.github/workflows: add cross-android

Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>
2022-04-21 10:26:40 -07:00 · 2022-04-21 10:13:27 -07:00 · 2022-04-21 10:00:02 -07:00
41 changed files with 358 additions and 1403 deletions
--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@@ -0,0 +1,53 @@
+name: Android-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Android build cmd
+      env:
+        GOOS: android
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: Android build tests (does not run tests)
+      env:
+        GOOS: android
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -run '^$' -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.24.2
+1.23.0
--- a/cmd/tailscale/cli/ssh.go
+++ b/cmd/tailscale/cli/ssh.go
@@ -18,6 +18,7 @@ import (
 	"strings"
 	"syscall"

+	"github.com/alessio/shellescape"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
@@ -75,52 +76,38 @@ func runSSH(ctx context.Context, args []string) error {
 		return err
 	}

-	argv := []string{ssh}
+	argv := append([]string{
+		ssh,

-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		argv = append(argv, "-vvv")
-	}
-	argv = append(argv,
 		// Only trust SSH hosts that we know about.
-		"-o", fmt.Sprintf("UserKnownHostsFile %q", knownHostsFile),
+		"-o", fmt.Sprintf("UserKnownHostsFile %s",
+			shellescape.Quote(knownHostsFile),
+		),
 		"-o", "UpdateHostKeys no",
 		"-o", "StrictHostKeyChecking yes",
-	)

-	// TODO(bradfitz): nc is currently broken on macOS:
-	// https://github.com/tailscale/tailscale/issues/4529
-	// So don't use it for now. MagicDNS is usually working on macOS anyway
-	// and they're not in userspace mode, so 'nc' isn't very useful.
-	if runtime.GOOS != "darwin" {
-		argv = append(argv,
-			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
-				tailscaleBin,
-				rootArgs.socket,
-			))
-	}
+		"-o", fmt.Sprintf("ProxyCommand %s --socket=%s nc %%h %%p",
+			shellescape.Quote(tailscaleBin),
+			shellescape.Quote(rootArgs.socket),
+		),

-	// Explicitly rebuild the user@host argument rather than
-	// passing it through.  In general, the use of OpenSSH's ssh
-	// binary is a crutch for now.  We don't want to be
-	// Hyrum-locked into passing through all OpenSSH flags to the
-	// OpenSSH client forever. We try to make our flags and args
-	// be compatible, but only a subset. The "tailscale ssh"
-	// command should be a simple and portable one. If they want
-	// to use a different one, we'll later be making stock ssh
-	// work well by default too. (doing things like automatically
-	// setting known_hosts, etc)
-	argv = append(argv, username+"@"+hostForSSH)
-
-	argv = append(argv, argRest...)
-
-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		log.Printf("Running: %q, %q ...", ssh, argv)
-	}
+		// Explicitly rebuild the user@host argument rather than
+		// passing it through.  In general, the use of OpenSSH's ssh
+		// binary is a crutch for now.  We don't want to be
+		// Hyrum-locked into passing through all OpenSSH flags to the
+		// OpenSSH client forever. We try to make our flags and args
+		// be compatible, but only a subset. The "tailscale ssh"
+		// command should be a simple and portable one. If they want
+		// to use a different one, we'll later be making stock ssh
+		// work well by default too. (doing things like automatically
+		// setting known_hosts, etc)
+		username + "@" + hostForSSH,
+	}, argRest...)

 	if runtime.GOOS == "windows" {
 		// Don't use syscall.Exec on Windows.
 		cmd := exec.Command(ssh, argv[1:]...)
-		cmd.Stdin = os.Stdin
+		cmd.Stderr = os.Stderr
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		var ee *exec.ExitError
@@ -131,6 +118,9 @@ func runSSH(ctx context.Context, args []string) error {
 		return err
 	}

+	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
+		log.Printf("Running: %q, %q ...", ssh, argv)
+	}
 	if err := syscall.Exec(ssh, argv, os.Environ()); err != nil {
 		return err
 	}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -52,7 +52,7 @@ down").
 If flags are specified, the flags must be the complete set of desired
 settings. An error is returned if any setting would be changed as a
 result of an unspecified flag's default value, unless the --reset flag
-is also used. (The flags --auth-key, --force-reauth, and --qr are not
+is also used. (The flags --authkey, --force-reauth, and --qr are not
 considered settings that need to be re-specified when modifying
 settings.)
 `),
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -1,5 +1,6 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)

+        github.com/alessio/shellescape                               from tailscale.com/cmd/tailscale/cli
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -82,7 +82,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-  LD    github.com/kr/fs                                             from github.com/pkg/sftp
   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
@@ -90,8 +89,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
-  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
-  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
  LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
  LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
@@ -264,7 +261,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/cmd/tailscaled+
        tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
@@ -302,7 +298,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
+  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -332,7 +332,6 @@ func run() error {
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

 	dialer := new(tsdial.Dialer) // mutated below (before used)
-	dialer.Logf = logf
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
@@ -395,7 +394,6 @@ func run() error {
 	// want to keep running.
 	signal.Ignore(syscall.SIGPIPE)
 	go func() {
-		defer dialer.Close()
 		select {
 		case s := <-interrupt:
 			logf("tailscaled got signal %v; shutting down", s)
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -38,9 +38,9 @@ import (
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/netns"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -57,8 +57,7 @@ import (
 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
 	httpc                  *http.Client // HTTP client used to talk to tailcontrol
-	dialer                 *tsdial.Dialer
-	serverURL              string // URL of the tailcontrol server
+	serverURL              string       // URL of the tailcontrol server
 	timeNow                func() time.Time
 	lastPrintMap           time.Time
 	newDecompressor        func() (Decompressor, error)
@@ -107,7 +106,6 @@ type Options struct {
 	DebugFlags           []string         // debug settings to send to control
 	LinkMonitor          *monitor.Mon     // optional link monitor
 	PopBrowserURL        func(url string) // optional func to open browser
-	Dialer               *tsdial.Dialer   // non-nil

 	// KeepSharerAndUserSplit controls whether the client
 	// understands Node.Sharer. If false, the Sharer is mapped to the User.
@@ -172,12 +170,13 @@ func NewDirect(opts Options) (*Direct, error) {
 			UseLastGood:      true,
 			LookupIPFallback: dnsfallback.Lookup,
 		}
+		dialer := netns.NewDialer(opts.Logf)
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
 		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
 		tr.TLSClientConfig = tlsdial.Config(serverURL.Hostname(), tr.TLSClientConfig)
-		tr.DialContext = dnscache.Dialer(opts.Dialer.SystemDial, dnsCache)
-		tr.DialTLSContext = dnscache.TLSDialer(opts.Dialer.SystemDial, dnsCache, tr.TLSClientConfig)
+		tr.DialContext = dnscache.Dialer(dialer.DialContext, dnsCache)
+		tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dnsCache, tr.TLSClientConfig)
 		tr.ForceAttemptHTTP2 = true
 		// Disable implicit gzip compression; the various
 		// handlers (register, map, set-dns, etc) do their own
@@ -203,7 +202,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
 		pinger:                 opts.Pinger,
 		popBrowser:             opts.PopBrowserURL,
-		dialer:                 opts.Dialer,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
@@ -378,7 +376,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		if err != nil {
 			return regen, opt.URL, err
 		}
-		c.logf("control server key from %s: ts2021=%s, legacy=%v", c.serverURL, keys.PublicKey.ShortString(), keys.LegacyPublicKey.ShortString())
+		c.logf("control server key %s from %s", serverKey.ShortString(), c.serverURL)

 		c.mu.Lock()
 		c.serverKey = keys.LegacyPublicKey
@@ -1280,7 +1278,7 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 			return nil, err
 		}

-		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer)
+		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL)
 		if err != nil {
 			return nil, err
 		}
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -14,7 +14,6 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@@ -31,7 +30,6 @@ func TestNewDirect(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
-		Dialer: new(tsdial.Dialer),
 	}
 	c, err := NewDirect(opts)
 	if err != nil {
@@ -108,7 +106,6 @@ func TestTsmpPing(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
-		Dialer: new(tsdial.Dialer),
 	}

 	c, err := NewDirect(opts)
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -18,10 +18,8 @@ import (
 	"golang.org/x/net/http2"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 )

@@ -47,7 +45,6 @@ func (c *noiseConn) Close() error {
 // the ts2021 protocol.
 type noiseClient struct {
 	*http.Client // HTTP client used to talk to tailcontrol
-	dialer       *tsdial.Dialer
 	privKey      key.MachinePrivate
 	serverPubKey key.MachinePublic
 	serverHost   string // the host:port part of serverURL
@@ -60,7 +57,7 @@ type noiseClient struct {

 // newNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer) (*noiseClient, error) {
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string) (*noiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -77,7 +74,6 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		serverPubKey: serverPubKey,
 		privKey:      priKey,
 		serverHost:   host,
-		dialer:       dialer,
 	}

 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -141,6 +137,9 @@ func (nc *noiseClient) Close() error {
 func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	connID := nc.nextID
+	if nc.connPool == nil {
+		nc.connPool = make(map[int]*noiseConn)
+	}
 	nc.nextID++
 	nc.mu.Unlock()

@@ -154,7 +153,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
-	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
+	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion))
 	if err != nil {
 		return nil, err
 	}
@@ -162,6 +161,6 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	defer nc.mu.Unlock()
 	ncc := &noiseConn{Conn: conn, id: connID, pool: nc}
-	mak.Set(&nc.connPool, ncc.id, ncc)
+	nc.connPool[ncc.id] = ncc
 	return ncc, nil
 }
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -25,15 +25,16 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
 	"net/url"
-	"time"

 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
+	"tailscale.com/net/netns"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
@@ -64,12 +65,13 @@ const (
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16) (*controlbase.Conn, error) {
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
 	}
 	a := &dialParams{
+		ctx:        ctx,
 		host:       host,
 		httpPort:   port,
 		httpsPort:  "443",
@@ -77,12 +79,12 @@ func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, contr
 		controlKey: controlKey,
 		version:    protocolVersion,
 		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
-		dialer:     dialer,
 	}
-	return a.dial(ctx)
+	return a.dial()
 }

 type dialParams struct {
+	ctx        context.Context
 	host       string
 	httpPort   string
 	httpsPort  string
@@ -90,132 +92,65 @@ type dialParams struct {
 	controlKey key.MachinePublic
 	version    uint16
 	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
-	dialer     dnscache.DialContextFunc

 	// For tests only
-	insecureTLS       bool
-	testFallbackDelay time.Duration
+	insecureTLS bool
 }

