@ func (c *sclient) setPreferred(v bool) {
 	}
 }
 
-// expMovingAverage returns the new moving average given the previous average,
-// a new value, and an alpha decay factor.
-// https://en.wikipedia.org/wiki/Moving_average#Exponential_moving_average
-func expMovingAverage(prev, newValue, alpha float64) float64 {
-	return alpha*newValue + (1-alpha)*prev
-}
-
-// recordQueueTime updates the average queue duration metric after a packet has been sent.
-func (c *sclient) recordQueueTime(enqueuedAt time.Time) {
-	elapsed := float64(time.Since(enqueuedAt).Milliseconds())
-	for {
-		old := atomic.LoadUint64(c.s.avgQueueDuration)
-		newAvg := expMovingAverage(math.Float64frombits(old), elapsed, 0.1)
-		if atomic.CompareAndSwapUint64(c.s.avgQueueDuration, old, math.Float64bits(newAvg)) {
-			break
-		}
-	}
-}
-
 func (c *sclient) sendLoop(ctx context.Context) error {
 	defer func() {
 		// If the sender shuts down unilaterally due to an error, close so
@@ -1030,7 +1002,6 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			continue
 		case msg := <-c.sendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
-			c.recordQueueTime(msg.enqueuedAt)
 			continue
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
@@ -1054,7 +1025,6 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			continue
 		case msg := <-c.sendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
-			c.recordQueueTime(msg.enqueuedAt)
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 		}
@@ -1320,9 +1290,6 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("multiforwarder_created", &s.multiForwarderCreated)
 	m.Set("multiforwarder_deleted", &s.multiForwarderDeleted)
 	m.Set("packet_forwarder_delete_other_value", &s.removePktForwardOther)
-	m.Set("average_queue_duration_ms", expvar.Func(func() interface{} {
-		return math.Float64frombits(atomic.LoadUint64(s.avgQueueDuration))
-	}))
 	var expvarVersion expvar.String
 	expvarVersion.Set(version.Long)
 	m.Set("version", &expvarVersion)

go.mod

@@ -3,47 +3,48 @@ module tailscale.com
 go 1.16
 
 require (
-	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
-	github.com/aws/aws-sdk-go v1.38.52
-	github.com/coreos/go-iptables v0.6.0
-	github.com/frankban/quicktest v1.13.0
-	github.com/gliderlabs/ssh v0.3.2
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
+	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
+	github.com/coreos/go-iptables v0.4.5
+	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
+	github.com/frankban/quicktest v1.12.1
+	github.com/github/certstore v0.1.0
+	github.com/gliderlabs/ssh v0.2.2
 	github.com/go-multierror/multierror v1.0.2
-	github.com/go-ole/go-ole v1.2.5
-	github.com/godbus/dbus/v5 v5.0.4
-	github.com/google/go-cmp v0.5.6
-	github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f
-	github.com/google/uuid v1.1.2
-	github.com/goreleaser/nfpm v1.10.3
-	github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190
+	github.com/go-ole/go-ole v1.2.4
+	github.com/godbus/dbus/v5 v5.0.3
+	github.com/google/go-cmp v0.5.5
+	github.com/goreleaser/nfpm v1.1.10
+	github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.12.2
+	github.com/klauspost/compress v1.10.10
 	github.com/kr/pty v1.1.8
-	github.com/mdlayher/netlink v1.4.1
-	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
-	github.com/miekg/dns v1.1.42
-	github.com/pborman/getopt v1.1.0
+	github.com/mdlayher/netlink v1.3.2
+	github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a
+	github.com/miekg/dns v1.1.30
+	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/pkg/sftp v1.13.0
-	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
+	github.com/tailscale/wireguard-go v0.0.0-20210510192616-d1aa5623121d
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
-	golang.org/x/net v0.0.0-20210610132358-84b48f89b13b
+	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
+	golang.org/x/net v0.0.0-20210510120150-4163338589ed
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210608053332-aa57babbf139
-	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
+	golang.org/x/sys v0.0.0-20210510120138-977fb7262007
+	golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
-	golang.org/x/tools v0.1.2
-	golang.zx2c4.com/wireguard v0.0.0-20210525143454-64cb82f2b3f5
-	golang.zx2c4.com/wireguard/windows v0.3.15-0.20210525143335-94c0476d63e3
-	honnef.co/go/tools v0.1.4
-	inet.af/netaddr v0.0.0-20210602152128-50f8686885e3
+	golang.org/x/tools v0.1.0
+	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
+	gopkg.in/yaml.v2 v2.2.8 // indirect
+	honnef.co/go/tools v0.1.0
+	inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841
 	inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22
-	inet.af/peercred v0.0.0-20210318190834-4259e17bb763
+	inet.af/peercred v0.0.0-20210302202138-56e694897155
 	inet.af/wf v0.0.0-20210516214145-a5343001b756
 	rsc.io/goversion v1.2.0
 )
+
+replace github.com/github/certstore => github.com/cyolosecurity/certstore v0.0.0-20200922073901-ece7f1d353c2

internal/deephash/deephash.go

@@ -9,28 +9,26 @@ package deephash
 import (
 	"bufio"
 	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
-	"hash"
 	"reflect"
-	"strconv"
-	"sync"
+
+	"inet.af/netaddr"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/wgkey"
 )
 
-func calcHash(v interface{}) string {
+func Hash(v ...interface{}) string {
 	h := sha256.New()
-	b := bufio.NewWriterSize(h, h.BlockSize())
-	scratch := make([]byte, 0, 128)
-	printTo(b, v, scratch)
+	// 64 matches the chunk size in crypto/sha256/sha256.go
+	b := bufio.NewWriterSize(h, 64)
+	Print(b, v)
 	b.Flush()
-	scratch = h.Sum(scratch[:0])
-	hex.Encode(scratch[:cap(scratch)], scratch[:sha256.Size])
-	return string(scratch[:sha256.Size*2])
+	return fmt.Sprintf("%x", h.Sum(nil))
 }
 
 // UpdateHash sets last to the hash of v and reports whether its value changed.
 func UpdateHash(last *string, v ...interface{}) (changed bool) {
-	sig := calcHash(v)
+	sig := Hash(v)
 	if *last != sig {
 		*last = sig
 		return true
@@ -38,30 +36,81 @@ func UpdateHash(last *string, v ...interface{}) (changed bool) {
 	return false
 }
 
-func printTo(w *bufio.Writer, v interface{}, scratch []byte) {
-	print(w, reflect.ValueOf(v), make(map[uintptr]bool), scratch)
+func Print(w *bufio.Writer, v ...interface{}) {
+	print(w, reflect.ValueOf(v), make(map[uintptr]bool))
 }
 
-var appenderToType = reflect.TypeOf((*appenderTo)(nil)).Elem()
+var (
+	netaddrIPType       = reflect.TypeOf(netaddr.IP{})
+	netaddrIPPrefix     = reflect.TypeOf(netaddr.IPPrefix{})
+	wgkeyKeyType        = reflect.TypeOf(wgkey.Key{})
+	wgkeyPrivateType    = reflect.TypeOf(wgkey.Private{})
+	tailcfgDiscoKeyType = reflect.TypeOf(tailcfg.DiscoKey{})
+)
 
-type appenderTo interface {
-	AppendTo([]byte) []byte
-}
-
-// print hashes v into w.
-// It reports whether it was able to do so without hitting a cycle.
-func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
+func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool) {
 	if !v.IsValid() {
-		return true
+		return
 	}
 
+	// Special case some common types.
 	if v.CanInterface() {
-		// Use AppendTo methods, if available and cheap.
-		if v.CanAddr() && v.Type().Implements(appenderToType) {
-			a := v.Addr().Interface().(appenderTo)
-			scratch = a.AppendTo(scratch[:0])
-			w.Write(scratch)
-			return true
+		switch v.Type() {
+		case netaddrIPType:
+			var b []byte
+			var err error
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*netaddr.IP)
+				b, err = x.MarshalText()
+			} else {
+				x := v.Interface().(netaddr.IP)
+				b, err = x.MarshalText()
+			}
+			if err == nil {
+				w.Write(b)
+				return
+			}
+		case netaddrIPPrefix:
+			var b []byte
+			var err error
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*netaddr.IPPrefix)
+				b, err = x.MarshalText()
+			} else {
+				x := v.Interface().(netaddr.IPPrefix)
+				b, err = x.MarshalText()
+			}
+			if err == nil {
+				w.Write(b)
+				return
+			}
+		case wgkeyKeyType:
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*wgkey.Key)
+				w.Write(x[:])
+			} else {
+				x := v.Interface().(wgkey.Key)
+				w.Write(x[:])
+			}
+			return
+		case wgkeyPrivateType:
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*wgkey.Private)
+				w.Write(x[:])
+			} else {
+				x := v.Interface().(wgkey.Private)
+				w.Write(x[:])
+			}
+			return
+		case tailcfgDiscoKeyType:
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*tailcfg.DiscoKey)
+				w.Write(x[:])
+			} else {
+				x := v.Interface().(tailcfg.DiscoKey)
+				w.Write(x[:])
+			}
+			return
 		}
 	}
 
@@ -72,45 +121,43 @@ func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch [
 	case reflect.Ptr:
 		ptr := v.Pointer()
 		if visited[ptr] {
-			return false
+			return
 		}
 		visited[ptr] = true
-		return print(w, v.Elem(), visited, scratch)
+		print(w, v.Elem(), visited)
+		return
 	case reflect.Struct:
-		acyclic = true
 		w.WriteString("struct{\n")
 		for i, n := 0, v.NumField(); i < n; i++ {
 			fmt.Fprintf(w, " [%d]: ", i)
-			if !print(w, v.Field(i), visited, scratch) {
-				acyclic = false
-			}
+			print(w, v.Field(i), visited)
 			w.WriteString("\n")
 		}
 		w.WriteString("}\n")
-		return acyclic
 	case reflect.Slice, reflect.Array:
 		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
 			fmt.Fprintf(w, "%q", v.Interface())
-			return true
+			return
 		}
 		fmt.Fprintf(w, "[%d]{\n", v.Len())
-		acyclic = true
 		for i, ln := 0, v.Len(); i < ln; i++ {
 			fmt.Fprintf(w, " [%d]: ", i)
-			if !print(w, v.Index(i), visited, scratch) {
-				acyclic = false
-			}
+			print(w, v.Index(i), visited)
 			w.WriteString("\n")
 		}
 		w.WriteString("}\n")
-		return acyclic
 	case reflect.Interface:
-		return print(w, v.Elem(), visited, scratch)
+		print(w, v.Elem(), visited)
 	case reflect.Map:
-		if hashMapAcyclic(w, v, visited, scratch) {
-			return true
+		sm := newSortedMap(v)
+		fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
+		for i, k := range sm.Key {
+			print(w, k, visited)
+			w.WriteString(": ")
+			print(w, sm.Value[i], visited)
+			w.WriteString("\n")
 		}
-		return hashMapFallback(w, v, visited, scratch)
+		w.WriteString("}\n")
 	case reflect.String:
 		w.WriteString(v.String())
 	case reflect.Bool:
@@ -118,109 +165,10 @@ func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch [
 	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
 		fmt.Fprintf(w, "%v", v.Int())
 	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		scratch = strconv.AppendUint(scratch[:0], v.Uint(), 10)
-		w.Write(scratch)
+		fmt.Fprintf(w, "%v", v.Uint())
 	case reflect.Float32, reflect.Float64:
 		fmt.Fprintf(w, "%v", v.Float())
 	case reflect.Complex64, reflect.Complex128:
 		fmt.Fprintf(w, "%v", v.Complex())
 	}
-	return true
-}
-
-type mapHasher struct {
-	xbuf [sha256.Size]byte // XOR'ed accumulated buffer
-	ebuf [sha256.Size]byte // scratch buffer
-	s256 hash.Hash         // sha256 hash.Hash
-	bw   *bufio.Writer     // to hasher into ebuf
-	val  valueCache        // re-usable values for map iteration
-	iter *reflect.MapIter  // re-usable map iterator
-}
-
-func (mh *mapHasher) Reset() {
-	for i := range mh.xbuf {
-		mh.xbuf[i] = 0
-	}
-}
-
-func (mh *mapHasher) startEntry() {
-	for i := range mh.ebuf {
-		mh.ebuf[i] = 0
-	}
-	mh.bw.Flush()
-	mh.s256.Reset()
-}
-
-func (mh *mapHasher) endEntry() {
-	mh.bw.Flush()
-	for i, b := range mh.s256.Sum(mh.ebuf[:0]) {
-		mh.xbuf[i] ^= b
-	}
-}
-
-var mapHasherPool = &sync.Pool{
-	New: func() interface{} {
-		mh := new(mapHasher)
-		mh.s256 = sha256.New()
-		mh.bw = bufio.NewWriter(mh.s256)
-		mh.val = make(valueCache)
-		mh.iter = new(reflect.MapIter)
-		return mh
-	},
-}
-
-type valueCache map[reflect.Type]reflect.Value
-
-func (c valueCache) get(t reflect.Type) reflect.Value {
-	v, ok := c[t]
-	if !ok {
-		v = reflect.New(t).Elem()
-		c[t] = v
-	}
-	return v
-}
-
-// hashMapAcyclic is the faster sort-free version of map hashing. If
-// it detects a cycle it returns false and guarantees that nothing was
-// written to w.
-func hashMapAcyclic(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
-	mh := mapHasherPool.Get().(*mapHasher)
-	defer mapHasherPool.Put(mh)
-	mh.Reset()
-	iter := mapIter(mh.iter, v)
-	defer mapIter(mh.iter, reflect.Value{}) // avoid pinning v from mh.iter when we return
-	k := mh.val.get(v.Type().Key())
-	e := mh.val.get(v.Type().Elem())
-	for iter.Next() {
-		key := iterKey(iter, k)
-		val := iterVal(iter, e)
-		mh.startEntry()
-		if !print(mh.bw, key, visited, scratch) {
-			return false
-		}
-		if !print(mh.bw, val, visited, scratch) {
-			return false
-		}
-		mh.endEntry()
-	}
-	w.Write(mh.xbuf[:])
-	return true
-}
-
-func hashMapFallback(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
-	acyclic = true
-	sm := newSortedMap(v)
-	fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
-	for i, k := range sm.Key {
-		if !print(w, k, visited, scratch) {
-			acyclic = false
-		}
-		w.WriteString(": ")
-		if !print(w, sm.Value[i], visited, scratch) {
-			acyclic = false
-		}
-		w.WriteString("\n")
-	}
-	w.WriteString("}\n")
-	return acyclic
 }

internal/deephash/deephash_test.go

@@ -5,10 +5,6 @@
 package deephash
 
 import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"reflect"
 	"testing"
 
 	"inet.af/netaddr"
@@ -18,15 +14,15 @@ import (
 	"tailscale.com/wgengine/wgcfg"
 )
 
-func TestDeepHash(t *testing.T) {
+func TestDeepPrint(t *testing.T) {
 	// v contains the types of values we care about for our current callers.
 	// Mostly we're just testing that we don't panic on handled types.
 	v := getVal()
 
-	hash1 := calcHash(v)
+	hash1 := Hash(v)
 	t.Logf("hash: %v", hash1)
 	for i := 0; i < 20; i++ {
-		hash2 := calcHash(getVal())
+		hash2 := Hash(getVal())
 		if hash1 != hash2 {
 			t.Error("second hash didn't match")
 		}
@@ -55,23 +51,14 @@ func getVal() []interface{} {
 		map[dnsname.FQDN][]netaddr.IP{
 			dnsname.FQDN("a."): {netaddr.MustParseIP("1.2.3.4"), netaddr.MustParseIP("4.3.2.1")},
 			dnsname.FQDN("b."): {netaddr.MustParseIP("8.8.8.8"), netaddr.MustParseIP("9.9.9.9")},
-			dnsname.FQDN("c."): {netaddr.MustParseIP("6.6.6.6"), netaddr.MustParseIP("7.7.7.7")},
-			dnsname.FQDN("d."): {netaddr.MustParseIP("6.7.6.6"), netaddr.MustParseIP("7.7.7.8")},
-			dnsname.FQDN("e."): {netaddr.MustParseIP("6.8.6.6"), netaddr.MustParseIP("7.7.7.9")},
-			dnsname.FQDN("f."): {netaddr.MustParseIP("6.9.6.6"), netaddr.MustParseIP("7.7.7.0")},
 		},
 		map[dnsname.FQDN][]netaddr.IPPort{
 			dnsname.FQDN("a."): {netaddr.MustParseIPPort("1.2.3.4:11"), netaddr.MustParseIPPort("4.3.2.1:22")},
 			dnsname.FQDN("b."): {netaddr.MustParseIPPort("8.8.8.8:11"), netaddr.MustParseIPPort("9.9.9.9:22")},
-			dnsname.FQDN("c."): {netaddr.MustParseIPPort("8.8.8.8:12"), netaddr.MustParseIPPort("9.9.9.9:23")},
-			dnsname.FQDN("d."): {netaddr.MustParseIPPort("8.8.8.8:13"), netaddr.MustParseIPPort("9.9.9.9:24")},
-			dnsname.FQDN("e."): {netaddr.MustParseIPPort("8.8.8.8:14"), netaddr.MustParseIPPort("9.9.9.9:25")},
 		},
 		map[tailcfg.DiscoKey]bool{
 			{1: 1}: true,
 			{1: 2}: false,
-			{2: 3}: true,
-			{3: 4}: false,
 		},
 	}
 }
@@ -80,57 +67,6 @@ func BenchmarkHash(b *testing.B) {
 	b.ReportAllocs()
 	v := getVal()
 	for i := 0; i < b.N; i++ {
-		calcHash(v)
-	}
-}
-
-func TestHashMapAcyclic(t *testing.T) {
-	m := map[int]string{}
-	for i := 0; i < 100; i++ {
-		m[i] = fmt.Sprint(i)
-	}
-	got := map[string]bool{}
-
-	var buf bytes.Buffer
-	bw := bufio.NewWriter(&buf)
-
-	for i := 0; i < 20; i++ {
-		visited := map[uintptr]bool{}
-		scratch := make([]byte, 0, 64)
-		v := reflect.ValueOf(m)
-		buf.Reset()
-		bw.Reset(&buf)
-		if !hashMapAcyclic(bw, v, visited, scratch) {
-			t.Fatal("returned false")
-		}
-		if got[string(buf.Bytes())] {
-			continue
-		}
-		got[string(buf.Bytes())] = true
-	}
-	if len(got) != 1 {
-		t.Errorf("got %d results; want 1", len(got))
-	}
-}
-
-func BenchmarkHashMapAcyclic(b *testing.B) {
-	b.ReportAllocs()
-	m := map[int]string{}
-	for i := 0; i < 100; i++ {
-		m[i] = fmt.Sprint(i)
-	}
-
-	var buf bytes.Buffer
-	bw := bufio.NewWriter(&buf)
-	visited := map[uintptr]bool{}
-	scratch := make([]byte, 0, 64)
-	v := reflect.ValueOf(m)
-
-	for i := 0; i < b.N; i++ {
-		buf.Reset()
-		bw.Reset(&buf)
-		if !hashMapAcyclic(bw, v, visited, scratch) {
-			b.Fatal("returned false")
-		}
+		Hash(v)
 	}
 }

internal/deephash/mapiter.go

@@ -1,37 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !tailscale_go
-
-package deephash
-
-import "reflect"
-
-// iterKey returns the current iter key.
-// scratch is a re-usable reflect.Value.
-// iterKey may store the iter key in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterKey(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
-	return iter.Key()
-}
-
-// iterVal returns the current iter val.
-// scratch is a re-usable reflect.Value.
-// iterVal may store the iter val in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterVal(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
-	return iter.Value()
-}
-
-// mapIter returns a map iterator for mapVal.
-// scratch is a re-usable reflect.MapIter.
-// mapIter may re-use scratch and return it,
-// or it may allocate and return a new *reflect.MapIter.
-// If mapVal is the zero reflect.Value, mapIter may return nil.
-func mapIter(_ *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
-	if !mapVal.IsValid() {
-		return nil
-	}
-	return mapVal.MapRange()
-}

internal/deephash/mapiter_future.go

@@ -1,42 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build tailscale_go
-
-package deephash
-
-import "reflect"
-
-// iterKey returns the current iter key.
-// scratch is a re-usable reflect.Value.
-// iterKey may store the iter key in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterKey(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
-	iter.SetKey(scratch)
-	return scratch
-}
-
-// iterVal returns the current iter val.
-// scratch is a re-usable reflect.Value.
-// iterVal may store the iter val in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterVal(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
-	iter.SetValue(scratch)
-	return scratch
-}
-
-// mapIter returns a map iterator for mapVal.
-// scratch is a re-usable reflect.MapIter.
-// mapIter may re-use scratch and return it,
-// or it may allocate and return a new *reflect.MapIter.
-// If mapVal is the zero reflect.Value, mapIter may return nil.
-func mapIter(scratch *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
-	scratch.Reset(mapVal) // always Reset, to allow the caller to avoid pinning memory
-	if !mapVal.IsValid() {
-		// Returning scratch would also be OK.
-		// Do this for consistency with the non-optimized version.
-		return nil
-	}
-	return scratch
-}

ipn/ipnlocal/local.go

@@ -44,13 +44,11 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
-	"tailscale.com/types/preftype"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -453,13 +451,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	// Lock b once and do only the things that require locking.
 	b.mu.Lock()
 
