Added single node test to check Addresses and AllowedIPs

Signed-off-by: Simeng He <simeng@tailscale.com>
Added new Addresses / AllowedIPs fields to testcontrol when creating new &tailcfg.Node
2021-05-18 16:06:05 -04:00 · 2021-05-18 13:47:21 -04:00
64 changed files with 626 additions and 2475 deletions
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -64,7 +64,6 @@ var pingArgs struct {
 }

 func runPing(ctx context.Context, args []string) error {
-	fmt.Println("runPing")
 	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()

--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -230,9 +230,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 			warnf("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = preftype.NetfilterOff
-			if defaultNetfilterMode() != "off" {
-				warnf("netfilter=off; configure iptables yourself.")
-			}
+			warnf("netfilter=off; configure iptables yourself.")
 		default:
 			return nil, fmt.Errorf("invalid value --netfilter-mode=%q", upArgs.netfilterMode)
 		}
@@ -268,7 +266,7 @@ func runUp(ctx context.Context, args []string) error {
 	}

 	if distro.Get() == distro.Synology {
-		notSupported := "not supported on Synology; see https://github.com/tailscale/tailscale/issues/1995"
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
 		if upArgs.acceptRoutes {
 			return errors.New("--accept-routes is " + notSupported)
 		}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -214,8 +214,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			w.WriteHeader(500)
-			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			json.NewEncoder(w).Encode(mi{"error": err})
 			return
 		}
 		json.NewEncoder(w).Encode(mi{"url": url})
@@ -321,10 +320,6 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	})
 	bc.StartLoginInteractive()

-	<-pumpCtx.Done() // wait for authURL or complete failure
-	if authURL == "" && retErr == nil {
-		retErr = pumpCtx.Err()
-	}
 	if authURL == "" && retErr == nil {
 		return "", fmt.Errorf("login failed with no backend error message")
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -1,7 +1,6 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
@@ -49,6 +48,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/wgkey                                    from tailscale.com/types/netmap+
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -1,42 +1,41 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)

-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+   W 💣 github.com/github/certstore                                  from tailscale.com/control/controlclient
        github.com/go-multierror/multierror                          from tailscale.com/wgengine/router+
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
-        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
-   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
-   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+   W    github.com/pkg/errors                                        from github.com/github/certstore
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
-     💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
-     💣 golang.zx2c4.com/wireguard/device                            from tailscale.com/net/tstun+
-     💣 golang.zx2c4.com/wireguard/ipc                               from golang.zx2c4.com/wireguard/device
-   W 💣 golang.zx2c4.com/wireguard/ipc/winpipe                       from golang.zx2c4.com/wireguard/ipc
-        golang.zx2c4.com/wireguard/ratelimiter                       from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/replay                            from golang.zx2c4.com/wireguard/device
-        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
-        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device+
-     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
-   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        inet.af/netaddr                                              from tailscale.com/control/controlclient+
     💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
@@ -129,6 +128,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
+        tailscale.com/types/strbuilder                               from tailscale.com/net/packet
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
        tailscale.com/types/wgkey                                    from tailscale.com/control/controlclient+
   L    tailscale.com/util/cmpver                                    from tailscale.com/net/dns
@@ -155,7 +155,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -164,7 +164,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -172,15 +172,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
-        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from tailscale.com/derp
        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
+   W    golang.org/x/sys/windows                                     from github.com/tailscale/wireguard-go/conn+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
   W    golang.org/x/sys/windows/svc                                 from tailscale.com/cmd/tailscaled+
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -7,7 +7,6 @@ package controlclient
 import (
 	"context"
 	"fmt"
-	"log"
 	"sync"
 	"time"

@@ -158,7 +157,6 @@ func (c *Auto) Start() {
 //
 // It should be called whenever there's something new to tell the server.
 func (c *Auto) sendNewMapRequest() {
-	log.Println("sendNewMapRequest breakpoint")
 	c.mu.Lock()

 	// If we're not already streaming a netmap, or if we're already stuck
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -32,7 +32,6 @@ import (
 	"golang.org/x/crypto/nacl/box"
 	"inet.af/netaddr"
 	"tailscale.com/health"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
@@ -67,7 +66,6 @@ type Direct struct {
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
-	pinger                 Pinger

 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgkey.Key
@@ -81,11 +79,6 @@ type Direct struct {
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	localPort     uint16 // or zero to mean auto
 }
-type Pinger interface {
-	// Ping is a request to start a discovery ping with the peer handling
-	// the given IP and then call cb with its ping latency & method.
-	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
-}

 type Options struct {
 	Persist              persist.Persist               // initial persistent data
@@ -101,7 +94,6 @@ type Options struct {
 	HTTPTestClient       *http.Client // optional HTTP client to use (for tests only)
 	DebugFlags           []string     // debug settings to send to control
 	LinkMonitor          *monitor.Mon // optional link monitor
-	Pinger               Pinger

 	// KeepSharerAndUserSplit controls whether the client
 	// understands Node.Sharer. If false, the Sharer is mapped to the User.
@@ -173,7 +165,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
 		linkMon:                opts.LinkMonitor,
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
-		pinger:                 opts.Pinger,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -562,7 +553,6 @@ func inTest() bool { return flag.Lookup("test.v") != nil }
 // maxPolls is how many network maps to download; common values are 1
 // or -1 (to keep a long-poll query open to the server).
 func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*netmap.NetworkMap)) error {
-	log.Println("POLLNETMAP BREAKPOINT")
 	return c.sendMapRequest(ctx, maxPolls, cb)
 }

@@ -570,7 +560,6 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*netmap.N
 // but does not fetch anything. It returns an error if the server did not return a
 // successful 200 OK response.
 func (c *Direct) SendLiteMapUpdate(ctx context.Context) error {
-	log.Println("SendLiteMapUpdate BREAKPOINT")
 	return c.sendMapRequest(ctx, 1, nil)
 }

@@ -582,7 +571,6 @@ const pollTimeout = 120 * time.Second
 // cb nil means to omit peers.
 func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netmap.NetworkMap)) error {
 	c.mu.Lock()
-	log.Println("sendMapRequest ENDPOINT")
 	persist := c.persist
 	serverURL := c.serverURL
 	serverKey := c.serverKey
@@ -773,11 +761,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		}

 		if pr := resp.PingRequest; pr != nil {
-			// return err
-			log.Println("Ping Triggered")
-			for i := 0; i < 10; i++ {
-				c.CustomPing(&resp)
-			}
 			go answerPing(c.logf, c.httpc, pr)
 		}

@@ -876,8 +859,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		c.expiry = &nm.Expiry
 		c.mu.Unlock()

-		// log.Println("MAPRESPONSE: ", resp.Node)
-		// c.logf("MAPRESPONSE: %v", resp.Node)
 		cb(nm)
 	}
 	if ctx.Err() != nil {
@@ -1230,35 +1211,3 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 		}
 	}
 }
-
-// Run the ping suite from this client to another one
-// Send the ping results via http to the adminhttp handlers.
-// This is where we hopefully will run the ping suite similar to CLI
-func (c *Direct) CustomPing(mr *tailcfg.MapResponse) bool {
-	log.Printf("Custom Ping Triggered with %d number of peers\n", len(mr.Peers))
-	log.Println("Ping Request: ", mr.PingRequest)
-	log.Println("ALOHA")
-	log.Println("CP PEERLIST : ", mr.Peers, mr.PeersChanged, mr.PeersRemoved, mr.PeerSeenChange)
-	if len(mr.Peers) > 0 {
-		log.Println("Peer data: ", mr.Peers[0].ID)
-	}
-	ip := mr.PingRequest.TestIP
-	log.Println("TestIP : ", ip)
-	start := time.Now()
-	// Run the ping
-	var pingRes *ipnstate.PingResult
-	for i := 1; i <= 10; i++ {
-		log.Println("Ping attempt ", i)
-		go c.pinger.Ping(ip, true, func(res *ipnstate.PingResult) {
-			log.Println("Callback", res, (res.NodeIP))
-			pingRes = res
-		})
-	}
-
-	log.Println("PINGRES", pingRes)
-	duration := time.Since(start)
-	// Send the data to the handler in api.go admin/api/ping
-	log.Printf("Ping operation took %f seconds\n", duration.Seconds())
-
-	return len(mr.Peers) > 0
-}
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -103,37 +103,3 @@ func TestNewHostinfo(t *testing.T) {
 	}
 	t.Logf("Got: %s", j)
 }
-
-// Currently not working properly
-func TestPingFromMapResponse(t *testing.T) {
-	hi := NewHostinfo()
-	ni := tailcfg.NetInfo{LinkType: "wired"}
-	hi.NetInfo = &ni
-
-	key, err := wgkey.NewPrivate()
-	if err != nil {
-		t.Error(err)
-	}
-	opts := Options{
-		ServerURL: "https://example.com",
-		Hostinfo:  hi,
-		GetMachinePrivateKey: func() (wgkey.Private, error) {
-			return key, nil
-		},
-	}
-	c, err := NewDirect(opts)
-	if c == nil || err != nil {
-		t.Errorf("Direct not created %w", err)
-	}
-	peers := []*tailcfg.Node{
-		{ID: 1},
-		{ID: 2},
-		{ID: 3},
-	}
-	pingRequest := tailcfg.PingRequest{URL: "localhost:3040", Log: true, PayloadSize: 10}
-	mr := &tailcfg.MapResponse{Peers: peers, Domain: "DumbTest", PingRequest: &pingRequest}
-	if !c.CustomPing(mr) {
-		t.Errorf("Custom ping failed!\n")
-	}
-	t.Log("Successful ping")
-}
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -18,7 +18,7 @@ import (
 	"fmt"
 	"sync"

-	"github.com/tailscale/certstore"
+	"github.com/github/certstore"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/winutil"
--- a/go.mod
+++ b/go.mod
@@ -3,44 +3,48 @@ module tailscale.com
 go 1.16

 require (
-	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
-	github.com/coreos/go-iptables v0.6.0
-	github.com/frankban/quicktest v1.13.0
-	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
-	github.com/gliderlabs/ssh v0.3.2
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
+	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
+	github.com/coreos/go-iptables v0.4.5
+	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
+	github.com/frankban/quicktest v1.12.1
+	github.com/github/certstore v0.1.0
+	github.com/gliderlabs/ssh v0.2.2
 	github.com/go-multierror/multierror v1.0.2
-	github.com/go-ole/go-ole v1.2.5
-	github.com/godbus/dbus/v5 v5.0.4
+	github.com/go-ole/go-ole v1.2.4
+	github.com/godbus/dbus/v5 v5.0.3
 	github.com/google/go-cmp v0.5.5
-	github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f
-	github.com/goreleaser/nfpm v1.10.3
-	github.com/jsimonetti/rtnetlink v0.0.0-20210409061457-9561dc9288a7
+	github.com/goreleaser/nfpm v1.1.10
+	github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.12.2
+	github.com/klauspost/compress v1.10.10
 	github.com/kr/pty v1.1.8
-	github.com/mdlayher/netlink v1.4.0
-	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
-	github.com/miekg/dns v1.1.42
-	github.com/pborman/getopt v1.1.0
+	github.com/mdlayher/netlink v1.3.2
+	github.com/mdlayher/sdnotify v0.0.0-20200625151349-e4a4f32afc4a
+	github.com/miekg/dns v1.1.30
+	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
+	github.com/tailscale/wireguard-go v0.0.0-20210511223652-bbf7d6cfb6ac
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
-	golang.org/x/net v0.0.0-20210525063256-abc453219eb5
+	golang.org/x/crypto v0.0.0-20210317152858-513c2a44f670
+	golang.org/x/net v0.0.0-20210510120150-4163338589ed
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea
-	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
+	golang.org/x/sys v0.0.0-20210510120138-977fb7262007
+	golang.org/x/term v0.0.0-20210317153231-de623e64d2a6
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
-	golang.org/x/tools v0.1.2
-	golang.zx2c4.com/wireguard v0.0.0-20210525143454-64cb82f2b3f5
-	golang.zx2c4.com/wireguard/windows v0.3.15-0.20210525143335-94c0476d63e3
-	honnef.co/go/tools v0.1.4
-	inet.af/netaddr v0.0.0-20210523191804-d57edf19c517
+	golang.org/x/tools v0.1.0
+	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201113162609-9b85be97fdf8
+	gopkg.in/yaml.v2 v2.2.8 // indirect
+	honnef.co/go/tools v0.1.0
+	inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841
 	inet.af/netstack v0.0.0-20210317161235-a1bf4e56ef22
-	inet.af/peercred v0.0.0-20210318190834-4259e17bb763
+	inet.af/peercred v0.0.0-20210302202138-56e694897155
 	inet.af/wf v0.0.0-20210516214145-a5343001b756
 	rsc.io/goversion v1.2.0
 )
+
+replace github.com/github/certstore => github.com/cyolosecurity/certstore v0.0.0-20200922073901-ece7f1d353c2
--- a/go.sum
+++ b/go.sum
--- a/internal/deephash/deephash.go
+++ b/internal/deephash/deephash.go
@@ -9,28 +9,26 @@ package deephash
 import (
 	"bufio"
 	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
-	"hash"
 	"reflect"
-	"strconv"
-	"sync"
+
+	"inet.af/netaddr"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/wgkey"
 )

-func calcHash(v interface{}) string {
+func Hash(v ...interface{}) string {
 	h := sha256.New()
-	b := bufio.NewWriterSize(h, h.BlockSize())
-	scratch := make([]byte, 0, 128)
-	printTo(b, v, scratch)
+	// 64 matches the chunk size in crypto/sha256/sha256.go
+	b := bufio.NewWriterSize(h, 64)
+	Print(b, v)
 	b.Flush()
-	scratch = h.Sum(scratch[:0])
-	hex.Encode(scratch[:cap(scratch)], scratch[:sha256.Size])
-	return string(scratch[:sha256.Size*2])
+	return fmt.Sprintf("%x", h.Sum(nil))
 }

 // UpdateHash sets last to the hash of v and reports whether its value changed.
 func UpdateHash(last *string, v ...interface{}) (changed bool) {
-	sig := calcHash(v)
+	sig := Hash(v)
 	if *last != sig {
 		*last = sig
 		return true
@@ -38,30 +36,81 @@ func UpdateHash(last *string, v ...interface{}) (changed bool) {
 	return false
 }

-func printTo(w *bufio.Writer, v interface{}, scratch []byte) {
-	print(w, reflect.ValueOf(v), make(map[uintptr]bool), scratch)
+func Print(w *bufio.Writer, v ...interface{}) {
+	print(w, reflect.ValueOf(v), make(map[uintptr]bool))
 }

-var appenderToType = reflect.TypeOf((*appenderTo)(nil)).Elem()
+var (
+	netaddrIPType       = reflect.TypeOf(netaddr.IP{})
+	netaddrIPPrefix     = reflect.TypeOf(netaddr.IPPrefix{})
+	wgkeyKeyType        = reflect.TypeOf(wgkey.Key{})
+	wgkeyPrivateType    = reflect.TypeOf(wgkey.Private{})
+	tailcfgDiscoKeyType = reflect.TypeOf(tailcfg.DiscoKey{})
+)

-type appenderTo interface {
-	AppendTo([]byte) []byte
-}
-
-// print hashes v into w.
-// It reports whether it was able to do so without hitting a cycle.
-func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
+func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool) {
 	if !v.IsValid() {
-		return true
+		return
 	}

