cmd/tailscale/cli: [web] update JS in web.html for Unraid support

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
cmd/tailscale: allow Tailscale to work with Unraid web interface
2023-05-16 20:34:30 -04:00 · 2023-05-06 22:35:02 -04:00
72 changed files with 780 additions and 1494 deletions
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.43.0
+1.41.0
--- a/api.md
+++ b/api.md
@@ -503,8 +503,7 @@ Returns the enabled and advertised subnet routes for a device.
 POST /api/v2/device/{deviceID}/authorized
 ```

-Authorize a device.
-This call marks a device as authorized or revokes its authorization for tailnets where device authorization is required, according to the `authorized` field in the payload.
+Authorize a device. This call marks a device as authorized for tailnets where device authorization is required.

 This returns a successful 2xx response with an empty JSON object in the response body.

@@ -516,7 +515,7 @@ The ID of the device.

 #### `authorized` (required in `POST` body)

-Specify whether the device is authorized.
+Specify whether the device is authorized. Only 'true' is currently supported.

 ``` jsonc
 {
--- a/client/tailscale/keys.go
+++ b/client/tailscale/keys.go
@@ -68,32 +68,12 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 }

 // CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. It returns the secret key itself, which cannot be retrieved again
+// can be created. Returns the key itself, which cannot be retrieved again
 // later, and the key metadata.
-//
-// To create a key with a specific expiry, use CreateKeyWithExpiry.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
-	return c.CreateKeyWithExpiry(ctx, caps, 0)
-}
-
-// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
-//
-// The time is truncated to a whole number of seconds. If zero, that means no expiration.
-func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
-
-	// convert expirySeconds to an int64 (seconds)
-	expirySeconds := int64(expiry.Seconds())
-	if expirySeconds < 0 {
-		return "", nil, fmt.Errorf("expiry must be positive")
-	}
-	if expirySeconds == 0 && expiry != 0 {
-		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
-	}
-
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *Key, error) {
 	keyRequest := struct {
-		Capabilities  KeyCapabilities `json:"capabilities"`
-		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
-	}{caps, int64(expirySeconds)}
+		Capabilities KeyCapabilities `json:"capabilities"`
+	}{caps}
 	bs, err := json.Marshal(keyRequest)
 	if err != nil {
 		return "", nil, err
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -48,7 +48,6 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/version"
 )

 func main() {
@@ -65,7 +64,6 @@ func main() {
 		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
 		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
 		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
-		priorityClassName  = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
 		shouldRunAuthProxy = defaultBool("AUTH_PROXY", false)
 	)
@@ -202,13 +200,12 @@ waitOnline:
 	}

 	sr := &ServiceReconciler{
-		Client:                 mgr.GetClient(),
-		tsClient:               tsClient,
-		defaultTags:            strings.Split(tags, ","),
-		operatorNamespace:      tsNamespace,
-		proxyImage:             image,
-		proxyPriorityClassName: priorityClassName,
-		logger:                 zlog.Named("service-reconciler"),
+		Client:            mgr.GetClient(),
+		tsClient:          tsClient,
+		defaultTags:       strings.Split(tags, ","),
+		operatorNamespace: tsNamespace,
+		proxyImage:        image,
+		logger:            zlog.Named("service-reconciler"),
 	}

 	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
@@ -238,7 +235,7 @@ waitOnline:
 		startlog.Fatalf("could not create controller: %v", err)
 	}

-	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
+	startlog.Infof("Startup complete, operator running")
 	if shouldRunAuthProxy {
 		cfg, err := restConfig.TransportConfig()
 		if err != nil {
@@ -281,12 +278,11 @@ const (
 // ServiceReconciler is a simple ControllerManagedBy example implementation.
 type ServiceReconciler struct {
 	client.Client
-	tsClient               tsClient
-	defaultTags            []string
-	operatorNamespace      string
-	proxyImage             string
-	proxyPriorityClassName string
-	logger                 *zap.SugaredLogger
+	tsClient          tsClient
+	defaultTags       []string
+	operatorNamespace string
+	proxyImage        string
+	logger            *zap.SugaredLogger
 }

 type tsClient interface {
@@ -570,9 +566,6 @@ func (a *ServiceReconciler) getDeviceInfo(ctx context.Context, svc *corev1.Servi
 	if err != nil {
 		return "", "", err
 	}
-	if sec == nil {
-		return "", "", nil
-	}
 	id = string(sec.Data["device_id"])
 	if id == "" {
 		return "", "", nil
@@ -596,7 +589,6 @@ func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (stri
 			},
 		},
 	}
-
 	key, _, err := a.tsClient.CreateKey(ctx, caps)
 	if err != nil {
 		return "", err
@@ -641,7 +633,6 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 	ss.Spec.Template.ObjectMeta.Labels = map[string]string{
 		"app": string(parentSvc.UID),
 	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -64,7 +64,7 @@ func TestLoadBalancerClass(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -185,7 +185,7 @@ func TestAnnotations(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -282,7 +282,7 @@ func TestAnnotationIntoLB(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -326,7 +326,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	// ... but the service should have a LoadBalancer status.

 	want = &corev1.Service{
@@ -398,7 +398,7 @@ func TestLBIntoAnnotation(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -455,7 +455,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -522,7 +522,7 @@ func TestCustomHostname(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla"))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -581,51 +581,6 @@ func TestCustomHostname(t *testing.T) {
 	expectEqual(t, fc, want)
 }

-func TestCustomPriorityClassName(t *testing.T) {
-	fc := fake.NewFakeClient()
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	sr := &ServiceReconciler{
-		Client:                 fc,
-		tsClient:               ft,
-		defaultTags:            []string{"tag:k8s"},
-		operatorNamespace:      "operator-ns",
-		proxyImage:             "tailscale/tailscale",
-		proxyPriorityClassName: "tailscale-critical",
-		logger:                 zl.Sugar(),
-	}
-
-	// Create a service that we should manage, and check that the initial round
-	// of objects looks right.
-	mustCreate(t, fc, &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			// The apiserver is supposed to set the UID, but the fake client
-			// doesn't. So, set it explicitly because other code later depends
-			// on it being set.
-			UID: types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/expose":   "true",
-				"tailscale.com/hostname": "custom-priority-class-name",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "10.20.30.40",
-			Type:      corev1.ServiceTypeClusterIP,
-		},
-	})
-
-	expectReconciled(t, sr, "default", "test")
-
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "custom-priority-class-name", "tailscale-critical"))
-}
-
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -674,7 +629,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 	}
 }

-func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv1.StatefulSet {
+func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
@@ -703,7 +658,6 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",
-					PriorityClassName:  priorityClassName,
 					InitContainers: []corev1.Container{
 						{
 							Name:    "sysctler",
@@ -860,6 +814,7 @@ func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabili
 	k := &tailscale.Key{
 		ID:           "key",
 		Created:      time.Now(),
+		Expires:      time.Now().Add(24 * time.Hour),
 		Capabilities: caps,
 	}
 	return "secret-authkey", k, nil
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@@ -40,7 +40,6 @@ serve https:<port> <mount-point> <source> [off]
  serve tcp:<port> tcp://localhost:<local-port> [off]
  serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
  serve status [--json]
-  serve reset
 `),
 		LongHelp: strings.TrimSpace(`
 *** BETA; all of this is subject to change ***
@@ -88,13 +87,6 @@ EXAMPLES
 				}),
 				UsageFunc: usageFunc,
 			},
-			{
-				Name:      "reset",
-				Exec:      e.runServeReset,
-				ShortHelp: "reset current serve/funnel config",
-				FlagSet:   e.newFlags("serve-reset", nil),
-				UsageFunc: usageFunc,
-			},
 		},
 	}
 }
@@ -713,15 +705,3 @@ func elipticallyTruncate(s string, max int) string {
 	}
 	return s[:max-3] + "..."
 }
-
-// runServeReset clears out the current serve config.
-//
-// Usage:
-//   - tailscale serve reset
-func (e *serveEnv) runServeReset(ctx context.Context, args []string) error {
-	if len(args) != 0 {
-		return flag.ErrHelp
-	}
-	sc := new(ipn.ServeConfig)
-	return e.lc.SetServeConfig(ctx, sc)
-}
--- a/cmd/tailscale/cli/serve_test.go
+++ b/cmd/tailscale/cli/serve_test.go
@@ -224,10 +224,7 @@ func TestServeConfigMutations(t *testing.T) {
 		command: cmd("https:443 bar https://127.0.0.1:8443"),
 		want:    nil, // nothing to save
 	})
-	add(step{ // try resetting using reset command
-		command: cmd("reset"),
-		want:    &ipn.ServeConfig{},
-	})
+	add(step{reset: true})
 	add(step{
 		command: cmd("https:443 / https+insecure://127.0.0.1:3001"),
 		want: &ipn.ServeConfig{
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -442,9 +442,9 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		LicensesURL:  licensesURL(),
 		TUNMode:      st.TUN,
 		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
-		DSMVersion:   distro.DSMVersion(),
 		IsUnraid:     distro.Get() == distro.Unraid,
 		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
+		DSMVersion:   distro.DSMVersion(),
 		IPNVersion:   versionShort,
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -144,14 +144,12 @@ function postData(e) {
 	const nextUrl = new URL(window.location);
 	nextUrl.search = nextParams.toString()

-	let body = JSON.stringify(data);
 	let contentType = "application/json";
-
+	let body = JSON.stringify(data);
 	if (isUnraid) {
 		const params = new URLSearchParams();
 		params.append("csrf_token", unraidCsrfToken);
 		params.append("ts_data", JSON.stringify(data));
-
 		body = params.toString();
 		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
 	}
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -282,8 +282,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
-        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock+
+        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -50,7 +50,6 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/syncs"
-	"tailscale.com/tsd"
 	"tailscale.com/tsweb/varz"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
@@ -331,16 +330,12 @@ var debugMux *http.ServeMux

 func run() error {
 	var logf logger.Logf = log.Printf
-
-	sys := new(tsd.System)
-
 	netMon, err := netmon.New(func(format string, args ...any) {
 		logf(format, args...)
 	})
 	if err != nil {
 		return fmt.Errorf("netmon.New: %w", err)
 	}
-	sys.Set(netMon)

 	pol := logpolicy.New(logtail.CollectionNode, netMon)
 	pol.SetVerbosityLevel(args.verbose)
@@ -391,10 +386,10 @@ func run() error {
 		debugMux = newDebugMux()
 	}

-	return startIPNServer(context.Background(), logf, pol.PublicID, sys)
+	return startIPNServer(context.Background(), logf, pol.PublicID, netMon)
 }

-func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) error {
+func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, netMon *netmon.Monitor) error {
 	ln, err := safesocket.Listen(args.socketpath)
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
@@ -420,7 +415,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 		}
 	}()

-	srv := ipnserver.New(logf, logID, sys.NetMon.Get())
+	srv := ipnserver.New(logf, logID, netMon)
 	if debugMux != nil {
 		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
 	}
@@ -438,7 +433,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 				return
 			}
 		}
-		lb, err := getLocalBackend(ctx, logf, logID, sys)
+		lb, err := getLocalBackend(ctx, logf, logID, netMon)
 		if err == nil {
 			logf("got LocalBackend in %v", time.Since(t0).Round(time.Millisecond))
 			srv.SetLocalBackend(lb)
@@ -462,28 +457,31 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 	return nil
 }

-func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) (_ *ipnlocal.LocalBackend, retErr error) {
+func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID, netMon *netmon.Monitor) (_ *ipnlocal.LocalBackend, retErr error) {
 	if logPol != nil {
-		logPol.Logtail.SetNetMon(sys.NetMon.Get())
+		logPol.Logtail.SetNetMon(netMon)
 	}

 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

 	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
-	sys.Set(dialer)
-
-	onlyNetstack, err := createEngine(logf, sys)
+	e, onlyNetstack, err := createEngine(logf, netMon, dialer)
 	if err != nil {
 		return nil, fmt.Errorf("createEngine: %w", err)
 	}
+	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
+		panic("internal error: exit node resolver not wired up")
+	}
 	if debugMux != nil {
-		if ms, ok := sys.MagicSock.GetOK(); ok {
-			debugMux.HandleFunc("/debug/magicsock", ms.ServeHTTPDebug)
+		if ig, ok := e.(wgengine.InternalsGetter); ok {
+			if _, mc, _, ok := ig.GetInternals(); ok {
+				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
+			}
 		}
 		go runDebugServer(debugMux, args.debug)
 	}

-	ns, err := newNetstack(logf, sys)
+	ns, err := newNetstack(logf, dialer, e)
 	if err != nil {
 		return nil, fmt.Errorf("newNetstack: %w", err)
 	}
@@ -491,7 +489,6 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()

 	if onlyNetstack {
-		e := sys.Engine.Get()
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
@@ -522,15 +519,16 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		tshttpproxy.SetSelfProxy(addrs...)
 	}

+	e = wgengine.NewWatchdog(e)
+
 	opts := ipnServerOpts()

 	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
 		return nil, fmt.Errorf("store.New: %w", err)
 	}
-	sys.Set(store)

-	lb, err := ipnlocal.NewLocalBackend(logf, logID, sys, opts.LoginFlags)
+	lb, err := ipnlocal.NewLocalBackend(logf, logID, store, dialer, e, opts.LoginFlags)
 	if err != nil {
 		return nil, fmt.Errorf("ipnlocal.NewLocalBackend: %w", err)
 	}
@@ -556,21 +554,21 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 //
 // onlyNetstack is true if the user has explicitly requested that we use netstack
 // for all networking.
-func createEngine(logf logger.Logf, sys *tsd.System) (onlyNetstack bool, err error) {
+func createEngine(logf logger.Logf, netMon *netmon.Monitor, dialer *tsdial.Dialer) (e wgengine.Engine, onlyNetstack bool, err error) {
 	if args.tunname == "" {
-		return false, errors.New("no --tun value specified")
+		return nil, false, errors.New("no --tun value specified")
 	}
 	var errs []error
 	for _, name := range strings.Split(args.tunname, ",") {
 		logf("wgengine.NewUserspaceEngine(tun %q) ...", name)
-		onlyNetstack, err = tryEngine(logf, sys, name)
+		e, onlyNetstack, err = tryEngine(logf, netMon, dialer, name)
 		if err == nil {
-			return onlyNetstack, nil
+			return e, onlyNetstack, nil
 		}
 		logf("wgengine.NewUserspaceEngine(tun %q) error: %v", name, err)
 		errs = append(errs, err)
 	}
-	return false, multierr.New(errs...)
+	return nil, false, multierr.New(errs...)
 }

 // handleSubnetsInNetstack reports whether netstack should handle subnet routers
@@ -595,23 +593,21 @@ func handleSubnetsInNetstack() bool {

 var tstunNew = tstun.New

-func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack bool, err error) {
+func tryEngine(logf logger.Logf, netMon *netmon.Monitor, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetstack bool, err error) {
 	conf := wgengine.Config{
-		ListenPort:   args.port,
-		NetMon:       sys.NetMon.Get(),
-		Dialer:       sys.Dialer.Get(),
-		SetSubsystem: sys.Set,
+		ListenPort: args.port,
+		NetMon:     netMon,
+		Dialer:     dialer,
 	}

 	onlyNetstack = name == "userspace-networking"
-	netstackSubnetRouter := onlyNetstack // but mutated later on some platforms
 	netns.SetEnabled(!onlyNetstack)

 	if args.birdSocketPath != "" && createBIRDClient != nil {
 		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
 		conf.BIRDClient, err = createBIRDClient(args.birdSocketPath)
 		if err != nil {
-			return false, fmt.Errorf("createBIRDClient: %w", err)
+			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
 	if onlyNetstack {
@@ -624,55 +620,44 @@ func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack boo
 			// TODO(bradfitz): add a Synology-specific DNS manager.
 			conf.DNS, err = dns.NewOSConfigurator(logf, "") // empty interface name
 			if err != nil {
-				return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+				return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 			}
 		}
 	} else {
 		dev, devName, err := tstunNew(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name, err)
-			return false, fmt.Errorf("tstun.New(%q): %w", name, err)
+			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
 		}
 		conf.Tun = dev
 		if strings.HasPrefix(name, "tap:") {
 			conf.IsTAP = true
 			e, err := wgengine.NewUserspaceEngine(logf, conf)
-			if err != nil {
-				return false, err
-			}
-			sys.Set(e)
-			return false, err
+			return e, false, err
 		}

-		r, err := router.New(logf, dev, sys.NetMon.Get())
+		r, err := router.New(logf, dev, netMon)
 		if err != nil {
 			dev.Close()
-			return false, fmt.Errorf("creating router: %w", err)
+			return nil, false, fmt.Errorf("creating router: %w", err)
 		}
-
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
 			dev.Close()
 			r.Close()
-			return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d
 		conf.Router = r
 		if handleSubnetsInNetstack() {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
-			netstackSubnetRouter = true
 		}
-		sys.Set(conf.Router)
 	}
-	e, err := wgengine.NewUserspaceEngine(logf, conf)
+	e, err = wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return onlyNetstack, err
+		return nil, onlyNetstack, err
 	}
-	e = wgengine.NewWatchdog(e)
-	sys.Set(e)
-	sys.NetstackRouter.Set(netstackSubnetRouter)
-
-	return onlyNetstack, nil
+	return e, onlyNetstack, nil
 }

 func newDebugMux() *http.ServeMux {
@@ -702,8 +687,12 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 	}
 }

-func newNetstack(logf logger.Logf, sys *tsd.System) (*netstack.Impl, error) {
-	return netstack.Create(logf, sys.Tun.Get(), sys.Engine.Get(), sys.MagicSock.Get(), sys.Dialer.Get(), sys.DNSManager.Get())
+func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
+	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
+	if !ok {
+		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
+	}
+	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
 }

 // mustStartProxyListeners creates listeners for local SOCKS and HTTP
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -47,7 +47,6 @@ import (
 	"tailscale.com/net/dns"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/tstun"
-	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/winutil"
@@ -293,15 +292,13 @@ func beWindowsSubprocess() bool {
 		}
 	}()

-	sys := new(tsd.System)
 	netMon, err := netmon.New(log.Printf)
 	if err != nil {
-		log.Fatalf("Could not create netMon: %v", err)
+		log.Printf("Could not create netMon: %v", err)
+		netMon = nil
 	}
-	sys.Set(netMon)
-
 	publicLogID, _ := logid.ParsePublicID(logID)
-	err = startIPNServer(ctx, log.Printf, publicLogID, sys)
+	err = startIPNServer(ctx, log.Printf, publicLogID, netMon)
 	if err != nil {
 		log.Fatalf("ipnserver: %v", err)
 	}
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -37,7 +37,6 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/words"
@@ -97,19 +96,19 @@ func newIPN(jsConfig js.Value) map[string]any {
 	logtail := logtail.NewLogger(c, log.Printf)
 	logf := logtail.Logf

-	sys := new(tsd.System)
-	sys.Set(store)
 	dialer := &tsdial.Dialer{Logf: logf}
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		Dialer:       dialer,
-		SetSubsystem: sys.Set,
+		Dialer: dialer,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
-	sys.Set(eng)