-	if st.LogoutFinished != nil {
-		// Since we're logged out now, our netmap cache is invalid.
-		// Since st.NetMap==nil means "netmap is unchanged", there is
-		// no other way to represent this change.
-		b.setNetMapLocked(nil)
-	}
-
 	prefs := b.prefs
 	stateKey := b.stateKey
 	netMap := b.netMap
@@ -657,12 +648,6 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
-// TODO(apenwarr): we shouldn't need this.
-//  The state machine is now nearly clean enough where it can accept a new
-//  connection while in any state, not just Running, and on any platform.
-//  We'd want to add a few more tests to state_test.go to ensure this continues
-//  to work as expected.
-//
 // b.mu must be held.
 func (b *LocalBackend) startIsNoopLocked(opts ipn.Options) bool {
 	// Options has 5 fields; check all of them:
@@ -716,7 +701,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		b.send(ipn.Notify{
 			State:         &state,
 			NetMap:        nm,
-			Prefs:         b.prefs,
 			LoginFinished: new(empty.Message),
 		})
 		return nil
@@ -929,8 +913,8 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 			}
 		}
 	}
-	localNets, _ := localNetsB.IPSet()
-	logNets, _ := logNetsB.IPSet()
+	localNets := localNetsB.IPSet()
+	logNets := logNetsB.IPSet()
 
 	changed := deephash.UpdateHash(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp)
 	if !changed {
@@ -987,8 +971,7 @@ func interfaceRoutes() (ips *netaddr.IPSet, hostIPs []netaddr.IP, err error) {
 		return nil, nil, err
 	}
 
-	ipSet, _ := b.IPSet()
-	return ipSet, hostIPs, nil
+	return b.IPSet(), hostIPs, nil
 }
 
 // shrinkDefaultRoute returns an IPSet representing the IPs in route,
@@ -1019,7 +1002,7 @@ func shrinkDefaultRoute(route netaddr.IPPrefix) (*netaddr.IPSet, error) {
 	for _, pfx := range removeFromDefaultRoute {
 		b.RemovePrefix(pfx)
 	}
-	return b.IPSet()
+	return b.IPSet(), nil
 }
 
 // dnsCIDRsEqual determines whether two CIDR lists are equal
@@ -1711,45 +1694,9 @@ func (b *LocalBackend) authReconfig() {
 
 	rcfg := b.routerConfig(cfg, uc)
 
-	dcfg := dns.Config{
-		Routes: map[dnsname.FQDN][]netaddr.IPPort{},
-		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-	}
-
-	// Populate MagicDNS records. We do this unconditionally so that
-	// quad-100 can always respond to MagicDNS queries, even if the OS
-	// isn't configured to make MagicDNS resolution truly
-	// magic. Details in
-	// https://github.com/tailscale/tailscale/issues/1886.
-	set := func(name string, addrs []netaddr.IPPrefix) {
-		if len(addrs) == 0 || name == "" {
-			return
-		}
-		fqdn, err := dnsname.ToFQDN(name)
-		if err != nil {
-			return // TODO: propagate error?
-		}
-		var ips []netaddr.IP
-		for _, addr := range addrs {
-			// Remove IPv6 addresses for now, as we don't
-			// guarantee that the peer node actually can speak
-			// IPv6 correctly.
-			//
-			// https://github.com/tailscale/tailscale/issues/1152
-			// tracks adding the right capability reporting to
-			// enable AAAA in MagicDNS.
-			if addr.IP().Is6() {
-				continue
-			}
-			ips = append(ips, addr.IP())
-		}
-		dcfg.Hosts[fqdn] = ips
-	}
-	set(nm.Name, nm.Addresses)
-	for _, peer := range nm.Peers {
-		set(peer.Name, peer.Addresses)
-	}
+	var dcfg dns.Config
 
+	// If CorpDNS is false, dcfg remains the zero value.
 	if uc.CorpDNS {
 		addDefault := func(resolvers []tailcfg.DNSResolver) {
 			for _, resolver := range resolvers {
@@ -1763,6 +1710,9 @@ func (b *LocalBackend) authReconfig() {
 		}
 
 		addDefault(nm.DNS.Resolvers)
+		if len(nm.DNS.Routes) > 0 {
+			dcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{}
+		}
 		for suffix, resolvers := range nm.DNS.Routes {
 			fqdn, err := dnsname.ToFQDN(suffix)
 			if err != nil {
@@ -1784,9 +1734,36 @@ func (b *LocalBackend) authReconfig() {
 			}
 			dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
 		}
+		set := func(name string, addrs []netaddr.IPPrefix) {
+			if len(addrs) == 0 || name == "" {
+				return
+			}
+			fqdn, err := dnsname.ToFQDN(name)
+			if err != nil {
+				return // TODO: propagate error?
+			}
+			var ips []netaddr.IP
+			for _, addr := range addrs {
+				// Remove IPv6 addresses for now, as we don't
+				// guarantee that the peer node actually can speak
+				// IPv6 correctly.
+				//
+				// https://github.com/tailscale/tailscale/issues/1152
+				// tracks adding the right capability reporting to
+				// enable AAAA in MagicDNS.
+				if addr.IP().Is6() {
+					continue
+				}
+				ips = append(ips, addr.IP())
+			}
+			dcfg.Hosts[fqdn] = ips
+		}
 		if nm.DNS.Proxied { // actually means "enable MagicDNS"
-			for _, dom := range magicDNSRootDomains(nm) {
-				dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
+			dcfg.AuthoritativeSuffixes = magicDNSRootDomains(nm)
+			dcfg.Hosts = map[dnsname.FQDN][]netaddr.IP{}
+			set(nm.Name, nm.Addresses)
+			for _, peer := range nm.Peers {
+				set(peer.Name, peer.Addresses)
 			}
 		}
 
@@ -1810,7 +1787,7 @@ func (b *LocalBackend) authReconfig() {
 			//
 			// https://github.com/tailscale/tailscale/issues/1713
 			addDefault(nm.DNS.FallbackResolvers)
-		case len(dcfg.Routes) == 0:
+		case len(dcfg.Routes) == 0 && len(dcfg.Hosts) == 0 && len(dcfg.AuthoritativeSuffixes) == 0:
 			// No settings requiring split DNS, no problem.
 		case version.OS() == "android":
 			// We don't support split DNS at all on Android yet.
@@ -1838,9 +1815,8 @@ func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
 // tailscaleVarRoot returns the root directory of Tailscale's writable
 // storage area. (e.g. "/var/lib/tailscale")
 func tailscaleVarRoot() string {
-	switch runtime.GOOS {
-	case "ios", "android":
-		dir, _ := paths.AppSharedDir.Load().(string)
+	if runtime.GOOS == "ios" {
+		dir, _ := paths.IOSSharedDir.Load().(string)
 		return dir
 	}
 	stateFile := paths.DefaultTailscaledStateFile()
@@ -1888,15 +1864,6 @@ func (b *LocalBackend) initPeerAPIListener() {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 
-	if b.netMap == nil {
-		// We're called from authReconfig which checks that
-		// netMap is non-nil, but if a concurrent Logout,
-		// ResetForClientDisconnect, or Start happens when its
-		// mutex was released, the netMap could be
-		// nil'ed out (Issue 1996). Bail out early here if so.
-		return
-	}
-
 	if len(b.netMap.Addresses) == len(b.peerAPIListeners) {
 		allSame := true
 		for i, pln := range b.peerAPIListeners {
@@ -1953,7 +1920,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 					// ("peerAPIListeners too low").
 					continue
 				}
-				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP(), err)
+				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP, err)
 				continue
 			}
 		}
@@ -2052,11 +2019,6 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		Routes:           peerRoutes(cfg.Peers, 10_000),
 	}
 
-	if distro.Get() == distro.Synology {
-		// Issue 1995: we don't use iptables on Synology.
-		rs.NetfilterMode = preftype.NetfilterOff
-	}
-
 	// Sanity check: we expect the control server to program both a v4
 	// and a v6 default route, if default routing is on. Fill in
 	// blackhole routes appropriately if we're missing some. This is
@@ -2350,6 +2312,7 @@ func (b *LocalBackend) LogoutSync(ctx context.Context) error {
 func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 	b.mu.Lock()
 	cc := b.cc
+	b.setNetMapLocked(nil)
 	b.mu.Unlock()
 
 	b.EditPrefs(&ipn.MaskedPrefs{
@@ -2376,6 +2339,10 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		cc.StartLogout()
 	}
 
+	b.mu.Lock()
+	b.setNetMapLocked(nil)
+	b.mu.Unlock()
+
 	b.stateMachine()
 	return err
 }
@@ -2577,42 +2544,6 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }
 
-// SetDNS adds a DNS record for the given domain name & TXT record
-// value.
-//
-// It's meant for use with dns-01 ACME (LetsEncrypt) challenges.
-//
-// This is the low-level interface. Other layers will provide more
-// friendly options to get HTTPS certs.
-func (b *LocalBackend) SetDNS(ctx context.Context, name, value string) error {
-	req := &tailcfg.SetDNSRequest{
-		Version: 1,
-		Type:    "TXT",
-		Name:    name,
-		Value:   value,
-	}
-
-	b.mu.Lock()
-	cc := b.cc
-	if prefs := b.prefs; prefs != nil {
-		req.NodeKey = tailcfg.NodeKey(prefs.Persist.PrivateNodeKey.Public())
-	}
-	b.mu.Unlock()
-	if cc == nil {
-		return errors.New("not connected")
-	}
-	if req.NodeKey.IsZero() {
-		return errors.New("no nodekey")
-	}
-	if name == "" {
-		return errors.New("missing 'name'")
-	}
-	if value == "" {
-		return errors.New("missing 'value'")
-	}
-	return cc.SetDNS(ctx, req)
-}
-
 func (b *LocalBackend) registerIncomingFile(inf *incomingFile, active bool) {
 	b.mu.Lock()
 	defer b.mu.Unlock()

ipn/ipnlocal/peerapi_macios_ext.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build darwin,ts_macext ios,ts_macext
+// +build darwin,redo ios,redo
 
 package ipnlocal
 

ipn/ipnlocal/state_test.go

@@ -140,8 +140,6 @@ func (cc *mockControl) send(err error, url string, loginFinished bool, nm *netma
 		}
 		if loginFinished {
 			s.LoginFinished = &empty.Message{}
-		} else if url == "" && err == nil && nm == nil {
-			s.LogoutFinished = &empty.Message{}
 		}
 		cc.statusFunc(s)
 	}
@@ -248,10 +246,6 @@ func (cc *mockControl) UpdateEndpoints(localPort uint16, endpoints []tailcfg.End
 	cc.called("UpdateEndpoints")
 }
 
-func (*mockControl) SetDNS(context.Context, *tailcfg.SetDNSRequest) error {
-	panic("unexpected SetDNS call")
-}
-
 // A very precise test of the sequence of function calls generated by
 // ipnlocal.Local into its controlclient instance, and the events it
 // produces upstream into the UI.
@@ -554,7 +548,10 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
 		c.Assert(nn[0].NetMap, qt.Not(qt.IsNil))
-		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		// BUG: Prefs should be sent too, or the UI could end up in
+		// a bad state. (iOS, the only current user of this feature,
+		// probably wouldn't notice because it happens to not display
+		// any prefs. Maybe exit nodes will look weird?)
 	}
 
 	// undo the state hack above.
@@ -566,25 +563,24 @@ func TestStateMachine(t *testing.T) {
 	b.Logout()
 	{
 		nn := notifies.drain(2)
-		c.Assert([]string{"pause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
+		// BUG: now is not the time to unpause.
+		c.Assert([]string{"unpause", "StartLogout"}, qt.DeepEquals, cc.getCalls())
 		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
+		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning, qt.IsFalse)
-		c.Assert(ipn.Stopped, qt.Equals, b.State())
+		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}
 
 	// Let's make the logout succeed.
 	t.Logf("\n\nLogout (async) - succeed")
-	notifies.expect(1)
+	notifies.expect(0)
 	cc.setAuthBlocked(true)
 	cc.send(nil, "", false, nil)
 	{
-		nn := notifies.drain(1)
-		c.Assert([]string{"unpause"}, qt.DeepEquals, cc.getCalls())
-		c.Assert(nn[0].State, qt.Not(qt.IsNil))
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
+		notifies.drain(0)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())

ipn/ipnserver/server.go

@@ -24,6 +24,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"
 
@@ -40,11 +41,9 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/groupmember"
 	"tailscale.com/util/pidowner"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 )
 
@@ -348,32 +347,51 @@ func isReadonlyConn(ci connIdentity, operatorUID string, logf logger.Logf) bool
 		logf("connection from userid %v; is configured operator", uid)
 		return rw
 	}
-	if yes, err := isLocalAdmin(uid); err != nil {
-		logf("connection from userid %v; read-only; %v", uid, err)
+	var adminGroupID string
+	switch runtime.GOOS {
+	case "darwin":
+		adminGroupID = darwinAdminGroupID()
+	default:
+		logf("connection from userid %v; read-only", uid)
 		return ro
-	} else if yes {
-		logf("connection from userid %v; is local admin, has access", uid)
-		return rw
+	}
+	if adminGroupID == "" {
+		logf("connection from userid %v; no system admin group found, read-only", uid)
+		return ro
+	}
+	u, err := user.LookupId(uid)
+	if err != nil {
+		logf("connection from userid %v; failed to look up user; read-only", uid)
+		return ro
+	}
+	gids, err := u.GroupIds()
+	if err != nil {
+		logf("connection from userid %v; failed to look up groups; read-only", uid)
+		return ro
+	}
+	for _, gid := range gids {
+		if gid == adminGroupID {
+			logf("connection from userid %v; is local admin, has access", uid)
+			return rw
+		}
 	}
 	logf("connection from userid %v; read-only", uid)
 	return ro
 }
 
-func isLocalAdmin(uid string) (bool, error) {
-	u, err := user.LookupId(uid)
+var darwinAdminGroupIDCache atomic.Value // of string
+
+func darwinAdminGroupID() string {
+	s, _ := darwinAdminGroupIDCache.Load().(string)
+	if s != "" {
+		return s
+	}
+	g, err := user.LookupGroup("admin")
 	if err != nil {
-		return false, err
+		return ""
 	}
-	var adminGroup string
-	switch {
-	case runtime.GOOS == "darwin":
-		adminGroup = "admin"
-	case distro.Get() == distro.QNAP:
-		adminGroup = "administrators"
-	default:
-		return false, fmt.Errorf("no system admin group found")
-	}
-	return groupmember.IsMemberOfGroup(adminGroup, u.Username)
+	darwinAdminGroupIDCache.Store(g.Gid)
+	return g.Gid
 }
 
 // inUseOtherUserError is the error type for when the server is in use

ipn/localapi/localapi.go

@@ -100,8 +100,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveBugReport(w, r)
 	case "/localapi/v0/file-targets":
 		h.serveFileTargets(w, r)
-	case "/localapi/v0/set-dns":
-		h.serveSetDNS(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -384,25 +382,6 @@ func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
 	rp.ServeHTTP(w, outReq)
 }
 
-func (h *Handler) serveSetDNS(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != "POST" {
-		http.Error(w, "want POST", 400)
-		return
-	}
-	ctx := r.Context()
-	err := h.b.SetDNS(ctx, r.FormValue("name"), r.FormValue("value"))
-	if err != nil {
-		writeErrorJSON(w, err)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(struct{}{})
-}
-
 var dialPeerTransportOnce struct {
 	sync.Once
 	v *http.Transport

ipn/message.go

@@ -104,9 +104,7 @@ func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(Notify)) *
 		b:             b,
 		sendNotifyMsg: sendNotifyMsg,
 	}
-	// b may be nil if the BackendServer is being created just to
-	// encapsulate and send an error message.
-	if sendNotifyMsg != nil && b != nil {
+	if sendNotifyMsg != nil {
 		b.SetNotifyCallback(bs.send)
 	}
 	return bs

ipn/message_test.go

@@ -187,17 +187,3 @@ func TestClientServer(t *testing.T) {
 	})
 	flushUntil(Running)
 }
-
-func TestNilBackend(t *testing.T) {
-	var called *Notify
-	bs := NewBackendServer(t.Logf, nil, func(n Notify) {
-		called = &n
-	})
-	bs.SendErrorMessage("Danger, Will Robinson!")
-	if called == nil {
-		t.Errorf("expect callback to be called, wasn't")
-	}
-	if called.ErrMessage == nil || *called.ErrMessage != "Danger, Will Robinson!" {
-		t.Errorf("callback got wrong error: %v", called.ErrMessage)
-	}
-}

logtail/logtail.go

@@ -15,7 +15,6 @@ import (
 	"net/http"
 	"os"
 	"strconv"
-	"sync/atomic"
 	"time"
 
 	"tailscale.com/logtail/backoff"
@@ -73,7 +72,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	}
 	l := &Logger{
 		stderr:         cfg.Stderr,
-		stderrLevel:    int64(cfg.StderrLevel),
+		stderrLevel:    cfg.StderrLevel,
 		httpc:          cfg.HTTPC,
 		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
@@ -104,7 +103,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 // logging facilities and uploading to a log server.
 type Logger struct {
 	stderr         io.Writer
-	stderrLevel    int64 // accessed atomically
+	stderrLevel    int
 	httpc          *http.Client
 	url            string
 	lowMem         bool
@@ -126,8 +125,10 @@ type Logger struct {
 // SetVerbosityLevel controls the verbosity level that should be
 // written to stderr. 0 is the default (not verbose). Levels 1 or higher
 // are increasingly verbose.
+//
+// It should not be changed concurrently with log writes.
 func (l *Logger) SetVerbosityLevel(level int) {
-	atomic.StoreInt64(&l.stderrLevel, int64(level))
+	l.stderrLevel = level
 }
 
 // SetLinkMonitor sets the optional the link monitor.
@@ -513,7 +514,7 @@ func (l *Logger) Write(buf []byte) (int, error) {
 		return 0, nil
 	}
 	level, buf := parseAndRemoveLogLevel(buf)
-	if l.stderr != nil && l.stderr != ioutil.Discard && int64(level) <= atomic.LoadInt64(&l.stderrLevel) {
+	if l.stderr != nil && l.stderr != ioutil.Discard && level <= l.stderrLevel {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {

net/dns/config.go

@@ -22,26 +22,27 @@ type Config struct {
 	// for queries that fall within that suffix.
 	// If a query doesn't match any entry in Routes, the
 	// DefaultResolvers are used.
-	// A Routes entry with no resolvers means the route should be
-	// authoritatively answered using the contents of Hosts.
 	Routes map[dnsname.FQDN][]netaddr.IPPort
 	// SearchDomains are DNS suffixes to try when expanding
 	// single-label queries.
 	SearchDomains []dnsname.FQDN
 	// Hosts maps DNS FQDNs to their IPs, which can be a mix of IPv4
 	// and IPv6.
-	// Queries matching entries in Hosts are resolved locally by
-	// 100.100.100.100 without leaving the machine.
-	// Adding an entry to Hosts merely creates the record. If you want
-	// it to resolve, you also need to add appropriate routes to
-	// Routes.
+	// Queries matching entries in Hosts are resolved locally without
+	// recursing off-machine.
 	Hosts map[dnsname.FQDN][]netaddr.IP
+	// AuthoritativeSuffixes is a list of fully-qualified DNS suffixes
+	// for which the in-process Tailscale resolver is authoritative.
+	// Queries for names within AuthoritativeSuffixes can only be
+	// fulfilled by entries in Hosts. Queries with no match in Hosts
+	// return NXDOMAIN.
+	AuthoritativeSuffixes []dnsname.FQDN
 }
 
 // needsAnyResolvers reports whether c requires a resolver to be set
 // at the OS level.
 func (c Config) needsOSResolver() bool {
-	return c.hasDefaultResolvers() || c.hasRoutes()
+	return c.hasDefaultResolvers() || c.hasRoutes() || c.hasHosts()
 }
 
 func (c Config) hasRoutes() bool {
@@ -51,7 +52,7 @@ func (c Config) hasRoutes() bool {
 // hasDefaultResolversOnly reports whether the only resolvers in c are
 // DefaultResolvers.
 func (c Config) hasDefaultResolversOnly() bool {
-	return c.hasDefaultResolvers() && !c.hasRoutes()
+	return c.hasDefaultResolvers() && !c.hasRoutes() && !c.hasHosts()
 }
 
 func (c Config) hasDefaultResolvers() bool {
@@ -62,28 +63,44 @@ func (c Config) hasDefaultResolvers() bool {
 // routes use the same resolvers, or nil if multiple sets of resolvers
 // are specified.
 func (c Config) singleResolverSet() []netaddr.IPPort {
-	var (
-		prev            []netaddr.IPPort
-		prevInitialized bool
-	)
+	var first []netaddr.IPPort
 	for _, resolvers := range c.Routes {
-		if !prevInitialized {
-			prev = resolvers
-			prevInitialized = true
+		if first == nil {
+			first = resolvers
 			continue
 		}
-		if !sameIPPorts(prev, resolvers) {
+		if !sameIPPorts(first, resolvers) {
 			return nil
 		}
 	}
-	return prev
+	return first
 }
 