+	// Special case some common types.
 	if v.CanInterface() {
-		// Use AppendTo methods, if available and cheap.
-		if v.CanAddr() && v.Type().Implements(appenderToType) {
-			a := v.Addr().Interface().(appenderTo)
-			scratch = a.AppendTo(scratch[:0])
-			w.Write(scratch)
-			return true
+		switch v.Type() {
+		case netaddrIPType:
+			var b []byte
+			var err error
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*netaddr.IP)
+				b, err = x.MarshalText()
+			} else {
+				x := v.Interface().(netaddr.IP)
+				b, err = x.MarshalText()
+			}
+			if err == nil {
+				w.Write(b)
+				return
+			}
+		case netaddrIPPrefix:
+			var b []byte
+			var err error
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*netaddr.IPPrefix)
+				b, err = x.MarshalText()
+			} else {
+				x := v.Interface().(netaddr.IPPrefix)
+				b, err = x.MarshalText()
+			}
+			if err == nil {
+				w.Write(b)
+				return
+			}
+		case wgkeyKeyType:
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*wgkey.Key)
+				w.Write(x[:])
+			} else {
+				x := v.Interface().(wgkey.Key)
+				w.Write(x[:])
+			}
+			return
+		case wgkeyPrivateType:
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*wgkey.Private)
+				w.Write(x[:])
+			} else {
+				x := v.Interface().(wgkey.Private)
+				w.Write(x[:])
+			}
+			return
+		case tailcfgDiscoKeyType:
+			if v.CanAddr() {
+				x := v.Addr().Interface().(*tailcfg.DiscoKey)
+				w.Write(x[:])
+			} else {
+				x := v.Interface().(tailcfg.DiscoKey)
+				w.Write(x[:])
+			}
+			return
 		}
 	}

@@ -72,45 +121,43 @@ func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch [
 	case reflect.Ptr:
 		ptr := v.Pointer()
 		if visited[ptr] {
-			return false
+			return
 		}
 		visited[ptr] = true
-		return print(w, v.Elem(), visited, scratch)
+		print(w, v.Elem(), visited)
+		return
 	case reflect.Struct:
-		acyclic = true
 		w.WriteString("struct{\n")
 		for i, n := 0, v.NumField(); i < n; i++ {
 			fmt.Fprintf(w, " [%d]: ", i)
-			if !print(w, v.Field(i), visited, scratch) {
-				acyclic = false
-			}
+			print(w, v.Field(i), visited)
 			w.WriteString("\n")
 		}
 		w.WriteString("}\n")
-		return acyclic
 	case reflect.Slice, reflect.Array:
 		if v.Type().Elem().Kind() == reflect.Uint8 && v.CanInterface() {
 			fmt.Fprintf(w, "%q", v.Interface())
-			return true
+			return
 		}
 		fmt.Fprintf(w, "[%d]{\n", v.Len())
-		acyclic = true
 		for i, ln := 0, v.Len(); i < ln; i++ {
 			fmt.Fprintf(w, " [%d]: ", i)
-			if !print(w, v.Index(i), visited, scratch) {
-				acyclic = false
-			}
+			print(w, v.Index(i), visited)
 			w.WriteString("\n")
 		}
 		w.WriteString("}\n")
-		return acyclic
 	case reflect.Interface:
-		return print(w, v.Elem(), visited, scratch)
+		print(w, v.Elem(), visited)
 	case reflect.Map:
-		if hashMapAcyclic(w, v, visited, scratch) {
-			return true
+		sm := newSortedMap(v)
+		fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
+		for i, k := range sm.Key {
+			print(w, k, visited)
+			w.WriteString(": ")
+			print(w, sm.Value[i], visited)
+			w.WriteString("\n")
 		}
-		return hashMapFallback(w, v, visited, scratch)
+		w.WriteString("}\n")
 	case reflect.String:
 		w.WriteString(v.String())
 	case reflect.Bool:
@@ -118,109 +165,10 @@ func print(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch [
 	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
 		fmt.Fprintf(w, "%v", v.Int())
 	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		scratch = strconv.AppendUint(scratch[:0], v.Uint(), 10)
-		w.Write(scratch)
+		fmt.Fprintf(w, "%v", v.Uint())
 	case reflect.Float32, reflect.Float64:
 		fmt.Fprintf(w, "%v", v.Float())
 	case reflect.Complex64, reflect.Complex128:
 		fmt.Fprintf(w, "%v", v.Complex())
 	}
-	return true
-}
-
-type mapHasher struct {
-	xbuf [sha256.Size]byte // XOR'ed accumulated buffer
-	ebuf [sha256.Size]byte // scratch buffer
-	s256 hash.Hash         // sha256 hash.Hash
-	bw   *bufio.Writer     // to hasher into ebuf
-	val  valueCache        // re-usable values for map iteration
-	iter *reflect.MapIter  // re-usable map iterator
-}
-
-func (mh *mapHasher) Reset() {
-	for i := range mh.xbuf {
-		mh.xbuf[i] = 0
-	}
-}
-
-func (mh *mapHasher) startEntry() {
-	for i := range mh.ebuf {
-		mh.ebuf[i] = 0
-	}
-	mh.bw.Flush()
-	mh.s256.Reset()
-}
-
-func (mh *mapHasher) endEntry() {
-	mh.bw.Flush()
-	for i, b := range mh.s256.Sum(mh.ebuf[:0]) {
-		mh.xbuf[i] ^= b
-	}
-}
-
-var mapHasherPool = &sync.Pool{
-	New: func() interface{} {
-		mh := new(mapHasher)
-		mh.s256 = sha256.New()
-		mh.bw = bufio.NewWriter(mh.s256)
-		mh.val = make(valueCache)
-		mh.iter = new(reflect.MapIter)
-		return mh
-	},
-}
-
-type valueCache map[reflect.Type]reflect.Value
-
-func (c valueCache) get(t reflect.Type) reflect.Value {
-	v, ok := c[t]
-	if !ok {
-		v = reflect.New(t).Elem()
-		c[t] = v
-	}
-	return v
-}
-
-// hashMapAcyclic is the faster sort-free version of map hashing. If
-// it detects a cycle it returns false and guarantees that nothing was
-// written to w.
-func hashMapAcyclic(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
-	mh := mapHasherPool.Get().(*mapHasher)
-	defer mapHasherPool.Put(mh)
-	mh.Reset()
-	iter := mapIter(mh.iter, v)
-	defer mapIter(mh.iter, reflect.Value{}) // avoid pinning v from mh.iter when we return
-	k := mh.val.get(v.Type().Key())
-	e := mh.val.get(v.Type().Elem())
-	for iter.Next() {
-		key := iterKey(iter, k)
-		val := iterVal(iter, e)
-		mh.startEntry()
-		if !print(mh.bw, key, visited, scratch) {
-			return false
-		}
-		if !print(mh.bw, val, visited, scratch) {
-			return false
-		}
-		mh.endEntry()
-	}
-	w.Write(mh.xbuf[:])
-	return true
-}
-
-func hashMapFallback(w *bufio.Writer, v reflect.Value, visited map[uintptr]bool, scratch []byte) (acyclic bool) {
-	acyclic = true
-	sm := newSortedMap(v)
-	fmt.Fprintf(w, "map[%d]{\n", len(sm.Key))
-	for i, k := range sm.Key {
-		if !print(w, k, visited, scratch) {
-			acyclic = false
-		}
-		w.WriteString(": ")
-		if !print(w, sm.Value[i], visited, scratch) {
-			acyclic = false
-		}
-		w.WriteString("\n")
-	}
-	w.WriteString("}\n")
-	return acyclic
 }
--- a/internal/deephash/deephash_test.go
+++ b/internal/deephash/deephash_test.go
@@ -5,10 +5,6 @@
 package deephash

 import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"reflect"
 	"testing"

 	"inet.af/netaddr"
@@ -18,15 +14,15 @@ import (
 	"tailscale.com/wgengine/wgcfg"
 )

-func TestDeepHash(t *testing.T) {
+func TestDeepPrint(t *testing.T) {
 	// v contains the types of values we care about for our current callers.
 	// Mostly we're just testing that we don't panic on handled types.
 	v := getVal()

-	hash1 := calcHash(v)
+	hash1 := Hash(v)
 	t.Logf("hash: %v", hash1)
 	for i := 0; i < 20; i++ {
-		hash2 := calcHash(getVal())
+		hash2 := Hash(getVal())
 		if hash1 != hash2 {
 			t.Error("second hash didn't match")
 		}
@@ -55,23 +51,14 @@ func getVal() []interface{} {
 		map[dnsname.FQDN][]netaddr.IP{
 			dnsname.FQDN("a."): {netaddr.MustParseIP("1.2.3.4"), netaddr.MustParseIP("4.3.2.1")},
 			dnsname.FQDN("b."): {netaddr.MustParseIP("8.8.8.8"), netaddr.MustParseIP("9.9.9.9")},
-			dnsname.FQDN("c."): {netaddr.MustParseIP("6.6.6.6"), netaddr.MustParseIP("7.7.7.7")},
-			dnsname.FQDN("d."): {netaddr.MustParseIP("6.7.6.6"), netaddr.MustParseIP("7.7.7.8")},
-			dnsname.FQDN("e."): {netaddr.MustParseIP("6.8.6.6"), netaddr.MustParseIP("7.7.7.9")},
-			dnsname.FQDN("f."): {netaddr.MustParseIP("6.9.6.6"), netaddr.MustParseIP("7.7.7.0")},
 		},
 		map[dnsname.FQDN][]netaddr.IPPort{
 			dnsname.FQDN("a."): {netaddr.MustParseIPPort("1.2.3.4:11"), netaddr.MustParseIPPort("4.3.2.1:22")},
 			dnsname.FQDN("b."): {netaddr.MustParseIPPort("8.8.8.8:11"), netaddr.MustParseIPPort("9.9.9.9:22")},
-			dnsname.FQDN("c."): {netaddr.MustParseIPPort("8.8.8.8:12"), netaddr.MustParseIPPort("9.9.9.9:23")},
-			dnsname.FQDN("d."): {netaddr.MustParseIPPort("8.8.8.8:13"), netaddr.MustParseIPPort("9.9.9.9:24")},
-			dnsname.FQDN("e."): {netaddr.MustParseIPPort("8.8.8.8:14"), netaddr.MustParseIPPort("9.9.9.9:25")},
 		},
 		map[tailcfg.DiscoKey]bool{
 			{1: 1}: true,
 			{1: 2}: false,
-			{2: 3}: true,
-			{3: 4}: false,
 		},
 	}
 }
@@ -80,57 +67,6 @@ func BenchmarkHash(b *testing.B) {
 	b.ReportAllocs()
 	v := getVal()
 	for i := 0; i < b.N; i++ {
-		calcHash(v)
-	}
-}
-
-func TestHashMapAcyclic(t *testing.T) {
-	m := map[int]string{}
-	for i := 0; i < 100; i++ {
-		m[i] = fmt.Sprint(i)
-	}
-	got := map[string]bool{}
-
-	var buf bytes.Buffer
-	bw := bufio.NewWriter(&buf)
-
-	for i := 0; i < 20; i++ {
-		visited := map[uintptr]bool{}
-		scratch := make([]byte, 0, 64)
-		v := reflect.ValueOf(m)
-		buf.Reset()
-		bw.Reset(&buf)
-		if !hashMapAcyclic(bw, v, visited, scratch) {
-			t.Fatal("returned false")
-		}
-		if got[string(buf.Bytes())] {
-			continue
-		}
-		got[string(buf.Bytes())] = true
-	}
-	if len(got) != 1 {
-		t.Errorf("got %d results; want 1", len(got))
-	}
-}
-
-func BenchmarkHashMapAcyclic(b *testing.B) {
-	b.ReportAllocs()
-	m := map[int]string{}
-	for i := 0; i < 100; i++ {
-		m[i] = fmt.Sprint(i)
-	}
-
-	var buf bytes.Buffer
-	bw := bufio.NewWriter(&buf)
-	visited := map[uintptr]bool{}
-	scratch := make([]byte, 0, 64)
-	v := reflect.ValueOf(m)
-
-	for i := 0; i < b.N; i++ {
-		buf.Reset()
-		bw.Reset(&buf)
-		if !hashMapAcyclic(bw, v, visited, scratch) {
-			b.Fatal("returned false")
-		}
+		Hash(v)
 	}
 }
--- a/internal/deephash/mapiter.go
+++ b/internal/deephash/mapiter.go
@@ -1,37 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !tailscale_go
-
-package deephash
-
-import "reflect"
-
-// iterKey returns the current iter key.
-// scratch is a re-usable reflect.Value.
-// iterKey may store the iter key in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterKey(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
-	return iter.Key()
-}
-
-// iterVal returns the current iter val.
-// scratch is a re-usable reflect.Value.
-// iterVal may store the iter val in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterVal(iter *reflect.MapIter, _ reflect.Value) reflect.Value {
-	return iter.Value()
-}
-
-// mapIter returns a map iterator for mapVal.
-// scratch is a re-usable reflect.MapIter.
-// mapIter may re-use scratch and return it,
-// or it may allocate and return a new *reflect.MapIter.
-// If mapVal is the zero reflect.Value, mapIter may return nil.
-func mapIter(_ *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
-	if !mapVal.IsValid() {
-		return nil
-	}
-	return mapVal.MapRange()
-}
--- a/internal/deephash/mapiter_future.go
+++ b/internal/deephash/mapiter_future.go
@@ -1,42 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build tailscale_go
-
-package deephash
-
-import "reflect"
-
-// iterKey returns the current iter key.
-// scratch is a re-usable reflect.Value.
-// iterKey may store the iter key in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterKey(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
-	iter.SetKey(scratch)
-	return scratch
-}
-
-// iterVal returns the current iter val.
-// scratch is a re-usable reflect.Value.
-// iterVal may store the iter val in scratch and return scratch,
-// or it may allocate and return a new reflect.Value.
-func iterVal(iter *reflect.MapIter, scratch reflect.Value) reflect.Value {
-	iter.SetValue(scratch)
-	return scratch
-}
-
-// mapIter returns a map iterator for mapVal.
-// scratch is a re-usable reflect.MapIter.
-// mapIter may re-use scratch and return it,
-// or it may allocate and return a new *reflect.MapIter.
-// If mapVal is the zero reflect.Value, mapIter may return nil.
-func mapIter(scratch *reflect.MapIter, mapVal reflect.Value) *reflect.MapIter {
-	scratch.Reset(mapVal) // always Reset, to allow the caller to avoid pinning memory
-	if !mapVal.IsValid() {
-		// Returning scratch would also be OK.
-		// Do this for consistency with the non-optimized version.
-		return nil
-	}
-	return scratch
-}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"os"
@@ -45,13 +44,11 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
-	"tailscale.com/types/preftype"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
-	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -295,7 +292,6 @@ func (b *LocalBackend) Prefs() *ipn.Prefs {
 // Status returns the latest status of the backend and its
 // sub-components.
 func (b *LocalBackend) Status() *ipnstate.Status {
-	log.Println("Status ENDPOINT")
 	sb := new(ipnstate.StatusBuilder)
 	b.UpdateStatus(sb)
 	return sb.Status()
@@ -825,7 +821,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		DiscoPublicKey:       discoPublic,
 		DebugFlags:           debugFlags,
 		LinkMonitor:          b.e.GetLinkMonitor(),
-		Pinger:               b.e,

