cmd/derper: add default-off debug endpoint for profiling

Updates https://github.com/tailscale/corp/issues/11492
Signed-off-by: Tom DNetto <tom@tailscale.com>

.github/workflows/go-licenses.yml

@@ -50,11 +50,11 @@ jobs:
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 #v4.2.4
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply@tailscale.com>
-          committer: License Updater <noreply@tailscale.com>
+          author: License Updater <noreply+license-updater@tailscale.com>
+          committer: License Updater <noreply+license-updater@tailscale.com>
           branch: licenses/cli
           commit-message: "licenses: update tailscale{,d} licenses"
           title: "licenses: update tailscale{,d} licenses"

.github/workflows/golangci-lint.yml

@@ -0,0 +1,40 @@
+name: golangci-lint
+on:
+  # For now, only lint pull requests, not the main branches.
+  pull_request:
+
+  # TODO(andrew): enable for main branch after an initial waiting period.
+  #push:
+  #  branches:
+  #    - main
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: golangci-lint
+        # Note: this is the 'v3' tag as of 2023-04-17
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5
+        with:
+          version: v1.52.2
+
+          # Show only new issues if it's a pull request.
+          only-new-issues: true

.github/workflows/installer.yml

@@ -0,0 +1,102 @@
+name: test installer.sh
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - scripts/installer.sh
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - scripts/installer.sh
+
+jobs:
+  test:
+    strategy:
+      # Don't abort the entire matrix if one element fails.
+      fail-fast: false
+      # Don't start all of these at once, which could saturate Github workers.
+      max-parallel: 4
+      matrix:
+        image:
+          # This is a list of Docker images against which we test our installer.
+          # If you find that some of these no longer exist, please feel free
+          # to remove them from the list.
+          # When adding new images, please only use official ones.
+          - "debian:oldstable-slim"
+          - "debian:stable-slim"
+          - "debian:testing-slim"
+          - "debian:sid-slim"
+          - "ubuntu:18.04"
+          - "ubuntu:20.04"
+          - "ubuntu:22.04"
+          - "ubuntu:22.10"
+          - "ubuntu:23.04"
+          - "elementary/docker:stable"
+          - "elementary/docker:unstable"
+          - "parrotsec/core:lts-amd64"
+          - "parrotsec/core:latest"
+          - "kalilinux/kali-rolling"
+          - "kalilinux/kali-dev"
+          - "oraclelinux:9"
+          - "oraclelinux:8"
+          - "fedora:latest"
+          - "rockylinux:8.7"
+          - "rockylinux:9"
+          - "amazonlinux:latest"
+          - "opensuse/leap:latest"
+          - "opensuse/tumbleweed:latest"
+          - "archlinux:latest"
+          - "alpine:3.14"
+          - "alpine:latest"
+          - "alpine:edge"
+        deps:
+          # Run all images installing curl as a dependency.
+          - curl
+        include:
+          # Check a few images with wget rather than curl.
+          - { image: "debian:oldstable-slim", deps: "wget" }
+          - { image: "debian:sid-slim", deps: "wget" }
+          - { image: "ubuntu:23.04", deps: "wget" }
+          # Ubuntu 16.04 also needs apt-transport-https installed.
+          - { image: "ubuntu:16.04", deps: "curl apt-transport-https" }
+          - { image: "ubuntu:16.04", deps: "wget apt-transport-https" }
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ matrix.image }}
+      options: --user root
+    steps:
+    - name: install dependencies (yum)
+      # tar and gzip are needed by the actions/checkout below.
+      run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
+      if: |
+        contains(matrix.image, 'centos')
+        || contains(matrix.image, 'oraclelinux')
+        || contains(matrix.image, 'fedora')
+        || contains(matrix.image, 'amazonlinux')
+    - name: install dependencies (zypper)
+      # tar and gzip are needed by the actions/checkout below.
+      run: zypper --non-interactive install tar gzip
+      if: contains(matrix.image, 'opensuse')
+    - name: install dependencies (apt-get)
+      run: |
+        apt-get update
+        apt-get install -y ${{ matrix.deps }}
+      if: |
+        contains(matrix.image, 'debian')
+        || contains(matrix.image, 'ubuntu')
+        || contains(matrix.image, 'elementary')
+        || contains(matrix.image, 'parrotsec')
+        || contains(matrix.image, 'kalilinux')
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: run installer
+      run: scripts/installer.sh
+      # Package installation can fail in docker because systemd is not running
+      # as PID 1, so ignore errors at this step. The real check is the
+      # `tailscale --version` command below.
+      continue-on-error: true
+    - name: check tailscale version
+      run: tailscale --version

.github/workflows/test.yml

@@ -46,14 +46,31 @@ jobs:
         include:
           - goarch: amd64
           - goarch: amd64
-            variant: race
+            buildflags: "-race"
           - goarch: "386" # thanks yaml
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
       uses: actions/checkout@v3
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-
     - name: build all
-      run: ./tool/go build ./...
+      run: ./tool/go build ${{matrix.buildflags}} ./...
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: build variant CLIs
@@ -73,13 +90,11 @@ jobs:
     - name: build test wrapper
       run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
     - name: test all
-      if: matrix.variant != 'race'
-      run: ./tool/go test -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
+      run: ./tool/go test ${{matrix.buildflags}} -exec=/tmp/testwrapper
       env:
         GOARCH: ${{ matrix.goarch }}
-    - name: test all (race)
-      if: matrix.variant == 'race'
-      run: ./tool/go test -race -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
+    - name: bench all
+      run: ./tool/go test ${{matrix.buildflags}} -exec=/tmp/testwrapper -test.bench=. -test.benchtime=1x -test.run=^$
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: check that no tracked files changed
@@ -101,6 +116,13 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v3
+
+    - name: Install Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+        cache: false
+
     - name: Restore Cache
       uses: actions/cache@v3
       with:
@@ -109,17 +131,20 @@ jobs:
         # contains zips that can be unpacked in parallel faster than they can be
         # fetched and extracted by tar
         path: |
+          ~/.cache/go-build
           ~/go/pkg/mod/cache
           ~\AppData\Local\go-build
         # The -2- here should be incremented when the scheme of data to be
         # cached changes (e.g. path above changes).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-go-2-
     - name: test
       # Don't use -bench=. -benchtime=1x.
       # Somewhere in the layers (powershell?)
       # the equals signs cause great confusion.
-      run: ./tool/go test -bench . -benchtime 1x ./...
+      run: go test -bench . -benchtime 1x ./...
 
   vm:
     runs-on: ["self-hosted", "linux", "vm"]
@@ -174,6 +199,23 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v3
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
     - name: build all
       run: ./tool/go build ./cmd/...
       env:
@@ -223,6 +265,23 @@ jobs:
     steps:
     - name: checkout
       uses: actions/checkout@v3
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+          ${{ github.job }}-${{ runner.os }}-go-2-
     - name: build tsconnect client
       run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
       env:
@@ -235,6 +294,15 @@ jobs:
         ./tool/go run ./cmd/tsconnect --fast-compression build
         ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
 
+  tailscale_go: # Subset of tests that depend on our custom Go toolchain.
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: test tailscale_go
+      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
+
+
   fuzz:
     # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
     # of the file), so it's more complex than usual: the 'build fuzzers' step
@@ -372,6 +440,7 @@ jobs:
       - cross
       - ios
       - wasm
+      - tailscale_go
       - fuzz
       - depaware
       - go_generate
@@ -389,7 +458,7 @@ jobs:
       # By having the job always run, but skipping its only step as needed, we
       # let the CI output collapse nicely in PRs.
       if: failure() && github.event_name == 'push'
-      uses: ruby/action-slack@v3.0.0
+      uses: ruby/action-slack@v3.2.1
       with:
         payload: |
           {
@@ -416,6 +485,7 @@ jobs:
       - cross
       - ios
       - wasm
+      - tailscale_go
       - fuzz
       - depaware
       - go_generate

.github/workflows/tsconnect-pkg-publish.yml

@@ -1,31 +0,0 @@
-name: "@tailscale/connect npm publish"
-
-on: workflow_dispatch
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up node
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Build package
-        # Build with build_dist.sh to ensure that version information is embedded.
-        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
-        # also picks up our custom Go toolchain.
-        run: |
-          export TS_USE_TOOLCHAIN=1
-          ./build_dist.sh tailscale.com/cmd/tsconnect
-          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
-
-      - name: Publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
-        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public

.github/workflows/update-flake.yml

@@ -35,11 +35,11 @@ jobs:
           private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
 
       - name: Send pull request
-        uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 #v4.2.4
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
         with:
           token: ${{ steps.generate-token.outputs.token }}
-          author: Flakes Updater <noreply@tailscale.com>
-          committer: Flakes Updater <noreply@tailscale.com>
+          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
+          committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
           branch: flakes
           commit-message: "go.mod.sri: update SRI hash for go.mod changes"
           title: "go.mod.sri: update SRI hash for go.mod changes"

.golangci.yml

@@ -0,0 +1,61 @@
+linters:
+  # Don't enable any linters by default; just the ones that we explicitly
+  # enable in the list below.
+  disable-all: true
+  enable:
+    - bidichk
+    - gofmt
+    - goimports
+    - misspell
+    - revive
+
+# Configuration for how we run golangci-lint
+run:
+  timeout: 5m
+
+issues:
+  # Excluding configuration per-path, per-linter, per-text and per-source
+  exclude-rules:
+    # These are forks of an upstream package and thus are exempt from stylistic
+    # changes that would make pulling in upstream changes harder.
+    - path: tempfork/.*\.go
+      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
+    - path: util/singleflight/.*\.go
+      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
+
+# Per-linter settings are contained in this top-level key
+linters-settings:
+  # Enable all rules by default; we don't use invisible unicode runes.
+  bidichk:
+
+  gofmt:
+    rewrite-rules:
+      - pattern: 'interface{}'
+        replacement: 'any'
+
+  goimports:
+
+  misspell:
+
+  revive:
+    enable-all-rules: false
+    ignore-generated-header: true
+    rules:
+      - name: atomic
+      - name: context-keys-type
+      - name: defer
+        arguments: [[
+          # Calling 'recover' at the time a defer is registered (i.e. "defer recover()") has no effect.
+          "immediate-recover",
+          # Calling 'recover' outside of a deferred function has no effect
+          "recover",
+          # Returning values from a deferred function has no effect
+          "return",
+        ]]
+      - name: duplicated-imports
+      - name: errorf
+      - name: string-of-int
+      - name: time-equal
+      - name: unconditional-recursion
+      - name: useless-break
+      - name: waitgroup-by-value

Makefile

@@ -48,11 +48,10 @@ staticcheck: ## Run staticcheck.io checks
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
 
 spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}
+	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
 
 spkall: ## Build synology packages for all architectures and DSM versions
-	mkdir -p spks
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all
+	./tool/go run ./cmd/dist build synology
 
 pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."

VERSION.txt

@@ -1 +1 @@
-1.39.0
+1.43.0

api.md

@@ -503,7 +503,8 @@ Returns the enabled and advertised subnet routes for a device.
 POST /api/v2/device/{deviceID}/authorized
 ```
 
-Authorize a device. This call marks a device as authorized for tailnets where device authorization is required.
+Authorize a device.
+This call marks a device as authorized or revokes its authorization for tailnets where device authorization is required, according to the `authorized` field in the payload.
 
 This returns a successful 2xx response with an empty JSON object in the response body.
 
@@ -515,7 +516,7 @@ The ID of the device.
 
 #### `authorized` (required in `POST` body)
 
-Specify whether the device is authorized. Only 'true' is currently supported.
+Specify whether the device is authorized.
 
 ``` jsonc
 {
@@ -1336,8 +1337,8 @@ It holds the capabilities specified in the request and can no longer be retrieve
 
 ``` jsonc
 {
-  "id":           "XXXX456CNTRL",
-  "key":          "tskey-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
+  "id":           "k123456CNTRL",
+  "key":          "tskey-auth-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
   "created":      "2021-12-09T23:22:39Z",
   "expires":      "2022-03-09T23:22:39Z",
   "revoked":      "2022-03-12T23:22:39Z",
@@ -1348,9 +1349,9 @@ It holds the capabilities specified in the request and can no longer be retrieve
         "ephemeral": false,
         "preauthorized": false,
         "tags": [ "tag:example" ]
-        }
       }
     }
+  }
 }
 ```
 

atomicfile/atomicfile.go

@@ -8,14 +8,20 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 )
 
-// WriteFile writes data to filename+some suffix, then renames it
-// into filename. The perm argument is ignored on Windows.
+// WriteFile writes data to filename+some suffix, then renames it into filename.
+// The perm argument is ignored on Windows. If the target filename already
+// exists but is not a regular file, WriteFile returns an error.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
+	fi, err := os.Stat(filename)
+	if err == nil && !fi.Mode().IsRegular() {
+		return fmt.Errorf("%s already exists and is not a regular file", filename)
+	}
 	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err

atomicfile/atomicfile_test.go

@@ -0,0 +1,47 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !js && !windows
+
+package atomicfile
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
+	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
+	// atomicfile.Write should likely not attempt to overwrite an irregular file
+	// such as a device node, socket, or named pipe.
+
+	const filename = "TestDoesNotOverwriteIrregularFiles"
+	var path string
+	// macOS private temp does not allow unix socket creation, but /tmp does.
+	if runtime.GOOS == "darwin" {
+		path = filepath.Join("/tmp", filename)
+		t.Cleanup(func() { os.Remove(path) })
+	} else {
+		path = filepath.Join(t.TempDir(), filename)
+	}
+
+	// The least troublesome thing to make that is not a file is a unix socket.
+	// Making a null device sadly requires root.
+	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	err = WriteFile(path, []byte("hello"), 0644)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "is not a regular file") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}

build_dist.sh

@@ -16,7 +16,7 @@ if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
 	go="./tool/go"
 fi
 
-eval `GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
+eval `CGO_ENABLED=0 GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
 
 if [ "$1" = "shellvars" ]; then
 	cat <<EOF
@@ -49,4 +49,4 @@ while [ "$#" -gt 1 ]; do
 	esac
 done
 
-exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec $go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"

client/tailscale/acl.go

@@ -436,7 +436,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		}
 	}()
 
-	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
+	tests := []ACLTest{{User: source, Allow: []string{dest}}}
 	postData, err := json.Marshal(tests)
 	if err != nil {
 		return nil, err

client/tailscale/devices.go

@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strings"
 
 	"tailscale.com/types/opt"
 )
@@ -213,8 +212,20 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 
 // AuthorizeDevice marks a device as authorized.
 func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
+	return c.SetAuthorized(ctx, deviceID, true)
+}
+
+// SetAuthorized marks a device as authorized or not.
+func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
+	params := &struct {
+		Authorized bool `json:"authorized"`
+	}{Authorized: authorized}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return err
+	}
 	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}

client/tailscale/dns.go

@@ -63,7 +63,7 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	return b, nil
 }
 
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
+func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
 	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {

client/tailscale/keys.go

@@ -68,12 +68,32 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 }
 
 // CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. Returns the key itself, which cannot be retrieved again
+// can be created. It returns the secret key itself, which cannot be retrieved again
 // later, and the key metadata.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *Key, error) {
+//
+// To create a key with a specific expiry, use CreateKeyWithExpiry.
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
+	return c.CreateKeyWithExpiry(ctx, caps, 0)
+}
+
+// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
+//
+// The time is truncated to a whole number of seconds. If zero, that means no expiration.
+func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
+
+	// convert expirySeconds to an int64 (seconds)
+	expirySeconds := int64(expiry.Seconds())
+	if expirySeconds < 0 {
+		return "", nil, fmt.Errorf("expiry must be positive")
+	}
+	if expirySeconds == 0 && expiry != 0 {
+		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
+	}
+
 	keyRequest := struct {
-		Capabilities KeyCapabilities `json:"capabilities"`
-	}{caps}
+		Capabilities  KeyCapabilities `json:"capabilities"`
+		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
+	}{caps, int64(expirySeconds)}
 	bs, err := json.Marshal(keyRequest)
 	if err != nil {
 		return "", nil, err

client/tailscale/localclient.go

@@ -96,8 +96,9 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 		// a TCP server on a random port, find the random port. For HTTP connections,
 		// we don't send the token. It gets added in an HTTP Basic-Auth header.
 		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
+			// We use 127.0.0.1 and not "localhost" (issue 7851).
 			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
+			return d.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(port))
 		}
 	}
 	s := safesocket.DefaultConnectionStrategy(lc.socket())
@@ -1101,7 +1102,6 @@ func (lc *LocalClient) StreamDebugCapture(ctx context.Context) (io.ReadCloser, e
 	}
 	res, err := lc.doLocalRequestNiceError(req)
 	if err != nil {
-		res.Body.Close()
 		return nil, err
 	}
 	if res.StatusCode != 200 {

cmd/derper/cert.go

@@ -81,7 +81,7 @@ func (m *manualCertManager) TLSConfig() *tls.Config {
 	return &tls.Config{
 		Certificates: nil,
 		NextProtos: []string{
-			"h2", "http/1.1", // enable HTTP/2
+			"http/1.1",
 		},
 		GetCertificate: m.getCertificate,
 	}

cmd/derper/depaware.txt

@@ -3,26 +3,69 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
         filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
+   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
    W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
+   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
    W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
+     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
         github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
    L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
+        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
+        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
+        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
+  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
+  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
+  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
      💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
         go4.org/netipx                                               from tailscale.com/wgengine/filter
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
+        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
+        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
+        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
+        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
+     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
+        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
+     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
+        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
         nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
         nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
         nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@@ -44,6 +87,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
      💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
         tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
+        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
@@ -60,8 +104,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/tka                                            from tailscale.com/client/tailscale+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
      💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
         tailscale.com/tsweb                                          from tailscale.com/cmd/derper
+        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
+        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -85,7 +131,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
         tailscale.com/util/mak                                       from tailscale.com/syncs+
         tailscale.com/util/multierr                                  from tailscale.com/health
-        tailscale.com/util/set                                       from tailscale.com/health
+        tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
         tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
         tailscale.com/util/vizerror                                  from tailscale.com/tsweb
@@ -112,7 +158,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http
-        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http/httpproxy                              from net/http+
         golang.org/x/net/http2/hpack                                 from net/http
         golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
@@ -169,8 +215,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         expvar                                                       from tailscale.com/cmd/derper+
         flag                                                         from tailscale.com/cmd/derper
         fmt                                                          from compress/flate+
+        go/token                                                     from google.golang.org/protobuf/internal/strs
         hash                                                         from crypto+
         hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
         hash/maphash                                                 from go4.org/mem
         html                                                         from net/http/pprof+
         io                                                           from bufio+
@@ -188,7 +236,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         net/http                                                     from expvar+
         net/http/httptrace                                           from net/http+
         net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/tsweb
+        net/http/pprof                                               from tailscale.com/tsweb+
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
@@ -201,6 +249,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         regexp                                                       from internal/profile+
         regexp/syntax                                                from regexp
         runtime/debug                                                from golang.org/x/crypto/acme+
+        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
         runtime/trace                                                from net/http/pprof
         sort                                                         from compress/flate+

cmd/derper/derper.go

@@ -12,15 +12,19 @@ import (
 	"expvar"
 	"flag"
 	"fmt"
+	"html"
 	"io"
 	"log"
 	"math"
 	"net"
 	"net/http"
+	"net/http/pprof"
 	"net/netip"
 	"os"
 	"path/filepath"
 	"regexp"
+	"runtime"
+	"strconv"
 	"strings"
 	"time"
 
@@ -33,11 +37,12 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
+	"tailscale.com/version"
 )
 
 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode")
-	addr       = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
+	dev        = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
+	addr       = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
 	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
 	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
 	configPath = flag.String("c", "", "config file path")
@@ -55,6 +60,8 @@ var (
 
 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
+
+	debugAddr = flag.String("debug_addr", "", "listening address for debug server")
 )
 
 var (
@@ -136,6 +143,7 @@ func main() {
 
 	if *dev {
 		*addr = ":3340" // above the keys DERP
+		*debugAddr = "localhost:8383"
 		log.Printf("Running in dev mode.")
 		tsweb.DevMode = true
 	}
@@ -222,6 +230,11 @@ func main() {
 		go serveSTUN(listenHost, *stunPort)
 	}
 
+	if *debugAddr != "" {
+		log.Printf("running debug server on %s", *debugAddr)
+		go runDebugServer(*debugAddr, s)
+	}
+
 	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
 		Addr:     *addr,
@@ -513,3 +526,79 @@ func (logFilter) Write(p []byte) (int, error) {
 	log.Printf("%s", p)
 	return len(p), nil
 }
+
+func runDebugServer(addr string, s *derp.Server) {
+	mux := http.NewServeMux()
+	mux.Handle("/debug/vars", http.DefaultServeMux)  // serve out expvar
+	mux.HandleFunc("/debug/varz", tsweb.VarzHandler) // expvar but in prometheus format
+	mux.HandleFunc("/debug/pprof/", pprof.Index)
+	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+	mux.Handle("/debug/pprofrate", http.HandlerFunc(handlePprofRate))
+
+	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(200)
+		fmt.Fprintf(w, `<html><body>
+<h1>DERP</h1>
+<p>
+  This is a Tailscale DERP debug server.
+</p>
+<ul>
+  <li>Version: <pre style="display: inline">%s</pre>
+  <li><a href="/debug/vars">/debug/vars</a> (JSON)</li>
+  <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+  <li><a href="/debug/pprof">/debug/pprof</a></li>
+  <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine?debug=1</a> (goroutine summary)</li>
+</ul>
+`, html.EscapeString(version.Long()))
+	}))
+
+	srv := &http.Server{
+		Addr:    addr,
+		Handler: mux,
+	}
+	if err := srv.ListenAndServe(); err != nil {
+		if err != http.ErrServerClosed {
+			log.Fatal(err)
+		}
+	}
+}
+
+// handlePprofRate adjusts the pprof rate.
+//
+//	$ curl -d block=0 http://localhost:8383/debug/pprofrate
+//	$ curl -d mutex=0 http://localhost:8383/debug/pprofrate
+//
+// See:
+//
+//   - https://pkg.go.dev/runtime#SetMutexProfileFraction
+//   - https://pkg.go.dev/runtime#SetBlockProfileRate
+//
+// And corp#5277.
+func handlePprofRate(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		http.Error(w, "method not allowed; want POST", http.StatusMethodNotAllowed)
+		return
+	}
+	if s := r.FormValue("block"); s != "" {
+		v, err := strconv.Atoi(s)
+		if err != nil {
+			http.Error(w, "bad block value", http.StatusBadRequest)
+			return
+		}
+		runtime.SetBlockProfileRate(v)
+		fmt.Fprintf(w, "block set to %v\n", v)
+	}
+	if s := r.FormValue("mutex"); s != "" {
+		v, err := strconv.Atoi(s)
+		if err != nil {
+			http.Error(w, "bad mutex value", http.StatusBadRequest)
+			return
+		}
+		old := runtime.SetMutexProfileFraction(v)
+		fmt.Fprintf(w, "mutex changed from %v to %v\n", old, v)
+	}
+}

cmd/derpprobe/derpprobe.go

@@ -5,7 +5,6 @@
 package main
 
 import (
-	"expvar"
 	"flag"
 	"fmt"
 	"html"
@@ -30,7 +29,7 @@ var (
 func main() {
 	flag.Parse()
 
-	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce)
+	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce).WithMetricNamespace("derpprobe")
 	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
 	if err != nil {
 		log.Fatal(err)
@@ -53,7 +52,6 @@ func main() {
 
 	mux := http.NewServeMux()
 	tsweb.Debugger(mux)
-	expvar.Publish("derpprobe", p.Expvar())
 	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }

cmd/dist/dist.go

@@ -13,15 +13,38 @@ import (
 
 	"tailscale.com/release/dist"
 	"tailscale.com/release/dist/cli"
+	"tailscale.com/release/dist/synology"
 	"tailscale.com/release/dist/unixpkgs"
 )
 
+var synologyPackageCenter bool
+
 func getTargets() ([]dist.Target, error) {
-	return unixpkgs.Targets(), nil
+	var ret []dist.Target
+
+	ret = append(ret, unixpkgs.Targets()...)
+	// Synology packages can be built either for sideloading, or for
+	// distribution by Synology in their package center. When
+	// distributed through the package center, apps can request
+	// additional permissions to use a tuntap interface and control
+	// the NAS's network stack, rather than be forced to run in
+	// userspace mode.
+	//
+	// Since only we can provide packages to Synology for
+	// distribution, we default to building the "sideload" variant of
+	// packages that we distribute on pkgs.tailscale.com.
+	ret = append(ret, synology.Targets(synologyPackageCenter)...)
+	return ret, nil
 }
 
 func main() {
 	cmd := cli.CLI(getTargets)
+	for _, subcmd := range cmd.Subcommands {
+		if subcmd.Name == "build" {
+			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
+		}
+	}
+
 	if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {
 		log.Fatal(err)
 	}

cmd/get-authkey/main.go

@@ -29,9 +29,9 @@ func main() {
 	tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")
 	flag.Parse()
 
-	clientId := os.Getenv("TS_API_CLIENT_ID")
+	clientID := os.Getenv("TS_API_CLIENT_ID")
 	clientSecret := os.Getenv("TS_API_CLIENT_SECRET")
-	if clientId == "" || clientSecret == "" {
+	if clientID == "" || clientSecret == "" {
 		log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")
 	}
 
@@ -39,22 +39,22 @@ func main() {
 		log.Fatal("at least one tag must be specified")
 	}
 