-// matchDomains returns the list of match suffixes needed by Routes.
+// hasHosts reports whether c requires resolution of MagicDNS hosts or
+// domains.
+func (c Config) hasHosts() bool {
+	return len(c.Hosts) > 0 || len(c.AuthoritativeSuffixes) > 0
+}
+
+// matchDomains returns the list of match suffixes needed by Routes,
+// AuthoritativeSuffixes. Hosts is not considered as we assume that
+// they're covered by AuthoritativeSuffixes for now.
 func (c Config) matchDomains() []dnsname.FQDN {
-	ret := make([]dnsname.FQDN, 0, len(c.Routes))
-	for suffix := range c.Routes {
+	ret := make([]dnsname.FQDN, 0, len(c.Routes)+len(c.AuthoritativeSuffixes))
+	seen := map[dnsname.FQDN]bool{}
+	for _, suffix := range c.AuthoritativeSuffixes {
+		if seen[suffix] {
+			continue
+		}
 		ret = append(ret, suffix)
+		seen[suffix] = true
+	}
+	for suffix := range c.Routes {
+		if seen[suffix] {
+			continue
+		}
+		ret = append(ret, suffix)
+		seen[suffix] = true
 	}
 	sort.Slice(ret, func(i, j int) bool {
 		return ret[i].WithTrailingDot() < ret[j].WithTrailingDot()

net/dns/manager.go

@@ -6,6 +6,7 @@ package dns
 
 import (
 	"runtime"
+	"strings"
 	"time"
 
 	"inet.af/netaddr"
@@ -74,40 +75,40 @@ func (m *Manager) Set(cfg Config) error {
 
 // compileConfig converts cfg into a quad-100 resolver configuration
 // and an OS-level configuration.
-func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig, err error) {
-	// The internal resolver always gets MagicDNS hosts and
-	// authoritative suffixes, even if we don't propagate MagicDNS to
-	// the OS.
-	rcfg.Hosts = cfg.Hosts
-	routes := map[dnsname.FQDN][]netaddr.IPPort{} // assigned conditionally to rcfg.Routes below.
-	for suffix, resolvers := range cfg.Routes {
-		if len(resolvers) == 0 {
-			rcfg.LocalDomains = append(rcfg.LocalDomains, suffix)
-		} else {
-			routes[suffix] = resolvers
-		}
-	}
-	// Similarly, the OS always gets search paths.
-	ocfg.SearchDomains = cfg.SearchDomains
-
+func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// Deal with trivial configs first.
 	switch {
 	case !cfg.needsOSResolver():
 		// Set search domains, but nothing else. This also covers the
 		// case where cfg is entirely zero, in which case these
 		// configs clear all Tailscale DNS settings.
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolversOnly():
 		// Trivial CorpDNS configuration, just override the OS
 		// resolver.
-		ocfg.Nameservers = toIPsOnly(cfg.DefaultResolvers)
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.DefaultResolvers),
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolvers():
 		// Default resolvers plus other stuff always ends up proxying
 		// through quad-100.
-		rcfg.Routes = routes
-		rcfg.Routes["."] = cfg.DefaultResolvers
-		ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+		rcfg := resolver.Config{
+			Routes: map[dnsname.FQDN][]netaddr.IPPort{
+				".": cfg.DefaultResolvers,
+			},
+			Hosts:        cfg.Hosts,
+			LocalDomains: cfg.AuthoritativeSuffixes,
+		}
+		for suffix, resolvers := range cfg.Routes {
+			rcfg.Routes[suffix] = resolvers
+		}
+		ocfg := OSConfig{
+			Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+			SearchDomains: cfg.SearchDomains,
+		}
 		return rcfg, ocfg, nil
 	}
 
@@ -115,6 +116,8 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// configurations. The possible cases don't return directly any
 	// more, because as a final step we have to handle the case where
 	// the OS can't do split DNS.
+	var rcfg resolver.Config
+	var ocfg OSConfig
 
 	// Workaround for
 	// https://github.com/tailscale/corp/issues/1662. Even though
@@ -132,19 +135,35 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// This bool is used in a couple of places below to implement this
 	// workaround.
 	isWindows := runtime.GOOS == "windows"
-	if cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
+
+	// The windows check is for
+	// . See also below
+	// for further routing workarounds there.
+	if !cfg.hasHosts() && cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
 		// Split DNS configuration requested, where all split domains
 		// go to the same resolvers. We can let the OS do it.
-		ocfg.Nameservers = toIPsOnly(cfg.singleResolverSet())
-		ocfg.MatchDomains = cfg.matchDomains()
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.singleResolverSet()),
+			SearchDomains: cfg.SearchDomains,
+			MatchDomains:  cfg.matchDomains(),
+		}, nil
 	}
 
 	// Split DNS configuration with either multiple upstream routes,
 	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
 	// split-DNS. Install a split config pointing at quad-100.
-	rcfg.Routes = routes
-	ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+	rcfg = resolver.Config{
+		Hosts:        cfg.Hosts,
+		LocalDomains: cfg.AuthoritativeSuffixes,
+		Routes:       map[dnsname.FQDN][]netaddr.IPPort{},
+	}
+	for suffix, resolvers := range cfg.Routes {
+		rcfg.Routes[suffix] = resolvers
+	}
+	ocfg = OSConfig{
+		Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+		SearchDomains: cfg.SearchDomains,
+	}
 
 	// If the OS can't do native split-dns, read out the underlying
 	// resolver config and blend it into our config.
@@ -154,7 +173,28 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	if !m.os.SupportsSplitDNS() || isWindows {
 		bcfg, err := m.os.GetBaseConfig()
 		if err != nil {
-			return resolver.Config{}, OSConfig{}, err
+			// Temporary hack to make OSes where split-DNS isn't fully
+			// implemented yet not completely crap out, but instead
+			// fall back to quad-9 as a hardcoded "backup resolver".
+			//
+			// This codepath currently only triggers when opted into
+			// the split-DNS feature server side, and when at least
+			// one search domain is something within tailscale.com, so
+			// we don't accidentally leak unstable user DNS queries to
+			// quad-9 if we accidentally go down this codepath.
+			canUseHack := false
+			for _, dom := range cfg.SearchDomains {
+				if strings.HasSuffix(dom.WithoutTrailingDot(), ".tailscale.com") {
+					canUseHack = true
+					break
+				}
+			}
+			if !canUseHack {
+				return resolver.Config{}, OSConfig{}, err
+			}
+			bcfg = OSConfig{
+				Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
+			}
 		}
 		rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)

net/dns/manager_linux.go

@@ -5,6 +5,7 @@
 package dns
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
@@ -78,18 +79,6 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		// "unmanaged" interfaces - meaning NM 1.26.6 and later
 		// actively ignore DNS configuration we give it. So, for those
 		// NM versions, we can and must use resolved directly.
-		//
-		// In a perfect world, we'd avoid this by replacing
-		// configuration out from under NM entirely (e.g. using
-		// directManager to overwrite resolv.conf), but in a world
-		// where resolved runs, we need to get correct configuration
-		// into resolved regardless of what's in resolv.conf (because
-		// resolved can also be queried over dbus, or via an NSS
-		// module that bypasses /etc/resolv.conf). Given that we must
-		// get correct configuration into resolved, we have no choice
-		// but to use NM, and accept the loss of IPv6 configuration
-		// that comes with it (see
-		// https://github.com/tailscale/tailscale/issues/1699)
 		old, err := nmVersionOlderThan("1.26.6")
 		if err != nil {
 			// Failed to figure out NM's version, can't make a correct
@@ -104,6 +93,26 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		return newResolvedManager(logf, interfaceName)
 	case "resolvconf":
 		dbg("rc", "resolvconf")
+		if err := resolvconfSourceIsNM(bs); err == nil {
+			dbg("src-is-nm", "yes")
+			if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err == nil {
+				dbg("nm", "yes")
+				old, err := nmVersionOlderThan("1.26.6")
+				if err != nil {
+					return nil, fmt.Errorf("checking NetworkManager version: %v", err)
+				}
+				if old {
+					dbg("nm-old", "yes")
+					return newNMManager(interfaceName)
+				} else {
+					dbg("nm-old", "no")
+				}
+			} else {
+				dbg("nm", "no")
+			}
+		} else {
+			dbg("src-is-nm", "no")
+		}
 		if _, err := exec.LookPath("resolvconf"); err != nil {
 			dbg("resolvconf", "no")
 			return newDirectManager()
@@ -111,19 +120,21 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 		dbg("resolvconf", "yes")
 		return newResolvconfManager(logf)
 	case "NetworkManager":
-		// You'd think we would use newNMManager somewhere in
-		// here. However, as explained in
-		// https://github.com/tailscale/tailscale/issues/1699 , using
-		// NetworkManager for DNS configuration carries with it the
-		// cost of losing IPv6 configuration on the Tailscale network
-		// interface. So, when we can avoid it, we bypass
-		// NetworkManager by replacing resolv.conf directly.
-		//
-		// If you ever try to put NMManager back here, keep in mind
-		// that versions >=1.26.6 will ignore DNS configuration
-		// anyway, so you still need a fallback path that uses
-		// directManager.
 		dbg("rc", "nm")
+		if err := dbusPing("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager/DnsManager"); err != nil {
+			dbg("nm", "no")
+			return newDirectManager()
+		}
+		dbg("nm", "yes")
+		old, err := nmVersionOlderThan("1.26.6")
+		if err != nil {
+			return nil, fmt.Errorf("checking NetworkManager version: %v", err)
+		}
+		if old {
+			dbg("nm-old", "yes")
+			return newNMManager(interfaceName)
+		}
+		dbg("nm-old", "no")
 		return newDirectManager()
 	default:
 		dbg("rc", "unknown")
@@ -131,6 +142,45 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (ret OSConfigurat
 	}
 }
 
+func resolvconfSourceIsNM(resolvDotConf []byte) error {
+	b := bytes.NewBuffer(resolvDotConf)
+	cfg, err := readResolv(b)
+	if err != nil {
+		return fmt.Errorf("parsing /etc/resolv.conf: %w", err)
+	}
+
+	var (
+		paths = []string{
+			"/etc/resolvconf/run/interface/NetworkManager",
+			"/run/resolvconf/interface/NetworkManager",
+			"/var/run/resolvconf/interface/NetworkManager",
+			"/run/resolvconf/interfaces/NetworkManager",
+			"/var/run/resolvconf/interfaces/NetworkManager",
+		}
+		nmCfg OSConfig
+		found bool
+	)
+	for _, path := range paths {
+		nmCfg, err = readResolvFile(path)
+		if os.IsNotExist(err) {
+			continue
+		} else if err != nil {
+			return err
+		}
+		found = true
+		break
+	}
+	if !found {
+		return errors.New("NetworkManager resolvconf snippet not found")
+	}
+
+	if !nmCfg.Equal(cfg) {
+		return errors.New("NetworkManager config not applied by resolvconf")
+	}
+
+	return nil
+}
+
 func nmVersionOlderThan(want string) (bool, error) {
 	conn, err := dbus.SystemBus()
 	if err != nil {

net/dns/manager_test.go

@@ -76,20 +76,6 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 		},
-		{
-			// Regression test for https://github.com/tailscale/tailscale/issues/1886
-			name: "hosts-only",
-			in: Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-			rs: resolver.Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-		},
 		{
 			name: "corp",
 			in: Config{
@@ -118,10 +104,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			os: OSConfig{
 				Nameservers:   mustIPs("100.100.100.100"),
@@ -140,10 +126,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			split: true,
 			os: OSConfig{
@@ -275,8 +261,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -300,8 +286,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -319,11 +305,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53", "ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -346,13 +333,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic-split",
 			in: Config{
-				Routes: upstreams(
-					"corp.com", "2.2.2.2:53",
-					"ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -443,12 +429,7 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]netaddr.IPPort) {
 	var key dnsname.FQDN
 	ret = map[dnsname.FQDN][]netaddr.IPPort{}
 	for _, s := range strs {
-		if s == "" {
-			if key == "" {
-				panic("IPPort provided before suffix")
-			}
-			ret[key] = nil
-		} else if ipp, err := netaddr.ParseIPPort(s); err == nil {
+		if ipp, err := netaddr.ParseIPPort(s); err == nil {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}

net/dns/resolver/forwarder.go

@@ -14,7 +14,6 @@ import (
 	"math/rand"
 	"net"
 	"sync"
-	"syscall"
 	"time"
 
 	dns "golang.org/x/net/dns/dnsmessage"
@@ -194,14 +193,8 @@ func (f *forwarder) recv(conn *fwdConn) {
 			return
 		default:
 		}
-		// The 1 extra byte is to detect packet truncation.
-		out := make([]byte, maxResponseBytes+1)
+		out := make([]byte, maxResponseBytes)
 		n := conn.read(out)
-		var truncated bool
-		if n > maxResponseBytes {
-			n = maxResponseBytes
-			truncated = true
-		}
 		if n == 0 {
 			continue
 		}
@@ -212,19 +205,6 @@ func (f *forwarder) recv(conn *fwdConn) {
 		out = out[:n]
 		txid := getTxID(out)
 
-		if truncated {
-			const dnsFlagTruncated = 0x200
-			flags := binary.BigEndian.Uint16(out[2:4])
-			flags |= dnsFlagTruncated
-			binary.BigEndian.PutUint16(out[2:4], flags)
-
-			// TODO(#2067): Remove any incomplete records? RFC 1035 section 6.2
-			// states that truncation should head drop so that the authority
-			// section can be preserved if possible. However, the UDP read with
-			// a too-small buffer has already dropped the end, so that's the
-			// best we can do.
-		}
-
 		f.mu.Lock()
 
 		record, found := f.txMap[txid]
@@ -306,8 +286,6 @@ func (f *forwarder) forward(query packet) error {
 	}
 	f.mu.Unlock()
 
-	// TODO(#2066): EDNS size clamping
-
 	for _, resolver := range resolvers {
 		f.send(query.bs, resolver)
 	}
@@ -393,12 +371,6 @@ func (c *fwdConn) send(packet []byte, dst netaddr.IPPort) {
 			backOff(err)
 			continue
 		}
-		if errors.Is(err, syscall.EHOSTUNREACH) {
-			// "No route to host." The network stack is fine, but
-			// can't talk to this destination. Not much we can do
-			// about that, don't spam logs.
-			return
-		}
 		if networkIsDown(err) {
 			// Fail.
 			c.logf("send: network is down")
@@ -450,7 +422,7 @@ func (c *fwdConn) read(out []byte) int {
 		c.mu.Unlock()
 
 		n, _, err := conn.ReadFrom(out)
-		if err == nil || packetWasTruncated(err) {
+		if err == nil {
 			// Success.
 			return n
 		}

net/dns/resolver/neterr_darwin.go

@@ -23,8 +23,3 @@ func networkIsDown(err error) bool {
 func networkIsUnreachable(err error) bool {
 	return errors.Is(err, networkUnreachable)
 }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool { return false }

net/dns/resolver/neterr_other.go

@@ -8,8 +8,3 @@ package resolver
 
 func networkIsDown(err error) bool        { return false }
 func networkIsUnreachable(err error) bool { return false }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool { return false }

net/dns/resolver/neterr_windows.go

@@ -5,7 +5,6 @@
 package resolver
 
 import (
-	"errors"
 	"net"
 	"os"
 
@@ -28,16 +27,3 @@ func networkIsUnreachable(err error) bool {
 	// difference between down and unreachable? Add comments.
 	return false
 }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. On Windows, Go's UDP RecvFrom
-// calls WSARecvFrom which returns the WSAEMSGSIZE error code when the received
-// datagram is larger than the provided buffer. When that happens, both a valid
-// size and an error are returned (as per the partial fix for golang/go#14074).
-// If the WSAEMSGSIZE error is returned, then we ignore the error to get
-// semantics similar to the POSIX operating systems. One caveat is that it
-// appears that the source address is not returned when WSAEMSGSIZE occurs, but
-// we do not currently look at the source address.
-func packetWasTruncated(err error) bool {
-	return errors.Is(err, windows.WSAEMSGSIZE)
-}

net/dns/resolver/tsdns.go

@@ -22,10 +22,8 @@ import (
 	"tailscale.com/wgengine/monitor"
 )
 
-// maxResponseBytes is the maximum size of a response from a Resolver. The
-// actual buffer size will be one larger than this so that we can detect
-// truncation in a platform-agnostic way.
-const maxResponseBytes = 4095
+// maxResponseBytes is the maximum size of a response from a Resolver.
+const maxResponseBytes = 512
 
 // queueSize is the maximal number of DNS requests that can await polling.
 // If EnqueueRequest is called when this many requests are already pending,

net/dns/resolver/tsdns_server_test.go

@@ -66,39 +66,6 @@ func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	}
 }
 
-// resolveToTXT returns a handler function which responds to queries of type TXT
-// it receives with the strings in txts.
-func resolveToTXT(txts []string) dns.HandlerFunc {
-	return func(w dns.ResponseWriter, req *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(req)
-
-		if len(req.Question) != 1 {
-			panic("not a single-question request")
-		}
-		question := req.Question[0]
-
-		if question.Qtype != dns.TypeTXT {
-			w.WriteMsg(m)
-			return
-		}
-
-		ans := &dns.TXT{
-			Hdr: dns.RR_Header{
-				Name:   question.Name,
-				Rrtype: dns.TypeTXT,
-				Class:  dns.ClassINET,
-			},
-			Txt: txts,
-		}
-
-		m.Answer = append(m.Answer, ans)
-		if err := w.WriteMsg(m); err != nil {
-			panic(err)
-		}
-	}
-}
-
 var resolveToNXDOMAIN = dns.HandlerFunc(func(w dns.ResponseWriter, req *dns.Msg) {
 	m := new(dns.Msg)
 	m.SetRcode(req, dns.RcodeNameError)

net/dns/resolver/tsdns_test.go

@@ -6,9 +6,7 @@ package resolver
 
 import (
 	"bytes"
-	"encoding/hex"
 	"errors"
-	"math/rand"
 	"net"
 	"testing"
 
@@ -46,11 +44,9 @@ func dnspacket(domain dnsname.FQDN, tp dns.Type) []byte {
 }
 
 type dnsResponse struct {
-	ip        netaddr.IP
-	txt       []string
-	name      dnsname.FQDN
-	rcode     dns.RCode
-	truncated bool
+	ip    netaddr.IP
+	name  dnsname.FQDN
+	rcode dns.RCode
 }
 
 func unpackResponse(payload []byte) (dnsResponse, error) {
@@ -71,16 +67,6 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 		return response, nil
 	}
 
-	response.truncated = h.Truncated
-	if response.truncated {
-		// TODO(#2067): Ideally, answer processing should still succeed when
-		// dealing with a truncated message, but currently when we truncate
-		// a packet, it's caused by the buffer being too small and usually that
-		// means the data runs out mid-record. dns.Parser does not like it when
-		// that happens. We can improve this by trimming off incomplete records.
-		return response, nil
-	}
-
 	err = parser.SkipAllQuestions()
 	if err != nil {
 		return response, err
@@ -104,12 +90,6 @@ func unpackResponse(payload []byte) (dnsResponse, error) {
 			return response, err
 		}
 		response.ip = netaddr.IPv6Raw(res.AAAA)
-	case dns.TypeTXT:
-		res, err := parser.TXTResource()
-		if err != nil {
-			return response, err
-		}
-		response.txt = res.TXT
 	case dns.TypeNS:
 		res, err := parser.NSResource()
 		if err != nil {
@@ -289,32 +269,6 @@ func ipv6Works() bool {
 	return true
 }
 
-func generateTXT(size int, source rand.Source) []string {
-	const sizePerTXT = 120
-
-	if size%2 != 0 {
-		panic("even lengths only")
-	}
-
-	rng := rand.New(source)
-
-	txts := make([]string, 0, size/sizePerTXT+1)
-
-	raw := make([]byte, sizePerTXT/2)
-
-	rem := size
-	for ; rem > sizePerTXT; rem -= sizePerTXT {
-		rng.Read(raw)
-		txts = append(txts, hex.EncodeToString(raw))
-	}
-	if rem > 0 {
-		rng.Read(raw[:rem/2])
-		txts = append(txts, hex.EncodeToString(raw[:rem/2]))
-	}
-
-	return txts
-}
-
 func TestDelegate(t *testing.T) {
 	tstest.ResourceCheck(t)
 
@@ -322,43 +276,13 @@ func TestDelegate(t *testing.T) {
 		t.Skip("skipping test that requires localhost IPv6")
 	}
 
