cmd/tailscale: add --json-docs flag

This prints all command and flag docs as JSON. To be used for generating
the contents of https://tailscale.com/kb/1080/cli.

Updates https://github.com/tailscale/tailscale-www/issues/4722

.github/workflows/checklocks.yml

@@ -24,5 +24,11 @@ jobs:
         run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks
 
       - name: Run checklocks vet
-        # TODO: remove || true once we have applied checklocks annotations everywhere.
-        run: ./tool/go vet -vettool=/tmp/checklocks ./... || true
+        # TODO(#12625): add more packages as we add annotations
+        run: |-
+          ./tool/go vet -vettool=/tmp/checklocks \
+            ./envknob           \
+            ./ipn/store/mem     \
+            ./net/stun/stuntest \
+            ./net/wsconn        \
+            ./proxymap

.github/workflows/installer.yml

@@ -67,6 +67,11 @@ jobs:
       image: ${{ matrix.image }}
       options: --user root
     steps:
+    - name: install dependencies (pacman)
+      # Refresh the package databases to ensure that the tailscale package is
+      # defined.
+      run: pacman -Sy
+      if: contains(matrix.image, 'archlinux')
     - name: install dependencies (yum)
       # tar and gzip are needed by the actions/checkout below.
       run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}

.github/workflows/ssh-integrationtest.yml

@@ -0,0 +1,23 @@
+# Run the ssh integration tests with `make sshintegrationtest`.
+# These tests can also be running locally.
+name: "ssh-integrationtest"
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    paths:
+      - "ssh/**"
+      - "tempfork/gliderlabs/ssh/**"
+      - ".github/workflows/ssh-integrationtest"
+jobs:
+  ssh-integrationtest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run SSH integration tests
+        run: |
+          make sshintegrationtest

.github/workflows/test.yml

@@ -194,7 +194,7 @@ jobs:
     - name: chown
       run: chown -R $(id -u):$(id -g) $PWD
     - name: privileged tests
-      run: ./tool/go test ./util/linuxfw
+      run: ./tool/go test ./util/linuxfw ./derp/xdp
 
   vm:
     runs-on: ["self-hosted", "linux", "vm"]
@@ -480,7 +480,7 @@ jobs:
       uses: actions/checkout@v4
     - name: check that 'go generate' is clean
       run: |
-        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator')
+        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
         ./tool/go generate $pkgs
         echo
         echo

Dockerfile

@@ -1,17 +1,13 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 
-############################################################################
+# Note that this Dockerfile is currently NOT used to build any of the published
+# Tailscale container images and may have drifted from the image build mechanism
+# we use.
+# Tailscale images are currently built using https://github.com/tailscale/mkctr,
+# and the build script can be found in ./build_docker.sh.
 #
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
 #
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
-
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:

Makefile

@@ -21,6 +21,7 @@ updatedeps: ## Update depaware deps
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
+		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
 
 depaware: ## Run depaware checks
@@ -30,6 +31,7 @@ depaware: ## Run depaware checks
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
+		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund
 
 buildwindows: ## Build tailscale CLI for windows/amd64
@@ -110,8 +112,8 @@ publishdevnameserver: ## Build and publish k8s-nameserver image to location spec
 
 .PHONY: sshintegrationtest
 sshintegrationtest: ## Run the SSH integration tests in various Docker containers
-	@GOOS=linux GOARCH=amd64 go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
-	GOOS=linux GOARCH=amd64 go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
+	@GOOS=linux GOARCH=amd64 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
+	GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
 	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
 	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
 	echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \

VERSION.txt

@@ -1 +1 @@
-1.67.0
+1.71.0

api.md

@@ -1,3 +1,6 @@
+> [!IMPORTANT]
+> The Tailscale API documentation has moved to https://tailscale.com/api
+
 # Tailscale API
 
 The Tailscale API documentation is located in **[tailscale/publicapi](./publicapi/readme.md#tailscale-api)**.

appc/appconnector.go

@@ -11,6 +11,7 @@ package appc
 
 import (
 	"context"
+	"fmt"
 	"net/netip"
 	"slices"
 	"strings"
@@ -21,6 +22,7 @@ import (
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/views"
+	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/execqueue"
 	"tailscale.com/util/mak"
@@ -78,6 +80,42 @@ type RouteAdvertiser interface {
 	UnadvertiseRoute(...netip.Prefix) error
 }
 
+var (
+	metricStoreRoutesRateBuckets = []int64{1, 2, 3, 4, 5, 10, 100, 1000}
+	metricStoreRoutesNBuckets    = []int64{1, 2, 3, 4, 5, 10, 100, 1000, 10000}
+	metricStoreRoutesRate        []*clientmetric.Metric
+	metricStoreRoutesN           []*clientmetric.Metric
+)
+
+func initMetricStoreRoutes() {
+	for _, n := range metricStoreRoutesRateBuckets {
+		metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_rate_%d", n)))
+	}
+	metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter("appc_store_routes_rate_over"))
+	for _, n := range metricStoreRoutesNBuckets {
+		metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_n_routes_%d", n)))
+	}
+	metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter("appc_store_routes_n_routes_over"))
+}
+
+func recordMetric(val int64, buckets []int64, metrics []*clientmetric.Metric) {
+	if len(buckets) < 1 {
+		return
+	}
+	// finds the first bucket where val <=, or len(buckets) if none match
+	// for bucket values of 1, 10, 100; 0-1 goes to [0], 2-10 goes to [1], 11-100 goes to [2], 101+ goes to [3]
+	bucket, _ := slices.BinarySearch(buckets, val)
+	metrics[bucket].Add(1)
+}
+
+func metricStoreRoutes(rate, nRoutes int64) {
+	if len(metricStoreRoutesRate) == 0 {
+		initMetricStoreRoutes()
+	}
+	recordMetric(rate, metricStoreRoutesRateBuckets, metricStoreRoutesRate)
+	recordMetric(nRoutes, metricStoreRoutesNBuckets, metricStoreRoutesN)
+}
+
 // RouteInfo is a data structure used to persist the in memory state of an AppConnector
 // so that we can know, even after a restart, which routes came from ACLs and which were
 // learned from domains.
@@ -141,6 +179,7 @@ func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser, routeInf
 	}
 	ac.writeRateMinute = newRateLogger(time.Now, time.Minute, func(c int64, s time.Time, l int64) {
 		ac.logf("routeInfo write rate: %d in minute starting at %v (%d routes)", c, s, l)
+		metricStoreRoutes(c, l)
 	})
 	ac.writeRateDay = newRateLogger(time.Now, 24*time.Hour, func(c int64, s time.Time, l int64) {
 		ac.logf("routeInfo write rate: %d in 24 hours starting at %v (%d routes)", c, s, l)
@@ -442,8 +481,10 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 			}
 		}
 
-		e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
-		e.scheduleAdvertisement(domain, toAdvertise...)
+		if len(toAdvertise) > 0 {
+			e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
+			e.scheduleAdvertisement(domain, toAdvertise...)
+		}
 	}
 }
 

appc/appconnector_test.go

@@ -15,6 +15,7 @@ import (
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/appc/appctest"
 	"tailscale.com/tstest"
+	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 )
@@ -569,3 +570,35 @@ func TestRateLogger(t *testing.T) {
 		t.Fatalf("wasCalled: got false, want true")
 	}
 }
+
+func TestRouteStoreMetrics(t *testing.T) {
+	metricStoreRoutes(1, 1)
+	metricStoreRoutes(1, 1)         // the 1 buckets value should be 2
+	metricStoreRoutes(5, 5)         // the 5 buckets value should be 1
+	metricStoreRoutes(6, 6)         // the 10 buckets value should be 1
+	metricStoreRoutes(10001, 10001) // the over buckets value should be 1
+	wanted := map[string]int64{
+		"appc_store_routes_n_routes_1":    2,
+		"appc_store_routes_rate_1":        2,
+		"appc_store_routes_n_routes_5":    1,
+		"appc_store_routes_rate_5":        1,
+		"appc_store_routes_n_routes_10":   1,
+		"appc_store_routes_rate_10":       1,
+		"appc_store_routes_n_routes_over": 1,
+		"appc_store_routes_rate_over":     1,
+	}
+	for _, x := range clientmetric.Metrics() {
+		if x.Value() != wanted[x.Name()] {
+			t.Errorf("%s: want: %d, got: %d", x.Name(), wanted[x.Name()], x.Value())
+		}
+	}
+}
+
+func TestMetricBucketsAreSorted(t *testing.T) {
+	if !slices.IsSorted(metricStoreRoutesRateBuckets) {
+		t.Errorf("metricStoreRoutesRateBuckets must be in order")
+	}
+	if !slices.IsSorted(metricStoreRoutesNBuckets) {
+		t.Errorf("metricStoreRoutesNBuckets must be in order")
+	}
+}

appc/appctest/appctest.go

@@ -1,6 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
+// Package appctest contains code to help test App Connectors.
 package appctest
 
 import (

build_docker.sh

@@ -1,21 +1,11 @@
 #!/usr/bin/env sh
-
 #
-# Runs `go build` with flags configured for docker distribution. All
-# it does differently from `go build` is burn git commit and version
-# information into the binaries inside docker, so that we can track down user
-# issues.
-#
-############################################################################
-#
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
-#
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
+# This script builds Tailscale container images using
+# github.com/tailscale/mkctr.
+# By default the images will be tagged with the current version and git
+# hash of this repository as produced by ./cmd/mkversion.
+# This is the image build mechanim used to build the official Tailscale
+# container images.
 
 set -eu
 
@@ -49,7 +39,7 @@ case "$TARGET" in
         -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
-      --gotags="ts_kube" \
+      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
       --target="${PLATFORM}" \

client/tailscale/acl.go

@@ -37,6 +37,16 @@ type ACLTest struct {
 	Allow []string `json:"allow,omitempty"` // old name for accept
 }
 
+// NodeAttrGrant defines additional string attributes that apply to specific devices.
+type NodeAttrGrant struct {
+	// Target specifies which nodes the attributes apply to. The nodes can be a
+	// tag (tag:server), user (alice@example.com), group (group:kids), or *.
+	Target []string `json:"target,omitempty"`
+
+	// Attr are the attributes to set on Target(s).
+	Attr []string `json:"attr,omitempty"`
+}
+
 // ACLDetails contains all the details for an ACL.
 type ACLDetails struct {
 	Tests     []ACLTest           `json:"tests,omitempty"`
@@ -44,6 +54,7 @@ type ACLDetails struct {
 	Groups    map[string][]string `json:"groups,omitempty"`
 	TagOwners map[string][]string `json:"tagowners,omitempty"`
 	Hosts     map[string]string   `json:"hosts,omitempty"`
+	NodeAttrs []NodeAttrGrant     `json:"nodeAttrs,omitempty"`
 }
 
 // ACL contains an ACLDetails and metadata.
@@ -150,7 +161,12 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 // ACLTestFailureSummary specifies the JSON format sent to the
 // JavaScript client to be rendered in the HTML.
 type ACLTestFailureSummary struct {
-	User     string   `json:"user,omitempty"`
+	// User is the source ("src") value of the ACL test that failed.
+	// The name "user" is a legacy holdover from the original naming and
+	// is kept for compatibility but it may also contain any value
+	// that's valid in a ACL test "src" field.
+	User string `json:"user,omitempty"`
+
 	Errors   []string `json:"errors,omitempty"`
 	Warnings []string `json:"warnings,omitempty"`
 }

client/tailscale/devices.go

@@ -10,6 +10,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log"
 	"net/http"
 	"net/url"
 
@@ -39,6 +40,7 @@ type Device struct {
 	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
 	Addresses []string `json:"addresses"`
 	DeviceID  string   `json:"id"`
+	NodeID    string   `json:"nodeId"`
 	User      string   `json:"user"`
 	Name      string   `json:"name"`
 	Hostname  string   `json:"hostname"`
@@ -213,6 +215,9 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	if err != nil {
 		return err
 	}
+
+	log.Printf("RESP: %di, path: %s", resp.StatusCode, path)
+
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {

client/tailscale/localclient.go

@@ -103,7 +103,7 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 			return d.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(port))
 		}
 	}
-	return safesocket.Connect(lc.socket())
+	return safesocket.ConnectContext(ctx, lc.socket())
 }
 
 // DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
@@ -253,11 +253,16 @@ func (lc *LocalClient) sendWithHeaders(
 	}
 	if res.StatusCode != wantStatus {
 		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, nil, bestError(err, slurp)
+		return nil, nil, httpStatusError{bestError(err, slurp), res.StatusCode}
 	}
 	return slurp, res.Header, nil
 }
 
+type httpStatusError struct {
+	error
+	HTTPStatus int
+}
+
 func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
 	return lc.send(ctx, "GET", path, 200, nil)
 }
@@ -278,9 +283,50 @@ func decodeJSON[T any](b []byte) (ret T, err error) {
 }
 
 // WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+//
+// If not found, the error is ErrPeerNotFound.
+//
+// For connections proxied by tailscaled, this looks up the owner of the given
+// address as TCP first, falling back to UDP; if you want to only check a
+// specific address family, use WhoIsProto.
 func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
 	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
 	if err != nil {
+		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
+			return nil, ErrPeerNotFound
+		}
+		return nil, err
+	}
+	return decodeJSON[*apitype.WhoIsResponse](body)
+}
+
+// ErrPeerNotFound is returned by WhoIs and WhoIsNodeKey when a peer is not found.
+var ErrPeerNotFound = errors.New("peer not found")
+
+// WhoIsNodeKey returns the owner of the given wireguard public key.
+//
+// If not found, the error is ErrPeerNotFound.
+func (lc *LocalClient) WhoIsNodeKey(ctx context.Context, key key.NodePublic) (*apitype.WhoIsResponse, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(key.String()))
+	if err != nil {
+		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
+			return nil, ErrPeerNotFound
+		}
+		return nil, err
+	}
+	return decodeJSON[*apitype.WhoIsResponse](body)
+}
+
+// WhoIsProto returns the owner of the remoteAddr, which must be an IP or
+// IP:port, for the given protocol (tcp or udp).
+//
+// If not found, the error is ErrPeerNotFound.
+func (lc *LocalClient) WhoIsProto(ctx context.Context, proto, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/whois?proto="+url.QueryEscape(proto)+"&addr="+url.QueryEscape(remoteAddr))
+	if err != nil {
+		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
+			return nil, ErrPeerNotFound
+		}
 		return nil, err
 	}
 	return decodeJSON[*apitype.WhoIsResponse](body)
@@ -887,7 +933,20 @@ func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err e
 //
 // API maturity: this is considered a stable API.
 func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
+	return lc.CertPairWithValidity(ctx, domain, 0)
+}
+
+// CertPairWithValidity returns a cert and private key for the provided DNS
+// domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+// When minValidity is non-zero, the returned certificate will be valid for at
+// least the given duration, if permitted by the CA. If the certificate is
+// valid, but for less than minValidity, it will be synchronously renewed.
+//
+// API maturity: this is considered a stable API.
+func (lc *LocalClient) CertPairWithValidity(ctx context.Context, domain string, minValidity time.Duration) (certPEM, keyPEM []byte, err error) {
+	res, err := lc.send(ctx, "GET", fmt.Sprintf("/localapi/v0/cert/%s?type=pair&min_validity=%s", domain, minValidity), 200, nil)
 	if err != nil {
 		return nil, nil, err
 	}

client/tailscale/localclient_test.go

@@ -6,9 +6,14 @@
 package tailscale
 
 import (
+	"context"
+	"net"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"tailscale.com/tstest/deptest"
+	"tailscale.com/types/key"
 )
 
 func TestGetServeConfigFromJSON(t *testing.T) {
@@ -30,6 +35,32 @@ func TestGetServeConfigFromJSON(t *testing.T) {
 	}
 }
 
+func TestWhoIsPeerNotFound(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(404)
+	}))
+	defer ts.Close()
+
+	lc := &LocalClient{
+		Dial: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			var std net.Dialer
+			return std.DialContext(ctx, network, ts.Listener.Addr().(*net.TCPAddr).String())
+		},
+	}
+	var k key.NodePublic
+	if err := k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")); err != nil {
+		t.Fatal(err)
+	}
+	res, err := lc.WhoIsNodeKey(context.Background(), k)
+	if err != ErrPeerNotFound {
+		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
+	}
+	res, err = lc.WhoIs(context.Background(), "1.2.3.4:5678")
+	if err != ErrPeerNotFound {
+		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
+	}
+}
+
 func TestDeps(t *testing.T) {
 	deptest.DepChecker{
 		BadDeps: map[string]string{

client/web/package.json

@@ -3,7 +3,7 @@
   "version": "0.0.1",
   "license": "BSD-3-Clause",
   "engines": {
-    "node": "18.16.1",
+    "node": "18.20.4",
     "yarn": "1.22.19"
   },
   "type": "module",

clientupdate/clientupdate.go

@@ -37,11 +37,18 @@ import (
 )
 
 const (
-	CurrentTrack  = ""
 	StableTrack   = "stable"
 	UnstableTrack = "unstable"
 )
 
+var CurrentTrack = func() string {
+	if version.IsUnstableBuild() {
+		return UnstableTrack
+	} else {
+		return StableTrack
+	}
+}()
+
 func versionToTrack(v string) (string, error) {
 	_, rest, ok := strings.Cut(v, ".")
 	if !ok {
@@ -106,7 +113,7 @@ func (args Arguments) validate() error {
 		return fmt.Errorf("only one of Version(%q) or Track(%q) can be set", args.Version, args.Track)
 	}
 	switch args.Track {
-	case StableTrack, UnstableTrack, CurrentTrack:
+	case StableTrack, UnstableTrack, "":
 		// All valid values.
 	default:
 		return fmt.Errorf("unsupported track %q", args.Track)
@@ -119,11 +126,17 @@ type Updater struct {
 	// Update is a platform-specific method that updates the installation. May be
 	// nil (not all platforms support updates from within Tailscale).
 	Update func() error
+
+	// currentVersion is the short form of the current client version as
+	// returned by version.Short(), typically "x.y.z". Used for tests to
+	// override the actual current version.
+	currentVersion string
 }
 
 func NewUpdater(args Arguments) (*Updater, error) {
 	up := Updater{
-		Arguments: args,
+		Arguments:      args,
+		currentVersion: version.Short(),
 	}
 	if up.Stdout == nil {
 		up.Stdout = os.Stdout
@@ -139,18 +152,15 @@ func NewUpdater(args Arguments) (*Updater, error) {
 	if args.ForAutoUpdate && !canAutoUpdate {
 		return nil, errors.ErrUnsupported
 	}
-	if up.Track == CurrentTrack {
-		switch {
-		case up.Version != "":
+	if up.Track == "" {
+		if up.Version != "" {
 			var err error
 			up.Track, err = versionToTrack(args.Version)
 			if err != nil {
 				return nil, err
 			}
-		case version.IsUnstableBuild():
-			up.Track = UnstableTrack
-		default:
-			up.Track = StableTrack
+		} else {
+			up.Track = CurrentTrack
 		}
 	}
 	if up.Arguments.PkgsAddr == "" {
@@ -238,6 +248,11 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 // CanAutoUpdate reports whether auto-updating via the clientupdate package
 // is supported for the current os/distro.
 func CanAutoUpdate() bool {
+	if version.IsMacSysExt() {
+		// Macsys uses Sparkle for auto-updates, which doesn't have an update
+		// function in this package.
+		return true
+	}
 	_, canAutoUpdate := (&Updater{}).getUpdateFunction()
 	return canAutoUpdate
 }
@@ -259,13 +274,16 @@ func Update(args Arguments) error {
 }
 
 func (up *Updater) confirm(ver string) bool {
-	switch cmpver.Compare(version.Short(), ver) {
-	case 0:
-		up.Logf("already running %v version %v; no update needed", up.Track, ver)
-		return false
-	case 1:
-		up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, version.Short(), ver)
-		return false
+	// Only check version when we're not switching tracks.
+	if up.Track == "" || up.Track == CurrentTrack {
+		switch c := cmpver.Compare(up.currentVersion, ver); {
+		case c == 0:
+			up.Logf("already running %v version %v; no update needed", up.Track, ver)
+			return false
+		case c > 0:
+			up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, up.currentVersion, ver)
+			return false
+		}
 	}
 	if up.Confirm != nil {
 		return up.Confirm(ver)
@@ -681,7 +699,7 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 			return "", fmt.Errorf("malformed info line: %q", line)
 		}
 		ver := parts[1]
-		if cmpver.Compare(ver, maxVer) == 1 {
+		if cmpver.Compare(ver, maxVer) > 0 {
 			maxVer = ver
 		}
 	}
@@ -880,7 +898,7 @@ func (up *Updater) installMSI(msi string) error {
 			break
 		}
 		up.Logf("Install attempt failed: %v", err)
-		uninstallVersion := version.Short()
+		uninstallVersion := up.currentVersion
 		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
 			uninstallVersion = v
 		}
@@ -1331,12 +1349,8 @@ func requestedTailscaleVersion(ver, track string) (string, error) {
 // LatestTailscaleVersion returns the latest released version for the given
 // track from pkgs.tailscale.com.
 func LatestTailscaleVersion(track string) (string, error) {
-	if track == CurrentTrack {
-		if version.IsUnstableBuild() {
-			track = UnstableTrack
-		} else {
-			track = StableTrack
-		}
+	if track == "" {
+		track = CurrentTrack
 	}
 
 	latest, err := latestPackages(track)