-	baseUrl := os.Getenv("TS_BASE_URL")
-	if baseUrl == "" {
-		baseUrl = "https://api.tailscale.com"
+	baseURL := os.Getenv("TS_BASE_URL")
+	if baseURL == "" {
+		baseURL = "https://api.tailscale.com"
 	}
 
 	credentials := clientcredentials.Config{
-		ClientID:     clientId,
+		ClientID:     clientID,
 		ClientSecret: clientSecret,
-		TokenURL:     baseUrl + "/api/v2/oauth/token",
+		TokenURL:     baseURL + "/api/v2/oauth/token",
 		Scopes:       []string{"device"},
 	}
 
 	ctx := context.Background()
 	tsClient := tailscale.NewClient("-", nil)
 	tsClient.HTTPClient = credentials.Client(ctx)
-	tsClient.BaseURL = baseUrl
+	tsClient.BaseURL = baseURL
 
 	caps := tailscale.KeyCapabilities{
 		Devices: tailscale.KeyDeviceCapabilities{

cmd/k8s-operator/operator.go

@@ -25,7 +25,6 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -38,7 +37,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
@@ -48,6 +46,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/version"
 )
 
 func main() {
@@ -64,6 +63,7 @@ func main() {
 		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
 		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
 		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		priorityClassName  = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
 		shouldRunAuthProxy = defaultBool("AUTH_PROXY", false)
 	)
@@ -183,32 +183,33 @@ waitOnline:
 	// the cache that sits a few layers below the builder stuff, which will
 	// implicitly filter what parts of the world the builder code gets to see at
 	// all.
-	nsFilter := cache.ObjectSelector{
-		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
+	nsFilter := cache.ByObject{
+		Field: client.InNamespace(tsNamespace).AsSelector(),
 	}
 	restConfig := config.GetConfigOrDie()
 	mgr, err := manager.New(restConfig, manager.Options{
-		NewCache: cache.BuilderWithOptions(cache.Options{
-			SelectorsByObject: map[client.Object]cache.ObjectSelector{
+		Cache: cache.Options{
+			ByObject: map[client.Object]cache.ByObject{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
-		}),
+		},
 	})
 	if err != nil {
 		startlog.Fatalf("could not create manager: %v", err)
 	}
 
 	sr := &ServiceReconciler{
-		Client:            mgr.GetClient(),
-		tsClient:          tsClient,
-		defaultTags:       strings.Split(tags, ","),
-		operatorNamespace: tsNamespace,
-		proxyImage:        image,
-		logger:            zlog.Named("service-reconciler"),
+		Client:                 mgr.GetClient(),
+		tsClient:               tsClient,
+		defaultTags:            strings.Split(tags, ","),
+		operatorNamespace:      tsNamespace,
+		proxyImage:             image,
+		proxyPriorityClassName: priorityClassName,
+		logger:                 zlog.Named("service-reconciler"),
 	}
 
-	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
+	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
 			return nil
@@ -228,14 +229,14 @@ waitOnline:
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&corev1.Service{}).
-		Watches(&source.Kind{Type: &appsv1.StatefulSet{}}, reconcileFilter).
-		Watches(&source.Kind{Type: &corev1.Secret{}}, reconcileFilter).
+		Watches(&appsv1.StatefulSet{}, reconcileFilter).
+		Watches(&corev1.Secret{}, reconcileFilter).
 		Complete(sr)
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
 	}
 
-	startlog.Infof("Startup complete, operator running")
+	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
 	if shouldRunAuthProxy {
 		cfg, err := restConfig.TransportConfig()
 		if err != nil {
@@ -278,11 +279,12 @@ const (
 // ServiceReconciler is a simple ControllerManagedBy example implementation.
 type ServiceReconciler struct {
 	client.Client
-	tsClient          tsClient
-	defaultTags       []string
-	operatorNamespace string
-	proxyImage        string
-	logger            *zap.SugaredLogger
+	tsClient               tsClient
+	defaultTags            []string
+	operatorNamespace      string
+	proxyImage             string
+	proxyPriorityClassName string
+	logger                 *zap.SugaredLogger
 }
 
 type tsClient interface {
@@ -566,6 +568,9 @@ func (a *ServiceReconciler) getDeviceInfo(ctx context.Context, svc *corev1.Servi
 	if err != nil {
 		return "", "", err
 	}
+	if sec == nil {
+		return "", "", nil
+	}
 	id = string(sec.Data["device_id"])
 	if id == "" {
 		return "", "", nil
@@ -589,6 +594,7 @@ func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (stri
 			},
 		},
 	}
+
 	key, _, err := a.tsClient.CreateKey(ctx, caps)
 	if err != nil {
 		return "", err
@@ -633,6 +639,7 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 	ss.Spec.Template.ObjectMeta.Labels = map[string]string{
 		"app": string(parentSvc.UID),
 	}
+	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }

cmd/k8s-operator/operator_test.go

@@ -14,7 +14,6 @@ import (
 	"go.uber.org/zap"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -65,7 +64,7 @@ func TestLoadBalancerClass(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -111,6 +110,8 @@ func TestLoadBalancerClass(t *testing.T) {
 	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
+	})
+	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -186,7 +187,7 @@ func TestAnnotations(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -283,7 +284,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -327,7 +328,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 	// ... but the service should have a LoadBalancer status.
 
 	want = &corev1.Service{
@@ -399,7 +400,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -448,6 +449,8 @@ func TestLBIntoAnnotation(t *testing.T) {
 		}
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
+	})
+	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -456,7 +459,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
 
 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -523,7 +526,7 @@ func TestCustomHostname(t *testing.T) {
 
 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla", ""))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -582,6 +585,51 @@ func TestCustomHostname(t *testing.T) {
 	expectEqual(t, fc, want)
 }
 
+func TestCustomPriorityClassName(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client:                 fc,
+		tsClient:               ft,
+		defaultTags:            []string{"tag:k8s"},
+		operatorNamespace:      "operator-ns",
+		proxyImage:             "tailscale/tailscale",
+		proxyPriorityClassName: "tailscale-critical",
+		logger:                 zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose":   "true",
+				"tailscale.com/hostname": "custom-priority-class-name",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "custom-priority-class-name", "tailscale-critical"))
+}
+
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -630,7 +678,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 	}
 }
 
-func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
+func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
@@ -659,6 +707,7 @@ func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",
+					PriorityClassName:  priorityClassName,
 					InitContainers: []corev1.Container{
 						{
 							Name:    "sysctler",
@@ -670,11 +719,11 @@ func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 							},
 						},
 					},
-					Containers: []v1.Container{
+					Containers: []corev1.Container{
 						{
 							Name:  "tailscale",
 							Image: "tailscale/tailscale",
-							Env: []v1.EnvVar{
+							Env: []corev1.EnvVar{
 								{Name: "TS_USERSPACE", Value: "false"},
 								{Name: "TS_AUTH_ONCE", Value: "true"},
 								{Name: "TS_DEST_IP", Value: "10.20.30.40"},
@@ -732,6 +781,21 @@ func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, n
 	}
 }
 
+func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Status().Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
 func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
 	t.Helper()
 	got := O(new(T))
@@ -815,7 +879,6 @@ func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabili
 	k := &tailscale.Key{
 		ID:           "key",
 		Created:      time.Now(),
-		Expires:      time.Now().Add(24 * time.Hour),
 		Capabilities: caps,
 	}
 	return "secret-authkey", k, nil

cmd/pgproxy/pgproxy.go

@@ -272,7 +272,7 @@ func (p *proxy) serve(sessionID int64, c net.Conn) error {
 	}
 	if buf[0] != 'S' {
 		p.errors.Add("upstream-bad-protocol", 1)
-		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
+		return fmt.Errorf("upstream didn't acknowledge start-ssl, said %q", buf[0])
 	}
 	tlsConf := &tls.Config{
 		ServerName: p.upstreamHost,

cmd/sniproxy/sniproxy.go

@@ -18,6 +18,7 @@ import (
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/tcpproxy"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/hostinfo"
 	"tailscale.com/net/netutil"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/nettype"
@@ -36,6 +37,8 @@ func main() {
 		log.Fatal("no ports")
 	}
 
+	hostinfo.SetApp("sniproxy")
+
 	var s server
 	defer s.ts.Close()
 

cmd/tailscale/cli/cli.go

@@ -120,6 +120,8 @@ change in the future.
 			pingCmd,
 			ncCmd,
 			sshCmd,
+			funnelCmd,
+			serveCmd,
 			versionCmd,
 			webCmd,
 			fileCmd,
@@ -147,10 +149,6 @@ change in the future.
 	switch {
 	case slices.Contains(args, "debug"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
-	case slices.Contains(args, "funnel"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, funnelCmd)
-	case slices.Contains(args, "serve"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
 	case slices.Contains(args, "update"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
 	}

cmd/tailscale/cli/cli_test.go

@@ -621,9 +621,16 @@ func TestPrefsFromUpArgs(t *testing.T) {
 		{
 			name: "error_long_hostname",
 			args: upArgsT{
-				hostname: strings.Repeat("a", 300),
+				hostname: strings.Repeat(strings.Repeat("a", 63)+".", 4),
 			},
-			wantErr: `hostname too long: 300 bytes (max 256)`,
+			wantErr: `"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is too long to be a DNS name`,
+		},
+		{
+			name: "error_long_label",
+			args: upArgsT{
+				hostname: strings.Repeat("a", 64) + ".example.com",
+			},
+			wantErr: `"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" is not a valid DNS label`,
 		},
 		{
 			name: "error_linux_netfilter_empty",

cmd/tailscale/cli/diag.go

@@ -66,7 +66,7 @@ func isSystemdSystem() bool {
 		return false
 	}
 	switch distro.Get() {
-	case distro.QNAP, distro.Gokrazy, distro.Synology:
+	case distro.QNAP, distro.Gokrazy, distro.Synology, distro.Unraid:
 		return false
 	}
 	_, err := exec.LookPath("systemctl")

cmd/tailscale/cli/funnel.go

@@ -29,7 +29,7 @@ var funnelCmd = newFunnelCommand(&serveEnv{lc: &localClient})
 func newFunnelCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "funnel",
-		ShortHelp: "[ALPHA] turn Tailscale Funnel on or off",
+		ShortHelp: "Turn on/off Funnel service",
 		ShortUsage: strings.TrimSpace(`
 funnel <serve-port> {on|off}
   funnel status [--json]

cmd/tailscale/cli/netcheck.go

@@ -19,6 +19,7 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/portmapper"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
@@ -45,9 +46,15 @@ var netcheckArgs struct {
 }
 
 func runNetcheck(ctx context.Context, args []string) error {
+	logf := logger.WithPrefix(log.Printf, "portmap: ")
+	netMon, err := netmon.New(logf)
+	if err != nil {
+		return err
+	}
 	c := &netcheck.Client{
 		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
-		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil, nil),
+		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil),
+		UseDNSCache: false, // always resolve, don't cache
 	}
 	if netcheckArgs.verbose {
 		c.Logf = logger.WithPrefix(log.Printf, "netcheck: ")
@@ -96,7 +103,6 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	var err error
 	switch netcheckArgs.format {
 	case "":
-		break
 	case "json":
 		j, err = json.MarshalIndent(report, "", "\t")
 	case "json-line":

cmd/tailscale/cli/serve.go

@@ -16,6 +16,7 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"sort"
 	"strconv"
 	"strings"
@@ -33,15 +34,16 @@ var serveCmd = newServeCommand(&serveEnv{lc: &localClient})
 func newServeCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "serve",
-		ShortHelp: "[ALPHA] Serve from your Tailscale node",
+		ShortHelp: "Serve content and local servers",
 		ShortUsage: strings.TrimSpace(`
 serve https:<port> <mount-point> <source> [off]
   serve tcp:<port> tcp://localhost:<local-port> [off]
   serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
   serve status [--json]
+  serve reset
 `),
 		LongHelp: strings.TrimSpace(`
-*** ALPHA; all of this is subject to change ***
+*** BETA; all of this is subject to change ***
 
 The 'tailscale serve' set of commands allows you to serve
 content and local servers from your Tailscale node to
@@ -86,6 +88,13 @@ EXAMPLES
 				}),
 				UsageFunc: usageFunc,
 			},
+			{
+				Name:      "reset",
+				Exec:      e.runServeReset,
+				ShortHelp: "reset current serve/funnel config",
+				FlagSet:   e.newFlags("serve-reset", nil),
+				UsageFunc: usageFunc,
+			},
 		},
 	}
 }
@@ -412,6 +421,7 @@ func cleanMountPoint(mount string) (string, error) {
 	if mount == "" {
 		return "", errors.New("mount point cannot be empty")
 	}
+	mount = cleanMinGWPathConversionIfNeeded(mount)
 	if !strings.HasPrefix(mount, "/") {
 		mount = "/" + mount
 	}
@@ -422,6 +432,26 @@ func cleanMountPoint(mount string) (string, error) {
 	return "", fmt.Errorf("invalid mount point %q", mount)
 }
 
+// cleanMinGWPathConversionIfNeeded strips the EXEPATH prefix from the given
+// path if the path is a MinGW(ish) (Windows) shell arg.
+//
+// MinGW(ish) (Windows) shells perform POSIX-to-Windows path conversion
+// converting the leading "/" of any shell arg to the EXEPATH, which mangles the
+// mount point. Strip the EXEPATH prefix if it exists. #7963
+//
+// "/C:/Program Files/Git/foo" -> "/foo"
+func cleanMinGWPathConversionIfNeeded(path string) string {
+	// Only do this on Windows.
+	if runtime.GOOS != "windows" {
+		return path
+	}
+	if _, ok := os.LookupEnv("MSYSTEM"); ok {
+		exepath := filepath.ToSlash(os.Getenv("EXEPATH"))
+		path = strings.TrimPrefix(path, exepath)
+	}
+	return path
+}
+
 func expandProxyTarget(source string) (string, error) {
 	if !strings.Contains(source, "://") {
 		source = "http://" + source
@@ -453,6 +483,7 @@ func expandProxyTarget(source string) (string, error) {
 	if u.Port() != "" {
 		url += ":" + u.Port()
 	}
+	url += u.Path
 	return url, nil
 }
 
@@ -682,3 +713,15 @@ func elipticallyTruncate(s string, max int) string {
 	}
 	return s[:max-3] + "..."
 }
+
+// runServeReset clears out the current serve config.
+//
+// Usage:
+//   - tailscale serve reset
+func (e *serveEnv) runServeReset(ctx context.Context, args []string) error {
+	if len(args) != 0 {
+		return flag.ErrHelp
+	}
+	sc := new(ipn.ServeConfig)
+	return e.lc.SetServeConfig(ctx, sc)
+}

cmd/tailscale/cli/serve_test.go

@@ -224,7 +224,10 @@ func TestServeConfigMutations(t *testing.T) {
 		command: cmd("https:443 bar https://127.0.0.1:8443"),
 		want:    nil, // nothing to save
 	})
-	add(step{reset: true})
+	add(step{ // try resetting using reset command
+		command: cmd("reset"),
+		want:    &ipn.ServeConfig{},
+	})
 	add(step{
 		command: cmd("https:443 / https+insecure://127.0.0.1:3001"),
 		want: &ipn.ServeConfig{
@@ -262,6 +265,18 @@ func TestServeConfigMutations(t *testing.T) {
 			},
 		},
 	})
+	add(step{reset: true})
+	add(step{ // support path in proxy
+		command: cmd("https / http://127.0.0.1:3000/foo/bar"),
+		want: &ipn.ServeConfig{
+			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
+			Web: map[ipn.HostPort]*ipn.WebServerConfig{
+				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+					"/": {Proxy: "http://127.0.0.1:3000/foo/bar"},
+				}},
+			},
+		},
+	})
 
 	// tcp
 	add(step{reset: true})

cmd/tailscale/cli/up.go

@@ -13,11 +13,13 @@ import (
 	"fmt"
 	"log"
 	"net/netip"
+	"net/url"
 	"os"
 	"os/signal"
 	"reflect"
 	"runtime"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -26,6 +28,9 @@ import (
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
+	"golang.org/x/oauth2/clientcredentials"
+	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -34,6 +39,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/preftype"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -320,8 +326,8 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 		}
 	}
 
-	if len(upArgs.hostname) > 256 {
-		return nil, fmt.Errorf("hostname too long: %d bytes (max 256)", len(upArgs.hostname))
+	if err := dnsname.ValidHostname(upArgs.hostname); upArgs.hostname != "" && err != nil {
+		return nil, err
 	}
 
 	prefs := ipn.NewPrefs()
@@ -662,6 +668,10 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 		if err != nil {
 			return err
 		}
+		authKey, err = resolveAuthKey(ctx, authKey, upArgs.advertiseTags)
+		if err != nil {
+			return err
+		}
 		if err := localClient.Start(ctx, ipn.Options{
 			AuthKey:     authKey,
 			UpdatePrefs: prefs,
@@ -1101,3 +1111,96 @@ func anyPeerAdvertisingRoutes(st *ipnstate.Status) bool {
 	}
 	return false
 }
+
+func init() {
+	// Required to use our client API. We're fine with the instability since the
+	// client lives in the same repo as this code.
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+}
+
+// resolveAuthKey either returns v unchanged (in the common case) or, if it
+// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
+//
+//	tskey-client-xxxx[?ephemeral=false&bar&preauthorized=BOOL&baseURL=...]
+//
+// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
+// property defaults to true if unspecified. The "preauthorized" defaults to
+// false. The "baseURL" defaults to https://api.tailscale.com.
+// The passed in tags are required, and must be non-empty. These will be
+// set on the authkey generated by the OAuth2 dance.
+func resolveAuthKey(ctx context.Context, v, tags string) (string, error) {
+	if !strings.HasPrefix(v, "tskey-client-") {
+		return v, nil
+	}
+	if !envknob.Bool("TS_EXPERIMENT_OAUTH_AUTHKEY") {
+		return "", errors.New("oauth authkeys are in experimental status")
+	}
+	if tags == "" {
+		return "", errors.New("oauth authkeys require --advertise-tags")
+	}
+
+	clientSecret, named, _ := strings.Cut(v, "?")
+	attrs, err := url.ParseQuery(named)
+	if err != nil {
+		return "", err
+	}
+	for k := range attrs {
+		switch k {
+		case "ephemeral", "preauthorized", "baseURL":
+		default:
+			return "", fmt.Errorf("unknown attribute %q", k)
+		}
+	}
+	getBool := func(name string, def bool) (bool, error) {
+		v := attrs.Get(name)
+		if v == "" {
+			return def, nil
+		}
+		ret, err := strconv.ParseBool(v)
+		if err != nil {
+			return false, fmt.Errorf("invalid attribute boolean attribute %s value %q", name, v)
+		}
+		return ret, nil
+	}
+	ephemeral, err := getBool("ephemeral", true)
+	if err != nil {
+		return "", err
+	}
+	preauth, err := getBool("preauthorized", false)
+	if err != nil {
+		return "", err
+	}
+
+	baseURL := "https://api.tailscale.com"
+	if v := attrs.Get("baseURL"); v != "" {
+		baseURL = v
+	}
+
+	credentials := clientcredentials.Config{
+		ClientID:     "some-client-id", // ignored
+		ClientSecret: clientSecret,
+		TokenURL:     baseURL + "/api/v2/oauth/token",
+		Scopes:       []string{"device"},
+	}
+
+	tsClient := tailscale.NewClient("-", nil)
+	tsClient.HTTPClient = credentials.Client(ctx)
+	tsClient.BaseURL = baseURL
+
+	caps := tailscale.KeyCapabilities{
+		Devices: tailscale.KeyDeviceCapabilities{
+			Create: tailscale.KeyDeviceCreateCapabilities{
+				Reusable:      false,
+				Ephemeral:     ephemeral,
+				Preauthorized: preauth,
+				Tags:          strings.Split(tags, ","),
+			},
+		},
+	}
+
+	authkey, _, err := tsClient.CreateKey(ctx, caps)
+	if err != nil {
+		return "", err
+	}
+	return authkey, nil
+}

cmd/tailscale/cli/web.go

@@ -61,6 +61,8 @@ type tmplData struct {
 	TUNMode           bool
 	IsSynology        bool
 	DSMVersion        int // 6 or 7, if IsSynology=true
+	IsUnraid          bool
+	UnraidToken       string
 	IPNVersion        string
 }
 
@@ -441,6 +443,8 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		TUNMode:      st.TUN,
 		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
 		DSMVersion:   distro.DSMVersion(),
+		IsUnraid:     distro.Get() == distro.Unraid,
+		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
 		IPNVersion:   versionShort,
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")

cmd/tailscale/cli/web.html

@@ -26,9 +26,9 @@
 			<circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor"></circle>
 		</svg>
 		<div class="flex items-center justify-end space-x-2 w-2/3">
-			{{ with .Profile.LoginName }}
+			{{ with .Profile }}
 			<div class="text-right w-full leading-4">
-				<h4 class="truncate leading-normal">{{.}}</h4>
+				<h4 class="truncate leading-normal">{{.LoginName}}</h4>
 				<div class="text-xs text-gray-500 text-right">
 					<a href="#" class="hover:text-gray-700 js-loginButton">Switch account</a> | <a href="#"
 						class="hover:text-gray-700 js-loginButton">Reauthenticate</a> | <a href="#"
@@ -116,10 +116,12 @@
 	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
 </footer>
 <script>(function () {
-const advertiseExitNode = {{.AdvertiseExitNode}};
+const advertiseExitNode = {{ .AdvertiseExitNode }};
+const isUnraid = {{ .IsUnraid }};
+const unraidCsrfToken = "{{ .UnraidToken }}";
 let fetchingUrl = false;
 var data = {
-	AdvertiseRoutes: "{{.AdvertiseRoutes}}",
+	AdvertiseRoutes: "{{ .AdvertiseRoutes }}",
 	AdvertiseExitNode: advertiseExitNode,
 	Reauthenticate: false,
 	ForceLogout: false
@@ -141,15 +143,27 @@ function postData(e) {
 	}
 	const nextUrl = new URL(window.location);
 	nextUrl.search = nextParams.toString()
-	const url = nextUrl.toString();
 
+	let body = JSON.stringify(data);
+	let contentType = "application/json";
+
+	if (isUnraid) {
+		const params = new URLSearchParams();
+		params.append("csrf_token", unraidCsrfToken);
+		params.append("ts_data", JSON.stringify(data));
+
+		body = params.toString();
+		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
+	}
+
+	const url = nextUrl.toString();
 	fetch(url, {
 		method: "POST",
 		headers: {
 			"Accept": "application/json",
-			"Content-Type": "application/json",
+			"Content-Type": contentType,
 		},
-		body: JSON.stringify(data)
+		body: body
 	}).then(res => res.json()).then(res => {
 		fetchingUrl = false;
 		const err = res["error"];
@@ -158,7 +172,11 @@ function postData(e) {
 		}
 		const url = res["url"];
 		if (url) {
-			document.location.href = url;
+			if(isUnraid) {
+				window.open(url, "_blank");
+			} else {
+				document.location.href = url;
+			}
 		} else {
 			location.reload();
 		}

cmd/tailscale/depaware.txt

@@ -3,7 +3,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
         filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
+   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
    W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
+   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
    W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
@@ -13,7 +15,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/google/uuid                                       from tailscale.com/util/quarantine+
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
         github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
         github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@@ -74,9 +76,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
         tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
+        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter+
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
@@ -92,7 +95,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/tka                                            from tailscale.com/client/tailscale+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
      💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/empty                                    from tailscale.com/ipn
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -151,9 +154,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/net/icmp                                        from tailscale.com/net/ping
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
         golang.org/x/net/ipv4                                        from golang.org/x/net/icmp+
-        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp
+        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
+        golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials
+        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/tailscale/cli
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
         golang.org/x/sync/errgroup                                   from tailscale.com/derp+
         golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
   LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+

cmd/tailscaled/debug.go

@@ -23,10 +23,10 @@ import (
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/ipn"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/wgengine/monitor"
 )
 
 var debugArgs struct {
@@ -42,7 +42,7 @@ var debugModeFunc = debugMode // so it can be addressable
 func debugMode(args []string) error {
 	fs := flag.NewFlagSet("debug", flag.ExitOnError)
 	fs.BoolVar(&debugArgs.ifconfig, "ifconfig", false, "If true, print network interface state")
-	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
+	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run network monitor forever. Precludes all other options.")
 	fs.BoolVar(&debugArgs.portmap, "portmap", false, "If true, run portmap debugging. Precludes all other options.")
 	fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
 	fs.StringVar(&debugArgs.derpCheck, "derp", "", "if non-empty, test a DERP ping via named region code")
@@ -76,7 +76,7 @@ func runMonitor(ctx context.Context, loop bool) error {
 		j, _ := json.MarshalIndent(st, "", "    ")
 		os.Stderr.Write(j)
 	}
-	mon, err := monitor.New(log.Printf)
+	mon, err := netmon.New(log.Printf)
 	if err != nil {
 		return err
 	}
@@ -84,10 +84,10 @@ func runMonitor(ctx context.Context, loop bool) error {
 
 	mon.RegisterChangeCallback(func(changed bool, st *interfaces.State) {
 		if !changed {
-			log.Printf("Link monitor fired; no change")
+			log.Printf("Network monitor fired; no change")
 			return
 		}
-		log.Printf("Link monitor fired. New state:")
+		log.Printf("Network monitor fired. New state:")
 		dump(st)
 	})
 	if loop {
@@ -193,8 +193,8 @@ func checkDerp(ctx context.Context, derpRegion string) (err error) {
 	priv1 := key.NewNode()
 	priv2 := key.NewNode()
 