-	randSource := rand.NewSource(4)
-
-	// smallTXT does not require EDNS
-	smallTXT := generateTXT(300, randSource)
-
-	// medTXT and largeTXT are responses that require EDNS but we would like to
-	// support these sizes of response without truncation because they are
-	// moderately common.
-	medTXT := generateTXT(1200, randSource)
-	largeTXT := generateTXT(4000, randSource)
-
-	// xlargeTXT is slightly above the maximum response size that we support,
-	// so there should be truncation.
-	xlargeTXT := generateTXT(5000, randSource)
-
-	// hugeTXT is significantly larger than any typical MTU and will require
-	// significant fragmentation. For buffer management reasons, we do not
-	// intend to handle responses this large, so there should be truncation.
-	hugeTXT := generateTXT(64000, randSource)
-
 	v4server := serveDNS(t, "127.0.0.1:0",
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN,
-		"small.txt.", resolveToTXT(smallTXT),
-		"med.txt.", resolveToTXT(medTXT),
-		"large.txt.", resolveToTXT(largeTXT),
-		"xlarge.txt.", resolveToTXT(xlargeTXT),
-		"huge.txt.", resolveToTXT(hugeTXT))
+		"nxdomain.site.", resolveToNXDOMAIN)
 	defer v4server.Shutdown()
 	v6server := serveDNS(t, "[::1]:0",
 		"test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."),
-		"nxdomain.site.", resolveToNXDOMAIN,
-		"small.txt.", resolveToTXT(smallTXT),
-		"med.txt.", resolveToTXT(medTXT),
-		"large.txt.", resolveToTXT(largeTXT),
-		"xlarge.txt.", resolveToTXT(xlargeTXT),
-		"huge.txt.", resolveToTXT(hugeTXT))
+		"nxdomain.site.", resolveToNXDOMAIN)
 	defer v6server.Shutdown()
 
 	r := New(t.Logf, nil)
@@ -398,31 +322,6 @@ func TestDelegate(t *testing.T) {
 			dnspacket("nxdomain.site.", dns.TypeA),
 			dnsResponse{rcode: dns.RCodeNameError},
 		},
-		{
-			"smalltxt",
-			dnspacket("small.txt.", dns.TypeTXT),
-			dnsResponse{txt: smallTXT, rcode: dns.RCodeSuccess},
-		},
-		{
-			"medtxt",
-			dnspacket("med.txt.", dns.TypeTXT),
-			dnsResponse{txt: medTXT, rcode: dns.RCodeSuccess},
-		},
-		{
-			"largetxt",
-			dnspacket("large.txt.", dns.TypeTXT),
-			dnsResponse{txt: largeTXT, rcode: dns.RCodeSuccess},
-		},
-		{
-			"xlargetxt",
-			dnspacket("xlarge.txt.", dns.TypeTXT),
-			dnsResponse{rcode: dns.RCodeSuccess, truncated: true},
-		},
-		{
-			"hugetxt",
-			dnspacket("huge.txt.", dns.TypeTXT),
-			dnsResponse{rcode: dns.RCodeSuccess, truncated: true},
-		},
 	}
 
 	for _, tt := range tests {
@@ -446,15 +345,6 @@ func TestDelegate(t *testing.T) {
 			if response.name != tt.response.name {
 				t.Errorf("name = %v; want %v", response.name, tt.response.name)
 			}
-			if len(response.txt) != len(tt.response.txt) {
-				t.Errorf("%v txt records, want %v txt records", len(response.txt), len(tt.response.txt))
-			} else {
-				for i := range response.txt {
-					if response.txt[i] != tt.response.txt[i] {
-						t.Errorf("txt record %v is %s, want %s", i, response.txt[i], tt.response.txt[i])
-					}
-				}
-			}
 		})
 	}
 }

net/interfaces/interfaces_default_route_test.go

@@ -2,11 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build linux darwin,!ts_macext
+// +build linux,!redo
 
 package interfaces
 
 import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"
 )
 
@@ -19,3 +23,64 @@ func TestDefaultRouteInterface(t *testing.T) {
 	}
 	t.Logf("got %q", v)
 }
+
+// test the specific /proc/net/route path as found on Google Cloud Run instances
+func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "CloudRun")
+	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
+		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
+		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
+	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "eth1" {
+		t.Fatalf("got %s, want eth1", got)
+	}
+}
+
+// we read chunks of /proc/net/route at a time, test that files longer than the chunk
+// size can be handled.
+func TestExtremelyLongProcNetRoute(t *testing.T) {
+	dir := t.TempDir()
+	savedProcNetRoutePath := procNetRoutePath
+	defer func() { procNetRoutePath = savedProcNetRoutePath }()
+	procNetRoutePath = filepath.Join(dir, "VeryLong")
+	f, err := os.Create(procNetRoutePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for n := 0; n <= 1000; n++ {
+		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
+		_, err := f.Write([]byte(line))
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	got, err := DefaultRouteInterface()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if got != "tokenring1" {
+		t.Fatalf("got %q, want tokenring1", got)
+	}
+}

net/interfaces/interfaces_linux_test.go

@@ -4,74 +4,7 @@
 
 package interfaces
 
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// test the specific /proc/net/route path as found on Google Cloud Run instances
-func TestGoogleCloudRunDefaultRouteInterface(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "CloudRun")
-	buf := []byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n" +
-		"eth0\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n" +
-		"eth1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
-	err := ioutil.WriteFile(procNetRoutePath, buf, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "eth1" {
-		t.Fatalf("got %s, want eth1", got)
-	}
-}
-
-// we read chunks of /proc/net/route at a time, test that files longer than the chunk
-// size can be handled.
-func TestExtremelyLongProcNetRoute(t *testing.T) {
-	dir := t.TempDir()
-	savedProcNetRoutePath := procNetRoutePath
-	defer func() { procNetRoutePath = savedProcNetRoutePath }()
-	procNetRoutePath = filepath.Join(dir, "VeryLong")
-	f, err := os.Create(procNetRoutePath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = f.Write([]byte("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	for n := 0; n <= 1000; n++ {
-		line := fmt.Sprintf("eth%d\t8008FEA9\t00000000\t0001\t0\t0\t0\t01FFFFFF\t0\t0\t0\n", n)
-		_, err := f.Write([]byte(line))
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-	_, err = f.Write([]byte("tokenring1\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	got, err := DefaultRouteInterface()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if got != "tokenring1" {
-		t.Fatalf("got %q, want tokenring1", got)
-	}
-}
+import "testing"
 
 func BenchmarkDefaultRouteInterface(b *testing.B) {
 	b.ReportAllocs()

net/netns/netns_darwin_tailscaled.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build darwin,!ts_macext
+// +build darwin,!redo
 
 package netns
 

net/netns/netns_default.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !linux,!windows,!darwin darwin,ts_macext
+// +build !linux,!windows,!darwin darwin,redo
 
 package netns
 

net/packet/packet.go

@@ -12,6 +12,7 @@ import (
 
 	"inet.af/netaddr"
 	"tailscale.com/types/ipproto"
+	"tailscale.com/types/strbuilder"
 )
 
 const unknown = ipproto.Unknown
@@ -61,17 +62,36 @@ func (p *Parsed) String() string {
 		return "Unknown{???}"
 	}
 
-	// max is the maximum reasonable length of the string we are constructing.
-	// It's OK to overshoot, as the temp buffer is allocated on the stack.
-	const max = len("ICMPv6{[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535 > [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535}")
-	b := make([]byte, 0, max)
-	b = append(b, p.IPProto.String()...)
-	b = append(b, '{')
-	b = p.Src.AppendTo(b)
-	b = append(b, ' ', '>', ' ')
-	b = p.Dst.AppendTo(b)
-	b = append(b, '}')
-	return string(b)
+	sb := strbuilder.Get()
+	sb.WriteString(p.IPProto.String())
+	sb.WriteByte('{')
+	writeIPPort(sb, p.Src)
+	sb.WriteString(" > ")
+	writeIPPort(sb, p.Dst)
+	sb.WriteByte('}')
+	return sb.String()
+}
+
+// writeIPPort writes ipp.String() into sb, with fewer allocations.
+//
+// TODO: make netaddr more efficient in this area, and retire this func.
+func writeIPPort(sb *strbuilder.Builder, ipp netaddr.IPPort) {
+	if ipp.IP().Is4() {
+		raw := ipp.IP().As4()
+		sb.WriteUint(uint64(raw[0]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[1]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[2]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[3]))
+		sb.WriteByte(':')
+	} else {
+		sb.WriteByte('[')
+		sb.WriteString(ipp.IP().String()) // TODO: faster?
+		sb.WriteString("]:")
+	}
+	sb.WriteUint(uint64(ipp.Port()))
 }
 
 // Decode extracts data from the packet in b into q.

net/packet/packet_test.go

@@ -378,9 +378,11 @@ func TestParsedString(t *testing.T) {
 		})
 	}
 
+	var sink string
 	allocs := testing.AllocsPerRun(1000, func() {
-		sinkString = tests[0].qdecode.String()
+		sink = tests[0].qdecode.String()
 	})
+	_ = sink
 	if allocs != 1 {
 		t.Errorf("allocs = %v; want 1", allocs)
 	}
@@ -530,33 +532,3 @@ func TestMarshalResponse(t *testing.T) {
 		})
 	}
 }
-
-var sinkString string
-
-func BenchmarkString(b *testing.B) {
-	benches := []struct {
-		name string
-		buf  []byte
-	}{
-		{"tcp4", tcp4PacketBuffer},
-		{"tcp6", tcp6RequestBuffer},
-		{"udp4", udp4RequestBuffer},
-		{"udp6", udp6RequestBuffer},
-		{"icmp4", icmp4RequestBuffer},
-		{"icmp6", icmp6PacketBuffer},
-		{"igmp", igmpPacketBuffer},
-		{"unknown", unknownPacketBuffer},
-	}
-
-	for _, bench := range benches {
-		b.Run(bench.name, func(b *testing.B) {
-			b.ReportAllocs()
-			var p Parsed
-			p.Decode(bench.buf)
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				sinkString = p.String()
-			}
-		})
-	}
-}

net/portmapper/portmapper.go

@@ -17,6 +17,7 @@ import (
 	"sync"
 	"time"
 
+	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netns"
@@ -56,31 +57,18 @@ type Client struct {
 	pmpPubIPTime time.Time  // time pmpPubIP last verified
 	pmpLastEpoch uint32
 
-	localPort uint16
+	pcpSawTime  time.Time // time we last saw PCP was available
+	uPnPSawTime time.Time // time we last saw UPnP was available
 
-	mapping // non-nil if we have a mapping
-
-	// Prober is this portmappers stateful mechanism for detecting when portmapping services are
-	// available on the current network. It is exposed so that clients can pause or stop probing.
-	// In order to create a prober, either call `Probe()` or `NewProber()`, which will populate
-	// this field.
-	*Prober
-}
-
-// Mapping represents a created port-mapping over some protocol.  It specifies a lease duration,
-// how to release the mapping, and whether the map is still valid.
-type mapping interface {
-	isCurrent() bool
-	release()
-	validUntil() time.Time
-	externalIPPort() netaddr.IPPort
+	localPort  uint16
+	pmpMapping *pmpMapping // non-nil if we have a PMP mapping
 }
 
 // HaveMapping reports whether we have a current valid mapping.
 func (c *Client) HaveMapping() bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	return c.mapping != nil && c.mapping.isCurrent()
+	return c.pmpMapping != nil && c.pmpMapping.useUntil.After(time.Now())
 }
 
 // pmpMapping is an already-created PMP mapping.
@@ -99,10 +87,6 @@ func (m *pmpMapping) externalValid() bool {
 	return !m.external.IP().IsZero() && m.external.Port() != 0
 }
 
-func (p *pmpMapping) isCurrent() bool                { return p.useUntil.After(time.Now()) }
-func (p *pmpMapping) validUntil() time.Time          { return p.useUntil }
-func (p *pmpMapping) externalIPPort() netaddr.IPPort { return p.external }
-
 // release does a best effort fire-and-forget release of the PMP mapping m.
 func (m *pmpMapping) release() {
 	uc, err := netns.Listener().ListenPacket(context.Background(), "udp4", ":0")
@@ -135,8 +119,8 @@ func (c *Client) SetGatewayLookupFunc(f func() (gw, myIP netaddr.IP, ok bool)) {
 // comes back.
 func (c *Client) NoteNetworkDown() {
 	c.mu.Lock()
+	defer c.mu.Unlock()
 	c.invalidateMappingsLocked(false)
-	c.mu.Unlock()
 }
 
 func (c *Client) Close() error {
@@ -170,6 +154,7 @@ func (c *Client) gatewayAndSelfIP() (gw, myIP netaddr.IP, ok bool) {
 		gw = netaddr.IP{}
 		myIP = netaddr.IP{}
 	}
+
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
@@ -182,14 +167,16 @@ func (c *Client) gatewayAndSelfIP() (gw, myIP netaddr.IP, ok bool) {
 }
 
 func (c *Client) invalidateMappingsLocked(releaseOld bool) {
-	if c.mapping != nil {
+	if c.pmpMapping != nil {
 		if releaseOld {
-			c.mapping.release()
+			c.pmpMapping.release()
 		}
-		c.mapping = nil
+		c.pmpMapping = nil
 	}
 	c.pmpPubIP = netaddr.IP{}
 	c.pmpPubIPTime = time.Time{}
+	c.pcpSawTime = time.Time{}
+	c.uPnPSawTime = time.Time{}
 }
 
 func (c *Client) sawPMPRecently() bool {
@@ -203,19 +190,15 @@ func (c *Client) sawPMPRecentlyLocked() bool {
 }
 
 func (c *Client) sawPCPRecently() bool {
-	if c.Prober == nil {
-		return false
-	}
-	present, _ := c.Prober.PCP.PresentCurrent()
-	return present
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.pcpSawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
 }
 
 func (c *Client) sawUPnPRecently() bool {
-	if c.Prober == nil {
-		return false
-	}
-	present, _ := c.Prober.UPnP.PresentCurrent()
-	return present
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.uPnPSawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
 }
 
 // closeCloserOnContextDone starts a new goroutine to call c.Close
@@ -258,11 +241,6 @@ var (
 	ErrGatewayNotFound       = errors.New("failed to look up gateway address")
 )
 
-// Probe starts a periodic probe and blocks until the first result of probing.
-func (c *Client) Probe(ctx context.Context) (ProbeResult, error) {
-	return c.NewProber(ctx).StatusBlock()
-}
-
 // CreateOrGetMapping either creates a new mapping or returns a cached
 // valid one.
 //
@@ -276,10 +254,9 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 
 	c.mu.Lock()
 	localPort := c.localPort
-	internalAddr := netaddr.IPPortFrom(myIP, localPort)
 	m := &pmpMapping{
 		gw:       gw,
-		internal: internalAddr,
+		internal: netaddr.IPPortFrom(myIP, localPort),
 	}
 
 	// prevPort is the port we had most previously, if any. We try
@@ -288,13 +265,13 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 
 	// Do we have an existing mapping that's valid?
 	now := time.Now()
-	if m := c.mapping; m != nil {
-		if now.Before(m.validUntil()) {
+	if m := c.pmpMapping; m != nil {
+		if now.Before(m.useUntil) {
 			defer c.mu.Unlock()
-			return m.externalIPPort(), nil
+			return m.external, nil
 		}
 		// The mapping might still be valid, so just try to renew it.
-		prevPort = m.externalIPPort().Port()
+		prevPort = m.external.Port()
 	}
 
 	// If we just did a Probe (e.g. via netchecker) but didn't
@@ -304,11 +281,11 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 	if haveRecentPMP {
 		m.external = m.external.WithIP(c.pmpPubIP)
 	}
-
 	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentPMP {
 		c.mu.Unlock()
 		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
 	}
+
 	c.mu.Unlock()
 
 	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
@@ -343,8 +320,7 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 			if ctx.Err() == context.Canceled {
 				return netaddr.IPPort{}, err
 			}
-			// switch to trying UPnP
-			break
+			return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
 		}
 		srcu := srci.(*net.UDPAddr)
 		src, ok := netaddr.FromStdAddr(srcu.IP, srcu.Port, srcu.Zone)
@@ -375,12 +351,10 @@ func (c *Client) CreateOrGetMapping(ctx context.Context) (external netaddr.IPPor
 		if m.externalValid() {
 			c.mu.Lock()
 			defer c.mu.Unlock()
-			c.mapping = m
+			c.pmpMapping = m
 			return m.external, nil
 		}
 	}
-
-	return c.getUPnPPortMapping(ctx, gw, internalAddr, prevPort)
 }
 
 type pmpResultCode uint16
@@ -465,6 +439,121 @@ type ProbeResult struct {
 	UPnP bool
 }
 
+// Probe returns a summary of which port mapping services are
+// available on the network.
+//
+// If a probe has run recently and there haven't been any network changes since,
+// the returned result might be server from the Client's cache, without
+// sending any network traffic.
+func (c *Client) Probe(ctx context.Context) (res ProbeResult, err error) {
+	gw, myIP, ok := c.gatewayAndSelfIP()
+	if !ok {
+		return res, ErrGatewayNotFound
+	}
+	defer func() {
+		if err == nil {
+			c.mu.Lock()
+			defer c.mu.Unlock()
+			c.lastProbe = time.Now()
+		}
+	}()
+
+	uc, err := netns.Listener().ListenPacket(context.Background(), "udp4", ":0")
+	if err != nil {
+		c.logf("ProbePCP: %v", err)
+		return res, err
+	}
+	defer uc.Close()
+	ctx, cancel := context.WithTimeout(ctx, 250*time.Millisecond)
+	defer cancel()
+	defer closeCloserOnContextDone(ctx, uc)()
+
+	pcpAddr := netaddr.IPPortFrom(gw, pcpPort).UDPAddr()
+	pmpAddr := netaddr.IPPortFrom(gw, pmpPort).UDPAddr()
+	upnpAddr := netaddr.IPPortFrom(gw, upnpPort).UDPAddr()
+
+	// Don't send probes to services that we recently learned (for
+	// the same gw/myIP) are available. See
+	// https://github.com/tailscale/tailscale/issues/1001
+	if c.sawPMPRecently() {
+		res.PMP = true
+	} else {
+		uc.WriteTo(pmpReqExternalAddrPacket, pmpAddr)
+	}
+	if c.sawPCPRecently() {
+		res.PCP = true
+	} else {
+		uc.WriteTo(pcpAnnounceRequest(myIP), pcpAddr)
+	}
+	if c.sawUPnPRecently() {
+		res.UPnP = true
+	} else {
+		uc.WriteTo(uPnPPacket, upnpAddr)
+	}
+
+	buf := make([]byte, 1500)
+	pcpHeard := false // true when we get any PCP response
+	for {
+		if pcpHeard && res.PMP && res.UPnP {
+			// Nothing more to discover.
+			return res, nil
+		}
+		n, addr, err := uc.ReadFrom(buf)
+		if err != nil {
+			if ctx.Err() == context.DeadlineExceeded {
+				err = nil
+			}
+			return res, err
+		}
+		port := addr.(*net.UDPAddr).Port
+		switch port {
+		case upnpPort:
+			if mem.Contains(mem.B(buf[:n]), mem.S(":InternetGatewayDevice:")) {
+				res.UPnP = true
+				c.mu.Lock()
+				c.uPnPSawTime = time.Now()
+				c.mu.Unlock()
+			}
+		case pcpPort: // same as pmpPort
+			if pres, ok := parsePCPResponse(buf[:n]); ok {
+				if pres.OpCode == pcpOpReply|pcpOpAnnounce {
+					pcpHeard = true
+					c.mu.Lock()
+					c.pcpSawTime = time.Now()
+					c.mu.Unlock()
+					switch pres.ResultCode {
+					case pcpCodeOK:
+						c.logf("Got PCP response: epoch: %v", pres.Epoch)
+						res.PCP = true
+						continue
+					case pcpCodeNotAuthorized:
+						// A PCP service is running, but refuses to
+						// provide port mapping services.
+						res.PCP = false
+						continue
+					default:
+						// Fall through to unexpected log line.
+					}
+				}
+				c.logf("unexpected PCP probe response: %+v", pres)
+			}
+			if pres, ok := parsePMPResponse(buf[:n]); ok {
+				if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr && pres.ResultCode == pmpCodeOK {
+					c.logf("Got PMP response; IP: %v, epoch: %v", pres.PublicAddr, pres.SecondsSinceEpoch)
+					res.PMP = true
+					c.mu.Lock()
+					c.pmpPubIP = pres.PublicAddr
+					c.pmpPubIPTime = time.Now()
+					c.pmpLastEpoch = pres.SecondsSinceEpoch
+					c.mu.Unlock()
+					continue
+				}
+				c.logf("unexpected PMP probe response: %+v", pres)
+			}
+		}
+	}
+}
+
 const (
 	pcpVersion = 2
 	pcpPort    = 5351
@@ -538,4 +627,14 @@ func parsePCPResponse(b []byte) (res pcpResponse, ok bool) {
 	return res, true
 }
 