clientupdate/clientupdate_test.go

@@ -846,3 +846,107 @@ func TestParseUnraidPluginVersion(t *testing.T) {
 		})
 	}
 }
+
+func TestConfirm(t *testing.T) {
+	curTrack := CurrentTrack
+	defer func() { CurrentTrack = curTrack }()
+
+	tests := []struct {
+		desc      string
+		fromTrack string
+		toTrack   string
+		fromVer   string
+		toVer     string
+		confirm   func(string) bool
+		want      bool
+	}{
+		{
+			desc:      "on latest stable",
+			fromTrack: StableTrack,
+			toTrack:   StableTrack,
+			fromVer:   "1.66.0",
+			toVer:     "1.66.0",
+			want:      false,
+		},
+		{
+			desc:      "stable upgrade",
+			fromTrack: StableTrack,
+			toTrack:   StableTrack,
+			fromVer:   "1.66.0",
+			toVer:     "1.68.0",
+			want:      true,
+		},
+		{
+			desc:      "unstable upgrade",
+			fromTrack: UnstableTrack,
+			toTrack:   UnstableTrack,
+			fromVer:   "1.67.1",
+			toVer:     "1.67.2",
+			want:      true,
+		},
+		{
+			desc:      "from stable to unstable",
+			fromTrack: StableTrack,
+			toTrack:   UnstableTrack,
+			fromVer:   "1.66.0",
+			toVer:     "1.67.1",
+			want:      true,
+		},
+		{
+			desc:      "from unstable to stable",
+			fromTrack: UnstableTrack,
+			toTrack:   StableTrack,
+			fromVer:   "1.67.1",
+			toVer:     "1.66.0",
+			want:      true,
+		},
+		{
+			desc:      "confirm callback rejects",
+			fromTrack: StableTrack,
+			toTrack:   StableTrack,
+			fromVer:   "1.66.0",
+			toVer:     "1.66.1",
+			confirm: func(string) bool {
+				return false
+			},
+			want: false,
+		},
+		{
+			desc:      "confirm callback allows",
+			fromTrack: StableTrack,
+			toTrack:   StableTrack,
+			fromVer:   "1.66.0",
+			toVer:     "1.66.1",
+			confirm: func(string) bool {
+				return true
+			},
+			want: true,
+		},
+		{
+			desc:      "downgrade",
+			fromTrack: StableTrack,
+			toTrack:   StableTrack,
+			fromVer:   "1.66.1",
+			toVer:     "1.66.0",
+			want:      false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			CurrentTrack = tt.fromTrack
+			up := Updater{
+				currentVersion: tt.fromVer,
+				Arguments: Arguments{
+					Track:   tt.toTrack,
+					Confirm: tt.confirm,
+					Logf:    t.Logf,
+				},
+			}
+
+			if got := up.confirm(tt.toVer); got != tt.want {
+				t.Errorf("got %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

cmd/cloner/cloner.go

@@ -78,7 +78,11 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-	cloneOutput := pkg.Name + "_clone.go"
+	cloneOutput := pkg.Name + "_clone"
+	if *flagBuildTags == "test" {
+		cloneOutput += "_test"
+	}
+	cloneOutput += ".go"
 	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
 		log.Fatal(err)
 	}
@@ -91,16 +95,19 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	}
 
 	name := typ.Obj().Name()
+	typeParams := typ.Origin().TypeParams()
+	_, typeParamNames := codegen.FormatTypeParams(typeParams, it)
+	nameWithParams := name + typeParamNames
 	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
-	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
+	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", nameWithParams, nameWithParams)
 	writef := func(format string, args ...any) {
 		fmt.Fprintf(buf, "\t"+format+"\n", args...)
 	}
 	writef("if src == nil {")
 	writef("\treturn nil")
 	writef("}")
-	writef("dst := new(%s)", name)
+	writef("dst := new(%s)", nameWithParams)
 	writef("*dst = *src")
 	for i := range t.NumFields() {
 		fname := t.Field(i).Name()
@@ -126,16 +133,23 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
 				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
-						it.Import("tailscale.com/types/ptr")
-						writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
-						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
-						writef("}")
+					writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
+					if codegen.ContainsPointers(ptr.Elem()) {
+						if _, isIface := ptr.Elem().Underlying().(*types.Interface); isIface {
+							it.Import("tailscale.com/types/ptr")
+							writef("\tdst.%s[i] = ptr.To((*src.%s[i]).Clone())", fname, fname)
+						} else {
+							writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+						}
 					} else {
-						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+						it.Import("tailscale.com/types/ptr")
+						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
 					}
+					writef("}")
 				} else if ft.Elem().String() == "encoding/json.RawMessage" {
 					writef("\tdst.%s[i] = append(src.%s[i][:0:0], src.%s[i]...)", fname, fname, fname)
+				} else if _, isIface := ft.Elem().Underlying().(*types.Interface); isIface {
+					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -145,14 +159,19 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
 			}
 		case *types.Pointer:
-			if named, _ := ft.Elem().(*types.Named); named != nil && codegen.ContainsPointers(ft.Elem()) {
+			base := ft.Elem()
+			hasPtrs := codegen.ContainsPointers(base)
+			if named, _ := base.(*types.Named); named != nil && hasPtrs {
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
 			it.Import("tailscale.com/types/ptr")
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
-			if codegen.ContainsPointers(ft.Elem()) {
+			if _, isIface := base.Underlying().(*types.Interface); isIface && hasPtrs {
+				writef("\tdst.%s = ptr.To((*src.%s).Clone())", fname, fname)
+			} else if !hasPtrs {
+				writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
+			} else {
 				writef("\t" + `panic("TODO pointers in pointers")`)
 			}
 			writef("}")
@@ -172,18 +191,50 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("if dst.%s != nil {", fname)
 				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
 				writef("\tfor k, v := range src.%s {", fname)
-				switch elem.(type) {
+
+				switch elem := elem.Underlying().(type) {
 				case *types.Pointer:
-					writef("\t\tdst.%s[k] = v.Clone()", fname)
+					writef("\t\tif v == nil { dst.%s[k] = nil } else {", fname)
+					if base := elem.Elem().Underlying(); codegen.ContainsPointers(base) {
+						if _, isIface := base.(*types.Interface); isIface {
+							it.Import("tailscale.com/types/ptr")
+							writef("\t\t\tdst.%s[k] = ptr.To((*v).Clone())", fname)
+						} else {
+							writef("\t\t\tdst.%s[k] = v.Clone()", fname)
+						}
+					} else {
+						it.Import("tailscale.com/types/ptr")
+						writef("\t\t\tdst.%s[k] = ptr.To(*v)", fname)
+					}
+					writef("}")
+				case *types.Interface:
+					if cloneResultType := methodResultType(elem, "Clone"); cloneResultType != nil {
+						if _, isPtr := cloneResultType.(*types.Pointer); isPtr {
+							writef("\t\tdst.%s[k] = *(v.Clone())", fname)
+						} else {
+							writef("\t\tdst.%s[k] = v.Clone()", fname)
+						}
+					} else {
+						writef(`panic("%s (%v) does not have a Clone method")`, fname, elem)
+					}
 				default:
 					writef("\t\tdst.%s[k] = *(v.Clone())", fname)
 				}
+
 				writef("\t}")
 				writef("}")
 			} else {
 				it.Import("maps")
 				writef("\tdst.%s = maps.Clone(src.%s)", fname, fname)
 			}
+		case *types.Interface:
+			// If ft is an interface with a "Clone() ft" method, it can be used to clone the field.
+			// This includes scenarios where ft is a constrained type parameter.
+			if cloneResultType := methodResultType(ft, "Clone"); cloneResultType.Underlying() == ft {
+				writef("dst.%s = src.%s.Clone()", fname, fname)
+				continue
+			}
+			writef(`panic("%s (%v) does not have a compatible Clone method")`, fname, ft)
 		default:
 			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}
@@ -191,7 +242,7 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")
 
-	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
+	buf.Write(codegen.AssertStructUnchanged(t, name, typeParams, "Clone", it))
 }
 
 // hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
@@ -203,3 +254,15 @@ func hasBasicUnderlying(typ types.Type) bool {
 		return false
 	}
 }
+
+func methodResultType(typ types.Type, method string) types.Type {
+	viewMethod := codegen.LookupMethod(typ, method)
+	if viewMethod == nil {
+		return nil
+	}
+	sig, ok := viewMethod.Type().(*types.Signature)
+	if !ok || sig.Results().Len() != 1 {
+		return nil
+	}
+	return sig.Results().At(0).Type()
+}

cmd/cloner/clonerex/clonerex.go

@@ -3,6 +3,7 @@
 
 //go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type SliceContainer
 
+// Package clonerex is an example package for the cloner tool.
 package clonerex
 
 type SliceContainer struct {

cmd/containerboot/kube.go

@@ -19,22 +19,20 @@ import (
 	"tailscale.com/tailcfg"
 )
 
-// storeDeviceInfo writes deviceID into the "device_id" data field of the kube
-// secret secretName.
-func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string, addresses []netip.Prefix) error {
-	// First check if the secret exists at all. Even if running on
-	// kubernetes, we do not necessarily store state in a k8s secret.
-	if _, err := kc.GetSecret(ctx, secretName); err != nil {
-		if s, ok := err.(*kube.Status); ok {
-			if s.Code >= 400 && s.Code <= 499 {
-				// Assume the secret doesn't exist, or we don't have
-				// permission to access it.
-				return nil
-			}
-		}
-		return err
+// storeDeviceID writes deviceID to 'device_id' data field of the named
+// Kubernetes Secret.
+func storeDeviceID(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID) error {
+	s := &kube.Secret{
+		Data: map[string][]byte{
+			"device_id": []byte(deviceID),
+		},
 	}
+	return kc.StrategicMergePatchSecret(ctx, secretName, s, "tailscale-container")
+}
 
+// storeDeviceEndpoints writes device's tailnet IPs and MagicDNS name to fields
+// 'device_ips', 'device_fqdn' of the named Kubernetes Secret.
+func storeDeviceEndpoints(ctx context.Context, secretName string, fqdn string, addresses []netip.Prefix) error {
 	var ips []string
 	for _, addr := range addresses {
 		ips = append(ips, addr.Addr().String())
@@ -44,14 +42,13 @@ func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.St
 		return err
 	}
 
-	m := &kube.Secret{
+	s := &kube.Secret{
 		Data: map[string][]byte{
-			"device_id":   []byte(deviceID),
 			"device_fqdn": []byte(fqdn),
 			"device_ips":  deviceIPs,
 		},
 	}
-	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")
+	return kc.StrategicMergePatchSecret(ctx, secretName, s, "tailscale-container")
 }
 
 // deleteAuthKey deletes the 'authkey' field of the given kube

cmd/containerboot/main.go

@@ -321,7 +321,7 @@ authLoop:
 		}
 	}
 
-	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && isTwoStepConfigAuthOnce(cfg) {
+	if hasKubeStateStore(cfg) && isTwoStepConfigAuthOnce(cfg) {
 		// We were told to only auth once, so any secret-bound
 		// authkey is no longer needed. We don't strictly need to
 		// wipe it, but it's good hygiene.
@@ -337,11 +337,10 @@ authLoop:
 	}
 
 	var (
-		wantProxy         = cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" || cfg.AllowProxyingClusterTrafficViaIngress
-		wantDeviceInfo    = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
-		startupTasksDone  = false
-		currentIPs        deephash.Sum // tailscale IPs assigned to device
-		currentDeviceInfo deephash.Sum // device ID and fqdn
+		startupTasksDone       = false
+		currentIPs             deephash.Sum // tailscale IPs assigned to device
+		currentDeviceID        deephash.Sum // device ID
+		currentDeviceEndpoints deephash.Sum // device FQDN and IPs
 
 		currentEgressIPs deephash.Sum
 
@@ -355,7 +354,7 @@ authLoop:
 		go watchServeConfigChanges(ctx, cfg.ServeConfigPath, certDomainChanged, certDomain, client)
 	}
 	var nfr linuxfw.NetfilterRunner
-	if wantProxy {
+	if isL3Proxy(cfg) {
 		nfr, err = newNetfilterRunner(log.Printf)
 		if err != nil {
 			log.Fatalf("error creating new netfilter runner: %v", err)
@@ -440,6 +439,20 @@ runLoop:
 				newCurrentIPs := deephash.Hash(&addrs)
 				ipsHaveChanged := newCurrentIPs != currentIPs
 
+				// Store device ID in a Kubernetes Secret before
+				// setting up any routing rules. This ensures
+				// that, for containerboot instances that are
+				// Kubernetes operator proxies, the operator is
+				// able to retrieve the device ID from the
+				// Kubernetes Secret to clean up tailnet nodes
+				// for proxies whose route setup continuously
+				// fails.
+				deviceID := n.NetMap.SelfNode.StableID()
+				if hasKubeStateStore(cfg) && deephash.Update(&currentDeviceID, &deviceID) {
+					if err := storeDeviceID(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID()); err != nil {
+						log.Fatalf("storing device ID in Kubernetes Secret: %v", err)
+					}
+				}
 				if cfg.TailnetTargetFQDN != "" {
 					var (
 						egressAddrs          []netip.Prefix
@@ -463,18 +476,20 @@ runLoop:
 					newCurentEgressIPs = deephash.Hash(&egressAddrs)
 					egressIPsHaveChanged = newCurentEgressIPs != currentEgressIPs
 					if egressIPsHaveChanged && len(egressAddrs) != 0 {
+						var rulesInstalled bool
 						for _, egressAddr := range egressAddrs {
 							ea := egressAddr.Addr()
-							// TODO (irbekrm): make it work for IPv6 too.
-							if ea.Is6() {
-								log.Println("Not installing egress forwarding rules for IPv6 as this is currently not supported")
-								continue
-							}
-							log.Printf("Installing forwarding rules for destination %v", ea.String())
-							if err := installEgressForwardingRule(ctx, ea.String(), addrs, nfr); err != nil {
-								log.Fatalf("installing egress proxy rules for destination %s: %v", ea.String(), err)
+							if ea.Is4() || (ea.Is6() && nfr.HasIPV6NAT()) {
+								rulesInstalled = true
+								log.Printf("Installing forwarding rules for destination %v", ea.String())
+								if err := installEgressForwardingRule(ctx, ea.String(), addrs, nfr); err != nil {
+									log.Fatalf("installing egress proxy rules for destination %s: %v", ea.String(), err)
+								}
 							}
 						}
+						if !rulesInstalled {
+							log.Fatalf("no forwarding rules for egress addresses %v, host supports IPv6: %v", egressAddrs, nfr.HasIPV6NAT())
+						}
 					}
 					currentEgressIPs = newCurentEgressIPs
 				}
@@ -533,15 +548,36 @@ runLoop:
 				}
 				currentIPs = newCurrentIPs
 
-				deviceInfo := []any{n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()}
-				if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" && deephash.Update(&currentDeviceInfo, &deviceInfo) {
-					if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses().AsSlice()); err != nil {
-						log.Fatalf("storing device ID in kube secret: %v", err)
+				// Only store device FQDN and IP addresses to
+				// Kubernetes Secret when any required proxy
+				// route setup has succeeded. IPs and FQDN are
+				// read from the Secret by the Tailscale
+				// Kubernetes operator and, for some proxy
+				// types, such as Tailscale Ingress, advertized
+				// on the Ingress status. Writing them to the
+				// Secret only after the proxy routing has been
+				// set up ensures that the operator does not
+				// advertize endpoints of broken proxies.
+				// TODO (irbekrm): instead of using the IP and FQDN, have some other mechanism for the proxy signal that it is 'Ready'.
+				deviceEndpoints := []any{n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses()}
+				if hasKubeStateStore(cfg) && deephash.Update(&currentDeviceEndpoints, &deviceEndpoints) {
+					if err := storeDeviceEndpoints(ctx, cfg.KubeSecret, n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses().AsSlice()); err != nil {
+						log.Fatalf("storing device IPs and FQDN in Kubernetes Secret: %v", err)
 					}
 				}
 			}
 			if !startupTasksDone {
-				if (!wantProxy || currentIPs != deephash.Sum{}) && (!wantDeviceInfo || currentDeviceInfo != deephash.Sum{}) {
+				// For containerboot instances that act as TCP
+				// proxies (proxying traffic to an endpoint
+				// passed via one of the env vars that
+				// containerbot reads) and store state in a
+				// Kubernetes Secret, we consider startup tasks
+				// done at the point when device info has been
+				// successfully stored to state Secret.
+				// For all other containerboot instances, if we
+				// just get to this point the startup tasks can
+				// be considered done.
+				if !isL3Proxy(cfg) || !hasKubeStateStore(cfg) || (currentDeviceEndpoints != deephash.Sum{} && currentDeviceID != deephash.Sum{}) {
 					// This log message is used in tests to detect when all
 					// post-auth configuration is done.
 					log.Println("Startup complete, waiting for shutdown signal")
@@ -907,7 +943,7 @@ func enableIPForwarding(v4Forwarding, v6Forwarding bool, root string) error {
 	return nil
 }
 
-func installEgressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
+func installEgressForwardingRule(_ context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
 	dst, err := netip.ParseAddr(dstStr)
 	if err != nil {
 		return err
@@ -1287,6 +1323,19 @@ func isOneStepConfig(cfg *settings) bool {
 	return cfg.TailscaledConfigFilePath != ""
 }
 
+// isL3Proxy returns true if the Tailscale node needs to be configured to act
+// as an L3 proxy, proxying to an endpoint provided via one of the config env
+// vars.
+func isL3Proxy(cfg *settings) bool {
+	return cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" || cfg.AllowProxyingClusterTrafficViaIngress
+}
+
+// hasKubeStateStore returns true if the state must be stored in a Kubernetes
+// Secret.
+func hasKubeStateStore(cfg *settings) bool {
+	return cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != ""
+}
+
 // tailscaledConfigFilePath returns the path to the tailscaled config file that
 // should be used for the current capability version. It is determined by the
 // TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR environment variable and looks for a

cmd/containerboot/main_test.go

@@ -52,7 +52,7 @@ func TestContainerBoot(t *testing.T) {
 	}
 	defer kube.Close()
 
-	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: func(s string) *string { return &s }("foo"), Version: "alpha0"}
+	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: ptr.To("foo"), Version: "alpha0"}
 	tailscaledConfBytes, err := json.Marshal(tailscaledConf)
 	if err != nil {
 		t.Fatalf("error unmarshaling tailscaled config: %v", err)
@@ -116,6 +116,9 @@ func TestContainerBoot(t *testing.T) {
 		// WantFiles files that should exist in the container and their
 		// contents.
 		WantFiles map[string]string
+		// WantFatalLog is the fatal log message we expect from containerboot.
+		// If set for a phase, the test will finish on that phase.
+		WantFatalLog string
 	}
 	runningNotify := &ipn.Notify{
 		State: ptr.To(ipn.Running),
@@ -349,12 +352,57 @@ func TestContainerBoot(t *testing.T) {
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
 						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
+					WantFiles: map[string]string{
+						"proc/sys/net/ipv4/ip_forward":          "1",
+						"proc/sys/net/ipv6/conf/all/forwarding": "0",
+					},
 				},
 				{
 					Notify: runningNotify,
 				},
 			},
 		},
+		{
+			Name: "egress_proxy_fqdn_ipv6_target_on_ipv4_host",
+			Env: map[string]string{
+				"TS_AUTHKEY":               "tskey-key",
+				"TS_TAILNET_TARGET_FQDN":   "ipv6-node.test.ts.net", // resolves to IPv6 address
+				"TS_USERSPACE":             "false",
+				"TS_TEST_FAKE_NETFILTER_6": "false",
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+					WantFiles: map[string]string{
+						"proc/sys/net/ipv4/ip_forward":          "1",
+						"proc/sys/net/ipv6/conf/all/forwarding": "0",
+					},
+				},
+				{
+					Notify: &ipn.Notify{
+						State: ptr.To(ipn.Running),
+						NetMap: &netmap.NetworkMap{
+							SelfNode: (&tailcfg.Node{
+								StableID:  tailcfg.StableNodeID("myID"),
+								Name:      "test-node.test.ts.net",
+								Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
+							}).View(),
+							Peers: []tailcfg.NodeView{
+								(&tailcfg.Node{
+									StableID:  tailcfg.StableNodeID("ipv6ID"),
+									Name:      "ipv6-node.test.ts.net",
+									Addresses: []netip.Prefix{netip.MustParsePrefix("::1/128")},
+								}).View(),
+							},
+						},
+					},
+					WantFatalLog: "no forwarding rules for egress addresses [::1/128], host supports IPv6: false",
+				},
+			},
+		},
 		{
 			Name: "authkey_once",
 			Env: map[string]string{
@@ -697,6 +745,25 @@ func TestContainerBoot(t *testing.T) {
 			var wantCmds []string
 			for i, p := range test.Phases {
 				lapi.Notify(p.Notify)
+				if p.WantFatalLog != "" {
+					err := tstest.WaitFor(2*time.Second, func() error {
+						state, err := cmd.Process.Wait()
+						if err != nil {
+							return err
+						}
+						if state.ExitCode() != 1 {
+							return fmt.Errorf("process exited with code %d but wanted %d", state.ExitCode(), 1)
+						}
+						waitLogLine(t, time.Second, cbOut, p.WantFatalLog)
+						return nil
+					})
+					if err != nil {
+						t.Fatal(err)
+					}
+
+					// Early test return, we don't expect the successful startup log message.
+					return
+				}
 				wantCmds = append(wantCmds, p.WantCmds...)
 				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
 				err := tstest.WaitFor(2*time.Second, func() error {

cmd/derper/README.md

@@ -0,0 +1,109 @@
+# DERP
+
+This is the code for the [Tailscale DERP server](https://tailscale.com/kb/1232/derp-servers).
+
+In general, you should not need to or want to run this code. The overwhelming
+majority of Tailscale users (both individuals and companies) do not.
+
+In the happy path, Tailscale establishes direct connections between peers and
+data plane traffic flows directly between them, without using DERP for more than
+acting as a low bandwidth side channel to bootstrap the NAT traversal. If you
+find yourself wanting DERP for more bandwidth, the real problem is usually the
+network configuration of your Tailscale node(s), making sure that Tailscale can
+get direction connections via some mechanism.
+
+If you've decided or been advised to run your own `derper`, then read on.
+
+## Caveats
+
+* Node sharing and other cross-Tailnet features don't work when using custom
+  DERP servers.
+
+* DERP servers only see encrypted WireGuard packets and thus are not useful for
+  network-level debugging.
+
+* The Tailscale control plane does certain geo-level steering features and
+  optimizations that are not available when using custom DERP servers.
+
+## Guide to running `cmd/derper`
+
+* You must build and update the `cmd/derper` binary yourself. There are no
+  packages. Use `go install tailscale.com/cmd/derper@latest` with the latest
+  version of Go. You should update this binary approximately as regularly as
+  you update Tailscale nodes. If using `--verify-clients`, the `derper` binary
+  and `tailscaled` binary on the machine must be built from the same git revision.
+  (It might work otherwise, but they're developed and only tested together.)
+
+* The DERP protocol does a protocol switch inside TLS from HTTP to a custom
+  bidirectional binary protocol. It is thus incompatible with many HTTP proxies.
+  Do not put `derper` behind another HTTP proxy.
+
+* The `tailscaled` client does its own selection of the fastest/nearest DERP
+  server based on latency measurements. Do not put `derper` behind a global load
+  balancer.
+
+* DERP servers should ideally have both a static IPv4 and static IPv6 address.
+Both of those should be listed in the DERP map so the client doesn't need to
+rely on its DNS which might be broken and dependent on DERP to get back up.
+
+* A DERP server should not share an IP address with any other DERP server.
+
+* Avoid having multiple DERP nodes in a region. If you must, they all need to be
+  meshed with each other and monitored. Having two one-node "regions" in the
+  same datacenter is usually easier and more reliable than meshing, at the cost
+  of more required connections from clients in some cases. If your clients
+  aren't mobile (battery constrained), one node regions are definitely
+  preferred. If you really need multiple nodes in a region for HA reasons, two
+  is sufficient.
+
+* Monitor your DERP servers with [`cmd/derpprobe`](../derpprobe/).
+
+* If using `--verify-clients`, a `tailscaled` must be running alongside the
+  `derper`, and all clients must be visible to the derper tailscaled in the ACL.
+
+* If using `--verify-clients`, a `tailscaled` must also be running alongside
+  your `derpprobe`, and `derpprobe` needs to use `--derp-map=local`.
+
+* The firewall on the `derper` should permit TCP ports 80 and 443 and UDP port
+  3478.
+
+* Only LetsEncrypt certs are rotated automatically. Other cert updates require a
+  restart.
+
+* Don't use a firewall in front of `derper` that suppresses `RST`s upon
+  receiving traffic to a dead or unknown connection.
+
+* Don't rate-limit UDP STUN packets.
+
+* Don't rate-limit outbound TCP traffic (only inbound).
+
+## Diagnostics
+
+This is not a complete guide on DERP diagnostics.
+
+Running your own DERP services requires exeprtise in multi-layer network and
+application diagnostics. As the DERP runs multiple protocols at multiple layers
+and is not a regular HTTP(s) server you will need expertise in correlative
+analysis to diagnose the most tricky problems. There is no "plain text" or
+"open" mode of operation for DERP.
+
+* The debug handler is accessible at URL path `/debug/`. It is only accessible
+  over localhost or from a Tailscale IP address.
+
+* Go pprof can be accessed via the debug handler at `/debug/pprof/`
+
+* Prometheus compatible metrics can be gathered from the debug handler at
+  `/debug/varz`.
+
+* `cmd/stunc` in the Tailscale repository provides a basic tool for diagnosing
+  issues with STUN.
+
+* `cmd/derpprobe` provides a service for monitoring DERP cluster health.
+
+* `tailscale debug derp` and `tailscale netcheck` provide additional client
+  driven diagnostic information for DERP communications.
+
+* Tailscale logs may provide insight for certain problems, such as if DERPs are
+  unreachable or peers are regularly not reachable in their DERP home regions.
+  There are many possible misconfiguration causes for these problems, but
+  regular log entries are a good first indicator that there is a problem.