-	ns, err := netstack.Create(logf, sys.Tun.Get(), eng, sys.MagicSock.Get(), dialer, sys.DNSManager.Get())
+	tunDev, magicConn, dnsManager, ok := eng.(wgengine.InternalsGetter).GetInternals()
+	if !ok {
+		log.Fatalf("%T is not a wgengine.InternalsGetter", eng)
+	}
+	ns, err := netstack.Create(logf, tunDev, eng, magicConn, dialer, dnsManager)
 	if err != nil {
 		log.Fatalf("netstack.Create: %v", err)
 	}
@@ -122,11 +121,10 @@ func newIPN(jsConfig js.Value) map[string]any {
 	dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
 		return ns.DialContextTCP(ctx, dst)
 	}
-	sys.NetstackRouter.Set(true)

 	logid := lpc.PublicID
 	srv := ipnserver.New(logf, logid, nil /* no netMon */)
-	lb, err := ipnlocal.NewLocalBackend(logf, logid, sys, controlclient.LoginEphemeral)
+	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, dialer, eng, controlclient.LoginEphemeral)
 	if err != nil {
 		log.Fatalf("ipnlocal.NewLocalBackend: %v", err)
 	}
--- a/cmd/viewer/tests/tests.go
+++ b/cmd/viewer/tests/tests.go
@@ -9,7 +9,7 @@ import (
 	"net/netip"
 )

-//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded --clone-only-type=OnlyGetClone
+//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone --clone-only-type=OnlyGetClone

 type StructWithoutPtrs struct {
 	Int int
@@ -61,8 +61,3 @@ type StructWithSlices struct {
 type OnlyGetClone struct {
 	SinViewerPorFavor bool
 }
-
-type StructWithEmbedded struct {
-	A *StructWithPtrs
-	StructWithSlices
-}
--- a/cmd/viewer/tests/tests_clone.go
+++ b/cmd/viewer/tests/tests_clone.go
@@ -211,22 +211,3 @@ func (src *OnlyGetClone) Clone() *OnlyGetClone {
 var _OnlyGetCloneCloneNeedsRegeneration = OnlyGetClone(struct {
 	SinViewerPorFavor bool
 }{})
-
-// Clone makes a deep copy of StructWithEmbedded.
-// The result aliases no memory with the original.
-func (src *StructWithEmbedded) Clone() *StructWithEmbedded {
-	if src == nil {
-		return nil
-	}
-	dst := new(StructWithEmbedded)
-	*dst = *src
-	dst.A = src.A.Clone()
-	dst.StructWithSlices = *src.StructWithSlices.Clone()
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithEmbeddedCloneNeedsRegeneration = StructWithEmbedded(struct {
-	A *StructWithPtrs
-	StructWithSlices
-}{})
--- a/cmd/viewer/tests/tests_view.go
+++ b/cmd/viewer/tests/tests_view.go
@@ -14,7 +14,7 @@ import (
 	"tailscale.com/types/views"
 )

-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone

 // View returns a readonly view of StructWithPtrs.
 func (p *StructWithPtrs) View() StructWithPtrsView {
@@ -325,59 +325,3 @@ var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
 	Prefixes       []netip.Prefix
 	Data           []byte
 }{})
-
-// View returns a readonly view of StructWithEmbedded.
-func (p *StructWithEmbedded) View() StructWithEmbeddedView {
-	return StructWithEmbeddedView{ж: p}
-}
-
-// StructWithEmbeddedView provides a read-only view over StructWithEmbedded.
-//
-// Its methods should only be called if `Valid()` returns true.
-type StructWithEmbeddedView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *StructWithEmbedded
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v StructWithEmbeddedView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v StructWithEmbeddedView) AsStruct() *StructWithEmbedded {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v StructWithEmbeddedView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *StructWithEmbeddedView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x StructWithEmbedded
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-func (v StructWithEmbeddedView) A() StructWithPtrsView { return v.ж.A.View() }
-func (v StructWithEmbeddedView) StructWithSlices() StructWithSlicesView {
-	return v.ж.StructWithSlices.View()
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithEmbeddedViewNeedsRegeneration = StructWithEmbedded(struct {
-	A *StructWithPtrs
-	StructWithSlices
-}{})
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -498,7 +498,7 @@ func (s *Server) registerClient(c *sclient) {
 	switch set := set.(type) {
 	case nil:
 		s.clients[c.key] = singleClient{c}
-		c.debugLogf("register single client")
+		c.debug("register single client")
 	case singleClient:
 		s.dupClientKeys.Add(1)
 		s.dupClientConns.Add(2) // both old and new count
@@ -514,7 +514,7 @@ func (s *Server) registerClient(c *sclient) {
 			},
 			sendHistory: []*sclient{old},
 		}
-		c.debugLogf("register duplicate client")
+		c.debug("register duplicate client")
 	case *dupClientSet:
 		s.dupClientConns.Add(1)     // the gauge
 		s.dupClientConnTotal.Add(1) // the counter
@@ -522,7 +522,7 @@ func (s *Server) registerClient(c *sclient) {
 		set.set[c] = true
 		set.last = c
 		set.sendHistory = append(set.sendHistory, c)
-		c.debugLogf("register another duplicate client")
+		c.debug("register another duplicate client")
 	}

 	if _, ok := s.clientsMesh[c.key]; !ok {
@@ -555,7 +555,7 @@ func (s *Server) unregisterClient(c *sclient) {
 	case nil:
 		c.logf("[unexpected]; clients map is empty")
 	case singleClient:
-		c.debugLogf("removed connection")
+		c.logf("removed connection")
 		delete(s.clients, c.key)
 		if v, ok := s.clientsMesh[c.key]; ok && v == nil {
 			delete(s.clientsMesh, c.key)
@@ -563,7 +563,7 @@ func (s *Server) unregisterClient(c *sclient) {
 		}
 		s.broadcastPeerStateChangeLocked(c.key, false)
 	case *dupClientSet:
-		c.debugLogf("removed duplicate client")
+		c.debug("removed duplicate client")
 		if set.removeClient(c) {
 			s.dupClientConns.Add(-1)
 		} else {
@@ -712,12 +712,9 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 	if clientInfo != nil {
 		c.info = *clientInfo
 		if envknob.Bool("DERP_PROBER_DEBUG_LOGS") && clientInfo.IsProber {
-			c.debug = true
+			c.debugLogging = true
 		}
 	}
-	if s.debug {
-		c.debug = true
-	}

 	s.registerClient(c)
 	defer s.unregisterClient(c)
@@ -730,12 +727,6 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 	return c.run(ctx)
 }

-func (s *Server) debugLogf(format string, v ...any) {
-	if s.debug {
-		s.logf(format, v...)
-	}
-}
-
 // for testing
 var (
 	timeSleep = time.Sleep
@@ -753,20 +744,16 @@ func (c *sclient) run(ctx context.Context) error {
 	defer func() {
 		cancelSender()
 		if err := grp.Wait(); err != nil && !c.s.isClosed() {
-			if errors.Is(err, context.Canceled) {
-				c.debugLogf("sender canceled by reader exiting")
-			} else {
-				c.logf("sender failed: %v", err)
-			}
+			c.logf("sender failed: %v", err)
 		}
 	}()

 	for {
 		ft, fl, err := readFrameHeader(c.br)
-		c.debugLogf("read frame type %d len %d err %v", ft, fl, err)
+		c.debug("read frame type %d len %d err %v", ft, fl, err)
 		if err != nil {
 			if errors.Is(err, io.EOF) {
-				c.debugLogf("read EOF")
+				c.logf("read EOF")
 				return nil
 			}
 			if c.s.isClosed() {
@@ -923,7 +910,7 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 		return nil
 	}

-	dst.debugLogf("received forwarded packet from %s via %s", srcKey.ShortString(), c.key.ShortString())
+	dst.debug("received forwarded packet from %s via %s", srcKey.ShortString(), c.key.ShortString())

 	return c.sendPkt(dst, pkt{
 		bs:         contents,
@@ -973,7 +960,7 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 		if fwd != nil {
 			s.packetsForwardedOut.Add(1)
 			err := fwd.ForwardPacket(c.key, dstKey, contents)
-			c.debugLogf("SendPacket for %s, forwarding via %s: %v", dstKey.ShortString(), fwd, err)
+			c.debug("SendPacket for %s, forwarding via %s: %v", dstKey.ShortString(), fwd, err)
 			if err != nil {
 				// TODO:
 				return nil
@@ -987,10 +974,10 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 			c.requestPeerGoneWriteLimited(dstKey, contents, PeerGoneReasonNotHere)
 		}
 		s.recordDrop(contents, c.key, dstKey, reason)
-		c.debugLogf("SendPacket for %s, dropping with reason=%s", dstKey.ShortString(), reason)
+		c.debug("SendPacket for %s, dropping with reason=%s", dstKey.ShortString(), reason)
 		return nil
 	}
-	c.debugLogf("SendPacket for %s, sending directly", dstKey.ShortString())
+	c.debug("SendPacket for %s, sending directly", dstKey.ShortString())

 	p := pkt{
 		bs:         contents,
@@ -1000,8 +987,8 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	return c.sendPkt(dst, p)
 }

-func (c *sclient) debugLogf(format string, v ...any) {
-	if c.debug {
+func (c *sclient) debug(format string, v ...any) {
+	if c.debugLogging {
 		c.logf(format, v...)
 	}
 }
@@ -1024,8 +1011,7 @@ const (
 func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, reason dropReason) {
 	s.packetsDropped.Add(1)
 	s.packetsDroppedReasonCounters[reason].Add(1)
-	looksDisco := disco.LooksLikeDiscoWrapper(packetBytes)
-	if looksDisco {
+	if disco.LooksLikeDiscoWrapper(packetBytes) {
 		s.packetsDroppedTypeDisco.Add(1)
 	} else {
 		s.packetsDroppedTypeOther.Add(1)
@@ -1038,7 +1024,9 @@ func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, r
 		msg := fmt.Sprintf("drop (%s) %s -> %s", srcKey.ShortString(), reason, dstKey.ShortString())
 		s.limitedLogf(msg)
 	}
-	s.debugLogf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, looksDisco)
+	if s.debug {
+		s.logf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, disco.LooksLikeDiscoWrapper(packetBytes))
+	}
 }

 func (c *sclient) sendPkt(dst *sclient, p pkt) error {
@@ -1056,13 +1044,13 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		select {
 		case <-dst.done:
 			s.recordDrop(p.bs, c.key, dstKey, dropReasonGoneDisconnected)
-			dst.debugLogf("sendPkt attempt %d dropped, dst gone", attempt)
+			dst.debug("sendPkt attempt %d dropped, dst gone", attempt)
 			return nil
 		default:
 		}
 		select {
 		case sendQueue <- p:
-			dst.debugLogf("sendPkt attempt %d enqueued", attempt)
+			dst.debug("sendPkt attempt %d enqueued", attempt)
 			return nil
 		default:
 		}
@@ -1078,7 +1066,7 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 	// contended queue with racing writers. Give up and tail-drop in
 	// this case to keep reader unblocked.
 	s.recordDrop(p.bs, c.key, dstKey, dropReasonQueueTail)
-	dst.debugLogf("sendPkt attempt %d dropped, queue full")
+	dst.debug("sendPkt attempt %d dropped, queue full")

 	return nil
 }
@@ -1316,7 +1304,8 @@ type sclient struct {
 	canMesh        bool             // clientInfo had correct mesh token for inter-region routing
 	isDup          atomic.Bool      // whether more than 1 sclient for key is connected
 	isDisabled     atomic.Bool      // whether sends to this peer are disabled due to active/active dups
-	debug          bool             // turn on for verbose logging
+
+	debugLogging bool

 	// Owned by run, not thread-safe.
 	br          *bufio.Reader
@@ -1604,7 +1593,7 @@ func (c *sclient) sendPacket(srcKey key.NodePublic, contents []byte) (err error)
 			c.s.packetsSent.Add(1)
 			c.s.bytesSent.Add(int64(len(contents)))
 		}
-		c.debugLogf("sendPacket from %s: %v", srcKey.ShortString(), err)
+		c.debug("sendPacket from %s: %v", srcKey.ShortString(), err)
 	}()

 	c.setWriteDeadline()
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -31,7 +31,6 @@ import (
 	"time"

 	"golang.org/x/crypto/acme"
-	"golang.org/x/exp/slices"
 	"tailscale.com/atomicfile"
 	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
@@ -362,16 +361,17 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger
 				}
 				key := "_acme-challenge." + domain

-				// Do a best-effort lookup to see if we've already created this DNS name
-				// in a previous attempt. Don't burn too much time on it, though. Worst
-				// case we ask the server to create something that already exists.
 				var resolver net.Resolver
-				lookupCtx, lookupCancel := context.WithTimeout(ctx, 500*time.Millisecond)
-				txts, _ := resolver.LookupTXT(lookupCtx, key)
-				lookupCancel()
-				if slices.Contains(txts, rec) {
-					logf("TXT record already existed")
-				} else {
+				var ok bool
+				txts, _ := resolver.LookupTXT(ctx, key)
+				for _, txt := range txts {
+					if txt == rec {
+						ok = true
+						logf("TXT record already existed")
+						break
+					}
+				}
+				if !ok {
 					logf("starting SetDNS call...")
 					err = b.SetDNS(ctx, key, rec)
 					if err != nil {
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -60,7 +60,6 @@ import (
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
-	"tailscale.com/tsd"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
@@ -138,17 +137,16 @@ type LocalBackend struct {
 	logf                  logger.Logf        // general logging
 	keyLogf               logger.Logf        // for printing list of peers on change
 	statsLogf             logger.Logf        // for printing peers stats on change
-	sys                   *tsd.System
-	e                     wgengine.Engine // non-nil; TODO(bradfitz): remove; use sys
+	e                     wgengine.Engine
 	pm                    *profileManager
-	store                 ipn.StateStore // non-nil; TODO(bradfitz): remove; use sys
-	dialer                *tsdial.Dialer // non-nil; TODO(bradfitz): remove; use sys
+	store                 ipn.StateStore
+	dialer                *tsdial.Dialer // non-nil
 	backendLogID          logid.PublicID
 	unregisterNetMon      func()
 	unregisterHealthWatch func()
-	portpoll              chan portlist.Update // may be nil
-	portpollOnce          sync.Once            // guards starting readPoller
-	gotPortPollRes        chan struct{}        // closed upon first readPoller result
+	portpoll              *portlist.Poller // may be nil
+	portpollOnce          sync.Once        // guards starting readPoller
+	gotPortPollRes        chan struct{}    // closed upon first readPoller result
 	newDecompressor       func() (controlclient.Decompressor, error)
 	varRoot               string         // or empty if SetVarRoot never called
 	logFlushFunc          func()         // or nil if SetLogFlusher wasn't called
@@ -269,10 +267,10 @@ type clientGen func(controlclient.Options) (controlclient.Client, error)
 // but is not actually running.
 //
 // If dialer is nil, a new one is made.
-func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, loginFlags controlclient.LoginFlags) (*LocalBackend, error) {
-	e := sys.Engine.Get()
-	store := sys.StateStore.Get()
-	dialer := sys.Dialer.Get()
+func NewLocalBackend(logf logger.Logf, logID logid.PublicID, store ipn.StateStore, dialer *tsdial.Dialer, e wgengine.Engine, loginFlags controlclient.LoginFlags) (*LocalBackend, error) {
+	if e == nil {
+		panic("ipn.NewLocalBackend: engine must not be nil")
+	}

 	pm, err := newProfileManager(store, logf)
 	if err != nil {
@@ -292,8 +290,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 	osshare.SetFileSharingEnabled(false, logf)

 	ctx, cancel := context.WithCancel(context.Background())
-	var p portlist.Poller
-	portUpdates, err := p.Run(ctx)
+	portpoll, err := portlist.NewPoller()
 	if err != nil {
 		logf("skipping portlist: %s", err)
 	}
@@ -304,21 +301,19 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		logf:           logf,
 		keyLogf:        logger.LogOnChange(logf, 5*time.Minute, time.Now),
 		statsLogf:      logger.LogOnChange(logf, 5*time.Minute, time.Now),
-		sys:            sys,
 		e:              e,
-		dialer:         dialer,
-		store:          store,
 		pm:             pm,
+		store:          store,
+		dialer:         dialer,
 		backendLogID:   logID,
 		state:          ipn.NoState,
-		portpoll:       portUpdates,
+		portpoll:       portpoll,
 		em:             newExpiryManager(logf),
 		gotPortPollRes: make(chan struct{}),
 		loginFlags:     loginFlags,
 	}

-	netMon := sys.NetMon.Get()
-	b.sockstatLogger, err = sockstatlog.NewLogger(logpolicy.LogsDir(logf), logf, logID, netMon)
+	b.sockstatLogger, err = sockstatlog.NewLogger(logpolicy.LogsDir(logf), logf, logID, e.GetNetMon())
 	if err != nil {
 		log.Printf("error setting up sockstat logger: %v", err)
 	}
@@ -335,6 +330,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 	b.statusChanged = sync.NewCond(&b.statusLock)
 	b.e.SetStatusCallback(b.setWgengineStatus)

+	netMon := e.GetNetMon()
 	b.prevIfState = netMon.InterfaceState()
 	// Call our linkChange code once with the current state, and
 	// then also whenever it changes:
@@ -343,9 +339,14 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo

 	b.unregisterHealthWatch = health.RegisterWatcher(b.onHealthChange)

-	if tunWrap, ok := b.sys.Tun.GetOK(); ok {
-		tunWrap.PeerAPIPort = b.GetPeerAPIPort
-	} else {
+	wiredPeerAPIPort := false
+	if ig, ok := e.(wgengine.InternalsGetter); ok {
+		if tunWrap, _, _, ok := ig.GetInternals(); ok {
+			tunWrap.PeerAPIPort = b.GetPeerAPIPort
+			wiredPeerAPIPort = true
+		}
+	}
+	if !wiredPeerAPIPort {
 		b.logf("[unexpected] failed to wire up PeerAPI port for engine %T", e)
 	}

@@ -463,7 +464,6 @@ func (b *LocalBackend) GetComponentDebugLogging(component string) time.Time {
 }

 // Dialer returns the backend's dialer.
-// It is always non-nil.
 func (b *LocalBackend) Dialer() *tsdial.Dialer {
 	return b.dialer
 }
@@ -644,7 +644,7 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 	defer b.mu.Unlock()
 	sb.MutateStatus(func(s *ipnstate.Status) {
 		s.Version = version.Long()
-		s.TUN = !b.sys.IsNetstack()
+		s.TUN = !wgengine.IsNetstack(b.e)
 		s.BackendState = b.state.String()
 		s.AuthURL = b.authURLSticky
 		if err := health.OverallError(); err != nil {
@@ -1315,8 +1315,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	hostinfo := hostinfo.New()
 	hostinfo.BackendLogID = b.backendLogID.String()
 	hostinfo.FrontendLogID = opts.FrontendLogID
-	hostinfo.Userspace.Set(b.sys.IsNetstack())
-	hostinfo.UserspaceRouter.Set(b.sys.IsNetstackRouter())
+	hostinfo.Userspace.Set(wgengine.IsNetstack(b.e))
+	hostinfo.UserspaceRouter.Set(wgengine.IsNetstackRouter(b.e))

 	if b.cc != nil {
 		// TODO(apenwarr): avoid the need to reinit controlclient.
@@ -1378,6 +1378,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {

 	if b.portpoll != nil {
 		b.portpollOnce.Do(func() {
+			go b.portpoll.Run(b.ctx)
 			go b.readPoller()