+const (
+	upnpPort = 1900
+)
+
+var uPnPPacket = []byte("M-SEARCH * HTTP/1.1\r\n" +
+	"HOST: 239.255.255.250:1900\r\n" +
+	"ST: ssdp:all\r\n" +
+	"MAN: \"ssdp:discover\"\r\n" +
+	"MX: 2\r\n\r\n")
+
 var pmpReqExternalAddrPacket = []byte{0, 0} // version 0, opcode 0 = "Public address request"

net/portmapper/portmapper_test.go

@@ -32,13 +32,12 @@ func TestClientProbe(t *testing.T) {
 		t.Skip("skipping test without HIT_NETWORK=1")
 	}
 	c := NewClient(t.Logf)
-	c.NewProber(context.Background())
-	for i := 0; i < 30; i++ {
+	for i := 0; i < 2; i++ {
 		if i > 0 {
 			time.Sleep(100 * time.Millisecond)
 		}
-		res, err := c.Prober.CurrentStatus()
-		t.Logf("Got(t=%dms): %+v, %v", i*100, res, err)
+		res, err := c.Probe(context.Background())
+		t.Logf("Got: %+v, %v", res, err)
 	}
 }
 

net/portmapper/probe.go

@@ -1,337 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-package portmapper
-
-import (
-	"context"
-	"sync"
-	"time"
-
-	"inet.af/netaddr"
-	"tailscale.com/net/netns"
-)
-
-// Prober periodically pings the network and checks for port-mapping services.
-type Prober struct {
-	// pause signals the probe to either pause temporarily (true), or stop entirely (false)
-	// to restart the probe, send another pause to it.
-	pause chan<- bool
-
-	// Each of the SubResults below is intended to expose whether a specific service is available
-	// for use on a client, and the most recent seen time. Should not be modified externally, and
-	// will be periodically updated.
-
-	// PMP stores the result of probing pmp services and is populated by prober.
-	PMP ProbeSubResult
-	// PCP stores the result of probing pcp services and is populated by prober.
-	PCP ProbeSubResult
-
-	// upnpClient is a reused upnpClient for probing upnp results.
-	upnpClient upnpClient
-	// PCP stores the result of probing pcp services and is populated by prober.
-	UPnP ProbeSubResult
-}
-
-// NewProber creates a new prober for a given client.
-func (c *Client) NewProber(ctx context.Context) *Prober {
-	if c.Prober != nil {
-		return c.Prober
-	}
-	pause := make(chan bool)
-	p := &Prober{
-		pause: pause,
-
-		PMP:  NewProbeSubResult(),
-		PCP:  NewProbeSubResult(),
-		UPnP: NewProbeSubResult(),
-	}
-	c.Prober = p
-
-	go func() {
-		for {
-			pmpCtx, cancel := context.WithTimeout(ctx, portMapServiceTimeout)
-			hasPCP, hasPMP, err := c.probePMPAndPCP(pmpCtx)
-			if err != nil {
-				if ctx.Err() == context.DeadlineExceeded {
-					err = nil
-					// the global context has passed, exit cleanly
-					cancel()
-					return
-				}
-				if pmpCtx.Err() == context.DeadlineExceeded {
-					err = nil
-				}
-			}
-			cancel()
-			p.PMP.Set(hasPMP, err)
-			p.PCP.Set(hasPCP, err)
-
-			t := time.NewTimer(trustServiceStillAvailableDuration * 3 / 4)
-
-			select {
-			case should_pause := <-pause:
-				if !should_pause {
-					t.Stop()
-					return
-				}
-				restart := <-pause
-				if !restart {
-					t.Stop()
-					return
-				}
-			case <-t.C: // break through and retry the connection
-			}
-		}
-	}()
-
-	go func() {
-		// Do not timeout on getting an initial client, as we can reuse it so paying an initial cost
-		// is fine.
-		upnpClient, err := getUPnPClient(ctx)
-		if upnpClient == nil || err != nil {
-			p.UPnP.Set(false, err)
-			return
-		}
-		p.upnpClient = upnpClient
-		defer func() {
-			// unset client when no longer using it.
-			p.upnpClient = nil
-			upnpClient.RequestTermination(context.Background())
-		}()
-		// TODO maybe do something fancy/dynamic with more delay (exponential back-off)
-		for {
-			upnpCtx, cancel := context.WithTimeout(ctx, portMapServiceTimeout*5)
-			retries := 0
-			hasUPnP := false
-			const num_connect_retries = 5
-			for retries < num_connect_retries {
-				status, _, _, statusErr := p.upnpClient.GetStatusInfo(upnpCtx)
-				if statusErr != nil {
-					err = statusErr
-					break
-				}
-				hasUPnP = hasUPnP || status == "Connected"
-				if status == "Disconnected" {
-					upnpClient.RequestConnection(upnpCtx)
-				}
-				retries += 1
-			}
-			// need to manually check these since GetStatusInfo doesn't take a context
-			if ctx.Err() == context.DeadlineExceeded {
-				err = nil
-				// the global context has passed, exit cleanly
-				cancel()
-				return
-			}
-			if upnpCtx.Err() == context.DeadlineExceeded {
-				err = nil
-			}
-			cancel()
-			p.UPnP.Set(hasUPnP, err)
-
-			t := time.NewTimer(trustServiceStillAvailableDuration * 3 / 4)
-
-			select {
-			case should_pause := <-pause:
-				if !should_pause {
-					t.Stop()
-					return
-				}
-				restart := <-pause
-				if !restart {
-					t.Stop()
-					return
-				}
-			case <-t.C: // break through and retry the connection
-			}
-		}
-	}()
-
-	return p
-}
-
-// Stop gracefully turns the Prober off, completing the current probes before exiting.
-func (p *Prober) Stop() { close(p.pause) }
-
-// Pauses the prober if currently running, or starts if it was previously paused.
-func (p *Prober) Toggle() { p.pause <- true }
-
-// CurrentStatus returns the current results of the prober, regardless of whether they have
-// completed or not.
-func (p *Prober) CurrentStatus() (res ProbeResult, err error) {
-	hasPMP, errPMP := p.PMP.PresentCurrent()
-	res.PMP = hasPMP
-	err = errPMP
-
-	hasUPnP, errUPnP := p.UPnP.PresentCurrent()
-	res.UPnP = hasUPnP
-	if err == nil {
-		err = errUPnP
-	}
-
-	hasPCP, errPCP := p.PCP.PresentCurrent()
-	res.PCP = hasPCP
-	if err == nil {
-		err = errPCP
-	}
-	return
-}
-
-// Blocks until the current probe gets any result.
-func (p *Prober) StatusBlock() (res ProbeResult, err error) {
-	hasPMP, errPMP := p.PMP.PresentBlock()
-	res.PMP = hasPMP
-	err = errPMP
-
-	hasUPnP, errUPnP := p.UPnP.PresentBlock()
-	res.UPnP = hasUPnP
-	if err == nil {
-		err = errUPnP
-	}
-
-	hasPCP, errPCP := p.PCP.PresentBlock()
-	res.PCP = hasPCP
-	if err == nil {
-		err = errPCP
-	}
-	return
-}
-
-// ProbeSubResult is a result for a single probing service.
-type ProbeSubResult struct {
-	cond *sync.Cond
-	// If this probe has finished, regardless of success or failure
-	completed bool
-
-	// whether or not this feature is present
-	present bool
-	// most recent error
-	err error
-
-	// Time we last saw the service to be available.
-	sawTime time.Time
-}
-
-func NewProbeSubResult() ProbeSubResult {
-	return ProbeSubResult{
-		cond: &sync.Cond{
-			L: &sync.Mutex{},
-		},
-	}
-}
-
-// PresentBlock blocks until the probe completes, then returns the result.
-func (psr *ProbeSubResult) PresentBlock() (bool, error) {
-	psr.cond.L.Lock()
-	defer psr.cond.L.Unlock()
-	for !psr.completed {
-		psr.cond.Wait()
-	}
-	return psr.present, psr.err
-}
-
-// PresentCurrent returns the current state, regardless whether or not the probe has completed.
-func (psr *ProbeSubResult) PresentCurrent() (bool, error) {
-	psr.cond.L.Lock()
-	defer psr.cond.L.Unlock()
-	present := psr.present && psr.sawTime.After(time.Now().Add(-trustServiceStillAvailableDuration))
-	return present, psr.err
-}
-
-// Assigns the result of the probe and any error seen, signalling to any items waiting for this
-// result that it is now available.
-func (psr *ProbeSubResult) Set(present bool, err error) {
-	saw := time.Now()
-	psr.cond.L.Lock()
-	psr.sawTime = saw
-	psr.completed = true
-	psr.err = err
-	psr.present = present
-	psr.cond.L.Unlock()
-
-	psr.cond.Broadcast()
-}
-
-func (c *Client) probePMPAndPCP(ctx context.Context) (pcp bool, pmp bool, err error) {
-	gw, myIP, ok := c.gatewayAndSelfIP()
-	if !ok {
-		return false, false, ErrGatewayNotFound
-	}
-
-	uc, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
-	if err != nil {
-		c.logf("ProbePCP/PMP: %v", err)
-		return false, false, err
-	}
-	defer uc.Close()
-	defer closeCloserOnContextDone(ctx, uc)()
-
-	pcpAddr := netaddr.IPPortFrom(gw, pcpPort).UDPAddr()
-	pmpAddr := netaddr.IPPortFrom(gw, pmpPort).UDPAddr()
-
-	// Don't send probes to services that we recently learned (for
-	// the same gw/myIP) are available. See
-	// https://github.com/tailscale/tailscale/issues/1001
-	if c.sawPMPRecently() {
-		pmp = true
-	} else {
-		uc.WriteTo(pmpReqExternalAddrPacket, pmpAddr)
-	}
-	if c.sawPCPRecently() {
-		pcp = true
-	} else {
-		uc.WriteTo(pcpAnnounceRequest(myIP), pcpAddr)
-	}
-
-	buf := make([]byte, 1500)
-	pcpHeard := false // true when we get any PCP response
-	for {
-		if pcpHeard && pmp {
-			// Nothing more to discover.
-			return
-		}
-		n, _, err := uc.ReadFrom(buf)
-		if err != nil {
-			if ctx.Err() == context.DeadlineExceeded {
-				err = nil
-			}
-			return pcp, pmp, err
-		}
-		if pres, ok := parsePCPResponse(buf[:n]); ok {
-			if pres.OpCode == pcpOpReply|pcpOpAnnounce {
-				pcpHeard = true
-				//c.mu.Lock()
-				//c.pcpSawTime = time.Now()
-				//c.mu.Unlock()
-				switch pres.ResultCode {
-				case pcpCodeOK:
-					c.logf("Got PCP response: epoch: %v", pres.Epoch)
-					pcp = true
-					continue
-				case pcpCodeNotAuthorized:
-					// A PCP service is running, but refuses to
-					// provide port mapping services.
-					pcp = false
-					continue
-				default:
-					// Fall through to unexpected log line.
-				}
-			}
-			c.logf("unexpected PCP probe response: %+v", pres)
-		}
-		if pres, ok := parsePMPResponse(buf[:n]); ok {
-			if pres.OpCode == pmpOpReply|pmpOpMapPublicAddr && pres.ResultCode == pmpCodeOK {
-				c.logf("Got PMP response; IP: %v, epoch: %v", pres.PublicAddr, pres.SecondsSinceEpoch)
-				pmp = true
-				c.mu.Lock()
-				c.pmpPubIP = pres.PublicAddr
-				c.pmpPubIPTime = time.Now()
-				c.pmpLastEpoch = pres.SecondsSinceEpoch
-				c.mu.Unlock()
-				continue
-			}
-			c.logf("unexpected PMP probe response: %+v", pres)
-		}
-	}
-}

net/portmapper/probe_test.go

@@ -1,26 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package portmapper
-
-import (
-	"context"
-	"os"
-	"strconv"
-	"testing"
-	"time"
-)
-
-func TestClientProber(t *testing.T) {
-	if v, _ := strconv.ParseBool(os.Getenv("HIT_NETWORK")); !v {
-		t.Skip("skipping test without HIT_NETWORK=1")
-	}
-	c := NewClient(t.Logf)
-	ctx := context.Background()
-	prober := c.NewProber(ctx)
-	time.Sleep(3 * time.Second)
-	prober.Stop()
-	res, err := prober.CurrentStatus()
-	t.Logf("Got: %+v, %v", res, err)
-}

net/portmapper/upnp.go

@@ -1,202 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-package portmapper
-
-import (
-	"context"
-	"time"
-
-	"golang.org/x/sync/errgroup"
-	"inet.af/netaddr"
-	"tailscale.com/tempfork/upnp/dcps/internetgateway2"
-)
-
-type upnpMapping struct {
-	gw       netaddr.IP
-	external netaddr.IPPort
-	internal netaddr.IPPort
-	useUntil time.Time
-	client   upnpClient
-}
-
-func (u *upnpMapping) isCurrent() bool                { return u.useUntil.After(time.Now()) }
-func (u *upnpMapping) validUntil() time.Time          { return u.useUntil }
-func (u *upnpMapping) externalIPPort() netaddr.IPPort { return u.external }
-func (u *upnpMapping) release() {
-	u.client.DeletePortMapping(context.Background(), "", u.external.Port(), "udp")
-}
-
-type upnpClient interface {
-	// http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf
-	// Implicitly assume that the calls for all these are uniform, which might be a dangerous
-	// assumption.
-	AddPortMapping(
-		ctx context.Context,
-		newRemoteHost string,
-		newExternalPort uint16,
-		newProtocol string,
-		newInternalPort uint16,
-		newInternalClient string,
-		newEnabled bool,
-		newPortMappingDescription string,
-		newLeaseDuration uint32,
-	) (err error)
-
-	DeletePortMapping(ctx context.Context, newRemoteHost string, newExternalPort uint16, newProtocol string) error
-	GetStatusInfo(ctx context.Context) (status string, lastErr string, uptime uint32, err error)
-	GetExternalIPAddress(ctx context.Context) (externalIPAddress string, err error)
-
-	RequestTermination(ctx context.Context) error
-	RequestConnection(ctx context.Context) error
-}
-
-// addAnyPortMapping abstracts over different UPnP client connections, calling the available
-// AddAnyPortMapping call if available, otherwise defaulting to the old behavior of calling
-// AddPortMapping with port = 0 to specify a wildcard port.
-func addAnyPortMapping(
-	ctx context.Context,
-	upnp upnpClient,
-	newRemoteHost string,
-	newExternalPort uint16,
-	newProtocol string,
-	newInternalPort uint16,
-	newInternalClient string,
-	newEnabled bool,
-	newPortMappingDescription string,
-	newLeaseDuration uint32,
-) (newPort uint16, err error) {
-	if upnp, ok := upnp.(*internetgateway2.WANIPConnection2); ok {
-		return upnp.AddAnyPortMapping(
-			ctx,
-			newRemoteHost,
-			newExternalPort,
-			newProtocol,
-			newInternalPort,
-			newInternalClient,
-			newEnabled,
-			newPortMappingDescription,
-			newLeaseDuration,
-		)
-	}
-	err = upnp.AddPortMapping(
-		ctx,
-		newRemoteHost,
-		newExternalPort,
-		newProtocol,
-		newInternalPort,
-		newInternalClient,
-		newEnabled,
-		newPortMappingDescription,
-		newLeaseDuration,
-	)
-	return newInternalPort, err
-}
-
-// getUPnPClients gets a client for interfacing with UPnP, ignoring the underlying protocol for
-// now.
-// Adapted from https://github.com/huin/goupnp/blob/master/GUIDE.md.
-func getUPnPClient(ctx context.Context) (upnpClient, error) {
-	tasks, _ := errgroup.WithContext(ctx)
-	// Attempt to connect over the multiple available connection types.
-	var ip1Clients []*internetgateway2.WANIPConnection1
-	tasks.Go(func() error {
-		var err error
-		ip1Clients, _, err = internetgateway2.NewWANIPConnection1Clients()
-		return err
-	})
-	var ip2Clients []*internetgateway2.WANIPConnection2
-	tasks.Go(func() error {
-		var err error
-		ip2Clients, _, err = internetgateway2.NewWANIPConnection2Clients()
-		return err
-	})
-	var ppp1Clients []*internetgateway2.WANPPPConnection1
-	tasks.Go(func() error {
-		var err error
-		ppp1Clients, _, err = internetgateway2.NewWANPPPConnection1Clients()
-		return err
-	})
-
-	err := tasks.Wait()
-
-	switch {
-	case len(ip2Clients) > 0:
-		return ip2Clients[0], nil
-	case len(ip1Clients) > 0:
-		return ip1Clients[0], nil
-	case len(ppp1Clients) > 0:
-		return ppp1Clients[0], nil
-	default:
-		// Didn't get any outputs, report if there was an error or nil if
-		// just no clients.
-		return nil, err
-	}
-}
-
-// getUPnPPortMapping will attempt to create a port-mapping over the UPnP protocol. On success,
-// it will return the externally exposed IP and port. Otherwise, it will return a zeroed IP and
-// port and an error.
-func (c *Client) getUPnPPortMapping(ctx context.Context, gw netaddr.IP, internal netaddr.IPPort,
-	prevPort uint16) (external netaddr.IPPort, err error) {
-	// If did not see UPnP within the past 5 seconds then bail
-	haveRecentUPnP := c.sawUPnPRecently()
-	now := time.Now()
-	if c.lastProbe.After(now.Add(-5*time.Second)) && !haveRecentUPnP {
-		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-	}
-	// Otherwise try a uPnP mapping if PMP did not work
-	mpnp := &upnpMapping{
-		gw:       gw,
-		internal: internal,
-	}
-
-	var client upnpClient
-	c.mu.Lock()
-	oldMapping, ok := c.mapping.(*upnpMapping)
-	c.mu.Unlock()
-	if ok && oldMapping != nil {
-		client = oldMapping.client
-	} else if c.Prober != nil && c.Prober.upnpClient != nil {
-		client = c.Prober.upnpClient
-	} else {
-		client, err = getUPnPClient(ctx)
-		if err != nil {
-			return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-		}
-	}
-	if client == nil {
-		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-	}
-
-	var newPort uint16
-	newPort, err = addAnyPortMapping(
-		ctx, client,
-		"", prevPort, "UDP", internal.Port(), internal.IP().String(), true,
-		// string below is just a name for reporting on device.
-		"tailscale-portmap", pmpMapLifetimeSec,
-	)
-	if err != nil {
-		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-	}
-	// TODO cache this ip somewhere?
-	extIP, err := client.GetExternalIPAddress(ctx)
-	if err != nil {
-		// TODO this doesn't seem right
-		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-	}
-	externalIP, err := netaddr.ParseIP(extIP)
-	if err != nil {
-		return netaddr.IPPort{}, NoMappingError{ErrNoPortMappingServices}
-	}
-
-	mpnp.external = netaddr.IPPortFrom(externalIP, newPort)
-	d := time.Duration(pmpMapLifetimeSec) * time.Second / 2
-	mpnp.useUntil = time.Now().Add(d)
-	mpnp.client = client
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	c.mapping = mpnp
-	c.localPort = newPort
-	return mpnp.external, nil
-}

net/tsaddr/tsaddr.go

@@ -41,9 +41,12 @@ var (
 // TailscaleServiceIP returns the listen address of services
 // provided by Tailscale itself such as the MagicDNS proxy.
 func TailscaleServiceIP() netaddr.IP {
-	return netaddr.IPv4(100, 100, 100, 100) // "100.100.100.100" for those grepping
+	serviceIP.Do(func() { mustIP(&serviceIP.v, "100.100.100.100") })
+	return serviceIP.v
 }
 
+var serviceIP onceIP
+
 // IsTailscaleIP reports whether ip is an IP address in a range that
 // Tailscale assigns from.
 func IsTailscaleIP(ip netaddr.IP) bool {
@@ -123,6 +126,19 @@ type oncePrefix struct {
 	v netaddr.IPPrefix
 }
 
+func mustIP(v *netaddr.IP, ip string) {
+	var err error
+	*v, err = netaddr.ParseIP(ip)
+	if err != nil {
+		panic(err)
+	}
+}
+
+type onceIP struct {
+	sync.Once
+	v netaddr.IP
+}
+
 // NewContainsIPFunc returns a func that reports whether ip is in addrs.
 //
 // It's optimized for the cases of addrs being empty and addrs

net/tsaddr/tsaddr_test.go

@@ -93,11 +93,3 @@ func TestNewContainsIPFunc(t *testing.T) {
 		t.Fatal("bad")
 	}
 }
-
-var sinkIP netaddr.IP
-
-func BenchmarkTailscaleServiceAddr(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		sinkIP = TailscaleServiceIP()
-	}
-}

net/tstun/fake.go

@@ -8,7 +8,7 @@ import (
 	"io"
 	"os"
 
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 )
 
 type fakeTUN struct {

net/tstun/ifstatus_noop.go

@@ -9,7 +9,7 @@ package tstun
 import (
 	"time"
 
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 )
 

net/tstun/ifstatus_windows.go

@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"
 
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/types/logger"
 )

net/tstun/tun.go

@@ -11,34 +11,27 @@ import (
 	"os"
 	"os/exec"
 	"runtime"
-	"strconv"
 	"time"
 
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 	"tailscale.com/version/distro"
 )
 
-// tunMTU is the MTU we set on tailscale's TUN interface. wireguard-go
-// defaults to 1420 bytes, which only works if the "outer" MTU is 1500
-// bytes. This breaks on DSL connections (typically 1492 MTU) and on
-// GCE (1460 MTU?!).
+// minimalMTU is the MTU we set on tailscale's TUN
+// interface. wireguard-go defaults to 1420 bytes, which only works if
+// the "outer" MTU is 1500 bytes. This breaks on DSL connections
+// (typically 1492 MTU) and on GCE (1460 MTU?!).
 //
 // 1280 is the smallest MTU allowed for IPv6, which is a sensible
 // "probably works everywhere" setting until we develop proper PMTU
 // discovery.
-var tunMTU = 1280
-
-func init() {
-	if mtu, _ := strconv.Atoi(os.Getenv("TS_DEBUG_MTU")); mtu != 0 {
-		tunMTU = mtu
-	}
-}
+const minimalMTU = 1280
 