cmd/derper/depaware.txt

@@ -10,6 +10,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
    W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
+        github.com/go-json-experiment/json                           from tailscale.com/types/opt
+        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/jsontext                  from github.com/go-json-experiment/json+
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
    L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
    L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
@@ -46,7 +52,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
      💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/net/tsaddr+
+        go4.org/netipx                                               from tailscale.com/net/tsaddr
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/netmon+
         google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
         google.golang.org/protobuf/encoding/prototext                from github.com/prometheus/common/expfmt+
@@ -95,14 +101,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
         tailscale.com/metrics                                        from tailscale.com/cmd/derper+
         tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
-        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
         tailscale.com/net/ktimeout                                   from tailscale.com/cmd/derper
         tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
      💣 tailscale.com/net/netmon                                     from tailscale.com/derp/derphttp+
-        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
+     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
         tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
         tailscale.com/net/stun                                       from tailscale.com/net/stunserver
         tailscale.com/net/stunserver                                 from tailscale.com/cmd/derper
@@ -116,16 +120,16 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/syncs                                          from tailscale.com/cmd/derper+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
         tailscale.com/tka                                            from tailscale.com/client/tailscale+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon
+   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
         tailscale.com/tstime                                         from tailscale.com/derp+
         tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/derp+
+        tailscale.com/tstime/rate                                    from tailscale.com/derp
         tailscale.com/tsweb                                          from tailscale.com/cmd/derper
         tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
         tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
         tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
         tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
+        tailscale.com/types/ipproto                                  from tailscale.com/tailcfg+
         tailscale.com/types/key                                      from tailscale.com/client/tailscale+
         tailscale.com/types/lazy                                     from tailscale.com/version+
         tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
@@ -157,10 +161,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/util/syspolicy                                 from tailscale.com/ipn
         tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
    W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
-   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo
+   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/derp+
         tailscale.com/version/distro                                 from tailscale.com/envknob+
-        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
+        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap
         golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
         golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
         golang.org/x/crypto/argon2                                   from tailscale.com/tka

cmd/derper/derper.go

@@ -2,6 +2,12 @@
 // SPDX-License-Identifier: BSD-3-Clause
 
 // The derper binary is a simple DERP server.
+//
+// For more information, see:
+//
+//   - About: https://tailscale.com/kb/1232/derp-servers
+//   - Protocol & Go docs: https://pkg.go.dev/tailscale.com/derp
+//   - Running a DERP server: https://github.com/tailscale/tailscale/tree/main/cmd/derper#derp
 package main // import "tailscale.com/cmd/derper"
 
 import (
@@ -22,6 +28,9 @@ import (
 	"os/signal"
 	"path/filepath"
 	"regexp"
+	"runtime"
+	runtimemetrics "runtime/metrics"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -206,11 +215,16 @@ func main() {
 		io.WriteString(w, `<html><body>
 <h1>DERP</h1>
 <p>
-  This is a
-  <a href="https://tailscale.com/">Tailscale</a>
-  <a href="https://pkg.go.dev/tailscale.com/derp">DERP</a>
-  server.
+  This is a <a href="https://tailscale.com/">Tailscale</a> DERP server.
 </p>
+<p>
+  Documentation:
+</p>
+<ul>
+  <li><a href="https://tailscale.com/kb/1232/derp-servers">About DERP</a></li>
+  <li><a href="https://pkg.go.dev/tailscale.com/derp">Protocol & Go docs</a></li>
+  <li><a href="https://github.com/tailscale/tailscale/tree/main/cmd/derper#derp">How to run a DERP server</a></li>
+</ul>
 `)
 		if !*runDERP {
 			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
@@ -236,6 +250,20 @@ func main() {
 		}
 	}))
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))
+	debug.Handle("set-mutex-profile-fraction", "SetMutexProfileFraction", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		s := r.FormValue("rate")
+		if s == "" || r.Header.Get("Sec-Debug") != "derp" {
+			http.Error(w, "To set, use: curl -HSec-Debug:derp 'http://derp/debug/set-mutex-profile-fraction?rate=100'", http.StatusBadRequest)
+			return
+		}
+		v, err := strconv.Atoi(s)
+		if err != nil {
+			http.Error(w, "bad rate value", http.StatusBadRequest)
+			return
+		}
+		old := runtime.SetMutexProfileFraction(v)
+		fmt.Fprintf(w, "mutex changed from %v to %v\n", old, v)
+	}))
 
 	// Longer lived DERP connections send an application layer keepalive. Note
 	// if the keepalive is hit, the user timeout will take precedence over the
@@ -452,3 +480,16 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
+
+func init() {
+	expvar.Publish("go_sync_mutex_wait_seconds", expvar.Func(func() any {
+		const name = "/sync/mutex/wait/total:seconds" // Go 1.20+
+		var s [1]runtimemetrics.Sample
+		s[0].Name = name
+		runtimemetrics.Read(s[:])
+		if v := s[0].Value; v.Kind() == runtimemetrics.KindFloat64 {
+			return v.Float64()
+		}
+		return 0
+	}))
+}

cmd/derper/derper_test.go

@@ -104,6 +104,8 @@ func TestDeps(t *testing.T) {
 			"gvisor.dev/gvisor/pkg/cpuid":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip/header": "https://github.com/tailscale/tailscale/issues/9756",
+			"tailscale.com/net/packet":           "not needed in derper",
+			"github.com/gaissmai/bart":           "not needed in derper",
 		},
 	}.Check(t)
 }

cmd/derper/mesh.go

@@ -9,14 +9,12 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"net/netip"
 	"strings"
 	"time"
 
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/net/netmon"
-	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
 
@@ -71,8 +69,8 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		return d.DialContext(ctx, network, addr)
 	})
 
-	add := func(k key.NodePublic, _ netip.AddrPort) { s.AddPacketForwarder(k, c) }
-	remove := func(k key.NodePublic) { s.RemovePacketForwarder(k, c) }
+	add := func(m derp.PeerPresentMessage) { s.AddPacketForwarder(m.Key, c) }
+	remove := func(m derp.PeerGoneMessage) { s.RemovePacketForwarder(m.Peer, c) }
 	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
 	return nil
 }

cmd/derpprobe/derpprobe.go

@@ -7,8 +7,6 @@ package main
 import (
 	"flag"
 	"fmt"
-	"html"
-	"io"
 	"log"
 	"net/http"
 	"sort"
@@ -70,8 +68,13 @@ func main() {
 	}
 
 	mux := http.NewServeMux()
-	tsweb.Debugger(mux)
-	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
+	d := tsweb.Debugger(mux)
+	d.Handle("probe-run", "Run a probe", tsweb.StdHandler(tsweb.ReturnHandlerFunc(p.RunHandler), tsweb.HandlerOptions{Logf: log.Printf}))
+	mux.Handle("/", tsweb.StdHandler(p.StatusHandler(
+		prober.WithTitle("DERP Prober"),
+		prober.WithPageLink("Prober metrics", "/debug/varz"),
+		prober.WithProbeLink("Run Probe", "/debug/probe-run?name={{.Name}}"),
+	), tsweb.HandlerOptions{Logf: log.Printf}))
 	log.Printf("Listening on %s", *listen)
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }
@@ -105,26 +108,3 @@ func getOverallStatus(p *prober.Prober) (o overallStatus) {
 	sort.Strings(o.good)
 	return
 }
-
-func serveFunc(p *prober.Prober) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		st := getOverallStatus(p)
-		summary := "All good"
-		if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
-			// Returning a 500 allows monitoring this server externally and configuring
-			// an alert on HTTP response code.
-			w.WriteHeader(500)
-			summary = fmt.Sprintf("%d problems", len(st.bad))
-		}
-
-		io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
-		fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
-		for _, s := range st.bad {
-			fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
-		}
-		for _, s := range st.good {
-			fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
-		}
-		io.WriteString(w, "</ul></body></html>\n")
-	}
-}

cmd/k8s-operator/connector.go

@@ -33,11 +33,8 @@ import (
 
 const (
 	reasonConnectorCreationFailed = "ConnectorCreationFailed"
-
-	reasonConnectorCreated           = "ConnectorCreated"
-	reasonConnectorCleanupFailed     = "ConnectorCleanupFailed"
-	reasonConnectorCleanupInProgress = "ConnectorCleanupInProgress"
-	reasonConnectorInvalid           = "ConnectorInvalid"
+	reasonConnectorCreated        = "ConnectorCreated"
+	reasonConnectorInvalid        = "ConnectorInvalid"
 
 	messageConnectorCreationFailed = "Failed creating Connector: %v"
 	messageConnectorInvalid        = "Connector is invalid: %v"
@@ -108,7 +105,7 @@ func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Reque
 	}
 
 	oldCnStatus := cn.Status.DeepCopy()
-	setStatus := func(cn *tsapi.Connector, _ tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
+	setStatus := func(cn *tsapi.Connector, _ tsapi.ConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
 		tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, status, reason, message, cn.Generation, a.clock, logger)
 		if !apiequality.Semantic.DeepEqual(oldCnStatus, cn.Status) {
 			// An error encountered here should get returned by the Reconcile function.

cmd/k8s-operator/connector_test.go

@@ -272,9 +272,9 @@ func TestConnectorWithProxyClass(t *testing.T) {
 	// its resources.
 	mustUpdateStatus(t, fc, "", "custom-metadata", func(pc *tsapi.ProxyClass) {
 		pc.Status = tsapi.ProxyClassStatus{
-			Conditions: []tsapi.ConnectorCondition{{
+			Conditions: []metav1.Condition{{
 				Status:             metav1.ConditionTrue,
-				Type:               tsapi.ProxyClassready,
+				Type:               string(tsapi.ProxyClassready),
 				ObservedGeneration: pc.Generation,
 			}}}
 	})