 		// Don't warn about broken Linux IP forwading when
 		// netstack is being used.
@@ -1699,45 +1694,9 @@ func (b *LocalBackend) authReconfig() {

 	rcfg := b.routerConfig(cfg, uc)

-	dcfg := dns.Config{
-		Routes: map[dnsname.FQDN][]netaddr.IPPort{},
-		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-	}
-
-	// Populate MagicDNS records. We do this unconditionally so that
-	// quad-100 can always respond to MagicDNS queries, even if the OS
-	// isn't configured to make MagicDNS resolution truly
-	// magic. Details in
-	// https://github.com/tailscale/tailscale/issues/1886.
-	set := func(name string, addrs []netaddr.IPPrefix) {
-		if len(addrs) == 0 || name == "" {
-			return
-		}
-		fqdn, err := dnsname.ToFQDN(name)
-		if err != nil {
-			return // TODO: propagate error?
-		}
-		var ips []netaddr.IP
-		for _, addr := range addrs {
-			// Remove IPv6 addresses for now, as we don't
-			// guarantee that the peer node actually can speak
-			// IPv6 correctly.
-			//
-			// https://github.com/tailscale/tailscale/issues/1152
-			// tracks adding the right capability reporting to
-			// enable AAAA in MagicDNS.
-			if addr.IP().Is6() {
-				continue
-			}
-			ips = append(ips, addr.IP())
-		}
-		dcfg.Hosts[fqdn] = ips
-	}
-	set(nm.Name, nm.Addresses)
-	for _, peer := range nm.Peers {
-		set(peer.Name, peer.Addresses)
-	}
+	var dcfg dns.Config

+	// If CorpDNS is false, dcfg remains the zero value.
 	if uc.CorpDNS {
 		addDefault := func(resolvers []tailcfg.DNSResolver) {
 			for _, resolver := range resolvers {
@@ -1751,6 +1710,9 @@ func (b *LocalBackend) authReconfig() {
 		}

 		addDefault(nm.DNS.Resolvers)
+		if len(nm.DNS.Routes) > 0 {
+			dcfg.Routes = map[dnsname.FQDN][]netaddr.IPPort{}
+		}
 		for suffix, resolvers := range nm.DNS.Routes {
 			fqdn, err := dnsname.ToFQDN(suffix)
 			if err != nil {
@@ -1772,9 +1734,36 @@ func (b *LocalBackend) authReconfig() {
 			}
 			dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
 		}
+		set := func(name string, addrs []netaddr.IPPrefix) {
+			if len(addrs) == 0 || name == "" {
+				return
+			}
+			fqdn, err := dnsname.ToFQDN(name)
+			if err != nil {
+				return // TODO: propagate error?
+			}
+			var ips []netaddr.IP
+			for _, addr := range addrs {
+				// Remove IPv6 addresses for now, as we don't
+				// guarantee that the peer node actually can speak
+				// IPv6 correctly.
+				//
+				// https://github.com/tailscale/tailscale/issues/1152
+				// tracks adding the right capability reporting to
+				// enable AAAA in MagicDNS.
+				if addr.IP().Is6() {
+					continue
+				}
+				ips = append(ips, addr.IP())
+			}
+			dcfg.Hosts[fqdn] = ips
+		}
 		if nm.DNS.Proxied { // actually means "enable MagicDNS"
-			for _, dom := range magicDNSRootDomains(nm) {
-				dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
+			dcfg.AuthoritativeSuffixes = magicDNSRootDomains(nm)
+			dcfg.Hosts = map[dnsname.FQDN][]netaddr.IP{}
+			set(nm.Name, nm.Addresses)
+			for _, peer := range nm.Peers {
+				set(peer.Name, peer.Addresses)
 			}
 		}

@@ -1798,7 +1787,7 @@ func (b *LocalBackend) authReconfig() {
 			//
 			// https://github.com/tailscale/tailscale/issues/1713
 			addDefault(nm.DNS.FallbackResolvers)
-		case len(dcfg.Routes) == 0:
+		case len(dcfg.Routes) == 0 && len(dcfg.Hosts) == 0 && len(dcfg.AuthoritativeSuffixes) == 0:
 			// No settings requiring split DNS, no problem.
 		case version.OS() == "android":
 			// We don't support split DNS at all on Android yet.
@@ -1826,9 +1815,8 @@ func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
 // tailscaleVarRoot returns the root directory of Tailscale's writable
 // storage area. (e.g. "/var/lib/tailscale")
 func tailscaleVarRoot() string {
-	switch runtime.GOOS {
-	case "ios", "android":
-		dir, _ := paths.AppSharedDir.Load().(string)
+	if runtime.GOOS == "ios" {
+		dir, _ := paths.IOSSharedDir.Load().(string)
 		return dir
 	}
 	stateFile := paths.DefaultTailscaledStateFile()
@@ -1932,7 +1920,7 @@ func (b *LocalBackend) initPeerAPIListener() {
 					// ("peerAPIListeners too low").
 					continue
 				}
-				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP(), err)
+				b.logf("[unexpected] peerapi listen(%q) error: %v", a.IP, err)
 				continue
 			}
 		}
@@ -2031,11 +2019,6 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		Routes:           peerRoutes(cfg.Peers, 10_000),
 	}

-	if distro.Get() == distro.Synology {
-		// Issue 1995: we don't use iptables on Synology.
-		rs.NetfilterMode = preftype.NetfilterOff
-	}
-
 	// Sanity check: we expect the control server to program both a v4
 	// and a v6 default route, if default routing is on. Fill in
 	// blackhole routes appropriately if we're missing some. This is
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -104,9 +104,7 @@ func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(Notify)) *
 		b:             b,
 		sendNotifyMsg: sendNotifyMsg,
 	}
-	// b may be nil if the BackendServer is being created just to
-	// encapsulate and send an error message.
-	if sendNotifyMsg != nil && b != nil {
+	if sendNotifyMsg != nil {
 		b.SetNotifyCallback(bs.send)
 	}
 	return bs
--- a/ipn/message_test.go
+++ b/ipn/message_test.go
@@ -187,17 +187,3 @@ func TestClientServer(t *testing.T) {
 	})
 	flushUntil(Running)
 }
-
-func TestNilBackend(t *testing.T) {
-	var called *Notify
-	bs := NewBackendServer(t.Logf, nil, func(n Notify) {
-		called = &n
-	})
-	bs.SendErrorMessage("Danger, Will Robinson!")
-	if called == nil {
-		t.Errorf("expect callback to be called, wasn't")
-	}
-	if called.ErrMessage == nil || *called.ErrMessage != "Danger, Will Robinson!" {
-		t.Errorf("callback got wrong error: %v", called.ErrMessage)
-	}
-}
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -15,7 +15,6 @@ import (
 	"net/http"
 	"os"
 	"strconv"
-	"sync/atomic"
 	"time"

 	"tailscale.com/logtail/backoff"
@@ -73,7 +72,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	}
 	l := &Logger{
 		stderr:         cfg.Stderr,
-		stderrLevel:    int64(cfg.StderrLevel),
+		stderrLevel:    cfg.StderrLevel,
 		httpc:          cfg.HTTPC,
 		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
@@ -104,7 +103,7 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 // logging facilities and uploading to a log server.
 type Logger struct {
 	stderr         io.Writer
-	stderrLevel    int64 // accessed atomically
+	stderrLevel    int
 	httpc          *http.Client
 	url            string
 	lowMem         bool
@@ -126,8 +125,10 @@ type Logger struct {
 // SetVerbosityLevel controls the verbosity level that should be
 // written to stderr. 0 is the default (not verbose). Levels 1 or higher
 // are increasingly verbose.
+//
+// It should not be changed concurrently with log writes.
 func (l *Logger) SetVerbosityLevel(level int) {
-	atomic.StoreInt64(&l.stderrLevel, int64(level))
+	l.stderrLevel = level
 }

 // SetLinkMonitor sets the optional the link monitor.
@@ -513,7 +514,7 @@ func (l *Logger) Write(buf []byte) (int, error) {
 		return 0, nil
 	}
 	level, buf := parseAndRemoveLogLevel(buf)
-	if l.stderr != nil && l.stderr != ioutil.Discard && int64(level) <= atomic.LoadInt64(&l.stderrLevel) {
+	if l.stderr != nil && l.stderr != ioutil.Discard && level <= l.stderrLevel {
 		if buf[len(buf)-1] == '\n' {
 			l.stderr.Write(buf)
 		} else {
--- a/net/dns/config.go
+++ b/net/dns/config.go
@@ -22,26 +22,27 @@ type Config struct {
 	// for queries that fall within that suffix.
 	// If a query doesn't match any entry in Routes, the
 	// DefaultResolvers are used.
-	// A Routes entry with no resolvers means the route should be
-	// authoritatively answered using the contents of Hosts.
 	Routes map[dnsname.FQDN][]netaddr.IPPort
 	// SearchDomains are DNS suffixes to try when expanding
 	// single-label queries.
 	SearchDomains []dnsname.FQDN
 	// Hosts maps DNS FQDNs to their IPs, which can be a mix of IPv4
 	// and IPv6.
-	// Queries matching entries in Hosts are resolved locally by
-	// 100.100.100.100 without leaving the machine.
-	// Adding an entry to Hosts merely creates the record. If you want
-	// it to resolve, you also need to add appropriate routes to
-	// Routes.
+	// Queries matching entries in Hosts are resolved locally without
+	// recursing off-machine.
 	Hosts map[dnsname.FQDN][]netaddr.IP
+	// AuthoritativeSuffixes is a list of fully-qualified DNS suffixes
+	// for which the in-process Tailscale resolver is authoritative.
+	// Queries for names within AuthoritativeSuffixes can only be
+	// fulfilled by entries in Hosts. Queries with no match in Hosts
+	// return NXDOMAIN.
+	AuthoritativeSuffixes []dnsname.FQDN
 }

 // needsAnyResolvers reports whether c requires a resolver to be set
 // at the OS level.
 func (c Config) needsOSResolver() bool {
-	return c.hasDefaultResolvers() || c.hasRoutes()
+	return c.hasDefaultResolvers() || c.hasRoutes() || c.hasHosts()
 }

 func (c Config) hasRoutes() bool {
@@ -51,7 +52,7 @@ func (c Config) hasRoutes() bool {
 // hasDefaultResolversOnly reports whether the only resolvers in c are
 // DefaultResolvers.
 func (c Config) hasDefaultResolversOnly() bool {
-	return c.hasDefaultResolvers() && !c.hasRoutes()
+	return c.hasDefaultResolvers() && !c.hasRoutes() && !c.hasHosts()
 }

 func (c Config) hasDefaultResolvers() bool {
@@ -62,28 +63,44 @@ func (c Config) hasDefaultResolvers() bool {
 // routes use the same resolvers, or nil if multiple sets of resolvers
 // are specified.
 func (c Config) singleResolverSet() []netaddr.IPPort {
-	var (
-		prev            []netaddr.IPPort
-		prevInitialized bool
-	)
+	var first []netaddr.IPPort
 	for _, resolvers := range c.Routes {
-		if !prevInitialized {
-			prev = resolvers
-			prevInitialized = true
+		if first == nil {
+			first = resolvers
 			continue
 		}
-		if !sameIPPorts(prev, resolvers) {
+		if !sameIPPorts(first, resolvers) {
 			return nil
 		}
 	}
-	return prev
+	return first
 }

-// matchDomains returns the list of match suffixes needed by Routes.
+// hasHosts reports whether c requires resolution of MagicDNS hosts or
+// domains.
+func (c Config) hasHosts() bool {
+	return len(c.Hosts) > 0 || len(c.AuthoritativeSuffixes) > 0
+}
+
+// matchDomains returns the list of match suffixes needed by Routes,
+// AuthoritativeSuffixes. Hosts is not considered as we assume that
+// they're covered by AuthoritativeSuffixes for now.
 func (c Config) matchDomains() []dnsname.FQDN {
-	ret := make([]dnsname.FQDN, 0, len(c.Routes))
-	for suffix := range c.Routes {
+	ret := make([]dnsname.FQDN, 0, len(c.Routes)+len(c.AuthoritativeSuffixes))
+	seen := map[dnsname.FQDN]bool{}
+	for _, suffix := range c.AuthoritativeSuffixes {
+		if seen[suffix] {
+			continue
+		}
 		ret = append(ret, suffix)
+		seen[suffix] = true
+	}
+	for suffix := range c.Routes {
+		if seen[suffix] {
+			continue
+		}
+		ret = append(ret, suffix)
+		seen[suffix] = true
 	}
 	sort.Slice(ret, func(i, j int) bool {
 		return ret[i].WithTrailingDot() < ret[j].WithTrailingDot()
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -6,6 +6,7 @@ package dns

 import (
 	"runtime"
+	"strings"
 	"time"

 	"inet.af/netaddr"
@@ -74,40 +75,40 @@ func (m *Manager) Set(cfg Config) error {

 // compileConfig converts cfg into a quad-100 resolver configuration
 // and an OS-level configuration.
-func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig, err error) {
-	// The internal resolver always gets MagicDNS hosts and
-	// authoritative suffixes, even if we don't propagate MagicDNS to
-	// the OS.
-	rcfg.Hosts = cfg.Hosts
-	routes := map[dnsname.FQDN][]netaddr.IPPort{} // assigned conditionally to rcfg.Routes below.
-	for suffix, resolvers := range cfg.Routes {
-		if len(resolvers) == 0 {
-			rcfg.LocalDomains = append(rcfg.LocalDomains, suffix)
-		} else {
-			routes[suffix] = resolvers
-		}
-	}
-	// Similarly, the OS always gets search paths.
-	ocfg.SearchDomains = cfg.SearchDomains
-
+func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 	// Deal with trivial configs first.
 	switch {
 	case !cfg.needsOSResolver():
 		// Set search domains, but nothing else. This also covers the
 		// case where cfg is entirely zero, in which case these
 		// configs clear all Tailscale DNS settings.
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolversOnly():
 		// Trivial CorpDNS configuration, just override the OS
 		// resolver.
-		ocfg.Nameservers = toIPsOnly(cfg.DefaultResolvers)
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.DefaultResolvers),
+			SearchDomains: cfg.SearchDomains,
+		}, nil
 	case cfg.hasDefaultResolvers():
 		// Default resolvers plus other stuff always ends up proxying
 		// through quad-100.
-		rcfg.Routes = routes
-		rcfg.Routes["."] = cfg.DefaultResolvers
-		ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+		rcfg := resolver.Config{
+			Routes: map[dnsname.FQDN][]netaddr.IPPort{
+				".": cfg.DefaultResolvers,
+			},
+			Hosts:        cfg.Hosts,
+			LocalDomains: cfg.AuthoritativeSuffixes,
+		}
+		for suffix, resolvers := range cfg.Routes {
+			rcfg.Routes[suffix] = resolvers
+		}
+		ocfg := OSConfig{
+			Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+			SearchDomains: cfg.SearchDomains,
+		}
 		return rcfg, ocfg, nil
 	}

@@ -115,6 +116,8 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// configurations. The possible cases don't return directly any
 	// more, because as a final step we have to handle the case where
 	// the OS can't do split DNS.
+	var rcfg resolver.Config
+	var ocfg OSConfig