 			// Give the poller a second to get results to
@@ -1400,7 +1401,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {

 	var err error

-	isNetstack := b.sys.IsNetstackRouter()
+	isNetstack := wgengine.IsNetstackRouter(b.e)
 	debugFlags := controlDebugFlags
 	if isNetstack {
 		debugFlags = append([]string{"netstack"}, debugFlags...)
@@ -1422,7 +1423,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		HTTPTestClient:       httpTestClient,
 		DiscoPublicKey:       discoPublic,
 		DebugFlags:           debugFlags,
-		NetMon:               b.sys.NetMon.Get(),
+		NetMon:               b.e.GetNetMon(),
 		Pinger:               b,
 		PopBrowserURL:        b.tellClientToBrowseToURL,
 		OnClientVersion:      b.onClientVersion,
@@ -1814,17 +1815,12 @@ func dnsMapsEqual(new, old *netmap.NetworkMap) bool {
 func (b *LocalBackend) readPoller() {
 	n := 0
 	for {
-		update, ok := <-b.portpoll
+		ports, ok := <-b.portpoll.Updates()
 		if !ok {
 			return
 		}
-		if update.Err() != nil {
-			// TODO(marwan-at-work): do we need to log this?
-			// TODO(marwan-at-work): should we return or keep trying?
-			return
-		}
 		sl := []tailcfg.Service{}
-		for _, p := range update.List() {
+		for _, p := range ports {
 			s := tailcfg.Service{
 				Proto:       tailcfg.ServiceProto(p.Proto),
 				Port:        p.Port,
@@ -3321,12 +3317,14 @@ func (b *LocalBackend) initPeerAPIListener() {
 		directFileMode:          b.directFileRoot != "",
 		directFileDoFinalRename: b.directFileDoFinalRename,
 	}
-	if dm, ok := b.sys.DNSManager.GetOK(); ok {
-		ps.resolver = dm.Resolver()
+	if re, ok := b.e.(wgengine.ResolvingEngine); ok {
+		if r, ok := re.GetResolver(); ok {
+			ps.resolver = r
+		}
 	}
 	b.peerAPIServer = ps

-	isNetstack := b.sys.IsNetstack()
+	isNetstack := wgengine.IsNetstack(b.e)
 	for i, a := range b.netMap.Addresses {
 		var ln net.Listener
 		var err error
@@ -3632,19 +3630,6 @@ func (b *LocalBackend) hasNodeKey() bool {
 	return p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero()
 }

-// NodeKey returns the public node key.
-func (b *LocalBackend) NodeKey() key.NodePublic {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	p := b.pm.CurrentPrefs()
-	if !p.Valid() || !p.Persist().Valid() || p.Persist().PrivateNodeKey().IsZero() {
-		return key.NodePublic{}
-	}
-
-	return p.Persist().PublicNodeKey()
-}
-
 // nextState returns the state the backend seems to be in, based on
 // its internal state.
 func (b *LocalBackend) nextState() ipn.State {
@@ -4055,7 +4040,7 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn.
 		b.setServeProxyHandlersLocked()

 		// don't listen on netmap addresses if we're in userspace mode
-		if !b.sys.IsNetstack() {
+		if !wgengine.IsNetstack(b.e) {
 			b.updateServeTCPPortNetMapAddrListenersLocked(servePorts)
 		}
 	}
@@ -4406,7 +4391,7 @@ func nodeIP(n *tailcfg.Node, pred func(netip.Addr) bool) netip.Addr {
 }

 func (b *LocalBackend) CheckIPForwarding() error {
-	if b.sys.IsNetstackRouter() {
+	if wgengine.IsNetstackRouter(b.e) {
 		return nil
 	}

@@ -4552,9 +4537,13 @@ func (b *LocalBackend) DebugReSTUN() error {
 }

 func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
-	mc, ok := b.sys.MagicSock.GetOK()
+	ig, ok := b.e.(wgengine.InternalsGetter)
 	if !ok {
-		return nil, errors.New("failed to get magicsock from sys")
+		return nil, errors.New("engine isn't InternalsGetter")
+	}
+	_, mc, _, ok := ig.GetInternals()
+	if !ok {
+		return nil, errors.New("failed to get internals")
 	}
 	return mc, nil
 }
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -20,7 +20,6 @@ import (
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -502,16 +501,13 @@ func TestLazyMachineKeyGeneration(t *testing.T) {
 	tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })

 	var logf logger.Logf = logger.Discard
-	sys := new(tsd.System)
 	store := new(mem.Store)
-	sys.Set(store)
-	eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(eng.Close)
-	sys.Set(eng)
-	lb, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	lb, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, eng, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
@@ -769,16 +765,13 @@ func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {
 func TestStatusWithoutPeers(t *testing.T) {
 	logf := tstest.WhileTestRunningLogger(t)
 	store := new(testStateStorage)
-	sys := new(tsd.System)
-	sys.Set(store)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
-	sys.Set(e)
 	t.Cleanup(e.Close)

-	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, e, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
--- a/ipn/ipnlocal/loglines_test.go
+++ b/ipn/ipnlocal/loglines_test.go
@@ -12,7 +12,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -48,17 +47,14 @@ func TestLocalLogLines(t *testing.T) {
 	idA := logid(0xaa)

 	// set up a LocalBackend, super bare bones. No functional data.
-	sys := new(tsd.System)
 	store := new(mem.Store)
-	sys.Set(store)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(e.Close)
-	sys.Set(e)

-	lb, err := NewLocalBackend(logf, idA, sys, 0)
+	lb, err := NewLocalBackend(logf, idA, store, nil, e, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -50,6 +50,7 @@ import (
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
 	"tailscale.com/version/distro"
+	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 )

@@ -468,7 +469,7 @@ func (s *peerAPIServer) listen(ip netip.Addr, ifState *interfaces.State) (ln net
 		}
 	}

-	if s.b.sys.IsNetstack() {
+	if wgengine.IsNetstack(s.b.e) {
 		ipStr = ""
 	}

@@ -1238,9 +1239,12 @@ func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Req
 		http.Error(w, "denied; no debug access", http.StatusForbidden)
 		return
 	}
-	if mc, ok := h.ps.b.sys.MagicSock.GetOK(); ok {
-		mc.ServeHTTPDebug(w, r)
-		return
+	eng := h.ps.b.e
+	if ig, ok := eng.(wgengine.InternalsGetter); ok {
+		if _, mc, _, ok := ig.GetInternals(); ok {
+			mc.ServeHTTPDebug(w, r)
+			return
+		}
 	}
 	http.Error(w, "miswired", 500)
 }
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -143,7 +143,7 @@ func (s *serveListener) Run() {
 }

 func (s *serveListener) shouldWarnAboutListenError(err error) bool {
-	if !s.b.sys.NetMon.Get().InterfaceState().HasIP(s.ap.Addr()) {
+	if !s.b.e.GetNetMon().InterfaceState().HasIP(s.ap.Addr()) {
 		// Machine likely doesn't have IPv6 enabled (or the IP is still being
 		// assigned). No need to warn. Notably, WSL2 (Issue 6303).
 		return false
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -17,7 +17,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
@@ -298,17 +297,14 @@ func TestStateMachine(t *testing.T) {
 	c := qt.New(t)

 	logf := tstest.WhileTestRunningLogger(t)
-	sys := new(tsd.System)
 	store := new(testStateStorage)
-	sys.Set(store)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(e.Close)
-	sys.Set(e)

-	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, e, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
@@ -945,16 +941,13 @@ func TestStateMachine(t *testing.T) {

 func TestEditPrefsHasNoKeys(t *testing.T) {
 	logf := tstest.WhileTestRunningLogger(t)
-	sys := new(tsd.System)
-	sys.Set(new(mem.Store))
-	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(e.Close)
-	sys.Set(e)

-	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, new(mem.Store), nil, e, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
@@ -1030,14 +1023,10 @@ func TestWGEngineStatusRace(t *testing.T) {
 	t.Skip("test fails")
 	c := qt.New(t)
 	logf := tstest.WhileTestRunningLogger(t)
-	sys := new(tsd.System)
-	sys.Set(new(mem.Store))
-
-	eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	c.Assert(err, qt.IsNil)
 	t.Cleanup(eng.Close)
-	sys.Set(eng)
-	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, new(mem.Store), nil, eng, 0)
 	c.Assert(err, qt.IsNil)

 	var cc *mockControl
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -37,7 +37,7 @@ import (
 type Server struct {
 	lb           atomic.Pointer[ipnlocal.LocalBackend]
 	logf         logger.Logf
-	netMon       *netmon.Monitor // must be non-nil
+	netMon       *netmon.Monitor // optional; nil means interfaces will be looked up on-demand
 	backendLogID logid.PublicID
 	// resetOnZero is whether to call bs.Reset on transition from
 	// 1->0 active HTTP requests. That is, this is whether the backend is
@@ -410,15 +410,14 @@ func (s *Server) addActiveHTTPRequest(req *http.Request, ci *ipnauth.ConnIdentit
 }

 // New returns a new Server.
+// The netMon parameter is optional; if non-nil it's used to do faster interface
+// lookups.
 //
 // To start it, use the Server.Run method.
 //
 // At some point, either before or after Run, the Server's SetLocalBackend
 // method must also be called before Server can do anything useful.
 func New(logf logger.Logf, logID logid.PublicID, netMon *netmon.Monitor) *Server {
-	if netMon == nil {
-		panic("nil netMon")
-	}
 	return &Server{
 		backendLogID: logID,
 		logf:         logf,
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -9,23 +9,22 @@ Client][].  See also the dependencies in the [Tailscale CLI][].


 - [eliasnaur.com/font/roboto](https://pkg.go.dev/eliasnaur.com/font/roboto) ([BSD-3-Clause](https://git.sr.ht/~eliasnaur/font/tree/832bb8fc08c3/LICENSE))
- - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0/LICENSE))
+ - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0-rc.1/LICENSE))
 - [gioui.org](https://pkg.go.dev/gioui.org) ([MIT](https://git.sr.ht/~eliasnaur/gio/tree/32c6a9b10d0b/LICENSE))
 - [gioui.org/cpu](https://pkg.go.dev/gioui.org/cpu) ([MIT](https://git.sr.ht/~eliasnaur/gio-cpu/tree/8d6a761490d2/LICENSE))
 - [gioui.org/shader](https://pkg.go.dev/gioui.org/shader) ([MIT](https://git.sr.ht/~eliasnaur/gio-shader/tree/v1.0.6/LICENSE))
- - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.22/config/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.21/credentials/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.3/feature/ec2/imds/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.33/internal/configsources/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.27/internal/endpoints/v2/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.34/internal/ini/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/internal/sync/singleflight/LICENSE))
- - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.27/service/internal/presigned-url/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.36.3/service/ssm/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.12.9/service/sso/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.14.9/service/ssooidc/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.18.10/service/sts/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.17.3/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.11.0/config/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.6.4/credentials/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.8.2/feature/ec2/imds/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.27/internal/configsources/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.21/internal/endpoints/v2/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.2/internal/ini/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.17.3/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.5.2/service/internal/presigned-url/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.35.0/service/ssm/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.6.2/service/sso/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.11.1/service/sts/LICENSE.txt))
 - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.13.5/LICENSE))
 - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.13.5/internal/sync/singleflight/LICENSE))
 - [github.com/benoitkugler/textlayout](https://pkg.go.dev/github.com/benoitkugler/textlayout) ([MIT](https://github.com/benoitkugler/textlayout/blob/v0.3.0/LICENSE))
@@ -35,51 +34,50 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.6.0/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
 - [github.com/go-text/typesetting](https://pkg.go.dev/github.com/go-text/typesetting) ([BSD-3-Clause](https://github.com/go-text/typesetting/blob/0399769901d5/LICENSE))
- - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/v5.1.0/LICENSE))
+ - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/v5.0.6/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
- - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
- - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
+ - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.0.1/LICENSE))
+ - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
 - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/974c6f05fe16/LICENSE))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/de60144f33f8/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
- - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.2/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.16.5/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.16.5/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.16.5/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.15.4/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
- - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
- - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
+ - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.2.0/LICENSE.md))
+ - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.1/LICENSE.md))
 - [github.com/mdlayher/sdnotify](https://pkg.go.dev/github.com/mdlayher/sdnotify) ([MIT](https://github.com/mdlayher/sdnotify/blob/v1.0.0/LICENSE.md))
- - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.1/LICENSE.md))
+ - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.0/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.17/LICENSE))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/17a3db2c30d2/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/bc99ab8c2d17/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tailscale/tailscale-android](https://pkg.go.dev/github.com/tailscale/tailscale-android) ([BSD-3-Clause](https://github.com/tailscale/tailscale-android/blob/HEAD/LICENSE))
 - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/af172621b4dd/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
- - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/3e8cd9d6bf63/LICENSE))
- - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
- - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))
+ - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/c3537552635f/LICENSE))
+ - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/650dca95af54/LICENSE))
+ - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/50045581ed74/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/intern](https://pkg.go.dev/go4.org/intern) ([BSD-3-Clause](https://github.com/go4org/intern/blob/ae77deb06f29/LICENSE))
- - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
- - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/f1b76eb4bb35/LICENSE))
+ - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/927187094b94/LICENSE))
+ - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [go4.org/unsafe/assume-no-moving-gc](https://pkg.go.dev/go4.org/unsafe/assume-no-moving-gc) ([BSD-3-Clause](https://github.com/go4org/unsafe-assume-no-moving-gc/blob/ee73d164e760/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.8.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.6.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47842c84:LICENSE))
 - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/334a2380:shiny/LICENSE))
- - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.7.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
+ - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.5.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.8.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.6.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.6.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.8.0:LICENSE))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/162ed5ef888d/LICENSE))
 - [inet.af/netaddr](https://pkg.go.dev/inet.af/netaddr) ([BSD-3-Clause](https://github.com/inetaf/netaddr/blob/097006376321/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -10,63 +10,62 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 ## Go Packages


- - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0/LICENSE))
- - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.22/config/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.21/credentials/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.3/feature/ec2/imds/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.33/internal/configsources/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.27/internal/endpoints/v2/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.34/internal/ini/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.18.0/internal/sync/singleflight/LICENSE))
- - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.27/service/internal/presigned-url/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.36.3/service/ssm/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.12.9/service/sso/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.14.9/service/ssooidc/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.18.10/service/sts/LICENSE.txt))
+ - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0-rc.1/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.17.3/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.17.7/config/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.12.20/credentials/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.12.17/feature/ec2/imds/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.27/internal/configsources/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.21/internal/endpoints/v2/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.24/internal/ini/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.17.3/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.17/service/internal/presigned-url/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.35.0/service/ssm/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.11.23/service/sso/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.13.5/service/ssooidc/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.16.19/service/sts/LICENSE.txt))
 - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.13.5/LICENSE))
 - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.13.5/internal/sync/singleflight/LICENSE))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.6.0/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
- - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/v5.1.0/LICENSE))
+ - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/v5.0.6/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
- - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
+ - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
 - [github.com/illarion/gonotify](https://pkg.go.dev/github.com/illarion/gonotify) ([MIT](https://github.com/illarion/gonotify/blob/v1.0.1/LICENSE))
- - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/974c6f05fe16/LICENSE))
+ - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/de60144f33f8/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
- - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.2/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.16.5/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.16.5/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.16.5/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.11/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.11/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.15.11/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
- - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
- - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
+ - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.2.0/LICENSE.md))
+ - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.1/LICENSE.md))
 - [github.com/mdlayher/sdnotify](https://pkg.go.dev/github.com/mdlayher/sdnotify) ([MIT](https://github.com/mdlayher/sdnotify/blob/v1.0.0/LICENSE.md))
- - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.1/LICENSE.md))
+ - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.0/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.17/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/17a3db2c30d2/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/bc99ab8c2d17/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/af172621b4dd/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
- - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/3e8cd9d6bf63/LICENSE))
- - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
- - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))
+ - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/c3537552635f/LICENSE))
+ - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/650dca95af54/LICENSE))
+ - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/50045581ed74/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
- - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/f1b76eb4bb35/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.8.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
+ - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.6.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/cafedaf6:LICENSE))
 - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.7.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/579cf78f:LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/162ed5ef888d/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -83,18 +83,18 @@ Some packages may only be included on certain architectures or operating systems
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
 - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
 - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.7.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.7.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
 - [gopkg.in/yaml.v2](https://pkg.go.dev/gopkg.in/yaml.v2) ([Apache-2.0](https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/162ed5ef888d/LICENSE))
 - [inet.af/peercred](https://pkg.go.dev/inet.af/peercred) ([BSD-3-Clause](https://github.com/inetaf/peercred/blob/0893ea02156a/LICENSE))
 - [inet.af/wf](https://pkg.go.dev/inet.af/wf) ([BSD-3-Clause](https://github.com/inetaf/wf/blob/36129f591884/LICENSE))
- - [k8s.io/client-go/util/homedir](https://pkg.go.dev/k8s.io/client-go/util/homedir) ([Apache-2.0](https://github.com/kubernetes/client-go/blob/v0.26.1/LICENSE))
+ - [k8s.io/client-go/util/homedir](https://pkg.go.dev/k8s.io/client-go/util/homedir) ([Apache-2.0](https://github.com/kubernetes/client-go/blob/v0.25.0/LICENSE))
 - [nhooyr.io/websocket](https://pkg.go.dev/nhooyr.io/websocket) ([MIT](https://github.com/nhooyr/websocket/blob/v1.8.7/LICENSE.txt))
 - [sigs.k8s.io/yaml](https://pkg.go.dev/sigs.k8s.io/yaml) ([MIT](https://github.com/kubernetes-sigs/yaml/blob/v1.3.0/LICENSE))
 - [software.sslmate.com/src/go-pkcs12](https://pkg.go.dev/software.sslmate.com/src/go-pkcs12) ([BSD-3-Clause](https://github.com/SSLMate/go-pkcs12/blob/v0.2.0/LICENSE))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -9,42 +9,42 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 ## Go Packages


- - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0/LICENSE))
- - [github.com/Microsoft/go-winio](https://pkg.go.dev/github.com/Microsoft/go-winio) ([MIT](https://github.com/Microsoft/go-winio/blob/v0.6.1/LICENSE))
+ - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0-rc.1/LICENSE))
+ - [github.com/Microsoft/go-winio](https://pkg.go.dev/github.com/Microsoft/go-winio) ([MIT](https://github.com/Microsoft/go-winio/blob/v0.6.0/LICENSE))
 - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/909beea2cc74/LICENSE))
 - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
 - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
- - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/111c8c3b57c8/LICENSE))
+ - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/2b26ab7fb5f9/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
 - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.0/LICENSE))
 - [github.com/gregjones/httpcache](https://pkg.go.dev/github.com/gregjones/httpcache) ([MIT](https://github.com/gregjones/httpcache/blob/901d90724c79/LICENSE.txt))
- - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
+ - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
- - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.2/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.16.5/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.16.5/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.16.5/zstd/internal/xxhash/LICENSE.txt))
- - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
- - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.1/LICENSE.md))
+ - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.11/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.11/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.15.11/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.1/LICENSE.md))
+ - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.4.0/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
 - [github.com/nfnt/resize](https://pkg.go.dev/github.com/nfnt/resize) ([ISC](https://github.com/nfnt/resize/blob/83c6a9932646/LICENSE))
 - [github.com/peterbourgon/diskv](https://pkg.go.dev/github.com/peterbourgon/diskv) ([MIT](https://github.com/peterbourgon/diskv/blob/v2.0.1/LICENSE))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/f63dace725d8/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/f374e3278cd0/LICENSE))
 - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/59dfb47dfef1/LICENSE))
- - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.0/LICENSE))
+ - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.1.6/LICENSE))
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
- - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/f1b76eb4bb35/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.8.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
- - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.7.0:LICENSE))
+ - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.6.0:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/cafedaf6:LICENSE))
+ - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.5.0:LICENSE))
 - [golang.org/x/mod](https://pkg.go.dev/golang.org/x/mod) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.10.0:LICENSE))
 - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.1.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.7.0:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -13,19 +13,19 @@ import (
 	"fmt"
 	"io"
 	"log"
-	mrand "math/rand"
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"

 	"tailscale.com/envknob"
+	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/sockstats"
-	"tailscale.com/tstime"
 	tslogger "tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/set"
@@ -128,6 +128,9 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 		cfg.FlushDelayFn = func() time.Duration { return 0 }
 	}

+	stdLogf := func(f string, a ...any) {
+		fmt.Fprintf(cfg.Stderr, strings.TrimSuffix(f, "\n")+"\n", a...)
+	}
 	var urlSuffix string
 	if !cfg.CopyPrivateID.IsZero() {
 		urlSuffix = "?copyId=" + cfg.CopyPrivateID.String()
@@ -145,6 +148,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 		sentinel:       make(chan int32, 16),
 		flushDelayFn:   cfg.FlushDelayFn,
 		timeNow:        cfg.TimeNow,
+		bo:             backoff.NewBackoff("logtail", stdLogf, 30*time.Second),
 		metricsDelta:   cfg.MetricsDelta,
 		sockstatsLabel: sockstats.LabelLogtailLogger,

@@ -182,6 +186,7 @@ type Logger struct {
 	flushPending   atomic.Bool
 	sentinel       chan int32
 	timeNow        func() time.Time
+	bo             *backoff.Backoff
 	zstdEncoder    Encoder
 	uploadCancel   func()
 	explainedRaw   bool
@@ -368,38 +373,23 @@ func (l *Logger) uploading(ctx context.Context) {
 			}
 		}

-		var lastError string
-		var numFailures int
-		var firstFailure time.Time
-		for len(body) > 0 && ctx.Err() == nil {
-			retryAfter, err := l.upload(ctx, body, origlen)
+		for len(body) > 0 {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+			}
+			uploaded, err := l.upload(ctx, body, origlen)
 			if err != nil {
-				numFailures++
-				firstFailure = time.Now()
-
 				if !l.internetUp() {
 					fmt.Fprintf(l.stderr, "logtail: internet down; waiting\n")
 					l.awaitInternetUp(ctx)
 					continue
 				}
-
-				// Only print the same message once.
-				if currError := err.Error(); lastError != currError {
-					fmt.Fprintf(l.stderr, "logtail: upload: %v\n", err)
-					lastError = currError
-				}
-
-				// Sleep for the specified retryAfter period,
-				// otherwise default to some random value.
-				if retryAfter <= 0 {
-					retryAfter = time.Duration(30+mrand.Intn(30)) * time.Second
-				}
-				tstime.Sleep(ctx, retryAfter)
-			} else {
-				// Only print a success message after recovery.
-				if numFailures > 0 {
-					fmt.Fprintf(l.stderr, "logtail: upload succeeded after %d failures and %s\n", numFailures, time.Since(firstFailure).Round(time.Second))
-				}
+				fmt.Fprintf(l.stderr, "logtail: upload: %v\n", err)
+			}
+			l.bo.BackOff(ctx, err)
+			if uploaded {
 				break
 			}
 		}
@@ -443,7 +433,7 @@ func (l *Logger) awaitInternetUp(ctx context.Context) {
 // upload uploads body to the log server.
 // origlen indicates the pre-compression body length.
 // origlen of -1 indicates that the body is not compressed.
-func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (retryAfter time.Duration, err error) {
+func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (uploaded bool, err error) {
 	const maxUploadTime = 45 * time.Second
 	ctx = sockstats.WithSockStats(ctx, l.sockstatsLabel, l.Logf)
 	ctx, cancel := context.WithTimeout(ctx, maxUploadTime)
@@ -470,16 +460,17 @@ func (l *Logger) upload(ctx context.Context, body []byte, origlen int) (retryAft
 	l.httpDoCalls.Add(1)
 	resp, err := l.httpc.Do(req)
 	if err != nil {
-		return 0, fmt.Errorf("log upload of %d bytes %s failed: %v", len(body), compressedNote, err)
+		return false, fmt.Errorf("log upload of %d bytes %s failed: %v", len(body), compressedNote, err)
 	}
 	defer resp.Body.Close()

-	if resp.StatusCode != http.StatusOK {
-		n, _ := strconv.Atoi(resp.Header.Get("Retry-After"))
-		b, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<10))
-		return time.Duration(n) * time.Second, fmt.Errorf("log upload of %d bytes %s failed %d: %s", len(body), compressedNote, resp.StatusCode, bytes.TrimSpace(b))
+	if resp.StatusCode != 200 {
+		uploaded = resp.StatusCode == 400 // the server saved the logs anyway
+		b, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+		return uploaded, fmt.Errorf("log upload of %d bytes %s failed %d: %q", len(body), compressedNote, resp.StatusCode, b)
 	}
-	return 0, nil
+
+	return true, nil
 }

 // Flush uploads all logs to the server. It blocks until complete or there is an
--- a/net/netcheck/netcheck_test.go
+++ b/net/netcheck/netcheck_test.go
@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"net/netip"
 	"reflect"
+	"runtime"
 	"sort"
 	"strconv"
 	"strings"
@@ -155,6 +156,9 @@ func TestHairpinWait(t *testing.T) {
 }

 func TestBasic(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("TODO(#7876): test regressed on windows while CI was broken")
+	}
 	stunAddr, cleanup := stuntest.Serve(t)
 	defer cleanup()

--- a/net/netns/netns_darwin.go
+++ b/net/netns/netns_darwin.go
@@ -111,7 +111,7 @@ func getInterfaceIndex(logf logger.Logf, netMon *netmon.Monitor, address string)
 	// Verify that we didn't just choose the Tailscale interface;
 	// if so, we fall back to binding from the default.
 	_, tsif, err2 := interfaces.Tailscale()
-	if err2 == nil && tsif != nil && tsif.Index == idx {
+	if err2 == nil && tsif.Index == idx {
 		logf("[unexpected] netns: interfaceIndexFor returned Tailscale interface")
 		return defaultIdx()
 	}
--- a/net/sockstats/sockstats_tsgo.go
+++ b/net/sockstats/sockstats_tsgo.go
@@ -325,10 +325,6 @@ type radioMonitor struct {
 // Usage is measured once per second, so this is the number of seconds of history to track.
 const radioSampleSize = 3600 // 1 hour

-// initStallPeriod is the minimum amount of time in seconds to collect data before reporting.
-// Otherwise, all clients will report 100% radio usage on startup.
-var initStallPeriod int64 = 120 // 2 minutes
-
 var radio = &radioMonitor{
 	now:       time.Now,
 	startTime: time.Now().Unix(),
@@ -379,7 +375,7 @@ func (rm *radioMonitor) radioHighPercent() int64 {
 		}
 	})

-	if periodLength < initStallPeriod {
+	if periodLength == 0 {
 		return 0
 	}

@@ -390,7 +386,7 @@ func (rm *radioMonitor) radioHighPercent() int64 {
 }

 // forEachSample calls f for each sample in the past hour (or less if less time
-// has passed -- the evaluated period is returned, measured in seconds)
+// has passed -- the evaluated period is returned)
 func (rm *radioMonitor) forEachSample(f func(c int, isActive bool)) (periodLength int64) {
 	now := rm.now().Unix()
 	periodLength = radioSampleSize
--- a/net/sockstats/sockstats_tsgo_test.go
+++ b/net/sockstats/sockstats_tsgo_test.go
@@ -33,14 +33,6 @@ func TestRadioMonitor(t *testing.T) {
 			func(_ *testTime, _ *radioMonitor) {},
 			0,
 		},
-		{
-			"active less than init stall period",
-			func(tt *testTime, rm *radioMonitor) {
-				rm.active()
-				tt.Add(1 * time.Second)
-			},
-			0, // radio on, but not long enough to report data
-		},
 		{
 			"active, 10 sec idle",
 			func(tt *testTime, rm *radioMonitor) {
@@ -50,13 +42,13 @@ func TestRadioMonitor(t *testing.T) {
 			50, // radio on 5 seconds of 10 seconds
 		},
 		{
-			"active, spanning three seconds",
+			"active, spanning two seconds",
 			func(tt *testTime, rm *radioMonitor) {
 				rm.active()
-				tt.Add(2100 * time.Millisecond)
+				tt.Add(1100 * time.Millisecond)
 				rm.active()
 			},
-			100, // radio on for 3 seconds
+			100, // radio on for 2 seconds
 		},
 		{
 			"400 iterations: 2 sec active, 1 min idle",
@@ -74,17 +66,13 @@ func TestRadioMonitor(t *testing.T) {
 		{
 			"activity at end of time window",
 			func(tt *testTime, rm *radioMonitor) {
-				tt.Add(3 * time.Second)
+				tt.Add(1 * time.Second)
 				rm.active()
 			},
-			25,
+			50,
 		},
 	}

-	oldStallPeriod := initStallPeriod
-	initStallPeriod = 3
-	t.Cleanup(func() { initStallPeriod = oldStallPeriod })
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			tm := &testTime{time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)}
--- a/net/tstun/fake.go
+++ b/net/tstun/fake.go
@@ -47,11 +47,8 @@ func (t *fakeTUN) Write(b [][]byte, n int) (int, error) {
 	return 1, nil
 }

-// FakeTUNName is the name of the fake TUN device.
-const FakeTUNName = "FakeTUN"
-
 func (t *fakeTUN) Flush() error             { return nil }
 func (t *fakeTUN) MTU() (int, error)        { return 1500, nil }
-func (t *fakeTUN) Name() (string, error)    { return FakeTUNName, nil }
+func (t *fakeTUN) Name() (string, error)    { return "FakeTUN", nil }
 func (t *fakeTUN) Events() <-chan tun.Event { return t.evchan }
 func (t *fakeTUN) BatchSize() int           { return 1 }
--- a/portlist/netstat.go
+++ b/portlist/netstat.go
@@ -67,7 +67,7 @@ type nothing struct{}
 // Unfortunately, options to filter by proto or state are non-portable,
 // so we'll filter for ourselves.
 // Nowadays, though, we only use it for macOS as of 2022-11-04.
-func appendParsePortsNetstat(base []Port, br *bufio.Reader, includeLocalhost bool) ([]Port, error) {
+func appendParsePortsNetstat(base []Port, br *bufio.Reader) ([]Port, error) {
 	ret := base
 	var fieldBuf [10]mem.RO
 	for {
@@ -99,7 +99,7 @@ func appendParsePortsNetstat(base []Port, br *bufio.Reader, includeLocalhost boo
 				// not interested in non-listener sockets
 				continue
 			}
-			if !includeLocalhost && isLoopbackAddr(laddr) {
+			if isLoopbackAddr(laddr) {
 				// not interested in loopback-bound listeners
 				continue
 			}
@@ -110,7 +110,7 @@ func appendParsePortsNetstat(base []Port, br *bufio.Reader, includeLocalhost boo
 			proto = "udp"
 			laddr = cols[len(cols)-2]
 			raddr = cols[len(cols)-1]
-			if !includeLocalhost && isLoopbackAddr(laddr) {
+			if isLoopbackAddr(laddr) {
 				// not interested in loopback-bound listeners
 				continue
 			}
--- a/portlist/netstat_test.go
+++ b/portlist/netstat_test.go
@@ -8,7 +8,6 @@ package portlist
 import (
 	"bufio"
 	"encoding/json"
-	"fmt"
 	"strings"
 	"testing"

@@ -53,40 +52,30 @@ udp46      0      0  *.146                 *.*
 `

 func TestParsePortsNetstat(t *testing.T) {
-	for _, loopBack := range [...]bool{false, true} {
-		t.Run(fmt.Sprintf("loopback_%v", loopBack), func(t *testing.T) {
-			want := List{
-				{"tcp", 23, "", 0},
-				{"tcp", 24, "", 0},
-				{"udp", 104, "", 0},
-				{"udp", 106, "", 0},
-				{"udp", 146, "", 0},
-				{"tcp", 8185, "", 0}, // but not 8186, 8187, 8188 on localhost, when loopback is false
-			}
-			if loopBack {
-				want = append(want,
-					Port{"tcp", 8186, "", 0},
-					Port{"tcp", 8187, "", 0},
-					Port{"tcp", 8188, "", 0},
-				)
-			}
-			pl, err := appendParsePortsNetstat(nil, bufio.NewReader(strings.NewReader(netstatOutput)), loopBack)
-			if err != nil {
-				t.Fatal(err)
-			}
-			pl = sortAndDedup(pl)
-			jgot, _ := json.MarshalIndent(pl, "", "\t")
-			jwant, _ := json.MarshalIndent(want, "", "\t")
-			if len(pl) != len(want) {
-				t.Fatalf("Got:\n%s\n\nWant:\n%s\n", jgot, jwant)
-			}
-			for i := range pl {
-				if pl[i] != want[i] {
-					t.Errorf("row#%d\n got: %+v\n\nwant: %+v\n",
-						i, pl[i], want[i])
-					t.Fatalf("Got:\n%s\n\nWant:\n%s\n", jgot, jwant)
-				}
-			}
-		})
+	want := List{
+		Port{"tcp", 23, ""},
+		Port{"tcp", 24, ""},
+		Port{"udp", 104, ""},
+		Port{"udp", 106, ""},
+		Port{"udp", 146, ""},
+		Port{"tcp", 8185, ""}, // but not 8186, 8187, 8188 on localhost
+	}
+
+	pl, err := appendParsePortsNetstat(nil, bufio.NewReader(strings.NewReader(netstatOutput)))
+	if err != nil {
+		t.Fatal(err)
+	}
+	pl = sortAndDedup(pl)
+	jgot, _ := json.MarshalIndent(pl, "", "\t")
+	jwant, _ := json.MarshalIndent(want, "", "\t")
+	if len(pl) != len(want) {
+		t.Fatalf("Got:\n%s\n\nWant:\n%s\n", jgot, jwant)
+	}
+	for i := range pl {
+		if pl[i] != want[i] {
+			t.Errorf("row#%d\n got: %+v\n\nwant: %+v\n",
+				i, pl[i], want[i])
+			t.Fatalf("Got:\n%s\n\nWant:\n%s\n", jgot, jwant)
+		}
 	}
 }
--- a/portlist/poller.go
+++ b/portlist/poller.go
@@ -24,12 +24,7 @@ var debugDisablePortlist = envknob.RegisterBool("TS_DEBUG_DISABLE_PORTLIST")
 // Poller scans the systems for listening ports periodically and sends
 // the results to C.
 type Poller struct {
-	// IncludeLocalhost controls whether services bound to localhost are included.
-	//
-	// This field should only be changed before calling Run.
-	IncludeLocalhost bool
-
-	c chan Update // unbuffered
+	c chan List // unbuffered

 	// os, if non-nil, is an OS-specific implementation of the portlist getting
 	// code. When non-nil, it's responsible for getting the complete list of
@@ -52,23 +47,6 @@ type Poller struct {
 	prev List // most recent data, not aliasing scratch
 }

-// Update is sent by Poller to indicate
-// an update has been made to the machine's
-// open ports. Receiver of this struct must
-// check the Err() method before calling List().
-type Update struct {
-	list List
-	err  error
-}
-
-func (u *Update) Err() error {
-	return u.err
-}
-
-func (u *Update) List() List {
-	return u.list
-}
-
 // osImpl is the OS-specific implementation of getting the open listening ports.
 type osImpl interface {
 	Close() error
@@ -84,10 +62,36 @@ type osImpl interface {
 }

 // newOSImpl, if non-nil, constructs a new osImpl.
-var newOSImpl func(includeLocalhost bool) osImpl
+var newOSImpl func() osImpl

 var errUnimplemented = errors.New("portlist poller not implemented on " + runtime.GOOS)

+// NewPoller returns a new portlist Poller. It returns an error
+// if the portlist couldn't be obtained.
+func NewPoller() (*Poller, error) {
+	if debugDisablePortlist() {
+		return nil, errors.New("portlist disabled by envknob")
+	}
+	p := &Poller{
+		c:       make(chan List),
+		runDone: make(chan struct{}),
+	}
+	p.closeCtx, p.closeCtxCancel = context.WithCancel(context.Background())
+	p.osOnce.Do(p.initOSField)
+	if p.os == nil {
+		return nil, errUnimplemented
+	}
+
+	// Do one initial poll synchronously so we can return an error
+	// early.
+	if pl, err := p.getList(); err != nil {
+		return nil, err
+	} else {
+		p.setPrev(pl)
+	}
+	return p, nil
+}
+
 func (p *Poller) setPrev(pl List) {
 	// Make a copy, as the pass in pl slice aliases pl.scratch and we don't want
 	// that to except to the caller.
@@ -96,22 +100,18 @@ func (p *Poller) setPrev(pl List) {

 func (p *Poller) initOSField() {
 	if newOSImpl != nil {
-		p.os = newOSImpl(p.IncludeLocalhost)
+		p.os = newOSImpl()
 	}
 }

 // Updates return the channel that receives port list updates.
 //
 // The channel is closed when the Poller is closed.
-func (p *Poller) Updates() <-chan Update { return p.c }
+func (p *Poller) Updates() <-chan List { return p.c }

 // Close closes the Poller.
 // Run will return with a nil error.
 func (p *Poller) Close() error {
-	// Skip if uninitialized.
-	if p.os == nil {
-		return nil
-	}
 	p.closeCtxCancel()
 	<-p.runDone
 	if p.os != nil {
@@ -121,14 +121,14 @@ func (p *Poller) Close() error {
 }

 // send sends pl to p.c and returns whether it was successfully sent.
-func (p *Poller) send(ctx context.Context, pl List, listErr error) (sent bool) {
+func (p *Poller) send(ctx context.Context, pl List) (sent bool, err error) {
 	select {
-	case p.c <- Update{list: pl, err: listErr}:
-		return true
+	case p.c <- pl:
+		return true, nil
 	case <-ctx.Done():
-		return false
+		return false, ctx.Err()
 	case <-p.closeCtx.Done():
-		return false
+		return false, nil
 	}
 }