cmd/k8s-operator/depaware.txt

@@ -0,0 +1,997 @@
+tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/depaware)
+
+        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
+        filippo.io/edwards25519/field                                from filippo.io/edwards25519
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
+   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+   L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/defaults+
+   L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
+   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
+   L    github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics  from github.com/aws/aws-sdk-go-v2/aws/retry+
+   L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/aws/protocol/xml                from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/aws/ratelimit                   from github.com/aws/aws-sdk-go-v2/aws/retry
+   L    github.com/aws/aws-sdk-go-v2/aws/retry                       from github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client+
+   L    github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4          from github.com/aws/aws-sdk-go-v2/aws/signer/v4
+   L    github.com/aws/aws-sdk-go-v2/aws/signer/v4                   from github.com/aws/aws-sdk-go-v2/internal/auth/smithy+
+   L    github.com/aws/aws-sdk-go-v2/aws/transport/http              from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/config                          from tailscale.com/ipn/store/awsstore
+   L    github.com/aws/aws-sdk-go-v2/credentials                     from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds        from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/endpointcreds       from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client from github.com/aws/aws-sdk-go-v2/credentials/endpointcreds
+   L    github.com/aws/aws-sdk-go-v2/credentials/processcreds        from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/ssocreds            from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/credentials/stscreds            from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds                from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config from github.com/aws/aws-sdk-go-v2/feature/ec2/imds
+   L    github.com/aws/aws-sdk-go-v2/internal/auth                   from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
+   L    github.com/aws/aws-sdk-go-v2/internal/auth/smithy            from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/internal/configsources          from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/internal/endpoints              from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn   from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/v2           from github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints+
+   L    github.com/aws/aws-sdk-go-v2/internal/ini                    from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
+   L    github.com/aws/aws-sdk-go-v2/internal/shareddefaults         from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/internal/strings                from github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4
+   L    github.com/aws/aws-sdk-go-v2/internal/sync/singleflight      from github.com/aws/aws-sdk-go-v2/aws
+   L    github.com/aws/aws-sdk-go-v2/internal/timeconv               from github.com/aws/aws-sdk-go-v2/aws/retry
+   L    github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/service/internal/presigned-url  from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/service/ssm                     from tailscale.com/ipn/store/awsstore
+   L    github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/ssm
+   L    github.com/aws/aws-sdk-go-v2/service/ssm/types               from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/aws-sdk-go-v2/service/sso                     from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sso
+   L    github.com/aws/aws-sdk-go-v2/service/sso/types               from github.com/aws/aws-sdk-go-v2/service/sso
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc                 from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints from github.com/aws/aws-sdk-go-v2/service/ssooidc
+   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/types           from github.com/aws/aws-sdk-go-v2/service/ssooidc
+   L    github.com/aws/aws-sdk-go-v2/service/sts                     from github.com/aws/aws-sdk-go-v2/config+
+   L    github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/aws-sdk-go-v2/service/sts/types               from github.com/aws/aws-sdk-go-v2/credentials/stscreds+
+   L    github.com/aws/smithy-go                                     from github.com/aws/aws-sdk-go-v2/aws/protocol/restjson+
+   L    github.com/aws/smithy-go/auth                                from github.com/aws/aws-sdk-go-v2/internal/auth+
+   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/context                             from github.com/aws/smithy-go/auth/bearer
+   L    github.com/aws/smithy-go/document                            from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/smithy-go/encoding                            from github.com/aws/smithy-go/encoding/json+
+   L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
+   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
+   L    github.com/aws/smithy-go/endpoints                           from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
+   L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
+   L    github.com/aws/smithy-go/logging                             from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/middleware                          from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/private/requestcompression          from github.com/aws/aws-sdk-go-v2/config
+   L    github.com/aws/smithy-go/ptr                                 from github.com/aws/aws-sdk-go-v2/aws+
+   L    github.com/aws/smithy-go/rand                                from github.com/aws/aws-sdk-go-v2/aws/middleware+
+   L    github.com/aws/smithy-go/time                                from github.com/aws/aws-sdk-go-v2/service/ssm+
+   L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
+   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
+   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
+        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
+        github.com/bits-and-blooms/bitset                            from github.com/gaissmai/bart
+     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
+     💣 github.com/davecgh/go-spew/spew                              from k8s.io/apimachinery/pkg/util/dump
+   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com+
+   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/util/osdiag+
+   W 💣 github.com/dblohm7/wingoes/com/automation                    from tailscale.com/util/osdiag/internal/wsc
+   W    github.com/dblohm7/wingoes/internal                          from github.com/dblohm7/wingoes/com
+   W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/osdiag+
+  LW 💣 github.com/digitalocean/go-smbios/smbios                     from tailscale.com/posture
+        github.com/distribution/reference                            from tailscale.com/cmd/k8s-operator
+        github.com/emicklei/go-restful/v3                            from k8s.io/kube-openapi/pkg/common
+        github.com/emicklei/go-restful/v3/log                        from github.com/emicklei/go-restful/v3
+        github.com/evanphx/json-patch/v5                             from sigs.k8s.io/controller-runtime/pkg/client
+        github.com/evanphx/json-patch/v5/internal/json               from github.com/evanphx/json-patch/v5
+     💣 github.com/fsnotify/fsnotify                                 from sigs.k8s.io/controller-runtime/pkg/certwatcher
+        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
+        github.com/gaissmai/bart                                     from tailscale.com/net/ipset+
+        github.com/go-json-experiment/json                           from tailscale.com/types/opt
+        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json/internal/jsonflags+
+        github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json/internal/jsonopts+
+        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json/jsontext+
+        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json/jsontext+
+        github.com/go-json-experiment/json/jsontext                  from tailscale.com/logtail+
+        github.com/go-logr/logr                                      from github.com/go-logr/logr/slogr+
+        github.com/go-logr/logr/slogr                                from github.com/go-logr/zapr
+        github.com/go-logr/zapr                                      from sigs.k8s.io/controller-runtime/pkg/log/zap+
+   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
+   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
+        github.com/go-openapi/jsonpointer                            from github.com/go-openapi/jsonreference
+        github.com/go-openapi/jsonreference                          from k8s.io/kube-openapi/pkg/internal+
+        github.com/go-openapi/jsonreference/internal                 from github.com/go-openapi/jsonreference
+        github.com/go-openapi/swag                                   from github.com/go-openapi/jsonpointer+
+   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
+     💣 github.com/gogo/protobuf/proto                               from k8s.io/api/admission/v1+
+        github.com/gogo/protobuf/sortkeys                            from k8s.io/api/admission/v1+
+        github.com/golang/groupcache/lru                             from k8s.io/client-go/tools/record+
+        github.com/golang/protobuf/proto                             from k8s.io/client-go/discovery+
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
+        github.com/google/gnostic-models/compiler                    from github.com/google/gnostic-models/openapiv2+
+        github.com/google/gnostic-models/extensions                  from github.com/google/gnostic-models/compiler
+        github.com/google/gnostic-models/jsonschema                  from github.com/google/gnostic-models/compiler
+        github.com/google/gnostic-models/openapiv2                   from k8s.io/client-go/discovery+
+        github.com/google/gnostic-models/openapiv3                   from k8s.io/kube-openapi/pkg/handler3+
+     💣 github.com/google/go-cmp/cmp                                 from k8s.io/apimachinery/pkg/util/diff+
+        github.com/google/go-cmp/cmp/internal/diff                   from github.com/google/go-cmp/cmp
+        github.com/google/go-cmp/cmp/internal/flags                  from github.com/google/go-cmp/cmp+
+        github.com/google/go-cmp/cmp/internal/function               from github.com/google/go-cmp/cmp
+     💣 github.com/google/go-cmp/cmp/internal/value                  from github.com/google/go-cmp/cmp
+        github.com/google/gofuzz                                     from k8s.io/apimachinery/pkg/apis/meta/v1+
+        github.com/google/gofuzz/bytesource                          from github.com/google/gofuzz
+   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
+   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
+   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
+   L    github.com/google/nftables/expr                              from github.com/google/nftables+
+   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
+   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
+        github.com/google/uuid                                       from github.com/prometheus-community/pro-bing+
+        github.com/gorilla/csrf                                      from tailscale.com/client/web
+        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
+   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
+        github.com/imdario/mergo                                     from k8s.io/client-go/tools/clientcmd
+   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
+   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
+   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
+   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
+   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
+        github.com/josharian/intern                                  from github.com/mailru/easyjson/jlexer
+   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+     💣 github.com/json-iterator/go                                  from sigs.k8s.io/structured-merge-diff/v4/fieldpath+
+        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
+        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/huff0+
+        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/zstd                           from tailscale.com/util/zstdframe
+        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
+        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
+        github.com/mailru/easyjson/buffer                            from github.com/mailru/easyjson/jwriter
+     💣 github.com/mailru/easyjson/jlexer                            from github.com/go-openapi/swag
+        github.com/mailru/easyjson/jwriter                           from github.com/go-openapi/swag
+   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
+   L 💣 github.com/mdlayher/netlink                                  from github.com/google/nftables+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
+   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
+   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
+        github.com/miekg/dns                                         from tailscale.com/net/dns/recursive
+     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+        github.com/modern-go/concurrent                              from github.com/json-iterator/go
+     💣 github.com/modern-go/reflect2                                from github.com/json-iterator/go
+        github.com/munnerz/goautoneg                                 from k8s.io/kube-openapi/pkg/handler3
+        github.com/opencontainers/go-digest                          from github.com/distribution/reference
+   L    github.com/pierrec/lz4/v4                                    from github.com/u-root/uio/uio
+   L    github.com/pierrec/lz4/v4/internal/lz4block                  from github.com/pierrec/lz4/v4+
+   L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
+   L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
+   L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
+        github.com/pkg/errors                                        from github.com/evanphx/json-patch/v5+
+   D    github.com/prometheus-community/pro-bing                     from tailscale.com/wgengine/netstack
+     💣 github.com/prometheus/client_golang/prometheus               from github.com/prometheus/client_golang/prometheus/collectors+
+        github.com/prometheus/client_golang/prometheus/collectors    from sigs.k8s.io/controller-runtime/pkg/internal/controller/metrics
+        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/client_golang/prometheus/promhttp      from sigs.k8s.io/controller-runtime/pkg/metrics/server+
+        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
+        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
+        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
+  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
+  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
+  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
+   L 💣 github.com/safchain/ethtool                                  from tailscale.com/doctor/ethtool+
+        github.com/spf13/pflag                                       from k8s.io/client-go/tools/clientcmd
+   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+   W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
+   W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
+   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
+   W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
+   W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
+        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
+  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
+  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal
+  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
+        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
+        github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
+        github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
+        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
+        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
+        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
+        github.com/tailscale/hujson                                  from tailscale.com/ipn/conffile
+   L 💣 github.com/tailscale/netlink                                 from tailscale.com/net/routetable+
+        github.com/tailscale/peercred                                from tailscale.com/ipn/ipnauth
+        github.com/tailscale/web-client-prebuilt                     from tailscale.com/client/web
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/net/tstun+
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/namedpipe              from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
+   L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
+   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
+   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
+   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
+        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+        go.uber.org/multierr                                         from go.uber.org/zap+
+        go.uber.org/zap                                              from github.com/go-logr/zapr+
+        go.uber.org/zap/buffer                                       from go.uber.org/zap/internal/bufferpool+
+        go.uber.org/zap/internal                                     from go.uber.org/zap
+        go.uber.org/zap/internal/bufferpool                          from go.uber.org/zap+
+        go.uber.org/zap/internal/color                               from go.uber.org/zap/zapcore
+        go.uber.org/zap/internal/exit                                from go.uber.org/zap/zapcore
+        go.uber.org/zap/internal/pool                                from go.uber.org/zap+
+        go.uber.org/zap/internal/stacktrace                          from go.uber.org/zap
+        go.uber.org/zap/zapcore                                      from github.com/go-logr/zapr+
+     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
+        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
+   W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/dns+
+        gomodules.xyz/jsonpatch/v2                                   from sigs.k8s.io/controller-runtime/pkg/webhook+
+        google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
+        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
+        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
+        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
+        google.golang.org/protobuf/internal/editiondefaults          from google.golang.org/protobuf/internal/filedesc+
+        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
+        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/protodelim+
+        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
+        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
+     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
+        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
+     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
+        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
+        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/types/descriptorpb                from github.com/google/gnostic-models/openapiv3+
+        google.golang.org/protobuf/types/gofeaturespb                from google.golang.org/protobuf/reflect/protodesc
+        google.golang.org/protobuf/types/known/anypb                 from github.com/google/gnostic-models/compiler+
+        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
+        gopkg.in/inf.v0                                              from k8s.io/apimachinery/pkg/api/resource
+        gopkg.in/yaml.v2                                             from k8s.io/kube-openapi/pkg/util/proto+
+        gopkg.in/yaml.v3                                             from github.com/go-openapi/swag+
+        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
+        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer+
+     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/atomicbitops+
+     💣 gvisor.dev/gvisor/pkg/sync/locking                           from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
+     💣 gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
+        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
+        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/multicast       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
+     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/stack/gro                        from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/noop          from gvisor.dev/gvisor/pkg/tcpip/transport/raw
+        gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
+        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+     💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
+        k8s.io/api/admission/v1                                      from sigs.k8s.io/controller-runtime/pkg/webhook/admission
+        k8s.io/api/admission/v1beta1                                 from sigs.k8s.io/controller-runtime/pkg/webhook/admission
+        k8s.io/api/admissionregistration/v1                          from k8s.io/api/admissionregistration/v1alpha1+
+        k8s.io/api/admissionregistration/v1alpha1                    from k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1+
+        k8s.io/api/admissionregistration/v1beta1                     from k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1+
+        k8s.io/api/apidiscovery/v2                                   from k8s.io/client-go/discovery
+        k8s.io/api/apidiscovery/v2beta1                              from k8s.io/client-go/discovery
+        k8s.io/api/apiserverinternal/v1alpha1                        from k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1+
+        k8s.io/api/apps/v1                                           from k8s.io/client-go/applyconfigurations/apps/v1+
+        k8s.io/api/apps/v1beta1                                      from k8s.io/api/extensions/v1beta1+
+        k8s.io/api/apps/v1beta2                                      from k8s.io/client-go/applyconfigurations/apps/v1beta2+
+        k8s.io/api/authentication/v1                                 from k8s.io/api/admission/v1+
+        k8s.io/api/authentication/v1alpha1                           from k8s.io/client-go/kubernetes/scheme+
+        k8s.io/api/authentication/v1beta1                            from k8s.io/client-go/kubernetes/scheme+
+        k8s.io/api/authorization/v1                                  from k8s.io/client-go/kubernetes/scheme+
+        k8s.io/api/authorization/v1beta1                             from k8s.io/client-go/kubernetes/scheme+
+        k8s.io/api/autoscaling/v1                                    from k8s.io/client-go/applyconfigurations/autoscaling/v1+
+        k8s.io/api/autoscaling/v2                                    from k8s.io/client-go/applyconfigurations/autoscaling/v2+
+        k8s.io/api/autoscaling/v2beta1                               from k8s.io/client-go/applyconfigurations/autoscaling/v2beta1+
+        k8s.io/api/autoscaling/v2beta2                               from k8s.io/client-go/applyconfigurations/autoscaling/v2beta2+
+        k8s.io/api/batch/v1                                          from k8s.io/api/batch/v1beta1+
+        k8s.io/api/batch/v1beta1                                     from k8s.io/client-go/applyconfigurations/batch/v1beta1+
+        k8s.io/api/certificates/v1                                   from k8s.io/client-go/applyconfigurations/certificates/v1+
+        k8s.io/api/certificates/v1alpha1                             from k8s.io/client-go/applyconfigurations/certificates/v1alpha1+
+        k8s.io/api/certificates/v1beta1                              from k8s.io/client-go/applyconfigurations/certificates/v1beta1+
+        k8s.io/api/coordination/v1                                   from k8s.io/client-go/applyconfigurations/coordination/v1+
+        k8s.io/api/coordination/v1beta1                              from k8s.io/client-go/applyconfigurations/coordination/v1beta1+
+        k8s.io/api/core/v1                                           from k8s.io/api/apps/v1+
+        k8s.io/api/discovery/v1                                      from k8s.io/client-go/applyconfigurations/discovery/v1+
+        k8s.io/api/discovery/v1beta1                                 from k8s.io/client-go/applyconfigurations/discovery/v1beta1+
+        k8s.io/api/events/v1                                         from k8s.io/client-go/applyconfigurations/events/v1+
+        k8s.io/api/events/v1beta1                                    from k8s.io/client-go/applyconfigurations/events/v1beta1+
+        k8s.io/api/extensions/v1beta1                                from k8s.io/client-go/applyconfigurations/extensions/v1beta1+
+        k8s.io/api/flowcontrol/v1                                    from k8s.io/client-go/applyconfigurations/flowcontrol/v1+
+        k8s.io/api/flowcontrol/v1beta1                               from k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1+
+        k8s.io/api/flowcontrol/v1beta2                               from k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2+
+        k8s.io/api/flowcontrol/v1beta3                               from k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3+
+        k8s.io/api/networking/v1                                     from k8s.io/client-go/applyconfigurations/networking/v1+
+        k8s.io/api/networking/v1alpha1                               from k8s.io/client-go/applyconfigurations/networking/v1alpha1+
+        k8s.io/api/networking/v1beta1                                from k8s.io/client-go/applyconfigurations/networking/v1beta1+
+        k8s.io/api/node/v1                                           from k8s.io/client-go/applyconfigurations/node/v1+
+        k8s.io/api/node/v1alpha1                                     from k8s.io/client-go/applyconfigurations/node/v1alpha1+
+        k8s.io/api/node/v1beta1                                      from k8s.io/client-go/applyconfigurations/node/v1beta1+
+        k8s.io/api/policy/v1                                         from k8s.io/client-go/applyconfigurations/policy/v1+
+        k8s.io/api/policy/v1beta1                                    from k8s.io/client-go/applyconfigurations/policy/v1beta1+
+        k8s.io/api/rbac/v1                                           from k8s.io/client-go/applyconfigurations/rbac/v1+
+        k8s.io/api/rbac/v1alpha1                                     from k8s.io/client-go/applyconfigurations/rbac/v1alpha1+
+        k8s.io/api/rbac/v1beta1                                      from k8s.io/client-go/applyconfigurations/rbac/v1beta1+
+        k8s.io/api/resource/v1alpha2                                 from k8s.io/client-go/applyconfigurations/resource/v1alpha2+
+        k8s.io/api/scheduling/v1                                     from k8s.io/client-go/applyconfigurations/scheduling/v1+
+        k8s.io/api/scheduling/v1alpha1                               from k8s.io/client-go/applyconfigurations/scheduling/v1alpha1+
+        k8s.io/api/scheduling/v1beta1                                from k8s.io/client-go/applyconfigurations/scheduling/v1beta1+
+        k8s.io/api/storage/v1                                        from k8s.io/client-go/applyconfigurations/storage/v1+
+        k8s.io/api/storage/v1alpha1                                  from k8s.io/client-go/applyconfigurations/storage/v1alpha1+
+        k8s.io/api/storage/v1beta1                                   from k8s.io/client-go/applyconfigurations/storage/v1beta1+
+        k8s.io/api/storagemigration/v1alpha1                         from k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1+
+        k8s.io/apiextensions-apiserver/pkg/apis/apiextensions        from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+     💣 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1     from sigs.k8s.io/controller-runtime/pkg/webhook/conversion
+        k8s.io/apimachinery/pkg/api/equality                         from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
+        k8s.io/apimachinery/pkg/api/errors                           from k8s.io/apimachinery/pkg/util/managedfields/internal+
+        k8s.io/apimachinery/pkg/api/meta                             from k8s.io/apimachinery/pkg/api/validation+
+        k8s.io/apimachinery/pkg/api/resource                         from k8s.io/api/autoscaling/v1+
+        k8s.io/apimachinery/pkg/api/validation                       from k8s.io/apimachinery/pkg/util/managedfields/internal+
+     💣 k8s.io/apimachinery/pkg/apis/meta/internalversion            from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
+        k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme     from k8s.io/client-go/metadata
+     💣 k8s.io/apimachinery/pkg/apis/meta/v1                         from k8s.io/api/admission/v1+
+        k8s.io/apimachinery/pkg/apis/meta/v1/unstructured            from k8s.io/apimachinery/pkg/runtime/serializer/versioning+
+        k8s.io/apimachinery/pkg/apis/meta/v1/validation              from k8s.io/apimachinery/pkg/api/validation+
+     💣 k8s.io/apimachinery/pkg/apis/meta/v1beta1                    from k8s.io/apimachinery/pkg/apis/meta/internalversion
+        k8s.io/apimachinery/pkg/conversion                           from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
+        k8s.io/apimachinery/pkg/conversion/queryparams               from k8s.io/apimachinery/pkg/runtime+
+        k8s.io/apimachinery/pkg/fields                               from k8s.io/apimachinery/pkg/api/equality+
+        k8s.io/apimachinery/pkg/labels                               from k8s.io/apimachinery/pkg/api/equality+
+        k8s.io/apimachinery/pkg/runtime                              from k8s.io/api/admission/v1+
+        k8s.io/apimachinery/pkg/runtime/schema                       from k8s.io/api/admission/v1+
+        k8s.io/apimachinery/pkg/runtime/serializer                   from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
+        k8s.io/apimachinery/pkg/runtime/serializer/json              from k8s.io/apimachinery/pkg/runtime/serializer+
+        k8s.io/apimachinery/pkg/runtime/serializer/protobuf          from k8s.io/apimachinery/pkg/runtime/serializer
+        k8s.io/apimachinery/pkg/runtime/serializer/recognizer        from k8s.io/apimachinery/pkg/runtime/serializer+
+        k8s.io/apimachinery/pkg/runtime/serializer/streaming         from k8s.io/client-go/rest+
+        k8s.io/apimachinery/pkg/runtime/serializer/versioning        from k8s.io/apimachinery/pkg/runtime/serializer+
+        k8s.io/apimachinery/pkg/selection                            from k8s.io/apimachinery/pkg/apis/meta/v1+
+        k8s.io/apimachinery/pkg/types                                from k8s.io/api/admission/v1+
+        k8s.io/apimachinery/pkg/util/cache                           from k8s.io/client-go/tools/cache
+        k8s.io/apimachinery/pkg/util/diff                            from k8s.io/client-go/tools/cache
+        k8s.io/apimachinery/pkg/util/dump                            from k8s.io/apimachinery/pkg/util/diff+
+        k8s.io/apimachinery/pkg/util/errors                          from k8s.io/apimachinery/pkg/api/meta+
+        k8s.io/apimachinery/pkg/util/framer                          from k8s.io/apimachinery/pkg/runtime/serializer/json+
+        k8s.io/apimachinery/pkg/util/intstr                          from k8s.io/api/apps/v1+
+        k8s.io/apimachinery/pkg/util/json                            from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
+        k8s.io/apimachinery/pkg/util/managedfields                   from k8s.io/client-go/applyconfigurations/admissionregistration/v1+
+        k8s.io/apimachinery/pkg/util/managedfields/internal          from k8s.io/apimachinery/pkg/util/managedfields
+        k8s.io/apimachinery/pkg/util/mergepatch                      from k8s.io/apimachinery/pkg/util/strategicpatch
+        k8s.io/apimachinery/pkg/util/naming                          from k8s.io/apimachinery/pkg/runtime+
+        k8s.io/apimachinery/pkg/util/net                             from k8s.io/apimachinery/pkg/watch+
+        k8s.io/apimachinery/pkg/util/rand                            from k8s.io/apiserver/pkg/storage/names
+        k8s.io/apimachinery/pkg/util/runtime                         from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
+        k8s.io/apimachinery/pkg/util/sets                            from k8s.io/apimachinery/pkg/api/meta+
+        k8s.io/apimachinery/pkg/util/strategicpatch                  from k8s.io/client-go/tools/record+
+        k8s.io/apimachinery/pkg/util/uuid                            from sigs.k8s.io/controller-runtime/pkg/internal/controller+
+        k8s.io/apimachinery/pkg/util/validation                      from k8s.io/apimachinery/pkg/api/validation+
+        k8s.io/apimachinery/pkg/util/validation/field                from k8s.io/apimachinery/pkg/api/errors+
+        k8s.io/apimachinery/pkg/util/wait                            from k8s.io/client-go/tools/cache+
+        k8s.io/apimachinery/pkg/util/yaml                            from k8s.io/apimachinery/pkg/runtime/serializer/json
+        k8s.io/apimachinery/pkg/version                              from k8s.io/client-go/discovery+
+        k8s.io/apimachinery/pkg/watch                                from k8s.io/apimachinery/pkg/apis/meta/v1+
+        k8s.io/apimachinery/third_party/forked/golang/json           from k8s.io/apimachinery/pkg/util/strategicpatch
+        k8s.io/apimachinery/third_party/forked/golang/reflect        from k8s.io/apimachinery/pkg/conversion
+        k8s.io/apiserver/pkg/storage/names                           from tailscale.com/cmd/k8s-operator
+        k8s.io/client-go/applyconfigurations/admissionregistration/v1 from k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1+
+        k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 from k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1
+        k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1 from k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1
+        k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1 from k8s.io/client-go/kubernetes/typed/apiserverinternal/v1alpha1
+        k8s.io/client-go/applyconfigurations/apps/v1                 from k8s.io/client-go/kubernetes/typed/apps/v1
+        k8s.io/client-go/applyconfigurations/apps/v1beta1            from k8s.io/client-go/kubernetes/typed/apps/v1beta1
+        k8s.io/client-go/applyconfigurations/apps/v1beta2            from k8s.io/client-go/kubernetes/typed/apps/v1beta2
+        k8s.io/client-go/applyconfigurations/autoscaling/v1          from k8s.io/client-go/kubernetes/typed/apps/v1+
+        k8s.io/client-go/applyconfigurations/autoscaling/v2          from k8s.io/client-go/kubernetes/typed/autoscaling/v2
+        k8s.io/client-go/applyconfigurations/autoscaling/v2beta1     from k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1
+        k8s.io/client-go/applyconfigurations/autoscaling/v2beta2     from k8s.io/client-go/kubernetes/typed/autoscaling/v2beta2
+        k8s.io/client-go/applyconfigurations/batch/v1                from k8s.io/client-go/applyconfigurations/batch/v1beta1+
+        k8s.io/client-go/applyconfigurations/batch/v1beta1           from k8s.io/client-go/kubernetes/typed/batch/v1beta1
+        k8s.io/client-go/applyconfigurations/certificates/v1         from k8s.io/client-go/kubernetes/typed/certificates/v1
+        k8s.io/client-go/applyconfigurations/certificates/v1alpha1   from k8s.io/client-go/kubernetes/typed/certificates/v1alpha1
+        k8s.io/client-go/applyconfigurations/certificates/v1beta1    from k8s.io/client-go/kubernetes/typed/certificates/v1beta1
+        k8s.io/client-go/applyconfigurations/coordination/v1         from k8s.io/client-go/kubernetes/typed/coordination/v1
+        k8s.io/client-go/applyconfigurations/coordination/v1beta1    from k8s.io/client-go/kubernetes/typed/coordination/v1beta1
+        k8s.io/client-go/applyconfigurations/core/v1                 from k8s.io/client-go/applyconfigurations/apps/v1+
+        k8s.io/client-go/applyconfigurations/discovery/v1            from k8s.io/client-go/kubernetes/typed/discovery/v1
+        k8s.io/client-go/applyconfigurations/discovery/v1beta1       from k8s.io/client-go/kubernetes/typed/discovery/v1beta1
+        k8s.io/client-go/applyconfigurations/events/v1               from k8s.io/client-go/kubernetes/typed/events/v1
+        k8s.io/client-go/applyconfigurations/events/v1beta1          from k8s.io/client-go/kubernetes/typed/events/v1beta1
+        k8s.io/client-go/applyconfigurations/extensions/v1beta1      from k8s.io/client-go/kubernetes/typed/extensions/v1beta1
+        k8s.io/client-go/applyconfigurations/flowcontrol/v1          from k8s.io/client-go/kubernetes/typed/flowcontrol/v1
+        k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1     from k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta1
+        k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2     from k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta2
+        k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3     from k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta3
+        k8s.io/client-go/applyconfigurations/internal                from k8s.io/client-go/applyconfigurations/admissionregistration/v1+
+        k8s.io/client-go/applyconfigurations/meta/v1                 from k8s.io/client-go/applyconfigurations/admissionregistration/v1+
+        k8s.io/client-go/applyconfigurations/networking/v1           from k8s.io/client-go/kubernetes/typed/networking/v1
+        k8s.io/client-go/applyconfigurations/networking/v1alpha1     from k8s.io/client-go/kubernetes/typed/networking/v1alpha1
+        k8s.io/client-go/applyconfigurations/networking/v1beta1      from k8s.io/client-go/kubernetes/typed/networking/v1beta1
+        k8s.io/client-go/applyconfigurations/node/v1                 from k8s.io/client-go/kubernetes/typed/node/v1
+        k8s.io/client-go/applyconfigurations/node/v1alpha1           from k8s.io/client-go/kubernetes/typed/node/v1alpha1
+        k8s.io/client-go/applyconfigurations/node/v1beta1            from k8s.io/client-go/kubernetes/typed/node/v1beta1
+        k8s.io/client-go/applyconfigurations/policy/v1               from k8s.io/client-go/kubernetes/typed/policy/v1
+        k8s.io/client-go/applyconfigurations/policy/v1beta1          from k8s.io/client-go/kubernetes/typed/policy/v1beta1
+        k8s.io/client-go/applyconfigurations/rbac/v1                 from k8s.io/client-go/kubernetes/typed/rbac/v1
+        k8s.io/client-go/applyconfigurations/rbac/v1alpha1           from k8s.io/client-go/kubernetes/typed/rbac/v1alpha1
+        k8s.io/client-go/applyconfigurations/rbac/v1beta1            from k8s.io/client-go/kubernetes/typed/rbac/v1beta1
+        k8s.io/client-go/applyconfigurations/resource/v1alpha2       from k8s.io/client-go/kubernetes/typed/resource/v1alpha2
+        k8s.io/client-go/applyconfigurations/scheduling/v1           from k8s.io/client-go/kubernetes/typed/scheduling/v1
+        k8s.io/client-go/applyconfigurations/scheduling/v1alpha1     from k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1
+        k8s.io/client-go/applyconfigurations/scheduling/v1beta1      from k8s.io/client-go/kubernetes/typed/scheduling/v1beta1
+        k8s.io/client-go/applyconfigurations/storage/v1              from k8s.io/client-go/kubernetes/typed/storage/v1
+        k8s.io/client-go/applyconfigurations/storage/v1alpha1        from k8s.io/client-go/kubernetes/typed/storage/v1alpha1
+        k8s.io/client-go/applyconfigurations/storage/v1beta1         from k8s.io/client-go/kubernetes/typed/storage/v1beta1
+        k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1 from k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1
+        k8s.io/client-go/discovery                                   from k8s.io/client-go/applyconfigurations/meta/v1+
+        k8s.io/client-go/dynamic                                     from sigs.k8s.io/controller-runtime/pkg/cache/internal+
+        k8s.io/client-go/features                                    from k8s.io/client-go/tools/cache