-// httpsFallbackDelay is how long we'll wait for a.httpPort to work before
-// starting to try a.httpsPort.
-func (a *dialParams) httpsFallbackDelay() time.Duration {
-	if v := a.testFallbackDelay; v != 0 {
-		return v
-	}
-	return 500 * time.Millisecond
-}
-
-func (a *dialParams) dial(ctx context.Context) (*controlbase.Conn, error) {
-	// Create one shared context used by both port 80 and port 443 dials.
-	// If port 80 is still in flight when 443 returns, this deferred cancel
-	// will stop the port 80 dial.
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	// u80 and u443 are the URLs we'll try to hit over HTTP or HTTPS,
-	// respectively, in order to do the HTTP upgrade to a net.Conn over which
-	// we'll speak Noise.
-	u80 := &url.URL{
-		Scheme: "http",
-		Host:   net.JoinHostPort(a.host, a.httpPort),
-		Path:   serverUpgradePath,
-	}
-	u443 := &url.URL{
-		Scheme: "https",
-		Host:   net.JoinHostPort(a.host, a.httpsPort),
-		Path:   serverUpgradePath,
-	}
-
-	type tryURLRes struct {
-		u    *url.URL          // input (the URL conn+err are for/from)
-		conn *controlbase.Conn // result (mutually exclusive with err)
-		err  error
-	}
-	ch := make(chan tryURLRes) // must be unbuffered
-	try := func(u *url.URL) {
-		cbConn, err := a.dialURL(ctx, u)
-		select {
-		case ch <- tryURLRes{u, cbConn, err}:
-		case <-ctx.Done():
-			if cbConn != nil {
-				cbConn.Close()
-			}
-		}
-	}
-
-	// Start the plaintext HTTP attempt first.
-	go try(u80)
-
-	// In case outbound port 80 blocked or MITM'ed poorly, start a backup timer
-	// to dial port 443 if port 80 doesn't either succeed or fail quickly.
-	try443Timer := time.AfterFunc(a.httpsFallbackDelay(), func() { try(u443) })
-	defer try443Timer.Stop()
-
-	var err80, err443 error
-	for {
-		select {
-		case <-ctx.Done():
-			return nil, fmt.Errorf("connection attempts aborted by context: %w", ctx.Err())
-		case res := <-ch:
-			if res.err == nil {
-				return res.conn, nil
-			}
-			switch res.u {
-			case u80:
-				// Connecting over plain HTTP failed; assume it's an HTTP proxy
-				// being difficult and see if we can get through over HTTPS.
-				err80 = res.err
-				// Stop the fallback timer and run it immediately. We don't use
-				// Timer.Reset(0) here because on AfterFuncs, that can run it
-				// again.
-				if try443Timer.Stop() {
-					go try(u443)
-				} // else we lost the race and it started already which is what we want
-			case u443:
-				err443 = res.err
-			default:
-				panic("invalid")
-			}
-			if err80 != nil && err443 != nil {
-				return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", err80, err443)
-			}
-		}
-	}
-}
-
-// dialURL attempts to connect to the given URL.
-func (a *dialParams) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
+func (a *dialParams) dial() (*controlbase.Conn, error) {
 	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
-	netConn, err := a.tryURLUpgrade(ctx, u, init)
+
+	u := &url.URL{
+		Scheme: "http",
+		Host:   net.JoinHostPort(a.host, a.httpPort),
+		Path:   serverUpgradePath,
+	}
+	conn, httpErr := a.tryURL(u, init)
+	if httpErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
+	}
+
+	// Connecting over plain HTTP failed, assume it's an HTTP proxy
+	// being difficult and see if we can get through over HTTPS.
+	u.Scheme = "https"
+	u.Host = net.JoinHostPort(a.host, a.httpsPort)
+	init, cont, err = controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
-	cbConn, err := cont(ctx, netConn)
-	if err != nil {
-		netConn.Close()
-		return nil, err
+	conn, tlsErr := a.tryURL(u, init)
+	if tlsErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
 	}
-	return cbConn, nil
+
+	return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", httpErr, tlsErr)
 }

-// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
-//
-// Only the provided ctx is used, not a.ctx.
-func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
+func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
 	dns := &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward,
 		LookupIPFallback: dnsfallback.Lookup,
 		UseLastGood:      true,
 	}
+	dialer := netns.NewDialer(log.Printf)
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	defer tr.CloseIdleConnections()
 	tr.Proxy = a.proxyFunc
 	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
-	tr.DialContext = dnscache.Dialer(a.dialer, dns)
+	tr.DialContext = dnscache.Dialer(dialer.DialContext, dns)
 	// Disable HTTP2, since h2 can't do protocol switching.
 	tr.TLSClientConfig.NextProtos = []string{}
 	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
@@ -224,7 +159,7 @@ func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte)
 		tr.TLSClientConfig.InsecureSkipVerify = true
 		tr.TLSClientConfig.VerifyConnection = nil
 	}
-	tr.DialTLSContext = dnscache.TLSDialer(a.dialer, dns, tr.TLSClientConfig)
+	tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dns, tr.TLSClientConfig)
 	tr.DisableCompression = true

 	// (mis)use httptrace to extract the underlying net.Conn from the
@@ -254,7 +189,7 @@ func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte)
 			connCh <- info.Conn
 		},
 	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
+	ctx := httptrace.WithClientTrace(a.ctx, &trace)
 	req := &http.Request{
 		Method: "POST",
 		URL:    u,
--- a/control/controlhttp/http_test.go
+++ b/control/controlhttp/http_test.go
@@ -17,36 +17,22 @@ import (
 	"strconv"
 	"sync"
 	"testing"
-	"time"

 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/socks5"
-	"tailscale.com/net/tsdial"
 	"tailscale.com/types/key"
 )

-type httpTestParam struct {
-	name  string
-	proxy proxy
-
-	// makeHTTPHangAfterUpgrade makes the HTTP response hang after sending a
-	// 101 switching protocols.
-	makeHTTPHangAfterUpgrade bool
-}
-
 func TestControlHTTP(t *testing.T) {
-	tests := []httpTestParam{
+	tests := []struct {
+		name  string
+		proxy proxy
+	}{
 		// direct connection
 		{
 			name:  "no_proxy",
 			proxy: nil,
 		},
-		// direct connection but port 80 is MITM'ed and broken
-		{
-			name:                     "port80_broken_mitm",
-			proxy:                    nil,
-			makeHTTPHangAfterUpgrade: true,
-		},
 		// SOCKS5
 		{
 			name:  "socks5",
@@ -110,13 +96,12 @@ func TestControlHTTP(t *testing.T) {

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			testControlHTTP(t, test)
+			testControlHTTP(t, test.proxy)
 		})
 	}
 }

-func testControlHTTP(t *testing.T, param httpTestParam) {
-	proxy := param.proxy
+func testControlHTTP(t *testing.T, proxy proxy) {
 	client, server := key.NewMachine(), key.NewMachine()

 	const testProtocolVersion = 1
@@ -147,11 +132,7 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		t.Fatalf("HTTPS listen: %v", err)
 	}

-	var httpHandler http.Handler = handler
-	if param.makeHTTPHangAfterUpgrade {
-		httpHandler = http.HandlerFunc(brokenMITMHandler)
-	}
-	httpServer := &http.Server{Handler: httpHandler}
+	httpServer := &http.Server{Handler: handler}
 	go httpServer.Serve(httpLn)
 	defer httpServer.Close()

@@ -162,24 +143,18 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 	go httpsServer.ServeTLS(httpsLn, "", "")
 	defer httpsServer.Close()

-	ctx := context.Background()
-	const debugTimeout = false
-	if debugTimeout {
-		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-	}
+	//ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	//defer cancel()

 	a := dialParams{
-		host:              "localhost",
-		httpPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
-		httpsPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
-		machineKey:        client,
-		controlKey:        server.Public(),
-		version:           testProtocolVersion,
-		insecureTLS:       true,
-		dialer:            new(tsdial.Dialer).SystemDial,
-		testFallbackDelay: 50 * time.Millisecond,
+		ctx:         context.Background(), //ctx,
+		host:        "localhost",
+		httpPort:    strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:   strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:  client,
+		controlKey:  server.Public(),
+		version:     testProtocolVersion,
+		insecureTLS: true,
 	}

 	if proxy != nil {
@@ -198,7 +173,7 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		}
 	}

-	conn, err := a.dial(ctx)
+	conn, err := a.dial()
 	if err != nil {
 		t.Fatalf("dialing controlhttp: %v", err)
 	}
@@ -240,7 +215,6 @@ type proxy interface {

 type socksProxy struct {
 	sync.Mutex
-	closed          bool
 	proxy           socks5.Server
 	ln              net.Listener
 	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
@@ -256,14 +230,7 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 	}
 	s.ln = ln
 	s.clientConnAddrs = map[string]bool{}
-	s.proxy.Logf = func(format string, a ...any) {
-		s.Lock()
-		defer s.Unlock()
-		if s.closed {
-			return
-		}
-		t.Logf(format, a...)
-	}
+	s.proxy.Logf = t.Logf
 	s.proxy.Dialer = s.dialAndRecord
 	go s.proxy.Serve(ln)
 	return fmt.Sprintf("socks5://%s", ln.Addr().String())
@@ -272,10 +239,6 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 func (s *socksProxy) Close() {
 	s.Lock()
 	defer s.Unlock()
-	if s.closed {
-		return
-	}
-	s.closed = true
 	s.ln.Close()
 }

@@ -435,11 +398,3 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		Certificates: []tls.Certificate{cert},
 	}
 }
-
-func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Upgrade", upgradeHeaderValue)
-	w.Header().Set("Connection", "upgrade")
-	w.WriteHeader(http.StatusSwitchingProtocols)
-	w.(http.Flusher).Flush()
-	<-r.Context().Done()
-}
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.18
 require (
 	filippo.io/mkcert v1.4.3
 	github.com/akutz/memconn v0.1.0
+	github.com/alessio/shellescape v1.4.1
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be
 	github.com/aws/aws-sdk-go-v2 v1.11.2
@@ -39,7 +40,7 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1
+	github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
@@ -48,10 +49,10 @@ require (
 	github.com/u-root/u-root v0.8.0
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	go4.org/mem v0.0.0-20210711025021-927187094b94
-	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
+	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20220422013727-9388b58f7150
+	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11-0.20220413170336-afc6aad76eb1
--- a/go.sum
+++ b/go.sum
@@ -104,6 +104,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
+github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
@@ -1065,8 +1067,8 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1 h1:vsFV6BKSIgjRd8m8UfrGW4r+cc28fRF71K6IRo46rKs=
-github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f h1:3CuODoSnBXS+ZkQlGakDqtX1o2RteR1870yF+dS61PY=
+github.com/tailscale/golang-x-crypto v0.0.0-20220420224200-c602b5dfaa7f/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83 h1:f7nwzdAHTUUOJjHZuDvLz9CEAlUM228amCRvwzlPvsA=
@@ -1225,8 +1227,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA=
+golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1476,8 +1478,8 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1034,7 +1034,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		LinkMonitor:          b.e.GetLinkMonitor(),
 		Pinger:               b.e,
 		PopBrowserURL:        b.tellClientToBrowseToURL,
-		Dialer:               b.Dialer(),

 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -563,9 +563,6 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case "/v0/dnsfwd":
 		h.handleServeDNSFwd(w, r)
 		return
-	case "/v0/interfaces":
-		h.handleServeInterfaces(w, r)
-		return
 	}
 	who := h.peerUser.DisplayName
 	fmt.Fprintf(w, `<html>
@@ -580,40 +577,6 @@ This is my Tailscale device. Your device is %v.
 	}
 }