-	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
-	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
+	c1 := derphttp.NewRegionClient(priv1, log.Printf, nil, getRegion)
+	c2 := derphttp.NewRegionClient(priv2, log.Printf, nil, getRegion)
 	defer func() {
 		if err != nil {
 			c1.Close()

cmd/tailscaled/depaware.txt

@@ -3,7 +3,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
         filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
+   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
    W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
+   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
    W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
@@ -12,7 +14,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
    L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
-   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm
+   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
@@ -38,6 +40,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
+   L    github.com/aws/aws-sdk-go-v2/internal/shareddefaults         from github.com/aws/aws-sdk-go-v2/config+
    L    github.com/aws/aws-sdk-go-v2/internal/strings                from github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4
    L    github.com/aws/aws-sdk-go-v2/internal/sync/singleflight      from github.com/aws/aws-sdk-go-v2/aws
    L    github.com/aws/aws-sdk-go-v2/internal/timeconv               from github.com/aws/aws-sdk-go-v2/aws/retry
@@ -48,16 +51,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/aws-sdk-go-v2/service/sso                     from github.com/aws/aws-sdk-go-v2/config+
    L    github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sso
    L    github.com/aws/aws-sdk-go-v2/service/sso/types               from github.com/aws/aws-sdk-go-v2/service/sso
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc                 from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints from github.com/aws/aws-sdk-go-v2/service/ssooidc
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/types           from github.com/aws/aws-sdk-go-v2/service/ssooidc
    L    github.com/aws/aws-sdk-go-v2/service/sts                     from github.com/aws/aws-sdk-go-v2/config+
    L    github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/aws-sdk-go-v2/service/sts/types               from github.com/aws/aws-sdk-go-v2/credentials/stscreds+
    L    github.com/aws/smithy-go                                     from github.com/aws/aws-sdk-go-v2/aws/protocol/restjson+
-   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws
+   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws+
    L    github.com/aws/smithy-go/context                             from github.com/aws/smithy-go/auth/bearer
    L    github.com/aws/smithy-go/document                            from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/smithy-go/encoding                            from github.com/aws/smithy-go/encoding/json+
    L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
-   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm
+   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm+
    L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
    L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
    L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
@@ -73,6 +79,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
    W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com
    W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled
+   W    github.com/dblohm7/wingoes/internal                          from github.com/dblohm7/wingoes/com
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
    W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
    W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
@@ -93,7 +100,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/klauspost/compress/flate                          from nhooyr.io/websocket
         github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
         github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd+
         github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
         github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
         github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
@@ -105,12 +112,17 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+   L    github.com/pierrec/lz4/v4                                    from github.com/u-root/uio/uio
+   L    github.com/pierrec/lz4/v4/internal/lz4block                  from github.com/pierrec/lz4/v4+
+   L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
+   L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
+   L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
    W    github.com/pkg/errors                                        from github.com/tailscale/certstore
   LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
   LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
    W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
   LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
-  LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
+  LD 💣 github.com/tailscale/golang-x-crypto/internal/alias          from github.com/tailscale/golang-x-crypto/chacha20
   LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
   LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
         github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
@@ -154,6 +166,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
         gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
      💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
+     💣 gvisor.dev/gvisor/pkg/sync/locking                           from gvisor.dev/gvisor/pkg/tcpip/stack
         gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/bufferv2+
@@ -200,6 +213,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
         tailscale.com/disco                                          from tailscale.com/derp+
         tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
+     💣 tailscale.com/doctor/permissions                             from tailscale.com/ipn/ipnlocal
         tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
         tailscale.com/envknob                                        from tailscale.com/control/controlclient+
         tailscale.com/health                                         from tailscale.com/control/controlclient+
@@ -238,11 +252,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
         tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns+
+        tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscaled+
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
      💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnauth+
         tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/packet                                     from tailscale.com/net/tstun+
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
         tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
@@ -254,6 +269,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
         tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/tstun/table                                from tailscale.com/net/tstun
         tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
         tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
      💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
@@ -262,13 +278,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
         tailscale.com/syncs                                          from tailscale.com/net/netcheck+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
+     💣 tailscale.com/tempfork/device                                from tailscale.com/net/tstun/table
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
         tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
+        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
+        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock+
      💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/tsweb                                          from tailscale.com/cmd/tailscaled
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
+        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
         tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
         tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
@@ -308,10 +326,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
         tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
+        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
-        tailscale.com/util/vizerror                                  from tailscale.com/tsweb
      💣 tailscale.com/util/winutil                                   from tailscale.com/control/controlclient+
+   W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
         tailscale.com/version                                        from tailscale.com/derp+
         tailscale.com/version/distro                                 from tailscale.com/hostinfo+
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
@@ -319,7 +338,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
      💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
         tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
         tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
@@ -345,13 +363,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/poly1305                                 from github.com/tailscale/golang-x-crypto/ssh+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
         golang.org/x/exp/maps                                        from tailscale.com/wgengine
         golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
-        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http/httpproxy                              from net/http+
         golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
         golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
         golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+

cmd/tailscaled/taildrop.go

@@ -18,7 +18,7 @@ import (
 func configureTaildrop(logf logger.Logf, lb *ipnlocal.LocalBackend) {
 	dg := distro.Get()
 	switch dg {
-	case distro.Synology, distro.TrueNAS, distro.QNAP:
+	case distro.Synology, distro.TrueNAS, distro.QNAP, distro.Unraid:
 		// See if they have a "Taildrop" share.
 		// See https://github.com/tailscale/tailscale/issues/2179#issuecomment-982821319
 		path, err := findTaildropDir(dg)
@@ -42,6 +42,8 @@ func findTaildropDir(dg distro.Distro) (string, error) {
 		return findTrueNASTaildropDir(name)
 	case distro.QNAP:
 		return findQnapTaildropDir(name)
+	case distro.Unraid:
+		return findUnraidTaildropDir(name)
 	}
 	return "", fmt.Errorf("%s is an unsupported distro for Taildrop dir", dg)
 }
@@ -103,3 +105,25 @@ func findQnapTaildropDir(name string) (string, error) {
 	}
 	return "", fmt.Errorf("shared folder %q not found", name)
 }
+
+// findUnraidTaildropDir looks for a directory linked at
+// /var/lib/tailscale/Taildrop. This is a symlink to the
+// path specified by the user in the Unraid Web UI
+func findUnraidTaildropDir(name string) (string, error) {
+	dir := fmt.Sprintf("/var/lib/tailscale/%s", name)
+	_, err := os.Stat(dir)
+	if err != nil {
+		return "", fmt.Errorf("symlink %q not found", name)
+	}
+
+	fullpath, err := filepath.EvalSymlinks(dir)
+	if err != nil {
+		return "", fmt.Errorf("symlink %q to shared folder not valid", name)
+	}
+
+	fi, err := os.Stat(fullpath)
+	if err == nil && fi.IsDir() {
+		return dir, nil // return the symlink
+	}
+	return "", fmt.Errorf("shared folder %q not found", name)
+}

cmd/tailscaled/tailscaled.go

@@ -39,16 +39,19 @@ import (
 	"tailscale.com/logtail"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/dnsfallback"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/proxymux"
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
+	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/syncs"
-	"tailscale.com/tsweb"
+	"tailscale.com/tsd"
+	"tailscale.com/tsweb/varz"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
@@ -58,7 +61,6 @@ import (
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
-	"tailscale.com/wgengine/monitor"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
 )
@@ -328,7 +330,19 @@ var logPol *logpolicy.Policy
 var debugMux *http.ServeMux
 
 func run() error {
-	pol := logpolicy.New(logtail.CollectionNode)
+	var logf logger.Logf = log.Printf
+
+	sys := new(tsd.System)
+
+	netMon, err := netmon.New(func(format string, args ...any) {
+		logf(format, args...)
+	})
+	if err != nil {
+		return fmt.Errorf("netmon.New: %w", err)
+	}
+	sys.Set(netMon)
+
+	pol := logpolicy.New(logtail.CollectionNode, netMon)
 	pol.SetVerbosityLevel(args.verbose)
 	logPol = pol
 	defer func() {
@@ -352,7 +366,6 @@ func run() error {
 		return nil
 	}
 
-	var logf logger.Logf = log.Printf
 	if envknob.Bool("TS_DEBUG_MEMORY") {
 		logf = logger.RusagePrefixLog(logf)
 	}
@@ -378,10 +391,10 @@ func run() error {
 		debugMux = newDebugMux()
 	}
 
-	return startIPNServer(context.Background(), logf, pol.PublicID)
+	return startIPNServer(context.Background(), logf, pol.PublicID, sys)
 }
 
-func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID) error {
+func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) error {
 	ln, err := safesocket.Listen(args.socketpath)
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
@@ -407,7 +420,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID)
 		}
 	}()
 
-	srv := ipnserver.New(logf, logID)
+	srv := ipnserver.New(logf, logID, sys.NetMon.Get())
 	if debugMux != nil {
 		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
 	}
@@ -425,7 +438,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID)
 				return
 			}
 		}
-		lb, err := getLocalBackend(ctx, logf, logID)
+		lb, err := getLocalBackend(ctx, logf, logID, sys)
 		if err == nil {
 			logf("got LocalBackend in %v", time.Since(t0).Round(time.Millisecond))
 			srv.SetLocalBackend(lb)
@@ -449,35 +462,28 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID)
 	return nil
 }
 
-func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID) (_ *ipnlocal.LocalBackend, retErr error) {
-	linkMon, err := monitor.New(logf)
-	if err != nil {
-		return nil, fmt.Errorf("monitor.New: %w", err)
-	}
+func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) (_ *ipnlocal.LocalBackend, retErr error) {
 	if logPol != nil {
-		logPol.Logtail.SetLinkMonitor(linkMon)
+		logPol.Logtail.SetNetMon(sys.NetMon.Get())
 	}
 
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)
 
 	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
-	e, onlyNetstack, err := createEngine(logf, linkMon, dialer)
+	sys.Set(dialer)
+
+	onlyNetstack, err := createEngine(logf, sys)
 	if err != nil {
 		return nil, fmt.Errorf("createEngine: %w", err)
 	}
-	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
-		panic("internal error: exit node resolver not wired up")
-	}
 	if debugMux != nil {
-		if ig, ok := e.(wgengine.InternalsGetter); ok {
-			if _, mc, _, ok := ig.GetInternals(); ok {
-				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
-			}
+		if ms, ok := sys.MagicSock.GetOK(); ok {
+			debugMux.HandleFunc("/debug/magicsock", ms.ServeHTTPDebug)
 		}
 		go runDebugServer(debugMux, args.debug)
 	}
 
-	ns, err := newNetstack(logf, dialer, e)
+	ns, err := newNetstack(logf, sys)
 	if err != nil {
 		return nil, fmt.Errorf("newNetstack: %w", err)
 	}
@@ -485,6 +491,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()
 
 	if onlyNetstack {
+		e := sys.Engine.Get()
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
@@ -494,11 +501,13 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		}
 	}
 	if socksListener != nil || httpProxyListener != nil {
+		var addrs []string
 		if httpProxyListener != nil {
 			hs := &http.Server{Handler: httpProxyHandler(dialer.UserDial)}
 			go func() {
 				log.Fatalf("HTTP proxy exited: %v", hs.Serve(httpProxyListener))
 			}()
+			addrs = append(addrs, httpProxyListener.Addr().String())
 		}
 		if socksListener != nil {
 			ss := &socks5.Server{
@@ -508,19 +517,20 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 			go func() {
 				log.Fatalf("SOCKS5 server exited: %v", ss.Serve(socksListener))
 			}()
+			addrs = append(addrs, socksListener.Addr().String())
 		}
+		tshttpproxy.SetSelfProxy(addrs...)
 	}
 
-	e = wgengine.NewWatchdog(e)
-
 	opts := ipnServerOpts()
 
 	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
 		return nil, fmt.Errorf("store.New: %w", err)
 	}
+	sys.Set(store)
 
-	lb, err := ipnlocal.NewLocalBackend(logf, logID, store, dialer, e, opts.LoginFlags)
+	lb, err := ipnlocal.NewLocalBackend(logf, logID, sys, opts.LoginFlags)
 	if err != nil {
 		return nil, fmt.Errorf("ipnlocal.NewLocalBackend: %w", err)
 	}
@@ -529,7 +539,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		lb.SetLogFlusher(logPol.Logtail.StartFlush)
 	}
 	if root := lb.TailscaleVarRoot(); root != "" {
-		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"))
+		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf)
 	}
 	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
 		return smallzstd.NewDecoder(nil)
@@ -546,21 +556,21 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 //
 // onlyNetstack is true if the user has explicitly requested that we use netstack
 // for all networking.
-func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer) (e wgengine.Engine, onlyNetstack bool, err error) {
+func createEngine(logf logger.Logf, sys *tsd.System) (onlyNetstack bool, err error) {
 	if args.tunname == "" {
-		return nil, false, errors.New("no --tun value specified")
+		return false, errors.New("no --tun value specified")
 	}
 	var errs []error
 	for _, name := range strings.Split(args.tunname, ",") {
 		logf("wgengine.NewUserspaceEngine(tun %q) ...", name)
-		e, onlyNetstack, err = tryEngine(logf, linkMon, dialer, name)
+		onlyNetstack, err = tryEngine(logf, sys, name)
 		if err == nil {
-			return e, onlyNetstack, nil
+			return onlyNetstack, nil
 		}
 		logf("wgengine.NewUserspaceEngine(tun %q) error: %v", name, err)
 		errs = append(errs, err)
 	}
-	return nil, false, multierr.New(errs...)
+	return false, multierr.New(errs...)
 }
 
 // handleSubnetsInNetstack reports whether netstack should handle subnet routers
@@ -585,21 +595,23 @@ func handleSubnetsInNetstack() bool {
 
 var tstunNew = tstun.New
 
-func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetstack bool, err error) {
+func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack bool, err error) {
 	conf := wgengine.Config{
-		ListenPort:  args.port,
-		LinkMonitor: linkMon,
-		Dialer:      dialer,
+		ListenPort:   args.port,
+		NetMon:       sys.NetMon.Get(),
+		Dialer:       sys.Dialer.Get(),
+		SetSubsystem: sys.Set,
 	}
 
 	onlyNetstack = name == "userspace-networking"
+	netstackSubnetRouter := onlyNetstack // but mutated later on some platforms
 	netns.SetEnabled(!onlyNetstack)
 
 	if args.birdSocketPath != "" && createBIRDClient != nil {
 		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
 		conf.BIRDClient, err = createBIRDClient(args.birdSocketPath)
 		if err != nil {
-			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
+			return false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
 	if onlyNetstack {
@@ -612,44 +624,55 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 			// TODO(bradfitz): add a Synology-specific DNS manager.
 			conf.DNS, err = dns.NewOSConfigurator(logf, "") // empty interface name
 			if err != nil {
-				return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+				return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 			}
 		}
 	} else {
 		dev, devName, err := tstunNew(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name, err)
-			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
+			return false, fmt.Errorf("tstun.New(%q): %w", name, err)
 		}
 		conf.Tun = dev
 		if strings.HasPrefix(name, "tap:") {
 			conf.IsTAP = true
 			e, err := wgengine.NewUserspaceEngine(logf, conf)
-			return e, false, err
+			if err != nil {
+				return false, err
+			}
+			sys.Set(e)
+			return false, err
 		}
 
-		r, err := router.New(logf, dev, linkMon)
+		r, err := router.New(logf, dev, sys.NetMon.Get())
 		if err != nil {
 			dev.Close()
-			return nil, false, fmt.Errorf("creating router: %w", err)
+			return false, fmt.Errorf("creating router: %w", err)
 		}
+
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
 			dev.Close()
 			r.Close()
-			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+			return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d
 		conf.Router = r
 		if handleSubnetsInNetstack() {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
+			netstackSubnetRouter = true
 		}
+		sys.Set(conf.Router)
 	}
-	e, err = wgengine.NewUserspaceEngine(logf, conf)
+	e, err := wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return nil, onlyNetstack, err
+		return onlyNetstack, err
 	}
-	return e, onlyNetstack, nil
+	e = wgengine.NewWatchdog(e)
+	sys.Set(e)
+	sys.NetstackRouter.Set(netstackSubnetRouter)
+
+	return onlyNetstack, nil
 }
 
 func newDebugMux() *http.ServeMux {
@@ -665,7 +688,7 @@ func newDebugMux() *http.ServeMux {
 
 func servePrometheusMetrics(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain")
-	tsweb.VarzHandler(w, r)
+	varz.Handler(w, r)
 	clientmetric.WritePrometheusExpositionFormat(w)
 }
 
@@ -679,12 +702,8 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 	}
 }
 
-func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
-	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
-	if !ok {
-		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
-	}
-	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
+func newNetstack(logf logger.Logf, sys *tsd.System) (*netstack.Impl, error) {
+	return netstack.Create(logf, sys.Tun.Get(), sys.Engine.Get(), sys.MagicSock.Get(), sys.Dialer.Get(), sys.DNSManager.Get())
 }
 
 // mustStartProxyListeners creates listeners for local SOCKS and HTTP

cmd/tailscaled/tailscaled_windows.go

@@ -45,7 +45,9 @@ import (
 	"tailscale.com/logpolicy"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/dns"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/tstun"
+	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/winutil"
@@ -124,6 +126,10 @@ var syslogf logger.Logf = logger.Discard
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
+	go func() {
+		winutil.LogSupportInfo(log.Printf)
+	}()
+
 	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
@@ -291,8 +297,15 @@ func beWindowsSubprocess() bool {
 		}
 	}()
 
+	sys := new(tsd.System)
+	netMon, err := netmon.New(log.Printf)
+	if err != nil {
+		log.Fatalf("Could not create netMon: %v", err)
+	}
+	sys.Set(netMon)
+
 	publicLogID, _ := logid.ParsePublicID(logID)
-	err := startIPNServer(ctx, log.Printf, publicLogID)
+	err = startIPNServer(ctx, log.Printf, publicLogID, sys)
 	if err != nil {
 		log.Fatalf("ipnserver: %v", err)
 	}

cmd/tsconnect/common.go

@@ -71,6 +71,9 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 }
 
 func findRepoRoot() (string, error) {
+	if *rootDir != "" {
+		return *rootDir, nil
+	}
 	cwd, err := os.Getwd()
 	if err != nil {
 		return "", err

cmd/tsconnect/tsconnect.go

@@ -23,6 +23,7 @@ var (
 	yarnPath        = flag.String("yarnpath", "../../tool/yarn", "path yarn executable used to install JavaScript dependencies")
 	fastCompression = flag.Bool("fast-compression", false, "Use faster compression when building, to speed up build time. Meant to iterative/debugging use only.")
 	devControl      = flag.String("dev-control", "", "URL of a development control server to be used with dev. If provided without specifying dev, an error will be returned.")
+	rootDir         = flag.String("rootdir", "", "Root directory of repo. If not specified, will be inferred from the cwd.")
 )
 
 func main() {

cmd/tsconnect/wasm/wasm_js.go

@@ -37,6 +37,7 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tsd"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/words"
@@ -46,7 +47,7 @@ import (
 var ControlURL = ipn.DefaultControlURL
 
 func main() {
-	js.Global().Set("newIPN", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+	js.Global().Set("newIPN", js.FuncOf(func(this js.Value, args []js.Value) any {
 		if len(args) != 1 {
 			log.Fatal("Usage: newIPN(config)")
 			return nil
@@ -96,19 +97,19 @@ func newIPN(jsConfig js.Value) map[string]any {
 	logtail := logtail.NewLogger(c, log.Printf)
 	logf := logtail.Logf
 
+	sys := new(tsd.System)
+	sys.Set(store)
 	dialer := &tsdial.Dialer{Logf: logf}
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		Dialer: dialer,
+		Dialer:       dialer,
+		SetSubsystem: sys.Set,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
+	sys.Set(eng)
 
-	tunDev, magicConn, dnsManager, ok := eng.(wgengine.InternalsGetter).GetInternals()
-	if !ok {
-		log.Fatalf("%T is not a wgengine.InternalsGetter", eng)
-	}
-	ns, err := netstack.Create(logf, tunDev, eng, magicConn, dialer, dnsManager)
+	ns, err := netstack.Create(logf, sys.Tun.Get(), eng, sys.MagicSock.Get(), dialer, sys.DNSManager.Get())
 	if err != nil {
 		log.Fatalf("netstack.Create: %v", err)
 	}
@@ -121,10 +122,11 @@ func newIPN(jsConfig js.Value) map[string]any {
 	dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
 		return ns.DialContextTCP(ctx, dst)
 	}
+	sys.NetstackRouter.Set(true)
 
 	logid := lpc.PublicID
-	srv := ipnserver.New(logf, logid)
-	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, dialer, eng, controlclient.LoginEphemeral)
+	srv := ipnserver.New(logf, logid, nil /* no netMon */)
+	lb, err := ipnlocal.NewLocalBackend(logf, logid, sys, controlclient.LoginEphemeral)
 	if err != nil {
 		log.Fatalf("ipnlocal.NewLocalBackend: %v", err)
 	}
@@ -146,7 +148,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 	}
 
 	return map[string]any{
-		"run": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		"run": js.FuncOf(func(this js.Value, args []js.Value) any {
 			if len(args) != 1 {
 				log.Fatal(`Usage: run({
 					notifyState(state: int): void,
@@ -159,7 +161,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 			jsIPN.run(args[0])
 			return nil
 		}),
-		"login": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		"login": js.FuncOf(func(this js.Value, args []js.Value) any {
 			if len(args) != 0 {
 				log.Printf("Usage: login()")
 				return nil
@@ -167,7 +169,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 			jsIPN.login()
 			return nil
 		}),
-		"logout": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		"logout": js.FuncOf(func(this js.Value, args []js.Value) any {
 			if len(args) != 0 {
 				log.Printf("Usage: logout()")
 				return nil
@@ -175,7 +177,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 			jsIPN.logout()
 			return nil
 		}),
-		"ssh": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		"ssh": js.FuncOf(func(this js.Value, args []js.Value) any {
 			if len(args) != 3 {
 				log.Printf("Usage: ssh(hostname, userName, termConfig)")
 				return nil
@@ -185,7 +187,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 				args[1].String(),
 				args[2])
 		}),
-		"fetch": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		"fetch": js.FuncOf(func(this js.Value, args []js.Value) any {
 			if len(args) != 1 {
 				log.Printf("Usage: fetch(url)")
 				return nil
@@ -334,10 +336,10 @@ func (i *jsIPN) ssh(host, username string, termConfig js.Value) map[string]any {
 	go jsSSHSession.Run()
 
 	return map[string]any{
-		"close": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		"close": js.FuncOf(func(this js.Value, args []js.Value) any {
 			return jsSSHSession.Close() != nil
 		}),
-		"resize": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+		"resize": js.FuncOf(func(this js.Value, args []js.Value) any {
 			rows := args[0].Int()
 			cols := args[1].Int()
 			return jsSSHSession.Resize(rows, cols) != nil
@@ -426,7 +428,7 @@ func (s *jsSSHSession) Run() {
 	session.Stdout = termWriter{writeFn}
 	session.Stderr = termWriter{writeFn}
 
-	setReadFn.Invoke(js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+	setReadFn.Invoke(js.FuncOf(func(this js.Value, args []js.Value) any {
 		input := args[0].String()
 		_, err := stdin.Write([]byte(input))
 		if err != nil {
@@ -496,7 +498,7 @@ func (i *jsIPN) fetch(url string) js.Value {
 		return map[string]any{
 			"status":     res.StatusCode,
 			"statusText": res.Status,
-			"text": js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+			"text": js.FuncOf(func(this js.Value, args []js.Value) any {
 				return makePromise(func() (any, error) {
 					defer res.Body.Close()
 					buf := new(bytes.Buffer)
@@ -602,7 +604,7 @@ func generateHostname() string {
 // f is run on a goroutine and its return value is used to resolve the promise
 // (or reject it if an error is returned).
 func makePromise(f func() (any, error)) js.Value {
-	handler := js.FuncOf(func(this js.Value, args []js.Value) interface{} {
+	handler := js.FuncOf(func(this js.Value, args []js.Value) any {
 		resolve := args[0]
 		reject := args[1]
 		go func() {

cmd/viewer/tests/tests.go

@@ -9,7 +9,7 @@ import (
 	"net/netip"
 )
 
-//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone --clone-only-type=OnlyGetClone
+//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded --clone-only-type=OnlyGetClone
 
 type StructWithoutPtrs struct {
 	Int int
@@ -61,3 +61,8 @@ type StructWithSlices struct {
 type OnlyGetClone struct {
 	SinViewerPorFavor bool
 }
+
+type StructWithEmbedded struct {
+	A *StructWithPtrs
+	StructWithSlices
+}

cmd/viewer/tests/tests_clone.go

@@ -211,3 +211,22 @@ func (src *OnlyGetClone) Clone() *OnlyGetClone {
 var _OnlyGetCloneCloneNeedsRegeneration = OnlyGetClone(struct {
 	SinViewerPorFavor bool
 }{})
+
+// Clone makes a deep copy of StructWithEmbedded.
+// The result aliases no memory with the original.
+func (src *StructWithEmbedded) Clone() *StructWithEmbedded {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithEmbedded)
+	*dst = *src
+	dst.A = src.A.Clone()
+	dst.StructWithSlices = *src.StructWithSlices.Clone()
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithEmbeddedCloneNeedsRegeneration = StructWithEmbedded(struct {
+	A *StructWithPtrs
+	StructWithSlices
+}{})

cmd/viewer/tests/tests_view.go

@@ -14,7 +14,7 @@ import (
 	"tailscale.com/types/views"
 )
 
-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded
 
 // View returns a readonly view of StructWithPtrs.
 func (p *StructWithPtrs) View() StructWithPtrsView {
@@ -325,3 +325,59 @@ var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
 	Prefixes       []netip.Prefix
 	Data           []byte
 }{})
+
+// View returns a readonly view of StructWithEmbedded.
+func (p *StructWithEmbedded) View() StructWithEmbeddedView {
+	return StructWithEmbeddedView{ж: p}
+}
+
+// StructWithEmbeddedView provides a read-only view over StructWithEmbedded.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithEmbeddedView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithEmbedded
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithEmbeddedView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithEmbeddedView) AsStruct() *StructWithEmbedded {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithEmbeddedView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithEmbeddedView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithEmbedded
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithEmbeddedView) A() StructWithPtrsView { return v.ж.A.View() }
+func (v StructWithEmbeddedView) StructWithSlices() StructWithSlicesView {
+	return v.ж.StructWithSlices.View()
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithEmbeddedViewNeedsRegeneration = StructWithEmbedded(struct {
+	A *StructWithPtrs
+	StructWithSlices
+}{})

control/controlbase/conn.go

@@ -398,7 +398,7 @@ type maxMsgBuffer [maxMessageSize]byte
 
 // bufPool holds the temporary buffers for Conn.Read & Write.
 var bufPool = &sync.Pool{
-	New: func() interface{} {
+	New: func() any {
 		return new(maxMsgBuffer)
 	},
 }

control/controlclient/auto.go

@@ -121,10 +121,10 @@ func NewNoStart(opts Options) (_ *Auto, err error) {
 		statusFunc: opts.Status,
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
-	c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto)
+	c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto, opts.Logf)
 
 	c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
-	c.mapCtx = sockstats.WithSockStats(c.mapCtx, sockstats.LabelControlClientAuto)
+	c.mapCtx = sockstats.WithSockStats(c.mapCtx, sockstats.LabelControlClientAuto, opts.Logf)
 
 	c.unregisterHealthWatch = health.RegisterWatcher(direct.ReportHealthChange)
 	return c, nil
@@ -244,7 +244,7 @@ func (c *Auto) cancelAuth() {
 	}
 	if !c.closed {
 		c.authCtx, c.authCancel = context.WithCancel(context.Background())
-		c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto)
+		c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto, c.logf)
 	}
 	c.mu.Unlock()
 }
@@ -255,7 +255,7 @@ func (c *Auto) cancelMapLocked() {
 	}
 	if !c.closed {
 		c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
-		c.mapCtx = sockstats.WithSockStats(c.mapCtx, sockstats.LabelControlClientAuto)
+		c.mapCtx = sockstats.WithSockStats(c.mapCtx, sockstats.LabelControlClientAuto, c.logf)
 
 	}
 }

control/controlclient/direct.go

@@ -37,6 +37,7 @@ import (
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tsdial"
@@ -54,20 +55,20 @@ import (
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/singleflight"
 	"tailscale.com/util/systemd"
-	"tailscale.com/wgengine/monitor"
 )
 