 	// Workaround for
 	// https://github.com/tailscale/corp/issues/1662. Even though
@@ -132,19 +135,35 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// This bool is used in a couple of places below to implement this
 	// workaround.
 	isWindows := runtime.GOOS == "windows"
-	if cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
+
+	// The windows check is for
+	// . See also below
+	// for further routing workarounds there.
+	if !cfg.hasHosts() && cfg.singleResolverSet() != nil && m.os.SupportsSplitDNS() && !isWindows {
 		// Split DNS configuration requested, where all split domains
 		// go to the same resolvers. We can let the OS do it.
-		ocfg.Nameservers = toIPsOnly(cfg.singleResolverSet())
-		ocfg.MatchDomains = cfg.matchDomains()
-		return rcfg, ocfg, nil
+		return resolver.Config{}, OSConfig{
+			Nameservers:   toIPsOnly(cfg.singleResolverSet()),
+			SearchDomains: cfg.SearchDomains,
+			MatchDomains:  cfg.matchDomains(),
+		}, nil
 	}

 	// Split DNS configuration with either multiple upstream routes,
 	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
 	// split-DNS. Install a split config pointing at quad-100.
-	rcfg.Routes = routes
-	ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+	rcfg = resolver.Config{
+		Hosts:        cfg.Hosts,
+		LocalDomains: cfg.AuthoritativeSuffixes,
+		Routes:       map[dnsname.FQDN][]netaddr.IPPort{},
+	}
+	for suffix, resolvers := range cfg.Routes {
+		rcfg.Routes[suffix] = resolvers
+	}
+	ocfg = OSConfig{
+		Nameservers:   []netaddr.IP{tsaddr.TailscaleServiceIP()},
+		SearchDomains: cfg.SearchDomains,
+	}

 	// If the OS can't do native split-dns, read out the underlying
 	// resolver config and blend it into our config.
@@ -154,7 +173,28 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	if !m.os.SupportsSplitDNS() || isWindows {
 		bcfg, err := m.os.GetBaseConfig()
 		if err != nil {
-			return resolver.Config{}, OSConfig{}, err
+			// Temporary hack to make OSes where split-DNS isn't fully
+			// implemented yet not completely crap out, but instead
+			// fall back to quad-9 as a hardcoded "backup resolver".
+			//
+			// This codepath currently only triggers when opted into
+			// the split-DNS feature server side, and when at least
+			// one search domain is something within tailscale.com, so
+			// we don't accidentally leak unstable user DNS queries to
+			// quad-9 if we accidentally go down this codepath.
+			canUseHack := false
+			for _, dom := range cfg.SearchDomains {
+				if strings.HasSuffix(dom.WithoutTrailingDot(), ".tailscale.com") {
+					canUseHack = true
+					break
+				}
+			}
+			if !canUseHack {
+				return resolver.Config{}, OSConfig{}, err
+			}
+			bcfg = OSConfig{
+				Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
+			}
 		}
 		rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
 		ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
--- a/net/dns/manager_test.go
+++ b/net/dns/manager_test.go
@@ -76,20 +76,6 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 		},
-		{
-			// Regression test for https://github.com/tailscale/tailscale/issues/1886
-			name: "hosts-only",
-			in: Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-			rs: resolver.Config{
-				Hosts: hosts(
-					"dave.ts.com.", "1.2.3.4",
-					"bradfitz.ts.com.", "2.3.4.5"),
-			},
-		},
 		{
 			name: "corp",
 			in: Config{
@@ -118,10 +104,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			os: OSConfig{
 				Nameservers:   mustIPs("100.100.100.100"),
@@ -140,10 +126,10 @@ func TestManager(t *testing.T) {
 			in: Config{
 				DefaultResolvers: mustIPPs("1.1.1.1:53", "9.9.9.9:53"),
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
-				Routes:           upstreams("ts.com", ""),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
 			},
 			split: true,
 			os: OSConfig{
@@ -275,8 +261,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -300,8 +286,8 @@ func TestManager(t *testing.T) {
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				Routes:        upstreams("ts.com", ""),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -319,11 +305,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic",
 			in: Config{
-				Routes: upstreams("corp.com", "2.2.2.2:53", "ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			bs: OSConfig{
 				Nameservers:   mustIPs("8.8.8.8"),
@@ -346,13 +333,12 @@ func TestManager(t *testing.T) {
 		{
 			name: "routes-magic-split",
 			in: Config{
-				Routes: upstreams(
-					"corp.com", "2.2.2.2:53",
-					"ts.com", ""),
+				Routes: upstreams("corp.com", "2.2.2.2:53"),
 				Hosts: hosts(
 					"dave.ts.com.", "1.2.3.4",
 					"bradfitz.ts.com.", "2.3.4.5"),
-				SearchDomains: fqdns("tailscale.com", "universe.tf"),
+				AuthoritativeSuffixes: fqdns("ts.com"),
+				SearchDomains:         fqdns("tailscale.com", "universe.tf"),
 			},
 			split: true,
 			os: OSConfig{
@@ -443,12 +429,7 @@ func upstreams(strs ...string) (ret map[dnsname.FQDN][]netaddr.IPPort) {
 	var key dnsname.FQDN
 	ret = map[dnsname.FQDN][]netaddr.IPPort{}
 	for _, s := range strs {
-		if s == "" {
-			if key == "" {
-				panic("IPPort provided before suffix")
-			}
-			ret[key] = nil
-		} else if ipp, err := netaddr.ParseIPPort(s); err == nil {
+		if ipp, err := netaddr.ParseIPPort(s); err == nil {
 			if key == "" {
 				panic("IPPort provided before suffix")
 			}
--- a/net/packet/packet.go
+++ b/net/packet/packet.go
@@ -12,6 +12,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/types/ipproto"
+	"tailscale.com/types/strbuilder"
 )

 const unknown = ipproto.Unknown
@@ -61,17 +62,36 @@ func (p *Parsed) String() string {
 		return "Unknown{???}"
 	}

-	// max is the maximum reasonable length of the string we are constructing.
-	// It's OK to overshoot, as the temp buffer is allocated on the stack.
-	const max = len("ICMPv6{[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535 > [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff%enp5s0]:65535}")
-	b := make([]byte, 0, max)
-	b = append(b, p.IPProto.String()...)
-	b = append(b, '{')
-	b = p.Src.AppendTo(b)
-	b = append(b, ' ', '>', ' ')
-	b = p.Dst.AppendTo(b)
-	b = append(b, '}')
-	return string(b)
+	sb := strbuilder.Get()
+	sb.WriteString(p.IPProto.String())
+	sb.WriteByte('{')
+	writeIPPort(sb, p.Src)
+	sb.WriteString(" > ")
+	writeIPPort(sb, p.Dst)
+	sb.WriteByte('}')
+	return sb.String()
+}
+
+// writeIPPort writes ipp.String() into sb, with fewer allocations.
+//
+// TODO: make netaddr more efficient in this area, and retire this func.
+func writeIPPort(sb *strbuilder.Builder, ipp netaddr.IPPort) {
+	if ipp.IP().Is4() {
+		raw := ipp.IP().As4()
+		sb.WriteUint(uint64(raw[0]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[1]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[2]))
+		sb.WriteByte('.')
+		sb.WriteUint(uint64(raw[3]))
+		sb.WriteByte(':')
+	} else {
+		sb.WriteByte('[')
+		sb.WriteString(ipp.IP().String()) // TODO: faster?
+		sb.WriteString("]:")
+	}
+	sb.WriteUint(uint64(ipp.Port()))
 }

 // Decode extracts data from the packet in b into q.
--- a/net/packet/packet_test.go
+++ b/net/packet/packet_test.go
@@ -378,9 +378,11 @@ func TestParsedString(t *testing.T) {
 		})
 	}

+	var sink string
 	allocs := testing.AllocsPerRun(1000, func() {
-		sinkString = tests[0].qdecode.String()
+		sink = tests[0].qdecode.String()
 	})
+	_ = sink
 	if allocs != 1 {
 		t.Errorf("allocs = %v; want 1", allocs)
 	}
@@ -530,33 +532,3 @@ func TestMarshalResponse(t *testing.T) {
 		})
 	}
 }
-
-var sinkString string
-
-func BenchmarkString(b *testing.B) {
-	benches := []struct {
-		name string
-		buf  []byte
-	}{
-		{"tcp4", tcp4PacketBuffer},
-		{"tcp6", tcp6RequestBuffer},
-		{"udp4", udp4RequestBuffer},
-		{"udp6", udp6RequestBuffer},
-		{"icmp4", icmp4RequestBuffer},
-		{"icmp6", icmp6PacketBuffer},
-		{"igmp", igmpPacketBuffer},
-		{"unknown", unknownPacketBuffer},
-	}
-
-	for _, bench := range benches {
-		b.Run(bench.name, func(b *testing.B) {
-			b.ReportAllocs()
-			var p Parsed
-			p.Decode(bench.buf)
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				sinkString = p.String()
-			}
-		})
-	}
-}
--- a/net/packet/tsmp.go
+++ b/net/packet/tsmp.go
@@ -14,7 +14,6 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
-	"log"

 	"inet.af/netaddr"
 	"tailscale.com/net/flowtrack"
@@ -233,7 +232,6 @@ type TSMPPongReply struct {
 // AsTSMPPong returns pp as a TSMPPongReply and whether it is one.
 // The pong.IPHeader field is not populated.
 func (pp *Parsed) AsTSMPPong() (pong TSMPPongReply, ok bool) {
-	log.Println("TSMPPONG")
 	if pp.IPProto != ipproto.TSMP {
 		return
 	}
--- a/net/tstun/fake.go
+++ b/net/tstun/fake.go
@@ -8,7 +8,7 @@ import (
 	"io"
 	"os"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 )

 type fakeTUN struct {
--- a/net/tstun/ifstatus_noop.go
+++ b/net/tstun/ifstatus_noop.go
@@ -9,7 +9,7 @@ package tstun
 import (
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 )

--- a/net/tstun/ifstatus_windows.go
+++ b/net/tstun/ifstatus_windows.go
@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"tailscale.com/types/logger"
 )
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -13,7 +13,7 @@ import (
 	"runtime"
 	"time"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 	"tailscale.com/version/distro"
 )
--- a/net/tstun/tun_notwindows.go
+++ b/net/tstun/tun_notwindows.go
@@ -6,7 +6,7 @@

 package tstun

-import "golang.zx2c4.com/wireguard/tun"
+import "github.com/tailscale/wireguard-go/tun"

 func interfaceName(dev tun.Device) (string, error) {
 	return dev.Name()
--- a/net/tstun/tun_windows.go
+++ b/net/tstun/tun_windows.go
@@ -5,9 +5,9 @@
 package tstun

 import (
+	"github.com/tailscale/wireguard-go/tun"
+	"github.com/tailscale/wireguard-go/tun/wintun"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/tun/wintun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )

--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -9,14 +9,13 @@ package tstun
 import (
 	"errors"
 	"io"
-	"log"
 	"os"
 	"sync"
 	"sync/atomic"
 	"time"

-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
@@ -277,7 +276,6 @@ func (t *Wrapper) poll() {
 var magicDNSIPPort = netaddr.MustParseIPPort("100.100.100.100:0")

 func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
-	log.Println("FILTEROUT")
 	// Fake ICMP echo responses to MagicDNS (100.100.100.100).
 	if p.IsEchoRequest() && p.Dst == magicDNSIPPort {
 		header := p.ICMP4Header()
@@ -378,7 +376,6 @@ func (t *Wrapper) Read(buf []byte, offset int) (int, error) {
 }

 func (t *Wrapper) filterIn(buf []byte) filter.Response {
-	log.Println("FILTERIN")
 	p := parsedPacketPool.Get().(*packet.Parsed)
 	defer parsedPacketPool.Put(p)
 	p.Decode(buf)
@@ -535,7 +532,6 @@ func (t *Wrapper) InjectInboundCopy(packet []byte) error {
 }

 func (t *Wrapper) injectOutboundPong(pp *packet.Parsed, req packet.TSMPPingRequest) {
-	log.Println("INJECT OUTBOUND")
 	pong := packet.TSMPPongReply{
 		Data: req.Data,
 	}
@@ -572,10 +568,8 @@ func (t *Wrapper) InjectOutbound(packet []byte) error {
 	}
 	select {
 	case <-t.closed:
-		log.Println("Closed")
 		return ErrClosed
 	case t.outbound <- packet:
-		log.Println("t.outbound <- packet")
 		return nil
 	}
 }
--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -14,7 +14,7 @@ import (
 	"testing"
 	"unsafe"

-	"golang.zx2c4.com/wireguard/tun/tuntest"
+	"github.com/tailscale/wireguard-go/tun/tuntest"
 	"inet.af/netaddr"
 	"tailscale.com/net/packet"
 	"tailscale.com/types/ipproto"
--- a/paths/paths.go
+++ b/paths/paths.go
@@ -13,9 +13,9 @@ import (
 	"sync/atomic"
 )

-// AppSharedDir is a string set by the iOS or Android app on start
+// IOSSharedDir is a string set by the iOS app on start
 // containing a directory we can read/write in.
-var AppSharedDir atomic.Value
+var IOSSharedDir atomic.Value

 // DefaultTailscaledSocket returns the path to the tailscaled Unix socket
 // or the empty string if there's no reasonable default.
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -749,9 +749,6 @@ type MapRequest struct {
 	//     * "minimize-netmap": have control minimize the netmap, removing
 	//       peers that are unreachable per ACLS.
 	DebugFlags []string `json:",omitempty"`
-
-	// Basic boolean field to determine if a Ping is being intitiated
-	Ping bool
 }

 // PortRange represents a range of UDP or TCP port numbers.
@@ -887,27 +884,6 @@ type PingRequest struct {
 	// Log is whether to log about this ping in the success case.
 	// For failure cases, the client will log regardless.
 	Log bool `json:",omitempty"`
-
-	Initiator        string // admin@email; "system" (for Tailscale)
-	TestIP           netaddr.IP
-	Types            string // empty means all: TSMP+ICMP+disco
-	StopAfterNDirect int    // 1 means stop on 1st direct ping; 4 means 4 direct pings; 0 means do MaxPings and stop
-	MaxPings         int    // MaxPings total, direct or DERPed
-	PayloadSize      int    // default: 0 extra bytes
-}
-
-// According to https://roamresearch.com/#/app/ts-corp/page/4Bn_Famn2
-// Client can stream responses back via HTTP
-// We will add a struct with the proper fields
-type StreamedPingResult struct {
-	IP      netaddr.IP
-	SeqNum  int     // somewhat redundant with TxID but for clarity
-	SentTo  NodeID  // for exit/subnet relays
-	TxID    string  // N hex bytes random
-	Dir     string  // "in"/"out"
-	Type    string  // ICMP, disco, TSMP, ...
-	Via     string  // "direct", "derp-nyc", ...
-	Seconds float64 // for Dir "in" only
 }

 type MapResponse struct {
@@ -1050,16 +1026,11 @@ func (k MachineKey) MarshalText() ([]byte, error)     { return keyMarshalText("m
 func (k MachineKey) HexString() string                { return fmt.Sprintf("%x", k[:]) }
 func (k *MachineKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "mkey:", text) }