@@ -136,82 +136,48 @@ func (p *Poller) send(ctx context.Context, pl List, listErr error) (sent bool) {
 // is done, or the Close is called.
 //
 // Run may only be called once.
-func (p *Poller) Run(ctx context.Context) (chan Update, error) {
-	if debugDisablePortlist() {
-		return nil, errors.New("portlist disabled by envknob")
-	}
-	if p.os != nil {
-		return nil, errors.New("method called more than once")
-	}
-	p.initOSField()
-	if p.os == nil {
-		return nil, errUnimplemented
-	}
-
-	p.c = make(chan Update)
-	p.runDone = make(chan struct{})
-	p.closeCtx, p.closeCtxCancel = context.WithCancel(context.Background())
-
-	// Do one initial poll synchronously so we can return an error
-	// early.
-	if pl, err := p.getList(); err != nil {
-		return nil, err
-	} else {
-		p.setPrev(pl)
-	}
-
+func (p *Poller) Run(ctx context.Context) error {
 	tick := time.NewTicker(pollInterval)
 	defer tick.Stop()
-	go p.runWithTickChan(ctx, tick.C)
-	return p.c, nil
+	return p.runWithTickChan(ctx, tick.C)
 }

-func (p *Poller) runWithTickChan(ctx context.Context, tickChan <-chan time.Time) {
+func (p *Poller) runWithTickChan(ctx context.Context, tickChan <-chan time.Time) error {
 	defer close(p.runDone)
 	defer close(p.c)

 	// Send out the pre-generated initial value.
-	if sent := p.send(ctx, p.prev, nil); !sent {
-		return
+	if sent, err := p.send(ctx, p.prev); !sent {
+		return err
 	}

-	// Order of events:
-	// 1. If the context is done, exit
-	// 2. If the user called p.Close(), exit.
-	// 3. If we received a tick, then get the list
-	// 3B. If that error'd, send an error to the user.
-	// 3C. If the context or p.Close where called in the meantime, exit.
-	// 3D. If getList succeeded, skip if there are no updates.
-	// 3E. If there are indeed updates, send them, or exit if 1/2 are true.
-	// We check 1 & 2 in 3 places: top of the for-loop,
-	// whenever we send (which is two places: sending an error, or sending a list).
 	for {
 		select {
-		case <-ctx.Done():
-			return
-		case <-p.closeCtx.Done():
-			return
 		case <-tickChan:
 			pl, err := p.getList()
 			if err != nil {
-				sent := p.send(ctx, nil, err)
-				if !sent {
-					return
-				}
-				continue
+				return err
 			}
 			if pl.equal(p.prev) {
 				continue
 			}
 			p.setPrev(pl)
-			if sent := p.send(ctx, p.prev, nil); !sent {
-				return
+			if sent, err := p.send(ctx, p.prev); !sent {
+				return err
 			}
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-p.closeCtx.Done():
+			return nil
 		}
 	}
 }

 func (p *Poller) getList() (List, error) {
+	if debugDisablePortlist() {
+		return nil, nil
+	}
+	p.osOnce.Do(p.initOSField)
 	var err error
 	p.scratch, err = p.os.AppendListeningPorts(p.scratch[:0])
 	return p.scratch, err
--- a/portlist/portlist.go
+++ b/portlist/portlist.go
@@ -18,7 +18,6 @@ type Port struct {
 	Proto   string // "tcp" or "udp"
 	Port    uint16 // port number
 	Process string // optional process name, if found
-	Pid     int    // process id, if known
 }

 // List is a list of Ports.
@@ -70,11 +69,12 @@ func sortAndDedup(ps List) List {
 	out := ps[:0]
 	var last Port
 	for _, p := range ps {
-		if last.Proto == p.Proto && last.Port == p.Port {
+		protoPort := Port{Proto: p.Proto, Port: p.Port}
+		if last == protoPort {
 			continue
 		}
 		out = append(out, p)
-		last = p
+		last = protoPort
 	}
 	return out
 }
--- a/portlist/portlist_linux.go
+++ b/portlist/portlist_linux.go
@@ -35,28 +35,25 @@ type linuxImpl struct {
 	procNetFiles    []*os.File // seeked to start & reused between calls
 	readlinkPathBuf []byte

-	known            map[string]*portMeta // inode string => metadata
-	br               *bufio.Reader
-	includeLocalhost bool
+	known map[string]*portMeta // inode string => metadata
+	br    *bufio.Reader
 }

 type portMeta struct {
 	port          Port
-	pid           int
 	keep          bool
 	needsProcName bool
 }

-func newLinuxImplBase(includeLocalhost bool) *linuxImpl {
+func newLinuxImplBase() *linuxImpl {
 	return &linuxImpl{
-		br:               bufio.NewReader(eofReader),
-		known:            map[string]*portMeta{},
-		includeLocalhost: includeLocalhost,
+		br:    bufio.NewReader(eofReader),
+		known: map[string]*portMeta{},
 	}
 }

-func newLinuxImpl(includeLocalhost bool) osImpl {
-	li := newLinuxImplBase(includeLocalhost)
+func newLinuxImpl() osImpl {
+	li := newLinuxImplBase()
 	for _, name := range []string{
 		"/proc/net/tcp",
 		"/proc/net/tcp6",
@@ -223,7 +220,7 @@ func (li *linuxImpl) parseProcNetFile(r *bufio.Reader, fileBase string) error {
 		// If a port is bound to localhost, ignore it.
 		// TODO: localhost is bigger than 1 IP, we need to ignore
 		// more things.
-		if !li.includeLocalhost && (mem.HasPrefix(local, mem.S(v4Localhost)) || mem.HasPrefix(local, mem.S(v6Localhost))) {
+		if mem.HasPrefix(local, mem.S(v4Localhost)) || mem.HasPrefix(local, mem.S(v6Localhost)) {
 			continue
 		}

@@ -318,9 +315,6 @@ func (li *linuxImpl) findProcessNames(need map[string]*portMeta) error {
 			}

 			argv := strings.Split(strings.TrimSuffix(string(bs), "\x00"), "\x00")
-			if p, err := mem.ParseInt(pid, 10, 0); err == nil {
-				pe.pid = int(p)
-			}
 			pe.port.Process = argvSubject(argv...)
 			pe.needsProcName = false
 			delete(need, string(targetBuf[:n]))
--- a/portlist/portlist_linux_test.go
+++ b/portlist/portlist_linux_test.go
@@ -89,7 +89,7 @@ func TestParsePorts(t *testing.T) {
 			if tt.file != "" {
 				file = tt.file
 			}
-			li := newLinuxImplBase(false)
+			li := newLinuxImplBase()
 			err := li.parseProcNetFile(r, file)
 			if err != nil {
 				t.Fatal(err)
@@ -118,7 +118,7 @@ func BenchmarkParsePorts(b *testing.B) {
 		contents.WriteString("   3: 69050120005716BC64906EBE009ECD4D:D506 0047062600000000000000006E171268:01BB 01 00000000:00000000 02:0000009E 00000000  1000        0 151042856 2 0000000000000000 21 4 28 10 -1\n")
 	}

-	li := newLinuxImplBase(false)
+	li := newLinuxImplBase()

 	r := bytes.NewReader(contents.Bytes())
 	br := bufio.NewReader(&contents)
--- a/portlist/portlist_macos.go
+++ b/portlist/portlist_macos.go
@@ -29,9 +29,8 @@ type macOSImpl struct {
 	known       map[protoPort]*portMeta // inode string => metadata
 	netstatPath string                  // lazily populated

-	br               *bufio.Reader // reused
-	portsBuf         []Port
-	includeLocalhost bool
+	br       *bufio.Reader // reused
+	portsBuf []Port
 }

 type protoPort struct {
@@ -44,11 +43,10 @@ type portMeta struct {
 	keep bool
 }

-func newMacOSImpl(includeLocalhost bool) osImpl {
+func newMacOSImpl() osImpl {
 	return &macOSImpl{
-		known:            map[protoPort]*portMeta{},
-		br:               bufio.NewReader(bytes.NewReader(nil)),
-		includeLocalhost: includeLocalhost,
+		known: map[protoPort]*portMeta{},
+		br:    bufio.NewReader(bytes.NewReader(nil)),
 	}
 }

@@ -121,7 +119,7 @@ func (im *macOSImpl) appendListeningPortsNetstat(base []Port) ([]Port, error) {
 	defer cmd.Process.Wait()
 	defer cmd.Process.Kill()

-	return appendParsePortsNetstat(base, im.br, im.includeLocalhost)
+	return appendParsePortsNetstat(base, im.br)
 }

 var lsofFailed atomic.Bool
@@ -172,7 +170,6 @@ func (im *macOSImpl) addProcesses() error {
 	im.br.Reset(outPipe)

 	var cmd, proto string
-	var pid int
 	for {
 		line, err := im.br.ReadBytes('\n')
 		if err != nil {
@@ -187,10 +184,6 @@ func (im *macOSImpl) addProcesses() error {
 			// starting a new process
 			cmd = ""
 			proto = ""
-			pid = 0
-			if p, err := mem.ParseInt(mem.B(val), 10, 0); err == nil {
-				pid = int(p)
-			}
 		case 'c':
 			cmd = string(val) // TODO(bradfitz): avoid garbage; cache process names between runs?
 		case 'P':
@@ -209,7 +202,6 @@ func (im *macOSImpl) addProcesses() error {
 			switch {
 			case m != nil:
 				m.port.Process = cmd
-				m.port.Pid = pid
 			default:
 				// ignore: processes and ports come and go
 			}
--- a/portlist/portlist_test.go
+++ b/portlist/portlist_test.go
@@ -5,7 +5,9 @@ package portlist

 import (
 	"context"
+	"flag"
 	"net"
+	"runtime"
 	"sync"
 	"testing"
 	"time"
@@ -49,9 +51,16 @@ func TestIgnoreLocallyBoundPorts(t *testing.T) {
 	}
 }

+var flagRunUnspecTests = flag.Bool("run-unspec-tests",
+	runtime.GOOS == "linux", // other OSes have annoying firewall GUI confirmation dialogs
+	"run tests that require listening on the the unspecified address")
+
 func TestChangesOverTime(t *testing.T) {
+	if !*flagRunUnspecTests {
+		t.Skip("skipping test without --run-unspec-tests")
+	}
+
 	var p Poller
-	p.IncludeLocalhost = true
 	get := func(t *testing.T) []Port {
 		t.Helper()
 		s, err := p.getList()
@@ -62,7 +71,7 @@ func TestChangesOverTime(t *testing.T) {
 	}

 	p1 := get(t)
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	ln, err := net.Listen("tcp", ":0")
 	if err != nil {
 		t.Skipf("failed to bind: %v", err)
 	}
@@ -192,7 +201,7 @@ func TestPoller(t *testing.T) {
 		for pl := range p.Updates() {
 			// Look at all the pl slice memory to maximize
 			// chance of race detector seeing violations.
-			for _, v := range pl.List() {
+			for _, v := range pl {
 				if v == (Port{}) {
 					// Force use
 					panic("empty port")
--- a/portlist/portlist_windows.go
+++ b/portlist/portlist_windows.go
@@ -25,8 +25,7 @@ type famPort struct {
 }

 type windowsImpl struct {
-	known            map[famPort]*portMeta // inode string => metadata
-	includeLocalhost bool
+	known map[famPort]*portMeta // inode string => metadata
 }

 type portMeta struct {
@@ -34,10 +33,9 @@ type portMeta struct {
 	keep bool
 }

-func newWindowsImpl(includeLocalhost bool) osImpl {
+func newWindowsImpl() osImpl {
 	return &windowsImpl{
-		known:            map[famPort]*portMeta{},
-		includeLocalhost: includeLocalhost,
+		known: map[famPort]*portMeta{},
 	}
 }

@@ -60,7 +58,7 @@ func (im *windowsImpl) AppendListeningPorts(base []Port) ([]Port, error) {
 		if e.State != "LISTEN" {
 			continue
 		}
-		if !im.includeLocalhost && !e.Local.Addr().IsUnspecified() {
+		if !e.Local.Addr().IsUnspecified() {
 			continue
 		}
 		fp := famPort{
@@ -85,7 +83,6 @@ func (im *windowsImpl) AppendListeningPorts(base []Port) ([]Port, error) {
 				Proto:   "tcp",
 				Port:    e.Local.Port(),
 				Process: process,
-				Pid:     e.Pid,
 			},
 		}
 		im.known[fp] = pm
--- a/release/dist/unixpkgs/pkgs.go
+++ b/release/dist/unixpkgs/pkgs.go
@@ -354,10 +354,6 @@ func debArch(arch string) string {
 		// can ship more than 1 ARM deb, so for now match redo's behavior of
 		// shipping armv5 binaries in an armv7 trenchcoat.
 		return "armhf"
-	case "mipsle":
-		return "mipsel"
-	case "mips64le":
-		return "mips64el"
 	default:
 		return arch
 	}
@@ -376,10 +372,6 @@ func rpmArch(arch string) string {
 		return "armv7hl"
 	case "arm64":
 		return "aarch64"
-	case "mipsle":
-		return "mipsel"
-	case "mips64le":
-		return "mips64el"
 	default:
 		return arch
 	}
--- a/release/dist/unixpkgs/targets.go
+++ b/release/dist/unixpkgs/targets.go
@@ -82,31 +82,31 @@ var (
 	}

 	debs = map[string]bool{
-		"linux/386":      true,
-		"linux/amd64":    true,
-		"linux/arm":      true,
-		"linux/arm64":    true,
-		"linux/riscv64":  true,
-		"linux/mipsle":   true,
-		"linux/mips64le": true,
-		"linux/mips":     true,
-		// Debian does not support big endian mips64. Leave that out until we know
-		// we need it.
+		"linux/386":     true,
+		"linux/amd64":   true,
+		"linux/arm":     true,
+		"linux/arm64":   true,
+		"linux/riscv64": true,
+		// TODO: maybe mipses, we accidentally started building them at some
+		// point even though they probably don't work right.
+		// "linux/mips":     true,
+		// "linux/mipsle":   true,
 		// "linux/mips64":   true,
+		// "linux/mips64le": true,
 	}

 	rpms = map[string]bool{
-		"linux/386":      true,
-		"linux/amd64":    true,
-		"linux/arm":      true,
-		"linux/arm64":    true,
-		"linux/riscv64":  true,
-		"linux/mipsle":   true,
-		"linux/mips64le": true,
-		// Fedora only supports little endian mipses. Maybe some other distribution
-		// supports big-endian? Leave them out for now.
+		"linux/386":     true,
+		"linux/amd64":   true,
+		"linux/arm":     true,
+		"linux/arm64":   true,
+		"linux/riscv64": true,
+		// TODO: maybe mipses, we accidentally started building them at some
+		// point even though they probably don't work right.
 		// "linux/mips":     true,
+		// "linux/mipsle":   true,
 		// "linux/mips64":   true,
+		// "linux/mips64le": true,
 	}
 )

--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -20,6 +20,7 @@ import (
 	"log/syslog"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"runtime"
 	"sort"
@@ -30,12 +31,16 @@ import (
 	"github.com/creack/pty"
 	"github.com/pkg/sftp"
 	"github.com/u-root/u-root/pkg/termios"
+	"go4.org/mem"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 	"tailscale.com/cmd/tailscaled/childproc"
+	"tailscale.com/envknob"
+	"tailscale.com/hostinfo"
 	"tailscale.com/tempfork/gliderlabs/ssh"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/lineread"
 	"tailscale.com/version/distro"
 )

@@ -78,7 +83,7 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
 	case "sftp":
 		isSFTP = true
 	case "":
-		name = ss.conn.localUser.LoginShell()
+		name = loginShell(ss.conn.localUser)
 		if rawCmd := ss.RawCommand(); rawCmd != "" {
 			args = append(args, "-c", rawCmd)
 		} else {
@@ -452,7 +457,7 @@ func (ss *sshSession) launchProcess() error {
 		return ss.startWithStdPipes()
 	}
 	ss.ptyReq = &ptyReq
-	pty, tty, err := ss.startWithPTY()
+	pty, err := ss.startWithPTY()
 	if err != nil {
 		return err
 	}
@@ -461,13 +466,10 @@ func (ss *sshSession) launchProcess() error {
 	// dup.
 	ptyDup, err := syscall.Dup(int(pty.Fd()))
 	if err != nil {
-		pty.Close()
-		tty.Close()
 		return err
 	}
 	go resizeWindow(ptyDup /* arbitrary fd */, winCh)

-	ss.tty = tty
 	ss.stdin = pty
 	ss.stdout = os.NewFile(uintptr(ptyDup), pty.Name())
 	ss.stderr = nil // not available for pty
@@ -547,16 +549,17 @@ var opcodeShortName = map[uint8]string{
 }

 // startWithPTY starts cmd with a pseudo-terminal attached to Stdin, Stdout and Stderr.
-func (ss *sshSession) startWithPTY() (ptyFile, tty *os.File, err error) {
+func (ss *sshSession) startWithPTY() (ptyFile *os.File, err error) {
 	ptyReq := ss.ptyReq
 	cmd := ss.cmd
 	if cmd == nil {
-		return nil, nil, errors.New("nil ss.cmd")
+		return nil, errors.New("nil ss.cmd")
 	}
 	if ptyReq == nil {
-		return nil, nil, errors.New("nil ss.ptyReq")
+		return nil, errors.New("nil ss.ptyReq")
 	}

+	var tty *os.File
 	ptyFile, tty, err = pty.Open()
 	if err != nil {
 		err = fmt.Errorf("pty.Open: %w", err)
@@ -570,7 +573,7 @@ func (ss *sshSession) startWithPTY() (ptyFile, tty *os.File, err error) {
 	}()
 	ptyRawConn, err := tty.SyscallConn()
 	if err != nil {
-		return nil, nil, fmt.Errorf("SyscallConn: %w", err)
+		return nil, fmt.Errorf("SyscallConn: %w", err)
 	}
 	var ctlErr error
 	if err := ptyRawConn.Control(func(fd uintptr) {
@@ -617,10 +620,10 @@ func (ss *sshSession) startWithPTY() (ptyFile, tty *os.File, err error) {
 			return
 		}
 	}); err != nil {
-		return nil, nil, fmt.Errorf("ptyRawConn.Control: %w", err)
+		return nil, fmt.Errorf("ptyRawConn.Control: %w", err)
 	}
 	if ctlErr != nil {
-		return nil, nil, fmt.Errorf("ptyRawConn.Control func: %w", ctlErr)
+		return nil, fmt.Errorf("ptyRawConn.Control func: %w", ctlErr)
 	}
 	cmd.SysProcAttr = &syscall.SysProcAttr{
 		Setctty: true,
@@ -644,7 +647,7 @@ func (ss *sshSession) startWithPTY() (ptyFile, tty *os.File, err error) {
 	if err = cmd.Start(); err != nil {
 		return
 	}
-	return ptyFile, tty, nil
+	return ptyFile, nil
 }

 // startWithStdPipes starts cmd with os.Pipe for Stdin, Stdout and Stderr.
@@ -685,15 +688,117 @@ func (ss *sshSession) startWithStdPipes() (err error) {
 	return nil
 }