 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
 	httpc                  *http.Client // HTTP client used to talk to tailcontrol
 	dialer                 *tsdial.Dialer
+	dnsCache               *dnscache.Resolver
 	serverURL              string // URL of the tailcontrol server
 	timeNow                func() time.Time
 	lastPrintMap           time.Time
 	newDecompressor        func() (Decompressor, error)
 	keepAlive              bool
 	logf                   logger.Logf
-	linkMon                *monitor.Mon // or nil
+	netMon                 *netmon.Monitor // or nil
 	discoPubKey            key.DiscoPublic
 	getMachinePrivKey      func() (key.MachinePrivate, error)
 	debugFlags             []string
@@ -113,7 +114,7 @@ type Options struct {
 	HTTPTestClient       *http.Client                 // optional HTTP client to use (for tests only)
 	NoiseTestClient      *http.Client                 // optional HTTP client to use for noise RPCs (tests only)
 	DebugFlags           []string                     // debug settings to send to control
-	LinkMonitor          *monitor.Mon                 // optional link monitor
+	NetMon               *netmon.Monitor              // optional network monitor
 	PopBrowserURL        func(url string)             // optional func to open browser
 	OnClientVersion      func(*tailcfg.ClientVersion) // optional func to inform GUI of client version status
 	OnControlTime        func(time.Time)              // optional func to notify callers of new time from control
@@ -199,6 +200,14 @@ func NewDirect(opts Options) (*Direct, error) {
 		opts.Logf = log.Printf
 	}
 
+	dnsCache := &dnscache.Resolver{
+		Forward:          dnscache.Get().Forward, // use default cache's forwarder
+		UseLastGood:      true,
+		LookupIPFallback: dnsfallback.MakeLookupFunc(opts.Logf, opts.NetMon),
+		Logf:             opts.Logf,
+		NetMon:           opts.NetMon,
+	}
+
 	httpc := opts.HTTPTestClient
 	if httpc == nil && runtime.GOOS == "js" {
 		// In js/wasm, net/http.Transport (as of Go 1.18) will
@@ -208,12 +217,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		httpc = http.DefaultClient
 	}
 	if httpc == nil {
-		dnsCache := &dnscache.Resolver{
-			Forward:          dnscache.Get().Forward, // use default cache's forwarder
-			UseLastGood:      true,
-			LookupIPFallback: dnsfallback.Lookup,
-			Logf:             opts.Logf,
-		}
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
 		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
@@ -241,7 +244,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		discoPubKey:            opts.DiscoPublicKey,
 		debugFlags:             opts.DebugFlags,
 		keepSharerAndUserSplit: opts.KeepSharerAndUserSplit,
-		linkMon:                opts.LinkMonitor,
+		netMon:                 opts.NetMon,
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
 		pinger:                 opts.Pinger,
 		popBrowser:             opts.PopBrowserURL,
@@ -249,6 +252,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		onControlTime:          opts.OnControlTime,
 		c2nHandler:             opts.C2NHandler,
 		dialer:                 opts.Dialer,
+		dnsCache:               dnsCache,
 		dialPlan:               opts.DialPlan,
 	}
 	if opts.Hostinfo == nil {
@@ -871,8 +875,8 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		ReadOnly: readOnly && !allowStream,
 	}
 	var extraDebugFlags []string
-	if hi != nil && c.linkMon != nil && !c.skipIPForwardingCheck &&
-		ipForwardingBroken(hi.RoutableIPs, c.linkMon.InterfaceState()) {
+	if hi != nil && c.netMon != nil && !c.skipIPForwardingCheck &&
+		ipForwardingBroken(hi.RoutableIPs, c.netMon.InterfaceState()) {
 		extraDebugFlags = append(extraDebugFlags, "warn-ip-forwarding-off")
 	}
 	if health.RouterHealth() != nil {
@@ -1508,7 +1512,16 @@ func (c *Direct) getNoiseClient() (*NoiseClient, error) {
 			return nil, err
 		}
 		c.logf("creating new noise client")
-		nc, err := NewNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer, dp)
+		nc, err := NewNoiseClient(NoiseOpts{
+			PrivKey:      k,
+			ServerPubKey: serverNoiseKey,
+			ServerURL:    c.serverURL,
+			Dialer:       c.dialer,
+			DNSCache:     c.dnsCache,
+			Logf:         c.logf,
+			NetMon:       c.netMon,
+			DialPlan:     dp,
+		})
 		if err != nil {
 			return nil, err
 		}

control/controlclient/noise.go

@@ -19,9 +19,12 @@ import (
 	"golang.org/x/net/http2"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/singleflight"
@@ -156,6 +159,7 @@ type NoiseClient struct {
 	sfDial singleflight.Group[struct{}, *noiseConn]
 
 	dialer       *tsdial.Dialer
+	dnsCache     *dnscache.Resolver
 	privKey      key.MachinePrivate
 	serverPubKey key.MachinePublic
 	host         string // the host part of serverURL
@@ -167,6 +171,9 @@ type NoiseClient struct {
 	// be nil.
 	dialPlan func() *tailcfg.ControlDialPlan
 
+	logf   logger.Logf
+	netMon *netmon.Monitor
+
 	// mu only protects the following variables.
 	mu       sync.Mutex
 	last     *noiseConn // or nil
@@ -174,12 +181,39 @@ type NoiseClient struct {
 	connPool map[int]*noiseConn // active connections not yet closed; see noiseConn.Close
 }
 
+// NoiseOpts contains options for the NewNoiseClient function. All fields are
+// required unless otherwise specified.
+type NoiseOpts struct {
+	// PrivKey is this node's private key.
+	PrivKey key.MachinePrivate
+	// ServerPubKey is the public key of the server.
+	ServerPubKey key.MachinePublic
+	// ServerURL is the URL of the server to connect to.
+	ServerURL string
+	// Dialer's SystemDial function is used to connect to the server.
+	Dialer *tsdial.Dialer
+	// DNSCache is the caching Resolver to use to connect to the server.
+	//
+	// This field can be nil.
+	DNSCache *dnscache.Resolver
+	// Logf is the log function to use. This field can be nil.
+	Logf logger.Logf
+	// NetMon is the network monitor that, if set, will be used to get the
+	// network interface state. This field can be nil; if so, the current
+	// state will be looked up dynamically.
+	NetMon *netmon.Monitor
+	// DialPlan, if set, is a function that should return an explicit plan
+	// on how to connect to the server.
+	DialPlan func() *tailcfg.ControlDialPlan
+}
+
 // NewNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
 //
+// netMon may be nil, if non-nil it's used to do faster interface lookups.
 // dialPlan may be nil
-func NewNoiseClient(privKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer, dialPlan func() *tailcfg.ControlDialPlan) (*NoiseClient, error) {
-	u, err := url.Parse(serverURL)
+func NewNoiseClient(opts NoiseOpts) (*NoiseClient, error) {
+	u, err := url.Parse(opts.ServerURL)
 	if err != nil {
 		return nil, err
 	}
@@ -199,14 +233,18 @@ func NewNoiseClient(privKey key.MachinePrivate, serverPubKey key.MachinePublic,
 		httpPort = "80"
 		httpsPort = "443"
 	}
+
 	np := &NoiseClient{
-		serverPubKey: serverPubKey,
-		privKey:      privKey,
+		serverPubKey: opts.ServerPubKey,
+		privKey:      opts.PrivKey,
 		host:         u.Hostname(),
 		httpPort:     httpPort,
 		httpsPort:    httpsPort,
-		dialer:       dialer,
-		dialPlan:     dialPlan,
+		dialer:       opts.Dialer,
+		dnsCache:     opts.DNSCache,
+		dialPlan:     opts.DialPlan,
+		logf:         opts.Logf,
+		netMon:       opts.NetMon,
 	}
 
 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -365,7 +403,10 @@ func (nc *NoiseClient) dial() (*noiseConn, error) {
 		ControlKey:      nc.serverPubKey,
 		ProtocolVersion: uint16(tailcfg.CurrentCapabilityVersion),
 		Dialer:          nc.dialer.SystemDial,
+		DNSCache:        nc.dnsCache,
 		DialPlan:        dialPlan,
+		Logf:            nc.logf,
+		NetMon:          nc.netMon,
 	}).Dial(ctx)
 	if err != nil {
 		return nil, err

control/controlclient/noise_test.go

@@ -74,7 +74,12 @@ func (tt noiseClientTest) run(t *testing.T) {
 	defer hs.Close()
 
 	dialer := new(tsdial.Dialer)
-	nc, err := NewNoiseClient(clientPrivate, serverPrivate.Public(), hs.URL, dialer, nil)
+	nc, err := NewNoiseClient(NoiseOpts{
+		PrivKey:      clientPrivate,
+		ServerPubKey: serverPrivate.Public(),
+		ServerURL:    hs.URL,
+		Dialer:       dialer,
+	})
 	if err != nil {
 		t.Fatal(err)
 	}

control/controlhttp/client.go

@@ -273,7 +273,7 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*ClientConn, er
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
-	ctx = sockstats.WithSockStats(ctx, sockstats.LabelControlClientDialer)
+	ctx = sockstats.WithSockStats(ctx, sockstats.LabelControlClientDialer, a.logf)
 
 	// u80 and u443 are the URLs we'll try to hit over HTTP or HTTPS,
 	// respectively, in order to do the HTTP upgrade to a net.Conn over which
@@ -374,6 +374,22 @@ func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*Cli
 	}, nil
 }
 
+// resolver returns a.DNSCache if non-nil or a new *dnscache.Resolver
+// otherwise.
+func (a *Dialer) resolver() *dnscache.Resolver {
+	if a.DNSCache != nil {
+		return a.DNSCache
+	}
+
+	return &dnscache.Resolver{
+		Forward:          dnscache.Get().Forward,
+		LookupIPFallback: dnsfallback.MakeLookupFunc(a.logf, a.NetMon),
+		UseLastGood:      true,
+		Logf:             a.Logf, // not a.logf method; we want to propagate nil-ness
+		NetMon:           a.NetMon,
+	}
+}
+
 // tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn. If addr
 // is valid, then no DNS is used and the connection will be made to the
 // provided address.
@@ -389,14 +405,10 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,
 			SingleHostStaticResult: []netip.Addr{addr},
 			SingleHost:             u.Hostname(),
 			Logf:                   a.Logf, // not a.logf method; we want to propagate nil-ness
+			NetMon:                 a.NetMon,
 		}
 	} else {
-		dns = &dnscache.Resolver{
-			Forward:          dnscache.Get().Forward,
-			LookupIPFallback: dnsfallback.Lookup,
-			UseLastGood:      true,
-			Logf:             a.Logf, // not a.logf method; we want to propagate nil-ness
-		}
+		dns = a.resolver()
 	}
 
 	var dialer dnscache.DialContextFunc

control/controlhttp/constants.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"tailscale.com/net/dnscache"
+	"tailscale.com/net/netmon"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -66,10 +67,17 @@ type Dialer struct {
 	// If not specified, this defaults to net.Dialer.DialContext.
 	Dialer dnscache.DialContextFunc
 
+	// DNSCache is the caching Resolver used by this Dialer.
+	//
+	// If not specified, a new Resolver is created per attempt.
+	DNSCache *dnscache.Resolver
+
 	// Logf, if set, is a logging function to use; if unset, logs are
 	// dropped.
 	Logf logger.Logf
 
+	NetMon *netmon.Monitor
+
 	// DialPlan, if set, contains instructions from the control server on
 	// how to connect to it. If present, we will try the methods in this
 	// plan before falling back to DNS.

derp/README.md

@@ -0,0 +1,61 @@
+# DERP
+
+This directory (and subdirectories) contain the DERP code. The server itself is
+in `../cmd/derper`.
+
+DERP is a packet relay system (client and servers) where peers are addressed
+using WireGuard public keys instead of IP addresses.
+
+It relays two types of packets:
+
+* "Disco" discovery messages (see `../disco`) as the a side channel during [NAT
+  traversal](https://tailscale.com/blog/how-nat-traversal-works/).
+
+* Encrypted WireGuard packets as the fallback of last resort when UDP is blocked
+  or NAT traversal fails.
+
+## DERP Map
+
+Each client receives a "[DERP
+Map](https://pkg.go.dev/tailscale.com/tailcfg#DERPMap)" from the coordination
+server describing the DERP servers the client should try to use.
+
+The client picks its home "DERP home" based on latency. This is done to keep
+costs low by avoid using cloud load balancers (pricey) or anycast, which would
+necessarily require server-side routing between DERP regions.
+
+Clients pick their DERP home and report it to the coordination server which
+shares it to all the peers in the tailnet. When a peer wants to send a packet
+and it doesn't already have a WireGuard session open, it sends disco messages
+(some direct, and some over DERP), trying to do the NAT traversal. The client
+will make connections to multiple DERP regions as needed. Only the DERP home
+region connection needs to be alive forever.
+
+## DERP Regions
+
+Tailscale runs 1 or more DERP nodes (instances of `cmd/derper`) in various
+geographic regions to make sure users have low latency to their DERP home.
+
+Regions generally have multiple nodes per region "meshed" (routing to each
+other) together for redundancy: it allows for cloud failures or upgrades without
+kicking users out to a higher latency region. Instead, clients will reconnect to
+the next node in the region. Each node in the region is required to to be meshed
+with every other node in the region and forward packets to the other nodes in
+the region. Packets are forwarded only one hop within the region. There is no
+routing between regions. The assumption is that the mesh TCP connections are
+over a VPC that's very fast, low latency, and not charged per byte. The
+coordination server assigns the list of nodes in a region as a function of the
+tailnet, so all nodes within a tailnet should generally be on the same node and
+not require forwarding. Only after a failure do clients of a particular tailnet
+get split between nodes in a region and require inter-node forwarding. But over
+time it balances back out. There's also an admin-only DERP frame type to force
+close the TCP connection of a particular client to force them to reconnect to
+their primary if the operator wants to force things to balance out sooner.
+(Using the `(*derphttp.Client).ClosePeer` method, as used by Tailscale's
+internal rarely-used `cmd/derpprune` maintenance tool)
+
+We generally run a minimum of three nodes in a region not for quorum reasons
+(there's no voting) but just because two is too uncomfortably few for cascading
+failure reasons: if you're running two nodes at 51% load (CPU, memory, etc) and
+then one fails, that makes the second one fail. With three or more nodes, you
+can run each node a bit hotter.

derp/derp.go

@@ -77,8 +77,11 @@ const (
 	// a previous sender is no longer connected. That is, if A
 	// sent to B, and then if A disconnects, the server sends
 	// framePeerGone to B so B can forget that a reverse path
-	// exists on that connection to get back to A.
-	framePeerGone = frameType(0x08) // 32B pub key of peer that's gone
+	// exists on that connection to get back to A. It is also sent
+	// if A tries to send a CallMeMaybe to B and the server has no
+	// record of B (which currently would only happen if there was
+	// a bug).
+	framePeerGone = frameType(0x08) // 32B pub key of peer that's gone + 1 byte reason
 
 	// framePeerPresent is like framePeerGone, but for other
 	// members of the DERP region when they're meshed up together.
@@ -116,6 +119,15 @@ const (
 	frameRestarting = frameType(0x15)
 )
 
+// PeerGoneReasonType is a one byte reason code explaining why a
+// server does not have a path to the requested destination.
+type PeerGoneReasonType byte
+
+const (
+	PeerGoneReasonDisconnected = PeerGoneReasonType(0x00) // peer disconnected from this server
+	PeerGoneReasonNotHere      = PeerGoneReasonType(0x01) // server doesn't know about this peer, unexpected
+)
+
 var bin = binary.BigEndian
 
 func writeUint32(bw *bufio.Writer, v uint32) error {

derp/derp_client.go

@@ -348,9 +348,12 @@ type ReceivedPacket struct {
 func (ReceivedPacket) msg() {}
 
 // PeerGoneMessage is a ReceivedMessage that indicates that the client
-// identified by the underlying public key had previously sent you a
-// packet but has now disconnected from the server.
-type PeerGoneMessage key.NodePublic
+// identified by the underlying public key is not connected to this
+// server.
+type PeerGoneMessage struct {
+	Peer   key.NodePublic
+	Reason PeerGoneReasonType
+}
 
 func (PeerGoneMessage) msg() {}
 
@@ -524,7 +527,15 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 				c.logf("[unexpected] dropping short peerGone frame from DERP server")
 				continue
 			}
-			pg := PeerGoneMessage(key.NodePublicFromRaw32(mem.B(b[:keyLen])))
+			// Backward compatibility for the older peerGone without reason byte
+			reason := PeerGoneReasonDisconnected
+			if n > keyLen {
+				reason = PeerGoneReasonType(b[keyLen])
+			}
+			pg := PeerGoneMessage{
+				Peer:   key.NodePublicFromRaw32(mem.B(b[:keyLen])),
+				Reason: reason,
+			}
 			return pg, nil
 
 		case framePeerPresent:

derp/derp_server.go

@@ -34,12 +34,12 @@ import (
 
 	"go4.org/mem"
 	"golang.org/x/sync/errgroup"
-	"golang.org/x/time/rate"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/disco"
 	"tailscale.com/envknob"
 	"tailscale.com/metrics"
 	"tailscale.com/syncs"
+	"tailscale.com/tstime/rate"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
@@ -122,7 +122,8 @@ type Server struct {
 	_                            align64
 	packetsForwardedOut          expvar.Int
 	packetsForwardedIn           expvar.Int
-	peerGoneFrames               expvar.Int // number of peer gone frames sent
+	peerGoneDisconnectedFrames   expvar.Int // number of peer disconnected frames sent
+	peerGoneNotHereFrames        expvar.Int // number of peer not here frames sent
 	gotPing                      expvar.Int // number of ping frames from client
 	sentPong                     expvar.Int // number of pong frames enqueued to client
 	accepts                      expvar.Int
@@ -324,7 +325,8 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 	s.packetsDroppedReasonCounters = []*expvar.Int{
 		s.packetsDroppedReason.Get("unknown_dest"),
 		s.packetsDroppedReason.Get("unknown_dest_on_fwd"),
-		s.packetsDroppedReason.Get("gone"),
+		s.packetsDroppedReason.Get("gone_disconnected"),
+		s.packetsDroppedReason.Get("gone_not_here"),
 		s.packetsDroppedReason.Get("queue_head"),
 		s.packetsDroppedReason.Get("queue_tail"),
 		s.packetsDroppedReason.Get("write_error"),
@@ -496,7 +498,7 @@ func (s *Server) registerClient(c *sclient) {
 	switch set := set.(type) {
 	case nil:
 		s.clients[c.key] = singleClient{c}
-		c.debug("register single client")
+		c.debugLogf("register single client")
 	case singleClient:
 		s.dupClientKeys.Add(1)
 		s.dupClientConns.Add(2) // both old and new count
@@ -512,7 +514,7 @@ func (s *Server) registerClient(c *sclient) {
 			},
 			sendHistory: []*sclient{old},
 		}
-		c.debug("register duplicate client")
+		c.debugLogf("register duplicate client")
 	case *dupClientSet:
 		s.dupClientConns.Add(1)     // the gauge
 		s.dupClientConnTotal.Add(1) // the counter
@@ -520,7 +522,7 @@ func (s *Server) registerClient(c *sclient) {
 		set.set[c] = true
 		set.last = c
 		set.sendHistory = append(set.sendHistory, c)
-		c.debug("register another duplicate client")
+		c.debugLogf("register another duplicate client")
 	}
 
 	if _, ok := s.clientsMesh[c.key]; !ok {
@@ -553,7 +555,7 @@ func (s *Server) unregisterClient(c *sclient) {
 	case nil:
 		c.logf("[unexpected]; clients map is empty")
 	case singleClient:
-		c.logf("removed connection")
+		c.debugLogf("removed connection")
 		delete(s.clients, c.key)
 		if v, ok := s.clientsMesh[c.key]; ok && v == nil {
 			delete(s.clientsMesh, c.key)
@@ -561,7 +563,7 @@ func (s *Server) unregisterClient(c *sclient) {
 		}
 		s.broadcastPeerStateChangeLocked(c.key, false)
 	case *dupClientSet:
-		c.debug("removed duplicate client")
+		c.debugLogf("removed duplicate client")
 		if set.removeClient(c) {
 			s.dupClientConns.Add(-1)
 		} else {
@@ -615,13 +617,26 @@ func (s *Server) notePeerGoneFromRegionLocked(key key.NodePublic) {
 		}
 		set.ForeachClient(func(peer *sclient) {
 			if peer.connNum == connNum {
-				go peer.requestPeerGoneWrite(key)
+				go peer.requestPeerGoneWrite(key, PeerGoneReasonDisconnected)
 			}
 		})
 	}
 	delete(s.sentTo, key)
 }
 
+// requestPeerGoneWriteLimited sends a request to write a "peer gone"
+// frame, but only in reply to a disco packet, and only if we haven't
+// sent one recently.
+func (c *sclient) requestPeerGoneWriteLimited(peer key.NodePublic, contents []byte, reason PeerGoneReasonType) {
+	if disco.LooksLikeDiscoWrapper(contents) != true {
+		return
+	}
+
+	if c.peerGoneLim.Allow() {
+		go c.requestPeerGoneWrite(peer, reason)
+	}
+}
+
 func (s *Server) addWatcher(c *sclient) {
 	if !c.canMesh {
 		panic("invariant: addWatcher called without permissions")
@@ -686,8 +701,9 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 		sendQueue:      make(chan pkt, perClientSendQueueDepth),
 		discoSendQueue: make(chan pkt, perClientSendQueueDepth),
 		sendPongCh:     make(chan [8]byte, 1),
-		peerGone:       make(chan key.NodePublic),
+		peerGone:       make(chan peerGoneMsg),
 		canMesh:        clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
+		peerGoneLim:    rate.NewLimiter(rate.Every(time.Second), 3),
 	}
 
 	if c.canMesh {
@@ -696,9 +712,12 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 	if clientInfo != nil {
 		c.info = *clientInfo
 		if envknob.Bool("DERP_PROBER_DEBUG_LOGS") && clientInfo.IsProber {
-			c.debugLogging = true
+			c.debug = true
 		}
 	}
+	if s.debug {
+		c.debug = true
+	}
 
 	s.registerClient(c)
 	defer s.unregisterClient(c)
@@ -711,6 +730,12 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 	return c.run(ctx)
 }
 
+func (s *Server) debugLogf(format string, v ...any) {
+	if s.debug {
+		s.logf(format, v...)
+	}
+}
+
 // for testing
 var (
 	timeSleep = time.Sleep
@@ -728,16 +753,20 @@ func (c *sclient) run(ctx context.Context) error {
 	defer func() {
 		cancelSender()
 		if err := grp.Wait(); err != nil && !c.s.isClosed() {
-			c.logf("sender failed: %v", err)
+			if errors.Is(err, context.Canceled) {
+				c.debugLogf("sender canceled by reader exiting")
+			} else {
+				c.logf("sender failed: %v", err)
+			}
 		}
 	}()
 
 	for {
 		ft, fl, err := readFrameHeader(c.br)
-		c.debug("read frame type %d len %d err %v", ft, fl, err)
+		c.debugLogf("read frame type %d len %d err %v", ft, fl, err)
 		if err != nil {
 			if errors.Is(err, io.EOF) {
-				c.logf("read EOF")
+				c.debugLogf("read EOF")
 				return nil
 			}
 			if c.s.isClosed() {
@@ -887,12 +916,14 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 		reason := dropReasonUnknownDestOnFwd
 		if dstLen > 1 {
 			reason = dropReasonDupClient
+		} else {
+			c.requestPeerGoneWriteLimited(dstKey, contents, PeerGoneReasonNotHere)
 		}
 		s.recordDrop(contents, srcKey, dstKey, reason)
 		return nil
 	}
 
-	dst.debug("received forwarded packet from %s via %s", srcKey.ShortString(), c.key.ShortString())
+	dst.debugLogf("received forwarded packet from %s via %s", srcKey.ShortString(), c.key.ShortString())
 
 	return c.sendPkt(dst, pkt{
 		bs:         contents,
@@ -942,7 +973,7 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 		if fwd != nil {
 			s.packetsForwardedOut.Add(1)
 			err := fwd.ForwardPacket(c.key, dstKey, contents)
-			c.debug("SendPacket for %s, forwarding via %s: %v", dstKey.ShortString(), fwd, err)
+			c.debugLogf("SendPacket for %s, forwarding via %s: %v", dstKey.ShortString(), fwd, err)
 			if err != nil {
 				// TODO:
 				return nil
@@ -952,12 +983,14 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 		reason := dropReasonUnknownDest
 		if dstLen > 1 {
 			reason = dropReasonDupClient
+		} else {
+			c.requestPeerGoneWriteLimited(dstKey, contents, PeerGoneReasonNotHere)
 		}
 		s.recordDrop(contents, c.key, dstKey, reason)
-		c.debug("SendPacket for %s, dropping with reason=%s", dstKey.ShortString(), reason)
+		c.debugLogf("SendPacket for %s, dropping with reason=%s", dstKey.ShortString(), reason)
 		return nil
 	}
-	c.debug("SendPacket for %s, sending directly", dstKey.ShortString())
+	c.debugLogf("SendPacket for %s, sending directly", dstKey.ShortString())
 
 	p := pkt{
 		bs:         contents,
@@ -967,8 +1000,8 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	return c.sendPkt(dst, p)
 }
 