-func appendKey(base []byte, prefix string, k [32]byte) []byte {
-	ret := append(base, make([]byte, len(prefix)+64)...)
-	buf := ret[len(base):]
+func keyMarshalText(prefix string, k [32]byte) []byte {
+	buf := make([]byte, len(prefix)+64)
 	copy(buf, prefix)
 	hex.Encode(buf[len(prefix):], k[:])
-	return ret
-}
-
-func keyMarshalText(prefix string, k [32]byte) []byte {
-	return appendKey(nil, prefix, k)
+	return buf
 }

 func keyUnmarshalText(dst []byte, prefix string, text []byte) error {
@@ -1090,7 +1061,6 @@ func (k DiscoKey) String() string                   { return fmt.Sprintf("discok
 func (k DiscoKey) MarshalText() ([]byte, error)     { return keyMarshalText("discokey:", k), nil }
 func (k *DiscoKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "discokey:", text) }
 func (k DiscoKey) ShortString() string              { return fmt.Sprintf("d:%x", k[:8]) }
-func (k DiscoKey) AppendTo(b []byte) []byte         { return appendKey(b, "discokey:", k) }

 // IsZero reports whether k is the zero value.
 func (k DiscoKey) IsZero() bool { return k == DiscoKey{} }
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -14,7 +14,6 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/types/wgkey"
-	"tailscale.com/version"
 )

 func fieldsOf(t reflect.Type) (fields []string) {
@@ -529,25 +528,3 @@ func BenchmarkKeyMarshalText(b *testing.B) {
 		sinkBytes = keyMarshalText("prefix", k)
 	}
 }
-
-func TestAppendKeyAllocs(t *testing.T) {
-	if version.IsRace() {
-		t.Skip("skipping in race detector") // append(b, make([]byte, N)...) not optimized in compiler with race
-	}
-	var k [32]byte
-	n := int(testing.AllocsPerRun(1000, func() {
-		sinkBytes = keyMarshalText("prefix", k)
-	}))
-	if n != 1 {
-		t.Fatalf("allocs = %v; want 1", n)
-	}
-}
-
-func TestDiscoKeyAppend(t *testing.T) {
-	d := DiscoKey{1: 1, 2: 2}
-	got := string(d.AppendTo([]byte("foo")))
-	want := "foodiscokey:0001020000000000000000000000000000000000000000000000000000000000"
-	if got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-}
--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -11,6 +11,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"errors"
+	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -46,7 +47,7 @@ import (
 	"tailscale.com/version"
 )

-// var verbose = flag.Bool("verbose", true, "verbose debug logs")
+var verbose = flag.Bool("verbose", false, "verbose debug logs")

 var mainError atomic.Value // of error

@@ -59,7 +60,6 @@ func TestMain(m *testing.M) {
 		fmt.Fprintf(os.Stderr, "FAIL: %v\n", err)
 		os.Exit(1)
 	}
-	time.Sleep(5 * time.Second)
 	os.Exit(0)
 }

@@ -279,9 +279,6 @@ func newTestEnv(t testing.TB, bins *testBinaries) *testEnv {
 		DERPMap: derpMap,
 	}
 	trafficTrap := new(trafficTrap)
-	log.Println("SERVER ATTACHED")
-	log.Println(len(control.PingRequestC))
-	// go func() { control.PingRequestC <- true }()
 	e := &testEnv{
 		t:                 t,
 		Binaries:          bins,
@@ -587,7 +584,7 @@ func (lc *logCatcher) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	} else {
 		for _, ent := range jreq {
 			fmt.Fprintf(&lc.buf, "%s\n", strings.TrimSpace(ent.Text))
-			if testing.Verbose() {
+			if *verbose {
 				fmt.Fprintf(os.Stderr, "%s\n", strings.TrimSpace(ent.Text))
 			}
 		}
@@ -686,132 +683,3 @@ func (w *authURLParserWriter) Write(p []byte) (n int, err error) {
 	}
 	return n, err
 }
-
-type panicOnUseTransport struct{}
-
-func (panicOnUseTransport) RoundTrip(*http.Request) (*http.Response, error) {
-	panic("unexpected HTTP request")
-}
-func TestTwoNodePing(t *testing.T) {
-
-	// < --->
-	t.Parallel()
-	bins := buildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	t.Log("Env :", env.ControlServer.URL)
-	res, err := http.Get(env.ControlServer.URL + "/ping")
-	t.Log("RESPONSE", res)
-	if err != nil {
-		t.Error(err)
-	}
-	defer env.Close()
-
-	// Create two nodes:
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n2 := newTestNode(t, env)
-	d2 := n2.StartDaemon(t)
-	defer d2.Kill()
-
-	n1.AwaitListening(t)
-	n2.AwaitListening(t)
-	n1.MustUp()
-	n2.MustUp()
-	n1.AwaitRunning(t)
-	n2.AwaitRunning(t)
-	ip1 := n1.AwaitIP(t)
-	ip2 := n2.AwaitIP(t)
-	t.Logf("Node IPs : %s, %s\n", ip1, ip2)
-
-	if err := tstest.WaitFor(2*time.Second, func() error {
-		st := n1.MustStatus(t)
-		t.Log("CURPEER", len(st.Peer))
-		var peers []*ipnstate.PeerStatus
-		for _, peer := range st.Peers() {
-			ps := st.Peer[peer]
-			if ps.ShareeNode {
-				continue
-			}
-			peers = append(peers, ps)
-		}
-		jsonForm, _ := json.MarshalIndent(peers[0], "", " ")
-		t.Log("PeerStatus", string(jsonForm))
-		if len(st.Peer) == 0 {
-			return errors.New("no peers")
-		}
-		if len(st.Peer) > 1 {
-			return fmt.Errorf("got %d peers; want 1", len(st.Peer))
-		}
-		peer := st.Peer[st.Peers()[0]]
-		if peer.ID == st.Self.ID {
-			return errors.New("peer is self")
-		}
-		return nil
-	}); err != nil {
-		t.Error(err)
-	}
-
-	d1.MustCleanShutdown(t)
-	d2.MustCleanShutdown(t)
-}
-
-// Tests if our addPingRequest function works
-func TestAddPingRequest(t *testing.T) {
-
-}
-
-// Test such that we can simulate the ping instead of hardcoding in the map response
-func TestControlSelectivePing(t *testing.T) {
-	t.Parallel()
-	bins := buildTestBinaries(t)
-
-	env := newTestEnv(t, bins)
-	log.Println("POSTSTARTUP")
-	defer env.Close()
-
-	// Create two nodes:
-	n1 := newTestNode(t, env)
-	d1 := n1.StartDaemon(t)
-	defer d1.Kill()
-
-	n2 := newTestNode(t, env)
-	d2 := n2.StartDaemon(t)
-	defer d2.Kill()
-
-	n1.AwaitListening(t)
-	n2.AwaitListening(t)
-	n1.MustUp()
-	n2.MustUp()
-	n1.AwaitRunning(t)
-	n2.AwaitRunning(t)
-
-	// Wait for server to start serveMap
-	if err := tstest.WaitFor(2*time.Second, func() error {
-		t.Log("ENOUGHTIME")
-		env.Control.AddControlPingRequest()
-		if len(env.Control.PingRequestC) == 0 {
-			return errors.New("failed to add to PingRequestC")
-		}
-		log.Println("CHANNEL LENGTH", len(env.Control.PingRequestC))
-		return nil
-	}); err != nil {
-		t.Error(err)
-	}
-
-	// Wait for a MapResponse
-	if err := tstest.WaitFor(20*time.Second, func() error {
-		// Simulate the time needed for MapResponse method call.
-		time.Sleep(500 * time.Millisecond)
-		if len(env.Control.PingRequestC) == 1 {
-			t.Error("Expected PingRequestC to be empty")
-		}
-		return nil
-	}); err != nil {
-		t.Error(err)
-	}
-	d1.MustCleanShutdown(t)
-	d2.MustCleanShutdown(t)
-}
--- a/tstest/integration/testcontrol/testcontrol.go
+++ b/tstest/integration/testcontrol/testcontrol.go
@@ -36,16 +36,14 @@ import (
 // Server is a control plane server. Its zero value is ready for use.
 // Everything is stored in-memory in one tailnet.
 type Server struct {
-	Logf         logger.Logf      // nil means to use the log package
-	DERPMap      *tailcfg.DERPMap // nil means to use prod DERP map
-	RequireAuth  bool
-	BaseURL      string // must be set to e.g. "http://127.0.0.1:1234" with no trailing URL
-	Verbose      bool
-	PingRequestC chan bool
+	Logf        logger.Logf      // nil means to use the log package
+	DERPMap     *tailcfg.DERPMap // nil means to use prod DERP map
+	RequireAuth bool
+	BaseURL     string // must be set to e.g. "http://127.0.0.1:1234" with no trailing URL
+	Verbose     bool

-	initMuxOnce       sync.Once
-	mux               *http.ServeMux
-	initPRchannelOnce sync.Once
+	initMuxOnce sync.Once
+	mux         *http.ServeMux

 	mu            sync.Mutex
 	pubKey        wgkey.Key
@@ -58,17 +56,6 @@ type Server struct {
 	nodeKeyAuthed map[tailcfg.NodeKey]bool // key => true once authenticated
 }

-// NumNodes returns the number of nodes in the testcontrol server.
-//
-// This is useful when connecting a bunch of virtual machines to a testcontrol
-// server to see how many of them connected successfully.
-func (s *Server) NumNodes() int {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	return len(s.nodes)
-}
-
 type AuthPath struct {
 	nodeKey tailcfg.NodeKey

@@ -97,26 +84,14 @@ func (s *Server) logf(format string, a ...interface{}) {
 }

 func (s *Server) initMux() {
-	log.Println("Mux inited")
 	s.mux = http.NewServeMux()
 	s.mux.HandleFunc("/", s.serveUnhandled)
 	s.mux.HandleFunc("/key", s.serveKey)
 	s.mux.HandleFunc("/machine/", s.serveMachine)
-	s.mux.HandleFunc("/ping", s.receivePingInfo)
-	s.mux.HandleFunc("/mockpingrequest", s.serveMockPing)
-}
-
-func (s *Server) initPingRequestC() {
-	log.Println("Channel created")
-	s.PingRequestC = make(chan bool, 1)
-	// s.AddControlPingRequest()
-	// log.Println("Channel length : ", len(s.PingRequestC))
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	log.Println("HTTPSERVE")
 	s.initMuxOnce.Do(s.initMux)
-	s.initPRchannelOnce.Do(s.initPingRequestC)
 	s.mux.ServeHTTP(w, r)
 }

@@ -126,12 +101,6 @@ func (s *Server) serveUnhandled(w http.ResponseWriter, r *http.Request) {
 	go panic(fmt.Sprintf("testcontrol.Server received unhandled request: %s", got.Bytes()))
 }

-func (s *Server) serveMockPing(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "text/plain")
-	s.AddControlPingRequest()
-	io.WriteString(w, "A ControlPingRequest has been queued for our next MapResponse.")
-}
-
 func (s *Server) publicKey() wgkey.Key {
 	pub, _ := s.keyPair()
 	return pub
@@ -211,16 +180,6 @@ func (s *Server) AllNodes() (nodes []*tailcfg.Node) {
 	return nodes
 }

-// AddControlPingRequest enqueues a bool to PingRequestC.
-// in serveMap this will result to a ControlPingRequest
-// added to the next MapResponse sent to the client
-func (s *Server) AddControlPingRequest() {
-	// Redundant check to avoid errors when called multiple times
-	if len(s.PingRequestC) == 0 {
-		s.PingRequestC <- true
-	}
-}
-
 func (s *Server) getUser(nodeKey tailcfg.NodeKey) (*tailcfg.User, *tailcfg.Login) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -308,7 +267,6 @@ func (s *Server) CompleteAuth(authPathOrURL string) bool {
 }

 func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey tailcfg.MachineKey) {
-	log.Println("SERVE REGISTER CALLED")
 	var req tailcfg.RegisterRequest
 	if err := s.decode(mkey, r.Body, &req); err != nil {
 		panic(fmt.Sprintf("serveRegister: decode: %v", err))
@@ -412,24 +370,6 @@ func (s *Server) updateLocked(source string, peers []tailcfg.NodeID) {
 	}
 }

-// Adds a PingRequest to a MapResponse, we will ping the first peer.
-func (s *Server) addPingRequest(res *tailcfg.MapResponse) error {
-	if len(res.Peers) == 0 {
-		return errors.New("MapResponse has no peers to ping")
-	}
-
-	if len(res.Peers[0].Addresses) == 0 || len(res.Peers[0].AllowedIPs) == 0 {
-		return errors.New("peer has no Addresses or no AllowedIPs")
-	}
-	targetIP := res.Peers[0].AllowedIPs[0].IP()
-	res.PingRequest = &tailcfg.PingRequest{URL: s.BaseURL + "/ping", TestIP: targetIP, Types: "tsmp"}
-	// jsonRes, _ := json.MarshalIndent(res, "", " ")
-	// log.Println("jsonprint", string(jsonRes))
-	// log.Println("respeers", res.Peers)
-	// log.Println("allnodes", s.AllNodes(), res.Node.AllowedIPs)
-	return nil
-}
-
 // sendUpdate sends updateType to dst if dst is non-nil and
 // has capacity.
 func sendUpdate(dst chan<- updateType, updateType updateType) {
@@ -461,7 +401,6 @@ func (s *Server) UpdateNode(n *tailcfg.Node) (peersToUpdate []tailcfg.NodeID) {
 }

 func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey tailcfg.MachineKey) {
-	log.Println("SERVEMAP CALLED")
 	ctx := r.Context()

 	req := new(tailcfg.MapRequest)
@@ -514,20 +453,9 @@ func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey tailcfg.M
 	streaming := req.Stream && !req.ReadOnly
 	compress := req.Compress != ""

-	log.Println("CREATED MAPREQ", *req)
-	log.Println("REQUEST", r)
-	log.Println("REQBODY", r.Body)
 	w.WriteHeader(200)
 	for {
 		res, err := s.MapResponse(req)
-		log.Println("LENGTHER", len(s.PingRequestC))
-		select {
-		case <-s.PingRequestC:
-			log.Println("PINGADD", len(s.PingRequestC))
-			s.addPingRequest(res)
-		default:
-			log.Println("NOTEXIST")
-		}
 		if err != nil {
 			// TODO: log
 			return
@@ -588,7 +516,6 @@ var prodDERPMap = derpmap.Prod()
 //
 // No updates to s are done here.
 func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse, err error) {
-	log.Println("MAPREQUEST : ", string(JsonPrint(req)))
 	node := s.Node(req.NodeKey)
 	if node == nil {
 		// node key rotated away (once test server supports that)
@@ -616,7 +543,6 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,
 		netaddr.MustParseIPPrefix(fmt.Sprintf("100.64.%d.%d/32", uint8(node.ID>>8), uint8(node.ID))),
 	}
 	res.Node.AllowedIPs = res.Node.Addresses
-
 	return res, nil
 }