-func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
-	if !h.canDebug() {
-		http.Error(w, "denied; no debug access", http.StatusForbidden)
-		return
-	}
-	i, err := interfaces.GetList()
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-	}
-
-	dr, err := interfaces.DefaultRoute()
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	fmt.Fprintln(w, "<h1>Interfaces</h1>")
-	fmt.Fprintf(w, "<h3>Default route is %q(%d)</h3>\n", dr.InterfaceName, dr.InterfaceIndex)
-
-	fmt.Fprintln(w, "<table>")
-	fmt.Fprint(w, "<tr>")
-	for _, v := range []any{"Index", "Name", "MTU", "Flags", "Addrs"} {
-		fmt.Fprintf(w, "<th>%v</th> ", v)
-	}
-	fmt.Fprint(w, "</tr>\n")
-	i.ForeachInterface(func(iface interfaces.Interface, ipps []netaddr.IPPrefix) {
-		fmt.Fprint(w, "<tr>")
-		for _, v := range []any{iface.Index, iface.Name, iface.MTU, iface.Flags, ipps} {
-			fmt.Fprintf(w, "<td>%v</td> ", v)
-		}
-		fmt.Fprint(w, "</tr>\n")
-	})
-	fmt.Fprintln(w, "</table>")
-}
-
 type incomingFile struct {
 	name        string // "foo.jpg"
 	started     time.Time
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -428,14 +428,9 @@ func NewPrefs() *Prefs {
 }

 // ControlURLOrDefault returns the coordination server's URL base.
-//
-// If not configured, or if the configured value is a legacy name equivalent to
-// the default, then DefaultControlURL is returned instead.
+// If not configured, DefaultControlURL is returned instead.
 func (p *Prefs) ControlURLOrDefault() string {
 	if p.ControlURL != "" {
-		if p.ControlURL != DefaultControlURL && IsLoginServerSynonym(p.ControlURL) {
-			return DefaultControlURL
-		}
 		return p.ControlURL
 	}
 	return DefaultControlURL
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -810,18 +810,3 @@ func TestExitNodeIPOfArg(t *testing.T) {
 		})
 	}
 }
-
-func TestControlURLOrDefault(t *testing.T) {
-	var p Prefs
-	if got, want := p.ControlURLOrDefault(), DefaultControlURL; got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-	p.ControlURL = "http://foo.bar"
-	if got, want := p.ControlURLOrDefault(), "http://foo.bar"; got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-	p.ControlURL = "https://login.tailscale.com"
-	if got, want := p.ControlURLOrDefault(), DefaultControlURL; got != want {
-		t.Errorf("got %q; want %q", got, want)
-	}
-}
--- a/ipn/store/stores.go
+++ b/ipn/store/stores.go
@@ -21,7 +21,6 @@ import (
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/paths"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/mak"
 )

 // Provider returns a StateStore for the provided path.
@@ -83,7 +82,10 @@ func Register(prefix string, fn Provider) {
 	if _, ok := knownStores[prefix]; ok {
 		panic(fmt.Sprintf("%q already registered", prefix))
 	}
-	mak.Set(&knownStores, prefix, fn)
+	if knownStores == nil {
+		knownStores = make(map[string]Provider)
+	}
+	knownStores[prefix] = fn
 }

 // TryWindowsAppDataMigration attempts to copy the Windows state file
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -17,7 +17,6 @@ import (
 	"os"
 	"runtime"
 	"sort"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -634,10 +633,6 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 			return tsaddr.TailscaleServiceIPv6(), dns.RCodeSuccess
 		}
 	}
-	// Special-case: 'via-<siteid>.<ipv4>' queries.
-	if ip, ok := r.parseViaDomain(domain, typ); ok {
-		return ip, dns.RCodeSuccess
-	}

 	r.mu.Lock()
 	hosts := r.hostToIP
@@ -713,46 +708,6 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netaddr.IP,
 	}
 }

-// parseViaDomain synthesizes an IP address for quad-A DNS requests of
-// the form 'via-<X>.<IPv4-address>', where X is a decimal, or hex-encoded
-// number with a '0x' prefix.
-//
-// This exists as a convenient mapping into Tailscales 'Via Range'.
-func (r *Resolver) parseViaDomain(domain dnsname.FQDN, typ dns.Type) (netaddr.IP, bool) {
-	fqdn := string(domain.WithoutTrailingDot())
-	if typ != dns.TypeAAAA {
-		return netaddr.IP{}, false
-	}
-	if len(fqdn) < len("via-X.0.0.0.0") {
-		return netaddr.IP{}, false // too short to be valid
-	}
-	if !strings.HasPrefix(fqdn, "via-") {
-		return netaddr.IP{}, false
-	}
-
-	firstDot := strings.Index(fqdn, ".")
-	if firstDot < 0 {
-		return netaddr.IP{}, false // missing dot delimiters
-	}
-
-	siteID := fqdn[len("via-"):firstDot]
-	ip4Str := fqdn[firstDot+1:]
-
-	ip4, err := netaddr.ParseIP(ip4Str)
-	if err != nil {
-		return netaddr.IP{}, false // badly formed, dont respond
-	}
-
-	prefix, err := strconv.ParseUint(siteID, 0, 32)
-	if err != nil {
-		return netaddr.IP{}, false // badly formed, dont respond
-	}
-
-	// MapVia will never error when given an ipv4 netaddr.IPPrefix.
-	out, _ := tsaddr.MapVia(uint32(prefix), netaddr.IPPrefixFrom(ip4, ip4.BitLen()))
-	return out.IP(), true
-}
-
 // resolveReverse returns the unique domain name that maps to the given address.
 func (r *Resolver) resolveLocalReverse(name dnsname.FQDN) (dnsname.FQDN, dns.RCode) {
 	var ip netaddr.IP
--- a/net/dns/resolver/tsdns_test.go
+++ b/net/dns/resolver/tsdns_test.go
@@ -348,9 +348,6 @@ func TestResolveLocal(t *testing.T) {
 		{"ns-nxdomain", "test3.ipn.dev.", dns.TypeNS, netaddr.IP{}, dns.RCodeNameError},
 		{"onion-domain", "footest.onion.", dns.TypeA, netaddr.IP{}, dns.RCodeNameError},
 		{"magicdns", dnsSymbolicFQDN, dns.TypeA, netaddr.MustParseIP("100.100.100.100"), dns.RCodeSuccess},
-		{"via_hex", dnsname.FQDN("via-0xff.1.2.3.4."), dns.TypeAAAA, netaddr.MustParseIP("fd7a:115c:a1e0:b1a:0:ff:102:304"), dns.RCodeSuccess},
-		{"via_dec", dnsname.FQDN("via-1.10.0.0.1."), dns.TypeAAAA, netaddr.MustParseIP("fd7a:115c:a1e0:b1a:0:1:a00:1"), dns.RCodeSuccess},
-		{"via_invalid", dnsname.FQDN("via-."), dns.TypeA, netaddr.IP{}, dns.RCodeRefused},
 	}

 	for _, tt := range tests {
--- a/net/netns/netns_linux_test.go
+++ b/net/netns/netns_linux_test.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build linux && !android
+// +build linux,!android
+
 package netns

 import (
--- a/net/tsdial/tsdial.go
+++ b/net/tsdial/tsdial.go
@@ -20,12 +20,8 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/net/dnscache"
-	"tailscale.com/net/interfaces"
 	"tailscale.com/net/netknob"
-	"tailscale.com/net/netns"
-	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
-	"tailscale.com/util/mak"
 	"tailscale.com/wgengine/monitor"
 )

@@ -34,7 +30,6 @@ import (
 // (TUN, netstack), the OS network sandboxing style (macOS/iOS
 // Extension, none), user-selected route acceptance prefs, etc.
 type Dialer struct {
-	Logf logger.Logf
 	// UseNetstackForIP if non-nil is whether NetstackDialTCP (if
 	// it's non-nil) should be used to dial the provided IP.
 	UseNetstackForIP func(netaddr.IP) bool
@@ -51,33 +46,12 @@ type Dialer struct {
 	peerDialerOnce sync.Once
 	peerDialer     *net.Dialer

-	netnsDialerOnce sync.Once
-	netnsDialer     netns.Dialer
-
-	mu                sync.Mutex
-	closed            bool
-	dns               dnsMap
-	tunName           string // tun device name
-	linkMon           *monitor.Mon
-	linkMonUnregister func()
-	exitDNSDoHBase    string                 // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
-	dnsCache          *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
-	nextSysConnID     int
-	activeSysConns    map[int]net.Conn // active connections not yet closed
-}
-
-// sysConn wraps a net.Conn that was created using d.SystemDial.
-// It exists to track which connections are still open, and should be
-// closed on major link changes.
-type sysConn struct {
-	net.Conn
-	id int
-	d  *Dialer
-}
-
-func (c sysConn) Close() error {
-	c.d.closeSysConn(c.id)
-	return nil
+	mu             sync.Mutex
+	dns            dnsMap
+	tunName        string // tun device name
+	linkMon        *monitor.Mon
+	exitDNSDoHBase string                 // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
+	dnsCache       *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
 }

 // SetTUNName sets the name of the tun device in use ("tailscale0", "utun6",
@@ -117,53 +91,10 @@ func (d *Dialer) SetExitDNSDoH(doh string) {
 	}
 }

-func (d *Dialer) Close() error {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	d.closed = true
-	if d.linkMonUnregister != nil {
-		d.linkMonUnregister()
-		d.linkMonUnregister = nil
-	}
-	for _, c := range d.activeSysConns {
-		c.Close()
-	}
-	d.activeSysConns = nil
-	return nil
-}
-
 func (d *Dialer) SetLinkMonitor(mon *monitor.Mon) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
-	if d.linkMonUnregister != nil {
-		go d.linkMonUnregister()
-		d.linkMonUnregister = nil
-	}
 	d.linkMon = mon
-	d.linkMonUnregister = d.linkMon.RegisterChangeCallback(d.linkChanged)
-}
-
-func (d *Dialer) linkChanged(major bool, state *interfaces.State) {
-	if !major {
-		return
-	}
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	for id, c := range d.activeSysConns {
-		go c.Close()
-		delete(d.activeSysConns, id)
-	}
-}
-
-func (d *Dialer) closeSysConn(id int) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	c, ok := d.activeSysConns[id]
-	if !ok {
-		return
-	}
-	delete(d.activeSysConns, id)
-	go c.Close() // ignore the error
 }

 func (d *Dialer) interfaceIndexLocked(ifName string) (index int, ok bool) {
@@ -266,42 +197,6 @@ func ipNetOfNetwork(n string) string {
 	return "ip"
 }