-func (c *sclient) debug(format string, v ...any) {
-	if c.debugLogging {
+func (c *sclient) debugLogf(format string, v ...any) {
+	if c.debug {
 		c.logf(format, v...)
 	}
 }
@@ -981,7 +1014,7 @@ type dropReason int
 const (
 	dropReasonUnknownDest      dropReason = iota // unknown destination pubkey
 	dropReasonUnknownDestOnFwd                   // unknown destination pubkey on a derp-forwarded packet
-	dropReasonGone                               // destination tailscaled disconnected before we could send
+	dropReasonGoneDisconnected                   // destination tailscaled disconnected before we could send
 	dropReasonQueueHead                          // destination queue is full, dropped packet at queue head
 	dropReasonQueueTail                          // destination queue is full, dropped packet at queue tail
 	dropReasonWriteError                         // OS write() failed
@@ -991,7 +1024,8 @@ const (
 func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, reason dropReason) {
 	s.packetsDropped.Add(1)
 	s.packetsDroppedReasonCounters[reason].Add(1)
-	if disco.LooksLikeDiscoWrapper(packetBytes) {
+	looksDisco := disco.LooksLikeDiscoWrapper(packetBytes)
+	if looksDisco {
 		s.packetsDroppedTypeDisco.Add(1)
 	} else {
 		s.packetsDroppedTypeOther.Add(1)
@@ -1004,9 +1038,7 @@ func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, r
 		msg := fmt.Sprintf("drop (%s) %s -> %s", srcKey.ShortString(), reason, dstKey.ShortString())
 		s.limitedLogf(msg)
 	}
-	if s.debug {
-		s.logf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, disco.LooksLikeDiscoWrapper(packetBytes))
-	}
+	s.debugLogf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, looksDisco)
 }
 
 func (c *sclient) sendPkt(dst *sclient, p pkt) error {
@@ -1023,14 +1055,14 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 	for attempt := 0; attempt < 3; attempt++ {
 		select {
 		case <-dst.done:
-			s.recordDrop(p.bs, c.key, dstKey, dropReasonGone)
-			dst.debug("sendPkt attempt %d dropped, dst gone", attempt)
+			s.recordDrop(p.bs, c.key, dstKey, dropReasonGoneDisconnected)
+			dst.debugLogf("sendPkt attempt %d dropped, dst gone", attempt)
 			return nil
 		default:
 		}
 		select {
 		case sendQueue <- p:
-			dst.debug("sendPkt attempt %d enqueued", attempt)
+			dst.debugLogf("sendPkt attempt %d enqueued", attempt)
 			return nil
 		default:
 		}
@@ -1046,17 +1078,20 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 	// contended queue with racing writers. Give up and tail-drop in
 	// this case to keep reader unblocked.
 	s.recordDrop(p.bs, c.key, dstKey, dropReasonQueueTail)
-	dst.debug("sendPkt attempt %d dropped, queue full")
+	dst.debugLogf("sendPkt attempt %d dropped, queue full")
 
 	return nil
 }
 
 // requestPeerGoneWrite sends a request to write a "peer gone" frame
-// that the provided peer has disconnected. It blocks until either the
+// with an explanation of why it is gone. It blocks until either the
 // write request is scheduled, or the client has closed.
-func (c *sclient) requestPeerGoneWrite(peer key.NodePublic) {
+func (c *sclient) requestPeerGoneWrite(peer key.NodePublic, reason PeerGoneReasonType) {
 	select {
-	case c.peerGone <- peer:
+	case c.peerGone <- peerGoneMsg{
+		peer:   peer,
+		reason: reason,
+	}:
 	case <-c.done:
 	}
 }
@@ -1270,24 +1305,18 @@ type sclient struct {
 	key            key.NodePublic
 	info           clientInfo
 	logf           logger.Logf
-	done           <-chan struct{}     // closed when connection closes
-	remoteAddr     string              // usually ip:port from net.Conn.RemoteAddr().String()
-	remoteIPPort   netip.AddrPort      // zero if remoteAddr is not ip:port.
-	sendQueue      chan pkt            // packets queued to this client; never closed
-	discoSendQueue chan pkt            // important packets queued to this client; never closed
-	sendPongCh     chan [8]byte        // pong replies to send to the client; never closed
-	peerGone       chan key.NodePublic // write request that a previous sender has disconnected (not used by mesh peers)
-	meshUpdate     chan struct{}       // write request to write peerStateChange
-	canMesh        bool                // clientInfo had correct mesh token for inter-region routing
-	isDup          atomic.Bool         // whether more than 1 sclient for key is connected
-	isDisabled     atomic.Bool         // whether sends to this peer are disabled due to active/active dups
-
-	debugLogging bool
-
-	// replaceLimiter controls how quickly two connections with
-	// the same client key can kick each other off the server by
-	// taking over ownership of a key.
-	replaceLimiter *rate.Limiter
+	done           <-chan struct{}  // closed when connection closes
+	remoteAddr     string           // usually ip:port from net.Conn.RemoteAddr().String()
+	remoteIPPort   netip.AddrPort   // zero if remoteAddr is not ip:port.
+	sendQueue      chan pkt         // packets queued to this client; never closed
+	discoSendQueue chan pkt         // important packets queued to this client; never closed
+	sendPongCh     chan [8]byte     // pong replies to send to the client; never closed
+	peerGone       chan peerGoneMsg // write request that a peer is not at this server (not used by mesh peers)
+	meshUpdate     chan struct{}    // write request to write peerStateChange
+	canMesh        bool             // clientInfo had correct mesh token for inter-region routing
+	isDup          atomic.Bool      // whether more than 1 sclient for key is connected
+	isDisabled     atomic.Bool      // whether sends to this peer are disabled due to active/active dups
+	debug          bool             // turn on for verbose logging
 
 	// Owned by run, not thread-safe.
 	br          *bufio.Reader
@@ -1304,6 +1333,11 @@ type sclient struct {
 	// the client for them to update their map of who's connected
 	// to this node.
 	peerStateChange []peerConnState
+
+	// peerGoneLimiter limits how often the server will inform a
+	// client that it's trying to establish a direct connection
+	// through us with a peer we have no record of.
+	peerGoneLim *rate.Limiter
 }
 
 // peerConnState represents whether a peer is connected to the server
@@ -1327,6 +1361,12 @@ type pkt struct {
 	bs []byte
 }
 
+// peerGoneMsg is a request to write a peerGone frame to an sclient
+type peerGoneMsg struct {
+	peer   key.NodePublic
+	reason PeerGoneReasonType
+}
+
 func (c *sclient) setPreferred(v bool) {
 	if c.preferred == v {
 		return
@@ -1381,9 +1421,9 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		for {
 			select {
 			case pkt := <-c.sendQueue:
-				c.s.recordDrop(pkt.bs, pkt.src, c.key, dropReasonGone)
+				c.s.recordDrop(pkt.bs, pkt.src, c.key, dropReasonGoneDisconnected)
 			case pkt := <-c.discoSendQueue:
-				c.s.recordDrop(pkt.bs, pkt.src, c.key, dropReasonGone)
+				c.s.recordDrop(pkt.bs, pkt.src, c.key, dropReasonGoneDisconnected)
 			default:
 				return
 			}
@@ -1404,8 +1444,8 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		select {
 		case <-ctx.Done():
 			return nil
-		case peer := <-c.peerGone:
-			werr = c.sendPeerGone(peer)
+		case msg := <-c.peerGone:
+			werr = c.sendPeerGone(msg.peer, msg.reason)
 			continue
 		case <-c.meshUpdate:
 			werr = c.sendMeshUpdates()
@@ -1436,8 +1476,8 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		select {
 		case <-ctx.Done():
 			return nil
-		case peer := <-c.peerGone:
-			werr = c.sendPeerGone(peer)
+		case msg := <-c.peerGone:
+			werr = c.sendPeerGone(msg.peer, msg.reason)
 		case <-c.meshUpdate:
 			werr = c.sendMeshUpdates()
 			continue
@@ -1478,13 +1518,22 @@ func (c *sclient) sendPong(data [8]byte) error {
 }
 
 // sendPeerGone sends a peerGone frame, without flushing.
-func (c *sclient) sendPeerGone(peer key.NodePublic) error {
-	c.s.peerGoneFrames.Add(1)
+func (c *sclient) sendPeerGone(peer key.NodePublic, reason PeerGoneReasonType) error {
+	switch reason {
+	case PeerGoneReasonDisconnected:
+		c.s.peerGoneDisconnectedFrames.Add(1)
+	case PeerGoneReasonNotHere:
+		c.s.peerGoneNotHereFrames.Add(1)
+	}
 	c.setWriteDeadline()
-	if err := writeFrameHeader(c.bw.bw(), framePeerGone, keyLen); err != nil {
+	data := make([]byte, 0, keyLen+1)
+	data = peer.AppendTo(data)
+	data = append(data, byte(reason))
+	if err := writeFrameHeader(c.bw.bw(), framePeerGone, uint32(len(data))); err != nil {
 		return err
 	}
-	_, err := c.bw.Write(peer.AppendTo(nil))
+
+	_, err := c.bw.Write(data)
 	return err
 }
 
@@ -1515,7 +1564,7 @@ func (c *sclient) sendMeshUpdates() error {
 		if pcs.present {
 			err = c.sendPeerPresent(pcs.peer)
 		} else {
-			err = c.sendPeerGone(pcs.peer)
+			err = c.sendPeerGone(pcs.peer, PeerGoneReasonDisconnected)
 		}
 		if err != nil {
 			// Shouldn't happen, though, as we're writing
@@ -1555,7 +1604,7 @@ func (c *sclient) sendPacket(srcKey key.NodePublic, contents []byte) (err error)
 			c.s.packetsSent.Add(1)
 			c.s.bytesSent.Add(int64(len(contents)))
 		}
-		c.debug("sendPacket from %s: %v", srcKey.ShortString(), err)
+		c.debugLogf("sendPacket from %s: %v", srcKey.ShortString(), err)
 	}()
 
 	c.setWriteDeadline()
@@ -1756,7 +1805,8 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("home_moves_out", &s.homeMovesOut)
 	m.Set("got_ping", &s.gotPing)
 	m.Set("sent_pong", &s.sentPong)
-	m.Set("peer_gone_frames", &s.peerGoneFrames)
+	m.Set("peer_gone_disconnected_frames", &s.peerGoneDisconnectedFrames)
+	m.Set("peer_gone_not_here_frames", &s.peerGoneNotHereFrames)
 	m.Set("packets_forwarded_out", &s.packetsForwardedOut)
 	m.Set("packets_forwarded_in", &s.packetsForwardedIn)
 	m.Set("multiforwarder_created", &s.multiForwarderCreated)

derp/derp_test.go

@@ -25,6 +25,7 @@ import (
 
 	"go4.org/mem"
 	"golang.org/x/time/rate"
+	"tailscale.com/disco"
 	"tailscale.com/net/memnet"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -105,7 +106,8 @@ func TestSendRecv(t *testing.T) {
 		t.Logf("Connected client %d.", i)
 	}
 
-	var peerGoneCount expvar.Int
+	var peerGoneCountDisconnected expvar.Int
+	var peerGoneCountNotHere expvar.Int
 
 	t.Logf("Starting read loops")
 	for i := 0; i < numClients; i++ {
@@ -121,7 +123,14 @@ func TestSendRecv(t *testing.T) {
 					t.Errorf("unexpected message type %T", m)
 					continue
 				case PeerGoneMessage:
-					peerGoneCount.Add(1)
+					switch m.Reason {
+					case PeerGoneReasonDisconnected:
+						peerGoneCountDisconnected.Add(1)
+					case PeerGoneReasonNotHere:
+						peerGoneCountNotHere.Add(1)
+					default:
+						t.Errorf("unexpected PeerGone reason %v", m.Reason)
+					}
 				case ReceivedPacket:
 					if m.Source.IsZero() {
 						t.Errorf("zero Source address in ReceivedPacket")
@@ -171,7 +180,19 @@ func TestSendRecv(t *testing.T) {
 		var got int64
 		dl := time.Now().Add(5 * time.Second)
 		for time.Now().Before(dl) {
-			if got = peerGoneCount.Value(); got == want {
+			if got = peerGoneCountDisconnected.Value(); got == want {
+				return
+			}
+		}
+		t.Errorf("peer gone count = %v; want %v", got, want)
+	}
+
+	wantUnknownPeers := func(want int64) {
+		t.Helper()
+		var got int64
+		dl := time.Now().Add(5 * time.Second)
+		for time.Now().Before(dl) {
+			if got = peerGoneCountNotHere.Value(); got == want {
 				return
 			}
 		}
@@ -194,6 +215,30 @@ func TestSendRecv(t *testing.T) {
 	recvNothing(0)
 	recvNothing(1)
 
+	// Send messages to a non-existent node
+	neKey := key.NewNode().Public()
+	msg4 := []byte("not a CallMeMaybe->unknown destination\n")
+	if err := clients[1].Send(neKey, msg4); err != nil {
+		t.Fatal(err)
+	}
+	wantUnknownPeers(0)
+
+	callMe := neKey.AppendTo([]byte(disco.Magic))
+	callMeHeader := make([]byte, disco.NonceLen)
+	callMe = append(callMe, callMeHeader...)
+	if err := clients[1].Send(neKey, callMe); err != nil {
+		t.Fatal(err)
+	}
+	wantUnknownPeers(1)
+
+	// PeerGoneNotHere is rate-limited to 3 times a second
+	for i := 0; i < 5; i++ {
+		if err := clients[1].Send(neKey, callMe); err != nil {
+			t.Fatal(err)
+		}
+	}
+	wantUnknownPeers(3)
+
 	wantActive(3, 0)
 	clients[0].NotePreferred(true)
 	wantActive(3, 1)
@@ -595,10 +640,14 @@ func (tc *testClient) wantGone(t *testing.T, peer key.NodePublic) {
 	}
 	switch m := m.(type) {
 	case PeerGoneMessage:
-		got := key.NodePublic(m)
+		got := key.NodePublic(m.Peer)
 		if peer != got {
 			t.Errorf("got gone message for %v; want gone for %v", tc.ts.keyName(got), tc.ts.keyName(peer))
 		}
+		reason := m.Reason
+		if reason != PeerGoneReasonDisconnected {
+			t.Errorf("got gone message for reason %v; wanted %v", reason, PeerGoneReasonDisconnected)
+		}
 	default:
 		t.Fatalf("unexpected message type %T", m)
 	}

derp/derphttp/derphttp_client.go

@@ -31,6 +31,7 @@ import (
 	"tailscale.com/derp"
 	"tailscale.com/envknob"
 	"tailscale.com/net/dnscache"
+	"tailscale.com/net/netmon"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/sockstats"
 	"tailscale.com/net/tlsdial"
@@ -55,6 +56,7 @@ type Client struct {
 
 	privateKey key.NodePrivate
 	logf       logger.Logf
+	netMon     *netmon.Monitor // optional; nil means interfaces will be looked up on-demand
 	dialer     func(ctx context.Context, network, addr string) (net.Conn, error)
 
 	// Either url or getRegion is non-nil:
@@ -88,11 +90,13 @@ func (c *Client) String() string {
 
 // NewRegionClient returns a new DERP-over-HTTP client. It connects lazily.
 // To trigger a connection, use Connect.
-func NewRegionClient(privateKey key.NodePrivate, logf logger.Logf, getRegion func() *tailcfg.DERPRegion) *Client {
+// The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
+func NewRegionClient(privateKey key.NodePrivate, logf logger.Logf, netMon *netmon.Monitor, getRegion func() *tailcfg.DERPRegion) *Client {
 	ctx, cancel := context.WithCancel(context.Background())
 	c := &Client{
 		privateKey: privateKey,
 		logf:       logf,
+		netMon:     netMon,
 		getRegion:  getRegion,
 		ctx:        ctx,
 		cancelCtx:  cancel,
@@ -174,6 +178,10 @@ func urlPort(u *url.URL) string {
 	return ""
 }
 
+// debugDERPUseHTTP tells clients to connect to DERP via HTTP on port
+// 3340 instead of HTTPS on 443.
+var debugUseDERPHTTP = envknob.RegisterBool("TS_DEBUG_USE_DERP_HTTP")
+
 func (c *Client) targetString(reg *tailcfg.DERPRegion) string {
 	if c.url != nil {
 		return c.url.String()
@@ -185,6 +193,10 @@ func (c *Client) useHTTPS() bool {
 	if c.url != nil && c.url.Scheme == "http" {
 		return false
 	}
+	if debugUseDERPHTTP() {
+		return false
+	}
+
 	return true
 }
 
@@ -200,7 +212,11 @@ func (c *Client) urlString(node *tailcfg.DERPNode) string {
 	if c.url != nil {
 		return c.url.String()
 	}
-	return fmt.Sprintf("https://%s/derp", node.HostName)
+	proto := "https"
+	if debugUseDERPHTTP() {
+		proto = "http"
+	}
+	return fmt.Sprintf("%s://%s/derp", proto, node.HostName)
 }
 
 // AddressFamilySelector decides whether IPv6 is preferred for
@@ -480,7 +496,7 @@ func (c *Client) dialURL(ctx context.Context) (net.Conn, error) {
 		return c.dialer(ctx, "tcp", net.JoinHostPort(host, urlPort(c.url)))
 	}
 	hostOrIP := host
-	dialer := netns.NewDialer(c.logf)
+	dialer := netns.NewDialer(c.logf, c.netMon)
 
 	if c.DNSCache != nil {
 		ip, _, _, err := c.DNSCache.LookupIP(ctx, host)
@@ -575,7 +591,7 @@ func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tl
 }
 
 func (c *Client) dialContext(ctx context.Context, proto, addr string) (net.Conn, error) {
-	return netns.NewDialer(c.logf).DialContext(ctx, proto, addr)
+	return netns.NewDialer(c.logf, c.netMon).DialContext(ctx, proto, addr)
 }
 
 // shouldDialProto reports whether an explicitly provided IPv4 or IPv6
@@ -620,7 +636,7 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 	ctx, cancel := context.WithTimeout(ctx, dialNodeTimeout)
 	defer cancel()
 
-	ctx = sockstats.WithSockStats(ctx, sockstats.LabelDERPHTTPClient)
+	ctx = sockstats.WithSockStats(ctx, sockstats.LabelDERPHTTPClient, c.logf)
 
 	nwait := 0
 	startDial := func(dstPrimary, proto string) {

derp/derphttp/mesh_client.go

@@ -128,7 +128,17 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 			case derp.PeerPresentMessage:
 				updatePeer(key.NodePublic(m), true)
 			case derp.PeerGoneMessage:
-				updatePeer(key.NodePublic(m), false)
+				switch m.Reason {
+				case derp.PeerGoneReasonDisconnected:
+					// Normal case, log nothing
+				case derp.PeerGoneReasonNotHere:
+					logf("Recv: peer %s not connected to %s",
+						key.NodePublic(m.Peer).ShortString(), c.ServerPublicKey().ShortString())
+				default:
+					logf("Recv: peer %s not at server %s for unknown reason %v",
+						key.NodePublic(m.Peer).ShortString(), c.ServerPublicKey().ShortString(), m.Reason)
+				}
+				updatePeer(key.NodePublic(m.Peer), false)
 			default:
 				continue
 			}

derp/dropreason_string.go

@@ -13,16 +13,16 @@ func _() {
 	var x [1]struct{}
 	_ = x[dropReasonUnknownDest-0]
 	_ = x[dropReasonUnknownDestOnFwd-1]
-	_ = x[dropReasonGone-2]
+	_ = x[dropReasonGoneDisconnected-2]
 	_ = x[dropReasonQueueHead-3]
 	_ = x[dropReasonQueueTail-4]
 	_ = x[dropReasonWriteError-5]
 	_ = x[dropReasonDupClient-6]
 }
 
-const _dropReason_name = "UnknownDestUnknownDestOnFwdGoneQueueHeadQueueTailWriteErrorDupClient"
+const _dropReason_name = "UnknownDestUnknownDestOnFwdGoneDisconnectedQueueHeadQueueTailWriteErrorDupClient"
 
-var _dropReason_index = [...]uint8{0, 11, 27, 31, 40, 49, 59, 68}
+var _dropReason_index = [...]uint8{0, 11, 27, 43, 52, 61, 71, 80}
 
 func (i dropReason) String() string {
 	if i < 0 || i >= dropReason(len(_dropReason_index)-1) {

doctor/permissions/permissions.go

@@ -0,0 +1,56 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package permissions provides a doctor.Check that prints the process
+// permissions for the running process.
+package permissions
+
+import (
+	"context"
+	"fmt"
+	"os/user"
+	"strings"
+
+	"golang.org/x/exp/constraints"
+	"tailscale.com/types/logger"
+)
+
+// Check implements the doctor.Check interface.
+type Check struct{}
+
+func (Check) Name() string {
+	return "permissions"
+}
+
+func (Check) Run(_ context.Context, logf logger.Logf) error {
+	return permissionsImpl(logf)
+}
+
+func formatUserID[T constraints.Integer](id T) string {
+	idStr := fmt.Sprint(id)
+	if uu, err := user.LookupId(idStr); err != nil {
+		return idStr + "(<unknown>)"
+	} else {
+		return fmt.Sprintf("%s(%q)", idStr, uu.Username)
+	}
+}
+
+func formatGroupID[T constraints.Integer](id T) string {
+	idStr := fmt.Sprint(id)
+	if g, err := user.LookupGroupId(idStr); err != nil {
+		return idStr + "(<unknown>)"
+	} else {
+		return fmt.Sprintf("%s(%q)", idStr, g.Name)
+	}
+}
+
+func formatGroups[T constraints.Integer](groups []T) string {
+	var buf strings.Builder
+	for i, group := range groups {
+		if i > 0 {
+			buf.WriteByte(',')
+		}
+		buf.WriteString(formatGroupID(group))
+	}
+	return buf.String()
+}

doctor/permissions/permissions_bsd.go

@@ -0,0 +1,23 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build darwin || freebsd || openbsd
+
+package permissions
+
+import (
+	"golang.org/x/sys/unix"
+	"tailscale.com/types/logger"
+)
+
+func permissionsImpl(logf logger.Logf) error {
+	groups, _ := unix.Getgroups()
+	logf("uid=%s euid=%s gid=%s egid=%s groups=%s",
+		formatUserID(unix.Getuid()),
+		formatUserID(unix.Geteuid()),
+		formatGroupID(unix.Getgid()),
+		formatGroupID(unix.Getegid()),
+		formatGroups(groups),
+	)
+	return nil
+}

doctor/permissions/permissions_linux.go

@@ -0,0 +1,62 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux
+
+package permissions
+
+import (
+	"fmt"
+	"strings"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+	"tailscale.com/types/logger"
+)
+
+func permissionsImpl(logf logger.Logf) error {
+	// NOTE: getresuid and getresgid never fail unless passed an
+	// invalid address.
+	var ruid, euid, suid uint64
+	unix.Syscall(unix.SYS_GETRESUID,
+		uintptr(unsafe.Pointer(&ruid)),
+		uintptr(unsafe.Pointer(&euid)),
+		uintptr(unsafe.Pointer(&suid)),
+	)
+
+	var rgid, egid, sgid uint64
+	unix.Syscall(unix.SYS_GETRESGID,
+		uintptr(unsafe.Pointer(&rgid)),
+		uintptr(unsafe.Pointer(&egid)),
+		uintptr(unsafe.Pointer(&sgid)),
+	)
+
+	groups, _ := unix.Getgroups()
+
+	var buf strings.Builder
+	fmt.Fprintf(&buf, "ruid=%s euid=%s suid=%s rgid=%s egid=%s sgid=%s groups=%s",
+		formatUserID(ruid), formatUserID(euid), formatUserID(suid),
+		formatGroupID(rgid), formatGroupID(egid), formatGroupID(sgid),
+		formatGroups(groups),
+	)
+
+	// Get process capabilities
+	var (
+		capHeader = unix.CapUserHeader{
+			Version: unix.LINUX_CAPABILITY_VERSION_3,
+			Pid:     0, // 0 means 'ourselves'
+		}
+		capData unix.CapUserData
+	)
+
+	if err := unix.Capget(&capHeader, &capData); err != nil {
+		fmt.Fprintf(&buf, " caperr=%v", err)
+	} else {
+		fmt.Fprintf(&buf, " cap_effective=%08x cap_permitted=%08x cap_inheritable=%08x",
+			capData.Effective, capData.Permitted, capData.Inheritable,
+		)
+	}
+
+	logf("%s", buf.String())
+	return nil
+}

doctor/permissions/permissions_other.go

@@ -0,0 +1,17 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !(linux || darwin || freebsd || openbsd)
+
+package permissions
+
+import (
+	"runtime"
+
+	"tailscale.com/types/logger"
+)
+
+func permissionsImpl(logf logger.Logf) error {
+	logf("unsupported on %s/%s", runtime.GOOS, runtime.GOARCH)
+	return nil
+}

doctor/permissions/permissions_test.go

@@ -0,0 +1,12 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package permissions
+
+import "testing"
+
+func TestPermissionsImpl(t *testing.T) {
+	if err := permissionsImpl(t.Logf); err != nil {
+		t.Error(err)
+	}
+}

envknob/envknob.go

@@ -330,6 +330,46 @@ func LookupInt(envVar string) (v int, ok bool) {
 	panic("unreachable")
 }
 
+// LookupIntSized returns the integer value of the named environment value
+// parsed in base and with a maximum bit size bitSize.
+// The ok result is whether a value was set.
+// If the value isn't a valid int, it exits the program with a failure.
+func LookupIntSized(envVar string, base, bitSize int) (v int, ok bool) {
+	assertNotInInit()
+	val := os.Getenv(envVar)
+	if val == "" {
+		return 0, false
+	}
+	i, err := strconv.ParseInt(val, base, bitSize)
+	if err == nil {
+		v = int(i)
+		noteEnv(envVar, val)
+		return v, true
+	}
+	log.Fatalf("invalid integer environment variable %s: %v", envVar, val)
+	panic("unreachable")
+}
+
+// LookupUintSized returns the unsigned integer value of the named environment
+// value parsed in base and with a maximum bit size bitSize.
+// The ok result is whether a value was set.
+// If the value isn't a valid int, it exits the program with a failure.
+func LookupUintSized(envVar string, base, bitSize int) (v uint, ok bool) {
+	assertNotInInit()
+	val := os.Getenv(envVar)
+	if val == "" {
+		return 0, false
+	}
+	i, err := strconv.ParseUint(val, base, bitSize)
+	if err == nil {
+		v = uint(i)
+		noteEnv(envVar, val)
+		return v, true
+	}
+	log.Fatalf("invalid unsigned integer environment variable %s: %v", envVar, val)
+	panic("unreachable")
+}
+
 // UseWIPCode is whether TAILSCALE_USE_WIP_CODE is set to permit use
 // of Work-In-Progress code.
 func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }
@@ -417,13 +457,24 @@ var applyDiskConfigErr error
 // ApplyDiskConfigError returns the most recent result of ApplyDiskConfig.
 func ApplyDiskConfigError() error { return applyDiskConfigErr }
 