-func envForUser(u *userMeta) []string {
+func loginShell(u *user.User) string {
+	switch runtime.GOOS {
+	case "linux":
+		if distro.Get() == distro.Gokrazy {
+			return "/tmp/serial-busybox/ash"
+		}
+		out, _ := exec.Command("getent", "passwd", u.Uid).Output()
+		// out is "root:x:0:0:root:/root:/bin/bash"
+		f := strings.SplitN(string(out), ":", 10)
+		if len(f) > 6 {
+			return strings.TrimSpace(f[6]) // shell
+		}
+	case "darwin":
+		// Note: /Users/username is key, and not the same as u.HomeDir.
+		out, _ := exec.Command("dscl", ".", "-read", filepath.Join("/Users", u.Username), "UserShell").Output()
+		// out is "UserShell: /bin/bash"
+		s, ok := strings.CutPrefix(string(out), "UserShell: ")
+		if ok {
+			return strings.TrimSpace(s)
+		}
+	}
+	if e := os.Getenv("SHELL"); e != "" {
+		return e
+	}
+	return "/bin/sh"
+}
+
+func envForUser(u *user.User) []string {
 	return []string{
-		fmt.Sprintf("SHELL=" + u.LoginShell()),
+		fmt.Sprintf("SHELL=" + loginShell(u)),
 		fmt.Sprintf("USER=" + u.Username),
 		fmt.Sprintf("HOME=" + u.HomeDir),
-		fmt.Sprintf("PATH=" + defaultPathForUser(&u.User)),
+		fmt.Sprintf("PATH=" + defaultPathForUser(u)),
 	}
 }

+// defaultPathTmpl specifies the default PATH template to use for new sessions.
+//
+// If empty, a default value is used based on the OS & distro to match OpenSSH's
+// usually-hardcoded behavior. (see
+// https://github.com/tailscale/tailscale/issues/5285 for background).
+//
+// The template may contain @{HOME} or @{PAM_USER} which expand to the user's
+// home directory and username, respectively. (PAM is not used, despite the
+// name)
+var defaultPathTmpl = envknob.RegisterString("TAILSCALE_SSH_DEFAULT_PATH")
+
+func defaultPathForUser(u *user.User) string {
+	if s := defaultPathTmpl(); s != "" {
+		return expandDefaultPathTmpl(s, u)
+	}
+	isRoot := u.Uid == "0"
+	switch distro.Get() {
+	case distro.Debian:
+		hi := hostinfo.New()
+		if hi.Distro == "ubuntu" {
+			// distro.Get's Debian includes Ubuntu. But see if it's actually Ubuntu.
+			// Ubuntu doesn't empirically seem to distinguish between root and non-root for the default.
+			// And it includes /snap/bin.
+			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
+		}
+		if isRoot {
+			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+		}
+		return "/usr/local/bin:/usr/bin:/bin:/usr/bn/games"
+	case distro.NixOS:
+		return defaultPathForUserOnNixOS(u)
+	}
+	if isRoot {
+		return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+	}
+	return "/usr/local/bin:/usr/bin:/bin"
+}
+
+func defaultPathForUserOnNixOS(u *user.User) string {
+	var path string
+	lineread.File("/etc/pam/environment", func(lineb []byte) error {
+		if v := pathFromPAMEnvLine(lineb, u); v != "" {
+			path = v
+			return io.EOF // stop iteration
+		}
+		return nil
+	})
+	return path
+}
+
+func pathFromPAMEnvLine(line []byte, u *user.User) (path string) {
+	if !mem.HasPrefix(mem.B(line), mem.S("PATH")) {
+		return ""
+	}
+	rest := strings.TrimSpace(strings.TrimPrefix(string(line), "PATH"))
+	if quoted, ok := strings.CutPrefix(rest, "DEFAULT="); ok {
+		if path, err := strconv.Unquote(quoted); err == nil {
+			return expandDefaultPathTmpl(path, u)
+		}
+	}
+	return ""
+}
+
+func expandDefaultPathTmpl(t string, u *user.User) string {
+	p := strings.NewReplacer(
+		"@{HOME}", u.HomeDir,
+		"@{PAM_USER}", u.Username,
+	).Replace(t)
+	if strings.Contains(p, "@{") {
+		// If there are unknown expansions, conservatively fail closed.
+		return ""
+	}
+	return p
+}
+
 // updateStringInSlice mutates ss to change the first occurrence of a
 // to b.
 func updateStringInSlice(ss []string, a, b string) {
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -22,13 +22,13 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
-	"syscall"
 	"time"

 	gossh "github.com/tailscale/golang-x-crypto/ssh"
@@ -39,12 +39,12 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tempfork/gliderlabs/ssh"
-	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
+	"tailscale.com/version/distro"
 )

 var (
@@ -68,7 +68,6 @@ type ipnLocalBackend interface {
 	DoNoiseRequest(req *http.Request) (*http.Response, error)
 	Dialer() *tsdial.Dialer
 	TailscaleVarRoot() string
-	NodeKey() key.NodePublic
 }

 type server struct {
@@ -106,7 +105,6 @@ func init() {
 			logf:           logf,
 			tailscaledPath: tsd,
 		}
-
 		return srv, nil
 	})
 }
@@ -221,7 +219,7 @@ type conn struct {
 	finalActionErr error              // set by doPolicyAuth or resolveNextAction

 	info         *sshConnInfo    // set by setInfo
-	localUser    *userMeta       // set by doPolicyAuth
+	localUser    *user.User      // set by doPolicyAuth
 	userGroupIDs []string        // set by doPolicyAuth
 	pubKey       gossh.PublicKey // set by doPolicyAuth

@@ -378,7 +376,16 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 		if a.Accept {
 			c.finalAction = a
 		}
-		lu, err := userLookup(localUser)
+		if runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy {
+			// Gokrazy is a single-user appliance with ~no userspace.
+			// There aren't users to look up (no /etc/passwd, etc)
+			// so rather than fail below, just hardcode root.
+			// TODO(bradfitz): fix os/user upstream instead?
+			c.userGroupIDs = []string{"0"}
+			c.localUser = &user.User{Uid: "0", Gid: "0", Username: "root"}
+			return nil
+		}
+		lu, err := user.Lookup(localUser)
 		if err != nil {
 			c.logf("failed to look up %v: %v", localUser, err)
 			ctx.SendAuthBanner(fmt.Sprintf("failed to look up %v\r\n", localUser))
@@ -812,7 +819,6 @@ type sshSession struct {
 	stdout io.ReadCloser
 	stderr io.Reader // nil for pty sessions
 	ptyReq *ssh.Pty  // non-nil for pty sessions
-	tty    *os.File  // non-nil for pty sessions, must be closed after process exits

 	// We use this sync.Once to ensure that we only terminate the process once,
 	// either it exits itself or is terminated
@@ -961,7 +967,7 @@ var errSessionDone = errors.New("session is done")
 // handleSSHAgentForwarding starts a Unix socket listener and in the background
 // forwards agent connections between the listener and the ssh.Session.
 // On success, it assigns ss.agentListener.
-func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *userMeta) error {
+func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) error {
 	if !ssh.AgentRequested(ss) || !ss.conn.finalAction.AllowAgentForwarding {
 		return nil
 	}
@@ -1089,7 +1095,6 @@ func (ss *sshSession) run() {
 	}
 	go ss.killProcessOnContextDone()

-	var processDone atomic.Bool
 	go func() {
 		defer ss.stdin.Close()
 		if _, err := io.Copy(rec.writer("i", ss.stdin), ss); err != nil {
@@ -1107,11 +1112,8 @@ func (ss *sshSession) run() {
 		defer ss.stdout.Close()
 		_, err := io.Copy(rec.writer("o", ss), ss.stdout)
 		if err != nil && !errors.Is(err, io.EOF) {
-			isErrBecauseProcessExited := processDone.Load() && errors.Is(err, syscall.EIO)
-			if !isErrBecauseProcessExited {
-				logf("stdout copy: %v, %T", err)
-				ss.cancelCtx(err)
-			}
+			logf("stdout copy: %v", err)
+			ss.cancelCtx(err)
 		}
 		if openOutputStreams.Add(-1) == 0 {
 			ss.CloseWrite()
@@ -1130,12 +1132,7 @@ func (ss *sshSession) run() {
 		}()
 	}

-	if ss.tty != nil {
-		// If running a tty session, close the tty when the session is done.
-		defer ss.tty.Close()
-	}
 	err = ss.cmd.Wait()
-	processDone.Store(true)
 	// This will either make the SSH Termination goroutine be a no-op,
 	// or itself will be a no-op because the process was killed by the
 	// aforementioned goroutine.
@@ -1410,11 +1407,6 @@ type CastHeader struct {

 	// LocalUser is the effective username on the server.
 	LocalUser string `json:"localUser"`
-
-	// ConnectionID uniquely identifies a connection made to the SSH server.
-	// It may be shared across multiple sessions over the same connection in
-	// case of SSH multiplexing.
-	ConnectionID string `json:"connectionID"`
 }

 // sessionRecordingClient returns an http.Client that uses srv.lb.Dialer() to
@@ -1453,16 +1445,11 @@ func (ss *sshSession) sessionRecordingClient(dialCtx context.Context) (*http.Cli
 // On success, it returns a WriteCloser that can be used to upload the
 // recording, and a channel that will be sent an error (or nil) when the upload
 // fails or completes.
-//
-// In both cases, a slice of SSHRecordingAttempts is returned which detail the
-// attempted recorder IP and the error message, if the attempt failed. The
-// attempts are in order the recorder(s) was attempted. If successful a
-// successful connection is made, the last attempt in the slice is the
-// attempt for connected recorder.
-func (ss *sshSession) connectToRecorder(ctx context.Context, recs []netip.AddrPort) (io.WriteCloser, []*tailcfg.SSHRecordingAttempt, <-chan error, error) {
+func (ss *sshSession) connectToRecorder(ctx context.Context, recs []netip.AddrPort) (io.WriteCloser, <-chan error, error) {
 	if len(recs) == 0 {
-		return nil, nil, nil, errors.New("no recorders configured")
+		return nil, nil, errors.New("no recorders configured")
 	}
+
 	// We use a special context for dialing the recorder, so that we can
 	// limit the time we spend dialing to 30 seconds and still have an
 	// unbounded context for the upload.
@@ -1470,17 +1457,10 @@ func (ss *sshSession) connectToRecorder(ctx context.Context, recs []netip.AddrPo
 	defer dialCancel()
 	hc, err := ss.sessionRecordingClient(dialCtx)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
-
 	var errs []error
-	var attempts []*tailcfg.SSHRecordingAttempt
 	for _, ap := range recs {
-		attempt := &tailcfg.SSHRecordingAttempt{
-			Recorder: ap,
-		}
-		attempts = append(attempts, attempt)
-
 		// We dial the recorder and wait for it to send a 100-continue
 		// response before returning from this function. This ensures that
 		// the recorder is ready to accept the recording.
@@ -1496,9 +1476,7 @@ func (ss *sshSession) connectToRecorder(ctx context.Context, recs []netip.AddrPo
 		pr, pw := io.Pipe()
 		req, err := http.NewRequestWithContext(ctx, "POST", fmt.Sprintf("http://%s:%d/record", ap.Addr(), ap.Port()), pr)
 		if err != nil {
-			err = fmt.Errorf("recording: error starting recording: %w", err)
-			attempt.FailureMessage = err.Error()
-			errs = append(errs, err)
+			errs = append(errs, fmt.Errorf("recording: error starting recording: %w", err))
 			continue
 		}
 		// We set the Expect header to 100-continue, so that the recorder
@@ -1530,13 +1508,12 @@ func (ss *sshSession) connectToRecorder(ctx context.Context, recs []netip.AddrPo
 				// is unexpected as we haven't sent any data yet.
 				err = errors.New("recording: unexpected EOF")
 			}
-			attempt.FailureMessage = err.Error()
 			errs = append(errs, err)
 			continue
 		}
-		return pw, attempts, errChan, nil
+		return pw, errChan, nil
 	}
-	return nil, attempts, nil, multierr.New(errs...)
+	return nil, nil, multierr.New(errs...)
 }

 func (ss *sshSession) openFileForRecording(now time.Time) (_ io.WriteCloser, err error) {
@@ -1558,13 +1535,6 @@ func (ss *sshSession) openFileForRecording(now time.Time) (_ io.WriteCloser, err
 // startNewRecording starts a new SSH session recording.
 // It may return a nil recording if recording is not available.
 func (ss *sshSession) startNewRecording() (_ *recording, err error) {
-	// We store the node key as soon as possible when creating
-	// a new recording incase of FUS.
-	nodeKey := ss.conn.srv.lb.NodeKey()
-	if nodeKey.IsZero() {
-		return nil, errors.New("ssh server is unavailable: no node key")
-	}
-
 	recorders, onFailure := ss.recorders()
 	var localRecording bool
 	if len(recorders) == 0 {
@@ -1603,17 +1573,9 @@ func (ss *sshSession) startNewRecording() (_ *recording, err error) {
 		}
 	} else {
 		var errChan <-chan error
-		var attempts []*tailcfg.SSHRecordingAttempt
-		rec.out, attempts, errChan, err = ss.connectToRecorder(ctx, recorders)
+		rec.out, errChan, err = ss.connectToRecorder(ctx, recorders)
 		if err != nil {
-			if onFailure != nil && onFailure.NotifyURL != "" && len(attempts) > 0 {
-				eventType := tailcfg.SSHSessionRecordingFailed
-				if onFailure.RejectSessionWithMessage != "" {
-					eventType = tailcfg.SSHSessionRecordingRejected
-				}
-				ss.notifyControl(ctx, nodeKey, eventType, attempts, onFailure.NotifyURL)
-			}
-
+			// TODO(catzkorn): notify control here.
 			if onFailure != nil && onFailure.RejectSessionWithMessage != "" {
 				ss.logf("recording: error starting recording (rejecting session): %v", err)
 				return nil, userVisibleError{
@@ -1630,17 +1592,7 @@ func (ss *sshSession) startNewRecording() (_ *recording, err error) {
 				// Success.
 				return
 			}
-			if onFailure != nil && onFailure.NotifyURL != "" && len(attempts) > 0 {
-				lastAttempt := attempts[len(attempts)-1]
-				lastAttempt.FailureMessage = err.Error()
-
-				eventType := tailcfg.SSHSessionRecordingFailed
-				if onFailure.TerminateSessionWithMessage != "" {
-					eventType = tailcfg.SSHSessionRecordingTerminated
-				}
-
-				ss.notifyControl(ctx, nodeKey, eventType, attempts, onFailure.NotifyURL)
-			}
+			// TODO(catzkorn): notify control here.
 			if onFailure != nil && onFailure.TerminateSessionWithMessage != "" {
 				ss.logf("recording: error uploading recording (closing session): %v", err)
 				ss.cancelCtx(userVisibleError{
@@ -1670,11 +1622,10 @@ func (ss *sshSession) startNewRecording() (_ *recording, err error) {
 			// it. Then we can (1) make the cmd, (2) start the
 			// recording, (3) start the process.
 		},
-		SSHUser:      ss.conn.info.sshUser,
-		LocalUser:    ss.conn.localUser.Username,
-		SrcNode:      strings.TrimSuffix(ss.conn.info.node.Name, "."),
-		SrcNodeID:    ss.conn.info.node.StableID,
-		ConnectionID: ss.conn.connID,
+		SSHUser:   ss.conn.info.sshUser,
+		LocalUser: ss.conn.localUser.Username,
+		SrcNode:   strings.TrimSuffix(ss.conn.info.node.Name, "."),
+		SrcNodeID: ss.conn.info.node.StableID,
 	}
 	if !ss.conn.info.node.IsTagged() {
 		ch.SrcNodeUser = ss.conn.info.uprof.LoginName
@@ -1699,45 +1650,6 @@ func (ss *sshSession) startNewRecording() (_ *recording, err error) {
 	return rec, nil
 }

-// notifyControl sends a SSHEventNotifyRequest to control over noise.
-// A SSHEventNotifyRequest is sent when an action or state reached during
-// an SSH session is a defined EventType.
-func (ss *sshSession) notifyControl(ctx context.Context, nodeKey key.NodePublic, notifyType tailcfg.SSHEventType, attempts []*tailcfg.SSHRecordingAttempt, url string) {
-	re := tailcfg.SSHEventNotifyRequest{
-		EventType:         notifyType,
-		ConnectionID:      ss.conn.connID,
-		CapVersion:        tailcfg.CurrentCapabilityVersion,
-		NodeKey:           nodeKey,
-		SrcNode:           ss.conn.info.node.ID,
-		SSHUser:           ss.conn.info.sshUser,
-		LocalUser:         ss.conn.localUser.Username,
-		RecordingAttempts: attempts,
-	}
-
-	body, err := json.Marshal(re)
-	if err != nil {
-		ss.logf("notifyControl: unable to marshal SSHNotifyRequest:", err)
-		return
-	}
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
-	if err != nil {
-		ss.logf("notifyControl: unable to create request:", err)
-		return
-	}
-
-	resp, err := ss.conn.srv.lb.DoNoiseRequest(req)
-	if err != nil {
-		ss.logf("notifyControl: unable to send noise request:", err)
-		return
-	}
-
-	if resp.StatusCode != http.StatusCreated {
-		ss.logf("notifyControl: noise request returned status code %v", resp.StatusCode)
-		return
-	}
-}
-
 // recording is the state for an SSH session recording.
 type recording struct {
 	ss    *sshSession
--- a/ssh/tailssh/tailssh_test.go
+++ b/ssh/tailssh/tailssh_test.go
@@ -38,9 +38,7 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tempfork/gliderlabs/ssh"
-	"tailscale.com/tsd"
 	"tailscale.com/tstest"
-	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netmap"
@@ -314,10 +312,6 @@ func (ts *localState) TailscaleVarRoot() string {
 	return ""
 }