-// SystemDial connects to the provided network address without going over
-// Tailscale. It prefers going over the default interface and closes existing
-// connections if the default interface changes. It is used to connect to
-// Control and (in the future, as of 2022-04-27) DERPs..
-func (d *Dialer) SystemDial(ctx context.Context, network, addr string) (net.Conn, error) {
-	d.mu.Lock()
-	closed := d.closed
-	d.mu.Unlock()
-	if closed {
-		return nil, net.ErrClosed
-	}
-
-	d.netnsDialerOnce.Do(func() {
-		logf := d.Logf
-		if logf == nil {
-			logf = logger.Discard
-		}
-		d.netnsDialer = netns.NewDialer(logf)
-	})
-	c, err := d.netnsDialer.DialContext(ctx, network, addr)
-	if err != nil {
-		return nil, err
-	}
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	id := d.nextSysConnID
-	d.nextSysConnID++
-	mak.Set(&d.activeSysConns, id, c)
-
-	return sysConn{
-		id:   id,
-		d:    d,
-		Conn: c,
-	}, nil
-}
-
 // UserDial connects to the provided network address as if a user were initiating the dial.
 // (e.g. from a SOCKS or HTTP outbound proxy)
 func (d *Dialer) UserDial(ctx context.Context, network, addr string) (net.Conn, error) {
--- a/net/tshttpproxy/tshttpproxy_linux.go
+++ b/net/tshttpproxy/tshttpproxy_linux.go
@@ -1,26 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-// +build linux
-
-package tshttpproxy
-
-import (
-	"net/http"
-	"net/url"
-
-	"tailscale.com/version/distro"
-)
-
-func init() {
-	sysProxyFromEnv = linuxSysProxyFromEnv
-}
-
-func linuxSysProxyFromEnv(req *http.Request) (*url.URL, error) {
-	if distro.Get() == distro.Synology {
-		return synologyProxyFromConfigCached(req)
-	}
-	return nil, nil
-}
--- a/net/tshttpproxy/tshttpproxy_synology.go
+++ b/net/tshttpproxy/tshttpproxy_synology.go
@@ -1,142 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-// +build linux
-
-package tshttpproxy
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"strings"
-	"sync"
-	"time"
-
-	"tailscale.com/util/lineread"
-)
-
-// These vars are overridden for tests.
-var (
-	synologyProxyConfigPath = "/etc/proxy.conf"
-
-	openSynologyProxyConf = func() (io.ReadCloser, error) {
-		return os.Open(synologyProxyConfigPath)
-	}
-)
-
-var cache struct {
-	sync.Mutex
-	httpProxy  *url.URL
-	httpsProxy *url.URL
-	updated    time.Time
-}
-
-func synologyProxyFromConfigCached(req *http.Request) (*url.URL, error) {
-	if req.URL == nil {
-		return nil, nil
-	}
-
-	cache.Lock()
-	defer cache.Unlock()
-
-	var err error
-	modtime := mtime(synologyProxyConfigPath)
-
-	if modtime != cache.updated {
-		cache.httpProxy, cache.httpsProxy, err = synologyProxiesFromConfig()
-		cache.updated = modtime
-	}
-
-	if req.URL.Scheme == "https" {
-		return cache.httpsProxy, err
-	}
-	return cache.httpProxy, err
-}
-
-func synologyProxiesFromConfig() (*url.URL, *url.URL, error) {
-	r, err := openSynologyProxyConf()
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil, nil, nil
-		}
-		return nil, nil, err
-	}
-	defer r.Close()
-
-	return parseSynologyConfig(r)
-}
-
-// parseSynologyConfig parses the Synology proxy configuration, and returns any
-// http proxy, and any https proxy respectively, or an error if parsing fails.
-func parseSynologyConfig(r io.Reader) (*url.URL, *url.URL, error) {
-	cfg := map[string]string{}
-
-	if err := lineread.Reader(r, func(line []byte) error {
-		// accept and skip over empty lines
-		line = bytes.TrimSpace(line)
-		if len(line) == 0 {
-			return nil
-		}
-
-		key, value, ok := strings.Cut(string(line), "=")
-		if !ok {
-			return fmt.Errorf("missing \"=\" in proxy.conf line: %q", line)
-		}
-		cfg[string(key)] = string(value)
-		return nil
-	}); err != nil {
-		return nil, nil, err
-	}
-
-	if cfg["proxy_enabled"] != "yes" {
-		return nil, nil, nil
-	}
-
-	httpProxyURL := new(url.URL)
-	httpsProxyURL := new(url.URL)
-	if cfg["auth_enabled"] == "yes" {
-		httpProxyURL.User = url.UserPassword(cfg["proxy_user"], cfg["proxy_pwd"])
-		httpsProxyURL.User = url.UserPassword(cfg["proxy_user"], cfg["proxy_pwd"])
-	}
-
-	// As far as we are aware, synology does not support tls proxies.
-	httpProxyURL.Scheme = "http"
-	httpsProxyURL.Scheme = "http"
-
-	httpsProxyURL = addHostPort(httpsProxyURL, cfg["https_host"], cfg["https_port"])
-	httpProxyURL = addHostPort(httpProxyURL, cfg["http_host"], cfg["http_port"])
-
-	return httpProxyURL, httpsProxyURL, nil
-}
-
-// addHostPort adds to u the given host and port and returns the updated url, or
-// if host is empty, it returns nil.
-func addHostPort(u *url.URL, host, port string) *url.URL {
-	if host == "" {
-		return nil
-	}
-
-	if port == "" {
-		u.Host = host
-	} else {
-		u.Host = net.JoinHostPort(host, port)
-	}
-	return u
-}
-
-// mtime stat's path and returns its modification time. If path does not exist,
-// it returns the unix epoch.
-func mtime(path string) time.Time {
-	fi, err := os.Stat(path)
-	if err != nil {
-		return time.Unix(0, 0)
-	}
-	return fi.ModTime()
-}
--- a/net/tshttpproxy/tshttpproxy_synology_test.go
+++ b/net/tshttpproxy/tshttpproxy_synology_test.go
@@ -1,381 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-// +build linux
-
-package tshttpproxy
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-)
-
-func TestSynologyProxyFromConfigCached(t *testing.T) {
-	req, err := http.NewRequest("GET", "http://example.org/", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	var orig string
-	orig, synologyProxyConfigPath = synologyProxyConfigPath, filepath.Join(t.TempDir(), "proxy.conf")
-	defer func() { synologyProxyConfigPath = orig }()
-
-	t.Run("no config file", func(t *testing.T) {
-		if _, err := os.Stat(synologyProxyConfigPath); err == nil {
-			t.Fatalf("%s must not exist for this test", synologyProxyConfigPath)
-		}
-
-		cache.updated = time.Time{}
-		cache.httpProxy = nil
-		cache.httpsProxy = nil
-
-		if val, err := synologyProxyFromConfigCached(req); val != nil || err != nil {
-			t.Fatalf("got %s, %v; want nil, nil", val, err)
-		}
-
-		if got, want := cache.updated, time.Unix(0, 0); got != want {
-			t.Fatalf("got %s, want %s", got, want)
-		}
-		if cache.httpProxy != nil {
-			t.Fatalf("got %s, want nil", cache.httpProxy)
-		}
-		if cache.httpsProxy != nil {
-			t.Fatalf("got %s, want nil", cache.httpsProxy)
-		}
-	})
-
-	t.Run("config file updated", func(t *testing.T) {
-		cache.updated = time.Now()
-		cache.httpProxy = nil
-		cache.httpsProxy = nil
-
-		if err := ioutil.WriteFile(synologyProxyConfigPath, []byte(`
-proxy_enabled=yes
-http_host=10.0.0.55
-http_port=80
-https_host=10.0.0.66
-https_port=443
-		`), 0600); err != nil {
-			t.Fatal(err)
-		}
-
-		val, err := synologyProxyFromConfigCached(req)
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if cache.httpProxy == nil {
-			t.Fatal("http proxy was not cached")
-		}
-		if cache.httpsProxy == nil {
-			t.Fatal("https proxy was not cached")
-		}
-
-		if want := urlMustParse("http://10.0.0.55:80"); val.String() != want.String() {
-			t.Fatalf("got %s; want %s", val, want)
-		}
-	})
-
-	t.Run("config file removed", func(t *testing.T) {
-		cache.updated = time.Now()
-		cache.httpProxy = urlMustParse("http://127.0.0.1/")
-		cache.httpsProxy = urlMustParse("http://127.0.0.1/")
-
-		if err := os.Remove(synologyProxyConfigPath); err != nil && !os.IsNotExist(err) {
-			t.Fatal(err)
-		}
-
-		val, err := synologyProxyFromConfigCached(req)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if val != nil {
-			t.Fatalf("got %s; want nil", val)
-		}
-		if cache.httpProxy != nil {
-			t.Fatalf("got %s, want nil", cache.httpProxy)
-		}
-		if cache.httpsProxy != nil {
-			t.Fatalf("got %s, want nil", cache.httpsProxy)
-		}
-	})
-
-	t.Run("picks proxy from request scheme", func(t *testing.T) {
-		cache.updated = time.Now()
-		cache.httpProxy = nil
-		cache.httpsProxy = nil
-
-		if err := ioutil.WriteFile(synologyProxyConfigPath, []byte(`
-proxy_enabled=yes
-http_host=10.0.0.55
-http_port=80
-https_host=10.0.0.66
-https_port=443
-		`), 0600); err != nil {
-			t.Fatal(err)
-		}
-
-		httpReq, err := http.NewRequest("GET", "http://example.com", nil)
-		if err != nil {
-			t.Fatal(err)
-		}
-		val, err := synologyProxyFromConfigCached(httpReq)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if val == nil {
-			t.Fatalf("got nil, want an http URL")
-		}
-		if got, want := val.String(), "http://10.0.0.55:80"; got != want {
-			t.Fatalf("got %q, want %q", got, want)
-		}
-
-		httpsReq, err := http.NewRequest("GET", "https://example.com", nil)
-		if err != nil {
-			t.Fatal(err)
-		}
-		val, err = synologyProxyFromConfigCached(httpsReq)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if val == nil {
-			t.Fatalf("got nil, want an http URL")
-		}
-		if got, want := val.String(), "http://10.0.0.66:443"; got != want {
-			t.Fatalf("got %q, want %q", got, want)
-		}
-	})
-}
-
-func TestSynologyProxiesFromConfig(t *testing.T) {
-	var (
-		openReader io.ReadCloser
-		openErr    error
-	)
-	var origOpen func() (io.ReadCloser, error)
-	origOpen, openSynologyProxyConf = openSynologyProxyConf, func() (io.ReadCloser, error) {
-		return openReader, openErr
-	}
-	defer func() { openSynologyProxyConf = origOpen }()
-
-	t.Run("with config", func(t *testing.T) {
-		mc := &mustCloser{Reader: strings.NewReader(`
-proxy_user=foo
-proxy_pwd=bar
-proxy_enabled=yes
-adv_enabled=yes
-bypass_enabled=yes
-auth_enabled=yes
-https_host=10.0.0.66
-https_port=8443
-http_host=10.0.0.55
-http_port=80
-	`)}
-		defer mc.check(t)
-		openReader = mc
-
-		httpProxy, httpsProxy, err := synologyProxiesFromConfig()
-
-		if got, want := err, openErr; got != want {
-			t.Fatalf("got %s, want %s", got, want)
-		}
-
-		if got, want := httpsProxy, urlMustParse("http://foo:bar@10.0.0.66:8443"); got.String() != want.String() {
-			t.Fatalf("got %s, want %s", got, want)
-		}
-
-		if got, want := err, openErr; got != want {
-			t.Fatalf("got %s, want %s", got, want)
-		}
-
-		if got, want := httpProxy, urlMustParse("http://foo:bar@10.0.0.55:80"); got.String() != want.String() {
-			t.Fatalf("got %s, want %s", got, want)
-		}
-
-	})
-
-	t.Run("non-existent config", func(t *testing.T) {
-		openReader = nil
-		openErr = os.ErrNotExist
-
-		httpProxy, httpsProxy, err := synologyProxiesFromConfig()
-		if err != nil {
-			t.Fatalf("expected no error, got %s", err)
-		}
-		if httpProxy != nil {
-			t.Fatalf("expected no url, got %s", httpProxy)
-		}
-		if httpsProxy != nil {
-			t.Fatalf("expected no url, got %s", httpsProxy)
-		}
-	})
-
-	t.Run("error opening config", func(t *testing.T) {
-		openReader = nil
-		openErr = errors.New("example error")
-
-		httpProxy, httpsProxy, err := synologyProxiesFromConfig()
-		if err != openErr {
-			t.Fatalf("expected %s, got %s", openErr, err)
-		}
-		if httpProxy != nil {
-			t.Fatalf("expected no url, got %s", httpProxy)
-		}
-		if httpsProxy != nil {
-			t.Fatalf("expected no url, got %s", httpsProxy)
-		}
-	})
-
-}
-
-func TestParseSynologyConfig(t *testing.T) {
-	cases := map[string]struct {
-		input      string
-		httpProxy  *url.URL
-		httpsProxy *url.URL
-		err        error
-	}{
-		"populated": {
-			input: `
-proxy_user=foo
-proxy_pwd=bar
-proxy_enabled=yes
-adv_enabled=yes
-bypass_enabled=yes
-auth_enabled=yes
-https_host=10.0.0.66
-https_port=8443
-http_host=10.0.0.55
-http_port=80
-`,
-			httpProxy:  urlMustParse("http://foo:bar@10.0.0.55:80"),
-			httpsProxy: urlMustParse("http://foo:bar@10.0.0.66:8443"),
-			err:        nil,
-		},
-		"no-auth": {
-			input: `
-proxy_user=foo
-proxy_pwd=bar
-proxy_enabled=yes
-adv_enabled=yes
-bypass_enabled=yes
-auth_enabled=no
-https_host=10.0.0.66
-https_port=8443
-http_host=10.0.0.55
-http_port=80
-`,
-			httpProxy:  urlMustParse("http://10.0.0.55:80"),
-			httpsProxy: urlMustParse("http://10.0.0.66:8443"),
-			err:        nil,
-		},
-		"http-only": {
-			input: `
-proxy_user=foo
-proxy_pwd=bar
-proxy_enabled=yes
-adv_enabled=yes
-bypass_enabled=yes
-auth_enabled=yes
-https_host=
-https_port=8443
-http_host=10.0.0.55
-http_port=80
-`,
-			httpProxy:  urlMustParse("http://foo:bar@10.0.0.55:80"),
-			httpsProxy: nil,
-			err:        nil,
-		},
-		"empty": {
-			input: `
-proxy_user=
-proxy_pwd=
-proxy_enabled=
-adv_enabled=
-bypass_enabled=
-auth_enabled=
-https_host=
-https_port=
-http_host=
-http_port=
-`,
-			httpProxy:  nil,
-			httpsProxy: nil,
-			err:        nil,
-		},
-	}
-
-	for name, example := range cases {
-		t.Run(name, func(t *testing.T) {
-			httpProxy, httpsProxy, err := parseSynologyConfig(strings.NewReader(example.input))
-			if err != example.err {
-				t.Fatal(err)
-			}
-			if example.err != nil {
-				return
-			}
-
-			if example.httpProxy == nil && httpProxy != nil {
-				t.Fatalf("got %s, want nil", httpProxy)
-			}
-
-			if example.httpProxy != nil {
-				if httpProxy == nil {
-					t.Fatalf("got nil, want %s", example.httpProxy)
-				}
-
-				if got, want := example.httpProxy.String(), httpProxy.String(); got != want {
-					t.Fatalf("got %s, want %s", got, want)
-				}
-			}
-
-			if example.httpsProxy == nil && httpsProxy != nil {
-				t.Fatalf("got %s, want nil", httpProxy)
-			}
-
-			if example.httpsProxy != nil {
-				if httpsProxy == nil {
-					t.Fatalf("got nil, want %s", example.httpsProxy)
-				}
-
-				if got, want := example.httpsProxy.String(), httpsProxy.String(); got != want {
-					t.Fatalf("got %s, want %s", got, want)
-				}
-			}
-		})
-	}
-}
-func urlMustParse(u string) *url.URL {
-	r, err := url.Parse(u)
-	if err != nil {
-		panic(fmt.Sprintf("urlMustParse: %s", err))
-	}
-	return r
-}
-
-type mustCloser struct {
-	io.Reader
-	closed bool
-}
-
-func (m *mustCloser) Close() error {
-	m.closed = true
-	return nil
-}
-
-func (m *mustCloser) check(t *testing.T) {
-	if !m.closed {
-		t.Errorf("mustCloser wrapping %#v was not closed at time of check", m.Reader)
-	}
-}
--- a/safesocket/unixsocket.go
+++ b/safesocket/unixsocket.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"os"
@@ -18,6 +19,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"strconv"
+	"strings"
 )