 // New returns a tun.Device for the requested device name, along with
 // the OS-dependent name that was allocated to the device.
 func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
-	dev, err := tun.CreateTUN(tunName, tunMTU)
+	dev, err := tun.CreateTUN(tunName, minimalMTU)
 	if err != nil {
 		return nil, "", err
 	}

net/tstun/tun_notwindows.go

@@ -6,7 +6,7 @@
 
 package tstun
 
-import "golang.zx2c4.com/wireguard/tun"
+import "github.com/tailscale/wireguard-go/tun"
 
 func interfaceName(dev tun.Device) (string, error) {
 	return dev.Name()

net/tstun/tun_windows.go

@@ -5,9 +5,9 @@
 package tstun
 
 import (
+	"github.com/tailscale/wireguard-go/tun"
+	"github.com/tailscale/wireguard-go/tun/wintun"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/wintun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 

net/tstun/wrap.go

@@ -14,8 +14,8 @@ import (
 	"sync/atomic"
 	"time"
 
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"

net/tstun/wrap_test.go

@@ -14,7 +14,7 @@ import (
 	"testing"
 	"unsafe"
 
-	"golang.zx2c4.com/wireguard/tun/tuntest"
+	"github.com/tailscale/wireguard-go/tun/tuntest"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
@@ -146,8 +146,7 @@ func setfilter(logf logger.Logf, tun *Wrapper) {
 	}
 	var sb netaddr.IPSetBuilder
 	sb.AddPrefix(netaddr.MustParseIPPrefix("1.2.0.0/16"))
-	ipSet, _ := sb.IPSet()
-	tun.SetFilter(filter.New(matches, ipSet, ipSet, nil, logf))
+	tun.SetFilter(filter.New(matches, sb.IPSet(), sb.IPSet(), nil, logf))
 }
 
 func newChannelTUN(logf logger.Logf, secure bool) (*tuntest.ChannelTUN, *Wrapper) {

packages/deb/deb.go

@@ -1,184 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package deb extracts metadata from Debian packages.
-package deb
-
-import (
-	"archive/tar"
-	"bufio"
-	"bytes"
-	"compress/gzip"
-	"crypto/md5"
-	"crypto/sha1"
-	"crypto/sha256"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-)
-
-// Info is the Debian package metadata needed to integrate the package
-// into a repository.
-type Info struct {
-	// Version is the version of the package, as reported by dpkg.
-	Version string
-	// Arch is the Debian CPU architecture the package is for.
-	Arch string
-	// Control is the entire contents of the package's control file,
-	// with leading and trailing whitespace removed.
-	Control []byte
-	// MD5 is the MD5 hash of the package file.
-	MD5 []byte
-	// SHA1 is the SHA1 hash of the package file.
-	SHA1 []byte
-	// SHA256 is the SHA256 hash of the package file.
-	SHA256 []byte
-}
-
-// ReadFile returns Debian package metadata from the .deb file at path.
-func ReadFile(path string) (*Info, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	return Read(f)
-}
-
-// Read returns Debian package metadata from the .deb file in r.
-func Read(r io.Reader) (*Info, error) {
-	b := bufio.NewReader(r)
-
-	m5, s1, s256 := md5.New(), sha1.New(), sha256.New()
-	summers := io.MultiWriter(m5, s1, s256)
-	r = io.TeeReader(b, summers)
-
-	t, err := findControlTar(r)
-	if err != nil {
-		return nil, fmt.Errorf("searching for control.tar.gz: %w", err)
-	}
-
-	control, err := findControlFile(t)
-	if err != nil {
-		return nil, fmt.Errorf("searching for control file in control.tar.gz: %w", err)
-	}
-
-	arch, version, err := findArchAndVersion(control)
-	if err != nil {
-		return nil, fmt.Errorf("extracting version and architecture from control file: %w", err)
-	}
-
-	// Exhaust the remainder of r, so that the summers see the entire file.
-	if _, err := io.Copy(ioutil.Discard, r); err != nil {
-		return nil, fmt.Errorf("hashing file: %w", err)
-	}
-
-	return &Info{
-		Version: version,
-		Arch:    arch,
-		Control: control,
-		MD5:     m5.Sum(nil),
-		SHA1:    s1.Sum(nil),
-		SHA256:  s256.Sum(nil),
-	}, nil
-}
-
-// findControlTar reads r as an `ar` archive, finds a tarball named
-// `control.tar.gz` within, and returns a reader for that file.
-func findControlTar(r io.Reader) (tarReader io.Reader, err error) {
-	var magic [8]byte
-	if _, err := io.ReadFull(r, magic[:]); err != nil {
-		return nil, fmt.Errorf("reading ar magic: %w", err)
-	}
-	if string(magic[:]) != "!<arch>\n" {
-		return nil, fmt.Errorf("not an ar file (bad magic %q)", magic)
-	}
-
-	for {
-		var hdr [60]byte
-		if _, err := io.ReadFull(r, hdr[:]); err != nil {
-			return nil, fmt.Errorf("reading file header: %w", err)
-		}
-		filename := strings.TrimSpace(string(hdr[:16]))
-		size, err := strconv.ParseInt(strings.TrimSpace(string(hdr[48:58])), 10, 64)
-		if err != nil {
-			return nil, fmt.Errorf("reading size of file %q: %w", filename, err)
-		}
-		if filename == "control.tar.gz" {
-			return io.LimitReader(r, size), nil
-		}
-
-		// files in ar are padded out to 2 bytes.
-		if size%2 == 1 {
-			size++
-		}
-		if _, err := io.CopyN(ioutil.Discard, r, size); err != nil {
-			return nil, fmt.Errorf("seeking past file %q: %w", filename, err)
-		}
-	}
-}
-
-// findControlFile reads r as a tar.gz archive, finds a file named
-// `control` within, and returns its contents.
-func findControlFile(r io.Reader) (control []byte, err error) {
-	gz, err := gzip.NewReader(r)
-	if err != nil {
-		return nil, fmt.Errorf("decompressing control.tar.gz: %w", err)
-	}
-	defer gz.Close()
-
-	tr := tar.NewReader(gz)
-	for {
-		hdr, err := tr.Next()
-		if err != nil {
-			if errors.Is(err, io.EOF) {
-				return nil, errors.New("EOF while looking for control file in control.tar.gz")
-			}
-			return nil, fmt.Errorf("reading tar header: %w", err)
-		}
-
-		if filepath.Clean(hdr.Name) != "control" {
-			continue
-		}
-
-		// Found control file
-		break
-	}
-
-	bs, err := ioutil.ReadAll(tr)
-	if err != nil {
-		return nil, fmt.Errorf("reading control file: %w", err)
-	}
-
-	return bytes.TrimSpace(bs), nil
-}
-
-var (
-	archKey    = []byte("Architecture:")
-	versionKey = []byte("Version:")
-)
-
-// findArchAndVersion extracts the architecture and version strings
-// from the given control file.
-func findArchAndVersion(control []byte) (arch string, version string, err error) {
-	b := bytes.NewBuffer(control)
-	for {
-		l, err := b.ReadBytes('\n')
-		if err != nil {
-			return "", "", err
-		}
-		if bytes.HasPrefix(l, archKey) {
-			arch = string(bytes.TrimSpace(l[len(archKey):]))
-		} else if bytes.HasPrefix(l, versionKey) {
-			version = string(bytes.TrimSpace(l[len(versionKey):]))
-		}
-		if arch != "" && version != "" {
-			return arch, version, nil
-		}
-	}
-}

packages/deb/deb_test.go

@@ -1,202 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package deb
-
-import (
-	"bytes"
-	"crypto/md5"
-	"crypto/sha1"
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"hash"
-	"strings"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/goreleaser/nfpm"
-	_ "github.com/goreleaser/nfpm/deb"
-)
-
-func TestDebInfo(t *testing.T) {
-	tests := []struct {
-		name    string
-		in      []byte
-		want    *Info
-		wantErr bool
-	}{
-		{
-			name: "simple",
-			in:   mkTestDeb("1.2.3", "amd64"),
-			want: &Info{
-				Version: "1.2.3",
-				Arch:    "amd64",
-				Control: mkControl(
-					"Package", "tailscale",
-					"Version", "1.2.3",
-					"Section", "net",
-					"Priority", "extra",
-					"Architecture", "amd64",
-					"Installed-Size", "0",
-					"Description", "test package"),
-			},
-		},
-		{
-			name: "arm64",
-			in:   mkTestDeb("1.2.3", "arm64"),
-			want: &Info{
-				Version: "1.2.3",
-				Arch:    "arm64",
-				Control: mkControl(
-					"Package", "tailscale",
-					"Version", "1.2.3",
-					"Section", "net",
-					"Priority", "extra",
-					"Architecture", "arm64",
-					"Installed-Size", "0",
-					"Description", "test package"),
-			},
-		},
-		{
-			name: "unstable",
-			in:   mkTestDeb("1.7.25", "amd64"),
-			want: &Info{
-				Version: "1.7.25",
-				Arch:    "amd64",
-				Control: mkControl(
-					"Package", "tailscale",
-					"Version", "1.7.25",
-					"Section", "net",
-					"Priority", "extra",
-					"Architecture", "amd64",
-					"Installed-Size", "0",
-					"Description", "test package"),
-			},
-		},
-
-		// These truncation tests assume the structure of a .deb
-		// package, which is as follows:
-		//  magic: 8 bytes
-		//  file header: 60 bytes, before each file blob
-		//
-		// The first file in a .deb ar is "debian-binary", which is 4
-		// bytes long and consists of "2.0\n".
-		// The second file is control.tar.gz, which is what we care
-		// about introspecting for metadata.
-		// The final file is data.tar.gz, which we don't care about.
-		//
-		// The first file in control.tar.gz is the "control" file we
-		// want to read for metadata.
-		{
-			name:    "truncated_ar_magic",
-			in:      mkTestDeb("1.7.25", "amd64")[:4],
-			wantErr: true,
-		},
-		{
-			name:    "truncated_ar_header",
-			in:      mkTestDeb("1.7.25", "amd64")[:30],
-			wantErr: true,
-		},
-		{
-			name: "missing_control_tgz",
-			// Truncate right after the "debian-binary" file, which
-			// makes the file a valid 1-file archive that's missing
-			// control.tar.gz.
-			in:      mkTestDeb("1.7.25", "amd64")[:72],
-			wantErr: true,
-		},
-		{
-			name:    "truncated_tgz",
-			in:      mkTestDeb("1.7.25", "amd64")[:172],
-			wantErr: true,
-		},
-	}
-
-	for _, test := range tests {
-		// mkTestDeb returns non-deterministic output due to
-		// timestamps embedded in the package file, so compute the
-		// wanted hashes on the fly here.
-		if test.want != nil {
-			test.want.MD5 = mkHash(test.in, md5.New)
-			test.want.SHA1 = mkHash(test.in, sha1.New)
-			test.want.SHA256 = mkHash(test.in, sha256.New)
-		}
-
-		t.Run(test.name, func(t *testing.T) {
-			b := bytes.NewBuffer(test.in)
-			got, err := Read(b)
-			if err != nil {
-				if test.wantErr {
-					t.Logf("got expected error: %v", err)
-					return
-				}
-				t.Fatalf("reading deb info: %v", err)
-			}
-			if diff := diff(got, test.want); diff != "" {
-				t.Fatalf("parsed info diff (-got+want):\n%s", diff)
-			}
-		})
-	}
-}
-
-func diff(got, want interface{}) string {
-	matchField := func(name string) func(p cmp.Path) bool {
-		return func(p cmp.Path) bool {
-			if len(p) != 3 {
-				return false
-			}
-			return p[2].String() == "."+name
-		}
-	}
-	toLines := cmp.Transformer("lines", func(b []byte) []string { return strings.Split(string(b), "\n") })
-	toHex := cmp.Transformer("hex", func(b []byte) string { return hex.EncodeToString(b) })
-	return cmp.Diff(got, want,
-		cmp.FilterPath(matchField("Control"), toLines),
-		cmp.FilterPath(matchField("MD5"), toHex),
-		cmp.FilterPath(matchField("SHA1"), toHex),
-		cmp.FilterPath(matchField("SHA256"), toHex))
-}
-
-func mkTestDeb(version, arch string) []byte {
-	info := nfpm.WithDefaults(&nfpm.Info{
-		Name:        "tailscale",
-		Description: "test package",
-		Arch:        arch,
-		Platform:    "linux",
-		Version:     version,
-		Section:     "net",
-		Priority:    "extra",
-	})
-
-	pkg, err := nfpm.Get("deb")
-	if err != nil {
-		panic(fmt.Sprintf("getting deb packager: %v", err))
-	}
-
-	var b bytes.Buffer
-	if err := pkg.Package(info, &b); err != nil {
-		panic(fmt.Sprintf("creating deb package: %v", err))
-	}
-
-	return b.Bytes()
-}
-
-func mkControl(fs ...string) []byte {
-	if len(fs)%2 != 0 {
-		panic("odd number of control file fields")
-	}
-	var b bytes.Buffer
-	for i := 0; i < len(fs); i = i + 2 {
-		k, v := fs[i], fs[i+1]
-		fmt.Fprintf(&b, "%s: %s\n", k, v)
-	}
-	return bytes.TrimSpace(b.Bytes())
-}
-
-func mkHash(b []byte, hasher func() hash.Hash) []byte {
-	h := hasher()
-	h.Write(b)
-	return h.Sum(nil)
-}

paths/paths.go

@@ -11,13 +11,11 @@ import (
 	"path/filepath"
 	"runtime"
 	"sync/atomic"
-
-	"tailscale.com/version/distro"
 )
 
-// AppSharedDir is a string set by the iOS or Android app on start
+// IOSSharedDir is a string set by the iOS app on start
 // containing a directory we can read/write in.
-var AppSharedDir atomic.Value
+var IOSSharedDir atomic.Value
 
 // DefaultTailscaledSocket returns the path to the tailscaled Unix socket
 // or the empty string if there's no reasonable default.
@@ -28,15 +26,11 @@ func DefaultTailscaledSocket() string {
 	if runtime.GOOS == "darwin" {
 		return "/var/run/tailscaled.socket"
 	}
-	if distro.Get() == distro.Synology {
-		// TODO(maisem): be smarter about this. We can parse /etc/VERSION.
-		const dsm6Sock = "/var/packages/Tailscale/etc/tailscaled.sock"
-		const dsm7Sock = "/var/packages/Tailscale/var/tailscaled.sock"
-		if fi, err := os.Stat(dsm6Sock); err == nil && !fi.IsDir() {
-			return dsm6Sock
-		}
-		if fi, err := os.Stat(dsm7Sock); err == nil && !fi.IsDir() {
-			return dsm7Sock
+	if runtime.GOOS == "linux" {
+		// TODO(crawshaw): does this path change with DSM7?
+		const synologySock = "/volume1/@appstore/Tailscale/var/tailscaled.sock" // SYNOPKG_PKGDEST in scripts/installer
+		if fi, err := os.Stat(filepath.Dir(synologySock)); err == nil && fi.IsDir() {
+			return synologySock
 		}
 	}
 	if fi, err := os.Stat("/var/run"); err == nil && fi.IsDir() {

tailcfg/tailcfg.go

@@ -42,8 +42,7 @@ import (
 //    17: 2021-04-18: MapResponse.Domain empty means unchanged
 //    18: 2021-04-19: MapResponse.Node nil means unchanged (all fields now omitempty)
 //    19: 2021-04-21: MapResponse.Debug.SleepSeconds
-//    20: 2021-06-11: MapResponse.LastSeen used even less (https://github.com/tailscale/tailscale/issues/2107)
-const CurrentMapRequestVersion = 20
+const CurrentMapRequestVersion = 19
 
 type StableID string
 
@@ -1027,16 +1026,11 @@ func (k MachineKey) MarshalText() ([]byte, error)     { return keyMarshalText("m
 func (k MachineKey) HexString() string                { return fmt.Sprintf("%x", k[:]) }
 func (k *MachineKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "mkey:", text) }
 
-func appendKey(base []byte, prefix string, k [32]byte) []byte {
-	ret := append(base, make([]byte, len(prefix)+64)...)
-	buf := ret[len(base):]
+func keyMarshalText(prefix string, k [32]byte) []byte {
+	buf := make([]byte, len(prefix)+64)
 	copy(buf, prefix)
 	hex.Encode(buf[len(prefix):], k[:])
-	return ret
-}
-
-func keyMarshalText(prefix string, k [32]byte) []byte {
-	return appendKey(nil, prefix, k)
+	return buf
 }
 
 func keyUnmarshalText(dst []byte, prefix string, text []byte) error {
@@ -1067,7 +1061,6 @@ func (k DiscoKey) String() string                   { return fmt.Sprintf("discok
 func (k DiscoKey) MarshalText() ([]byte, error)     { return keyMarshalText("discokey:", k), nil }
 func (k *DiscoKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "discokey:", text) }
 func (k DiscoKey) ShortString() string              { return fmt.Sprintf("d:%x", k[:8]) }
-func (k DiscoKey) AppendTo(b []byte) []byte         { return appendKey(b, "discokey:", k) }
 
 // IsZero reports whether k is the zero value.
 func (k DiscoKey) IsZero() bool { return k == DiscoKey{} }
@@ -1175,31 +1168,3 @@ const (
 	CapabilityFileSharing = "https://tailscale.com/cap/file-sharing"
 	CapabilityAdmin       = "https://tailscale.com/cap/is-admin"
 )
-
-// SetDNSRequest is a request to add a DNS record.
-//
-// This is used for ACME DNS-01 challenges (so people can use
-// LetsEncrypt, etc).
-//
-// The request is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
-// using the local machine key, and sent to:
-//	https://login.tailscale.com/machine/<mkey hex>/set-dns
-type SetDNSRequest struct {
-	// Version indicates what level of SetDNSRequest functionality
-	// the client understands. Currently this type only has
-	// one version; this field should always be 1 for now.
-	Version int
-
-	// NodeKey is the client's current node key.
-	NodeKey NodeKey
-
-	// Name is the domain name for which to create a record.
-	Name string
-
-	// Type is the DNS record type. For ACME DNS-01 challenges, it
-	// should be "TXT".
-	Type string
-
-	// Value is the value to add.
-	Value string
-}

tailcfg/tailcfg_test.go

@@ -14,7 +14,6 @@ import (
 
 	"inet.af/netaddr"
 	"tailscale.com/types/wgkey"
-	"tailscale.com/version"
 )
 
 func fieldsOf(t reflect.Type) (fields []string) {
@@ -529,25 +528,3 @@ func BenchmarkKeyMarshalText(b *testing.B) {
 		sinkBytes = keyMarshalText("prefix", k)
 	}
 }
-
-func TestAppendKeyAllocs(t *testing.T) {
-	if version.IsRace() {
-		t.Skip("skipping in race detector") // append(b, make([]byte, N)...) not optimized in compiler with race
-	}
-	var k [32]byte
-	n := int(testing.AllocsPerRun(1000, func() {
-		sinkBytes = keyMarshalText("prefix", k)
-	}))
-	if n != 1 {
-		t.Fatalf("allocs = %v; want 1", n)
-	}
-}
-
-func TestDiscoKeyAppend(t *testing.T) {
-	d := DiscoKey{1: 1, 2: 2}
-	got := string(d.AppendTo([]byte("foo")))
-	want := "foodiscokey:0001020000000000000000000000000000000000000000000000000000000000"
-	if got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-}

tempfork/upnp/LICENSE

@@ -1,23 +0,0 @@
-Copyright (c) 2013, John Beisley <johnbeisleyuk@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-  list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice, this
-  list of conditions and the following disclaimer in the documentation and/or
-  other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

tempfork/upnp/README.md

@@ -1,46 +0,0 @@
-goupnp is a UPnP client library for Go
-
-## Installation
-
-Run `go get -u github.com/huin/goupnp`.
-
-## Documentation
-
-See [GUIDE.md](GUIDE.md) for a quick start on the most common use case for this
-library.
-
-Supported DCPs (you probably want to start with one of these):
-
-- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) av1](https://godoc.org/github.com/huin/goupnp/dcps/av1) - Client for UPnP Device Control Protocol MediaServer v1 and MediaRenderer v1.
-- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) internetgateway1](https://godoc.org/github.com/huin/goupnp/dcps/internetgateway1) - Client for UPnP Device Control Protocol Internet Gateway Device v1.
-- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) internetgateway2](https://godoc.org/github.com/huin/goupnp/dcps/internetgateway2) - Client for UPnP Device Control Protocol Internet Gateway Device v2.
-
-Core components:
-
-- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) (goupnp)](https://godoc.org/github.com/huin/goupnp) core library - contains datastructures and utilities typically used by the implemented DCPs.
-- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) httpu](https://godoc.org/github.com/huin/goupnp/httpu) HTTPU implementation, underlies SSDP.
-- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) ssdp](https://godoc.org/github.com/huin/goupnp/ssdp) SSDP client implementation (simple service discovery protocol) - used to discover UPnP services on a network.
-- [![GoDoc](https://godoc.org/github.com/huin/goupnp?status.svg) soap](https://godoc.org/github.com/huin/goupnp/soap) SOAP client implementation (simple object access protocol) - used to communicate with discovered services.
-
-## Regenerating dcps generated source code:
-
-1. Build code generator:
-
-   `go get -u github.com/huin/goupnp/cmd/goupnpdcpgen`
-
-2. Regenerate the code:
-
-   `go generate ./...`
-
-## Supporting additional UPnP devices and services:
-
-Supporting additional services is, in the trivial case, simply a matter of
-adding the service to the `dcpMetadata` whitelist in `cmd/goupnpdcpgen/metadata.go`,
-regenerating the source code (see above), and committing that source code.
-
-However, it would be helpful if anyone needing such a service could test the
-service against the service they have, and then reporting any trouble
-encountered as an [issue on this
-project](https://github.com/huin/goupnp/issues/new). If it just works, then
-please report at least minimal working functionality as an issue, and
-optionally contribute the metadata upstream.