@@ -767,24 +693,3 @@ func breakSameNodeMapResponseStreams(req *tailcfg.MapRequest) bool {
 	}
 	return true
 }
-
-// This is where the PUT requests will go
-func (s *Server) receivePingInfo(w http.ResponseWriter, r *http.Request) {
-	if r.Method != "PUT" {
-		log.Println("Received NON PUT request, should panic if this happens after")
-		// panic("Only PUT requests are supported currently")
-	}
-	w.Header().Set("Content-Type", "text/plain")
-	reqBody, err := ioutil.ReadAll(r.Body)
-	if err != nil {
-		panic("Failed to read request body")
-	}
-	log.Println("Ping Info Received", string(reqBody))
-	w.WriteHeader(200)
-	io.WriteString(w, "Ping Streamed Back : "+string(reqBody))
-}
-
-func JsonPrint(item interface{}) []byte {
-	res, _ := json.MarshalIndent(item, "", " ")
-	return res
-}
--- a/tstest/integration/vms/doc.go
+++ b/tstest/integration/vms/doc.go
@@ -1,7 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package vms does VM-based integration/functional tests by using
-// qemu and a bank of pre-made VM images.
-package vms
--- a/tstest/integration/vms/vms_test.go
+++ b/tstest/integration/vms/vms_test.go
@@ -1,532 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux
-
-package vms
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"flag"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strings"
-	"sync"
-	"syscall"
-	"testing"
-	"text/template"
-	"time"
-
-	expect "github.com/google/goexpect"
-	"golang.org/x/crypto/ssh"
-	"inet.af/netaddr"
-	"tailscale.com/tstest/integration/testcontrol"
-)
-
-var runVMTests = flag.Bool("run-vm-tests", false, "if set, run expensive (10G+ ram) VM based integration tests")
-
-type Distro struct {
-	name           string // amazon-linux
-	url            string // URL to a qcow2 image
-	sha256sum      string // hex-encoded sha256 sum of contents of URL
-	mem            int    // VM memory in megabytes
-	packageManager string // yum/apt/dnf/zypper
-}
-
-func (d *Distro) InstallPre() string {
-	switch d.packageManager {
-	case "yum":
-		return ` - [ yum, update, gnupg2 ]
-`
-	case "apt":
-		return ` - [ apt-get, update ]
- - [ apt-get, "-y", install, curl, "apt-transport-https", gnupg2 ]
-`
-	}
-
-	return ""
-}
-
-// fetchDistro fetches a distribution from the internet if it doesn't already exist locally. It
-// also validates the sha256 sum from a known good hash.
-func fetchDistro(t *testing.T, resultDistro Distro) {
-	t.Helper()
-
-	cdir, err := os.UserCacheDir()
-	if err != nil {
-		t.Fatalf("can't find cache dir: %v", err)
-	}
-	cdir = filepath.Join(cdir, "tailscale", "vm-test")
-
-	qcowPath := filepath.Join(cdir, "qcow2", resultDistro.sha256sum)
-
-	_, err = os.Stat(qcowPath)
-	if err != nil {
-		t.Logf("downloading distro image %s to %s", resultDistro.url, qcowPath)
-		fout, err := os.Create(qcowPath)
-		if err != nil {
-			t.Fatal(err)
-		}
-		resp, err := http.Get(resultDistro.url)
-		if err != nil {
-			t.Fatalf("can't fetch qcow2 for %s (%s): %v", resultDistro.name, resultDistro.url, err)
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			resp.Body.Close()
-			t.Fatalf("%s replied %s", resultDistro.url, resp.Status)
-		}
-
-		_, err = io.Copy(fout, resp.Body)
-		resp.Body.Close()
-		if err != nil {
-			t.Fatalf("download of %s failed: %v", resultDistro.url, err)
-		}
-
-		err = fout.Close()
-		if err != nil {
-			t.Fatalf("can't close fout: %v", err)
-		}
-
-		fin, err := os.Open(qcowPath)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		hasher := sha256.New()
-		if _, err := io.Copy(hasher, fin); err != nil {
-			t.Fatal(err)
-		}
-		hash := hex.EncodeToString(hasher.Sum(nil))
-
-		if hash != resultDistro.sha256sum {
-			t.Logf("got:  %q", hash)
-			t.Logf("want: %q", resultDistro.sha256sum)
-			t.Fatal("hash mismatch, someone is doing something nasty")
-		}
-
-		t.Logf("hash check passed (%s)", resultDistro.sha256sum)
-	}
-}
-
-// run runs a command or fails the test.
-func run(t *testing.T, dir, prog string, args ...string) {
-	t.Helper()
-	t.Logf("running: %s %s", prog, strings.Join(args, " "))
-
-	cmd := exec.Command(prog, args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.Dir = dir
-	if err := cmd.Run(); err != nil {
-		t.Fatal(err)
-	}
-}
-
-// mkLayeredQcow makes a layered qcow image that allows us to keep the upstream VM images
-// pristine and only do our changes on an overlay.
-func mkLayeredQcow(t *testing.T, tdir string, d Distro) {
-	t.Helper()
-
-	cdir, err := os.UserCacheDir()
-	if err != nil {
-		t.Fatalf("can't find cache dir: %v", err)
-	}
-	cdir = filepath.Join(cdir, "tailscale", "vm-test")
-
-	run(t, tdir, "qemu-img", "create",
-		"-f", "qcow2",
-		"-o", "backing_file="+filepath.Join(cdir, "qcow2", d.sha256sum),
-		filepath.Join(tdir, d.name+".qcow2"),
-	)
-}
-
-// mkSeed makes the cloud-init seed ISO that is used to configure a VM with tailscale.
-func mkSeed(t *testing.T, d Distro, sshKey, hostURL, tdir string, port int) {
-	t.Helper()
-
-	dir := filepath.Join(tdir, d.name, "seed")
-	os.MkdirAll(dir, 0700)
-
-	// make meta-data
-	{
-		fout, err := os.Create(filepath.Join(dir, "meta-data"))
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = template.Must(template.New("meta-data.yaml").Parse(metaDataTemplate)).Execute(fout, struct {
-			ID       string
-			Hostname string
-		}{
-			ID:       "31337",
-			Hostname: d.name,
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = fout.Close()
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	// make user-data
-	{
-		fout, err := os.Create(filepath.Join(dir, "user-data"))
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = template.Must(template.New("user-data.yaml").Parse(userDataTemplate)).Execute(fout, struct {
-			SSHKey     string
-			HostURL    string
-			Hostname   string
-			Port       int
-			InstallPre string
-		}{
-			SSHKey:     strings.TrimSpace(sshKey),
-			HostURL:    hostURL,
-			Hostname:   d.name,
-			Port:       port,
-			InstallPre: d.InstallPre(),
-		})
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		err = fout.Close()
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	run(t, tdir, "genisoimage",
-		"-output", filepath.Join(dir, "seed.iso"),
-		"-volid", "cidata", "-joliet", "-rock",
-		filepath.Join(dir, "meta-data"),
-		filepath.Join(dir, "user-data"),
-	)
-}
-
-// mkVM makes a KVM-accelerated virtual machine and prepares it for introduction to the
-// testcontrol server. The function it returns is for killing the virtual machine when it
-// is time for it to die.
-func mkVM(t *testing.T, n int, d Distro, sshKey, hostURL, tdir string) func() {
-	t.Helper()
-
-	cdir, err := os.UserCacheDir()
-	if err != nil {
-		t.Fatalf("can't find cache dir: %v", err)
-	}
-	cdir = filepath.Join(cdir, "within", "mkvm")
-	os.MkdirAll(filepath.Join(cdir, "qcow2"), 0755)
-	os.MkdirAll(filepath.Join(cdir, "seed"), 0755)
-
-	port := 23100 + n
-
-	fetchDistro(t, d)
-	mkLayeredQcow(t, tdir, d)
-	mkSeed(t, d, sshKey, hostURL, tdir, port)
-
-	driveArg := fmt.Sprintf("file=%s,if=virtio", filepath.Join(tdir, d.name+".qcow2"))
-
-	args := []string{
-		"-machine", "pc-q35-5.1,accel=kvm,usb=off,vmport=off,dump-guest-core=off",
-		"-netdev", fmt.Sprintf("user,hostfwd=::%d-:22,id=net0", port),
-		"-device", "virtio-net-pci,netdev=net0,id=net0,mac=8a:28:5c:30:1f:25",
-		"-m", fmt.Sprint(d.mem),
-		"-boot", "c",
-		"-drive", driveArg,
-		"-cdrom", filepath.Join(tdir, d.name, "seed", "seed.iso"),
-		"-vnc", fmt.Sprintf(":%d", n),
-	}
-
-	t.Logf("running: qemu-system-x86_64 %s", strings.Join(args, " "))
-
-	cmd := exec.Command("qemu-system-x86_64", args...)
-	err = cmd.Start()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	time.Sleep(time.Second)
-
-	if err := cmd.Process.Signal(syscall.Signal(0)); err != nil {
-		t.Fatal("qemu is not running")
-	}
-
-	return func() {
-		err := cmd.Process.Kill()
-		if err != nil {
-			t.Errorf("can't kill %s (%d): %v", d.name, cmd.Process.Pid, err)
-		}
-	}
-}
-
-// TestVMIntegrationEndToEnd creates a virtual machine with mkvm(1X), installs tailscale on it and then ensures that it connects to the network successfully.
-func TestVMIntegrationEndToEnd(t *testing.T) {
-	if !*runVMTests {
-		t.Skip("not running integration tests (need -run-vm-tests)")
-	}
-
-	if _, err := exec.LookPath("qemu-system-x86_64"); err != nil {
-		t.Logf("hint: nix-shell -p go -p qemu -p cdrkit --run 'go test -v -timeout=60m -run-vm-tests'")
-		t.Fatalf("missing dependency: %v", err)
-	}
-
-	if _, err := exec.LookPath("genisoimage"); err != nil {
-		t.Logf("hint: nix-shell -p go -p qemu -p cdrkit --run 'go test -v -timeout=60m -run-vm-tests'")
-		t.Fatalf("missing dependency: %v", err)
-	}
-
-	distros := []Distro{
-		{"amazon-linux", "https://cdn.amazonlinux.com/os-images/2.0.20210427.0/kvm/amzn2-kvm-2.0.20210427.0-x86_64.xfs.gpt.qcow2", "6ef9daef32cec69b2d0088626ec96410cd24afc504d57278bbf2f2ba2b7e529b", 512, "yum"},
-		{"centos-7", "https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2", "1db30c9c272fb37b00111b93dcebff16c278384755bdbe158559e9c240b73b80", 512, "yum"},
-		{"centos-8", "https://cloud.centos.org/centos/8/x86_64/images/CentOS-8-GenericCloud-8.3.2011-20201204.2.x86_64.qcow2", "7ec97062618dc0a7ebf211864abf63629da1f325578868579ee70c495bed3ba0", 768, "dnf"},
-		{"debian-9", "https://cdimage.debian.org/cdimage/openstack/9.13.21-20210511/debian-9.13.21-20210511-openstack-amd64.qcow2", "0667a08e2d947b331aee068db4bbf3a703e03edaf5afa52e23d534adff44b62a", 512, "apt"},
-		{"debian-10", "https://cdimage.debian.org/images/cloud/buster/20210329-591/debian-10-generic-amd64-20210329-591.qcow2", "70c61956095870c4082103d1a7a1cb5925293f8405fc6cb348588ec97e8611b0", 768, "apt"},
-		{"fedora-34", "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2", "b9b621b26725ba95442d9a56cbaa054784e0779a9522ec6eafff07c6e6f717ea", 768, "dnf"},
-		{"opensuse-leap-15.1", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.1/images/openSUSE-Leap-15.1-OpenStack.x86_64.qcow2", "3203e256dab5981ca3301408574b63bc522a69972fbe9850b65b54ff44a96e0a", 512, "zypper"},
-		{"opensuse-leap-15.2", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.2/images/openSUSE-Leap-15.2-OpenStack.x86_64.qcow2", "4df9cee9281d1f57d20f79dc65d76e255592b904760e73c0dd44ac753a54330f", 512, "zypper"},
-		{"opensuse-tumbleweed", "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-JeOS.x86_64-OpenStack-Cloud.qcow2", "ba3ecd281045b5019f0fb11378329a644a41870b77631ea647b128cd07eb804b", 512, "zypper"},
-		{"ubuntu-16-04", "https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img", "50a21bc067c05e0c73bf5d8727ab61152340d93073b3dc32eff18b626f7d813b", 512, "apt"},
-		{"ubuntu-18-04", "https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-amd64.img", "08396cf95c18534a2e3f88289bd92d18eee76f0e75813636b3ab9f1e603816d7", 512, "apt"},
-		{"ubuntu-20-04", "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img", "513158b22ff0f08d0a078d8d60293bcddffdb17094a7809c76c52aba415ecc54", 512, "apt"},
-		{"ubuntu-20-10", "https://cloud-images.ubuntu.com/groovy/current/groovy-server-cloudimg-amd64.img", "e470df72fce4fb8d0ee4ef8af8eed740ee3bf51290515eb42e5c747725e98b6d", 512, "apt"},
-		{"ubuntu-21-04", "https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64.img", "7fab8eda0bcf6f8f6e63845ccf1e29de4706e3359c82d3888835093020fe6f05", 512, "apt"},
-	}
-
-	dir := t.TempDir()
-
-	ln, err := net.Listen("tcp", deriveBindhost(t)+":0")
-	if err != nil {
-		t.Fatalf("can't make TCP listener: %v", err)
-	}
-	defer ln.Close()
-	t.Logf("host:port: %s", ln.Addr())
-
-	cs := &testcontrol.Server{}
-
-	var (
-		ipMu  sync.Mutex
-		ipMap = map[string]string{} // SSH port => IP address
-	)
-
-	mux := http.NewServeMux()
-	mux.Handle("/", cs)
-
-	// This handler will let the virtual machines tell the host information about that VM.
-	// This is used to maintain a list of port->IP address mappings that are known to be
-	// working. This allows later steps to connect over SSH. This returns no response to
-	// clients because no response is needed.
-	mux.HandleFunc("/myip/", func(w http.ResponseWriter, r *http.Request) {
-		ipMu.Lock()
-		defer ipMu.Unlock()
-
-		name := path.Base(r.URL.Path)
-		host, _, _ := net.SplitHostPort(r.RemoteAddr)
-		ipMap[name] = host
-		t.Logf("%s: %v", name, host)
-	})
-
-	hs := &http.Server{Handler: mux}
-	go hs.Serve(ln)
-
-	run(t, dir, "ssh-keygen", "-t", "ed25519", "-f", "machinekey", "-N", ``)
-	pubkey, err := os.ReadFile(filepath.Join(dir, "machinekey.pub"))
-	if err != nil {
-		t.Fatalf("can't read ssh key: %v", err)
-	}
-
-	privateKey, err := os.ReadFile(filepath.Join(dir, "machinekey"))
-	if err != nil {
-		t.Fatalf("can't read ssh private key: %v", err)
-	}
-
-	signer, err := ssh.ParsePrivateKey(privateKey)
-	if err != nil {
-		t.Fatalf("can't parse private key: %v", err)
-	}
-
-	loginServer := fmt.Sprintf("http://%s", ln.Addr())
-	t.Logf("loginServer: %s", loginServer)
-
-	cancels := make(chan func(), len(distros))
-
-	t.Run("mkvm", func(t *testing.T) {
-		for n, distro := range distros {
-			n, distro := n, distro
-			t.Run(distro.name, func(t *testing.T) {
-				t.Parallel()
-
-				cancel := mkVM(t, n, distro, string(pubkey), loginServer, dir)
-				cancels <- cancel
-			})
-		}
-	})
-
-	close(cancels)
-	for cancel := range cancels {
-		//lint:ignore SA9001 They do actually get ran
-		defer cancel()
-
-		if len(cancels) == 0 {
-			t.Log("all VMs started")
-			break
-		}
-	}
-
-	t.Run("wait-for-vms", func(t *testing.T) {
-		t.Log("waiting for VMs to register")
-		waiter := time.NewTicker(time.Second)
-		defer waiter.Stop()
-		n := 0
-		for {
-			<-waiter.C
-			ipMu.Lock()
-			if len(ipMap) == len(distros) {
-				ipMu.Unlock()
-				break
-			} else {
-				if n%30 == 0 {
-					t.Logf("ipMap:   %d", len(ipMap))
-					t.Logf("distros: %d", len(distros))
-				}
-			}
-			n++
-			ipMu.Unlock()
-		}
-	})
-
-	ipMu.Lock()
-	defer ipMu.Unlock()
-	t.Run("join-net", func(t *testing.T) {
-		for port := range ipMap {
-			port := port
-			t.Run(port, func(t *testing.T) {
-				config := &ssh.ClientConfig{
-					User:            "ts",
-					Auth:            []ssh.AuthMethod{ssh.PublicKeys(signer), ssh.Password("hunter2")},
-					HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-				}
-
-				cli, err := ssh.Dial("tcp", fmt.Sprintf("127.0.0.1:%s", port), config)
-				if err != nil {
-					t.Fatalf("can't dial 127.0.0.1:%s: %v", port, err)
-				}
-				defer cli.Close()
-
-				t.Parallel()
-				t.Logf("about to ssh into 127.0.0.1:%s", port)
-				timeout := 5 * time.Minute
-
-				e, _, err := expect.SpawnSSH(cli, timeout, expect.Verbose(true), expect.VerboseWriter(os.Stdout))
-				if err != nil {
-					t.Fatalf("%s: can't register a shell session: %v", port, err)
-				}
-				defer e.Close()
-
-				_, _, err = e.Expect(regexp.MustCompile(`(\$|\>)`), timeout)
-				if err != nil {
-					t.Fatalf("%s: can't get a shell: %v", port, err)
-				}
-				t.Logf("got shell for %s", port)
-				err = e.Send(fmt.Sprintf("sudo tailscale up --login-server %s\n", loginServer))
-				if err != nil {
-					t.Fatalf("%s: can't send tailscale up command: %v", port, err)
-				}
-				_, _, err = e.Expect(regexp.MustCompile(`Success.`), timeout)
-				if err != nil {
-					t.Fatalf("can't extract URL: %v", err)
-				}
-			})
-		}
-	})
-
-	if numNodes := cs.NumNodes(); numNodes != len(ipMap) {
-		t.Errorf("wanted %d nodes, got: %d", len(ipMap), numNodes)
-	}
-}
-
-func deriveBindhost(t *testing.T) string {
-	t.Helper()
-
-	ifaces, err := net.Interfaces()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	rex := regexp.MustCompile(`^(eth|enp|wlp|wlan)`)
-
-	for _, iface := range ifaces {
-		t.Logf("found interface %s: %d", iface.Name, iface.Flags&net.FlagUp)
-		if (iface.Flags & net.FlagUp) == 0 {
-			continue
-		}
-
-		if rex.MatchString(iface.Name) {
-			addrs, err := iface.Addrs()
-			if err != nil {
-				t.Fatalf("can't get address for %s: %v", iface.Name, err)
-			}
-
-			for _, addr := range addrs {
-				return netaddr.MustParseIPPrefix(addr.String()).IP().String()
-			}
-		}
-	}
-
-	t.Fatal("can't find a bindhost")
-	return "invalid"
-}
-
-func TestDeriveBindhost(t *testing.T) {
-	t.Log(deriveBindhost(t))
-}
-
-const metaDataTemplate = `instance-id: {{.ID}}
-local-hostname: {{.Hostname}}`
-
-const userDataTemplate = `#cloud-config
-#vim:syntax=yaml
-
-cloud_config_modules:
- - runcmd
-
-cloud_final_modules:
- - [users-groups, always]
- - [scripts-user, once-per-instance]
-
-users:
-  - name: ts
-    plain_text_passwd: hunter2
-    groups: [ wheel ]
-    sudo: [ "ALL=(ALL) NOPASSWD:ALL" ]
-    shell: /bin/sh
-    ssh-authorized-keys:
-    - {{.SSHKey}}
-
-write_files:
-  - path: /etc/cloud/cloud.cfg.d/80_disable_network_after_firstboot.cfg
-    content: |
-      # Disable network configuration after first boot
-      network:
-        config: disabled
-
-runcmd:
-{{.InstallPre}}
- - [ "sh", "-c", "curl https://raw.githubusercontent.com/tailscale/tailscale/Xe/test-install-script-libvirtd/scripts/installer.sh | sh" ]
- - [ systemctl, enable, --now, tailscaled.service ]
- - [ curl, "{{.HostURL}}/myip/{{.Port}}", "-H", "User-Agent: {{.Hostname}}" ]
-`
--- a/tsweb/jsonhandler.go
+++ b/tsweb/jsonhandler.go
@@ -89,64 +89,3 @@ func (fn JSONHandlerFunc) ServeHTTPReturn(w http.ResponseWriter, r *http.Request
 	w.Write(b)
 	return err
 }
-
-// TODO() Set this function such that chunk encoding works
-// Currently the same thing with chunking headers set.
-func (fn JSONHandlerFunc) ServeHTTPChunkEncodingReturn(w http.ResponseWriter, r *http.Request) error {
-	w.Header().Set("Connection", "Keep-Alive")
-	w.Header().Set("Transfer-Encoding", "chunked")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	var resp *response
-	status, data, err := fn(r)
-	if err != nil {
-		if werr, ok := err.(HTTPError); ok {
-			resp = &response{
-				Status: "error",
-				Error:  werr.Msg,
-				Data:   data,
-			}
-			// Unwrap the HTTPError here because we are communicating with
-			// the client in this handler. We don't want the wrapping
-			// ReturnHandler to do it too.
-			err = werr.Err
-			if werr.Msg != "" {
-				err = fmt.Errorf("%s: %w", werr.Msg, err)
-			}
-			// take status from the HTTPError to encourage error handling in one location
-			if status != 0 && status != werr.Code {
-				err = fmt.Errorf("[unexpected] non-zero status that does not match HTTPError status, status: %d, HTTPError.code: %d: %w", status, werr.Code, err)
-			}
-			status = werr.Code
-		} else {
-			status = http.StatusInternalServerError
-			resp = &response{
-				Status: "error",
-				Error:  "internal server error",
-			}
-		}
-	} else if status == 0 {
-		status = http.StatusInternalServerError
-		resp = &response{
-			Status: "error",
-			Error:  "internal server error",
-		}
-	} else if err == nil {
-		resp = &response{
-			Status: "success",
-			Data:   data,
-		}
-	}
-	b, jerr := json.Marshal(resp)
-	if jerr != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		w.Write([]byte(`{"status":"error","error":"json marshal error"}`))
-		if err != nil {
-			return fmt.Errorf("%w, and then we could not respond: %v", err, jerr)
-		}
-		return jerr
-	}
-
-	w.WriteHeader(status)
-	w.Write(b)
-	return err
-}
--- a/types/strbuilder/strbuilder.go
+++ b/types/strbuilder/strbuilder.go
@@ -0,0 +1,74 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package strbuilder defines a string builder type that allocates
+// less than the standard library's strings.Builder by using a
+// sync.Pool, so it doesn't matter if the compiler can't prove that
+// the builder doesn't escape into the fmt package, etc.
+package strbuilder
+
+import (
+	"bytes"
+	"strconv"
+	"sync"
+)
+
+var pool = sync.Pool{
+	New: func() interface{} { return new(Builder) },
+}
+
+type Builder struct {
+	bb      bytes.Buffer
+	scratch [20]byte // long enough for MinInt64, MaxUint64
+	locked  bool     // in pool, not for use
+}
+
+// Get returns a new or reused string Builder.
+func Get() *Builder {
+	b := pool.Get().(*Builder)
+	b.bb.Reset()
+	b.locked = false
+	return b
+}
+
+// String both returns the Builder's string, and returns the builder
+// to the pool.
+func (b *Builder) String() string {
+	if b.locked {
+		panic("String called twiced on Builder")
+	}
+	s := b.bb.String()
+	b.locked = true
+	pool.Put(b)
+	return s
+}
+
+func (b *Builder) WriteByte(v byte) error {
+	return b.bb.WriteByte(v)
+}
+
+func (b *Builder) WriteString(s string) (int, error) {
+	return b.bb.WriteString(s)
+}
+
+func (b *Builder) Write(p []byte) (int, error) {
+	return b.bb.Write(p)
+}
+
+func (b *Builder) WriteInt(v int64) {
+	b.Write(strconv.AppendInt(b.scratch[:0], v, 10))
+}
+
+func (b *Builder) WriteUint(v uint64) {
+	b.Write(strconv.AppendUint(b.scratch[:0], v, 10))
+}
+
+// Grow grows the buffer's capacity, if necessary, to guarantee space
+// for another n bytes. After Grow(n), at least n bytes can be written
+// to the buffer without another allocation. If n is negative, Grow
+// will panic. If the buffer can't grow it will panic with
+// ErrTooLarge.
+func (b *Builder) Grow(n int) {
+	b.bb.Grow(n)
+}
--- a/types/strbuilder/strbuilder_test.go
+++ b/types/strbuilder/strbuilder_test.go
@@ -0,0 +1,52 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package strbuilder
+
+import (
+	"math"
+	"testing"
+)
+
+func TestBuilder(t *testing.T) {
+	const want = "Hello, world 123 -456!"
+	bang := []byte("!")
+	var got string
+	allocs := testing.AllocsPerRun(1000, func() {
+		sb := Get()
+		sb.WriteString("Hello, world ")
+		sb.WriteUint(123)
+		sb.WriteByte(' ')
+		sb.WriteInt(-456)
+		sb.Write(bang)
+		got = sb.String()
+	})
+	if got != want {
+		t.Errorf("got %q; want %q", got, want)
+	}
+	if allocs != 1 {
+		t.Errorf("allocs = %v; want 1", allocs)
+	}
+}
+
+// Verifies scratch buf is large enough.
+func TestIntBounds(t *testing.T) {
+	const want = "-9223372036854775808 9223372036854775807 18446744073709551615"
+	var got string
+	allocs := testing.AllocsPerRun(1000, func() {
+		sb := Get()
+		sb.WriteInt(math.MinInt64)
+		sb.WriteByte(' ')
+		sb.WriteInt(math.MaxInt64)
+		sb.WriteByte(' ')
+		sb.WriteUint(math.MaxUint64)
+		got = sb.String()
+	})
+	if got != want {
+		t.Errorf("got %q; want %q", got, want)
+	}
+	if allocs != 1 {
+		t.Errorf("allocs = %v; want 1", allocs)
+	}
+}
--- a/types/wgkey/key.go
+++ b/types/wgkey/key.go
@@ -10,6 +10,7 @@
 package wgkey