 // TODO(apenwarr): handle magic cookie auth
@@ -112,30 +114,77 @@ func socketPermissionsForOS() os.FileMode {
 	return 0600
 }

-// connectMacOSAppSandbox connects to the Tailscale Network Extension (macOS App
-// Store build) or App Extension (macsys standalone build), where the CLI itself
-// is either running within the macOS App Sandbox or built separately (e.g.
-// homebrew or go install). This little dance to connect a regular user binary
-// to the sandboxed network extension is:
+// connectMacOSAppSandbox connects to the Tailscale Network Extension,
+// which is necessarily running within the macOS App Sandbox.  Our
+// little dance to connect a regular user binary to the sandboxed
+// network extension is:
 //
 //   * the sandboxed IPNExtension picks a random localhost:0 TCP port
 //     to listen on
 //   * it also picks a random hex string that acts as an auth token
-//   * the CLI looks on disk for that TCP port + auth token (see localTCPPortAndTokenDarwin)
-//   * we send it upon TCP connect to prove to the Tailscale daemon that
-//     we're a suitably privileged user to have access the files on disk
-//     which the Network/App Extension wrote.
+//   * it then creates a file named "sameuserproof-$PORT-$TOKEN" and leaves
+//     that file descriptor open forever.
+//
+// Then, we do different things depending on whether the user is
+// running cmd/tailscale that they built themselves (running as
+// themselves, outside the App Sandbox), or whether the user is
+// running the CLI via the GUI binary
+// (e.g. /Applications/Tailscale.app/Contents/MacOS/Tailscale <args>),
+// in which case we're running within the App Sandbox.
+//
+// If we're outside the App Sandbox:
+//
+//   * then we come along here, running as the same UID, but outside
+//     of the sandbox, and look for it. We can run lsof on our own processes,
+//     but other users on the system can't.
+//   * we parse out the localhost port number and the auth token
+//   * we connect to TCP localhost:$PORT
+//   * we send $TOKEN + "\n"
+//   * server verifies $TOKEN, sends "#IPN\n" if okay.
+//   * server is now protocol switched
+//   * we return the net.Conn and the caller speaks the normal protocol
+//
+// If we're inside the App Sandbox, then TS_MACOS_CLI_SHARED_DIR has
+// been set to our shared directory. We now have to find the most
+// recent "sameuserproof" file (there should only be 1, but previous
+// versions of the macOS app didn't clean them up).
 func connectMacOSAppSandbox() (net.Conn, error) {
+	// Are we running the Tailscale.app GUI binary as a CLI, running within the App Sandbox?
+	if d := os.Getenv("TS_MACOS_CLI_SHARED_DIR"); d != "" {
+		fis, err := ioutil.ReadDir(d)
+		if err != nil {
+			return nil, fmt.Errorf("reading TS_MACOS_CLI_SHARED_DIR: %w", err)
+		}
+		var best os.FileInfo
+		for _, fi := range fis {
+			if !strings.HasPrefix(fi.Name(), "sameuserproof-") || strings.Count(fi.Name(), "-") != 2 {
+				continue
+			}
+			if best == nil || fi.ModTime().After(best.ModTime()) {
+				best = fi
+			}
+		}
+		if best == nil {
+			return nil, fmt.Errorf("no sameuserproof token found in TS_MACOS_CLI_SHARED_DIR %q", d)
+		}
+		f := strings.SplitN(best.Name(), "-", 3)
+		portStr, token := f[1], f[2]
+		port, err := strconv.Atoi(portStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid port %q", portStr)
+		}
+		return connectMacTCP(port, token)
+	}
+
+	// Otherwise, assume we're running the cmd/tailscale binary from outside the
+	// App Sandbox.
 	port, token, err := LocalTCPPortAndToken()
 	if err != nil {
-		return nil, fmt.Errorf("failed to find local Tailscale daemon: %w", err)
+		return nil, err
 	}
 	return connectMacTCP(port, token)
 }

-// connectMacTCP creates an authenticated net.Conn to the local macOS Tailscale
-// daemon for used by the "IPN" JSON message bus protocol (Tailscale's original
-// local non-HTTP IPC protocol).
 func connectMacTCP(port int, token string) (net.Conn, error) {
 	c, err := net.Dial("tcp", "localhost:"+strconv.Itoa(port))
 	if err != nil {
--- a/shell.nix
+++ b/shell.nix
@@ -14,8 +14,8 @@
 {
 	pkgs ? import <nixpkgs> {},
 	nixosUnstable ? import (fetchTarball https://github.com/NixOS/nixpkgs/archive/refs/heads/nixpkgs-unstable.tar.gz) { },
-	tailscale-go-rev ? "710a0d861098c07540ad073bb73a42ce81bf54a8",
-	tailscale-go-sha ? "sha256-hnyddxiyqMFHGwV3I4wkBcYNd56schYFi0SL5/0PnMI=",
+	tailscale-go-rev ? "5ce3ec4d89c72f2a2b6f6f5089c950d7a6a33530",
+	tailscale-go-sha ? "sha256-KMOfzmikh30vEkViEkWUsOHczUifSTiRL6rhKQpHCRI=",
 }:
 let
 	tailscale-go = pkgs.lib.overrideDerivation nixosUnstable.go_1_18 (attrs: rec {
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -2,11 +2,10 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// This file contains the code for the incubator process.  Taiscaled
-// launches the incubator as the same user as it was launched as.  The
-// incubator then registers a new session with the OS, sets its UID
-// and groups to the specified `--uid`, `--gid` and `--groups`, and
-// then lauches the requested `--cmd`.
+// This file contains the code for the incubator process.
+// Taiscaled launches the incubator as the same user as it was launched as.
+// The incbuator then registers a new session with the OS, sets its own UID to
+// the specified `--uid`` and then lauches the requested `--cmd`.