tempfork/upnp/cmd/goupnpdcpgen/codetemplate.go

@@ -1,154 +0,0 @@
-package main
-
-import (
-	"html/template"
-)
-
-var packageTmpl = template.Must(template.New("package").Parse(`{{$name := .Metadata.Name}}
-// Client for UPnP Device Control Protocol {{.Metadata.OfficialName}}.
-// {{if .Metadata.DocURL}}
-// This DCP is documented in detail at: {{.Metadata.DocURL}}{{end}}
-//
-// Typically, use one of the New* functions to create clients for services.
-package {{$name}}
-
-// ***********************************************************
-// GENERATED FILE - DO NOT EDIT BY HAND. See README.md
-// ***********************************************************
-
-import (
-  "context"
-	"net/url"
-	"time"
-
-	"tailscale.com/tempfork/upnp"
-	"tailscale.com/tempfork/upnp/soap"
-)
-
-// Hack to avoid Go complaining if time isn't used.
-var _ time.Time
-
-// Device URNs:
-const ({{range .DeviceTypes}}
-	{{.Const}} = "{{.URN}}"{{end}}
-)
-
-// Service URNs:
-const ({{range .ServiceTypes}}
-	{{.Const}} = "{{.URN}}"{{end}}
-)
-
-{{range .Services}}
-{{$srv := .}}
-{{$srvIdent := printf "%s%s" .Name .Version}}
-
-// {{$srvIdent}} is a client for UPnP SOAP service with URN "{{.URN}}". See
-// goupnp.ServiceClient, which contains RootDevice and Service attributes which
-// are provided for informational value.
-type {{$srvIdent}} struct {
-	goupnp.ServiceClient
-}
-
-// New{{$srvIdent}}Clients discovers instances of the service on the network,
-// and returns clients to any that are found. errors will contain an error for
-// any devices that replied but which could not be queried, and err will be set
-// if the discovery process failed outright.
-//
-// This is a typical entry calling point into this package.
-func New{{$srvIdent}}Clients() (clients []*{{$srvIdent}}, errors []error, err error) {
-	var genericClients []goupnp.ServiceClient
-	if genericClients, errors, err = goupnp.NewServiceClients({{$srv.Const}}); err != nil {
-		return
-	}
-	clients = new{{$srvIdent}}ClientsFromGenericClients(genericClients)
-	return
-}
-
-// New{{$srvIdent}}ClientsByURL discovers instances of the service at the given
-// URL, and returns clients to any that are found. An error is returned if
-// there was an error probing the service.
-//
-// This is a typical entry calling point into this package when reusing an
-// previously discovered service URL.
-func New{{$srvIdent}}ClientsByURL(loc *url.URL) ([]*{{$srvIdent}}, error) {
-	genericClients, err := goupnp.NewServiceClientsByURL(loc, {{$srv.Const}})
-	if err != nil {
-		return nil, err
-	}
-	return new{{$srvIdent}}ClientsFromGenericClients(genericClients), nil
-}
-
-// New{{$srvIdent}}ClientsFromRootDevice discovers instances of the service in
-// a given root device, and returns clients to any that are found. An error is
-// returned if there was not at least one instance of the service within the
-// device. The location parameter is simply assigned to the Location attribute
-// of the wrapped ServiceClient(s).
-//
-// This is a typical entry calling point into this package when reusing an
-// previously discovered root device.
-func New{{$srvIdent}}ClientsFromRootDevice(rootDevice *goupnp.RootDevice, loc *url.URL) ([]*{{$srvIdent}}, error) {
-	genericClients, err := goupnp.NewServiceClientsFromRootDevice(rootDevice, loc, {{$srv.Const}})
-	if err != nil {
-		return nil, err
-	}
-	return new{{$srvIdent}}ClientsFromGenericClients(genericClients), nil
-}
-
-func new{{$srvIdent}}ClientsFromGenericClients(genericClients []goupnp.ServiceClient) []*{{$srvIdent}} {
-	clients := make([]*{{$srvIdent}}, len(genericClients))
-	for i := range genericClients {
-		clients[i] = &{{$srvIdent}}{genericClients[i]}
-	}
-	return clients
-}
-
-{{range .SCPD.Actions}}{{/* loops over *SCPDWithURN values */}}
-
-{{$winargs := $srv.WrapArguments .InputArguments}}
-{{$woutargs := $srv.WrapArguments .OutputArguments}}
-{{if $winargs.HasDoc}}
-//
-// Arguments:{{range $winargs}}{{if .HasDoc}}
-//
-// * {{.Name}}: {{.Document}}{{end}}{{end}}{{end}}
-{{if $woutargs.HasDoc}}
-//
-// Return values:{{range $woutargs}}{{if .HasDoc}}
-//
-// * {{.Name}}: {{.Document}}{{end}}{{end}}{{end}}
-func (client *{{$srvIdent}}) {{.Name}}(ctx context.Context, {{range $winargs -}}
-{{.AsParameter}}, {{end -}}
-) ({{range $woutargs -}}
-{{.AsParameter}}, {{end}} err error) {
-	// Request structure.
-	request := {{if $winargs}}&{{template "argstruct" $winargs}}{{"{}"}}{{else}}{{"interface{}(nil)"}}{{end}}
-	// BEGIN Marshal arguments into request.
-{{range $winargs}}
-	if request.{{.Name}}, err = {{.Marshal}}; err != nil {
-		return
-	}{{end}}
-	// END Marshal arguments into request.
-
-	// Response structure.
-	response := {{if $woutargs}}&{{template "argstruct" $woutargs}}{{"{}"}}{{else}}{{"interface{}(nil)"}}{{end}}
-
-	// Perform the SOAP call.
-	if err = client.SOAPClient.PerformAction(ctx, {{$srv.URNParts.Const}}, "{{.Name}}", request, response); err != nil {
-		return
-	}
-
-	// BEGIN Unmarshal arguments from response.
-{{range $woutargs}}
-	if {{.Name}}, err = {{.Unmarshal "response"}}; err != nil {
-		return
-	}{{end}}
-	// END Unmarshal arguments from response.
-	return
-}
-{{end}}
-{{end}}
-
-{{define "argstruct"}}struct {{"{"}}
-{{range .}}{{.Name}} string
-{{end}}{{"}"}}{{end}}
-`))

tempfork/upnp/cmd/goupnpdcpgen/dcp.go

@@ -1,265 +0,0 @@
-package main
-
-import (
-	"archive/zip"
-	"fmt"
-	"io"
-	"os"
-	"os/exec"
-	"strings"
-
-	"tailscale.com/tempfork/upnp"
-	"tailscale.com/tempfork/upnp/scpd"
-)
-
-// DCP collects together information about a UPnP Device Control Protocol.
-type DCP struct {
-	Metadata     DCPMetadata
-	DeviceTypes  map[string]*URNParts
-	ServiceTypes map[string]*URNParts
-	Services     []SCPDWithURN
-}
-
-func newDCP(metadata DCPMetadata) *DCP {
-	return &DCP{
-		Metadata:     metadata,
-		DeviceTypes:  make(map[string]*URNParts),
-		ServiceTypes: make(map[string]*URNParts),
-	}
-}
-
-func (dcp *DCP) processZipFile(filename string) error {
-	archive, err := zip.OpenReader(filename)
-	if err != nil {
-		return fmt.Errorf("error reading zip file %q: %v", filename, err)
-	}
-	defer archive.Close()
-	for _, deviceFile := range globFiles("*/device/*.xml", archive) {
-		if err := dcp.processDeviceFile(deviceFile); err != nil {
-			return err
-		}
-	}
-	for _, scpdFile := range globFiles("*/service/*.xml", archive) {
-		if err := dcp.processSCPDFile(scpdFile); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (dcp *DCP) processDeviceFile(file *zip.File) error {
-	var device goupnp.Device
-	if err := unmarshalXmlFile(file, &device); err != nil {
-		return fmt.Errorf("error decoding device XML from file %q: %v", file.Name, err)
-	}
-	var mainErr error
-	device.VisitDevices(func(d *goupnp.Device) {
-		t := strings.TrimSpace(d.DeviceType)
-		if t != "" {
-			u, err := extractURNParts(t, deviceURNPrefix)
-			if err != nil {
-				mainErr = err
-			}
-			dcp.DeviceTypes[t] = u
-		}
-	})
-	device.VisitServices(func(s *goupnp.Service) {
-		u, err := extractURNParts(s.ServiceType, serviceURNPrefix)
-		if err != nil {
-			mainErr = err
-		}
-		dcp.ServiceTypes[s.ServiceType] = u
-	})
-	return mainErr
-}
-
-func (dcp *DCP) writeCode(outFile string, useGofmt bool) error {
-	packageFile, err := os.Create(outFile)
-	if err != nil {
-		return err
-	}
-	var output io.WriteCloser = packageFile
-	if useGofmt {
-		if output, err = NewGofmtWriteCloser(output); err != nil {
-			packageFile.Close()
-			return err
-		}
-	}
-	if err = packageTmpl.Execute(output, dcp); err != nil {
-		output.Close()
-		return err
-	}
-	return output.Close()
-}
-
-func (dcp *DCP) processSCPDFile(file *zip.File) error {
-	scpd := new(scpd.SCPD)
-	if err := unmarshalXmlFile(file, scpd); err != nil {
-		return fmt.Errorf("error decoding SCPD XML from file %q: %v", file.Name, err)
-	}
-	scpd.Clean()
-	urnParts, err := urnPartsFromSCPDFilename(file.Name)
-	if err != nil {
-		return fmt.Errorf("could not recognize SCPD filename %q: %v", file.Name, err)
-	}
-	dcp.Services = append(dcp.Services, SCPDWithURN{
-		URNParts: urnParts,
-		SCPD:     scpd,
-	})
-	return nil
-}
-
-type SCPDWithURN struct {
-	*URNParts
-	SCPD *scpd.SCPD
-}
-
-func (s *SCPDWithURN) WrapArguments(args []*scpd.Argument) (argumentWrapperList, error) {
-	wrappedArgs := make(argumentWrapperList, len(args))
-	for i, arg := range args {
-		wa, err := s.wrapArgument(arg)
-		if err != nil {
-			return nil, err
-		}
-		wrappedArgs[i] = wa
-	}
-	return wrappedArgs, nil
-}
-
-func (s *SCPDWithURN) wrapArgument(arg *scpd.Argument) (*argumentWrapper, error) {
-	relVar := s.SCPD.GetStateVariable(arg.RelatedStateVariable)
-	if relVar == nil {
-		return nil, fmt.Errorf("no such state variable: %q, for argument %q", arg.RelatedStateVariable, arg.Name)
-	}
-	cnv, ok := typeConvs[relVar.DataType.Name]
-	if !ok {
-		return nil, fmt.Errorf("unknown data type: %q, for state variable %q, for argument %q", relVar.DataType.Type, arg.RelatedStateVariable, arg.Name)
-	}
-	return &argumentWrapper{
-		Argument: *arg,
-		relVar:   relVar,
-		conv:     cnv,
-	}, nil
-}
-
-type argumentWrapper struct {
-	scpd.Argument
-	relVar *scpd.StateVariable
-	conv   conv
-}
-
-func (arg *argumentWrapper) AsParameter() string {
-	return fmt.Sprintf("%s %s", arg.Name, arg.conv.ExtType)
-}
-
-func (arg *argumentWrapper) HasDoc() bool {
-	rng := arg.relVar.AllowedValueRange
-	return ((rng != nil && (rng.Minimum != "" || rng.Maximum != "" || rng.Step != "")) ||
-		len(arg.relVar.AllowedValues) > 0)
-}
-
-func (arg *argumentWrapper) Document() string {
-	relVar := arg.relVar
-	if rng := relVar.AllowedValueRange; rng != nil {
-		var parts []string
-		if rng.Minimum != "" {
-			parts = append(parts, fmt.Sprintf("minimum=%s", rng.Minimum))
-		}
-		if rng.Maximum != "" {
-			parts = append(parts, fmt.Sprintf("maximum=%s", rng.Maximum))
-		}
-		if rng.Step != "" {
-			parts = append(parts, fmt.Sprintf("step=%s", rng.Step))
-		}
-		return "allowed value range: " + strings.Join(parts, ", ")
-	}
-	if len(relVar.AllowedValues) != 0 {
-		return "allowed values: " + strings.Join(relVar.AllowedValues, ", ")
-	}
-	return ""
-}
-
-func (arg *argumentWrapper) Marshal() string {
-	return fmt.Sprintf("soap.Marshal%s(%s)", arg.conv.FuncSuffix, arg.Name)
-}
-
-func (arg *argumentWrapper) Unmarshal(objVar string) string {
-	return fmt.Sprintf("soap.Unmarshal%s(%s.%s)", arg.conv.FuncSuffix, objVar, arg.Name)
-}
-
-type argumentWrapperList []*argumentWrapper
-
-func (args argumentWrapperList) HasDoc() bool {
-	for _, arg := range args {
-		if arg.HasDoc() {
-			return true
-		}
-	}
-	return false
-}
-
-type URNParts struct {
-	URN     string
-	Name    string
-	Version string
-}
-
-func (u *URNParts) Const() string {
-	return fmt.Sprintf("URN_%s_%s", u.Name, u.Version)
-}
-
-// extractURNParts extracts the name and version from a URN string.
-func extractURNParts(urn, expectedPrefix string) (*URNParts, error) {
-	if !strings.HasPrefix(urn, expectedPrefix) {
-		return nil, fmt.Errorf("%q does not have expected prefix %q", urn, expectedPrefix)
-	}
-	parts := strings.SplitN(strings.TrimPrefix(urn, expectedPrefix), ":", 2)
-	if len(parts) != 2 {
-		return nil, fmt.Errorf("%q does not have a name and version", urn)
-	}
-	name, version := parts[0], parts[1]
-	return &URNParts{urn, name, version}, nil
-}
-
-// Taken from: https://github.com/huin/goutil/blob/master/codegen/gofmt.go
-// License: https://github.com/huin/goutil/blob/master/LICENSE
-// NewGofmtWriteCloser returns an io.WriteCloser that filters what is written
-// to it through gofmt. It must be closed for this process to be completed, an
-// error from Close can be due to syntax errors in the source that has been
-// written.
-type goFmtWriteCloser struct {
-	output io.WriteCloser
-	stdin  io.WriteCloser
-	gofmt  *exec.Cmd
-}
-
-func NewGofmtWriteCloser(output io.WriteCloser) (io.WriteCloser, error) {
-	gofmt := exec.Command("gofmt")
-	gofmt.Stdout = output
-	gofmt.Stderr = os.Stderr
-	stdin, err := gofmt.StdinPipe()
-	if err != nil {
-		return nil, err
-	}
-	if err = gofmt.Start(); err != nil {
-		return nil, err
-	}
-	return &goFmtWriteCloser{
-		output: output,
-		stdin:  stdin,
-		gofmt:  gofmt,
-	}, nil
-}
-
-func (gwc *goFmtWriteCloser) Write(p []byte) (int, error) {
-	return gwc.stdin.Write(p)
-}
-
-func (gwc *goFmtWriteCloser) Close() error {
-	gwc.stdin.Close()
-	if err := gwc.output.Close(); err != nil {
-		gwc.gofmt.Wait()
-		return err
-	}
-	return gwc.gofmt.Wait()
-}

tempfork/upnp/cmd/goupnpdcpgen/fileutil.go

@@ -1,88 +0,0 @@
-package main
-
-import (
-	"archive/zip"
-	"encoding/xml"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"regexp"
-)
-
-func acquireFile(specFilename string, xmlSpecURL string) error {
-	if f, err := os.Open(specFilename); err != nil {
-		if !os.IsNotExist(err) {
-			return err
-		}
-	} else {
-		f.Close()
-		return nil
-	}
-
-	resp, err := http.Get(xmlSpecURL)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("could not download spec %q from %q: %s",
-			specFilename, xmlSpecURL, resp.Status)
-	}
-
-	tmpFilename := specFilename + ".download"
-	w, err := os.Create(tmpFilename)
-	if err != nil {
-		return err
-	}
-	defer w.Close()
-
-	_, err = io.Copy(w, resp.Body)
-	if err != nil {
-		return err
-	}
-
-	return os.Rename(tmpFilename, specFilename)
-}
-
-func globFiles(pattern string, archive *zip.ReadCloser) []*zip.File {
-	var files []*zip.File
-	for _, f := range archive.File {
-		if matched, err := path.Match(pattern, f.Name); err != nil {
-			// This shouldn't happen - all patterns are hard-coded, errors in them
-			// are a programming error.
-			panic(err)
-		} else if matched {
-			files = append(files, f)
-		}
-	}
-	return files
-}
-
-func unmarshalXmlFile(file *zip.File, data interface{}) error {
-	r, err := file.Open()
-	if err != nil {
-		return err
-	}
-	decoder := xml.NewDecoder(r)
-	defer r.Close()
-	return decoder.Decode(data)
-}
-
-var scpdFilenameRe = regexp.MustCompile(
-	`.*/([a-zA-Z0-9]+)([0-9]+)\.xml`)
-
-func urnPartsFromSCPDFilename(filename string) (*URNParts, error) {
-	parts := scpdFilenameRe.FindStringSubmatch(filename)
-	if len(parts) != 3 {
-		return nil, fmt.Errorf("SCPD filename %q does not have expected number of parts", filename)
-	}
-	name, version := parts[1], parts[2]
-	return &URNParts{
-		URN:     serviceURNPrefix + name + ":" + version,
-		Name:    name,
-		Version: version,
-	}, nil
-}

tempfork/upnp/cmd/goupnpdcpgen/goupnpdcpgen.go

@@ -1,64 +0,0 @@
-// Command to generate DCP package source from the XML specification.
-package main
-
-import (
-	"flag"
-	"fmt"
-	"log"
-	"os"
-	"path/filepath"
-)
-
-var (
-	deviceURNPrefix  = "urn:schemas-upnp-org:device:"
-	serviceURNPrefix = "urn:schemas-upnp-org:service:"
-)
-
-func main() {
-	var (
-		dcpName  = flag.String("dcp_name", "", "Name of the DCP to generate.")
-		specsDir = flag.String("specs_dir", ".", "Path to the specification storage directory. "+
-			"This is used to find (and download if not present) the specification ZIP files.")
-		useGofmt = flag.Bool("gofmt", true, "Pass the generated code through gofmt. "+
-			"Disable this if debugging code generation and needing to see the generated code "+
-			"prior to being passed through gofmt.")
-	)
-	flag.Parse()
-
-	if err := run(*dcpName, *specsDir, *useGofmt); err != nil {
-		log.Fatal(err)
-	}
-}
-
-func run(dcpName, specsDir string, useGofmt bool) error {
-	if err := os.MkdirAll(specsDir, os.ModePerm); err != nil {
-		return fmt.Errorf("could not create specs-dir %q: %v", specsDir, err)
-	}
-
-	for _, d := range dcpMetadata {
-		if d.Name != dcpName {
-			continue
-		}
-		specFilename := filepath.Join(specsDir, d.Name+".zip")
-		err := acquireFile(specFilename, d.XMLSpecURL)
-		if err != nil {
-			return fmt.Errorf("could not acquire spec for %s: %v", d.Name, err)
-		}
-		dcp := newDCP(d)
-		if err := dcp.processZipFile(specFilename); err != nil {
-			return fmt.Errorf("error processing spec for %s in file %q: %v", d.Name, specFilename, err)
-		}
-		for i, hack := range d.Hacks {
-			if err := hack(dcp); err != nil {
-				return fmt.Errorf("error with Hack[%d] for %s: %v", i, d.Name, err)
-			}
-		}
-		if err := dcp.writeCode(d.Name+".go", useGofmt); err != nil {
-			return fmt.Errorf("error writing package %q: %v", dcp.Metadata.Name, err)
-		}
-
-		return nil
-	}
-
-	return fmt.Errorf("could not find DCP with name %q", dcpName)
-}