-// ApplyDiskConfig returns a platform-specific config file of environment keys/values and
-// applies them. On Linux and Unix operating systems, it's a no-op and always returns nil.
-// If no platform-specific config file is found, it also returns nil.
+// ApplyDiskConfig returns a platform-specific config file of environment
+// keys/values and applies them. On Linux and Unix operating systems, it's a
+// no-op and always returns nil. If no platform-specific config file is found,
+// it also returns nil.
+//
+// It exists primarily for Windows and macOS to make it easy to apply
+// environment variables to a running service in a way similar to modifying
+// /etc/default/tailscaled on Linux.
 //
-// It exists primarily for Windows to make it easy to apply environment variables to
-// a running service in a way similar to modifying /etc/default/tailscaled on Linux.
 // On Windows, you use %ProgramData%\Tailscale\tailscaled-env.txt instead.
+//
+// On macOS, use one of:
+//
+//   - ~/Library/Containers/io.tailscale.ipn.macsys/Data/tailscaled-env.txt
+//     for standalone macOS GUI builds
+//   - ~/Library/Containers/io.tailscale.ipn.macos.network-extension/Data/tailscaled-env.txt
+//     for App Store builds
+//   - /etc/tailscale/tailscaled-env.txt for tailscaled-on-macOS (homebrew, etc)
 func ApplyDiskConfig() (err error) {
 	var f *os.File
 	defer func() {
@@ -472,9 +523,15 @@ func getPlatformEnvFile() string {
 			return "/etc/tailscale/tailscaled-env.txt"
 		}
 	case "darwin":
-		// TODO(bradfitz): figure this out. There are three ways to run
-		// Tailscale on macOS (tailscaled, GUI App Store, GUI System Extension)
-		// and we should deal with all three.
+		if version.IsSandboxedMacOS() { // the two GUI variants (App Store or separate download)
+			// This will be user-visible as ~/Library/Containers/$VARIANT/Data/tailscaled-env.txt
+			// where $VARIANT is "io.tailscale.ipn.macsys" for macsys (downloadable mac GUI builds)
+			// or "io.tailscale.ipn.macos.network-extension" for App Store builds.
+			return filepath.Join(os.Getenv("HOME"), "tailscaled-env.txt")
+		} else {
+			// Open source / homebrew variable, running tailscaled-on-macOS.
+			return "/etc/tailscale/tailscaled-env.txt"
+		}
 	}
 	return ""
 }

envknob/logknob/logknob.go

@@ -0,0 +1,84 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package logknob provides a helpful wrapper that allows enabling logging
+// based on either an envknob or other methods of enablement.
+package logknob
+
+import (
+	"sync/atomic"
+
+	"golang.org/x/exp/slices"
+	"tailscale.com/envknob"
+	"tailscale.com/types/logger"
+)
+
+// TODO(andrew-d): should we have a package-global registry of logknobs? It
+// would allow us to update from a netmap in a central location, which might be
+// reason enough to do it...
+
+// LogKnob allows configuring verbose logging, with multiple ways to enable. It
+// supports enabling logging via envknob, via atomic boolean (for use in e.g.
+// c2n log level changes), and via capabilities from a NetMap (so users can
+// enable logging via the ACL JSON).
+type LogKnob struct {
+	capName string
+	cap     atomic.Bool
+	env     func() bool
+	manual  atomic.Bool
+}
+
+// NewLogKnob creates a new LogKnob, with the provided environment variable
+// name and/or NetMap capability.
+func NewLogKnob(env, cap string) *LogKnob {
+	if env == "" && cap == "" {
+		panic("must provide either an environment variable or capability")
+	}
+
+	lk := &LogKnob{
+		capName: cap,
+	}
+	if env != "" {
+		lk.env = envknob.RegisterBool(env)
+	} else {
+		lk.env = func() bool { return false }
+	}
+	return lk
+}
+
+// Set will cause logs to be printed when called with Set(true). When called
+// with Set(false), logs will not be printed due to an earlier call of
+// Set(true), but may be printed due to either the envknob and/or capability of
+// this LogKnob.
+func (lk *LogKnob) Set(v bool) {
+	lk.manual.Store(v)
+}
+
+// NetMap is an interface for the parts of netmap.NetworkMap that we care
+// about; we use this rather than a concrete type to avoid a circular
+// dependency.
+type NetMap interface {
+	SelfCapabilities() []string
+}
+
+// UpdateFromNetMap will enable logging if the SelfNode in the provided NetMap
+// contains the capability provided for this LogKnob.
+func (lk *LogKnob) UpdateFromNetMap(nm NetMap) {
+	if lk.capName == "" {
+		return
+	}
+
+	lk.cap.Store(slices.Contains(nm.SelfCapabilities(), lk.capName))
+}
+
+// Do will call log with the provided format and arguments if any of the
+// configured methods for enabling logging are true.
+func (lk *LogKnob) Do(log logger.Logf, format string, args ...any) {
+	if lk.shouldLog() {
+		log(format, args...)
+	}
+}
+
+func (lk *LogKnob) shouldLog() bool {
+	return lk.manual.Load() || lk.env() || lk.cap.Load()
+}

envknob/logknob/logknob_test.go

@@ -0,0 +1,102 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package logknob
+
+import (
+	"bytes"
+	"fmt"
+	"testing"
+
+	"tailscale.com/envknob"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/netmap"
+)
+
+var testKnob = NewLogKnob(
+	"TS_TEST_LOGKNOB",
+	"https://tailscale.com/cap/testing",
+)
+
+// Static type assertion for our interface type.
+var _ NetMap = &netmap.NetworkMap{}
+
+func TestLogKnob(t *testing.T) {
+	t.Run("Default", func(t *testing.T) {
+		if testKnob.shouldLog() {
+			t.Errorf("expected default shouldLog()=false")
+		}
+		assertNoLogs(t)
+	})
+	t.Run("Manual", func(t *testing.T) {
+		t.Cleanup(func() { testKnob.Set(false) })
+
+		assertNoLogs(t)
+		testKnob.Set(true)
+		if !testKnob.shouldLog() {
+			t.Errorf("expected shouldLog()=true")
+		}
+		assertLogs(t)
+	})
+	t.Run("Env", func(t *testing.T) {
+		t.Cleanup(func() {
+			envknob.Setenv("TS_TEST_LOGKNOB", "")
+		})
+
+		assertNoLogs(t)
+		if testKnob.shouldLog() {
+			t.Errorf("expected default shouldLog()=false")
+		}
+
+		envknob.Setenv("TS_TEST_LOGKNOB", "true")
+		if !testKnob.shouldLog() {
+			t.Errorf("expected shouldLog()=true")
+		}
+		assertLogs(t)
+	})
+	t.Run("NetMap", func(t *testing.T) {
+		t.Cleanup(func() { testKnob.cap.Store(false) })
+
+		assertNoLogs(t)
+		if testKnob.shouldLog() {
+			t.Errorf("expected default shouldLog()=false")
+		}
+
+		testKnob.UpdateFromNetMap(&netmap.NetworkMap{
+			SelfNode: &tailcfg.Node{
+				Capabilities: []string{
+					"https://tailscale.com/cap/testing",
+				},
+			},
+		})
+		if !testKnob.shouldLog() {
+			t.Errorf("expected shouldLog()=true")
+		}
+		assertLogs(t)
+	})
+}
+
+func assertLogs(t *testing.T) {
+	var buf bytes.Buffer
+	logf := func(format string, args ...any) {
+		fmt.Fprintf(&buf, format, args...)
+	}
+
+	testKnob.Do(logf, "hello %s", "world")
+	const want = "hello world"
+	if got := buf.String(); got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+func assertNoLogs(t *testing.T) {
+	var buf bytes.Buffer
+	logf := func(format string, args ...any) {
+		fmt.Fprintf(&buf, format, args...)
+	}
+
+	testKnob.Do(logf, "hello %s", "world")
+	if got := buf.String(); got != "" {
+		t.Errorf("expected no logs, but got: %q", got)
+	}
+}

flake.nix

@@ -115,4 +115,4 @@
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-LIvaxSo+4LuHUk8DIZ27IaRQwaDnjW6Jwm5AEc/V95A=
+# nix-direnv cache busting line: sha256-l2uIma2oEdSN0zVo9BOFJF2gC3S60vXwTLVadv8yQPo=

go.mod

@@ -3,198 +3,207 @@ module tailscale.com
 go 1.20
 
 require (
-	filippo.io/mkcert v1.4.3
-	github.com/Microsoft/go-winio v0.6.0
+	filippo.io/mkcert v1.4.4
+	github.com/Microsoft/go-winio v0.6.1
 	github.com/akutz/memconn v0.1.0
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
-	github.com/andybalholm/brotli v1.0.3
+	github.com/andybalholm/brotli v1.0.5
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
-	github.com/aws/aws-sdk-go-v2 v1.17.3
-	github.com/aws/aws-sdk-go-v2/config v1.11.0
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.7.4
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.21.0
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.35.0
+	github.com/aws/aws-sdk-go-v2 v1.18.0
+	github.com/aws/aws-sdk-go-v2/config v1.18.22
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.64
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.33.0
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.36.3
 	github.com/coreos/go-iptables v0.6.0
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
-	github.com/creack/pty v1.1.17
-	github.com/dave/jennifer v1.4.1
-	github.com/dblohm7/wingoes v0.0.0-20221124203957-6ac47ab19aa5
+	github.com/creack/pty v1.1.18
+	github.com/dave/jennifer v1.6.1
+	github.com/dblohm7/wingoes v0.0.0-20230426155039-111c8c3b57c8
 	github.com/dsnet/try v0.0.3
 	github.com/evanw/esbuild v0.14.53
-	github.com/frankban/quicktest v1.14.0
+	github.com/frankban/quicktest v1.14.5
 	github.com/fxamacker/cbor/v2 v2.4.0
-	github.com/go-json-experiment/json v0.0.0-20221017203807-c5ed296b8c92
-	github.com/go-logr/zapr v1.2.3
+	github.com/go-json-experiment/json v0.0.0-20230321051131-ccbac49a6929
+	github.com/go-logr/zapr v1.2.4
 	github.com/go-ole/go-ole v1.2.6
-	github.com/godbus/dbus/v5 v5.0.6
+	github.com/godbus/dbus/v5 v5.1.0
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
+	github.com/golangci/golangci-lint v1.52.2
 	github.com/google/go-cmp v0.5.9
-	github.com/google/go-containerregistry v0.9.0
+	github.com/google/go-containerregistry v0.14.0
 	github.com/google/nftables v0.1.1-0.20230115205135-9aa6fdf5a28c
 	github.com/google/uuid v1.3.0
 	github.com/goreleaser/nfpm v1.10.3
-	github.com/hdevalence/ed25519consensus v0.0.0-20220222234857-c00d1f31bab3
+	github.com/hdevalence/ed25519consensus v0.1.0
 	github.com/iancoleman/strcase v0.2.0
 	github.com/illarion/gonotify v1.0.1
-	github.com/insomniacslk/dhcp v0.0.0-20221215072855-de60144f33f8
+	github.com/insomniacslk/dhcp v0.0.0-20230407062729-974c6f05fe16
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
-	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b
+	github.com/jsimonetti/rtnetlink v1.3.2
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.15.4
+	github.com/klauspost/compress v1.16.5
 	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a
-	github.com/mattn/go-colorable v0.1.12
-	github.com/mattn/go-isatty v0.0.14
-	github.com/mdlayher/genetlink v1.2.0
-	github.com/mdlayher/netlink v1.7.1
+	github.com/mattn/go-colorable v0.1.13
+	github.com/mattn/go-isatty v0.0.18
+	github.com/mdlayher/genetlink v1.3.2
+	github.com/mdlayher/netlink v1.7.2
 	github.com/mdlayher/sdnotify v1.0.0
-	github.com/miekg/dns v1.1.43
+	github.com/miekg/dns v1.1.54
 	github.com/mitchellh/go-ps v1.0.0
-	github.com/peterbourgon/ff/v3 v3.1.2
+	github.com/peterbourgon/ff/v3 v3.3.0
 	github.com/pkg/errors v0.9.1
-	github.com/pkg/sftp v1.13.4
+	github.com/pkg/sftp v1.13.5
+	github.com/prometheus/client_golang v1.15.1
+	github.com/prometheus/common v0.42.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20221102133106-bc99ab8c2d17
+	github.com/tailscale/golang-x-crypto v0.0.0-20221115211329-17a3db2c30d2
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
-	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
+	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
-	github.com/tailscale/wireguard-go v0.0.0-20221219190806-4fa124729667
-	github.com/tc-hib/winres v0.1.6
+	github.com/tailscale/wireguard-go v0.0.0-20230410165232-af172621b4dd
+	github.com/tc-hib/winres v0.2.0
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
-	github.com/u-root/u-root v0.9.1-0.20230109201855-948a78c969ad
-	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
-	go.uber.org/zap v1.21.0
-	go4.org/mem v0.0.0-20210711025021-927187094b94
-	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf
-	golang.org/x/crypto v0.6.0
-	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db
-	golang.org/x/mod v0.7.0
-	golang.org/x/net v0.7.0
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
-	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.5.0
-	golang.org/x/term v0.5.0
-	golang.org/x/time v0.0.0-20220609170525-579cf78fd858
-	golang.org/x/tools v0.4.1-0.20221208213631-3f74d914ae6d
+	github.com/u-root/u-root v0.11.0
+	github.com/vishvananda/netlink v1.2.1-beta.2
+	go.uber.org/zap v1.24.0
+	go4.org/mem v0.0.0-20220726221520-4f986261bf13
+	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
+	golang.org/x/crypto v0.8.0
+	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53
+	golang.org/x/mod v0.10.0
+	golang.org/x/net v0.10.0
+	golang.org/x/oauth2 v0.7.0
+	golang.org/x/sync v0.2.0
+	golang.org/x/sys v0.8.0
+	golang.org/x/term v0.8.0
+	golang.org/x/time v0.3.0
+	golang.org/x/tools v0.9.1
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0
-	honnef.co/go/tools v0.4.0-0.dev.0.20230130122044-c30b15588105
+	gvisor.dev/gvisor v0.0.0-20230504175454-7b0a1988a28f
+	honnef.co/go/tools v0.4.3
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/tcpproxy v0.0.0-20221017015627-91f861402626
-	inet.af/wf v0.0.0-20220728202103-50d96caab2f6
-	k8s.io/api v0.25.0
-	k8s.io/apimachinery v0.25.0
-	k8s.io/client-go v0.25.0
+	inet.af/wf v0.0.0-20221017222439-36129f591884
+	k8s.io/api v0.27.2
+	k8s.io/apimachinery v0.27.2
+	k8s.io/client-go v0.27.2
 	nhooyr.io/websocket v1.8.7
-	sigs.k8s.io/controller-runtime v0.13.1
+	sigs.k8s.io/controller-runtime v0.15.0
 	sigs.k8s.io/yaml v1.3.0
 	software.sslmate.com/src/go-pkcs12 v0.2.0
 )
 
 require (
-	4d63.com/gochecknoglobals v0.1.0 // indirect
-	filippo.io/edwards25519 v1.0.0-rc.1 // indirect
-	github.com/Antonboom/errname v0.1.5 // indirect
-	github.com/Antonboom/nilnil v0.1.0 // indirect
+	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
+	4d63.com/gochecknoglobals v0.2.1 // indirect
+	filippo.io/edwards25519 v1.0.0 // indirect
+	github.com/Abirdcfly/dupword v0.0.11 // indirect
+	github.com/Antonboom/errname v0.1.9 // indirect
+	github.com/Antonboom/nilnil v0.1.4 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/Djarvur/go-err113 v0.1.0 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v2 v2.3.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
-	github.com/OpenPeeDeeP/depguard v1.0.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
+	github.com/OpenPeeDeeP/depguard v1.1.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230426101702-58e86b294756 // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
-	github.com/ashanbrown/forbidigo v1.2.0 // indirect
-	github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.6.4 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.5.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.9.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.11.1 // indirect
+	github.com/alingse/asasalint v0.0.11 // indirect
+	github.com/ashanbrown/forbidigo v1.5.1 // indirect
+	github.com/ashanbrown/makezero v1.1.1 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.25 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.10 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bkielbasa/cyclop v1.2.0 // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
-	github.com/blizzy78/varnamelen v0.5.0 // indirect
-	github.com/bombsimon/wsl/v3 v3.3.0 // indirect
-	github.com/breml/bidichk v0.2.1 // indirect
-	github.com/butuzov/ireturn v0.1.1 // indirect
-	github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/charithe/durationcheck v0.0.9 // indirect
-	github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af // indirect
-	github.com/cloudflare/circl v1.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
-	github.com/daixiang0/gci v0.2.9 // indirect
+	github.com/blizzy78/varnamelen v0.8.0 // indirect
+	github.com/bombsimon/wsl/v3 v3.4.0 // indirect
+	github.com/breml/bidichk v0.2.4 // indirect
+	github.com/breml/errchkjson v0.3.1 // indirect
+	github.com/butuzov/ireturn v0.2.0 // indirect
+	github.com/cavaliergopher/cpio v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/charithe/durationcheck v0.0.10 // indirect
+	github.com/chavacava/garif v0.0.0-20230227094218-b8c73b2037b8 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/curioswitch/go-reassign v0.2.0 // indirect
+	github.com/daixiang0/gci v0.10.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/denis-tingajkin/go-header v0.4.2 // indirect
-	github.com/docker/cli v20.10.16+incompatible // indirect
+	github.com/denis-tingaikin/go-header v0.4.3 // indirect
+	github.com/docker/cli v23.0.5+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v20.10.16+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.4 // indirect
-	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/esimonov/ifshort v1.0.3 // indirect
+	github.com/docker/docker v23.0.5+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/esimonov/ifshort v1.0.4 // indirect
 	github.com/ettle/strcase v0.1.1 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/color v1.15.0 // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
-	github.com/fzipp/gocyclo v0.3.1 // indirect
-	github.com/gliderlabs/ssh v0.3.3 // indirect
-	github.com/go-critic/go-critic v0.6.1 // indirect
+	github.com/firefart/nonamedreturns v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/fzipp/gocyclo v0.6.0 // indirect
+	github.com/go-critic/go-critic v0.8.0 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.3.1 // indirect
-	github.com/go-git/go-git/v5 v5.4.2 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/go-toolsmith/astcast v1.0.0 // indirect
-	github.com/go-toolsmith/astcopy v1.0.0 // indirect
-	github.com/go-toolsmith/astequal v1.0.1 // indirect
-	github.com/go-toolsmith/astfmt v1.0.0 // indirect
-	github.com/go-toolsmith/astp v1.0.0 // indirect
-	github.com/go-toolsmith/strparse v1.0.0 // indirect
-	github.com/go-toolsmith/typep v1.0.2 // indirect
-	github.com/go-xmlfmt/xmlfmt v0.0.0-20211206191508-7fd73a941850 // indirect
+	github.com/go-git/go-billy/v5 v5.4.1 // indirect
+	github.com/go-git/go-git/v5 v5.6.1 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-toolsmith/astcast v1.1.0 // indirect
+	github.com/go-toolsmith/astcopy v1.1.0 // indirect
+	github.com/go-toolsmith/astequal v1.1.0 // indirect
+	github.com/go-toolsmith/astfmt v1.1.0 // indirect
+	github.com/go-toolsmith/astp v1.1.0 // indirect
+	github.com/go-toolsmith/strparse v1.1.0 // indirect
+	github.com/go-toolsmith/typep v1.1.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 // indirect
 	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
-	github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613 // indirect
-	github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a // indirect
-	github.com/golangci/golangci-lint v1.43.0 // indirect
+	github.com/golangci/go-misc v0.0.0-20220329215616-d24fe342adfe // indirect
+	github.com/golangci/gofmt v0.0.0-20220901101216-f2edd75033f2 // indirect
 	github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0 // indirect
 	github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca // indirect
-	github.com/golangci/misspell v0.3.5 // indirect
-	github.com/golangci/revgrep v0.0.0-20210930125155-c22e5001d4f2 // indirect
+	github.com/golangci/misspell v0.4.0 // indirect
+	github.com/golangci/revgrep v0.0.0-20220804021717-745bb2f7c2e6 // indirect
 	github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/btree v1.1.2 // indirect
+	github.com/google/gnostic v0.6.9 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 // indirect
-	github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1 // indirect
-	github.com/gordonklaus/ineffassign v0.0.0-20210914165742-4cc7213b9bc8 // indirect
-	github.com/goreleaser/chglog v0.1.2 // indirect
+	github.com/google/rpmpack v0.0.0-20221120200012-98b63d62fd77 // indirect
+	github.com/gordonklaus/ineffassign v0.0.0-20230107090616-13ace0543b28 // indirect
+	github.com/goreleaser/chglog v0.4.2 // indirect
 	github.com/goreleaser/fileglob v0.3.1 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.4.2 // indirect
@@ -202,10 +211,12 @@ require (
 	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/hexops/gotextdiff v1.0.3 // indirect
+	github.com/huandu/xstrings v1.4.0 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jgautheron/goconst v1.5.1 // indirect
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
@@ -213,118 +224,134 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/julz/importas v0.0.0-20210922140945-27e0a5d4dee2 // indirect
-	github.com/kevinburke/ssh_config v1.1.0 // indirect
-	github.com/kisielk/errcheck v1.6.0 // indirect
+	github.com/julz/importas v0.1.0 // indirect
+	github.com/junk1tm/musttag v0.5.0 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/kisielk/errcheck v1.6.3 // indirect
 	github.com/kisielk/gotool v1.0.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.4 // indirect
+	github.com/klauspost/pgzip v1.2.5 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/kulti/thelper v0.4.0 // indirect
-	github.com/kunwardeep/paralleltest v1.0.3 // indirect
-	github.com/kyoh86/exportloopref v0.1.8 // indirect
-	github.com/ldez/gomoddirectives v0.2.2 // indirect
-	github.com/ldez/tagliatelle v0.2.0 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/maratori/testpackage v1.0.1 // indirect
-	github.com/matoous/godox v0.0.0-20210227103229-6504466cf951 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kunwardeep/paralleltest v1.0.6 // indirect
+	github.com/kyoh86/exportloopref v0.1.11 // indirect
+	github.com/ldez/gomoddirectives v0.2.3 // indirect
+	github.com/ldez/tagliatelle v0.5.0 // indirect
+	github.com/leonklingele/grouper v1.1.1 // indirect
+	github.com/lufeee/execinquery v1.2.1 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/maratori/testableexamples v1.0.0 // indirect
+	github.com/maratori/testpackage v1.1.1 // indirect
+	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mbilski/exhaustivestruct v1.2.0 // indirect
-	github.com/mdlayher/socket v0.4.0 // indirect
-	github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517 // indirect
-	github.com/mgechev/revive v1.1.2 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/mgechev/revive v1.3.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/moricho/tparallel v0.2.1 // indirect
+	github.com/moricho/tparallel v0.3.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/nbutton23/zxcvbn-go v0.0.0-20210217022336-fa2cb2858354 // indirect
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
-	github.com/nishanths/exhaustive v0.7.11 // indirect
-	github.com/nishanths/predeclared v0.2.1 // indirect
+	github.com/nishanths/exhaustive v0.10.0 // indirect
+	github.com/nishanths/predeclared v0.2.2 // indirect
+	github.com/nunnatsa/ginkgolinter v0.11.2 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/onsi/gomega v1.20.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
-	github.com/pelletier/go-toml v1.9.4 // indirect
-	github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
+	github.com/pierrec/lz4/v4 v4.1.17 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/polyfloyd/go-errorlint v0.0.0-20211125173453-6d6d39c5bb8b // indirect
-	github.com/prometheus/client_golang v1.12.2 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/quasilyte/go-ruleguard v0.3.13 // indirect
+	github.com/polyfloyd/go-errorlint v1.4.1 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/quasilyte/go-ruleguard v0.3.19 // indirect
+	github.com/quasilyte/gogrep v0.5.0 // indirect
 	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
-	github.com/ryancurrah/gomodguard v1.2.3 // indirect
-	github.com/ryanrolds/sqlclosecheck v0.3.0 // indirect
+	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/ryancurrah/gomodguard v1.3.0 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.4.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
-	github.com/sassoftware/go-rpmutils v0.1.0 // indirect
-	github.com/securego/gosec/v2 v2.9.3 // indirect
-	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.23.0 // indirect
+	github.com/sassoftware/go-rpmutils v0.2.0 // indirect
+	github.com/securego/gosec/v2 v2.15.0 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/sivchari/tenv v1.4.7 // indirect
-	github.com/sonatard/noctx v0.0.1 // indirect
-	github.com/sourcegraph/go-diff v0.6.1 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.4.1 // indirect
-	github.com/spf13/cobra v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/sivchari/containedctx v1.0.3 // indirect
+	github.com/sivchari/nosnakecase v1.7.0 // indirect
+	github.com/sivchari/tenv v1.7.1 // indirect
+	github.com/skeema/knownhosts v1.1.0 // indirect
+	github.com/sonatard/noctx v0.0.2 // indirect
+	github.com/sourcegraph/go-diff v0.7.0 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.9.0 // indirect
+	github.com/spf13/viper v1.15.0 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
-	github.com/stretchr/objx v0.4.0 // indirect
-	github.com/stretchr/testify v1.8.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/sylvia7788/contextcheck v1.0.4 // indirect
-	github.com/tdakkota/asciicheck v0.1.1 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/testify v1.8.2 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
+	github.com/tdakkota/asciicheck v0.2.0 // indirect
 	github.com/tetafro/godot v1.4.11 // indirect
-	github.com/timakin/bodyclose v0.0.0-20210704033933-f49887972144 // indirect
-	github.com/tomarrell/wrapcheck/v2 v2.4.0 // indirect
-	github.com/tommy-muehle/go-mnd/v2 v2.4.0 // indirect
-	github.com/u-root/uio v0.0.0-20221213070652-c3537552635f // indirect
-	github.com/ulikunitz/xz v0.5.10 // indirect
+	github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect
+	github.com/timonwong/loggercheck v0.9.4 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.8.1 // indirect
+	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+	github.com/u-root/uio v0.0.0-20230305220412-3e8cd9d6bf63 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/ultraware/funlen v0.0.3 // indirect
-	github.com/ultraware/whitespace v0.0.4 // indirect
-	github.com/uudashr/gocognit v1.0.5 // indirect
+	github.com/ultraware/whitespace v0.0.5 // indirect
+	github.com/uudashr/gocognit v1.0.6 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	github.com/xanzy/ssh-agent v0.3.1 // indirect
-	github.com/yeya24/promlinter v0.1.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a // indirect
-	golang.org/x/image v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/yagipy/maintidx v1.0.0 // indirect
+	github.com/yeya24/promlinter v0.2.0 // indirect
+	gitlab.com/bosi/decorder v0.2.3 // indirect
+	gitlab.com/digitalxero/go-conventional-commit v1.0.7 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20230425010034-47ecfdc1ba53 // indirect
+	golang.org/x/image v0.7.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.66.2 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/apiextensions-apiserver v0.25.0 // indirect
-	k8s.io/component-base v0.25.0 // indirect
-	k8s.io/klog/v2 v2.70.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
-	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
-	mvdan.cc/gofumpt v0.2.0 // indirect
+	k8s.io/apiextensions-apiserver v0.27.2 // indirect
+	k8s.io/component-base v0.27.2 // indirect
+	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	mvdan.cc/gofumpt v0.5.0 // indirect
 	mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
 	mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
-	mvdan.cc/unparam v0.0.0-20211002134041-24922b6997ca // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )

go.mod.sri

@@ -1 +1 @@
-sha256-LIvaxSo+4LuHUk8DIZ27IaRQwaDnjW6Jwm5AEc/V95A=
+sha256-l2uIma2oEdSN0zVo9BOFJF2gC3S60vXwTLVadv8yQPo=

go.toolchain.rev

@@ -1 +1 @@
-568add9f5d780e86f8b3e7002fd7b4a7479005fa
+480a0c381923c53e70ed5e72f9a9f79ce1884859

hostinfo/hostinfo.go

@@ -405,7 +405,7 @@ func DisabledEtcAptSource() bool {
 		return false
 	}
 	mod := fi.ModTime()
-	if c, ok := etcAptSrcCache.Load().(etcAptSrcResult); ok && c.mod == mod {
+	if c, ok := etcAptSrcCache.Load().(etcAptSrcResult); ok && c.mod.Equal(mod) {
 		return c.disabled
 	}
 	f, err := os.Open(path)

hostinfo/hostinfo_linux.go

@@ -95,6 +95,8 @@ func linuxVersionMeta() (meta versionMeta) {
 		propFile = "/etc.defaults/VERSION"
 	case distro.OpenWrt:
 		propFile = "/etc/openwrt_release"
+	case distro.Unraid:
+		propFile = "/etc/unraid-version"
 	case distro.WDMyCloud:
 		slurp, _ := os.ReadFile("/etc/version")
 		meta.DistroVersion = string(bytes.TrimSpace(slurp))
@@ -153,6 +155,8 @@ func linuxVersionMeta() (meta versionMeta) {
 		meta.DistroVersion = m["productversion"]
 	case distro.OpenWrt:
 		meta.DistroVersion = m["DISTRIB_RELEASE"]
+	case distro.Unraid:
+		meta.DistroVersion = m["version"]
 	}
 	return
 }

internal/tooldeps/tooldeps.go

@@ -6,6 +6,7 @@
 package tooldeps
 
 import (
+	_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
 	_ "github.com/tailscale/depaware/depaware"
 	_ "golang.org/x/tools/cmd/goimports"
 )

ipn/ipnlocal/c2n.go

@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"tailscale.com/envknob"
+	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/goroutines"
@@ -89,8 +90,13 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		w.Header().Set("Content-Type", "text/plain")
+		if b.sockstatLogger == nil {
+			http.Error(w, "no sockstatLogger", http.StatusInternalServerError)
+			return
+		}
 		b.sockstatLogger.Flush()
-		fmt.Fprintln(w, b.sockstatLogger.LogID())
+		fmt.Fprintf(w, "logid: %s\n", b.sockstatLogger.LogID())
+		fmt.Fprintf(w, "debug info: %v\n", sockstats.DebugInfo())
 	default:
 		http.Error(w, "unknown c2n path", http.StatusBadRequest)
 	}

ipn/ipnlocal/cert.go

@@ -31,6 +31,7 @@ import (
 	"time"
 