 import (
+	"bytes"
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/base64"
@@ -71,11 +72,10 @@ func ParsePrivateHex(v string) (Private, error) {
 	return pk, nil
 }

-func (k Key) Base64() string           { return base64.StdEncoding.EncodeToString(k[:]) }
-func (k Key) String() string           { return k.ShortString() }
-func (k Key) HexString() string        { return hex.EncodeToString(k[:]) }
-func (k Key) Equal(k2 Key) bool        { return subtle.ConstantTimeCompare(k[:], k2[:]) == 1 }
-func (k Key) AppendTo(b []byte) []byte { return appendKey(b, "", k) }
+func (k Key) Base64() string    { return base64.StdEncoding.EncodeToString(k[:]) }
+func (k Key) String() string    { return k.ShortString() }
+func (k Key) HexString() string { return hex.EncodeToString(k[:]) }
+func (k Key) Equal(k2 Key) bool { return subtle.ConstantTimeCompare(k[:], k2[:]) == 1 }

 func (k *Key) ShortString() string {
 	// The goal here is to generate "[" + base64.StdEncoding.EncodeToString(k[:])[:5] + "]".
@@ -178,17 +178,13 @@ func (k *Private) Public() Key {
 	return (Key)(p)
 }

-func appendKey(base []byte, prefix string, k [32]byte) []byte {
-	ret := append(base, make([]byte, len(prefix)+64)...)
-	buf := ret[len(base):]
-	copy(buf, prefix)
-	hex.Encode(buf[len(prefix):], k[:])
-	return ret
+func (k Private) MarshalText() ([]byte, error) {
+	// TODO(josharian): use encoding/hex instead?
+	buf := new(bytes.Buffer)
+	fmt.Fprintf(buf, `privkey:%x`, k[:])
+	return buf.Bytes(), nil
 }

-func (k Private) MarshalText() ([]byte, error) { return appendKey(nil, "privkey:", k), nil }
-func (k Private) AppendTo(b []byte) []byte     { return appendKey(b, "privkey:", k) }
-
 func (k *Private) UnmarshalText(b []byte) error {
 	s := string(b)
 	if !strings.HasPrefix(s, `privkey:`) {
--- a/wgengine/bench/wg.go
+++ b/wgengine/bench/wg.go
@@ -12,7 +12,7 @@ import (
 	"sync"
 	"testing"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"

 	"tailscale.com/net/dns"
--- a/wgengine/magicsock/legacy.go
+++ b/wgengine/magicsock/legacy.go
@@ -16,11 +16,11 @@ import (
 	"sync"
 	"time"

+	"github.com/tailscale/wireguard-go/conn"
+	"github.com/tailscale/wireguard-go/tai64n"
 	"golang.org/x/crypto/blake2s"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/poly1305"
-	"golang.zx2c4.com/wireguard/conn"
-	"golang.zx2c4.com/wireguard/tai64n"
 	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/types/key"
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -15,7 +15,6 @@ import (
 	"errors"
 	"fmt"
 	"hash/fnv"
-	"log"
 	"math"
 	"math/rand"
 	"net"
@@ -28,9 +27,9 @@ import (
 	"sync/atomic"
 	"time"

+	"github.com/tailscale/wireguard-go/conn"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/time/rate"
-	"golang.zx2c4.com/wireguard/conn"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/derp"
@@ -825,7 +824,6 @@ func (c *Conn) LastRecvActivityOfDisco(dk tailcfg.DiscoKey) time.Time {