+        k8s.io/client-go/kubernetes                                  from k8s.io/client-go/tools/leaderelection/resourcelock
+        k8s.io/client-go/kubernetes/scheme                           from k8s.io/client-go/discovery+
+        k8s.io/client-go/kubernetes/typed/admissionregistration/v1   from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1 from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1 from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/apiserverinternal/v1alpha1 from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/apps/v1                    from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/apps/v1beta1               from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/apps/v1beta2               from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/authentication/v1          from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/authentication/v1alpha1    from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/authentication/v1beta1     from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/authorization/v1           from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/authorization/v1beta1      from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/autoscaling/v1             from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/autoscaling/v2             from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1        from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/autoscaling/v2beta2        from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/batch/v1                   from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/batch/v1beta1              from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/certificates/v1            from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/certificates/v1alpha1      from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/certificates/v1beta1       from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/coordination/v1            from k8s.io/client-go/kubernetes+
+        k8s.io/client-go/kubernetes/typed/coordination/v1beta1       from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/core/v1                    from k8s.io/client-go/kubernetes+
+        k8s.io/client-go/kubernetes/typed/discovery/v1               from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/discovery/v1beta1          from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/events/v1                  from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/events/v1beta1             from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/extensions/v1beta1         from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/flowcontrol/v1             from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta1        from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta2        from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta3        from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/networking/v1              from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/networking/v1alpha1        from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/networking/v1beta1         from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/node/v1                    from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/node/v1alpha1              from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/node/v1beta1               from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/policy/v1                  from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/policy/v1beta1             from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/rbac/v1                    from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/rbac/v1alpha1              from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/rbac/v1beta1               from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/resource/v1alpha2          from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/scheduling/v1              from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1        from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/scheduling/v1beta1         from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/storage/v1                 from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/storage/v1alpha1           from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/storage/v1beta1            from k8s.io/client-go/kubernetes
+        k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1  from k8s.io/client-go/kubernetes
+        k8s.io/client-go/metadata                                    from sigs.k8s.io/controller-runtime/pkg/cache/internal+
+        k8s.io/client-go/openapi                                     from k8s.io/client-go/discovery
+        k8s.io/client-go/pkg/apis/clientauthentication               from k8s.io/client-go/pkg/apis/clientauthentication/install+
+        k8s.io/client-go/pkg/apis/clientauthentication/install       from k8s.io/client-go/plugin/pkg/client/auth/exec
+     💣 k8s.io/client-go/pkg/apis/clientauthentication/v1            from k8s.io/client-go/pkg/apis/clientauthentication/install+
+     💣 k8s.io/client-go/pkg/apis/clientauthentication/v1beta1       from k8s.io/client-go/pkg/apis/clientauthentication/install+
+        k8s.io/client-go/pkg/version                                 from k8s.io/client-go/rest
+        k8s.io/client-go/plugin/pkg/client/auth/exec                 from k8s.io/client-go/rest
+        k8s.io/client-go/rest                                        from k8s.io/client-go/discovery+
+        k8s.io/client-go/rest/watch                                  from k8s.io/client-go/rest
+        k8s.io/client-go/restmapper                                  from sigs.k8s.io/controller-runtime/pkg/client/apiutil
+        k8s.io/client-go/tools/auth                                  from k8s.io/client-go/tools/clientcmd
+        k8s.io/client-go/tools/cache                                 from sigs.k8s.io/controller-runtime/pkg/cache+
+        k8s.io/client-go/tools/cache/synctrack                       from k8s.io/client-go/tools/cache
+        k8s.io/client-go/tools/clientcmd                             from sigs.k8s.io/controller-runtime/pkg/client/config
+        k8s.io/client-go/tools/clientcmd/api                         from k8s.io/client-go/plugin/pkg/client/auth/exec+
+        k8s.io/client-go/tools/clientcmd/api/latest                  from k8s.io/client-go/tools/clientcmd
+     💣 k8s.io/client-go/tools/clientcmd/api/v1                      from k8s.io/client-go/tools/clientcmd/api/latest
+        k8s.io/client-go/tools/internal/events                       from k8s.io/client-go/tools/record
+        k8s.io/client-go/tools/leaderelection                        from sigs.k8s.io/controller-runtime/pkg/manager+
+        k8s.io/client-go/tools/leaderelection/resourcelock           from k8s.io/client-go/tools/leaderelection+
+        k8s.io/client-go/tools/metrics                               from k8s.io/client-go/plugin/pkg/client/auth/exec+
+        k8s.io/client-go/tools/pager                                 from k8s.io/client-go/tools/cache
+        k8s.io/client-go/tools/record                                from sigs.k8s.io/controller-runtime/pkg/cluster+
+        k8s.io/client-go/tools/record/util                           from k8s.io/client-go/tools/record
+        k8s.io/client-go/tools/reference                             from k8s.io/client-go/kubernetes/typed/core/v1+
+        k8s.io/client-go/transport                                   from k8s.io/client-go/plugin/pkg/client/auth/exec+
+        k8s.io/client-go/util/cert                                   from k8s.io/client-go/rest+
+        k8s.io/client-go/util/connrotation                           from k8s.io/client-go/plugin/pkg/client/auth/exec+
+        k8s.io/client-go/util/flowcontrol                            from k8s.io/client-go/kubernetes+
+        k8s.io/client-go/util/homedir                                from k8s.io/client-go/tools/clientcmd
+        k8s.io/client-go/util/keyutil                                from k8s.io/client-go/util/cert
+        k8s.io/client-go/util/workqueue                              from k8s.io/client-go/transport+
+        k8s.io/klog/v2                                               from k8s.io/apimachinery/pkg/api/meta+
+        k8s.io/klog/v2/internal/buffer                               from k8s.io/klog/v2
+        k8s.io/klog/v2/internal/clock                                from k8s.io/klog/v2
+        k8s.io/klog/v2/internal/dbg                                  from k8s.io/klog/v2
+        k8s.io/klog/v2/internal/serialize                            from k8s.io/klog/v2
+        k8s.io/klog/v2/internal/severity                             from k8s.io/klog/v2+
+        k8s.io/klog/v2/internal/sloghandler                          from k8s.io/klog/v2
+        k8s.io/kube-openapi/pkg/cached                               from k8s.io/kube-openapi/pkg/handler3
+        k8s.io/kube-openapi/pkg/common                               from k8s.io/kube-openapi/pkg/handler3
+        k8s.io/kube-openapi/pkg/handler3                             from k8s.io/client-go/openapi
+        k8s.io/kube-openapi/pkg/internal                             from k8s.io/kube-openapi/pkg/spec3+
+        k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json from k8s.io/kube-openapi/pkg/internal+
+        k8s.io/kube-openapi/pkg/schemaconv                           from k8s.io/apimachinery/pkg/util/managedfields+
+        k8s.io/kube-openapi/pkg/spec3                                from k8s.io/client-go/openapi+
+        k8s.io/kube-openapi/pkg/util/proto                           from k8s.io/apimachinery/pkg/util/managedfields+
+        k8s.io/kube-openapi/pkg/validation/spec                      from k8s.io/apimachinery/pkg/util/managedfields+
+        k8s.io/utils/buffer                                          from k8s.io/client-go/tools/cache
+        k8s.io/utils/clock                                           from k8s.io/apimachinery/pkg/util/cache+
+        k8s.io/utils/clock/testing                                   from k8s.io/client-go/util/flowcontrol
+        k8s.io/utils/internal/third_party/forked/golang/net          from k8s.io/utils/net
+        k8s.io/utils/net                                             from k8s.io/apimachinery/pkg/util/net+
+        k8s.io/utils/pointer                                         from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
+        k8s.io/utils/ptr                                             from k8s.io/client-go/tools/cache+
+        k8s.io/utils/strings/slices                                  from k8s.io/apimachinery/pkg/labels
+        k8s.io/utils/trace                                           from k8s.io/client-go/tools/cache
+        nhooyr.io/websocket                                          from tailscale.com/control/controlhttp+
+        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/util                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
+        sigs.k8s.io/controller-runtime/pkg/builder                   from tailscale.com/cmd/k8s-operator
+        sigs.k8s.io/controller-runtime/pkg/cache                     from sigs.k8s.io/controller-runtime/pkg/cluster+
+        sigs.k8s.io/controller-runtime/pkg/cache/internal            from sigs.k8s.io/controller-runtime/pkg/cache
+        sigs.k8s.io/controller-runtime/pkg/certwatcher               from sigs.k8s.io/controller-runtime/pkg/metrics/server+
+        sigs.k8s.io/controller-runtime/pkg/certwatcher/metrics       from sigs.k8s.io/controller-runtime/pkg/certwatcher
+        sigs.k8s.io/controller-runtime/pkg/client                    from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/client/apiutil            from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/client/config             from tailscale.com/cmd/k8s-operator
+        sigs.k8s.io/controller-runtime/pkg/cluster                   from sigs.k8s.io/controller-runtime/pkg/manager
+        sigs.k8s.io/controller-runtime/pkg/config                    from sigs.k8s.io/controller-runtime/pkg/manager
+        sigs.k8s.io/controller-runtime/pkg/controller                from sigs.k8s.io/controller-runtime/pkg/builder
+        sigs.k8s.io/controller-runtime/pkg/conversion                from sigs.k8s.io/controller-runtime/pkg/webhook/conversion
+        sigs.k8s.io/controller-runtime/pkg/event                     from sigs.k8s.io/controller-runtime/pkg/handler+
+        sigs.k8s.io/controller-runtime/pkg/handler                   from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/healthz                   from sigs.k8s.io/controller-runtime/pkg/manager+
+        sigs.k8s.io/controller-runtime/pkg/internal/controller       from sigs.k8s.io/controller-runtime/pkg/controller
+        sigs.k8s.io/controller-runtime/pkg/internal/controller/metrics from sigs.k8s.io/controller-runtime/pkg/internal/controller
+        sigs.k8s.io/controller-runtime/pkg/internal/field/selector   from sigs.k8s.io/controller-runtime/pkg/cache/internal
+        sigs.k8s.io/controller-runtime/pkg/internal/httpserver       from sigs.k8s.io/controller-runtime/pkg/manager+
+        sigs.k8s.io/controller-runtime/pkg/internal/log              from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/internal/recorder         from sigs.k8s.io/controller-runtime/pkg/cluster+
+        sigs.k8s.io/controller-runtime/pkg/internal/source           from sigs.k8s.io/controller-runtime/pkg/source
+        sigs.k8s.io/controller-runtime/pkg/internal/syncs            from sigs.k8s.io/controller-runtime/pkg/cache/internal
+        sigs.k8s.io/controller-runtime/pkg/leaderelection            from sigs.k8s.io/controller-runtime/pkg/manager
+        sigs.k8s.io/controller-runtime/pkg/log                       from sigs.k8s.io/controller-runtime/pkg/client+
+        sigs.k8s.io/controller-runtime/pkg/log/zap                   from tailscale.com/cmd/k8s-operator
+        sigs.k8s.io/controller-runtime/pkg/manager                   from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/manager/signals           from tailscale.com/cmd/k8s-operator
+        sigs.k8s.io/controller-runtime/pkg/metrics                   from sigs.k8s.io/controller-runtime/pkg/certwatcher/metrics+
+        sigs.k8s.io/controller-runtime/pkg/metrics/server            from sigs.k8s.io/controller-runtime/pkg/manager
+        sigs.k8s.io/controller-runtime/pkg/predicate                 from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/ratelimiter               from sigs.k8s.io/controller-runtime/pkg/controller+
+        sigs.k8s.io/controller-runtime/pkg/reconcile                 from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/recorder                  from sigs.k8s.io/controller-runtime/pkg/leaderelection+
+        sigs.k8s.io/controller-runtime/pkg/source                    from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/webhook                   from sigs.k8s.io/controller-runtime/pkg/manager
+        sigs.k8s.io/controller-runtime/pkg/webhook/admission         from sigs.k8s.io/controller-runtime/pkg/builder+
+        sigs.k8s.io/controller-runtime/pkg/webhook/conversion        from sigs.k8s.io/controller-runtime/pkg/builder
+        sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics  from sigs.k8s.io/controller-runtime/pkg/webhook+
+        sigs.k8s.io/json                                             from k8s.io/apimachinery/pkg/runtime/serializer/json+
+        sigs.k8s.io/json/internal/golang/encoding/json               from sigs.k8s.io/json
+     💣 sigs.k8s.io/structured-merge-diff/v4/fieldpath               from k8s.io/apimachinery/pkg/util/managedfields+
+        sigs.k8s.io/structured-merge-diff/v4/merge                   from k8s.io/apimachinery/pkg/util/managedfields/internal
+        sigs.k8s.io/structured-merge-diff/v4/schema                  from k8s.io/apimachinery/pkg/util/managedfields+
+        sigs.k8s.io/structured-merge-diff/v4/typed                   from k8s.io/apimachinery/pkg/util/managedfields+
+        sigs.k8s.io/structured-merge-diff/v4/value                   from k8s.io/apimachinery/pkg/runtime+
+        sigs.k8s.io/yaml                                             from k8s.io/apimachinery/pkg/runtime/serializer/json+
+        sigs.k8s.io/yaml/goyaml.v2                                   from sigs.k8s.io/yaml
+        tailscale.com                                                from tailscale.com/version
+        tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
+        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+        tailscale.com/client/tailscale                               from tailscale.com/client/web+
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
+        tailscale.com/client/web                                     from tailscale.com/ipn/ipnlocal
+        tailscale.com/clientupdate                                   from tailscale.com/client/web+
+        tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
+        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp+
+        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
+        tailscale.com/control/controlhttp                            from tailscale.com/control/controlclient
+        tailscale.com/control/controlknobs                           from tailscale.com/control/controlclient+
+        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
+        tailscale.com/derp/derphttp                                  from tailscale.com/ipn/localapi+
+        tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
+        tailscale.com/doctor/ethtool                                 from tailscale.com/ipn/ipnlocal
+     💣 tailscale.com/doctor/permissions                             from tailscale.com/ipn/ipnlocal
+        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
+        tailscale.com/drive                                          from tailscale.com/client/tailscale+
+        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
+        tailscale.com/health                                         from tailscale.com/control/controlclient+
+        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
+        tailscale.com/hostinfo                                       from tailscale.com/client/web+
+        tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
+        tailscale.com/ipn                                            from tailscale.com/client/tailscale+
+        tailscale.com/ipn/conffile                                   from tailscale.com/ipn/ipnlocal+
+     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
+        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/localapi+
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
+        tailscale.com/ipn/localapi                                   from tailscale.com/tsnet
+        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
+        tailscale.com/ipn/store                                      from tailscale.com/ipn/ipnlocal+
+   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
+        tailscale.com/ipn/store/kubestore                            from tailscale.com/cmd/k8s-operator+
+        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/ipnlocal+
+        tailscale.com/k8s-operator                                   from tailscale.com/cmd/k8s-operator
+        tailscale.com/k8s-operator/apis                              from tailscale.com/k8s-operator/apis/v1alpha1
+        tailscale.com/k8s-operator/apis/v1alpha1                     from tailscale.com/cmd/k8s-operator+
+        tailscale.com/k8s-operator/sessionrecording                  from tailscale.com/cmd/k8s-operator
+        tailscale.com/k8s-operator/sessionrecording/conn             from tailscale.com/k8s-operator/sessionrecording/spdy
+        tailscale.com/k8s-operator/sessionrecording/spdy             from tailscale.com/k8s-operator/sessionrecording
+        tailscale.com/k8s-operator/sessionrecording/tsrecorder       from tailscale.com/k8s-operator/sessionrecording+
+        tailscale.com/kube                                           from tailscale.com/cmd/k8s-operator+
+        tailscale.com/licenses                                       from tailscale.com/client/web
+        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
+        tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
+        tailscale.com/logpolicy                                      from tailscale.com/ipn/ipnlocal+
+        tailscale.com/logtail                                        from tailscale.com/control/controlclient+
+        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
+        tailscale.com/logtail/filch                                  from tailscale.com/log/sockstatlog+
+        tailscale.com/metrics                                        from tailscale.com/derp+
+        tailscale.com/net/captivedetection                           from tailscale.com/ipn/ipnlocal+
+        tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
+        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
+        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns+
+        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
+        tailscale.com/net/dns/resolvconffile                         from tailscale.com/cmd/k8s-operator+
+        tailscale.com/net/dns/resolver                               from tailscale.com/net/dns
+        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
+        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
+        tailscale.com/net/ipset                                      from tailscale.com/ipn/ipnlocal+
+        tailscale.com/net/memnet                                     from tailscale.com/tsnet
+        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
+        tailscale.com/net/netcheck                                   from tailscale.com/ipn/ipnlocal+
+        tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
+        tailscale.com/net/netkernelconf                              from tailscale.com/ipn/ipnlocal
+        tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
+     💣 tailscale.com/net/netmon                                     from tailscale.com/control/controlclient+
+     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
+   W 💣 tailscale.com/net/netstat                                    from tailscale.com/portlist
+        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
+        tailscale.com/net/packet                                     from tailscale.com/net/connstats+
+        tailscale.com/net/packet/checksum                            from tailscale.com/net/tstun
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
+        tailscale.com/net/portmapper                                 from tailscale.com/ipn/localapi+
+        tailscale.com/net/proxymux                                   from tailscale.com/tsnet
+        tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
+        tailscale.com/net/socks5                                     from tailscale.com/tsnet
+        tailscale.com/net/sockstats                                  from tailscale.com/control/controlclient+
+        tailscale.com/net/stun                                       from tailscale.com/ipn/localapi+
+   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
+        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
+        tailscale.com/net/tsaddr                                     from tailscale.com/client/web+
+        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/clientupdate/distsign+
+        tailscale.com/net/tstun                                      from tailscale.com/tsd+
+        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
+        tailscale.com/omit                                           from tailscale.com/ipn/conffile
+        tailscale.com/paths                                          from tailscale.com/client/tailscale+
+     💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
+        tailscale.com/posture                                        from tailscale.com/ipn/ipnlocal
+        tailscale.com/proxymap                                       from tailscale.com/tsd+
+     💣 tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
+        tailscale.com/sessionrecording                               from tailscale.com/cmd/k8s-operator+
+        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
+        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
+        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/tka                                            from tailscale.com/client/tailscale+
+   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
+        tailscale.com/tsd                                            from tailscale.com/ipn/ipnlocal+
+        tailscale.com/tsnet                                          from tailscale.com/cmd/k8s-operator+
+        tailscale.com/tstime                                         from tailscale.com/cmd/k8s-operator+
+        tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
+        tailscale.com/tstime/rate                                    from tailscale.com/derp+
+        tailscale.com/types/appctype                                 from tailscale.com/ipn/ipnlocal
+        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
+        tailscale.com/types/empty                                    from tailscale.com/ipn+
+        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
+        tailscale.com/types/key                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/lazy                                     from tailscale.com/ipn/ipnlocal+
+        tailscale.com/types/logger                                   from tailscale.com/appc+
+        tailscale.com/types/logid                                    from tailscale.com/ipn/ipnlocal+
+        tailscale.com/types/netlogtype                               from tailscale.com/net/connstats+
+        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
+        tailscale.com/types/nettype                                  from tailscale.com/ipn/localapi+
+        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
+        tailscale.com/types/preftype                                 from tailscale.com/ipn+
+        tailscale.com/types/ptr                                      from tailscale.com/cmd/k8s-operator+
+        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+        tailscale.com/types/tkatype                                  from tailscale.com/client/tailscale+
+        tailscale.com/types/views                                    from tailscale.com/appc+
+        tailscale.com/util/cibuild                                   from tailscale.com/health
+        tailscale.com/util/clientmetric                              from tailscale.com/cmd/k8s-operator+
+        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
+        tailscale.com/util/cmpver                                    from tailscale.com/clientupdate+
+        tailscale.com/util/ctxkey                                    from tailscale.com/cmd/k8s-operator+
+     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
+   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
+        tailscale.com/util/dnsname                                   from tailscale.com/appc+
+        tailscale.com/util/execqueue                                 from tailscale.com/appc+
+        tailscale.com/util/goroutines                                from tailscale.com/ipn/ipnlocal
+        tailscale.com/util/groupmember                               from tailscale.com/client/web+
+     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
+        tailscale.com/util/httphdr                                   from tailscale.com/ipn/ipnlocal+
+        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
+        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
+        tailscale.com/util/mak                                       from tailscale.com/appc+
+        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
+        tailscale.com/util/must                                      from tailscale.com/clientupdate/distsign+
+        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
+     💣 tailscale.com/util/osdiag                                    from tailscale.com/ipn/localapi
+   W 💣 tailscale.com/util/osdiag/internal/wsc                       from tailscale.com/util/osdiag
+        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal
+        tailscale.com/util/osuser                                    from tailscale.com/ipn/ipnlocal+
+        tailscale.com/util/progresstracking                          from tailscale.com/ipn/localapi
+        tailscale.com/util/race                                      from tailscale.com/net/dns/resolver
+        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
+        tailscale.com/util/rands                                     from tailscale.com/ipn/ipnlocal+
+        tailscale.com/util/ringbuffer                                from tailscale.com/wgengine/magicsock
+        tailscale.com/util/set                                       from tailscale.com/cmd/k8s-operator+
+        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
+        tailscale.com/util/slicesx                                   from tailscale.com/appc+
+        tailscale.com/util/syspolicy                                 from tailscale.com/control/controlclient+
+        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
+        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
+        tailscale.com/util/testenv                                   from tailscale.com/control/controlclient+
+        tailscale.com/util/truncate                                  from tailscale.com/logtail
+        tailscale.com/util/uniq                                      from tailscale.com/ipn/ipnlocal+
+        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
+     💣 tailscale.com/util/winutil                                   from tailscale.com/clientupdate+
+   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/clientupdate+
+   W 💣 tailscale.com/util/winutil/gp                                from tailscale.com/net/dns
+   W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
+   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
+        tailscale.com/util/zstdframe                                 from tailscale.com/control/controlclient+
+        tailscale.com/version                                        from tailscale.com/client/web+
+        tailscale.com/version/distro                                 from tailscale.com/client/web+
+        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap+
+     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
+        tailscale.com/wgengine/netstack                              from tailscale.com/tsnet
+        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
+        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
+     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine+
+        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
+   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
+        golang.org/x/crypto/argon2                                   from tailscale.com/tka
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
+  LD    golang.org/x/crypto/blowfish                                 from github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf
+        golang.org/x/crypto/chacha20                                 from github.com/tailscale/golang-x-crypto/ssh+
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
+        golang.org/x/exp/maps                                        from sigs.k8s.io/controller-runtime/pkg/cache+
+        golang.org/x/exp/slices                                      from tailscale.com/cmd/k8s-operator+
+        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
+        golang.org/x/net/dns/dnsmessage                              from net+
+        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
+        golang.org/x/net/http/httpproxy                              from net/http+
+        golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
+        golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
+        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
+        golang.org/x/net/icmp                                        from github.com/prometheus-community/pro-bing+
+        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
+        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
+        golang.org/x/net/proxy                                       from tailscale.com/net/netns
+   D    golang.org/x/net/route                                       from net+
+        golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials+
+        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/k8s-operator
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
+        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
+        golang.org/x/sys/cpu                                         from github.com/josharian/native+
+  LD    golang.org/x/sys/unix                                        from github.com/fsnotify/fsnotify+
+   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
+   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
+   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
+        golang.org/x/term                                            from k8s.io/client-go/plugin/pkg/client/auth/exec+
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/log+
+        archive/tar                                                  from tailscale.com/clientupdate
+        bufio                                                        from compress/flate+
+        bytes                                                        from archive/tar+
+        cmp                                                          from github.com/gaissmai/bart+
+        compress/flate                                               from compress/gzip+
+        compress/gzip                                                from github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding+
+        compress/zlib                                                from debug/pe+
+        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdh+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509+
+        crypto/ecdh                                                  from crypto/ecdsa+
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls+
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
+        crypto/x509                                                  from crypto/tls+
+        crypto/x509/pkix                                             from crypto/x509+
+        database/sql                                                 from github.com/prometheus/client_golang/prometheus/collectors
+        database/sql/driver                                          from database/sql+
+   W    debug/dwarf                                                  from debug/pe
+   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
+        embed                                                        from crypto/internal/nistec+
+        encoding                                                     from encoding/gob+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base32                                              from github.com/fxamacker/cbor/v2+
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/csv                                                 from github.com/spf13/pflag
+        encoding/gob                                                 from github.com/gorilla/securecookie
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        encoding/xml                                                 from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+
+        errors                                                       from archive/tar+
+        expvar                                                       from github.com/prometheus/client_golang/prometheus+
+        flag                                                         from github.com/spf13/pflag+
+        fmt                                                          from archive/tar+
+        go/ast                                                       from go/doc+
+        go/build/constraint                                          from go/parser
+        go/doc                                                       from k8s.io/apimachinery/pkg/runtime
+        go/doc/comment                                               from go/doc
+        go/parser                                                    from k8s.io/apimachinery/pkg/runtime
+        go/scanner                                                   from go/ast+
+        go/token                                                     from go/ast+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib+
+        hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
+        hash/maphash                                                 from go4.org/mem
+        html                                                         from html/template+
+        html/template                                                from github.com/gorilla/csrf
+        io                                                           from archive/tar+
+        io/fs                                                        from archive/tar+
+        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
+        log                                                          from expvar+
+        log/internal                                                 from log+
+        log/slog                                                     from github.com/go-logr/logr+
+        log/slog/internal                                            from log/slog
+        maps                                                         from sigs.k8s.io/controller-runtime/pkg/predicate+
+        math                                                         from archive/tar+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from github.com/google/go-cmp/cmp+
+        math/rand/v2                                                 from tailscale.com/derp+
+        mime                                                         from github.com/prometheus/common/expfmt+
+        mime/multipart                                               from github.com/go-openapi/swag+
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptest                                            from tailscale.com/control/controlclient
+        net/http/httptrace                                           from github.com/prometheus-community/pro-bing+
+        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
+        net/http/internal                                            from net/http+
+        net/http/pprof                                               from sigs.k8s.io/controller-runtime/pkg/manager+
+        net/netip                                                    from github.com/gaissmai/bart+
+        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
+        os/signal                                                    from sigs.k8s.io/controller-runtime/pkg/manager/signals
+        os/user                                                      from archive/tar+
+        path                                                         from archive/tar+
+        path/filepath                                                from archive/tar+
+        reflect                                                      from archive/tar+
+        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
+        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
+        runtime/pprof                                                from net/http/pprof+
+        runtime/trace                                                from net/http/pprof
+        slices                                                       from encoding/base32+
+        sort                                                         from archive/tar+
+        strconv                                                      from archive/tar+
+        strings                                                      from archive/tar+
+        sync                                                         from archive/tar+
+        sync/atomic                                                  from context+
+        syscall                                                      from archive/tar+
+        text/tabwriter                                               from k8s.io/apimachinery/pkg/util/diff+
+        text/template                                                from html/template
+        text/template/parse                                          from html/template+
+        time                                                         from archive/tar+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from crypto/x509+
+        unicode/utf8                                                 from bufio+