 //go:build linux || (darwin && !ios)
 // +build linux darwin,!ios
@@ -14,6 +13,7 @@
 package tailssh

 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
@@ -25,12 +25,10 @@ import (
 	"os/user"
 	"path/filepath"
 	"runtime"
-	"strconv"
 	"strings"
 	"syscall"

 	"github.com/creack/pty"
-	"github.com/pkg/sftp"
 	"github.com/u-root/u-root/pkg/termios"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/sys/unix"
@@ -60,29 +58,9 @@ var maybeStartLoginSession = func(logf logger.Logf, uid uint32, localUser, remot
 //
 // If ss.srv.tailscaledPath is empty, this method is equivalent to
 // exec.CommandContext.
-func (ss *sshSession) newIncubatorCommand() *exec.Cmd {
-	var (
-		name   string
-		args   []string
-		isSFTP bool
-	)
-	switch ss.Subsystem() {
-	case "sftp":
-		isSFTP = true
-	case "":
-		name = loginShell(ss.conn.localUser.Uid)
-		if rawCmd := ss.RawCommand(); rawCmd != "" {
-			args = append(args, "-c", rawCmd)
-		} else {
-			args = append(args, "-l") // login shell
-		}
-	default:
-		panic(fmt.Sprintf("unexpected subsystem: %v", ss.Subsystem()))
-	}
-
+func (ss *sshSession) newIncubatorCommand(ctx context.Context, name string, args []string) *exec.Cmd {
 	if ss.conn.srv.tailscaledPath == "" {
-		// TODO(maisem): this doesn't work with sftp
-		return exec.CommandContext(ss.ctx, name, args...)
+		return exec.CommandContext(ctx, name, args...)
 	}
 	lu := ss.conn.localUser
 	ci := ss.conn.info
@@ -95,66 +73,41 @@ func (ss *sshSession) newIncubatorCommand() *exec.Cmd {
 		"be-child",
 		"ssh",
 		"--uid=" + lu.Uid,
-		"--gid=" + lu.Gid,
-		"--groups=" + strings.Join(ss.conn.userGroupIDs, ","),
 		"--local-user=" + lu.Username,
 		"--remote-user=" + remoteUser,
 		"--remote-ip=" + ci.src.IP().String(),
+		"--cmd=" + name,
 		"--has-tty=false", // updated in-place by startWithPTY
 		"--tty-name=",     // updated in-place by startWithPTY
 	}
-
-	if isSFTP {
-		incubatorArgs = append(incubatorArgs, "--sftp")
-	} else {
-		incubatorArgs = append(incubatorArgs, "--cmd="+name)
-		if len(args) > 0 {
-			incubatorArgs = append(incubatorArgs, "--")
-			incubatorArgs = append(incubatorArgs, args...)
-		}
+	if len(args) > 0 {
+		incubatorArgs = append(incubatorArgs, "--")
+		incubatorArgs = append(incubatorArgs, args...)
 	}
-	return exec.CommandContext(ss.ctx, ss.conn.srv.tailscaledPath, incubatorArgs...)
+
+	return exec.CommandContext(ctx, ss.conn.srv.tailscaledPath, incubatorArgs...)
 }

 const debugIncubator = false

-type stdRWC struct{}
-
-func (stdRWC) Read(p []byte) (n int, err error) {
-	return os.Stdin.Read(p)
-}
-
-func (stdRWC) Write(b []byte) (n int, err error) {
-	return os.Stdout.Write(b)
-}
-
-func (stdRWC) Close() error {
-	os.Exit(0)
-	return nil
-}
-
 // beIncubator is the entrypoint to the `tailscaled be-child ssh` subcommand.
 // It is responsible for informing the system of a new login session for the user.
 // This is sometimes necessary for mounting home directories and decrypting file
 // systems.
 //
-// Tailscaled launches the incubator as the same user as it was
-// launched as.  The incubator then registers a new session with the
-// OS, sets its UID and groups to the specified `--uid`, `--gid` and
-// `--groups` and then launches the requested `--cmd`.
+// Taiscaled launches the incubator as the same user as it was launched as.
+// The incbuator then registers a new session with the OS, sets its own UID to
+// the specified `--uid`` and then lauches the requested `--cmd`.
 func beIncubator(args []string) error {
 	var (
 		flags      = flag.NewFlagSet("", flag.ExitOnError)
 		uid        = flags.Uint64("uid", 0, "the uid of local-user")
-		gid        = flags.Int("gid", 0, "the gid of local-user")
-		groups     = flags.String("groups", "", "comma-separated list of gids of local-user")
 		localUser  = flags.String("local-user", "", "the user to run as")
 		remoteUser = flags.String("remote-user", "", "the remote user/tags")
 		remoteIP   = flags.String("remote-ip", "", "the remote Tailscale IP")
 		ttyName    = flags.String("tty-name", "", "the tty name (pts/3)")
 		hasTTY     = flags.Bool("has-tty", false, "is the output attached to a tty")
-		cmdName    = flags.String("cmd", "", "the cmd to launch (ignored in sftp mode)")
-		sftpMode   = flags.Bool("sftp", false, "run sftp server (cmd is ignored)")
+		cmdName    = flags.String("cmd", "", "the cmd to launch")
 	)
 	if err := flags.Parse(args); err != nil {
 		return err
@@ -173,28 +126,11 @@ func beIncubator(args []string) error {
 	// Inform the system that we are about to log someone in.
 	// We can only do this if we are running as root.
 	// This is best effort to still allow running on machines where
-	// we don't support starting sessions, e.g. darwin.
+	// we don't support starting session, e.g. darwin.
 	sessionCloser, err := maybeStartLoginSession(logf, uint32(*uid), *localUser, *remoteUser, *remoteIP, *ttyName)
 	if err == nil && sessionCloser != nil {
 		defer sessionCloser()
 	}
-	var groupIDs []int
-	for _, g := range strings.Split(*groups, ",") {
-		gid, err := strconv.ParseInt(g, 10, 32)
-		if err != nil {
-			return err
-		}
-		groupIDs = append(groupIDs, int(gid))
-	}
-	if err := syscall.Setgroups(groupIDs); err != nil {
-		return err
-	}
-	if egid := os.Getegid(); egid != *gid {
-		if err := syscall.Setgid(int(*gid)); err != nil {
-			logf(err.Error())
-			os.Exit(1)
-		}
-	}
 	if euid != *uid {
 		// Switch users if required before starting the desired process.
 		if err := syscall.Setuid(int(*uid)); err != nil {
@@ -202,15 +138,6 @@ func beIncubator(args []string) error {
 			os.Exit(1)
 		}
 	}
-	if *sftpMode {
-		logf("handling sftp")
-
-		server, err := sftp.NewServer(stdRWC{})
-		if err != nil {
-			return err
-		}
-		return server.Serve()
-	}

 	cmd := exec.Command(*cmdName, cmdArgs...)
 	cmd.Stdin = os.Stdin
@@ -238,24 +165,27 @@ func beIncubator(args []string) error {
 // The caller can wait for the process to exit by calling cmd.Wait().
 //
 // It sets ss.cmd, stdin, stdout, and stderr.
-func (ss *sshSession) launchProcess() error {
-	ss.cmd = ss.newIncubatorCommand()
-
-	cmd := ss.cmd
-	cmd.Dir = ss.conn.localUser.HomeDir
-	cmd.Env = append(cmd.Env, envForUser(ss.conn.localUser)...)
-	for _, kv := range ss.Environ() {
-		if acceptEnvPair(kv) {
-			cmd.Env = append(cmd.Env, kv)
-		}
+func (ss *sshSession) launchProcess(ctx context.Context) error {
+	shell := loginShell(ss.conn.localUser.Uid)
+	var args []string
+	if rawCmd := ss.RawCommand(); rawCmd != "" {
+		args = append(args, "-c", rawCmd)
+	} else {
+		args = append(args, "-l") // login shell
 	}

 	ci := ss.conn.info
+	cmd := ss.newIncubatorCommand(ctx, shell, args)
+	cmd.Dir = ss.conn.localUser.HomeDir
+	cmd.Env = append(cmd.Env, envForUser(ss.conn.localUser)...)
+	cmd.Env = append(cmd.Env, ss.Environ()...)
 	cmd.Env = append(cmd.Env,
 		fmt.Sprintf("SSH_CLIENT=%s %d %d", ci.src.IP(), ci.src.Port(), ci.dst.Port()),
 		fmt.Sprintf("SSH_CONNECTION=%s %d %s %d", ci.src.IP(), ci.src.Port(), ci.dst.IP(), ci.dst.Port()),
 	)

+	ss.cmd = cmd
+
 	if ss.agentListener != nil {
 		cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_AUTH_SOCK=%s", ss.agentListener.Addr()))
 	}
@@ -287,7 +217,7 @@ func resizeWindow(f *os.File, winCh <-chan ssh.Window) {
 }

 // opcodeShortName is a mapping of SSH opcode
-// to mnemonic names expected by the termios package.
+// to mnemonic names expected by the termios packaage.
 // These are meant to be platform independent.
 var opcodeShortName = map[uint8]string{
 	gossh.VINTR:         "intr",
@@ -500,7 +430,7 @@ func loginShell(uid string) string {
 	if e := os.Getenv("SHELL"); e != "" {
 		return e
 	}
-	return "/bin/sh"
+	return "/bin/bash"
 }

 func envForUser(u *user.User) []string {
@@ -521,14 +451,3 @@ func updateStringInSlice(ss []string, a, b string) {
 		}
 	}
 }
-
-// acceptEnvPair reports whether the environment variable key=value pair
-// should be accepted from the client. It uses the same default as OpenSSH
-// AcceptEnv.
-func acceptEnvPair(kv string) bool {
-	k, _, ok := strings.Cut(kv, "=")
-	if !ok {
-		return false
-	}
-	return k == "TERM" || k == "LANG" || strings.HasPrefix(k, "LC_")
-}
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -40,7 +40,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tempfork/gliderlabs/ssh"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/mak"
 )

 var (
@@ -119,11 +118,10 @@ type conn struct {
 	// purposes of rule evaluation.
 	now time.Time

-	action0      *tailcfg.SSHAction // first matching action
-	srv          *server
-	info         *sshConnInfo // set by setInfo
-	localUser    *user.User   // set by checkAuth
-	userGroupIDs []string     // set by checkAuth
+	action0   *tailcfg.SSHAction // first matching action
+	srv       *server
+	info      *sshConnInfo // set by setInfo
+	localUser *user.User   // set by checkAuth

 	insecureSkipTailscaleAuth bool // used by tests.
 }
@@ -193,11 +191,6 @@ func (c *conn) checkAuth(pubKey ssh.PublicKey) error {
 				Message: fmt.Sprintf("failed to lookup %v\r\n", localUser),
 			}
 		}
-		gids, err := lu.GroupIds()
-		if err != nil {
-			return err
-		}
-		c.userGroupIDs = gids
 		c.localUser = lu
 		return nil
 	}
@@ -228,12 +221,10 @@ func (c *conn) ServerConfig(ctx ssh.Context) *gossh.ServerConfig {
 func (srv *server) newConn() (*conn, error) {
 	c := &conn{srv: srv, now: srv.now()}
 	c.Server = &ssh.Server{
-		Version:         "Tailscale",
-		Handler:         c.handleConnPostSSHAuth,
-		RequestHandlers: map[string]ssh.RequestHandler{},
-		SubsystemHandlers: map[string]ssh.SubsystemHandler{
-			"sftp": c.handleConnPostSSHAuth,
-		},
+		Version:           "Tailscale",
+		Handler:           c.handleConnPostSSHAuth,
+		RequestHandlers:   map[string]ssh.RequestHandler{},
+		SubsystemHandlers: map[string]ssh.SubsystemHandler{},

 		// Note: the direct-tcpip channel handler and LocalPortForwardingCallback
 		// only adds support for forwarding ports from the local machine.
@@ -368,8 +359,10 @@ func (c *conn) setInfo(cm gossh.ConnMetadata) error {
 	return nil
 }

-// evaluatePolicy returns the SSHAction and localUser after evaluating
-// the SSHPolicy for this conn. The pubKey may be nil for "none" auth.
+// evaluatePolicy returns the SSHAction, sshConnInfo and localUser after
+// evaluating the sshUser and remoteAddr against the SSHPolicy. The remoteAddr
+// and localAddr params must be Tailscale IPs. The pubKey may be nil for "none"
+// auth.
 func (c *conn) evaluatePolicy(pubKey gossh.PublicKey) (_ *tailcfg.SSHAction, localUser string, _ error) {
 	pol, ok := c.sshPolicy()
 	if !ok {
@@ -472,7 +465,7 @@ func (srv *server) fetchPublicKeysURL(url string) ([]string, error) {

 	srv.mu.Lock()
 	defer srv.mu.Unlock()
-	mak.Set(&srv.fetchPublicKeysCache, url, pubKeyCacheEntry{
+	mapSet(&srv.fetchPublicKeysCache, url, pubKeyCacheEntry{
 		at:    srv.now(),
 		lines: lines,
 		etag:  etag,
@@ -482,7 +475,7 @@ func (srv *server) fetchPublicKeysURL(url string) ([]string, error) {