 	"golang.org/x/crypto/acme"
+	"golang.org/x/exp/slices"
 	"tailscale.com/atomicfile"
 	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
@@ -100,11 +101,13 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertK
 	}
 
 	if pair, err := getCertPEMCached(cs, domain, now); err == nil {
-		future := now.AddDate(0, 0, 14)
-		if b.shouldStartDomainRenewal(cs, domain, future) {
+		shouldRenew, err := shouldStartDomainRenewal(domain, now, pair)
+		if err != nil {
+			logf("error checking for certificate renewal: %v", err)
+		} else if shouldRenew {
 			logf("starting async renewal")
 			// Start renewal in the background.
-			go b.getCertPEM(context.Background(), cs, logf, traceACME, domain, future)
+			go b.getCertPEM(context.Background(), cs, logf, traceACME, domain, now)
 		}
 		return pair, nil
 	}
@@ -117,18 +120,41 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertK
 	return pair, nil
 }
 
-func (b *LocalBackend) shouldStartDomainRenewal(cs certStore, domain string, future time.Time) bool {
+func shouldStartDomainRenewal(domain string, now time.Time, pair *TLSCertKeyPair) (bool, error) {
 	renewMu.Lock()
 	defer renewMu.Unlock()
-	now := time.Now()
 	if last, ok := lastRenewCheck[domain]; ok && now.Sub(last) < time.Minute {
 		// We checked very recently. Don't bother reparsing &
 		// validating the x509 cert.
-		return false
+		return false, nil
 	}
 	lastRenewCheck[domain] = now
-	_, err := getCertPEMCached(cs, domain, future)
-	return errors.Is(err, errCertExpired)
+
+	block, _ := pem.Decode(pair.CertPEM)
+	if block == nil {
+		return false, fmt.Errorf("parsing certificate PEM")
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false, fmt.Errorf("parsing certificate: %w", err)
+	}
+
+	certLifetime := cert.NotAfter.Sub(cert.NotBefore)
+	if certLifetime < 0 {
+		return false, fmt.Errorf("negative certificate lifetime %v", certLifetime)
+	}
+
+	// Per https://github.com/tailscale/tailscale/issues/8204, check
+	// whether we're more than 2/3 of the way through the certificate's
+	// lifetime, which is the officially-recommended best practice by Let's
+	// Encrypt.
+	renewalDuration := certLifetime * 2 / 3
+	renewAt := cert.NotBefore.Add(renewalDuration)
+
+	if now.After(renewAt) {
+		return true, nil
+	}
+	return false, nil
 }
 
 // certStore provides a way to perist and retrieve TLS certificates.
@@ -361,17 +387,16 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger
 				}
 				key := "_acme-challenge." + domain
 
+				// Do a best-effort lookup to see if we've already created this DNS name
+				// in a previous attempt. Don't burn too much time on it, though. Worst
+				// case we ask the server to create something that already exists.
 				var resolver net.Resolver
-				var ok bool
-				txts, _ := resolver.LookupTXT(ctx, key)
-				for _, txt := range txts {
-					if txt == rec {
-						ok = true
-						logf("TXT record already existed")
-						break
-					}
-				}
-				if !ok {
+				lookupCtx, lookupCancel := context.WithTimeout(ctx, 500*time.Millisecond)
+				txts, _ := resolver.LookupTXT(lookupCtx, key)
+				lookupCancel()
+				if slices.Contains(txts, rec) {
+					logf("TXT record already existed")
+				} else {
 					logf("starting SetDNS call...")
 					err = b.SetDNS(ctx, key, rec)
 					if err != nil {

ipn/ipnlocal/cert_test.go

@@ -6,12 +6,19 @@
 package ipnlocal
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"embed"
+	"encoding/pem"
+	"math/big"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"golang.org/x/exp/maps"
 	"tailscale.com/ipn/store/mem"
 )
 
@@ -100,3 +107,94 @@ func TestCertStoreRoundTrip(t *testing.T) {
 		})
 	}
 }
+
+func TestShouldStartDomainRenewal(t *testing.T) {
+	reset := func() {
+		renewMu.Lock()
+		defer renewMu.Unlock()
+		maps.Clear(lastRenewCheck)
+	}
+
+	mustMakePair := func(template *x509.Certificate) *TLSCertKeyPair {
+		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			panic(err)
+		}
+
+		b, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
+		if err != nil {
+			panic(err)
+		}
+		certPEM := pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: b,
+		})
+
+		return &TLSCertKeyPair{
+			Cached:  false,
+			CertPEM: certPEM,
+			KeyPEM:  []byte("unused"),
+		}
+	}
+
+	now := time.Unix(1685714838, 0)
+	subject := pkix.Name{
+		Organization:  []string{"Tailscale, Inc."},
+		Country:       []string{"CA"},
+		Province:      []string{"ON"},
+		Locality:      []string{"Toronto"},
+		StreetAddress: []string{"290 Bremner Blvd"},
+		PostalCode:    []string{"M5V 3L9"},
+	}
+
+	testCases := []struct {
+		name      string
+		notBefore time.Time
+		lifetime  time.Duration
+		want      bool
+		wantErr   string
+	}{
+		{
+			name:      "should renew",
+			notBefore: now.AddDate(0, 0, -89),
+			lifetime:  90 * 24 * time.Hour,
+			want:      true,
+		},
+		{
+			name:      "short-lived renewal",
+			notBefore: now.AddDate(0, 0, -7),
+			lifetime:  10 * 24 * time.Hour,
+			want:      true,
+		},
+		{
+			name:      "no renew",
+			notBefore: now.AddDate(0, 0, -59), // 59 days ago == not 2/3rds of the way through 90 days yet
+			lifetime:  90 * 24 * time.Hour,
+			want:      false,
+		},
+	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			reset()
+
+			ret, err := shouldStartDomainRenewal("example.com", now, mustMakePair(&x509.Certificate{
+				SerialNumber: big.NewInt(2019),
+				Subject:      subject,
+				NotBefore:    tt.notBefore,
+				NotAfter:     tt.notBefore.Add(tt.lifetime),
+			}))
+
+			if tt.wantErr != "" {
+				if err == nil {
+					t.Errorf("wanted error, got nil")
+				} else if err.Error() != tt.wantErr {
+					t.Errorf("got err=%q, want %q", err.Error(), tt.wantErr)
+				}
+			} else {
+				if ret != tt.want {
+					t.Errorf("got ret=%v, want %v", ret, tt.want)
+				}
+			}
+		})
+	}
+}

ipn/ipnlocal/expiry.go

@@ -158,7 +158,7 @@ func (em *expiryManager) nextPeerExpiry(nm *netmap.NetworkMap, localNow time.Tim
 		// nextExpiry being zero is a sentinel that we haven't yet set
 		// an expiry; otherwise, only update if this node's expiry is
 		// sooner than the currently-stored one (since we want the
-		// soonest-occuring expiry time).
+		// soonest-occurring expiry time).
 		if nextExpiry.IsZero() || peer.KeyExpiry.Before(nextExpiry) {
 			nextExpiry = peer.KeyExpiry
 		}

ipn/ipnlocal/expiry_test.go

@@ -243,7 +243,7 @@ func TestNextPeerExpiry(t *testing.T) {
 			em := newExpiryManager(t.Logf)
 			em.timeNow = func() time.Time { return now }
 			got := em.nextPeerExpiry(tt.netmap, now)
-			if got != tt.want {
+			if !got.Equal(tt.want) {
 				t.Errorf("got %q, want %q", got.Format(time.RFC3339), tt.want.Format(time.RFC3339))
 			} else if !got.IsZero() && got.Before(now) {
 				t.Errorf("unexpectedly got expiry %q before now %q", got.Format(time.RFC3339), now.Format(time.RFC3339))
@@ -269,7 +269,7 @@ func TestNextPeerExpiry(t *testing.T) {
 		}
 		got := em.nextPeerExpiry(nm, now)
 		want := now.Add(30 * time.Second)
-		if got != want {
+		if !got.Equal(want) {
 			t.Errorf("got %q, want %q", got.Format(time.RFC3339), want.Format(time.RFC3339))
 		}
 	})

ipn/ipnlocal/local.go

@@ -35,6 +35,7 @@ import (
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/doctor"
+	"tailscale.com/doctor/permissions"
 	"tailscale.com/doctor/routetable"
 	"tailscale.com/envknob"
 	"tailscale.com/health"
@@ -59,6 +60,7 @@ import (
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
+	"tailscale.com/tsd"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
@@ -136,12 +138,13 @@ type LocalBackend struct {
 	logf                  logger.Logf        // general logging
 	keyLogf               logger.Logf        // for printing list of peers on change
 	statsLogf             logger.Logf        // for printing peers stats on change
-	e                     wgengine.Engine
+	sys                   *tsd.System
+	e                     wgengine.Engine // non-nil; TODO(bradfitz): remove; use sys
 	pm                    *profileManager
-	store                 ipn.StateStore
-	dialer                *tsdial.Dialer // non-nil
+	store                 ipn.StateStore // non-nil; TODO(bradfitz): remove; use sys
+	dialer                *tsdial.Dialer // non-nil; TODO(bradfitz): remove; use sys
 	backendLogID          logid.PublicID
-	unregisterLinkMon     func()
+	unregisterNetMon      func()
 	unregisterHealthWatch func()
 	portpoll              *portlist.Poller // may be nil
 	portpollOnce          sync.Once        // guards starting readPoller
@@ -266,15 +269,18 @@ type clientGen func(controlclient.Options) (controlclient.Client, error)
 // but is not actually running.
 //
 // If dialer is nil, a new one is made.
-func NewLocalBackend(logf logger.Logf, logID logid.PublicID, store ipn.StateStore, dialer *tsdial.Dialer, e wgengine.Engine, loginFlags controlclient.LoginFlags) (*LocalBackend, error) {
-	if e == nil {
-		panic("ipn.NewLocalBackend: engine must not be nil")
-	}
+func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, loginFlags controlclient.LoginFlags) (*LocalBackend, error) {
+	e := sys.Engine.Get()
+	store := sys.StateStore.Get()
+	dialer := sys.Dialer.Get()
 
 	pm, err := newProfileManager(store, logf)
 	if err != nil {
 		return nil, err
 	}
+	if sds, ok := store.(ipn.StateStoreDialerSetter); ok {
+		sds.SetDialer(dialer.SystemDial)
+	}
 
 	hi := hostinfo.New()
 	logf.JSON(1, "Hostinfo", hi)
@@ -286,10 +292,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, store ipn.StateStor
 	osshare.SetFileSharingEnabled(false, logf)
 
 	ctx, cancel := context.WithCancel(context.Background())
-	portpoll, err := portlist.NewPoller()
-	if err != nil {
-		logf("skipping portlist: %s", err)
-	}
+	portpoll := new(portlist.Poller)
 
 	b := &LocalBackend{
 		ctx:            ctx,
@@ -297,10 +300,11 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, store ipn.StateStor
 		logf:           logf,
 		keyLogf:        logger.LogOnChange(logf, 5*time.Minute, time.Now),
 		statsLogf:      logger.LogOnChange(logf, 5*time.Minute, time.Now),
+		sys:            sys,
 		e:              e,
-		pm:             pm,
-		store:          store,
 		dialer:         dialer,
+		store:          store,
+		pm:             pm,
 		backendLogID:   logID,
 		state:          ipn.NoState,
 		portpoll:       portpoll,
@@ -309,12 +313,14 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, store ipn.StateStor
 		loginFlags:     loginFlags,
 	}
 
-	// for now, only log sockstats on unstable builds
-	if version.IsUnstableBuild() {
-		b.sockstatLogger, err = sockstatlog.NewLogger(logpolicy.LogsDir(logf), logf, logID)
-		if err != nil {
-			log.Printf("error setting up sockstat logger: %v", err)
-		}
+	netMon := sys.NetMon.Get()
+	b.sockstatLogger, err = sockstatlog.NewLogger(logpolicy.LogsDir(logf), logf, logID, netMon)
+	if err != nil {
+		log.Printf("error setting up sockstat logger: %v", err)
+	}
+	// Enable sockstats logs only on unstable builds
+	if version.IsUnstableBuild() && b.sockstatLogger != nil {
+		b.sockstatLogger.SetLoggingEnabled(true)
 	}
 
 	// Default filter blocks everything and logs nothing, until Start() is called.
@@ -325,23 +331,17 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, store ipn.StateStor
 	b.statusChanged = sync.NewCond(&b.statusLock)
 	b.e.SetStatusCallback(b.setWgengineStatus)
 
-	linkMon := e.GetLinkMonitor()
-	b.prevIfState = linkMon.InterfaceState()
+	b.prevIfState = netMon.InterfaceState()
 	// Call our linkChange code once with the current state, and
 	// then also whenever it changes:
-	b.linkChange(false, linkMon.InterfaceState())
-	b.unregisterLinkMon = linkMon.RegisterChangeCallback(b.linkChange)
+	b.linkChange(false, netMon.InterfaceState())
+	b.unregisterNetMon = netMon.RegisterChangeCallback(b.linkChange)
 
 	b.unregisterHealthWatch = health.RegisterWatcher(b.onHealthChange)
 
-	wiredPeerAPIPort := false
-	if ig, ok := e.(wgengine.InternalsGetter); ok {
-		if tunWrap, _, _, ok := ig.GetInternals(); ok {
-			tunWrap.PeerAPIPort = b.GetPeerAPIPort
-			wiredPeerAPIPort = true
-		}
-	}
-	if !wiredPeerAPIPort {
+	if tunWrap, ok := b.sys.Tun.GetOK(); ok {
+		tunWrap.PeerAPIPort = b.GetPeerAPIPort
+	} else {
 		b.logf("[unexpected] failed to wire up PeerAPI port for engine %T", e)
 	}
 
@@ -365,6 +365,7 @@ type componentLogState struct {
 
 var debuggableComponents = []string{
 	"magicsock",
+	"sockstats",
 }
 
 func componentStateKey(component string) ipn.StateKey {
@@ -377,6 +378,7 @@ func componentStateKey(component string) ipn.StateKey {
 // The following components are recognized:
 //
 //   - magicsock
+//   - sockstats
 func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Time) error {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -389,6 +391,17 @@ func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Tim
 			return err
 		}
 		setEnabled = mc.SetDebugLoggingEnabled
+	case "sockstats":
+		if b.sockstatLogger != nil {
+			setEnabled = func(v bool) {
+				b.sockstatLogger.SetLoggingEnabled(v)
+				// Flush (and thus upload) logs when the enabled period ends,
+				// so that the logs are available for debugging.
+				if !v {
+					b.sockstatLogger.Flush()
+				}
+			}
+		}
 	}
 	if setEnabled == nil || !slices.Contains(debuggableComponents, component) {
 		return fmt.Errorf("unknown component %q", component)
@@ -420,7 +433,7 @@ func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Tim
 			// unchanged when the timer actually fires.
 			b.mu.Lock()
 			defer b.mu.Unlock()
-			if ls := b.componentLogUntil[component]; ls.until == until {
+			if ls := b.componentLogUntil[component]; ls.until.Equal(until) {
 				setEnabled(false)
 				b.logf("debugging logging for component %q disabled (by timer)", component)
 			}
@@ -446,6 +459,7 @@ func (b *LocalBackend) GetComponentDebugLogging(component string) time.Time {
 }
 
 // Dialer returns the backend's dialer.
+// It is always non-nil.
 func (b *LocalBackend) Dialer() *tsdial.Dialer {
 	return b.dialer
 }
@@ -481,7 +495,7 @@ func (b *LocalBackend) maybePauseControlClientLocked() {
 	b.cc.SetPaused((b.state == ipn.Stopped && b.netMap != nil) || !networkUp)
 }
 
-// linkChange is our link monitor callback, called whenever the network changes.
+// linkChange is our network monitor callback, called whenever the network changes.
 // major is whether ifst is different than earlier.
 func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {
 	b.mu.Lock()
@@ -558,7 +572,7 @@ func (b *LocalBackend) Shutdown() {
 		b.sockstatLogger.Shutdown()
 	}
 
-	b.unregisterLinkMon()
+	b.unregisterNetMon()
 	b.unregisterHealthWatch()
 	if cc != nil {
 		cc.Shutdown()
@@ -626,7 +640,7 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 	defer b.mu.Unlock()
 	sb.MutateStatus(func(s *ipnstate.Status) {
 		s.Version = version.Long()
-		s.TUN = !wgengine.IsNetstack(b.e)
+		s.TUN = !b.sys.IsNetstack()
 		s.BackendState = b.state.String()
 		s.AuthURL = b.authURLSticky
 		if err := health.OverallError(); err != nil {
@@ -1059,7 +1073,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		b.e.SetDERPMap(st.NetMap.DERPMap)
 
 		// Update our cached DERP map
-		dnsfallback.UpdateCache(st.NetMap.DERPMap)
+		dnsfallback.UpdateCache(st.NetMap.DERPMap, b.logf)
 
 		b.send(ipn.Notify{NetMap: st.NetMap})
 	}
@@ -1297,8 +1311,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	hostinfo := hostinfo.New()
 	hostinfo.BackendLogID = b.backendLogID.String()
 	hostinfo.FrontendLogID = opts.FrontendLogID
-	hostinfo.Userspace.Set(wgengine.IsNetstack(b.e))
-	hostinfo.UserspaceRouter.Set(wgengine.IsNetstackRouter(b.e))
+	hostinfo.Userspace.Set(b.sys.IsNetstack())
+	hostinfo.UserspaceRouter.Set(b.sys.IsNetstackRouter())
 
 	if b.cc != nil {
 		// TODO(apenwarr): avoid the need to reinit controlclient.
@@ -1360,7 +1374,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 
 	if b.portpoll != nil {
 		b.portpollOnce.Do(func() {
-			go b.portpoll.Run(b.ctx)
 			go b.readPoller()
 
 			// Give the poller a second to get results to
@@ -1383,7 +1396,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 
 	var err error
 
-	isNetstack := wgengine.IsNetstackRouter(b.e)
+	isNetstack := b.sys.IsNetstackRouter()
 	debugFlags := controlDebugFlags
 	if isNetstack {
 		debugFlags = append([]string{"netstack"}, debugFlags...)
@@ -1405,7 +1418,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		HTTPTestClient:       httpTestClient,
 		DiscoPublicKey:       discoPublic,
 		DebugFlags:           debugFlags,
-		LinkMonitor:          b.e.GetLinkMonitor(),
+		NetMon:               b.sys.NetMon.Get(),
 		Pinger:               b,
 		PopBrowserURL:        b.tellClientToBrowseToURL,
 		OnClientVersion:      b.onClientVersion,
@@ -1795,11 +1808,30 @@ func dnsMapsEqual(new, old *netmap.NetworkMap) bool {
 // readPoller is a goroutine that receives service lists from
 // b.portpoll and propagates them into the controlclient's HostInfo.
 func (b *LocalBackend) readPoller() {
-	n := 0
+	isFirst := true
+	ticker := time.NewTicker(portlist.PollInterval())
+	defer ticker.Stop()
+	initChan := make(chan struct{})
+	close(initChan)
 	for {
-		ports, ok := <-b.portpoll.Updates()
-		if !ok {
+		select {
+		case <-ticker.C:
+		case <-b.ctx.Done():
 			return
+		case <-initChan:
+			// Preserving old behavior: readPoller should
+			// immediately poll the first time, then wait
+			// for a tick after.
+			initChan = nil
+		}
+
+		ports, changed, err := b.portpoll.Poll()
+		if err != nil {
+			b.logf("error polling for open ports: %v", err)
+			return
+		}
+		if !changed {
+			continue
 		}
 		sl := []tailcfg.Service{}
 		for _, p := range ports {
@@ -1823,8 +1855,8 @@ func (b *LocalBackend) readPoller() {
 
 		b.doSetHostinfoFilterServices(hi)
 
-		n++
-		if n == 1 {
+		if isFirst {
+			isFirst = false
 			close(b.gotPortPollRes)
 		}
 	}
@@ -2461,7 +2493,7 @@ func (b *LocalBackend) parseWgStatusLocked(s *wgengine.Status) (ret ipn.EngineSt
 	// [GRINDER STATS LINES] - please don't remove (used for log parsing)
 	if peerStats.Len() > 0 {
 		b.keyLogf("[v1] peer keys: %s", strings.TrimSpace(peerKeys.String()))
-		b.statsLogf("[v1] v%v peers: %v", version.Long, strings.TrimSpace(peerStats.String()))
+		b.statsLogf("[v1] v%v peers: %v", version.Long(), strings.TrimSpace(peerStats.String()))
 	}
 	return ret
 }
@@ -2531,6 +2563,9 @@ func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
 	if err := b.checkExitNodePrefsLocked(p); err != nil {
 		errs = append(errs, err)
 	}
+	if err := b.checkFunnelEnabledLocked(p); err != nil {
+		errs = append(errs, err)
+	}
 	return multierr.New(errs...)
 }
 
@@ -2615,6 +2650,13 @@ func (b *LocalBackend) checkExitNodePrefsLocked(p *ipn.Prefs) error {
 	return nil
 }
 
+func (b *LocalBackend) checkFunnelEnabledLocked(p *ipn.Prefs) error {
+	if p.ShieldsUp && b.serveConfig.IsFunnelOn() {
+		return errors.New("Cannot enable shields-up when Funnel is enabled.")
+	}
+	return nil
+}
+
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (ipn.PrefsView, error) {
 	b.mu.Lock()
 	if mp.EggSet {
@@ -3192,6 +3234,10 @@ func (b *LocalBackend) TailscaleVarRoot() string {
 	switch runtime.GOOS {
 	case "ios", "android", "darwin":
 		return paths.AppSharedDir.Load()
+	case "linux":
+		if distro.Get() == distro.Gokrazy {
+			return "/perm/tailscaled"
+		}
 	}
 	return ""
 }
@@ -3285,14 +3331,12 @@ func (b *LocalBackend) initPeerAPIListener() {
 		directFileMode:          b.directFileRoot != "",
 		directFileDoFinalRename: b.directFileDoFinalRename,
 	}
-	if re, ok := b.e.(wgengine.ResolvingEngine); ok {
-		if r, ok := re.GetResolver(); ok {
-			ps.resolver = r
-		}
+	if dm, ok := b.sys.DNSManager.GetOK(); ok {
+		ps.resolver = dm.Resolver()
 	}
 	b.peerAPIServer = ps
 
-	isNetstack := wgengine.IsNetstack(b.e)
+	isNetstack := b.sys.IsNetstack()
 	for i, a := range b.netMap.Addresses {
 		var ln net.Listener
 		var err error
@@ -3598,6 +3642,19 @@ func (b *LocalBackend) hasNodeKey() bool {
 	return p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero()
 }
 
+// NodeKey returns the public node key.
+func (b *LocalBackend) NodeKey() key.NodePublic {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	p := b.pm.CurrentPrefs()
+	if !p.Valid() || !p.Persist().Valid() || p.Persist().PrivateNodeKey().IsZero() {
+		return key.NodePublic{}
+	}
+
+	return p.Persist().PublicNodeKey()
+}
+
 // nextState returns the state the backend seems to be in, based on
 // its internal state.
 func (b *LocalBackend) nextState() ipn.State {
@@ -4008,7 +4065,7 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn.
 		b.setServeProxyHandlersLocked()
 
 		// don't listen on netmap addresses if we're in userspace mode
-		if !wgengine.IsNetstack(b.e) {
+		if !b.sys.IsNetstack() {
 			b.updateServeTCPPortNetMapAddrListenersLocked(servePorts)
 		}
 	}
@@ -4359,7 +4416,7 @@ func nodeIP(n *tailcfg.Node, pred func(netip.Addr) bool) netip.Addr {
 }
 
 func (b *LocalBackend) CheckIPForwarding() error {
-	if wgengine.IsNetstackRouter(b.e) {
+	if b.sys.IsNetstackRouter() {
 		return nil
 	}
 
@@ -4505,13 +4562,9 @@ func (b *LocalBackend) DebugReSTUN() error {
 }
 
 func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
-	ig, ok := b.e.(wgengine.InternalsGetter)
+	mc, ok := b.sys.MagicSock.GetOK()
 	if !ok {
-		return nil, errors.New("engine isn't InternalsGetter")
-	}
-	_, mc, _, ok := ig.GetInternals()
-	if !ok {
-		return nil, errors.New("failed to get internals")
+		return nil, errors.New("failed to get magicsock from sys")
 	}
 	return mc, nil
 }
@@ -4690,7 +4743,10 @@ func (b *LocalBackend) Doctor(ctx context.Context, logf logger.Logf) {
 	logf = logger.SlowLoggerWithClock(ctx, logf, 20*time.Millisecond, 60, time.Now)
 
 	var checks []doctor.Check
-	checks = append(checks, routetable.Check{})
+	checks = append(checks,
+		permissions.Check{},
+		routetable.Check{},
+	)
 