cmd/k8s-operator/deploy/chart/templates/deployment.yaml

@@ -77,6 +77,9 @@ spec:
               value: "{{ .Values.apiServerProxyConfig.mode }}"
             - name: PROXY_FIREWALL_MODE
               value: {{ .Values.proxyConfig.firewallMode }}
+            {{- with .Values.operatorConfig.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           volumeMounts:
           - name: oauth
             mountPath: /oauth

cmd/k8s-operator/deploy/chart/values.yaml

@@ -48,6 +48,13 @@ operatorConfig:
 
   securityContext: {}
 
+  extraEnv: []
+  # - name: EXTRA_VAR1
+  #   value: "value1"
+  # - name: EXTRA_VAR2
+  #   value: "value2"
+
+
 # proxyConfig contains configuraton that will be applied to any ingress/egress
 # proxies created by the operator.
 # https://tailscale.com/kb/1236/kubernetes-operator/#cluster-ingress

cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
   name: connectors.tailscale.com
 spec:
   group: tailscale.com
@@ -31,48 +31,95 @@ spec:
       name: v1alpha1
       schema:
         openAPIV3Schema:
-          description: 'Connector defines a Tailscale node that will be deployed in the cluster. The node can be configured to act as a Tailscale subnet router and/or a Tailscale exit node. Connector is a cluster-scoped resource. More info: https://tailscale.com/kb/1236/kubernetes-operator#deploying-exit-nodes-and-subnet-routers-on-kubernetes-using-connector-custom-resource'
+          description: |-
+            Connector defines a Tailscale node that will be deployed in the cluster. The
+            node can be configured to act as a Tailscale subnet router and/or a Tailscale
+            exit node.
+            Connector is a cluster-scoped resource.
+            More info:
+            https://tailscale.com/kb/1236/kubernetes-operator#deploying-exit-nodes-and-subnet-routers-on-kubernetes-using-connector-custom-resource
           type: object
           required:
             - spec
           properties:
             apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
               type: string
             kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
               type: string
             metadata:
               type: object
             spec:
-              description: 'ConnectorSpec describes the desired Tailscale component. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+              description: |-
+                ConnectorSpec describes the desired Tailscale component.
+                More info:
+                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
               type: object
               properties:
                 exitNode:
-                  description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
+                  description: |-
+                    ExitNode defines whether the Connector node should act as a
+                    Tailscale exit node. Defaults to false.
+                    https://tailscale.com/kb/1103/exit-nodes
                   type: boolean
                 hostname:
-                  description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
+                  description: |-
+                    Hostname is the tailnet hostname that should be assigned to the
+                    Connector node. If unset, hostname defaults to <connector
+                    name>-connector. Hostname can contain lower case letters, numbers and
+                    dashes, it must not start or end with a dash and must be between 2
+                    and 63 characters long.
                   type: string
                   pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
                 proxyClass:
-                  description: ProxyClass is the name of the ProxyClass custom resource that contains configuration options that should be applied to the resources created for this Connector. If unset, the operator will create resources with the default configuration.
+                  description: |-
+                    ProxyClass is the name of the ProxyClass custom resource that
+                    contains configuration options that should be applied to the
+                    resources created for this Connector. If unset, the operator will
+                    create resources with the default configuration.
                   type: string
                 subnetRouter:
-                  description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
+                  description: |-
+                    SubnetRouter defines subnet routes that the Connector node should
+                    expose to tailnet. If unset, none are exposed.
+                    https://tailscale.com/kb/1019/subnets/
                   type: object
                   required:
                     - advertiseRoutes
                   properties:
                     advertiseRoutes:
-                      description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
+                      description: |-
+                        AdvertiseRoutes refer to CIDRs that the subnet router should make
+                        available. Route values must be strings that represent a valid IPv4
+                        or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
+                        https://tailscale.com/kb/1201/4via6-subnets/
                       type: array
                       minItems: 1
                       items:
                         type: string
                         format: cidr
                 tags:
-                  description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+                  description: |-
+                    Tags that the Tailscale node will be tagged with.
+                    Defaults to [tag:k8s].
+                    To autoapprove the subnet routes or exit node defined by a Connector,
+                    you can configure Tailscale ACLs to give these tags the necessary
+                    permissions.
+                    See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
+                    If you specify custom tags here, you must also make the operator an owner of these tags.
+                    See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
+                    Tags cannot be changed once a Connector node has been created.
+                    Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
                   type: array
                   items:
                     type: string
@@ -81,53 +128,90 @@ spec:
                 - rule: has(self.subnetRouter) || self.exitNode == true
                   message: A Connector needs to be either an exit node or a subnet router, or both.
             status:
-              description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
+              description: |-
+                ConnectorStatus describes the status of the Connector. This is set
+                and managed by the Tailscale operator.
               type: object
               properties:
                 conditions:
-                  description: List of status conditions to indicate the status of the Connector. Known condition types are `ConnectorReady`.
+                  description: |-
+                    List of status conditions to indicate the status of the Connector.
+                    Known condition types are `ConnectorReady`.
                   type: array
                   items:
-                    description: ConnectorCondition contains condition information for a Connector.
+                    description: Condition contains details for one aspect of the current state of this API Resource.
                     type: object
                     required:
+                      - lastTransitionTime
+                      - message
+                      - reason
                       - status
                       - type
                     properties:
                       lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+                        description: |-
+                          lastTransitionTime is the last time the condition transitioned from one status to another.
+                          This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                         type: string
                         format: date-time
                       message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
+                        description: |-
+                          message is a human readable message indicating details about the transition.
+                          This may be an empty string.
                         type: string
+                        maxLength: 32768
                       observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
+                        description: |-
+                          observedGeneration represents the .metadata.generation that the condition was set based upon.
+                          For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                          with respect to the current state of the instance.
                         type: integer
                         format: int64
+                        minimum: 0
                       reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
+                        description: |-
+                          reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                          Producers of specific condition types may define expected values and meanings for this field,
+                          and whether the values are considered a guaranteed API.
+                          The value should be a CamelCase string.
+                          This field may not be empty.
                         type: string
+                        maxLength: 1024
+                        minLength: 1
+                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                       status:
-                        description: Status of the condition, one of ('True', 'False', 'Unknown').
+                        description: status of the condition, one of True, False, Unknown.
                         type: string
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
                       type:
-                        description: Type of the condition, known values are (`SubnetRouterReady`).
+                        description: type of condition in CamelCase or in foo.example.com/CamelCase.
                         type: string
+                        maxLength: 316
+                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                   x-kubernetes-list-map-keys:
                     - type
                   x-kubernetes-list-type: map
                 hostname:
-                  description: Hostname is the fully qualified domain name of the Connector node. If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the node.
+                  description: |-
+                    Hostname is the fully qualified domain name of the Connector node.
+                    If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the
+                    node.
                   type: string
                 isExitNode:
                   description: IsExitNode is set to true if the Connector acts as an exit node.
                   type: boolean
                 subnetRoutes:
-                  description: SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
+                  description: |-
+                    SubnetRoutes are the routes currently exposed to tailnet via this
+                    Connector instance.
                   type: string
                 tailnetIPs:
-                  description: TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6) assigned to the Connector node.
+                  description: |-
+                    TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6)
+                    assigned to the Connector node.
                   type: array
                   items:
                     type: string

cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.13.0
+    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
   name: dnsconfigs.tailscale.com
 spec:
   group: tailscale.com
@@ -23,27 +23,69 @@ spec:
       name: v1alpha1
       schema:
         openAPIV3Schema:
-          description: 'DNSConfig can be deployed to cluster to make a subset of Tailscale MagicDNS names resolvable by cluster workloads. Use this if: A) you need to refer to tailnet services, exposed to cluster via Tailscale Kubernetes operator egress proxies by the MagicDNS names of those tailnet services (usually because the services run over HTTPS) B) you have exposed a cluster workload to the tailnet using Tailscale Ingress and you also want to refer to the workload from within the cluster over the Ingress''s MagicDNS name (usually because you have some callback component that needs to use the same URL as that used by a non-cluster client on tailnet). When a DNSConfig is applied to a cluster, Tailscale Kubernetes operator will deploy a nameserver for ts.net DNS names and automatically populate it with records for any Tailscale egress or Ingress proxies deployed to that cluster. Currently you must manually update your cluster DNS configuration to add the IP address of the deployed nameserver as a ts.net stub nameserver. Instructions for how to do it: https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns (for CoreDNS), https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns (for kube-dns). Tailscale Kubernetes operator will write the address of a Service fronting the nameserver to dsnconfig.status.nameserver.ip. DNSConfig is a singleton - you must not create more than one. NB: if you want cluster workloads to be able to refer to Tailscale Ingress using its MagicDNS name, you must also annotate the Ingress resource with tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation to ensure that the proxy created for the Ingress listens on its Pod IP address. NB: Clusters where Pods get assigned IPv6 addresses only are currently not supported.'
+          description: |-
+            DNSConfig can be deployed to cluster to make a subset of Tailscale MagicDNS
+            names resolvable by cluster workloads. Use this if: A) you need to refer to
+            tailnet services, exposed to cluster via Tailscale Kubernetes operator egress
+            proxies by the MagicDNS names of those tailnet services (usually because the
+            services run over HTTPS)
+            B) you have exposed a cluster workload to the tailnet using Tailscale Ingress
+            and you also want to refer to the workload from within the cluster over the
+            Ingress's MagicDNS name (usually because you have some callback component
+            that needs to use the same URL as that used by a non-cluster client on
+            tailnet).
+            When a DNSConfig is applied to a cluster, Tailscale Kubernetes operator will
+            deploy a nameserver for ts.net DNS names and automatically populate it with records
+            for any Tailscale egress or Ingress proxies deployed to that cluster.
+            Currently you must manually update your cluster DNS configuration to add the
+            IP address of the deployed nameserver as a ts.net stub nameserver.
+            Instructions for how to do it:
+            https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns (for CoreDNS),
+            https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns (for kube-dns).
+            Tailscale Kubernetes operator will write the address of a Service fronting
+            the nameserver to dsnconfig.status.nameserver.ip.
+            DNSConfig is a singleton - you must not create more than one.
+            NB: if you want cluster workloads to be able to refer to Tailscale Ingress
+            using its MagicDNS name, you must also annotate the Ingress resource with
+            tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation to
+            ensure that the proxy created for the Ingress listens on its Pod IP address.
+            NB: Clusters where Pods get assigned IPv6 addresses only are currently not supported.
           type: object
           required:
             - spec
           properties:
             apiVersion:
-              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
               type: string
             kind:
-              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
               type: string
             metadata:
               type: object
             spec:
-              description: 'Spec describes the desired DNS configuration. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+              description: |-
+                Spec describes the desired DNS configuration.
+                More info:
+                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
               type: object
               required:
                 - nameserver
               properties:
                 nameserver:
-                  description: Configuration for a nameserver that can resolve ts.net DNS names associated with in-cluster proxies for Tailscale egress Services and Tailscale Ingresses. The operator will always deploy this nameserver when a DNSConfig is applied.
+                  description: |-
+                    Configuration for a nameserver that can resolve ts.net DNS names
+                    associated with in-cluster proxies for Tailscale egress Services and
+                    Tailscale Ingresses. The operator will always deploy this nameserver
+                    when a DNSConfig is applied.
                   type: object
                   properties:
                     image:
@@ -57,38 +99,66 @@ spec:
                           description: Tag defaults to operator's own tag.
                           type: string
             status:
-              description: Status describes the status of the DNSConfig. This is set and managed by the Tailscale operator.
+              description: |-
+                Status describes the status of the DNSConfig. This is set
+                and managed by the Tailscale operator.
               type: object
               properties:
                 conditions:
                   type: array
                   items:
-                    description: ConnectorCondition contains condition information for a Connector.
+                    description: Condition contains details for one aspect of the current state of this API Resource.
                     type: object
                     required:
+                      - lastTransitionTime
+                      - message
+                      - reason
                       - status
                       - type
                     properties:
                       lastTransitionTime:
-                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+                        description: |-
+                          lastTransitionTime is the last time the condition transitioned from one status to another.
+                          This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                         type: string
                         format: date-time
                       message:
-                        description: Message is a human readable description of the details of the last transition, complementing reason.
+                        description: |-
+                          message is a human readable message indicating details about the transition.
+                          This may be an empty string.
                         type: string
+                        maxLength: 32768
                       observedGeneration:
-                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
+                        description: |-
+                          observedGeneration represents the .metadata.generation that the condition was set based upon.
+                          For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                          with respect to the current state of the instance.
                         type: integer
                         format: int64
+                        minimum: 0
                       reason:
-                        description: Reason is a brief machine readable explanation for the condition's last transition.
+                        description: |-
+                          reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                          Producers of specific condition types may define expected values and meanings for this field,
+                          and whether the values are considered a guaranteed API.
+                          The value should be a CamelCase string.
+                          This field may not be empty.
                         type: string
+                        maxLength: 1024
+                        minLength: 1
+                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                       status:
-                        description: Status of the condition, one of ('True', 'False', 'Unknown').
+                        description: status of the condition, one of True, False, Unknown.
                         type: string
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
                       type:
-                        description: Type of the condition, known values are (`SubnetRouterReady`).
+                        description: type of condition in CamelCase or in foo.example.com/CamelCase.
                         type: string
+                        maxLength: 316
+                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                   x-kubernetes-list-map-keys:
                     - type
                   x-kubernetes-list-type: map
@@ -97,7 +167,13 @@ spec:
                   type: object
                   properties:
                     ip:
-                      description: IP is the ClusterIP of the Service fronting the deployed ts.net nameserver. Currently you must manually update your cluster DNS config to add this address as a stub nameserver for ts.net for cluster workloads to be able to resolve MagicDNS names associated with egress or Ingress proxies. The IP address will change if you delete and recreate the DNSConfig.
+                      description: |-
+                        IP is the ClusterIP of the Service fronting the deployed ts.net nameserver.
+                        Currently you must manually update your cluster DNS config to add
+                        this address as a stub nameserver for ts.net for cluster workloads to be
+                        able to resolve MagicDNS names associated with egress or Ingress
+                        proxies.
+                        The IP address will change if you delete and recreate the DNSConfig.
                       type: string
       served: true
       storage: true

cmd/k8s-operator/dnsrecords.go

@@ -3,9 +3,6 @@
 
 //go:build !plan9
 
-// tailscale-operator provides a way to expose services running in a Kubernetes
-// cluster to your Tailnet and to make Tailscale nodes available to cluster
-// workloads
 package main
 
 import (

cmd/k8s-operator/generate/main.go

@@ -3,6 +3,7 @@
 
 //go:build !plan9
 
+// The generate command creates tailscale.com CRDs.
 package main
 
 import (

cmd/k8s-operator/ingress_test.go

@@ -248,9 +248,9 @@ func TestTailscaleIngressWithProxyClass(t *testing.T) {
 	// created proxy resources.
 	mustUpdateStatus(t, fc, "", "custom-metadata", func(pc *tsapi.ProxyClass) {
 		pc.Status = tsapi.ProxyClassStatus{
-			Conditions: []tsapi.ConnectorCondition{{
+			Conditions: []metav1.Condition{{
 				Status:             metav1.ConditionTrue,
-				Type:               tsapi.ProxyClassready,
+				Type:               string(tsapi.ProxyClassready),
 				ObservedGeneration: pc.Generation,
 			}}}
 	})

cmd/k8s-operator/nameserver.go

@@ -101,7 +101,7 @@ func (a *NameserverReconciler) Reconcile(ctx context.Context, req reconcile.Requ
 	}
 
 	oldCnStatus := dnsCfg.Status.DeepCopy()
-	setStatus := func(dnsCfg *tsapi.DNSConfig, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
+	setStatus := func(dnsCfg *tsapi.DNSConfig, conditionType tsapi.ConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
 		tsoperator.SetDNSConfigCondition(dnsCfg, tsapi.NameserverReady, status, reason, message, dnsCfg.Generation, a.clock, logger)
 		if !apiequality.Semantic.DeepEqual(oldCnStatus, dnsCfg.Status) {
 			// An error encountered here should get returned by the Reconcile function.

cmd/k8s-operator/nameserver_test.go

@@ -81,12 +81,12 @@ func TestNameserverReconciler(t *testing.T) {
 		IP: "1.2.3.4",
 	}
 	dnsCfg.Finalizers = []string{FinalizerName}
-	dnsCfg.Status.Conditions = append(dnsCfg.Status.Conditions, tsapi.ConnectorCondition{
-		Type:               tsapi.NameserverReady,
+	dnsCfg.Status.Conditions = append(dnsCfg.Status.Conditions, metav1.Condition{
+		Type:               string(tsapi.NameserverReady),
 		Status:             metav1.ConditionTrue,
 		Reason:             reasonNameserverCreated,
 		Message:            reasonNameserverCreated,
-		LastTransitionTime: &metav1.Time{Time: cl.Now().Truncate(time.Second)},
+		LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
 	})
 	expectEqual(t, fc, dnsCfg, nil)
 

cmd/k8s-operator/operator.go

@@ -51,8 +51,8 @@ import (
 // Generate static manifests for deploying Tailscale operator on Kubernetes from the operator's Helm chart.
 //go:generate go run tailscale.com/cmd/k8s-operator/generate staticmanifests
 
-// Generate CRD docs from the yamls
-//go:generate go run fybrik.io/crdoc --resources=./deploy/crds --output=../../k8s-operator/api.md
+// Generate CRD API docs.
+//go:generate go run github.com/elastic/crd-ref-docs --renderer=markdown --source-path=../../k8s-operator/apis/ --config=../../k8s-operator/api-docs-config.yaml --output-path=../../k8s-operator/api.md
 
 func main() {
 	// Required to use our client API. We're fine with the instability since the
@@ -278,6 +278,7 @@ func runReconcilers(opts reconcilerOpts) {
 			isDefaultLoadBalancer: opts.proxyActAsDefaultLoadBalancer,
 			recorder:              eventRecorder,
 			tsNamespace:           opts.tailscaleNamespace,
+			clock:                 tstime.DefaultClock{},
 		})
 	if err != nil {
 		startlog.Fatalf("could not create service reconciler: %v", err)

cmd/k8s-operator/operator_test.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"testing"
+	"time"
 
 	"github.com/google/go-cmp/cmp"
 	"go.uber.org/zap"
@@ -17,10 +18,13 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/net/dns/resolvconffile"
+	"tailscale.com/tstest"
+	"tailscale.com/tstime"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
@@ -33,6 +37,7 @@ func TestLoadBalancerClass(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -42,11 +47,13 @@ func TestLoadBalancerClass(t *testing.T) {
 			operatorNamespace: "operator-ns",
 			proxyImage:        "tailscale/tailscale",
 		},
-		logger: zl.Sugar(),
+		logger:   zl.Sugar(),
+		clock:    clock,
+		recorder: record.NewFakeRecorder(100),
 	}
 
-	// Create a service that we should manage, and check that the initial round
-	// of objects looks right.
+	// Create a service that we should manage, but start with a miconfiguration
+	// in the annotations.
 	mustCreate(t, fc, &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test",
@@ -55,6 +62,9 @@ func TestLoadBalancerClass(t *testing.T) {
 			// doesn't. So, set it explicitly because other code later depends
 			// on it being set.
 			UID: types.UID("1234-UID"),
+			Annotations: map[string]string{
+				AnnotationTailnetTargetFQDN: "invalid.example.com",
+			},
 		},
 		Spec: corev1.ServiceSpec{
 			ClusterIP:         "10.20.30.40",
@@ -65,6 +75,46 @@ func TestLoadBalancerClass(t *testing.T) {
 
 	expectReconciled(t, sr, "default", "test")
 