 // handleConnPostSSHAuth runs an SSH session after the SSH-level authentication,
 // but not necessarily before all the Tailscale-level extra verification has
-// completed. It also handles SFTP requests.
+// completed.
 func (c *conn) handleConnPostSSHAuth(s ssh.Session) {
 	sshUser := s.User()
 	action, err := c.resolveTerminalAction(s)
@@ -498,15 +491,6 @@ func (c *conn) handleConnPostSSHAuth(s ssh.Session) {
 		return
 	}

-	// Do this check after auth, but before starting the session.
-	switch s.Subsystem() {
-	case "sftp", "":
-	default:
-		fmt.Fprintf(s.Stderr(), "Unsupported subsystem %q \r\n", s.Subsystem())
-		s.Exit(1)
-		return
-	}
-
 	ss := c.newSSHSession(s, action)
 	ss.logf("handling new SSH connection from %v (%v) to ssh-user %q", c.info.uprof.LoginName, c.info.src.IP(), sshUser)
 	ss.logf("access granted to %v as ssh-user %q", c.info.uprof.LoginName, sshUser)
@@ -691,7 +675,7 @@ func (c *conn) fetchSSHAction(ctx context.Context, url string) (*tailcfg.SSHActi
 // unless the process has already exited.
 func (ss *sshSession) killProcessOnContextDone() {
 	<-ss.ctx.Done()
-	// Either the process has already exited, in which case this does nothing.
+	// Either the process has already existed, in which case this does nothing.
 	// Or, the process is still running in which case this will kill it.
 	ss.exitOnce.Do(func() {
 		err := ss.ctx.Err()
@@ -702,8 +686,6 @@ func (ss *sshSession) killProcessOnContextDone() {
 			}
 		}
 		ss.logf("terminating SSH session from %v: %v", ss.conn.info.src.IP(), err)
-		// We don't need to Process.Wait here, sshSession.run() does
-		// the waiting regardless of termination reason.
 		ss.cmd.Process.Kill()
 	})
 }
@@ -732,8 +714,8 @@ func (srv *server) startSession(ss *sshSession) {
 	if _, dup := srv.activeSessionBySharedID[ss.sharedID]; dup {
 		panic("dup sharedID")
 	}
-	mak.Set(&srv.activeSessionByH, ss.idH, ss)
-	mak.Set(&srv.activeSessionBySharedID, ss.sharedID, ss)
+	mapSet(&srv.activeSessionByH, ss.idH, ss)
+	mapSet(&srv.activeSessionBySharedID, ss.sharedID, ss)
 }

 // endSession unregisters s from the list of active sessions.
@@ -747,7 +729,7 @@ func (srv *server) endSession(ss *sshSession) {
 var errSessionDone = errors.New("session is done")

 // handleSSHAgentForwarding starts a Unix socket listener and in the background
-// forwards agent connections between the listener and the ssh.Session.
+// forwards agent connections between the listenr and the ssh.Session.
 // On success, it assigns ss.agentListener.
 func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) error {
 	if !ssh.AgentRequested(ss) || !ss.action.AllowAgentForwarding {
@@ -774,14 +756,10 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) err
 	}
 	socket := ln.Addr().String()
 	dir := filepath.Dir(socket)
-	// Make sure the socket is accessible only by the user.
-	if err := os.Chmod(socket, 0600); err != nil {
-		return err
-	}
+	// Make sure the socket is accessible by the user.
 	if err := os.Chown(socket, int(uid), int(gid)); err != nil {
 		return err
 	}
-	// Make sure the dir is also accessible.
 	if err := os.Chmod(dir, 0755); err != nil {
 		return err
 	}
@@ -808,10 +786,10 @@ func (ss *sshSession) run() {

 	defer ss.ctx.CloseWithError(errSessionDone)

-	if ss.action.SessionDuration != 0 {
-		t := time.AfterFunc(ss.action.SessionDuration, func() {
+	if ss.action.SesssionDuration != 0 {
+		t := time.AfterFunc(ss.action.SesssionDuration, func() {
 			ss.ctx.CloseWithError(userVisibleError{
-				fmt.Sprintf("Session timeout of %v elapsed.", ss.action.SessionDuration),
+				fmt.Sprintf("Session timeout of %v elapsed.", ss.action.SesssionDuration),
 				context.DeadlineExceeded,
 			})
 		})
@@ -835,29 +813,27 @@ func (ss *sshSession) run() {
 	// See https://github.com/tailscale/tailscale/issues/4146
 	ss.DisablePTYEmulation()

-	var rec *recording // or nil if disabled
-	if ss.Subsystem() != "sftp" {
-		if err := ss.handleSSHAgentForwarding(ss, lu); err != nil {
-			ss.logf("agent forwarding failed: %v", err)
-		} else if ss.agentListener != nil {
-			// TODO(maisem/bradfitz): add a way to close all session resources
-			defer ss.agentListener.Close()
-		}
-
-		if ss.shouldRecord() {
-			var err error
-			rec, err = ss.startNewRecording()
-			if err != nil {
-				fmt.Fprintf(ss, "can't start new recording\r\n")
-				ss.logf("startNewRecording: %v", err)
-				ss.Exit(1)
-				return
-			}
-			defer rec.Close()
-		}
+	if err := ss.handleSSHAgentForwarding(ss, lu); err != nil {
+		ss.logf("agent forwarding failed: %v", err)
+	} else if ss.agentListener != nil {
+		// TODO(maisem/bradfitz): add a way to close all session resources
+		defer ss.agentListener.Close()
 	}

-	err := ss.launchProcess()
+	var rec *recording // or nil if disabled
+	if ss.shouldRecord() {
+		var err error
+		rec, err = ss.startNewRecording()
+		if err != nil {
+			fmt.Fprintf(ss, "can't start new recording\r\n")
+			ss.logf("startNewRecording: %v", err)
+			ss.Exit(1)
+			return
+		}
+		defer rec.Close()
+	}
+
+	err := ss.launchProcess(ss.ctx)
 	if err != nil {
 		logf("start failed: %v", err.Error())
 		ss.Exit(1)
@@ -897,6 +873,7 @@ func (ss *sshSession) run() {
 	ss.exitOnce.Do(func() {})

 	if err == nil {
+		ss.logf("Wait: ok")
 		ss.Exit(0)
 		return
 	}
@@ -976,10 +953,7 @@ func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg
 	if c.ruleExpired(r) {
 		return nil, "", errRuleExpired
 	}
-	if !r.Action.Reject {
-		// For all but Reject rules, SSHUsers is required.
-		// If SSHUsers is nil or empty, mapLocalUser will return an
-		// empty string anyway.
+	if !r.Action.Reject || r.SSHUsers != nil {
 		localUser = mapLocalUser(r.SSHUsers, c.info.sshUser)
 		if localUser == "" {
 			return nil, "", errUserMatch
@@ -1214,7 +1188,7 @@ func (w loggingWriter) Write(p []byte) (n int, err error) {
 	}
 	j = append(j, '\n')
 	if err := w.writeCastLine(j); err != nil {
-		return 0, err
+		return 0, nil
 	}
 	return w.w.Write(p)
 }
@@ -1249,3 +1223,11 @@ func envEq(a, b string) bool {
 	}
 	return a == b
 }
+
+// mapSet assigns m[k] = v, making m if necessary.
+func mapSet[K comparable, V any](m *map[K]V, k K, v V) {
+	if *m == nil {
+		*m = make(map[K]V)
+	}
+	(*m)[k] = v
+}
--- a/ssh/tailssh/tailssh_test.go
+++ b/ssh/tailssh/tailssh_test.go
@@ -265,8 +265,6 @@ func TestSSH(t *testing.T) {

 	execSSH := func(args ...string) *exec.Cmd {
 		cmd := exec.Command("ssh",
-			"-F",
-			"none",
 			"-v",
 			"-p", fmt.Sprint(port),
 			"-o", "StrictHostKeyChecking=no",
@@ -433,22 +431,3 @@ func TestExpandPublicKeyURL(t *testing.T) {
 		t.Errorf("on empty: got %q; want %q", got, want)
 	}
 }
-
-func TestAcceptEnvPair(t *testing.T) {
-	tests := []struct {
-		in   string
-		want bool
-	}{
-		{"TERM=x", true},
-		{"term=x", false},
-		{"TERM", false},
-		{"LC_FOO=x", true},
-		{"LD_PRELOAD=naah", false},
-		{"TERM=screen-256color", true},
-	}
-	for _, tt := range tests {
-		if got := acceptEnvPair(tt.in); got != tt.want {
-			t.Errorf("for %q, got %v; want %v", tt.in, got, tt.want)
-		}
-	}
-}
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -1730,9 +1730,9 @@ type SSHAction struct {
 	// without further prompts.
 	Accept bool `json:"accept,omitempty"`

-	// SessionDuration, if non-zero, is how long the session can stay open
+	// SesssionDuration, if non-zero, is how long the session can stay open
 	// before being forcefully terminated.
-	SessionDuration time.Duration `json:"sessionDuration,omitempty"`
+	SesssionDuration time.Duration `json:"sessionDuration,omitempty"`

 	// AllowAgentForwarding, if true, allows accepted connections to forward
 	// the ssh agent if requested.
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -105,7 +105,6 @@ func (s *Server) Close() error {
 	s.shutdownCancel()
 	s.lb.Shutdown()
 	s.linkMon.Close()
-	s.dialer.Close()
 	s.localAPIListener.Close()