-func (ts *localState) NodeKey() key.NodePublic {
-	return key.NewNode().Public()
-}
-
 func newSSHRule(action *tailcfg.SSHAction) *tailcfg.SSHRule {
 	return &tailcfg.SSHRule{
 		SSHUsers: map[string]string{
@@ -821,14 +815,14 @@ func TestSSHAuthFlow(t *testing.T) {

 func TestSSH(t *testing.T) {
 	var logf logger.Logf = t.Logf
-	sys := &tsd.System{}
-	eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
-	sys.Set(eng)
-	sys.Set(new(mem.Store))
-	lb, err := ipnlocal.NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	lb, err := ipnlocal.NewLocalBackend(logf, logid.PublicID{},
+		new(mem.Store),
+		new(tsdial.Dialer),
+		eng, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -851,11 +845,7 @@ func TestSSH(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	um, err := userLookup(u.Username)
-	if err != nil {
-		t.Fatal(err)
-	}
-	sc.localUser = um
+	sc.localUser = u
 	sc.info = &sshConnInfo{
 		sshUser: "test",
 		src:     netip.MustParseAddrPort("1.2.3.4:32342"),
@@ -1139,10 +1129,3 @@ func TestPathFromPAMEnvLineOnNixOS(t *testing.T) {
 	}
 	t.Logf("success; got=%q", got)
 }
-
-func TestStdOsUserUserAssumptions(t *testing.T) {
-	v := reflect.TypeOf(user.User{})
-	if got, want := v.NumField(), 5; got != want {
-		t.Errorf("os/user.User has %v fields; this package assumes %v", got, want)
-	}
-}
--- a/ssh/tailssh/user.go
+++ b/ssh/tailssh/user.go
@@ -1,230 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux || (darwin && !ios) || freebsd || openbsd
-
-package tailssh
-
-import (
-	"context"
-	"errors"
-	"io"
-	"log"
-	"os"
-	"os/exec"
-	"os/user"
-	"path/filepath"
-	"runtime"
-	"strconv"
-	"strings"
-	"time"
-	"unicode/utf8"
-
-	"go4.org/mem"
-	"tailscale.com/envknob"
-	"tailscale.com/hostinfo"
-	"tailscale.com/util/lineread"
-	"tailscale.com/version/distro"
-)
-
-// userMeta is a wrapper around *user.User with extra fields.
-type userMeta struct {
-	user.User
-
-	// loginShellCached is the user's login shell, if known
-	// at the time of userLookup.
-	loginShellCached string
-}
-
-// GroupIds returns the list of group IDs that the user is a member of.
-func (u *userMeta) GroupIds() ([]string, error) {
-	if runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy {
-		// Gokrazy is a single-user appliance with ~no userspace.
-		// There aren't users to look up (no /etc/passwd, etc)
-		// so rather than fail below, just hardcode root.
-		// TODO(bradfitz): fix os/user upstream instead?
-		return []string{"0"}, nil
-	}
-	return u.User.GroupIds()
-}
-
-// userLookup is like os/user.Lookup but it returns a *userMeta wrapper
-// around a *user.User with extra fields.
-func userLookup(username string) (*userMeta, error) {
-	if runtime.GOOS != "linux" {
-		return userLookupStd(username)
-	}
-
-	// No getent on Gokrazy. So hard-code the login shell.
-	if distro.Get() == distro.Gokrazy {
-		um, err := userLookupStd(username)
-		if err != nil {
-			um.User = user.User{
-				Uid:      "0",
-				Gid:      "0",
-				Username: "root",
-				Name:     "Gokrazy",
-				HomeDir:  "/",
-			}
-		}
-		um.loginShellCached = "/tmp/serial-busybox/ash"
-		return um, err
-	}
-
-	// On Linux, default to using "getent" to look up users so that
-	// even with static tailscaled binaries without cgo (as we distribute),
-	// we can still look up PAM/NSS users which the standard library's
-	// os/user without cgo won't get (because of no libc hooks).
-	// But if "getent" fails, userLookupGetent falls back to the standard
-	// library anyway.
-	return userLookupGetent(username)
-}
-
-func validUsername(uid string) bool {
-	if len(uid) > 32 || len(uid) == 0 {
-		return false
-	}
-	for _, r := range uid {
-		if r < ' ' || r == 0x7f || r == utf8.RuneError { // TODO(bradfitz): more?
-			return false
-		}
-	}
-	return true
-}
-
-func userLookupGetent(username string) (*userMeta, error) {
-	// Do some basic validation before passing this string to "getent", even though
-	// getent should do its own validation.
-	if !validUsername(username) {
-		return nil, errors.New("invalid username")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-	out, err := exec.CommandContext(ctx, "getent", "passwd", username).Output()
-	if err != nil {
-		log.Printf("error calling getent for user %q: %v", username, err)
-		return userLookupStd(username)
-	}
-	// output is "alice:x:1001:1001:Alice Smith,,,:/home/alice:/bin/bash"
-	f := strings.SplitN(strings.TrimSpace(string(out)), ":", 10)
-	for len(f) < 7 {
-		f = append(f, "")
-	}
-	um := &userMeta{
-		User: user.User{
-			Username: f[0],
-			Uid:      f[2],
-			Gid:      f[3],
-			Name:     f[4],
-			HomeDir:  f[5],
-		},
-		loginShellCached: f[6],
-	}
-	return um, nil
-}
-
-func userLookupStd(username string) (*userMeta, error) {
-	u, err := user.Lookup(username)
-	if err != nil {
-		return nil, err
-	}
-	return &userMeta{User: *u}, nil
-}
-
-func (u *userMeta) LoginShell() string {
-	if u.loginShellCached != "" {
-		// This field should be populated on Linux, at least, because
-		// func userLookup on Linux uses "getent" to look up the user
-		// and that populates it.
-		return u.loginShellCached
-	}
-	switch runtime.GOOS {
-	case "darwin":
-		// Note: /Users/username is key, and not the same as u.HomeDir.
-		out, _ := exec.Command("dscl", ".", "-read", filepath.Join("/Users", u.Username), "UserShell").Output()
-		// out is "UserShell: /bin/bash"
-		s, ok := strings.CutPrefix(string(out), "UserShell: ")
-		if ok {
-			return strings.TrimSpace(s)
-		}
-	}
-	if e := os.Getenv("SHELL"); e != "" {
-		return e
-	}
-	return "/bin/sh"
-}
-
-// defaultPathTmpl specifies the default PATH template to use for new sessions.
-//
-// If empty, a default value is used based on the OS & distro to match OpenSSH's
-// usually-hardcoded behavior. (see
-// https://github.com/tailscale/tailscale/issues/5285 for background).
-//
-// The template may contain @{HOME} or @{PAM_USER} which expand to the user's
-// home directory and username, respectively. (PAM is not used, despite the
-// name)
-var defaultPathTmpl = envknob.RegisterString("TAILSCALE_SSH_DEFAULT_PATH")
-
-func defaultPathForUser(u *user.User) string {
-	if s := defaultPathTmpl(); s != "" {
-		return expandDefaultPathTmpl(s, u)
-	}
-	isRoot := u.Uid == "0"
-	switch distro.Get() {
-	case distro.Debian:
-		hi := hostinfo.New()
-		if hi.Distro == "ubuntu" {
-			// distro.Get's Debian includes Ubuntu. But see if it's actually Ubuntu.
-			// Ubuntu doesn't empirically seem to distinguish between root and non-root for the default.
-			// And it includes /snap/bin.
-			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
-		}
-		if isRoot {
-			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-		}
-		return "/usr/local/bin:/usr/bin:/bin:/usr/bn/games"
-	case distro.NixOS:
-		return defaultPathForUserOnNixOS(u)
-	}
-	if isRoot {
-		return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-	}
-	return "/usr/local/bin:/usr/bin:/bin"
-}
-
-func defaultPathForUserOnNixOS(u *user.User) string {
-	var path string
-	lineread.File("/etc/pam/environment", func(lineb []byte) error {
-		if v := pathFromPAMEnvLine(lineb, u); v != "" {
-			path = v
-			return io.EOF // stop iteration
-		}
-		return nil
-	})
-	return path
-}
-
-func pathFromPAMEnvLine(line []byte, u *user.User) (path string) {
-	if !mem.HasPrefix(mem.B(line), mem.S("PATH")) {
-		return ""
-	}
-	rest := strings.TrimSpace(strings.TrimPrefix(string(line), "PATH"))
-	if quoted, ok := strings.CutPrefix(rest, "DEFAULT="); ok {
-		if path, err := strconv.Unquote(quoted); err == nil {
-			return expandDefaultPathTmpl(path, u)
-		}
-	}
-	return ""
-}
-
-func expandDefaultPathTmpl(t string, u *user.User) string {
-	p := strings.NewReplacer(
-		"@{HOME}", u.HomeDir,
-		"@{PAM_USER}", u.Username,
-	).Replace(t)
-	if strings.Contains(p, "@{") {
-		// If there are unknown expansions, conservatively fail closed.
-		return ""
-	}
-	return p
-}
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -98,8 +98,7 @@ type CapabilityVersion int
 //   - 59: 2023-03-16: Client understands Peers[].SelfNodeV4MasqAddrForThisPeer
 //   - 60: 2023-04-06: Client understands IsWireGuardOnly
 //   - 61: 2023-04-18: Client understand SSHAction.SSHRecorderFailureAction
-//   - 62: 2023-05-05: Client can notify control over noise for SSHEventNotificationRequest recording failure events
-const CurrentCapabilityVersion CapabilityVersion = 62
+const CurrentCapabilityVersion CapabilityVersion = 61

 type StableID string

@@ -2076,17 +2075,9 @@ type SSHRecorderFailureAction struct {
 	NotifyURL string `json:",omitempty"`
 }

-// SSHEventNotifyRequest is the JSON payload sent to the NotifyURL
-// for an SSH event.
-type SSHEventNotifyRequest struct {
-	// EventType is the type of notify request being sent.
-	EventType SSHEventType
-
-	// ConnectionID uniquely identifies a connection made to the SSH server.
-	// It may be shared across multiple sessions over the same connection in
-	// case a single connection creates multiple sessions.
-	ConnectionID string
-
+// SSHRecordingFailureNotifyRequest is the JSON payload sent to the NotifyURL
+// when a recording fails.
+type SSHRecordingFailureNotifyRequest struct {
 	// CapVersion is the client's current CapabilityVersion.
 	CapVersion CapabilityVersion

@@ -2102,33 +2093,10 @@ type SSHEventNotifyRequest struct {
 	// LocalUser is the user that was resolved from the SSHUser for the local machine.
 	LocalUser string

-	// RecordingAttempts is the list of recorders that were attempted, in order.
-	RecordingAttempts []*SSHRecordingAttempt
+	// Attempts is the list of recorders that were attempted, in order.
+	Attempts []SSHRecordingAttempt
 }

-// SSHEventType defines the event type linked to a SSH action or state.
-type SSHEventType int
-
-const (
-	UnspecifiedSSHEventType SSHEventType = 0
-	// SSHSessionRecordingRejected is the event that
-	// defines when a SSH session cannot be started
-	// because no recorder is available for session
-	// recording, and the SSHRecorderFailureAction
-	// RejectSessionWithMessage is not empty.
-	SSHSessionRecordingRejected SSHEventType = 1
-	// SSHSessionRecordingTerminated is the event that
-	// defines when session recording has failed
-	// during the session and the SSHRecorderFailureAction
-	// TerminateSessionWithMessage is not empty.
-	SSHSessionRecordingTerminated SSHEventType = 2
-	// SSHSessionRecordingFailed is the event that
-	// defines when session recording is unavailable and
-	// the SSHRecorderFailureAction RejectSessionWithMessage
-	// or TerminateSessionWithMessage is empty.
-	SSHSessionRecordingFailed SSHEventType = 3
-)
-
 // SSHRecordingAttempt is a single attempt to start a recording.
 type SSHRecordingAttempt struct {
 	// Recorder is the address of the recorder that was attempted.
--- a/tool/gocross/gocross-wrapper.sh
+++ b/tool/gocross/gocross-wrapper.sh
@@ -31,7 +31,7 @@ toolchain="$HOME/.cache/tailscale-go"
 if [ -d "$toolchain" ]; then
    # A toolchain exists, but is it recent enough to compile gocross? If not,
    # wipe it out so that the next if block fetches a usable one.
-    want_go_minor=$(grep -E '^go ' "go.mod" | cut -f2 -d'.')
+    want_go_minor=$(grep -E '^go ' "$repo_root/go.mod" | cut -f2 -d'.')
    have_go_minor=$(cut -f2 -d'.' <$toolchain/VERSION)
    if [ -z "$have_go_minor" -o "$have_go_minor" -lt "$want_go_minor" ]; then
        rm -rf "$toolchain" "$toolchain.extracted"
@@ -45,7 +45,7 @@ if [ ! -d "$toolchain" ]; then
    # build with Go N-1. So, if we have no cached tailscale toolchain at all,
    # fetch the initial one in shell. Once gocross is built, it'll manage
    # updates.
-    read -r REV <go.toolchain.rev
+    read -r REV <$repo_root/go.toolchain.rev

    case "$REV" in
    /*)
@@ -80,7 +80,7 @@ fi
 # case, cmd/cloner invokes go with GO111MODULE=off at some stage.
 #
 # Anyway, build gocross in a stripped down universe.
-gocross_path="gocross"
+gocross_path="$repo_root/gocross"
 gocross_ok=0
 wantver="$(git rev-parse HEAD)"
 if [ -x "$gocross_path" ]; then
--- a/tsd/tsd.go
+++ b/tsd/tsd.go
@@ -1,135 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package tsd (short for "Tailscale Daemon") contains a System type that
-// containing all the subsystems a Tailscale node (tailscaled or platform
-// equivalent) uses.
-//
-// The goal of this package (as of 2023-05-03) is to eventually unify
-// initialization across tailscaled, tailscaled as a Windows services, the mac
-// GUI, tsnet, wasm, tests, and other places that wire up all the subsystems.
-// And doing so without weird optional interface accessors on some subsystems
-// that return other subsystems. It's all a work in progress.
-//
-// This package depends on nearly all parts of Tailscale, so it should not be
-// imported by (or thus passed to) any package that does not want to depend on
-// the world. In practice this means that only things like cmd/tailscaled,
-// ipn/ipnlocal, and ipn/ipnserver should import this package.
-package tsd
-
-import (
-	"fmt"
-	"reflect"
-
-	"tailscale.com/ipn"
-	"tailscale.com/net/dns"
-	"tailscale.com/net/netmon"
-	"tailscale.com/net/tsdial"
-	"tailscale.com/net/tstun"
-	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/magicsock"
-	"tailscale.com/wgengine/router"
-)
-
-// System contains all the subsystems of a Tailscale node (tailscaled, etc.)
-type System struct {
-	Dialer         SubSystem[*tsdial.Dialer]
-	DNSManager     SubSystem[*dns.Manager] // can get its *resolver.Resolver from DNSManager.Resolver
-	Engine         SubSystem[wgengine.Engine]
-	NetMon         SubSystem[*netmon.Monitor]
-	MagicSock      SubSystem[*magicsock.Conn]
-	NetstackRouter SubSystem[bool] // using Netstack at all (either entirely or at least for subnets)
-	Router         SubSystem[router.Router]
-	Tun            SubSystem[*tstun.Wrapper]
-	StateStore     SubSystem[ipn.StateStore]
-}
-
-// Set is a convenience method to set a subsystem value.
-// It panics if the type is unknown or has that type
-// has already been set.
-func (s *System) Set(v any) {
-	switch v := v.(type) {
-	case *netmon.Monitor:
-		s.NetMon.Set(v)
-	case *dns.Manager:
-		s.DNSManager.Set(v)
-	case *tsdial.Dialer:
-		s.Dialer.Set(v)
-	case wgengine.Engine:
-		s.Engine.Set(v)
-	case router.Router:
-		s.Router.Set(v)
-	case *tstun.Wrapper:
-		s.Tun.Set(v)
-	case *magicsock.Conn:
-		s.MagicSock.Set(v)
-	case ipn.StateStore:
-		s.StateStore.Set(v)
-	default:
-		panic(fmt.Sprintf("unknown type %T", v))
-	}
-}
-
-// IsNetstackRouter reports whether Tailscale is either fully netstack based
-// (without TUN) or is at least using netstack for routing.
-func (s *System) IsNetstackRouter() bool {
-	if v, ok := s.NetstackRouter.GetOK(); ok && v {
-		return true
-	}
-	return s.IsNetstack()
-}
-
-// IsNetstack reports whether Tailscale is running as a netstack-based TUN-free engine.
-func (s *System) IsNetstack() bool {
-	name, _ := s.Tun.Get().Name()
-	return name == tstun.FakeTUNName
-}
-
-// SubSystem represents some subsystem of the Tailscale node daemon.
-//
-// A subsystem can be set to a value, and then later retrieved. A subsystem
-// value tracks whether it's been set and, once set, doesn't allow the value to
-// change.
-type SubSystem[T any] struct {
-	set bool
-	v   T
-}
-
-// Set sets p to v.
-//
-// It panics if p is already set to a different value.
-//
-// Set must not be called concurrently with other Sets or Gets.
-func (p *SubSystem[T]) Set(v T) {
-	if p.set {
-		var oldVal any = p.v
-		var newVal any = v
-		if oldVal == newVal {
-			// Allow setting to the same value.
-			// Note we had to box them through "any" to force them to be comparable.
-			// We can't set the type constraint T to be "comparable" because the interfaces
-			// aren't comparable. (See https://github.com/golang/go/issues/52531 and
-			// https://github.com/golang/go/issues/52614 for some background)
-			return
-		}
-
-		var z *T
-		panic(fmt.Sprintf("%v is already set", reflect.TypeOf(z).Elem().String()))
-	}
-	p.v = v
-	p.set = true
-}
-
-// Get returns the value of p, panicking if it hasn't been set.
-func (p *SubSystem[T]) Get() T {
-	if !p.set {
-		var z *T
-		panic(fmt.Sprintf("%v is not set", reflect.TypeOf(z).Elem().String()))
-	}
-	return p.v
-}
-
-// GetOK returns the value of p (if any) and whether it's been set.
-func (p *SubSystem[T]) GetOK() (_ T, ok bool) {
-	return p.v, p.set
-}
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -47,7 +47,6 @@ import (
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/smallzstd"
-	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/nettype"
@@ -483,21 +482,23 @@ func (s *Server) start() (reterr error) {
 	}
 	closePool.add(s.netMon)

-	sys := new(tsd.System)
 	s.dialer = &tsdial.Dialer{Logf: logf} // mutated below (before used)
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		ListenPort:   0,
-		NetMon:       s.netMon,
-		Dialer:       s.dialer,
-		SetSubsystem: sys.Set,
+		ListenPort: 0,
+		NetMon:     s.netMon,
+		Dialer:     s.dialer,
 	})
 	if err != nil {
 		return err
 	}
 	closePool.add(s.dialer)
-	sys.Set(eng)

-	ns, err := netstack.Create(logf, sys.Tun.Get(), eng, sys.MagicSock.Get(), s.dialer, sys.DNSManager.Get())
+	tunDev, magicConn, dns, ok := eng.(wgengine.InternalsGetter).GetInternals()
+	if !ok {
+		return fmt.Errorf("%T is not a wgengine.InternalsGetter", eng)
+	}
+
+	ns, err := netstack.Create(logf, tunDev, eng, magicConn, s.dialer, dns)
 	if err != nil {
 		return fmt.Errorf("netstack.Create: %w", err)
 	}
@@ -521,13 +522,12 @@ func (s *Server) start() (reterr error) {
 			return err
 		}
 	}
-	sys.Set(s.Store)

 	loginFlags := controlclient.LoginDefault
 	if s.Ephemeral {
 		loginFlags = controlclient.LoginEphemeral
 	}
-	lb, err := ipnlocal.NewLocalBackend(logf, s.logid, sys, loginFlags)
+	lb, err := ipnlocal.NewLocalBackend(logf, s.logid, s.Store, s.dialer, eng, loginFlags)
 	if err != nil {
 		return fmt.Errorf("NewLocalBackend: %v", err)
 	}
--- a/tsnet/tsnet_test.go
+++ b/tsnet/tsnet_test.go
@@ -24,6 +24,7 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"sync"
 	"testing"
@@ -356,6 +357,10 @@ func TestLoopbackLocalAPI(t *testing.T) {
 }

 func TestLoopbackSOCKS5(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("TODO(#7876): test regressed on windows while CI was broken")
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()