+	// The expected value of .status.conditions[0].LastTransitionTime until the
+	// proxy becomes ready.
+	t0 := conditionTime(clock)
+
+	// Should have an error about invalid config.
+	want := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			UID:       types.UID("1234-UID"),
+			Annotations: map[string]string{
+				AnnotationTailnetTargetFQDN: "invalid.example.com",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP:         "10.20.30.40",
+			Type:              corev1.ServiceTypeLoadBalancer,
+			LoadBalancerClass: ptr.To("tailscale"),
+		},
+		Status: corev1.ServiceStatus{
+			Conditions: []metav1.Condition{{
+				Type:               string(tsapi.ProxyReady),
+				Status:             metav1.ConditionFalse,
+				LastTransitionTime: t0,
+				Reason:             reasonProxyInvalid,
+				Message:            `unable to provision proxy resources: invalid Service: invalid value of annotation tailscale.com/tailnet-fqdn: "invalid.example.com" does not appear to be a valid MagicDNS name`,
+			}},
+		},
+	}
+	expectEqual(t, fc, want, nil)
+
+	// Delete the misconfiguration so the proxy starts getting created on the
+	// next reconcile.
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		s.ObjectMeta.Annotations = nil
+	})
+
+	clock.Advance(time.Second)
+	expectReconciled(t, sr, "default", "test")
+
 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
 	opts := configOpts{
 		stsName:         shortName,
@@ -79,6 +129,19 @@ func TestLoadBalancerClass(t *testing.T) {
 	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
 	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
 
+	want.Annotations = nil
+	want.ObjectMeta.Finalizers = []string{"tailscale.com/finalizer"}
+	want.Status = corev1.ServiceStatus{
+		Conditions: []metav1.Condition{{
+			Type:               string(tsapi.ProxyReady),
+			Status:             metav1.ConditionFalse,
+			LastTransitionTime: t0, // Status is still false, no update to transition time
+			Reason:             reasonProxyPending,
+			Message:            "no Tailscale hostname known yet, waiting for proxy pod to finish auth",
+		}},
+	}
+	expectEqual(t, fc, want, nil)
+
 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
 	// that we get to the end.
@@ -90,33 +153,16 @@ func TestLoadBalancerClass(t *testing.T) {
 		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
 		s.Data["device_ips"] = []byte(`["100.99.98.97", "2c0a:8083:94d4:2012:3165:34a5:3616:5fdf"]`)
 	})
+	clock.Advance(time.Second)
 	expectReconciled(t, sr, "default", "test")
-	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "test",
-			Namespace:  "default",
-			Finalizers: []string{"tailscale.com/finalizer"},
-			UID:        types.UID("1234-UID"),
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP:         "10.20.30.40",
-			Type:              corev1.ServiceTypeLoadBalancer,
-			LoadBalancerClass: ptr.To("tailscale"),
-		},
-		Status: corev1.ServiceStatus{
-			LoadBalancer: corev1.LoadBalancerStatus{
-				Ingress: []corev1.LoadBalancerIngress{
-					{
-						Hostname: "tailscale.device.name",
-					},
-					{
-						IP: "100.99.98.97",
-					},
-				},
+	want.Status.Conditions = proxyCreatedCondition(clock)
+	want.Status.LoadBalancer = corev1.LoadBalancerStatus{
+		Ingress: []corev1.LoadBalancerIngress{
+			{
+				Hostname: "tailscale.device.name",
+			},
+			{
+				IP: "100.99.98.97",
 			},
 		},
 	}
@@ -144,11 +190,9 @@ func TestLoadBalancerClass(t *testing.T) {
 	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+
+	// Note that the Tailscale-specific condition status should be gone now.
 	want = &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test",
 			Namespace: "default",
@@ -170,6 +214,7 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 		t.Fatal(err)
 	}
 	tailnetTargetFQDN := "foo.bar.ts.net."
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -180,6 +225,7 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -220,10 +266,6 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
 	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -238,6 +280,9 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 			Type:         corev1.ServiceTypeExternalName,
 			Selector:     nil,
 		},
+		Status: corev1.ServiceStatus{
+			Conditions: proxyCreatedCondition(clock),
+		},
 	}
 	expectEqual(t, fc, want, nil)
 	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
@@ -280,6 +325,7 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 		t.Fatal(err)
 	}
 	tailnetTargetIP := "100.66.66.66"
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -290,6 +336,7 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -330,10 +377,6 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
 	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -348,6 +391,9 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 			Type:         corev1.ServiceTypeExternalName,
 			Selector:     nil,
 		},
+		Status: corev1.ServiceStatus{
+			Conditions: proxyCreatedCondition(clock),
+		},
 	}
 	expectEqual(t, fc, want, nil)
 	expectEqual(t, fc, expectedSecret(t, fc, o), nil)
@@ -389,6 +435,7 @@ func TestAnnotations(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -399,6 +446,7 @@ func TestAnnotations(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -437,10 +485,6 @@ func TestAnnotations(t *testing.T) {
 	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
 	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -454,6 +498,9 @@ func TestAnnotations(t *testing.T) {
 			ClusterIP: "10.20.30.40",
 			Type:      corev1.ServiceTypeClusterIP,
 		},
+		Status: corev1.ServiceStatus{
+			Conditions: proxyCreatedCondition(clock),
+		},
 	}
 	expectEqual(t, fc, want, nil)
 
@@ -473,10 +520,6 @@ func TestAnnotations(t *testing.T) {
 	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 	want = &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test",
 			Namespace: "default",
@@ -497,6 +540,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -507,6 +551,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -558,10 +603,6 @@ func TestAnnotationIntoLB(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -575,6 +616,9 @@ func TestAnnotationIntoLB(t *testing.T) {
 			ClusterIP: "10.20.30.40",
 			Type:      corev1.ServiceTypeClusterIP,
 		},
+		Status: corev1.ServiceStatus{
+			Conditions: proxyCreatedCondition(clock),
+		},
 	}
 	expectEqual(t, fc, want, nil)
 
@@ -592,10 +636,6 @@ func TestAnnotationIntoLB(t *testing.T) {
 	// ... but the service should have a LoadBalancer status.
 
 	want = &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -618,6 +658,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 					},
 				},
 			},
+			Conditions: proxyCreatedCondition(clock),
 		},
 	}
 	expectEqual(t, fc, want, nil)
@@ -630,6 +671,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -640,6 +682,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -689,10 +732,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -715,6 +754,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 					},
 				},
 			},
+			Conditions: proxyCreatedCondition(clock),
 		},
 	}
 	expectEqual(t, fc, want, nil)
@@ -740,10 +780,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 
 	want = &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -757,6 +793,9 @@ func TestLBIntoAnnotation(t *testing.T) {
 			ClusterIP: "10.20.30.40",
 			Type:      corev1.ServiceTypeClusterIP,
 		},
+		Status: corev1.ServiceStatus{
+			Conditions: proxyCreatedCondition(clock),
+		},
 	}
 	expectEqual(t, fc, want, nil)
 }
@@ -768,6 +807,7 @@ func TestCustomHostname(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -778,6 +818,7 @@ func TestCustomHostname(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -817,10 +858,6 @@ func TestCustomHostname(t *testing.T) {
 	expectEqual(t, fc, expectedHeadlessService(shortName, "svc"), nil)
 	expectEqual(t, fc, expectedSTS(t, fc, o), removeHashAnnotation)
 	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:       "test",
 			Namespace:  "default",
@@ -835,6 +872,9 @@ func TestCustomHostname(t *testing.T) {
 			ClusterIP: "10.20.30.40",
 			Type:      corev1.ServiceTypeClusterIP,
 		},
+		Status: corev1.ServiceStatus{
+			Conditions: proxyCreatedCondition(clock),
+		},
 	}
 	expectEqual(t, fc, want, nil)
 
@@ -854,10 +894,6 @@ func TestCustomHostname(t *testing.T) {
 	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 	want = &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test",
 			Namespace: "default",
@@ -881,6 +917,7 @@ func TestCustomPriorityClassName(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -892,6 +929,7 @@ func TestCustomPriorityClassName(t *testing.T) {
 			proxyPriorityClassName: "custom-priority-class-name",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -954,6 +992,7 @@ func TestProxyClassForService(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -964,6 +1003,7 @@ func TestProxyClassForService(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// 1. A new tailscale LoadBalancer Service is created without any
@@ -1012,9 +1052,9 @@ func TestProxyClassForService(t *testing.T) {
 	// applied to the proxy resources.
 	mustUpdateStatus(t, fc, "", "custom-metadata", func(pc *tsapi.ProxyClass) {
 		pc.Status = tsapi.ProxyClassStatus{
-			Conditions: []tsapi.ConnectorCondition{{
+			Conditions: []metav1.Condition{{
 				Status:             metav1.ConditionTrue,
-				Type:               tsapi.ProxyClassready,
+				Type:               string(tsapi.ProxyClassready),
 				ObservedGeneration: pc.Generation,
 			}}}
 	})
@@ -1041,6 +1081,7 @@ func TestDefaultLoadBalancer(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -1051,6 +1092,7 @@ func TestDefaultLoadBalancer(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger:                zl.Sugar(),
+		clock:                 clock,
 		isDefaultLoadBalancer: true,
 	}
 
@@ -1095,6 +1137,7 @@ func TestProxyFirewallMode(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -1106,6 +1149,7 @@ func TestProxyFirewallMode(t *testing.T) {
 			tsFirewallMode:    "nftables",
 		},
 		logger:                zl.Sugar(),
+		clock:                 clock,
 		isDefaultLoadBalancer: true,
 	}
 
@@ -1148,6 +1192,7 @@ func TestTailscaledConfigfileHash(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -1158,6 +1203,7 @@ func TestTailscaledConfigfileHash(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger:                zl.Sugar(),
+		clock:                 clock,
 		isDefaultLoadBalancer: true,
 	}
 
@@ -1439,6 +1485,7 @@ func Test_externalNameService(t *testing.T) {
 
 	// 1. A External name Service that should be exposed via Tailscale gets
 	// created.
+	clock := tstest.NewClock(tstest.ClockOpts{})
 	sr := &ServiceReconciler{
 		Client: fc,
 		ssr: &tailscaleSTSReconciler{
@@ -1449,6 +1496,7 @@ func Test_externalNameService(t *testing.T) {
 			proxyImage:        "tailscale/tailscale",
 		},
 		logger: zl.Sugar(),
+		clock:  clock,
 	}
 
 	// 1. Create an ExternalName Service that we should manage, and check that the initial round
@@ -1504,3 +1552,18 @@ func toFQDN(t *testing.T, s string) dnsname.FQDN {
 	}
 	return fqdn
 }
+
+func proxyCreatedCondition(clock tstime.Clock) []metav1.Condition {
+	return []metav1.Condition{{
+		Type:               string(tsapi.ProxyReady),
+		Status:             metav1.ConditionTrue,
+		ObservedGeneration: 0,
+		LastTransitionTime: conditionTime(clock),
+		Reason:             reasonProxyCreated,
+		Message:            reasonProxyCreated,
+	}}
+}
+
+func conditionTime(clock tstime.Clock) metav1.Time {
+	return metav1.NewTime(clock.Now().Truncate(time.Second))
+}

cmd/k8s-operator/proxy.go

@@ -11,16 +11,20 @@ import (
 	"log"
 	"net/http"
 	"net/http/httputil"
+	"net/netip"
 	"net/url"
 	"os"
 	"strings"
 
+	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
+	kubesessionrecording "tailscale.com/k8s-operator/sessionrecording"
 	tskube "tailscale.com/kube"
+	"tailscale.com/sessionrecording"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/util/clientmetric"
@@ -30,10 +34,26 @@ import (
 
 var whoIsKey = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
 
-var counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
+var (
+	// counterNumRequestsproxies counts the number of API server requests proxied via this proxy.
+	counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
+)
 
 type apiServerProxyMode int
 
+func (a apiServerProxyMode) String() string {
+	switch a {
+	case apiserverProxyModeDisabled:
+		return "disabled"
+	case apiserverProxyModeEnabled:
+		return "auth"
+	case apiserverProxyModeNoAuth:
+		return "noauth"
+	default:
+		return "unknown"
+	}
+}
+
 const (
 	apiserverProxyModeDisabled apiServerProxyMode = iota
 	apiserverProxyModeEnabled
@@ -97,26 +117,7 @@ func maybeLaunchAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config,
 	if err != nil {
 		startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
 	}
-	go runAPIServerProxy(s, rt, zlog.Named("apiserver-proxy"), mode)
-}
-
-// apiserverProxy is an http.Handler that authenticates requests using the Tailscale
-// LocalAPI and then proxies them to the Kubernetes API.
-type apiserverProxy struct {
-	log *zap.SugaredLogger
-	lc  *tailscale.LocalClient
-	rp  *httputil.ReverseProxy
-}
-
-func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	who, err := h.lc.WhoIs(r.Context(), r.RemoteAddr)
-	if err != nil {
-		h.log.Errorf("failed to authenticate caller: %v", err)
-		http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
-		return
-	}
-	counterNumRequestsProxied.Add(1)
-	h.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
+	go runAPIServerProxy(s, rt, zlog.Named("apiserver-proxy"), mode, restConfig.Host)
 }
 
 // runAPIServerProxy runs an HTTP server that authenticates requests using the
@@ -133,64 +134,42 @@ func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 //     are passed through to the Kubernetes API.
 //
 // It never returns.
-func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLogger, mode apiServerProxyMode) {
+func runAPIServerProxy(ts *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLogger, mode apiServerProxyMode, host string) {
 	if mode == apiserverProxyModeDisabled {
 		return
 	}
-	ln, err := s.Listen("tcp", ":443")
+	ln, err := ts.Listen("tcp", ":443")
 	if err != nil {
 		log.Fatalf("could not listen on :443: %v", err)
 	}
-	u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
+	u, err := url.Parse(host)
 	if err != nil {
 		log.Fatalf("runAPIServerProxy: failed to parse URL %v", err)
 	}
 
-	lc, err := s.LocalClient()
+	lc, err := ts.LocalClient()
 	if err != nil {
 		log.Fatalf("could not get local client: %v", err)
 	}
+
 	ap := &apiserverProxy{
-		log: log,
-		lc:  lc,
-		rp: &httputil.ReverseProxy{
-			Rewrite: func(r *httputil.ProxyRequest) {
-				// Replace the URL with the Kubernetes APIServer.
-
-				r.Out.URL.Scheme = u.Scheme
-				r.Out.URL.Host = u.Host
-				if mode == apiserverProxyModeNoAuth {
-					// If we are not providing authentication, then we are just
-					// proxying to the Kubernetes API, so we don't need to do
-					// anything else.
-					return
-				}
-
-				// We want to proxy to the Kubernetes API, but we want to use
-				// the caller's identity to do so. We do this by impersonating
-				// the caller using the Kubernetes User Impersonation feature:
-				// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
-
-				// Out of paranoia, remove all authentication headers that might
-				// have been set by the client.
-				r.Out.Header.Del("Authorization")
-				r.Out.Header.Del("Impersonate-Group")
-				r.Out.Header.Del("Impersonate-User")
-				r.Out.Header.Del("Impersonate-Uid")
-				for k := range r.Out.Header {
-					if strings.HasPrefix(k, "Impersonate-Extra-") {
-						r.Out.Header.Del(k)
-					}
-				}
-
-				// Now add the impersonation headers that we want.
-				if err := addImpersonationHeaders(r.Out, log); err != nil {
-					panic("failed to add impersonation headers: " + err.Error())
-				}
-			},
-			Transport: rt,
-		},
+		log:         log,
+		lc:          lc,
+		mode:        mode,
+		upstreamURL: u,
+		ts:          ts,
 	}
+	ap.rp = &httputil.ReverseProxy{
+		Rewrite: func(pr *httputil.ProxyRequest) {
+			ap.addImpersonationHeadersAsRequired(pr.Out)
+		},
+		Transport: rt,
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", ap.serveDefault)
+	mux.HandleFunc("/api/v1/namespaces/{namespace}/pods/{pod}/exec", ap.serveExec)
+
 	hs := &http.Server{
 		// Kubernetes uses SPDY for exec and port-forward, however SPDY is
 		// incompatible with HTTP/2; so disable HTTP/2 in the proxy.
@@ -199,14 +178,120 @@ func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLo
 			NextProtos:     []string{"http/1.1"},
 		},
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
-		Handler:      ap,
+		Handler:      mux,
 	}
-	log.Infof("listening on %s", ln.Addr())
+	log.Infof("API server proxy in %q mode is listening on %s", mode, ln.Addr())
 	if err := hs.ServeTLS(ln, "", ""); err != nil {
 		log.Fatalf("runAPIServerProxy: failed to serve %v", err)
 	}
 }
 
+// apiserverProxy is an [net/http.Handler] that authenticates requests using the Tailscale
+// LocalAPI and then proxies them to the Kubernetes API.
+type apiserverProxy struct {
+	log *zap.SugaredLogger
+	lc  *tailscale.LocalClient
+	rp  *httputil.ReverseProxy
+
+	mode        apiServerProxyMode
+	ts          *tsnet.Server
+	upstreamURL *url.URL
+}
+
+// serveDefault is the default handler for Kubernetes API server requests.
+func (ap *apiserverProxy) serveDefault(w http.ResponseWriter, r *http.Request) {
+	who, err := ap.whoIs(r)
+	if err != nil {
+		ap.authError(w, err)
+		return
+	}
+	counterNumRequestsProxied.Add(1)
+	ap.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
+}
+
+// serveExec serves 'kubectl exec' requests, optionally configuring the kubectl
+// exec sessions to be recorded.
+func (ap *apiserverProxy) serveExec(w http.ResponseWriter, r *http.Request) {
+	who, err := ap.whoIs(r)
+	if err != nil {
+		ap.authError(w, err)
+		return
+	}
+	counterNumRequestsProxied.Add(1)
+	failOpen, addrs, err := determineRecorderConfig(who)
+	if err != nil {
+		ap.log.Errorf("error trying to determine whether the 'kubectl exec' session needs to be recorded: %v", err)
+		return
+	}
+	if failOpen && len(addrs) == 0 { // will not record
+		ap.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
+		return
+	}
+	kubesessionrecording.CounterSessionRecordingsAttempted.Add(1) // at this point we know that users intended for this session to be recorded
+	if !failOpen && len(addrs) == 0 {
+		msg := "forbidden: 'kubectl exec' session must be recorded, but no recorders are available."
+		ap.log.Error(msg)
+		http.Error(w, msg, http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" || r.Header.Get("Upgrade") != "SPDY/3.1" {
+		msg := "'kubectl exec' session recording is configured, but the request is not over SPDY. Session recording is currently only supported for SPDY based clients"
+		if failOpen {
+			msg = msg + "; failure mode is 'fail open'; continuing session without recording."
+			ap.log.Warn(msg)
+			ap.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
+			return
+		}
+		ap.log.Error(msg)
+		msg += "; failure mode is 'fail closed'; closing connection."
+		http.Error(w, msg, http.StatusForbidden)
+		return
+	}
+	spdyH := kubesessionrecording.New(ap.ts, r, who, w, r.PathValue("pod"), r.PathValue("namespace"), kubesessionrecording.SPDYProtocol, addrs, failOpen, sessionrecording.ConnectToRecorder, ap.log)
+
+	ap.rp.ServeHTTP(spdyH, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
+}
+
+func (h *apiserverProxy) addImpersonationHeadersAsRequired(r *http.Request) {
+	r.URL.Scheme = h.upstreamURL.Scheme
+	r.URL.Host = h.upstreamURL.Host
+	if h.mode == apiserverProxyModeNoAuth {
+		// If we are not providing authentication, then we are just
+		// proxying to the Kubernetes API, so we don't need to do
+		// anything else.
+		return
+	}
+
+	// We want to proxy to the Kubernetes API, but we want to use
+	// the caller's identity to do so. We do this by impersonating
+	// the caller using the Kubernetes User Impersonation feature:
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
+
+	// Out of paranoia, remove all authentication headers that might
+	// have been set by the client.
+	r.Header.Del("Authorization")
+	r.Header.Del("Impersonate-Group")
+	r.Header.Del("Impersonate-User")
+	r.Header.Del("Impersonate-Uid")
+	for k := range r.Header {
+		if strings.HasPrefix(k, "Impersonate-Extra-") {
+			r.Header.Del(k)
+		}
+	}
+
+	// Now add the impersonation headers that we want.
+	if err := addImpersonationHeaders(r, h.log); err != nil {
+		log.Printf("failed to add impersonation headers: " + err.Error())
+	}
+}
+func (ap *apiserverProxy) whoIs(r *http.Request) (*apitype.WhoIsResponse, error) {
+	return ap.lc.WhoIs(r.Context(), r.RemoteAddr)
+}
+func (ap *apiserverProxy) authError(w http.ResponseWriter, err error) {
+	ap.log.Errorf("failed to authenticate caller: %v", err)
+	http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
+}
+
 const (
 	// oldCapabilityName is a legacy form of
 	// tailfcg.PeerCapabilityKubernetes capability. The only capability rule
@@ -266,3 +351,34 @@ func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
 	}
 	return nil
 }
+
+// determineRecorderConfig determines recorder config from requester's peer
+// capabilities. Determines whether a 'kubectl exec' session from this requester
+// needs to be recorded and what recorders the recording should be sent to.
+func determineRecorderConfig(who *apitype.WhoIsResponse) (failOpen bool, recorderAddresses []netip.AddrPort, _ error) {
+	if who == nil {
+		return false, nil, errors.New("[unexpected] cannot determine caller")
+	}
+	failOpen = true
+	rules, err := tailcfg.UnmarshalCapJSON[tskube.KubernetesCapRule](who.CapMap, tailcfg.PeerCapabilityKubernetes)
+	if err != nil {
+		return failOpen, nil, fmt.Errorf("failed to unmarshal Kubernetes capability: %w", err)
+	}
+	if len(rules) == 0 {
+		return failOpen, nil, nil
+	}
+
+	for _, rule := range rules {
+		if len(rule.RecorderAddrs) != 0 {
+			// TODO (irbekrm): here or later determine if the
+			// recorders behind those addrs are online - else we
+			// spend 30s trying to reach a recorder whose tailscale
+			// status is offline.
+			recorderAddresses = append(recorderAddresses, rule.RecorderAddrs...)
+		}
+		if rule.EnforceRecorder {
+			failOpen = false
+		}
+	}
+	return failOpen, recorderAddresses, nil
+}