tempfork/upnp/cmd/goupnpdcpgen/metadata.go

@@ -1,83 +0,0 @@
-package main
-
-// DCP contains extra metadata to use when generating DCP source files.
-type DCPMetadata struct {
-	Name         string // What to name the Go DCP package.
-	OfficialName string // Official name for the DCP.
-	DocURL       string // Optional - URL for further documentation about the DCP.
-	XMLSpecURL   string // Where to download the XML spec from.
-	// Any special-case functions to run against the DCP before writing it out.
-	Hacks []DCPHackFn
-}
-
-var dcpMetadata = []DCPMetadata{
-	{
-		Name:         "internetgateway2",
-		OfficialName: "Internet Gateway Device v2",
-		DocURL:       "http://upnp.org/specs/gw/UPnP-gw-InternetGatewayDevice-v2-Device.pdf",
-		XMLSpecURL:   "http://upnp.org/specs/gw/UPnP-gw-IGD-Testfiles-20110224.zip",
-		Hacks: []DCPHackFn{
-			func(dcp *DCP) error {
-				missingURN := "urn:schemas-upnp-org:service:WANIPv6FirewallControl:1"
-				if _, ok := dcp.ServiceTypes[missingURN]; ok {
-					return nil
-				}
-				urnParts, err := extractURNParts(missingURN, serviceURNPrefix)
-				if err != nil {
-					return err
-				}
-				dcp.ServiceTypes[missingURN] = urnParts
-				return nil
-			}, totalBytesHack,
-			func(dcp *DCP) error {
-				// omit certain device types that we do not need
-				var allowedServices = map[string]bool{
-					"urn:schemas-upnp-org:service:WANIPConnection:1":  true,
-					"urn:schemas-upnp-org:service:WANIPConnection:2":  true,
-					"urn:schemas-upnp-org:service:WANPPPConnection:1": true,
-				}
-				var allowedParts = map[string]bool{
-					"WANIPConnection":  true,
-					"WANPPPConnection": true,
-				}
-				for service := range dcp.ServiceTypes {
-					if _, ok := allowedServices[service]; ok {
-						continue
-					}
-					delete(dcp.ServiceTypes, service)
-				}
-				var permitted []SCPDWithURN
-				for _, v := range dcp.Services {
-					if _, ok := allowedParts[v.URNParts.Name]; ok {
-						permitted = append(permitted, v)
-						continue
-					}
-				}
-				dcp.Services = permitted
-				return nil
-			},
-		},
-	},
-}
-
-func totalBytesHack(dcp *DCP) error {
-	for _, service := range dcp.Services {
-		if service.URN == "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1" {
-			variables := service.SCPD.StateVariables
-			for key, variable := range variables {
-				varName := variable.Name
-				if varName == "TotalBytesSent" || varName == "TotalBytesReceived" {
-					// Fix size of total bytes which is by default ui4 or maximum 4 GiB.
-					variable.DataType.Name = "ui8"
-					variables[key] = variable
-				}
-			}
-
-			break
-		}
-	}
-
-	return nil
-}
-
-type DCPHackFn func(*DCP) error

tempfork/upnp/cmd/goupnpdcpgen/typemap.go

@@ -1,35 +0,0 @@
-package main
-
-type conv struct {
-	FuncSuffix string
-	ExtType    string
-}
-
-// typeConvs maps from a SOAP type (e.g "fixed.14.4") to the function name
-// suffix inside the soap module (e.g "Fixed14_4") and the Go type.
-var typeConvs = map[string]conv{
-	"ui1":         {"Ui1", "uint8"},
-	"ui2":         {"Ui2", "uint16"},
-	"ui4":         {"Ui4", "uint32"},
-	"ui8":         {"Ui8", "uint64"},
-	"i1":          {"I1", "int8"},
-	"i2":          {"I2", "int16"},
-	"i4":          {"I4", "int32"},
-	"int":         {"Int", "int64"},
-	"r4":          {"R4", "float32"},
-	"r8":          {"R8", "float64"},
-	"number":      {"R8", "float64"}, // Alias for r8.
-	"fixed.14.4":  {"Fixed14_4", "float64"},
-	"float":       {"R8", "float64"},
-	"char":        {"Char", "rune"},
-	"string":      {"String", "string"},
-	"date":        {"Date", "time.Time"},
-	"dateTime":    {"DateTime", "time.Time"},
-	"dateTime.tz": {"DateTimeTz", "time.Time"},
-	"time":        {"TimeOfDay", "soap.TimeOfDay"},
-	"time.tz":     {"TimeOfDayTz", "soap.TimeOfDay"},
-	"boolean":     {"Boolean", "bool"},
-	"bin.base64":  {"BinBase64", "[]byte"},
-	"bin.hex":     {"BinHex", "[]byte"},
-	"uri":         {"URI", "*url.URL"},
-}

tempfork/upnp/dcps/internetgateway2/.gitignore

@@ -1 +0,0 @@
-*.zip

tempfork/upnp/dcps/internetgateway2/gen.go

@@ -1,2 +0,0 @@
-//go:generate goupnpdcpgen -dcp_name internetgateway2
-package internetgateway2

tempfork/upnp/device.go

@@ -1,190 +0,0 @@
-// This file contains XML structures for communicating with UPnP devices.
-
-package goupnp
-
-import (
-	"encoding/xml"
-	"errors"
-	"fmt"
-	"net/url"
-
-	"tailscale.com/tempfork/upnp/scpd"
-	"tailscale.com/tempfork/upnp/soap"
-)
-
-const (
-	DeviceXMLNamespace = "urn:schemas-upnp-org:device-1-0"
-)
-
-// RootDevice is the device description as described by section 2.3 "Device
-// description" in
-// http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
-type RootDevice struct {
-	XMLName     xml.Name    `xml:"root"`
-	SpecVersion SpecVersion `xml:"specVersion"`
-	URLBase     url.URL     `xml:"-"`
-	URLBaseStr  string      `xml:"URLBase"`
-	Device      Device      `xml:"device"`
-}
-
-// SetURLBase sets the URLBase for the RootDevice and its underlying components.
-func (root *RootDevice) SetURLBase(urlBase *url.URL) {
-	root.URLBase = *urlBase
-	root.URLBaseStr = urlBase.String()
-	root.Device.SetURLBase(urlBase)
-}
-
-// SpecVersion is part of a RootDevice, describes the version of the
-// specification that the data adheres to.
-type SpecVersion struct {
-	Major int32 `xml:"major"`
-	Minor int32 `xml:"minor"`
-}
-
-// Device is a UPnP device. It can have child devices.
-type Device struct {
-	DeviceType       string    `xml:"deviceType"`
-	FriendlyName     string    `xml:"friendlyName"`
-	Manufacturer     string    `xml:"manufacturer"`
-	ManufacturerURL  URLField  `xml:"manufacturerURL"`
-	ModelDescription string    `xml:"modelDescription"`
-	ModelName        string    `xml:"modelName"`
-	ModelNumber      string    `xml:"modelNumber"`
-	ModelURL         URLField  `xml:"modelURL"`
-	SerialNumber     string    `xml:"serialNumber"`
-	UDN              string    `xml:"UDN"`
-	UPC              string    `xml:"UPC,omitempty"`
-	Icons            []Icon    `xml:"iconList>icon,omitempty"`
-	Services         []Service `xml:"serviceList>service,omitempty"`
-	Devices          []Device  `xml:"deviceList>device,omitempty"`
-
-	// Extra observed elements:
-	PresentationURL URLField `xml:"presentationURL"`
-}
-
-// VisitDevices calls visitor for the device, and all its descendent devices.
-func (device *Device) VisitDevices(visitor func(*Device)) {
-	visitor(device)
-	for i := range device.Devices {
-		device.Devices[i].VisitDevices(visitor)
-	}
-}
-
-// VisitServices calls visitor for all Services under the device and all its
-// descendent devices.
-func (device *Device) VisitServices(visitor func(*Service)) {
-	device.VisitDevices(func(d *Device) {
-		for i := range d.Services {
-			visitor(&d.Services[i])
-		}
-	})
-}
-
-// FindService finds all (if any) Services under the device and its descendents
-// that have the given ServiceType.
-func (device *Device) FindService(serviceType string) []*Service {
-	var services []*Service
-	device.VisitServices(func(s *Service) {
-		if s.ServiceType == serviceType {
-			services = append(services, s)
-		}
-	})
-	return services
-}
-
-// SetURLBase sets the URLBase for the Device and its underlying components.
-func (device *Device) SetURLBase(urlBase *url.URL) {
-	device.ManufacturerURL.SetURLBase(urlBase)
-	device.ModelURL.SetURLBase(urlBase)
-	device.PresentationURL.SetURLBase(urlBase)
-	for i := range device.Icons {
-		device.Icons[i].SetURLBase(urlBase)
-	}
-	for i := range device.Services {
-		device.Services[i].SetURLBase(urlBase)
-	}
-	for i := range device.Devices {
-		device.Devices[i].SetURLBase(urlBase)
-	}
-}
-
-func (device *Device) String() string {
-	return fmt.Sprintf("Device ID %s : %s (%s)", device.UDN, device.DeviceType, device.FriendlyName)
-}
-
-// Icon is a representative image that a device might include in its
-// description.
-type Icon struct {
-	Mimetype string   `xml:"mimetype"`
-	Width    int32    `xml:"width"`
-	Height   int32    `xml:"height"`
-	Depth    int32    `xml:"depth"`
-	URL      URLField `xml:"url"`
-}
-
-// SetURLBase sets the URLBase for the Icon.
-func (icon *Icon) SetURLBase(url *url.URL) {
-	icon.URL.SetURLBase(url)
-}
-
-// Service is a service provided by a UPnP Device.
-type Service struct {
-	ServiceType string   `xml:"serviceType"`
-	ServiceId   string   `xml:"serviceId"`
-	SCPDURL     URLField `xml:"SCPDURL"`
-	ControlURL  URLField `xml:"controlURL"`
-	EventSubURL URLField `xml:"eventSubURL"`
-}
-
-// SetURLBase sets the URLBase for the Service.
-func (srv *Service) SetURLBase(urlBase *url.URL) {
-	srv.SCPDURL.SetURLBase(urlBase)
-	srv.ControlURL.SetURLBase(urlBase)
-	srv.EventSubURL.SetURLBase(urlBase)
-}
-
-func (srv *Service) String() string {
-	return fmt.Sprintf("Service ID %s : %s", srv.ServiceId, srv.ServiceType)
-}
-
-// RequestSCPD requests the SCPD (soap actions and state variables description)
-// for the service.
-func (srv *Service) RequestSCPD() (*scpd.SCPD, error) {
-	if !srv.SCPDURL.Ok {
-		return nil, errors.New("bad/missing SCPD URL, or no URLBase has been set")
-	}
-	s := new(scpd.SCPD)
-	if err := requestXml(srv.SCPDURL.URL.String(), scpd.SCPDXMLNamespace, s); err != nil {
-		return nil, err
-	}
-	return s, nil
-}
-
-// RequestSCDP is for compatibility only, prefer RequestSCPD. This was a
-// misspelling of RequestSCDP.
-func (srv *Service) RequestSCDP() (*scpd.SCPD, error) {
-	return srv.RequestSCPD()
-}
-
-func (srv *Service) NewSOAPClient() *soap.SOAPClient {
-	return soap.NewSOAPClient(srv.ControlURL.URL)
-}
-
-// URLField is a URL that is part of a device description.
-type URLField struct {
-	URL url.URL `xml:"-"`
-	Ok  bool    `xml:"-"`
-	Str string  `xml:",chardata"`
-}
-
-func (uf *URLField) SetURLBase(urlBase *url.URL) {
-	refUrl, err := url.Parse(uf.Str)
-	if err != nil {
-		uf.URL = url.URL{}
-		uf.Ok = false
-		return
-	}
-
-	uf.URL = *urlBase.ResolveReference(refUrl)
-	uf.Ok = true
-}

tempfork/upnp/goupnp.go

@@ -1,146 +0,0 @@
-// goupnp is an implementation of a client for various UPnP services.
-//
-// For most uses, it is recommended to use the code-generated packages under
-// github.com/huin/goupnp/dcps. Example use is shown at
-// http://godoc.org/github.com/huin/goupnp/example
-//
-// A commonly used client is internetgateway1.WANPPPConnection1:
-// http://godoc.org/github.com/huin/goupnp/dcps/internetgateway1#WANPPPConnection1
-//
-// Currently only a couple of schemas have code generated for them from the
-// UPnP example XML specifications. Not all methods will work on these clients,
-// because the generated stubs contain the full set of specified methods from
-// the XML specifications, and the discovered services will likely support a
-// subset of those methods.
-package goupnp
-
-import (
-	"encoding/xml"
-	"fmt"
-	"net/http"
-	"net/url"
-	"time"
-
-	"tailscale.com/tempfork/upnp/ssdp"
-)
-
-// ContextError is an error that wraps an error with some context information.
-type ContextError struct {
-	Context string
-	Err     error
-}
-
-func ctxError(err error, msg string) ContextError {
-	return ContextError{
-		Context: msg,
-		Err:     err,
-	}
-}
-
-func ctxErrorf(err error, msg string, args ...interface{}) ContextError {
-	return ContextError{
-		Context: fmt.Sprintf(msg, args...),
-		Err:     err,
-	}
-}
-
-func (err ContextError) Error() string {
-	return fmt.Sprintf("%s: %v", err.Context, err.Err)
-}
-
-// MaybeRootDevice contains either a RootDevice or an error.
-type MaybeRootDevice struct {
-	// Identifier of the device.
-	USN string
-
-	// Set iff Err == nil.
-	Root *RootDevice
-
-	// The location the device was discovered at. This can be used with
-	// DeviceByURL, assuming the device is still present. A location represents
-	// the discovery of a device, regardless of if there was an error probing it.
-	Location *url.URL
-
-	// Any error encountered probing a discovered device.
-	Err error
-}
-
-// DiscoverDevices attempts to find targets of the given type. This is
-// typically the entry-point for this package. searchTarget is typically a URN
-// in the form "urn:schemas-upnp-org:device:..." or
-// "urn:schemas-upnp-org:service:...". A single error is returned for errors
-// while attempting to send the query. An error or RootDevice is returned for
-// each discovered RootDevice.
-func DiscoverDevices(searchTarget string) ([]MaybeRootDevice, error) {
-	hc, hcCleanup, err := httpuClient()
-	if err != nil {
-		return nil, err
-	}
-	defer hcCleanup()
-	responses, err := ssdp.SSDPRawSearch(hc, string(searchTarget), 2, 3)
-	if err != nil {
-		return nil, err
-	}
-
-	results := make([]MaybeRootDevice, len(responses))
-	for i, response := range responses {
-		maybe := &results[i]
-		maybe.USN = response.Header.Get("USN")
-		loc, err := response.Location()
-		if err != nil {
-			maybe.Err = ContextError{"unexpected bad location from search", err}
-			continue
-		}
-		maybe.Location = loc
-		if root, err := DeviceByURL(loc); err != nil {
-			maybe.Err = err
-		} else {
-			maybe.Root = root
-		}
-	}
-
-	return results, nil
-}
-
-func DeviceByURL(loc *url.URL) (*RootDevice, error) {
-	locStr := loc.String()
-	root := new(RootDevice)
-	if err := requestXml(locStr, DeviceXMLNamespace, root); err != nil {
-		return nil, ContextError{fmt.Sprintf("error requesting root device details from %q", locStr), err}
-	}
-	var urlBaseStr string
-	if root.URLBaseStr != "" {
-		urlBaseStr = root.URLBaseStr
-	} else {
-		urlBaseStr = locStr
-	}
-	urlBase, err := url.Parse(urlBaseStr)
-	if err != nil {
-		return nil, ContextError{fmt.Sprintf("error parsing location URL %q", locStr), err}
-	}
-	root.SetURLBase(urlBase)
-	return root, nil
-}
-
-func requestXml(url string, defaultSpace string, doc interface{}) error {
-	timeout := time.Duration(3 * time.Second)
-	client := http.Client{
-		Timeout: timeout,
-	}
-	resp, err := client.Get(url)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != 200 {
-		return fmt.Errorf("goupnp: got response status %s from %q",
-			resp.Status, url)
-	}
-
-	decoder := xml.NewDecoder(resp.Body)
-	decoder.DefaultSpace = defaultSpace
-	//decoder.CharsetReader = charset.NewReaderLabel
-
-	return decoder.Decode(doc)
-}

tempfork/upnp/httpu/httpu.go

@@ -1,151 +0,0 @@
-package httpu
-
-import (
-	"bufio"
-	"bytes"
-	"errors"
-	"fmt"
-	"log"
-	"net"
-	"net/http"
-	"sync"
-	"time"
-)
-
-// ClientInterface is the general interface provided to perform HTTP-over-UDP
-// requests.
-type ClientInterface interface {
-	// Do performs a request. The timeout is how long to wait for before returning
-	// the responses that were received. An error is only returned for failing to
-	// send the request. Failures in receipt simply do not add to the resulting
-	// responses.
-	Do(
-		req *http.Request,
-		timeout time.Duration,
-		numSends int,
-	) ([]*http.Response, error)
-}
-
-// HTTPUClient is a client for dealing with HTTPU (HTTP over UDP). Its typical
-// function is for HTTPMU, and particularly SSDP.
-type HTTPUClient struct {
-	connLock sync.Mutex // Protects use of conn.
-	conn     net.PacketConn
-}
-
-var _ ClientInterface = &HTTPUClient{}
-
-// NewHTTPUClient creates a new HTTPUClient, opening up a new UDP socket for the
-// purpose.
-func NewHTTPUClient() (*HTTPUClient, error) {
-	conn, err := net.ListenPacket("udp", ":0")
-	if err != nil {
-		return nil, err
-	}
-	return &HTTPUClient{conn: conn}, nil
-}
-
-// NewHTTPUClientAddr creates a new HTTPUClient which will broadcast packets
-// from the specified address, opening up a new UDP socket for the purpose
-func NewHTTPUClientAddr(addr string) (*HTTPUClient, error) {
-	ip := net.ParseIP(addr)
-	if ip == nil {
-		return nil, errors.New("invalid listening address")
-	}
-	conn, err := net.ListenPacket("udp", ip.String()+":0")
-	if err != nil {
-		return nil, err
-	}
-	return &HTTPUClient{conn: conn}, nil
-}
-
-// Close shuts down the client. The client will no longer be useful following
-// this.
-func (httpu *HTTPUClient) Close() error {
-	httpu.connLock.Lock()
-	defer httpu.connLock.Unlock()
-	return httpu.conn.Close()
-}
-
-// Do implements ClientInterface.Do.
-//
-// Note that at present only one concurrent connection will happen per
-// HTTPUClient.
-func (httpu *HTTPUClient) Do(
-	req *http.Request,
-	timeout time.Duration,
-	numSends int,
-) ([]*http.Response, error) {
-	httpu.connLock.Lock()
-	defer httpu.connLock.Unlock()
-
-	// Create the request. This is a subset of what http.Request.Write does
-	// deliberately to avoid creating extra fields which may confuse some
-	// devices.
-	var requestBuf bytes.Buffer
-	method := req.Method
-	if method == "" {
-		method = "GET"
-	}
-	if _, err := fmt.Fprintf(&requestBuf, "%s %s HTTP/1.1\r\n", method, req.URL.RequestURI()); err != nil {
-		return nil, err
-	}
-	if err := req.Header.Write(&requestBuf); err != nil {
-		return nil, err
-	}
-	if _, err := requestBuf.Write([]byte{'\r', '\n'}); err != nil {
-		return nil, err
-	}
-
-	destAddr, err := net.ResolveUDPAddr("udp", req.Host)
-	if err != nil {
-		return nil, err
-	}
-	if err = httpu.conn.SetDeadline(time.Now().Add(timeout)); err != nil {
-		return nil, err
-	}
-
-	// Send request.
-	for i := 0; i < numSends; i++ {
-		if n, err := httpu.conn.WriteTo(requestBuf.Bytes(), destAddr); err != nil {
-			return nil, err
-		} else if n < len(requestBuf.Bytes()) {
-			return nil, fmt.Errorf("httpu: wrote %d bytes rather than full %d in request",
-				n, len(requestBuf.Bytes()))
-		}
-		time.Sleep(5 * time.Millisecond)
-	}
-
-	// Await responses until timeout.
-	var responses []*http.Response
-	responseBytes := make([]byte, 2048)
-	for {
-		// 2048 bytes should be sufficient for most networks.
-		n, _, err := httpu.conn.ReadFrom(responseBytes)
-		if err != nil {
-			if err, ok := err.(net.Error); ok {
-				if err.Timeout() {
-					break
-				}
-				if err.Temporary() {
-					// Sleep in case this is a persistent error to avoid pegging CPU until deadline.
-					time.Sleep(10 * time.Millisecond)
-					continue
-				}
-			}
-			return nil, err
-		}
-
-		// Parse response.
-		response, err := http.ReadResponse(bufio.NewReader(bytes.NewBuffer(responseBytes[:n])), req)
-		if err != nil {
-			log.Printf("httpu: error while parsing response: %v", err)
-			continue
-		}
-
-		responses = append(responses, response)
-	}
-
-	// Timeout reached - return discovered responses.
-	return responses, nil
-}