--- a/tstest/integration/tailscaled_deps_test_darwin.go
+++ b/tstest/integration/tailscaled_deps_test_darwin.go
@@ -37,7 +37,6 @@ import (
 	_ "tailscale.com/ssh/tailssh"
 	_ "tailscale.com/syncs"
 	_ "tailscale.com/tailcfg"
-	_ "tailscale.com/tsd"
 	_ "tailscale.com/tsweb/varz"
 	_ "tailscale.com/types/flagtype"
 	_ "tailscale.com/types/key"
--- a/tstest/integration/tailscaled_deps_test_freebsd.go
+++ b/tstest/integration/tailscaled_deps_test_freebsd.go
@@ -37,7 +37,6 @@ import (
 	_ "tailscale.com/ssh/tailssh"
 	_ "tailscale.com/syncs"
 	_ "tailscale.com/tailcfg"
-	_ "tailscale.com/tsd"
 	_ "tailscale.com/tsweb/varz"
 	_ "tailscale.com/types/flagtype"
 	_ "tailscale.com/types/key"
--- a/tstest/integration/tailscaled_deps_test_linux.go
+++ b/tstest/integration/tailscaled_deps_test_linux.go
@@ -37,7 +37,6 @@ import (
 	_ "tailscale.com/ssh/tailssh"
 	_ "tailscale.com/syncs"
 	_ "tailscale.com/tailcfg"
-	_ "tailscale.com/tsd"
 	_ "tailscale.com/tsweb/varz"
 	_ "tailscale.com/types/flagtype"
 	_ "tailscale.com/types/key"
--- a/tstest/integration/tailscaled_deps_test_openbsd.go
+++ b/tstest/integration/tailscaled_deps_test_openbsd.go
@@ -37,7 +37,6 @@ import (
 	_ "tailscale.com/ssh/tailssh"
 	_ "tailscale.com/syncs"
 	_ "tailscale.com/tailcfg"
-	_ "tailscale.com/tsd"
 	_ "tailscale.com/tsweb/varz"
 	_ "tailscale.com/types/flagtype"
 	_ "tailscale.com/types/key"
--- a/tstest/integration/tailscaled_deps_test_windows.go
+++ b/tstest/integration/tailscaled_deps_test_windows.go
@@ -44,7 +44,6 @@ import (
 	_ "tailscale.com/smallzstd"
 	_ "tailscale.com/syncs"
 	_ "tailscale.com/tailcfg"
-	_ "tailscale.com/tsd"
 	_ "tailscale.com/tsweb/varz"
 	_ "tailscale.com/types/flagtype"
 	_ "tailscale.com/types/key"
--- a/tsweb/promvarz/promvarz_test.go
+++ b/tsweb/promvarz/promvarz_test.go
@@ -14,14 +14,11 @@ import (
 	"github.com/prometheus/client_golang/prometheus/testutil"
 )

-var (
-	testVar1 = expvar.NewInt("gauge_promvarz_test_expvar")
-	testVar2 = promauto.NewGauge(prometheus.GaugeOpts{Name: "promvarz_test_native"})
-)
-
 func TestHandler(t *testing.T) {
-	testVar1.Set(42)
-	testVar2.Set(4242)
+	test1 := expvar.NewInt("gauge_promvarz_test_expvar")
+	test1.Set(42)
+	test2 := promauto.NewGauge(prometheus.GaugeOpts{Name: "promvarz_test_native"})
+	test2.Set(4242)

 	svr := httptest.NewServer(http.HandlerFunc(Handler))
 	defer svr.Close()
--- a/util/codegen/codegen.go
+++ b/util/codegen/codegen.go
@@ -202,18 +202,13 @@ func AssertStructUnchanged(t *types.Struct, tname, ctx string, it *ImportTracker
 	w("var _%s%sNeedsRegeneration = %s(struct {", tname, ctx, tname)

 	for i := 0; i < t.NumFields(); i++ {
-		st := t.Field(i)
-		fname := st.Name()
+		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
 		if IsInvalid(ft) {
 			continue
 		}
 		qname := it.QualifiedName(ft)
-		if st.Anonymous() {
-			w("\t%s ", fname)
-		} else {
-			w("\t%s %s", fname, qname)
-		}
+		w("\t%s %s", fname, qname)
 	}

 	w("}{})\n")
--- a/util/set/set.go
+++ b/util/set/set.go
@@ -4,21 +4,6 @@
 // Package set contains set types.
 package set

-// Set is a set of T.
-type Set[T comparable] map[T]struct{}
-
-// Add adds e to the set.
-func (s Set[T]) Add(e T) { s[e] = struct{}{} }
-
-// Contains reports whether s contains e.
-func (s Set[T]) Contains(e T) bool {
-	_, ok := s[e]
-	return ok
-}
-
-// Len reports the number of items in s.
-func (s Set[T]) Len() int { return len(s) }
-
 // HandleSet is a set of T.
 //
 // It is not safe for concurrent use.
--- a/util/set/set_test.go
+++ b/util/set/set_test.go
@@ -1,24 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package set
-
-import "testing"
-
-func TestSet(t *testing.T) {
-	s := Set[int]{}
-	s.Add(1)
-	s.Add(2)
-	if !s.Contains(1) {
-		t.Error("missing 1")
-	}
-	if !s.Contains(2) {
-		t.Error("missing 2")
-	}
-	if s.Contains(3) {
-		t.Error("shouldn't have 3")
-	}
-	if s.Len() != 2 {
-		t.Errorf("wrong len %d; want 2", s.Len())
-	}
-}
--- a/version/version.go
+++ b/version/version.go
@@ -131,7 +131,7 @@ var getEmbeddedInfo = lazy.SyncFunc(func() embeddedInfo {
 				ret.commitDate = strings.ReplaceAll(ret.commitDate, "-", "")
 			}
 		case "vcs.modified":
-			ret.dirty = s.Value == "true"
+			ret.dirty = true
 		}
 	}
 	if ret.commit == "" || ret.commitDate == "" {
--- a/wgengine/netstack/netstack_test.go
+++ b/wgengine/netstack/netstack_test.go
@@ -16,7 +16,6 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tstun"
-	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/ipproto"
 	"tailscale.com/types/logid"
@@ -34,26 +33,29 @@ func TestInjectInboundLeak(t *testing.T) {
 			t.Logf(format, args...)
 		}
 	}
-	sys := new(tsd.System)
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		Tun:          tunDev,
-		Dialer:       dialer,
-		SetSubsystem: sys.Set,
+		Tun:    tunDev,
+		Dialer: dialer,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer eng.Close()
-	sys.Set(eng)
-	sys.Set(new(mem.Store))
+	ig, ok := eng.(wgengine.InternalsGetter)
+	if !ok {
+		t.Fatal("not an InternalsGetter")
+	}
+	tunWrap, magicSock, dns, ok := ig.GetInternals()
+	if !ok {
+		t.Fatal("failed to get internals")
+	}

-	tunWrap := sys.Tun.Get()
-	lb, err := ipnlocal.NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	lb, err := ipnlocal.NewLocalBackend(logf, logid.PublicID{}, new(mem.Store), dialer, eng, 0)
 	if err != nil {
 		t.Fatal(err)
 	}

-	ns, err := Create(logf, tunWrap, eng, sys.MagicSock.Get(), dialer, sys.DNSManager.Get())
+	ns, err := Create(logf, tunWrap, eng, magicSock, dialer, dns)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -87,28 +89,32 @@ func getMemStats() (ms runtime.MemStats) {

 func makeNetstack(t *testing.T, config func(*Impl)) *Impl {
 	tunDev := tstun.NewFake()
-	sys := &tsd.System{}
-	sys.Set(new(mem.Store))
 	dialer := new(tsdial.Dialer)
 	logf := tstest.WhileTestRunningLogger(t)
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		Tun:          tunDev,
-		Dialer:       dialer,
-		SetSubsystem: sys.Set,
+		Tun:    tunDev,
+		Dialer: dialer,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(func() { eng.Close() })
-	sys.Set(eng)
+	ig, ok := eng.(wgengine.InternalsGetter)
+	if !ok {
+		t.Fatal("not an InternalsGetter")
+	}
+	tunWrap, magicSock, dns, ok := ig.GetInternals()
+	if !ok {
+		t.Fatal("failed to get internals")
+	}

-	ns, err := Create(logf, sys.Tun.Get(), eng, sys.MagicSock.Get(), dialer, sys.DNSManager.Get())
+	ns, err := Create(logf, tunWrap, eng, magicSock, dialer, dns)
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(func() { ns.Close() })

-	lb, err := ipnlocal.NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	lb, err := ipnlocal.NewLocalBackend(logf, logid.PublicID{}, new(mem.Store), dialer, eng, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
--- a/wgengine/netstack/subnet_router_wrapper.go
+++ b/wgengine/netstack/subnet_router_wrapper.go
@@ -4,9 +4,16 @@
 package netstack

 import (
+	"reflect"
+
+	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/router"
 )

+func init() {
+	wgengine.NetstackRouterType = reflect.TypeOf(&subnetRouter{})
+}
+
 type subnetRouter struct {
 	router.Router
 }
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -10,8 +10,8 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"math"
 	"net/netip"
+	"reflect"
 	"runtime"
 	"strings"
 	"sync"
@@ -25,6 +25,7 @@ import (
 	"tailscale.com/health"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/dns"
+	"tailscale.com/net/dns/resolver"
 	"tailscale.com/net/flowtrack"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netmon"
@@ -149,6 +150,29 @@ type userspaceEngine struct {
 	// Lock ordering: magicsock.Conn.mu, wgLock, then mu.
 }

+// InternalsGetter is implemented by Engines that can export their internals.
+type InternalsGetter interface {
+	GetInternals() (_ *tstun.Wrapper, _ *magicsock.Conn, _ *dns.Manager, ok bool)
+}
+
+func (e *userspaceEngine) GetInternals() (_ *tstun.Wrapper, _ *magicsock.Conn, _ *dns.Manager, ok bool) {
+	return e.tundev, e.magicConn, e.dns, true
+}
+
+// ResolvingEngine is implemented by Engines that have DNS resolvers.
+type ResolvingEngine interface {
+	GetResolver() (_ *resolver.Resolver, ok bool)
+}
+
+var (
+	_ ResolvingEngine = (*userspaceEngine)(nil)
+	_ ResolvingEngine = (*watchdogEngine)(nil)
+)
+
+func (e *userspaceEngine) GetResolver() (r *resolver.Resolver, ok bool) {
+	return e.dns.Resolver(), true
+}
+
 // BIRDClient handles communication with the BIRD Internet Routing Daemon.
 type BIRDClient interface {
 	EnableProtocol(proto string) error
@@ -195,37 +219,47 @@ type Config struct {
 	// BIRDClient, if non-nil, will be used to configure BIRD whenever
 	// this node is a primary subnet router.
 	BIRDClient BIRDClient
-
-	// SetSubsystem, if non-nil, is called for each new subsystem created, just before a successful return.
-	SetSubsystem func(any)
 }

-// NewFakeUserspaceEngine returns a new userspace engine for testing.
-//
-// The opts may contain the following types:
-//
-//   - int or uint16: to set the ListenPort.
-func NewFakeUserspaceEngine(logf logger.Logf, opts ...any) (Engine, error) {
-	conf := Config{
-		RespondToPing: true,
-	}
-	for _, o := range opts {
-		switch v := o.(type) {
-		case uint16:
-			conf.ListenPort = v
-		case int:
-			if v < 0 || v > math.MaxUint16 {
-				return nil, fmt.Errorf("invalid ListenPort: %d", v)
-			}
-			conf.ListenPort = uint16(v)
-		case func(any):
-			conf.SetSubsystem = v
-		default:
-			return nil, fmt.Errorf("unknown option type %T", v)
-		}
-	}
+func NewFakeUserspaceEngine(logf logger.Logf, listenPort uint16) (Engine, error) {
 	logf("Starting userspace WireGuard engine (with fake TUN device)")
-	return NewUserspaceEngine(logf, conf)
+	return NewUserspaceEngine(logf, Config{
+		ListenPort:    listenPort,
+		RespondToPing: true,
+	})
+}
+
+// NetstackRouterType is a gross cross-package init-time registration
+// from netstack to here, informing this package of netstack's router
+// type.
+var NetstackRouterType reflect.Type
+
+// IsNetstackRouter reports whether e is either fully netstack based
+// (without TUN) or is at least using netstack for routing.
+func IsNetstackRouter(e Engine) bool {
+	switch e := e.(type) {
+	case *userspaceEngine:
+		if reflect.TypeOf(e.router) == NetstackRouterType {
+			return true
+		}
+	case *watchdogEngine:
+		return IsNetstackRouter(e.wrap)
+	}
+	return IsNetstack(e)
+}
+
+// IsNetstack reports whether e is a netstack-based TUN-free engine.
+func IsNetstack(e Engine) bool {
+	ig, ok := e.(InternalsGetter)
+	if !ok {
+		return false
+	}
+	tw, _, _, ok := ig.GetInternals()
+	if !ok {
+		return false
+	}
+	name, err := tw.Name()
+	return err == nil && name == "FakeTUN"
 }

 // NewUserspaceEngine creates the named tun device and returns a
@@ -424,15 +458,6 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)
 	e.logf("Starting network monitor...")
 	e.netMon.Start()

-	if conf.SetSubsystem != nil {
-		conf.SetSubsystem(e.tundev)
-		conf.SetSubsystem(e.magicConn)
-		conf.SetSubsystem(e.dns)
-		conf.SetSubsystem(conf.Router)
-		conf.SetSubsystem(conf.Dialer)
-		conf.SetSubsystem(e.netMon)
-	}
-
 	e.logf("Engine created.")
 	return e, nil
 }
@@ -1094,6 +1119,10 @@ func (e *userspaceEngine) Wait() {
 	<-e.waitCh
 }

+func (e *userspaceEngine) GetNetMon() *netmon.Monitor {
+	return e.netMon
+}
+
 // LinkChange signals a network change event. It's currently
 // (2021-03-03) only called on Android. On other platforms, netMon
 // generates link change events for us.
--- a/wgengine/userspace_ext_test.go
+++ b/wgengine/userspace_ext_test.go
@@ -8,7 +8,6 @@ import (

 	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/net/tstun"
-	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
@@ -16,23 +15,21 @@ import (
 )

 func TestIsNetstack(t *testing.T) {
-	sys := new(tsd.System)
-	e, err := wgengine.NewUserspaceEngine(t.Logf, wgengine.Config{SetSubsystem: sys.Set})
+	e, err := wgengine.NewUserspaceEngine(t.Logf, wgengine.Config{})
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer e.Close()
-	if !sys.IsNetstack() {
+	if !wgengine.IsNetstack(e) {
 		t.Errorf("IsNetstack = false; want true")
 	}
 }

 func TestIsNetstackRouter(t *testing.T) {
 	tests := []struct {
-		name              string
-		conf              wgengine.Config
-		setNetstackRouter bool
-		want              bool
+		name string
+		conf wgengine.Config
+		want bool
 	}{
 		{
 			name: "no_netstack",
@@ -53,26 +50,23 @@ func TestIsNetstackRouter(t *testing.T) {
 				Tun:    newFakeOSTUN(),
 				Router: netstack.NewSubnetRouterWrapper(newFakeOSRouter()),
 			},
-			setNetstackRouter: true,
-			want:              true,
+			want: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			sys := &tsd.System{}
-			if tt.setNetstackRouter {
-				sys.NetstackRouter.Set(true)
-			}
-			conf := tt.conf
-			conf.SetSubsystem = sys.Set
-			e, err := wgengine.NewUserspaceEngine(logger.Discard, conf)
+			e, err := wgengine.NewUserspaceEngine(logger.Discard, tt.conf)
 			if err != nil {
 				t.Fatal(err)
 			}
 			defer e.Close()
-			if got := sys.IsNetstackRouter(); got != tt.want {
+			if got := wgengine.IsNetstackRouter(e); got != tt.want {
 				t.Errorf("IsNetstackRouter = %v; want %v", got, tt.want)
 			}
+
+			if got := wgengine.IsNetstackRouter(wgengine.NewWatchdog(e)); got != tt.want {
+				t.Errorf("IsNetstackRouter(watchdog-wrapped) = %v; want %v", got, tt.want)
+			}
 		})
 	}
 }
--- a/wgengine/watchdog.go
+++ b/wgengine/watchdog.go
@@ -17,11 +17,15 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/dns"
+	"tailscale.com/net/dns/resolver"
+	"tailscale.com/net/netmon"
+	"tailscale.com/net/tstun"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
 	"tailscale.com/wgengine/capture"
 	"tailscale.com/wgengine/filter"
+	"tailscale.com/wgengine/magicsock"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/wgcfg"
 )
@@ -122,6 +126,9 @@ func (e *watchdogEngine) watchdog(name string, fn func()) {
 func (e *watchdogEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config, dnsCfg *dns.Config, debug *tailcfg.Debug) error {
 	return e.watchdogErr("Reconfig", func() error { return e.wrap.Reconfig(cfg, routerCfg, dnsCfg, debug) })
 }
+func (e *watchdogEngine) GetNetMon() *netmon.Monitor {
+	return e.wrap.GetNetMon()
+}
 func (e *watchdogEngine) GetFilter() *filter.Filter {
 	return e.wrap.GetFilter()
 }
@@ -174,6 +181,18 @@ func (e *watchdogEngine) WhoIsIPPort(ipp netip.AddrPort) (tsIP netip.Addr, ok bo
 func (e *watchdogEngine) Close() {
 	e.watchdog("Close", e.wrap.Close)
 }
+func (e *watchdogEngine) GetInternals() (tw *tstun.Wrapper, c *magicsock.Conn, d *dns.Manager, ok bool) {
+	if ig, ok := e.wrap.(InternalsGetter); ok {
+		return ig.GetInternals()
+	}
+	return
+}
+func (e *watchdogEngine) GetResolver() (r *resolver.Resolver, ok bool) {
+	if re, ok := e.wrap.(ResolvingEngine); ok {
+		return re.GetResolver()
+	}
+	return nil, false
+}
 func (e *watchdogEngine) PeerForIP(ip netip.Addr) (ret PeerForIP, ok bool) {
 	e.watchdog("PeerForIP", func() { ret, ok = e.wrap.PeerForIP(ip) })
 	return ret, ok
--- a/wgengine/wgengine.go
+++ b/wgengine/wgengine.go
@@ -10,6 +10,7 @@ import (

 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/dns"
+	"tailscale.com/net/netmon"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
@@ -91,6 +92,9 @@ type Engine interface {
 	// WireGuard status changes.
 	SetStatusCallback(StatusCallback)

+	// GetNetMon returns the network monitor.
+	GetNetMon() *netmon.Monitor
+
 	// RequestStatus requests a WireGuard status update right
 	// away, sent to the callback registered via SetStatusCallback.
 	RequestStatus()
--- a/words/tails.txt
+++ b/words/tails.txt
@@ -541,6 +541,3 @@ vimba
 wahoo
 coelacanth
 llama
-shrimp
-prawn
-lobster
Author	SHA1	Message	Date
Shayne Sweeney	1dc9edde90	cmd/tailscale/cli: [web] update JS in web.html for Unraid support Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2023-05-16 20:34:30 -04:00
Derek Kaser	b15d8525d0	cmd/tailscale: allow Tailscale to work with Unraid web interface Updates tailscale/tailscale#8026 Signed-off-by: Derek Kaser <derek.kaser@gmail.com>	2023-05-06 22:35:02 -04:00
@@ -1 +1 @@
 .43.0
 .41.0