 	s.mu.Lock()
@@ -138,9 +137,8 @@ func (s *Server) start() error {
 	}

 	s.rootPath = s.Dir
-	if s.Store != nil {
-		_, isMemStore := s.Store.(*mem.Store)
-		if isMemStore && !s.Ephemeral {
+	if s.Store != nil && !s.Ephemeral {
+		if _, ok := s.Store.(*mem.Store); !ok {
 			return fmt.Errorf("in-memory store is only supported for Ephemeral nodes")
 		}
 	}
--- a/util/mak/mak.go
+++ b/util/mak/mak.go
@@ -1,53 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package mak helps make maps. It contains generic helpers to make/assign
-// things, notably to maps, but also slices.
-package mak
-
-import (
-	"fmt"
-	"reflect"
-)
-
-// Set populates an entry in a map, making the map if necessary.
-//
-// That is, it assigns (*m)[k] = v, making *m if it was nil.
-func Set[K comparable, V any, T ~map[K]V](m *T, k K, v V) {
-	if *m == nil {
-		*m = make(map[K]V)
-	}
-	(*m)[k] = v
-}
-
-// NonNil takes a pointer to a Go data structure
-// (currently only a slice or a map) and makes sure it's non-nil for
-// JSON serialization. (In particular, JavaScript clients usually want
-// the field to be defined after they decode the JSON.)
-// MakeNonNil takes a pointer to a Go data structure
-// (currently only a slice or a map) and makes sure it's non-nil for
-// JSON serialization. (In particular, JavaScript clients usually want
-// the field to be defined after they decode the JSON.)
-func NonNil(ptr interface{}) {
-	if ptr == nil {
-		panic("nil interface")
-	}
-	rv := reflect.ValueOf(ptr)
-	if rv.Kind() != reflect.Ptr {
-		panic(fmt.Sprintf("kind %v, not Ptr", rv.Kind()))
-	}
-	if rv.Pointer() == 0 {
-		panic("nil pointer")
-	}
-	rv = rv.Elem()
-	if rv.Pointer() != 0 {
-		return
-	}
-	switch rv.Type().Kind() {
-	case reflect.Slice:
-		rv.Set(reflect.MakeSlice(rv.Type(), 0, 0))
-	case reflect.Map:
-		rv.Set(reflect.MakeMap(rv.Type()))
-	}
-}
--- a/util/mak/mak_test.go
+++ b/util/mak/mak_test.go
@@ -1,71 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package mak contains code to help make things.
-package mak
-
-import (
-	"reflect"
-	"testing"
-)
-
-type M map[string]int
-
-func TestSet(t *testing.T) {
-	t.Run("unnamed", func(t *testing.T) {
-		var m map[string]int
-		Set(&m, "foo", 42)
-		Set(&m, "bar", 1)
-		Set(&m, "bar", 2)
-		want := map[string]int{
-			"foo": 42,
-			"bar": 2,
-		}
-		if got := m; !reflect.DeepEqual(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-	})
-	t.Run("named", func(t *testing.T) {
-		var m M
-		Set(&m, "foo", 1)
-		Set(&m, "bar", 1)
-		Set(&m, "bar", 2)
-		want := M{
-			"foo": 1,
-			"bar": 2,
-		}
-		if got := m; !reflect.DeepEqual(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-	})
-}
-
-func TestNonNil(t *testing.T) {
-	var s []string
-	NonNil(&s)
-	if len(s) != 0 {
-		t.Errorf("slice len = %d; want 0", len(s))
-	}
-	if s == nil {
-		t.Error("slice still nil")
-	}
-
-	s = append(s, "foo")
-	NonNil(&s)
-	if len(s) != 1 {
-		t.Errorf("len = %d; want 1", len(s))
-	}
-	if s[0] != "foo" {
-		t.Errorf("value = %q; want foo", s)
-	}
-
-	var m map[string]string
-	NonNil(&m)
-	if len(m) != 0 {
-		t.Errorf("map len = %d; want 0", len(s))
-	}
-	if m == nil {
-		t.Error("map still nil")
-	}
-}
--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -54,7 +54,6 @@ import (
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/nettype"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/netconv"
 	"tailscale.com/util/uniq"
 	"tailscale.com/version"
@@ -439,7 +438,11 @@ func (c *Conn) removeDerpPeerRoute(peer key.NodePublic, derpID int, dc *derphttp
 func (c *Conn) addDerpPeerRoute(peer key.NodePublic, derpID int, dc *derphttp.Client) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	mak.Set(&c.derpRoute, peer, derpRoute{derpID, dc})
+	if c.derpRoute == nil {
+		c.derpRoute = make(map[key.NodePublic]derpRoute)
+	}
+	r := derpRoute{derpID, dc}
+	c.derpRoute[peer] = r
 }

 // DerpMagicIP is a fake WireGuard endpoint IP address that means
@@ -603,7 +606,6 @@ func (c *Conn) stopPeriodicReSTUNTimerLocked() {

 // c.mu must NOT be held.
 func (c *Conn) updateEndpoints(why string) {
-	metricUpdateEndpoints.Add(1)
 	defer func() {
 		c.mu.Lock()
 		defer c.mu.Unlock()
@@ -1048,8 +1050,8 @@ func (c *Conn) determineEndpoints(ctx context.Context) ([]tailcfg.Endpoint, erro
 		}, nil
 	}

-	var already map[netaddr.IPPort]tailcfg.EndpointType // endpoint -> how it was found
-	var eps []tailcfg.Endpoint                          // unique endpoints
+	already := make(map[netaddr.IPPort]tailcfg.EndpointType) // endpoint -> how it was found
+	var eps []tailcfg.Endpoint                               // unique endpoints

 	ipp := func(s string) (ipp netaddr.IPPort) {
 		ipp, _ = netaddr.ParseIPPort(s)
@@ -1060,7 +1062,7 @@ func (c *Conn) determineEndpoints(ctx context.Context) ([]tailcfg.Endpoint, erro
 			return
 		}
 		if _, ok := already[ipp]; !ok {
-			mak.Set(&already, ipp, et)
+			already[ipp] = et
 			eps = append(eps, tailcfg.Endpoint{Addr: ipp, Type: et})
 		}
 	}
@@ -2769,7 +2771,6 @@ func (c *Conn) ReSTUN(why string) {
 		// raced with a shutdown.
 		return
 	}
-	metricReSTUNCalls.Add(1)

 	// If the user stopped the app, stop doing work. (When the
 	// user stops Tailscale via the GUI apps, ipn/local.go
@@ -2919,7 +2920,6 @@ func (c *Conn) rebind(curPortFate currentPortFate) error {
 // Rebind closes and re-binds the UDP sockets and resets the DERP connection.
 // It should be followed by a call to ReSTUN.
 func (c *Conn) Rebind() {
-	metricRebindCalls.Add(1)
 	if err := c.rebind(keepCurrentPort); err != nil {
 		c.logf("%w", err)
 		return
@@ -3957,6 +3957,9 @@ func (de *endpoint) handleCallMeMaybe(m *disco.CallMeMaybe) {
 	for ep := range de.isCallMeMaybeEP {
 		de.isCallMeMaybeEP[ep] = false // mark for deletion
 	}
+	if de.isCallMeMaybeEP == nil {
+		de.isCallMeMaybeEP = map[netaddr.IPPort]bool{}
+	}
 	var newEPs []netaddr.IPPort
 	for _, ep := range m.MyNumber {
 		if ep.IP().Is6() && ep.IP().IsLinkLocalUnicast() {
@@ -3965,7 +3968,7 @@ func (de *endpoint) handleCallMeMaybe(m *disco.CallMeMaybe) {
 			// for these.
 			continue
 		}
-		mak.Set(&de.isCallMeMaybeEP, ep, true)
+		de.isCallMeMaybeEP[ep] = true
 		if es, ok := de.endpointState[ep]; ok {
 			es.callMeMaybeTime = now
 		} else {
@@ -4141,10 +4144,6 @@ var (
 	metricNumPeers     = clientmetric.NewGauge("magicsock_netmap_num_peers")
 	metricNumDERPConns = clientmetric.NewGauge("magicsock_num_derp_conns")

-	metricRebindCalls     = clientmetric.NewCounter("magicsock_rebind_calls")
-	metricReSTUNCalls     = clientmetric.NewCounter("magicsock_restun_calls")
-	metricUpdateEndpoints = clientmetric.NewCounter("magicsock_update_endpoints")
-
 	// Sends (data or disco)
 	metricSendDERPQueued      = clientmetric.NewCounter("magicsock_send_derp_queued")
 	metricSendDERPErrorChan   = clientmetric.NewCounter("magicsock_send_derp_error_chan")
--- a/wgengine/monitor/monitor_darwin.go
+++ b/wgengine/monitor/monitor_darwin.go
@@ -115,8 +115,7 @@ func addrType(addrs []route.Addr, rtaxType int) route.Addr {
 func (m *darwinRouteMon) IsInterestingInterface(iface string) bool {
 	baseName := strings.TrimRight(iface, "0123456789")
 	switch baseName {
-	// TODO(maisem): figure out what this list should actually be.
-	case "llw", "awdl", "ipsec":
+	case "llw", "awdl", "pdp_ip", "ipsec":
 		return false
 	}
 	return true
--- a/wgengine/monitor/monitor_linux_test.go
+++ b/wgengine/monitor/monitor_linux_test.go
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

+//go:build !android
+// +build !android
+
 package monitor

 import (
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -651,21 +651,6 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 	}
 	r.Complete(false)

-	// SetKeepAlive so that idle connections to peers that have forgotten about
-	// the connection or gone completely offline eventually time out.
-	// Applications might be setting this on a forwarded connection, but from
-	// userspace we can not see those, so the best we can do is to always
-	// perform them with conservative timing.
-	// TODO(tailscale/tailscale#4522): Netstack defaults match the Linux
-	// defaults, and results in a little over two hours before the socket would
-	// be closed due to keepalive. A shorter default might be better, or seeking
-	// a default from the host IP stack. This also might be a useful
-	// user-tunable, as in userspace mode this can have broad implications such
-	// as lingering connections to fork style daemons. On the other side of the
-	// fence, the long duration timers are low impact values for battery powered
-	// peers.
-	ep.SocketOptions().SetKeepAlive(true)
-
 	// The ForwarderRequest.CreateEndpoint above asynchronously
 	// starts the TCP handshake. Note that the gonet.TCPConn
 	// methods c.RemoteAddr() and c.LocalAddr() will return nil
--- a/wgengine/pendopen.go
+++ b/wgengine/pendopen.go
@@ -15,7 +15,6 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tstun"
 	"tailscale.com/types/ipproto"
-	"tailscale.com/util/mak"
 	"tailscale.com/wgengine/filter"
 )

@@ -116,11 +115,14 @@ func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.Wra

 	e.mu.Lock()
 	defer e.mu.Unlock()
+	if e.pendOpen == nil {
+		e.pendOpen = make(map[flowtrack.Tuple]*pendingOpenFlow)
+	}
 	if _, dup := e.pendOpen[flow]; dup {
 		// Duplicates are expected when the OS retransmits. Ignore.
 		return
 	}
-	mak.Set(&e.pendOpen, flow, &pendingOpenFlow{timer: timer})
+	e.pendOpen[flow] = &pendingOpenFlow{timer: timer}

 	return filter.Accept
 }
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -1203,10 +1203,7 @@ func (e *userspaceEngine) linkChange(changed bool, cur *interfaces.State) {
 	why := "link-change-minor"
 	if changed {
 		why = "link-change-major"
-		metricNumMajorChanges.Add(1)
 		e.magicConn.Rebind()
-	} else {
-		metricNumMinorChanges.Add(1)
 	}
 	e.magicConn.ReSTUN(why)
 }
@@ -1554,7 +1551,4 @@ func (ls fwdDNSLinkSelector) PickLink(ip netaddr.IP) (linkName string) {
 var (
 	metricMagicDNSPacketIn = clientmetric.NewGauge("magicdns_packet_in") // for 100.100.100.100
 	metricReflectToOS      = clientmetric.NewGauge("packet_reflect_to_os")
-
-	metricNumMajorChanges = clientmetric.NewCounter("wgengine_major_changes")
-	metricNumMinorChanges = clientmetric.NewCounter("wgengine_minor_changes")
 )
Author	SHA1	Message	Date
James Tucker	20cd690970	.github/workflows: add cross-android Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>	2022-04-21 10:26:40 -07:00
James Tucker	26fe00e7bd	.github/workflows: add cross-android Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>	2022-04-21 10:13:27 -07:00
James Tucker	972df80be2	.github/workflows: add cross-android Fixes 4482 Signed-off-by: James Tucker <james@tailscale.com>	2022-04-21 10:00:02 -07:00
@@ -1 +1 @@
 .24.2
 .23.0