 // Ping handles a "tailscale ping" CLI query.
 func (c *Conn) Ping(peer *tailcfg.Node, res *ipnstate.PingResult, cb func(*ipnstate.PingResult)) {
-	log.Println("CLIPING")
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	if c.privateKey.IsZero() {
@@ -2214,7 +2212,6 @@ func nodesEqual(x, y []*tailcfg.Node) bool {
 // conditionally sent to SetDERPMap instead.
 func (c *Conn) SetNetworkMap(nm *netmap.NetworkMap) {
 	c.mu.Lock()
-	log.Println("NETMAP being set")
 	defer c.mu.Unlock()

 	if c.netMap != nil && nodesEqual(c.netMap.Peers, nm.Peers) {
@@ -3393,7 +3390,6 @@ func (de *discoEndpoint) send(b []byte) error {
 	now := time.Now()

 	de.mu.Lock()
-	log.Println("Discosend")
 	udpAddr, derpAddr := de.addrForSendLocked(now)
 	if udpAddr.IsZero() || now.After(de.trustBestAddrUntil) {
 		de.sendPingsLocked(now, true)
@@ -3452,9 +3448,7 @@ func (de *discoEndpoint) removeSentPingLocked(txid stun.TxID, sp sentPing) {
 // The caller (startPingLocked) should've already been recorded the ping in
 // sentPing and set up the timer.
 func (de *discoEndpoint) sendDiscoPing(ep netaddr.IPPort, txid stun.TxID, logLevel discoLogLevel) {
-	log.Println("sendDiscoPing")
 	sent, _ := de.sendDiscoMessage(ep, &disco.Ping{TxID: [12]byte(txid)}, logLevel)
-	log.Println(sent)
 	if !sent {
 		de.forgetPing(txid)
 	}
@@ -3633,7 +3627,6 @@ func (de *discoEndpoint) noteConnectivityChange() {
 // It should be called with the Conn.mu held.
 func (de *discoEndpoint) handlePongConnLocked(m *disco.Pong, src netaddr.IPPort) {
 	de.mu.Lock()
-	log.Println("Disco Reached")
 	defer de.mu.Unlock()

 	isDerp := src.IP() == derpMagicIPAddr
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@@ -26,9 +26,9 @@ import (
 	"time"
 	"unsafe"

+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun/tuntest"
 	"golang.org/x/crypto/nacl/box"
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun/tuntest"
 	"inet.af/netaddr"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
--- a/wgengine/mem_ios.go
+++ b/wgengine/mem_ios.go
@@ -1,21 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package wgengine
-
-import (
-	"golang.zx2c4.com/wireguard/device"
-)
-
-// iOS has a very restrictive memory limit on network extensions.
-// Reduce the maximum amount of memory that wireguard-go can allocate
-// to avoid getting killed.
-
-func init() {
-	device.QueueStagedSize = 64
-	device.QueueOutboundSize = 64
-	device.QueueInboundSize = 64
-	device.QueueHandshakeSize = 64
-	device.PreallocatedBuffersPerPool = 64
-}
--- a/wgengine/router/ifconfig_windows.go
+++ b/wgengine/router/ifconfig_windows.go
@@ -17,8 +17,8 @@ import (

 	"github.com/go-multierror/multierror"
 	ole "github.com/go-ole/go-ole"
+	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
 	"tailscale.com/health"
--- a/wgengine/router/router.go
+++ b/wgengine/router/router.go
@@ -7,7 +7,7 @@
 package router

 import (
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
--- a/wgengine/router/router_darwin.go
+++ b/wgengine/router/router_darwin.go
@@ -5,7 +5,7 @@
 package router

 import (
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 )

--- a/wgengine/router/router_default.go
+++ b/wgengine/router/router_default.go
@@ -7,7 +7,7 @@
 package router

 import (
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 )

--- a/wgengine/router/router_freebsd.go
+++ b/wgengine/router/router_freebsd.go
@@ -5,7 +5,7 @@
 package router

 import (
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
 )

--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -16,7 +16,7 @@ import (

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/go-multierror/multierror"
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
--- a/wgengine/router/router_linux_test.go
+++ b/wgengine/router/router_linux_test.go
@@ -16,7 +16,7 @@ import (
 	"testing"

 	"github.com/google/go-cmp/cmp"
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 )

--- a/wgengine/router/router_openbsd.go
+++ b/wgengine/router/router_openbsd.go
@@ -10,7 +10,7 @@ import (
 	"log"
 	"os/exec"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/types/logger"
 )
--- a/wgengine/router/router_userspace_bsd.go
+++ b/wgengine/router/router_userspace_bsd.go
@@ -12,7 +12,7 @@ import (
 	"os/exec"
 	"runtime"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
--- a/wgengine/router/router_windows.go
+++ b/wgengine/router/router_windows.go
@@ -16,8 +16,8 @@ import (
 	"syscall"
 	"time"

+	"github.com/tailscale/wireguard-go/tun"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
 	"tailscale.com/logtail/backoff"
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -11,7 +11,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"os"
 	"reflect"
 	"runtime"
@@ -21,9 +20,9 @@ import (
 	"sync/atomic"
 	"time"

+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
 	"go4.org/mem"
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/health"
@@ -308,7 +307,6 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)

 	e.wgLogger = wglog.NewLogger(logf)
 	e.tundev.OnTSMPPongReceived = func(pong packet.TSMPPongReply) {
-		log.Println("PONGReceived")
 		e.mu.Lock()
 		defer e.mu.Unlock()
 		cb := e.pongCallback[pong.Data]
@@ -371,7 +369,6 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)

 // echoRespondToAll is an inbound post-filter responding to all echo requests.
 func echoRespondToAll(p *packet.Parsed, t *tstun.Wrapper) filter.Response {
-	log.Println("ECHO respond to all")
 	if p.IsEchoRequest() {
 		header := p.ICMP4Header()
 		header.ToResponse()
@@ -636,7 +633,7 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Publ
 		}
 	}

-	if !deephash.UpdateHash(&e.lastEngineSigTrim, &min, trimmedDisco, trackDisco, trackIPs) {
+	if !deephash.UpdateHash(&e.lastEngineSigTrim, min, trimmedDisco, trackDisco, trackIPs) {
 		// No changes
 		return nil
 	}
@@ -1090,7 +1087,6 @@ func (e *userspaceEngine) SetDERPMap(dm *tailcfg.DERPMap) {
 }

 func (e *userspaceEngine) SetNetworkMap(nm *netmap.NetworkMap) {
-	log.Println("SETNETMAP")
 	e.magicConn.SetNetworkMap(nm)
 	e.mu.Lock()
 	e.netMap = nm
@@ -1127,18 +1123,15 @@ func (e *userspaceEngine) UpdateStatus(sb *ipnstate.StatusBuilder) {
 }

 func (e *userspaceEngine) Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult)) {
-	log.Println("Userspace Ping Called")
 	res := &ipnstate.PingResult{IP: ip.String()}
 	peer, err := e.peerForIP(ip)
 	if err != nil {
-		log.Println(err)
 		e.logf("ping(%v): %v", ip, err)
 		res.Err = err.Error()
 		cb(res)
 		return
 	}
 	if peer == nil {
-		log.Println("No peer moment")
 		e.logf("ping(%v): no matching peer", ip)
 		res.Err = "no matching peer"
 		cb(res)
@@ -1146,7 +1139,6 @@ func (e *userspaceEngine) Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.Pi
 	}
 	pingType := "disco"
 	if useTSMP {
-		log.Println("TSMPSELECTED")
 		pingType = "TSMP"
 	}
 	e.logf("ping(%v): sending %v ping to %v %v ...", ip, pingType, peer.Key.ShortString(), peer.ComputedName)
@@ -1175,10 +1167,8 @@ func (e *userspaceEngine) mySelfIPMatchingFamily(dst netaddr.IP) (src netaddr.IP
 }

 func (e *userspaceEngine) sendTSMPPing(ip netaddr.IP, peer *tailcfg.Node, res *ipnstate.PingResult, cb func(*ipnstate.PingResult)) {
-	log.Println("TSMPcheck")
 	srcIP, err := e.mySelfIPMatchingFamily(ip)
 	if err != nil {
-		log.Println("TSMPcheckerror")
 		res.Err = err.Error()
 		cb(res)
 		return
@@ -1200,17 +1190,12 @@ func (e *userspaceEngine) sendTSMPPing(ip netaddr.IP, peer *tailcfg.Node, res *i

 	var data [8]byte
 	crand.Read(data[:])
-	log.Println("CRAND CHECKlog")
-	fmt.Println("CRAND CHECKfmt")

 	expireTimer := time.AfterFunc(10*time.Second, func() {
-		log.Println("CHECKEXPIRE")
 		e.setTSMPPongCallback(data, nil)
 	})
-	log.Println("TIMECHECK")
 	t0 := time.Now()
 	e.setTSMPPongCallback(data, func(pong packet.TSMPPongReply) {
-		log.Println("ping cb called")
 		expireTimer.Stop()
 		d := time.Since(t0)
 		res.LatencySeconds = d.Seconds()
@@ -1223,32 +1208,22 @@ func (e *userspaceEngine) sendTSMPPing(ip netaddr.IP, peer *tailcfg.Node, res *i
 	var tsmpPayload [9]byte
 	tsmpPayload[0] = byte(packet.TSMPTypePing)
 	copy(tsmpPayload[1:], data[:])
-	log.Println("PAYLOADCHECK")

 	tsmpPing := packet.Generate(iph, tsmpPayload[:])
-	log.Println("BEFOREPACKET", tsmpPing)
-	log.Println("PACKETGEN", *res, res.LatencySeconds)
 	e.tundev.InjectOutbound(tsmpPing)
-	log.Println("TUNDEVINJECT")
 }

 func (e *userspaceEngine) setTSMPPongCallback(data [8]byte, cb func(packet.TSMPPongReply)) {
-	log.Println("Ponger2nolock", data)
 	e.mu.Lock()
-	log.Println("Ponger2", e.pongCallback == nil, cb == nil)
 	defer e.mu.Unlock()
 	if e.pongCallback == nil {
-		log.Println("pongCallback nil")
 		e.pongCallback = map[[8]byte]func(packet.TSMPPongReply){}
 	}
 	if cb == nil {
-		log.Println("DELETEoccur")
 		delete(e.pongCallback, data)
 	} else {
-		log.Println("Callbackset")
 		e.pongCallback[data] = cb
 	}
-	log.Println("PONGCALLBACKMAP", data, e.pongCallback)
 }

 func (e *userspaceEngine) RegisterIPPortIdentity(ipport netaddr.IPPort, tsIP netaddr.IP) {
@@ -1316,20 +1291,12 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, err error)
 	// Check for exact matches before looking for subnet matches.
 	var bestInNMPrefix netaddr.IPPrefix
 	var bestInNM *tailcfg.Node
-	log.Println("Scan starting : ", len(nm.Peers), nm.Addresses)
 	for _, p := range nm.Peers {
-		log.Println("peerp", p.Addresses, p.AllowedIPs, p.ID)
 		for _, a := range p.Addresses {
-			log.Println("paddr", a)
 			if a.IP() == ip && a.IsSingleIP() && tsaddr.IsTailscaleIP(ip) {
-				log.Println("Foundp")
 				return p, nil
-			} else {
-				// log.Println("Failure : ", a.IP(), a.IsSingleIP(), tsaddr.IsTailscaleIP(ip))
 			}
 		}
-		log.Println("ALLOW : ", p.AllowedIPs)
-		bestInNM = p
 		for _, cidr := range p.AllowedIPs {
 			if !cidr.Contains(ip) {
 				continue
@@ -1343,7 +1310,6 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, err error)

 	e.wgLock.Lock()
 	defer e.wgLock.Unlock()
-	log.Println("Scanpoint2")

 	// TODO(bradfitz): this is O(n peers). Add ART to netaddr?
 	var best netaddr.IPPrefix
@@ -1368,13 +1334,10 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, err error)
 			}
 		}
 	}
-	log.Println("Scanpoint3")
 	if bestInNM == nil {
-		log.Println("Scanpoint4")
 		return nil, nil
 	}
 	if bestInNMPrefix.Bits() == 0 {
-		log.Println("Scanpoint5")
 		return nil, errors.New("exit node found but not enabled")
 	}
 	return nil, fmt.Errorf("node %q found, but not using its %v route", bestInNM.ComputedNameWithHost, bestInNMPrefix)
--- a/wgengine/userspace_ext_test.go
+++ b/wgengine/userspace_ext_test.go
@@ -7,7 +7,7 @@ package wgengine_test
 import (
 	"testing"

-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/net/tstun"
 	"tailscale.com/types/logger"
 	"tailscale.com/wgengine"
--- a/wgengine/wgcfg/device.go
+++ b/wgengine/wgcfg/device.go
@@ -8,7 +8,7 @@ import (
 	"io"
 	"sort"

-	"golang.zx2c4.com/wireguard/device"
+	"github.com/tailscale/wireguard-go/device"
 	"tailscale.com/types/logger"
 )

--- a/wgengine/wgcfg/device_test.go
+++ b/wgengine/wgcfg/device_test.go
@@ -16,9 +16,9 @@ import (
 	"sync"
 	"testing"

-	"golang.zx2c4.com/wireguard/conn"
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/tailscale/wireguard-go/conn"
+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/types/wgkey"
 )
--- a/wgengine/wglog/wglog.go
+++ b/wgengine/wglog/wglog.go
@@ -9,10 +9,9 @@ import (
 	"encoding/base64"
 	"fmt"
 	"strings"
-	"sync"
 	"sync/atomic"

-	"golang.zx2c4.com/wireguard/device"
+	"github.com/tailscale/wireguard-go/device"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/wgcfg"
@@ -22,15 +21,7 @@ import (
 // It can be modified at run time to adjust to new wireguard-go configurations.
 type Logger struct {
 	DeviceLogger *device.Logger
-	replace      atomic.Value            // of map[string]string
-	mu           sync.Mutex              // protects strs
-	strs         map[wgkey.Key]*strCache // cached strs used to populate replace
-}
-
-// strCache holds a wireguard-go and a Tailscale style peer string.
-type strCache struct {
-	wg, ts string
-	used   bool // track whether this strCache was used in a particular round
+	replace      atomic.Value // of map[string]string
 }

 // NewLogger creates a new logger for use with wireguard-go.
@@ -85,36 +76,18 @@ func NewLogger(logf logger.Logf) *Logger {
 		Verbosef: logger.WithPrefix(wrapper, "[v2] "),
 		Errorf:   wrapper,
 	}
-	ret.strs = make(map[wgkey.Key]*strCache)
 	return ret
 }

 // SetPeers adjusts x to rewrite the peer public keys found in peers.
 // SetPeers is safe for concurrent use.
 func (x *Logger) SetPeers(peers []wgcfg.Peer) {
-	x.mu.Lock()
-	defer x.mu.Unlock()
 	// Construct a new peer public key log rewriter.
 	replace := make(map[string]string)
 	for _, peer := range peers {
-		c, ok := x.strs[peer.PublicKey] // look up cached strs
-		if !ok {
-			wg := wireguardGoString(peer.PublicKey)
-			ts := peer.PublicKey.ShortString()
-			c = &strCache{wg: wg, ts: ts}
-			x.strs[peer.PublicKey] = c
-		}
-		c.used = true
-		replace[c.wg] = c.ts
-	}
-	// Remove any unused cached strs.
-	for k, c := range x.strs {
-		if !c.used {
-			delete(x.strs, k)
-			continue
-		}
-		// Mark c as unused for next round.
-		c.used = false
+		old := wireguardGoString(peer.PublicKey)
+		new := peer.PublicKey.ShortString()
+		replace[old] = new
 	}
 	x.replace.Store(replace)
 }
Author	SHA1	Message	Date
Simeng He	d36c7a40b4	Added single node test to check Addresses and AllowedIPs Signed-off-by: Simeng He <simeng@tailscale.com>	2021-05-18 16:06:05 -04:00
Simeng He	13b94cc4d7	Added new Addresses / AllowedIPs fields to testcontrol when creating new &tailcfg.Node Signed-off-by: Simeng He <simeng@tailscale.com>	2021-05-18 13:47:21 -04:00