 	// Print a log message if any of the global DNS resolvers are Tailscale
 	// IPs; this can interfere with our ability to connect to the Tailscale

ipn/ipnlocal/local_test.go

@@ -20,6 +20,7 @@ import (
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -501,13 +502,16 @@ func TestLazyMachineKeyGeneration(t *testing.T) {
 	tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })
 
 	var logf logger.Logf = logger.Discard
+	sys := new(tsd.System)
 	store := new(mem.Store)
-	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	sys.Set(store)
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(eng.Close)
-	lb, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, eng, 0)
+	sys.Set(eng)
+	lb, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
@@ -765,13 +769,16 @@ func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {
 func TestStatusWithoutPeers(t *testing.T) {
 	logf := tstest.WhileTestRunningLogger(t)
 	store := new(testStateStorage)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	sys := new(tsd.System)
+	sys.Set(store)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
+	sys.Set(e)
 	t.Cleanup(e.Close)
 
-	b, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, e, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}

ipn/ipnlocal/loglines_test.go

@@ -12,6 +12,7 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -47,14 +48,17 @@ func TestLocalLogLines(t *testing.T) {
 	idA := logid(0xaa)
 
 	// set up a LocalBackend, super bare bones. No functional data.
+	sys := new(tsd.System)
 	store := new(mem.Store)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	sys.Set(store)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(e.Close)
+	sys.Set(e)
 
-	lb, err := NewLocalBackend(logf, idA, store, nil, e, 0)
+	lb, err := NewLocalBackend(logf, idA, sys, 0)
 	if err != nil {
 		t.Fatal(err)
 	}

ipn/ipnlocal/network-lock.go

@@ -449,6 +449,8 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 		filtered[i] = b.tka.filtered[i].Clone()
 	}
 
+	stateID1, _ := b.tka.authority.StateIDs()
+
 	return &ipnstate.NetworkLockStatus{
 		Enabled:       true,
 		Head:          &head,
@@ -457,6 +459,7 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 		NodeKeySigned: selfAuthorized,
 		TrustedKeys:   outKeys,
 		FilteredPeers: filtered,
+		StateID:       stateID1,
 	}
 }
 

ipn/ipnlocal/network-lock_test.go

@@ -875,7 +875,7 @@ func TestTKAForceDisable(t *testing.T) {
 	}
 
 	if b.tka != nil {
-		t.Fatal("tka was re-initalized")
+		t.Fatal("tka was re-initialized")
 	}
 }
 

ipn/ipnlocal/peerapi.go

@@ -49,7 +49,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
-	"tailscale.com/wgengine"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/filter"
 )
 
@@ -468,7 +468,7 @@ func (s *peerAPIServer) listen(ip netip.Addr, ifState *interfaces.State) (ln net
 		}
 	}
 
-	if wgengine.IsNetstack(s.b.e) {
+	if s.b.sys.IsNetstack() {
 		ipStr = ""
 	}
 
@@ -605,6 +605,16 @@ func (h *peerAPIHandler) logf(format string, a ...any) {
 	h.ps.b.logf("peerapi: "+format, a...)
 }
 
+// isAddressValid reports whether addr is a valid destination address for this
+// node originating from the peer.
+func (h *peerAPIHandler) isAddressValid(addr netip.Addr) bool {
+	if h.peerNode.SelfNodeV4MasqAddrForThisPeer != nil {
+		return *h.peerNode.SelfNodeV4MasqAddrForThisPeer == addr
+	}
+	pfx := netip.PrefixFrom(addr, addr.BitLen())
+	return slices.Contains(h.selfNode.Addresses, pfx)
+}
+
 func (h *peerAPIHandler) validateHost(r *http.Request) error {
 	if r.Host == "peer" {
 		return nil
@@ -613,9 +623,8 @@ func (h *peerAPIHandler) validateHost(r *http.Request) error {
 	if err != nil {
 		return err
 	}
-	hostIPPfx := netip.PrefixFrom(ap.Addr(), ap.Addr().BitLen())
-	if !slices.Contains(h.selfNode.Addresses, hostIPPfx) {
-		return fmt.Errorf("%v not found in self addresses", hostIPPfx)
+	if !h.isAddressValid(ap.Addr()) {
+		return fmt.Errorf("%v not found in self addresses", ap.Addr())
 	}
 	return nil
 }
@@ -865,6 +874,11 @@ func (h *peerAPIHandler) handleServeSockStats(w http.ResponseWriter, r *http.Req
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	fmt.Fprintln(w, "<!DOCTYPE html><h1>Socket Stats</h1>")
 
+	if !sockstats.IsAvailable {
+		fmt.Fprintln(w, "Socket stats are not available for this client")
+		return
+	}
+
 	stats, interfaceStats, validation := sockstats.Get(), sockstats.GetInterfaces(), sockstats.GetValidation()
 	if stats == nil {
 		fmt.Fprintln(w, "No socket stats available")
@@ -942,6 +956,12 @@ func (h *peerAPIHandler) handleServeSockStats(w http.ResponseWriter, r *http.Req
 	fmt.Fprintln(w, "</tfoot>")
 
 	fmt.Fprintln(w, "</table>")
+
+	fmt.Fprintln(w, "<h2>Debug Info</h2>")
+
+	fmt.Fprintln(w, "<pre>")
+	fmt.Fprintln(w, html.EscapeString(sockstats.DebugInfo()))
+	fmt.Fprintln(w, "</pre>")
 }
 
 type incomingFile struct {
@@ -1070,6 +1090,10 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, errNoTaildrop.Error(), http.StatusInternalServerError)
 		return
 	}
+	if distro.Get() == distro.Unraid && !h.ps.directFileMode {
+		http.Error(w, "Taildrop folder not configured or accessible", http.StatusInternalServerError)
+		return
+	}
 	rawPath := r.URL.EscapedPath()
 	suffix, ok := strings.CutPrefix(rawPath, "/v0/put/")
 	if !ok {
@@ -1214,12 +1238,9 @@ func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Req
 		http.Error(w, "denied; no debug access", http.StatusForbidden)
 		return
 	}
-	eng := h.ps.b.e
-	if ig, ok := eng.(wgengine.InternalsGetter); ok {
-		if _, mc, _, ok := ig.GetInternals(); ok {
-			mc.ServeHTTPDebug(w, r)
-			return
-		}
+	if mc, ok := h.ps.b.sys.MagicSock.GetOK(); ok {
+		mc.ServeHTTPDebug(w, r)
+		return
 	}
 	http.Error(w, "miswired", 500)
 }

ipn/ipnlocal/profiles.go

@@ -20,9 +20,12 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/winutil"
-	"tailscale.com/version"
 )
 
+var errAlreadyMigrated = errors.New("profile migration already completed")
+
+var debug = envknob.RegisterBool("TS_DEBUG_PROFILES")
+
 // profileManager is a wrapper around a StateStore that manages
 // multiple profiles and the current profile.
 type profileManager struct {
@@ -41,6 +44,13 @@ type profileManager struct {
 	isNewProfile bool
 }
 
+func (pm *profileManager) dlogf(format string, args ...any) {
+	if !debug() {
+		return
+	}
+	pm.logf(format, args...)
+}
+
 // CurrentUserID returns the current user ID. It is only non-empty on
 // Windows where we have a multi-user system.
 func (pm *profileManager) CurrentUserID() ipn.WindowsUserID {
@@ -65,8 +75,16 @@ func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) error {
 	// Read the CurrentProfileKey from the store which stores
 	// the selected profile for the current user.
 	b, err := pm.store.ReadState(ipn.CurrentProfileKey(string(uid)))
+	pm.dlogf("SetCurrentUserID: ReadState(%q) = %v, %v", string(uid), len(b), err)
 	if err == ipn.ErrStateNotExist || len(b) == 0 {
-		pm.NewProfile()
+		if runtime.GOOS == "windows" {
+			pm.dlogf("SetCurrentUserID: windows: migrating from legacy preferences")
+			if err := pm.migrateFromLegacyPrefs(); err != nil && !errors.Is(err, errAlreadyMigrated) {
+				return err
+			}
+		} else {
+			pm.NewProfile()
+		}
 		return nil
 	}
 
@@ -74,6 +92,7 @@ func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) error {
 	pk := ipn.StateKey(string(b))
 	prof := pm.findProfileByKey(pk)
 	if prof == nil {
+		pm.dlogf("SetCurrentUserID: no profile found for key: %q", pk)
 		pm.NewProfile()
 		return nil
 	}
@@ -424,12 +443,7 @@ var defaultPrefs = func() ipn.PrefsView {
 	prefs.WantRunning = false
 
 	prefs.ControlURL = winutil.GetPolicyString("LoginURL", "")
-
-	if exitNode := winutil.GetPolicyString("ExitNodeIP", ""); exitNode != "" {
-		if ip, err := netip.ParseAddr(exitNode); err == nil {
-			prefs.ExitNodeIP = ip
-		}
-	}
+	prefs.ExitNodeIP = resolveExitNodeIP(netip.Addr{})
 
 	// Allow Incoming (used by the UI) is the negation of ShieldsUp (used by the
 	// backend), so this has to convert between the two conventions.
@@ -439,6 +453,16 @@ var defaultPrefs = func() ipn.PrefsView {
 	return prefs.View()
 }()
 
+func resolveExitNodeIP(defIP netip.Addr) (ret netip.Addr) {
+	ret = defIP
+	if exitNode := winutil.GetPolicyString("ExitNodeIP", ""); exitNode != "" {
+		if ip, err := netip.ParseAddr(exitNode); err == nil {
+			ret = ip
+		}
+	}
+	return ret
+}
+
 // Store returns the StateStore used by the ProfileManager.
 func (pm *profileManager) Store() ipn.StateStore {
 	return pm.store
@@ -534,8 +558,16 @@ func newProfileManagerWithGOOS(store ipn.StateStore, logf logger.Logf, goos stri
 		if err := pm.setPrefsLocked(prefs); err != nil {
 			return nil, err
 		}
-	} else if len(knownProfiles) == 0 && goos != "windows" {
+		// Most platform behavior is controlled by the goos parameter, however
+		// some behavior is implied by build tag and fails when run on Windows,
+		// so we explicitly avoid that behavior when running on Windows.
+		// Specifically this reaches down into legacy preference loading that is
+		// specialized by profiles_windows.go and fails in tests on an invalid
+		// uid passed in from the unix tests. The uid's used for Windows tests
+		// and runtime must be valid Windows security identifier structures.
+	} else if len(knownProfiles) == 0 && goos != "windows" && runtime.GOOS != "windows" {
 		// No known profiles, try a migration.
+		pm.dlogf("no known profiles; trying to migrate from legacy prefs")
 		if err := pm.migrateFromLegacyPrefs(); err != nil {
 			return nil, err
 		}
@@ -549,27 +581,18 @@ func newProfileManagerWithGOOS(store ipn.StateStore, logf logger.Logf, goos stri
 func (pm *profileManager) migrateFromLegacyPrefs() error {
 	metricMigration.Add(1)
 	pm.NewProfile()
-	k := ipn.LegacyGlobalDaemonStateKey
-	switch {
-	case runtime.GOOS == "ios":
-		k = "ipn-go-bridge"
-	case version.IsSandboxedMacOS():
-		k = "ipn-go-bridge"
-	case runtime.GOOS == "android":
-		k = "ipn-android"
-	}
-	prefs, err := pm.loadSavedPrefs(k)
+	sentinel, prefs, err := pm.loadLegacyPrefs()
 	if err != nil {
 		metricMigrationError.Add(1)
-		return fmt.Errorf("calling ReadState on state store: %w", err)
+		return fmt.Errorf("load legacy prefs: %w", err)
 	}
-	pm.logf("migrating %q profile to new format", k)
+	pm.dlogf("loaded legacy preferences; sentinel=%q", sentinel)
 	if err := pm.SetPrefs(prefs); err != nil {
 		metricMigrationError.Add(1)
 		return fmt.Errorf("migrating _daemon profile: %w", err)
 	}
-	// Do not delete the old state key, as we may be downgraded to an
-	// older version that still relies on it.
+	pm.completeMigration(sentinel)
+	pm.dlogf("completed legacy preferences migration with sentinel=%q", sentinel)
 	metricMigrationSuccess.Add(1)
 	return nil
 }

ipn/ipnlocal/profiles_notwindows.go

@@ -0,0 +1,37 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !windows
+
+package ipnlocal
+
+import (
+	"fmt"
+	"runtime"
+
+	"tailscale.com/ipn"
+	"tailscale.com/version"
+)
+
+func (pm *profileManager) loadLegacyPrefs() (string, ipn.PrefsView, error) {
+	k := ipn.LegacyGlobalDaemonStateKey
+	switch {
+	case runtime.GOOS == "ios":
+		k = "ipn-go-bridge"
+	case version.IsSandboxedMacOS():
+		k = "ipn-go-bridge"
+	case runtime.GOOS == "android":
+		k = "ipn-android"
+	}
+	prefs, err := pm.loadSavedPrefs(k)
+	if err != nil {
+		return "", ipn.PrefsView{}, fmt.Errorf("calling ReadState on state store: %w", err)
+	}
+	pm.logf("migrating %q profile to new format", k)
+	return "", prefs, nil
+}
+
+func (pm *profileManager) completeMigration(migrationSentinel string) {
+	// Do not delete the old state key, as we may be downgraded to an
+	// older version that still relies on it.
+}

ipn/ipnlocal/profiles_test.go

@@ -5,6 +5,7 @@ package ipnlocal
 
 import (
 	"fmt"
+	"os/user"
 	"strconv"
 	"testing"
 
@@ -302,6 +303,12 @@ func TestProfileManagement(t *testing.T) {
 // TestProfileManagementWindows tests going into and out of Unattended mode on
 // Windows.
 func TestProfileManagementWindows(t *testing.T) {
+	u, err := user.Current()
+	if err != nil {
+		t.Fatal(err)
+	}
+	uid := ipn.WindowsUserID(u.Uid)
+
 	store := new(mem.Store)
 
 	pm, err := newProfileManagerWithGOOS(store, logger.Discard, "windows")
@@ -350,8 +357,8 @@ func TestProfileManagementWindows(t *testing.T) {
 
 	{
 		t.Logf("Set user1 as logged in user")
-		if err := pm.SetCurrentUserID("user1"); err != nil {
-			t.Fatal(err)
+		if err := pm.SetCurrentUserID(uid); err != nil {
+			t.Fatalf("can't set user id: %s", err)
 		}
 		checkProfiles(t)
 		t.Logf("Save prefs for user1")
@@ -386,7 +393,7 @@ func TestProfileManagementWindows(t *testing.T) {
 
 	{
 		t.Logf("Set user1 as current user")
-		if err := pm.SetCurrentUserID("user1"); err != nil {
+		if err := pm.SetCurrentUserID(uid); err != nil {
 			t.Fatal(err)
 		}
 		wantCurProfile = "test"
@@ -396,8 +403,8 @@ func TestProfileManagementWindows(t *testing.T) {
 		t.Logf("set unattended mode")
 		wantProfiles["test"] = setPrefs(t, "test", true)
 	}
-	if pm.CurrentUserID() != "user1" {
-		t.Fatalf("CurrentUserID = %q; want %q", pm.CurrentUserID(), "user1")
+	if pm.CurrentUserID() != uid {
+		t.Fatalf("CurrentUserID = %q; want %q", pm.CurrentUserID(), uid)
 	}
 
 	// Recreate the profile manager to ensure that it starts with test profile.
@@ -406,7 +413,7 @@ func TestProfileManagementWindows(t *testing.T) {
 		t.Fatal(err)
 	}
 	checkProfiles(t)
-	if pm.CurrentUserID() != "user1" {
-		t.Fatalf("CurrentUserID = %q; want %q", pm.CurrentUserID(), "user1")
+	if pm.CurrentUserID() != uid {
+		t.Fatalf("CurrentUserID = %q; want %q", pm.CurrentUserID(), uid)
 	}
 }

ipn/ipnlocal/profiles_windows.go

@@ -0,0 +1,90 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package ipnlocal
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"os/user"
+	"path/filepath"
+
+	"tailscale.com/atomicfile"
+	"tailscale.com/ipn"
+	"tailscale.com/util/winutil/policy"
+)
+
+const (
+	legacyPrefsFile                  = "prefs"
+	legacyPrefsMigrationSentinelFile = "_migrated-to-profiles"
+	legacyPrefsExt                   = ".conf"
+)
+
+func legacyPrefsDir(uid ipn.WindowsUserID) (string, error) {
+	// TODO(aaron): Ideally we'd have the impersonation token for the pipe's
+	// client and use it to call SHGetKnownFolderPath, thus yielding the correct
+	// path without having to make gross assumptions about directory names.
+	usr, err := user.LookupId(string(uid))
+	if err != nil {
+		return "", err
+	}
+	if usr.HomeDir == "" {
+		return "", fmt.Errorf("user %q does not have a home directory", uid)
+	}
+	userLegacyPrefsDir := filepath.Join(usr.HomeDir, "AppData", "Local", "Tailscale")
+	return userLegacyPrefsDir, nil
+}
+
+func (pm *profileManager) loadLegacyPrefs() (string, ipn.PrefsView, error) {
+	userLegacyPrefsDir, err := legacyPrefsDir(pm.currentUserID)
+	if err != nil {
+		pm.dlogf("no legacy preferences directory for %q: %v", pm.currentUserID, err)
+		return "", ipn.PrefsView{}, err
+	}
+
+	migrationSentinel := filepath.Join(userLegacyPrefsDir, legacyPrefsMigrationSentinelFile+legacyPrefsExt)
+	// verify that migration sentinel is not present
+	_, err = os.Stat(migrationSentinel)
+	if err == nil {
+		pm.dlogf("migration sentinel %q already exists", migrationSentinel)
+		return "", ipn.PrefsView{}, errAlreadyMigrated
+	}
+	if !os.IsNotExist(err) {
+		pm.dlogf("os.Stat(%q) = %v", migrationSentinel, err)
+		return "", ipn.PrefsView{}, err
+	}
+
+	prefsPath := filepath.Join(userLegacyPrefsDir, legacyPrefsFile+legacyPrefsExt)
+	prefs, err := ipn.LoadPrefs(prefsPath)
+	pm.dlogf("ipn.LoadPrefs(%q) = %v, %v", prefsPath, prefs, err)
+	if errors.Is(err, fs.ErrNotExist) {
+		return "", ipn.PrefsView{}, errAlreadyMigrated
+	}
+	if err != nil {
+		return "", ipn.PrefsView{}, err
+	}
+
+	prefs.ControlURL = policy.SelectControlURL(defaultPrefs.ControlURL(), prefs.ControlURL)
+	prefs.ExitNodeIP = resolveExitNodeIP(prefs.ExitNodeIP)
+	prefs.ShieldsUp = resolveShieldsUp(prefs.ShieldsUp)
+	prefs.ForceDaemon = resolveForceDaemon(prefs.ForceDaemon)
+
+	pm.logf("migrating Windows profile to new format")
+	return migrationSentinel, prefs.View(), nil
+}
+
+func (pm *profileManager) completeMigration(migrationSentinel string) {
+	atomicfile.WriteFile(migrationSentinel, []byte{}, 0600)
+}
+
+func resolveShieldsUp(defval bool) bool {
+	pol := policy.GetPreferenceOptionPolicy("AllowIncomingConnections")
+	return !pol.ShouldEnable(!defval)
+}
+
+func resolveForceDaemon(defval bool) bool {
+	pol := policy.GetPreferenceOptionPolicy("UnattendedMode")
+	return pol.ShouldEnable(defval)
+}

ipn/ipnlocal/serve.go

@@ -17,7 +17,6 @@ import (
 	"net/url"
 	"os"
 	"path"
-	pathpkg "path"
 	"strconv"
 	"strings"
 	"sync"
@@ -144,7 +143,7 @@ func (s *serveListener) Run() {
 }
 
 func (s *serveListener) shouldWarnAboutListenError(err error) bool {
-	if !s.b.e.GetLinkMonitor().InterfaceState().HasIP(s.ap.Addr()) {
+	if !s.b.sys.NetMon.Get().InterfaceState().HasIP(s.ap.Addr()) {
 		// Machine likely doesn't have IPv6 enabled (or the IP is still being
 		// assigned). No need to warn. Notably, WSL2 (Issue 6303).
 		return false
@@ -218,6 +217,11 @@ func (b *LocalBackend) SetServeConfig(config *ipn.ServeConfig) error {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 
+	prefs := b.pm.CurrentPrefs()
+	if config.IsFunnelOn() && prefs.ShieldsUp() {
+		return errors.New("Unable to turn on Funnel while shields-up is enabled")
+	}
+
 	nm := b.netMap
 	if nm == nil {
 		return errors.New("netMap is nil")
@@ -415,19 +419,19 @@ func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView,
 	if h, ok := wsc.Handlers().GetOk(r.URL.Path); ok {
 		return h, r.URL.Path, true
 	}
-	path := path.Clean(r.URL.Path)
+	pth := path.Clean(r.URL.Path)
 	for {
-		withSlash := path + "/"
+		withSlash := pth + "/"
 		if h, ok := wsc.Handlers().GetOk(withSlash); ok {
 			return h, withSlash, true
 		}
-		if h, ok := wsc.Handlers().GetOk(path); ok {
-			return h, path, true
+		if h, ok := wsc.Handlers().GetOk(pth); ok {
+			return h, pth, true
 		}
-		if path == "/" {
+		if pth == "/" {
 			return z, "", false
 		}
-		path = pathpkg.Dir(path)
+		pth = path.Dir(pth)
 	}
 }
 
@@ -439,18 +443,28 @@ func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.Reverse
 	if err != nil {
 		return nil, fmt.Errorf("invalid url %s: %w", targetURL, err)
 	}
-	rp := httputil.NewSingleHostReverseProxy(u)
-	rp.Transport = &http.Transport{
-		DialContext: b.dialer.SystemDial,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: insecure,
+	rp := &httputil.ReverseProxy{
+		Rewrite: func(r *httputil.ProxyRequest) {
+			r.SetURL(u)
+			r.Out.Host = r.In.Host
+			r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
+			r.Out.Header.Set("X-Forwarded-Proto", "https")
+			if c, ok := r.Out.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext); ok {
+				r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
+			}
+		},
+		Transport: &http.Transport{
+			DialContext: b.dialer.SystemDial,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: insecure,
+			},
+			// Values for the following parameters have been copied from http.DefaultTransport.
+			ForceAttemptHTTP2:     true,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
 		},
-		// Values for the following parameters have been copied from http.DefaultTransport.
-		ForceAttemptHTTP2:     true,
-		MaxIdleConns:          100,
-		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 1 * time.Second,
 	}
 	return rp, nil
 }
@@ -476,7 +490,12 @@ func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "unknown proxy destination", http.StatusInternalServerError)
 			return
 		}
-		p.(http.Handler).ServeHTTP(w, r)
+		h := p.(http.Handler)
+		// Trim the mount point from the URL path before proxying. (#6571)
+		if r.URL.Path != "/" {
+			h = http.StripPrefix(strings.TrimSuffix(mountPoint, "/"), h)
+		}
+		h.ServeHTTP(w, r)
 		return
 	}
 

ipn/ipnlocal/state_test.go

@@ -17,6 +17,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
@@ -297,14 +298,17 @@ func TestStateMachine(t *testing.T) {
 	c := qt.New(t)
 
 	logf := tstest.WhileTestRunningLogger(t)
+	sys := new(tsd.System)
 	store := new(testStateStorage)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	sys.Set(store)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(e.Close)
+	sys.Set(e)
 
-	b, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, e, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
@@ -941,13 +945,16 @@ func TestStateMachine(t *testing.T) {
 
 func TestEditPrefsHasNoKeys(t *testing.T) {
 	logf := tstest.WhileTestRunningLogger(t)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	sys := new(tsd.System)
+	sys.Set(new(mem.Store))
+	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(e.Close)
+	sys.Set(e)
 
-	b, err := NewLocalBackend(logf, logid.PublicID{}, new(mem.Store), nil, e, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
@@ -1023,10 +1030,14 @@ func TestWGEngineStatusRace(t *testing.T) {
 	t.Skip("test fails")
 	c := qt.New(t)
 	logf := tstest.WhileTestRunningLogger(t)
-	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
+	sys := new(tsd.System)
+	sys.Set(new(mem.Store))
+
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
 	c.Assert(err, qt.IsNil)
 	t.Cleanup(eng.Close)
-	b, err := NewLocalBackend(logf, logid.PublicID{}, new(mem.Store), nil, eng, 0)
+	sys.Set(eng)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
 	c.Assert(err, qt.IsNil)
 
 	var cc *mockControl

ipn/ipnserver/proxyconnect.go

@@ -37,8 +37,8 @@ func (s *Server) handleProxyConnectConn(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	tr := logpolicy.NewLogtailTransport(logHost)
-	back, err := tr.DialContext(ctx, "tcp", hostPort)
+	dialContext := logpolicy.MakeDialFunc(s.netMon)
+	back, err := dialContext(ctx, "tcp", hostPort)
 	if err != nil {
 		s.logf("error CONNECT dialing %v: %v", hostPort, err)
 		http.Error(w, "Connect failure", http.StatusBadGateway)

ipn/ipnserver/server.go

@@ -24,6 +24,7 @@ import (
 	"tailscale.com/ipn/ipnauth"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/localapi"
+	"tailscale.com/net/netmon"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/mak"
@@ -36,6 +37,7 @@ import (
 type Server struct {
 	lb           atomic.Pointer[ipnlocal.LocalBackend]
 	logf         logger.Logf
+	netMon       *netmon.Monitor // must be non-nil
 	backendLogID logid.PublicID
 	// resetOnZero is whether to call bs.Reset on transition from
 	// 1->0 active HTTP requests. That is, this is whether the backend is
@@ -197,7 +199,7 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) {
 	defer onDone()
 
 	if strings.HasPrefix(r.URL.Path, "/localapi/") {
-		lah := localapi.NewHandler(lb, s.logf, s.backendLogID)
+		lah := localapi.NewHandler(lb, s.logf, s.netMon, s.backendLogID)
 		lah.PermitRead, lah.PermitWrite = s.localAPIPermissions(ci)
 		lah.PermitCert = s.connCanFetchCerts(ci)
 		lah.ServeHTTP(w, r)
@@ -413,10 +415,14 @@ func (s *Server) addActiveHTTPRequest(req *http.Request, ci *ipnauth.ConnIdentit
 //
 // At some point, either before or after Run, the Server's SetLocalBackend
 // method must also be called before Server can do anything useful.
-func New(logf logger.Logf, logID logid.PublicID) *Server {
+func New(logf logger.Logf, logID logid.PublicID, netMon *netmon.Monitor) *Server {
+	if netMon == nil {
+		panic("nil netMon")
+	}
 	return &Server{
 		backendLogID: logID,
 		logf:         logf,
+		netMon:       netMon,
 		resetOnZero:  envknob.GOOS() == "windows",
 	}
 }