cmd/k8s-operator/proxy_test.go

@@ -7,6 +7,8 @@ package main
 
 import (
 	"net/http"
+	"net/netip"
+	"reflect"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -126,3 +128,72 @@ func TestImpersonationHeaders(t *testing.T) {
 		}
 	}
 }
+
+func Test_determineRecorderConfig(t *testing.T) {
+	addr1, addr2 := netip.MustParseAddrPort("[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80"), netip.MustParseAddrPort("100.99.99.99:80")
+	tests := []struct {
+		name                  string
+		wantFailOpen          bool
+		wantRecorderAddresses []netip.AddrPort
+		who                   *apitype.WhoIsResponse
+	}{
+		{
+			name:                  "two_ips_fail_closed",
+			who:                   whoResp(map[string][]string{string(tailcfg.PeerCapabilityKubernetes): {`{"recorderAddrs":["[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80","100.99.99.99:80"],"enforceRecorder":true}`}}),
+			wantRecorderAddresses: []netip.AddrPort{addr1, addr2},
+		},
+		{
+			name:                  "two_ips_fail_open",
+			who:                   whoResp(map[string][]string{string(tailcfg.PeerCapabilityKubernetes): {`{"recorderAddrs":["[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80","100.99.99.99:80"]}`}}),
+			wantRecorderAddresses: []netip.AddrPort{addr1, addr2},
+			wantFailOpen:          true,
+		},
+		{
+			name:                  "odd_rule_combination_fail_closed",
+			who:                   whoResp(map[string][]string{string(tailcfg.PeerCapabilityKubernetes): {`{"recorderAddrs":["100.99.99.99:80"],"enforceRecorder":false}`, `{"recorderAddrs":["[fd7a:115c:a1e0:ab12:4843:cd96:626b:628b]:80"]}`, `{"enforceRecorder":true,"impersonate":{"groups":["system:masters"]}}`}}),
+			wantRecorderAddresses: []netip.AddrPort{addr2, addr1},
+		},
+		{
+			name:         "no_caps",
+			who:          whoResp(map[string][]string{}),
+			wantFailOpen: true,
+		},
+		{
+			name:         "no_recorder_caps",
+			who:          whoResp(map[string][]string{"foo": {`{"x":"y"}`}, string(tailcfg.PeerCapabilityKubernetes): {`{"impersonate":{"groups":["system:masters"]}}`}}),
+			wantFailOpen: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotFailOpen, gotRecorderAddresses, err := determineRecorderConfig(tt.who)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if gotFailOpen != tt.wantFailOpen {
+				t.Errorf("determineRecorderConfig() gotFailOpen = %v, want %v", gotFailOpen, tt.wantFailOpen)
+			}
+			if !reflect.DeepEqual(gotRecorderAddresses, tt.wantRecorderAddresses) {
+				t.Errorf("determineRecorderConfig() gotRecorderAddresses = %v, want %v", gotRecorderAddresses, tt.wantRecorderAddresses)
+			}
+		})
+	}
+}
+
+func whoResp(capMap map[string][]string) *apitype.WhoIsResponse {
+	resp := &apitype.WhoIsResponse{
+		CapMap: tailcfg.PeerCapMap{},
+	}
+	for cap, rules := range capMap {
+		resp.CapMap[tailcfg.PeerCapability(cap)] = raw(rules...)
+	}
+	return resp
+}
+
+func raw(in ...string) []tailcfg.RawMessage {
+	var out []tailcfg.RawMessage
+	for _, i := range in {
+		out = append(out, tailcfg.RawMessage(i))
+	}
+	return out
+}

cmd/k8s-operator/proxyclass.go

@@ -8,7 +8,9 @@ package main
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
+	"sync"
 
 	dockerref "github.com/distribution/reference"
 	"go.uber.org/zap"
@@ -18,6 +20,7 @@ import (
 	apivalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	metavalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -25,6 +28,8 @@ import (
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/tstime"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/set"
 )
 
 const (
@@ -41,8 +46,20 @@ type ProxyClassReconciler struct {
 	recorder record.EventRecorder
 	logger   *zap.SugaredLogger
 	clock    tstime.Clock
+
+	mu sync.Mutex // protects following
+
+	// managedProxyClasses is a set of all ProxyClass resources that we're currently
+	// managing. This is only used for metrics.
+	managedProxyClasses set.Slice[types.UID]
 }
 
+var (
+	// gaugeProxyClassResources tracks the number of ProxyClass resources
+	// that we're currently managing.
+	gaugeProxyClassResources = clientmetric.NewGauge("k8s_proxyclass_resources")
+)
+
 func (pcr *ProxyClassReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
 	logger := pcr.logger.With("ProxyClass", req.Name)
 	logger.Debugf("starting reconcile")
@@ -57,9 +74,26 @@ func (pcr *ProxyClassReconciler) Reconcile(ctx context.Context, req reconcile.Re
 		return reconcile.Result{}, fmt.Errorf("failed to get tailscale.com ProxyClass: %w", err)
 	}
 	if !pc.DeletionTimestamp.IsZero() {
-		logger.Debugf("ProxyClass is being deleted, do nothing")
-		return reconcile.Result{}, nil
+		logger.Debugf("ProxyClass is being deleted")
+		return reconcile.Result{}, pcr.maybeCleanup(ctx, logger, pc)
 	}
+
+	// Add a finalizer so that we can ensure that metrics get updated when
+	// this ProxyClass is deleted.
+	if !slices.Contains(pc.Finalizers, FinalizerName) {
+		logger.Debugf("updating ProxyClass finalizers")
+		pc.Finalizers = append(pc.Finalizers, FinalizerName)
+		if err := pcr.Update(ctx, pc); err != nil {
+			return res, fmt.Errorf("failed to add finalizer: %w", err)
+		}
+	}
+
+	// Ensure this ProxyClass is tracked in metrics.
+	pcr.mu.Lock()
+	pcr.managedProxyClasses.Add(pc.UID)
+	gaugeProxyClassResources.Set(int64(pcr.managedProxyClasses.Len()))
+	pcr.mu.Unlock()
+
 	oldPCStatus := pc.Status.DeepCopy()
 	if errs := pcr.validate(pc); errs != nil {
 		msg := fmt.Sprintf(messageProxyClassInvalid, errs.ToAggregate().Error())
@@ -77,7 +111,7 @@ func (pcr *ProxyClassReconciler) Reconcile(ctx context.Context, req reconcile.Re
 	return reconcile.Result{}, nil
 }
 
-func (a *ProxyClassReconciler) validate(pc *tsapi.ProxyClass) (violations field.ErrorList) {
+func (pcr *ProxyClassReconciler) validate(pc *tsapi.ProxyClass) (violations field.ErrorList) {
 	if sts := pc.Spec.StatefulSet; sts != nil {
 		if len(sts.Labels) > 0 {
 			if errs := metavalidation.ValidateLabels(sts.Labels, field.NewPath(".spec.statefulSet.labels")); errs != nil {
@@ -103,13 +137,13 @@ func (a *ProxyClassReconciler) validate(pc *tsapi.ProxyClass) (violations field.
 			if tc := pod.TailscaleContainer; tc != nil {
 				for _, e := range tc.Env {
 					if strings.HasPrefix(string(e.Name), "TS_") {
-						a.recorder.Event(pc, corev1.EventTypeWarning, reasonCustomTSEnvVar, fmt.Sprintf(messageCustomTSEnvVar, string(e.Name), "tailscale"))
+						pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonCustomTSEnvVar, fmt.Sprintf(messageCustomTSEnvVar, string(e.Name), "tailscale"))
 					}
 					if strings.EqualFold(string(e.Name), "EXPERIMENTAL_TS_CONFIGFILE_PATH") {
-						a.recorder.Event(pc, corev1.EventTypeWarning, reasonCustomTSEnvVar, fmt.Sprintf(messageCustomTSEnvVar, string(e.Name), "tailscale"))
+						pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonCustomTSEnvVar, fmt.Sprintf(messageCustomTSEnvVar, string(e.Name), "tailscale"))
 					}
 					if strings.EqualFold(string(e.Name), "EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS") {
-						a.recorder.Event(pc, corev1.EventTypeWarning, reasonCustomTSEnvVar, fmt.Sprintf(messageCustomTSEnvVar, string(e.Name), "tailscale"))
+						pcr.recorder.Event(pc, corev1.EventTypeWarning, reasonCustomTSEnvVar, fmt.Sprintf(messageCustomTSEnvVar, string(e.Name), "tailscale"))
 					}
 				}
 				if tc.Image != "" {
@@ -135,3 +169,27 @@ func (a *ProxyClassReconciler) validate(pc *tsapi.ProxyClass) (violations field.
 	// time.
 	return violations
 }
+
+// maybeCleanup removes tailscale.com finalizer and ensures that the ProxyClass
+// is no longer counted towards k8s_proxyclass_resources.
+func (pcr *ProxyClassReconciler) maybeCleanup(ctx context.Context, logger *zap.SugaredLogger, pc *tsapi.ProxyClass) error {
+	ix := slices.Index(pc.Finalizers, FinalizerName)
+	if ix < 0 {
+		logger.Debugf("no finalizer, nothing to do")
+		pcr.mu.Lock()
+		defer pcr.mu.Unlock()
+		pcr.managedProxyClasses.Remove(pc.UID)
+		gaugeProxyClassResources.Set(int64(pcr.managedProxyClasses.Len()))
+		return nil
+	}
+	pc.Finalizers = append(pc.Finalizers[:ix], pc.Finalizers[ix+1:]...)
+	if err := pcr.Update(ctx, pc); err != nil {
+		return fmt.Errorf("failed to remove finalizer: %w", err)
+	}
+	pcr.mu.Lock()
+	defer pcr.mu.Unlock()
+	pcr.managedProxyClasses.Remove(pc.UID)
+	gaugeProxyClassResources.Set(int64(pcr.managedProxyClasses.Len()))
+	logger.Infof("ProxyClass resources have been cleaned up")
+	return nil
+}

cmd/k8s-operator/proxyclass_test.go

@@ -29,7 +29,8 @@ func TestProxyClass(t *testing.T) {
 			// The apiserver is supposed to set the UID, but the fake client
 			// doesn't. So, set it explicitly because other code later depends
 			// on it being set.
-			UID: types.UID("1234-UID"),
+			UID:        types.UID("1234-UID"),
+			Finalizers: []string{"tailscale.com/finalizer"},
 		},
 		Spec: tsapi.ProxyClassSpec{
 			StatefulSet: &tsapi.StatefulSet{
@@ -67,12 +68,12 @@ func TestProxyClass(t *testing.T) {
 
 	// 1. A valid ProxyClass resource gets its status updated to Ready.
 	expectReconciled(t, pcr, "", "test")
-	pc.Status.Conditions = append(pc.Status.Conditions, tsapi.ConnectorCondition{
-		Type:               tsapi.ProxyClassready,
+	pc.Status.Conditions = append(pc.Status.Conditions, metav1.Condition{
+		Type:               string(tsapi.ProxyClassready),
 		Status:             metav1.ConditionTrue,
 		Reason:             reasonProxyClassValid,
 		Message:            reasonProxyClassValid,
-		LastTransitionTime: &metav1.Time{Time: cl.Now().Truncate(time.Second)},
+		LastTransitionTime: metav1.Time{Time: cl.Now().Truncate(time.Second)},
 	})
 
 	expectEqual(t, fc, pc, nil)

cmd/k8s-operator/sts.go

@@ -35,7 +35,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/ptr"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
 )
 
@@ -295,6 +294,7 @@ func (a *tailscaleSTSReconciler) reconcileHeadlessService(ctx context.Context, l
 			Selector: map[string]string{
 				"app": sts.ParentResourceUID,
 			},
+			IPFamilyPolicy: ptr.To(corev1.IPFamilyPolicyPreferDualStack),
 		},
 	}
 	logger.Debugf("reconciling headless service for StatefulSet")
@@ -406,8 +406,10 @@ func sanitizeConfigBytes(c ipn.ConfigVAlpha) string {
 	return string(sanitizedBytes)
 }
 
-// DeviceInfo returns the device ID and hostname for the Tailscale device
-// associated with the given labels.
+// DeviceInfo returns the device ID, hostname and IPs for the Tailscale device
+// that acts as an operator proxy. It retrieves info from a Kubernetes Secret
+// labeled with the provided labels.
+// Either of device ID, hostname and IPs can be empty string if not found in the Secret.
 func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map[string]string) (id tailcfg.StableNodeID, hostname string, ips []string, err error) {
 	sec, err := getSingleObject[corev1.Secret](ctx, a.Client, a.operatorNamespace, childLabels)
 	if err != nil {
@@ -424,7 +426,12 @@ func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map
 	// to remove it.
 	hostname = strings.TrimSuffix(string(sec.Data["device_fqdn"]), ".")
 	if hostname == "" {
-		return "", "", nil, nil
+		// Device ID gets stored and retrieved in a different flow than
+		// FQDN and IPs. A device that acts as Kubernetes operator
+		// proxy, but whose route setup has failed might have an device
+		// ID, but no FQDN/IPs. If so, return the ID, to allow the
+		// operator to clean up such devices.
+		return id, "", nil, nil
 	}
 	if rawDeviceIPs, ok := sec.Data["device_ips"]; ok {
 		if err := json.Unmarshal(rawDeviceIPs, &ips); err != nil {
@@ -940,14 +947,11 @@ func defaultEnv(envName, defVal string) string {
 	return v
 }
 
-func nameForService(svc *corev1.Service) (string, error) {
+func nameForService(svc *corev1.Service) string {
 	if h, ok := svc.Annotations[AnnotationHostname]; ok {
-		if err := dnsname.ValidLabel(h); err != nil {
-			return "", fmt.Errorf("invalid Tailscale hostname %q: %w", h, err)
-		}
-		return h, nil
+		return h
 	}
-	return svc.Namespace + "-" + svc.Name, nil
+	return svc.Namespace + "-" + svc.Name
 }
 
 func isValidFirewallMode(m string) bool {

cmd/k8s-operator/svc.go

@@ -7,6 +7,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/netip"
 	"slices"
@@ -15,7 +16,9 @@ import (
 
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -23,13 +26,20 @@ import (
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/net/dns/resolvconffile"
+	"tailscale.com/tstime"
 	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/util/set"
 )
 
 const (
 	resolvConfPath       = "/etc/resolv.conf"
 	defaultClusterDomain = "cluster.local"
+
+	reasonProxyCreated = "ProxyCreated"
+	reasonProxyInvalid = "ProxyInvalid"
+	reasonProxyFailed  = "ProxyFailed"
+	reasonProxyPending = "ProxyPending"
 )
 
 type ServiceReconciler struct {
@@ -50,6 +60,8 @@ type ServiceReconciler struct {
 	recorder record.EventRecorder
 
 	tsNamespace string
+
+	clock tstime.Clock
 }
 
 var (
@@ -76,6 +88,12 @@ func childResourceLabels(name, ns, typ string) map[string]string {
 	}
 }
 
+func (a *ServiceReconciler) isTailscaleService(svc *corev1.Service) bool {
+	targetIP := tailnetTargetAnnotation(svc)
+	targetFQDN := svc.Annotations[AnnotationTailnetTargetFQDN]
+	return a.shouldExpose(svc) || targetIP != "" || targetFQDN != ""
+}
+
 func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
 	logger := a.logger.With("service-ns", req.Namespace, "service-name", req.Name)
 	logger.Debugf("starting reconcile")
@@ -90,9 +108,8 @@ func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request
 	} else if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to get svc: %w", err)
 	}
-	targetIP := tailnetTargetAnnotation(svc)
-	targetFQDN := svc.Annotations[AnnotationTailnetTargetFQDN]
-	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) && targetIP == "" && targetFQDN == "" {
+
+	if !svc.DeletionTimestamp.IsZero() || !a.isTailscaleService(svc) {
 		logger.Debugf("service is being deleted or is (no longer) referring to Tailscale ingress/egress, ensuring any created resources are cleaned up")
 		return reconcile.Result{}, a.maybeCleanup(ctx, logger, svc)
 	}
@@ -104,7 +121,14 @@ func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request
 //
 // This function is responsible for removing the finalizer from the service,
 // once all associated resources are gone.
-func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
+func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) (err error) {
+	oldSvcStatus := svc.Status.DeepCopy()
+	defer func() {
+		if !apiequality.Semantic.DeepEqual(oldSvcStatus, svc.Status) {
+			// An error encountered here should get returned by the Reconcile function.
+			err = errors.Join(err, a.Client.Status().Update(ctx, svc))
+		}
+	}()
 	ix := slices.Index(svc.Finalizers, FinalizerName)
 	if ix < 0 {
 		logger.Debugf("no finalizer, nothing to do")
@@ -114,6 +138,10 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 		a.managedEgressProxies.Remove(svc.UID)
 		gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
 		gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
+
+		if !a.isTailscaleService(svc) {
+			tsoperator.RemoveServiceCondition(svc, tsapi.ProxyReady)
+		}
 		return nil
 	}
 
@@ -133,7 +161,7 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 	// exactly once at the very end of cleanup, because the final step of
 	// cleanup removes the tailscale finalizer, which will make all future
 	// reconciles exit early.
-	logger.Infof("unexposed service from tailnet")
+	logger.Infof("unexposed Service from tailnet")
 
 	a.mu.Lock()
 	defer a.mu.Unlock()
@@ -141,6 +169,10 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 	a.managedEgressProxies.Remove(svc.UID)
 	gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
 	gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
+
+	if !a.isTailscaleService(svc) {
+		tsoperator.RemoveServiceCondition(svc, tsapi.ProxyReady)
+	}
 	return nil
 }
 
@@ -149,7 +181,15 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 //
 // This function adds a finalizer to svc, ensuring that we can handle orderly
 // deprovisioning later.
-func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
+func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) (err error) {
+	oldSvcStatus := svc.Status.DeepCopy()
+	defer func() {
+		if !apiequality.Semantic.DeepEqual(oldSvcStatus, svc.Status) {
+			// An error encountered here should get returned by the Reconcile function.
+			err = errors.Join(err, a.Client.Status().Update(ctx, svc))
+		}
+	}()
+
 	// Run for proxy config related validations here as opposed to running
 	// them earlier. This is to prevent cleanup being blocked on a
 	// misconfigured proxy param.
@@ -157,30 +197,31 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		msg := fmt.Sprintf("unable to provision proxy resources: invalid config: %v", err)
 		a.recorder.Event(svc, corev1.EventTypeWarning, "INVALIDCONFIG", msg)
 		a.logger.Error(msg)
+		tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyInvalid, msg, a.clock, logger)
 		return nil
 	}
 	if violations := validateService(svc); len(violations) > 0 {
 		msg := fmt.Sprintf("unable to provision proxy resources: invalid Service: %s", strings.Join(violations, ", "))
 		a.recorder.Event(svc, corev1.EventTypeWarning, "INVALIDSERVICE", msg)
 		a.logger.Error(msg)
+		tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyInvalid, msg, a.clock, logger)
 		return nil
 	}
 
 	proxyClass := proxyClassForObject(svc)
 	if proxyClass != "" {
 		if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
-			return fmt.Errorf("error verifying ProxyClass for Service: %w", err)
+			errMsg := fmt.Errorf("error verifying ProxyClass for Service: %w", err)
+			tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyFailed, errMsg.Error(), a.clock, logger)
+			return errMsg
 		} else if !ready {
-			logger.Infof("ProxyClass %s specified for the Service, but is not (yet) Ready, waiting..", proxyClass)
+			msg := fmt.Sprintf("ProxyClass %s specified for the Service, but is not (yet) Ready, waiting..", proxyClass)
+			tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyPending, msg, a.clock, logger)
+			logger.Info(msg)
 			return nil
 		}
 	}
 
-	hostname, err := nameForService(svc)
-	if err != nil {
-		return err
-	}
-
 	if !slices.Contains(svc.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
@@ -189,7 +230,9 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		logger.Infof("exposing service over tailscale")
 		svc.Finalizers = append(svc.Finalizers, FinalizerName)
 		if err := a.Update(ctx, svc); err != nil {
-			return fmt.Errorf("failed to add finalizer: %w", err)
+			errMsg := fmt.Errorf("failed to add finalizer: %w", err)
+			tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyFailed, errMsg.Error(), a.clock, logger)
+			return errMsg
 		}
 	}
 	crl := childResourceLabels(svc.Name, svc.Namespace, "svc")
@@ -201,7 +244,7 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	sts := &tailscaleSTSConfig{
 		ParentResourceName:  svc.Name,
 		ParentResourceUID:   string(svc.UID),
-		Hostname:            hostname,
+		Hostname:            nameForService(svc),
 		Tags:                tags,
 		ChildResourceLabels: crl,
 		ProxyClassName:      proxyClass,
@@ -233,10 +276,12 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 
 	var hsvc *corev1.Service
 	if hsvc, err = a.ssr.Provision(ctx, logger, sts); err != nil {
-		return fmt.Errorf("failed to provision: %w", err)
+		errMsg := fmt.Errorf("failed to provision: %w", err)
+		tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyFailed, errMsg.Error(), a.clock, logger)
+		return errMsg
 	}
 
-	if sts.TailnetTargetIP != "" || sts.TailnetTargetFQDN != "" {
+	if sts.TailnetTargetIP != "" || sts.TailnetTargetFQDN != "" { // if an egress proxy
 		clusterDomain := retrieveClusterDomain(a.tsNamespace, logger)
 		headlessSvcName := hsvc.Name + "." + hsvc.Namespace + ".svc." + clusterDomain
 		if svc.Spec.ExternalName != headlessSvcName || svc.Spec.Type != corev1.ServiceTypeExternalName {
@@ -244,14 +289,18 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 			svc.Spec.Selector = nil
 			svc.Spec.Type = corev1.ServiceTypeExternalName
 			if err := a.Update(ctx, svc); err != nil {
-				return fmt.Errorf("failed to update service: %w", err)
+				errMsg := fmt.Errorf("failed to update service: %w", err)
+				tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyFailed, errMsg.Error(), a.clock, logger)
+				return errMsg
 			}
 		}
+		tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionTrue, reasonProxyCreated, reasonProxyCreated, a.clock, logger)
 		return nil
 	}
 
 	if !isTailscaleLoadBalancerService(svc, a.isDefaultLoadBalancer) {
 		logger.Debugf("service is not a LoadBalancer, so not updating ingress")
+		tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionTrue, reasonProxyCreated, reasonProxyCreated, a.clock, logger)
 		return nil
 	}
 
@@ -260,22 +309,23 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		return fmt.Errorf("failed to get device ID: %w", err)
 	}
 	if tsHost == "" {
-		logger.Debugf("no Tailscale hostname known yet, waiting for proxy pod to finish auth")
+		msg := "no Tailscale hostname known yet, waiting for proxy pod to finish auth"
+		logger.Debug(msg)
 		// No hostname yet. Wait for the proxy pod to auth.
 		svc.Status.LoadBalancer.Ingress = nil
-		if err := a.Status().Update(ctx, svc); err != nil {
-			return fmt.Errorf("failed to update service status: %w", err)
-		}
+		tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyPending, msg, a.clock, logger)
 		return nil
 	}
 
-	logger.Debugf("setting ingress to %q, %s", tsHost, strings.Join(tsIPs, ", "))
+	logger.Debugf("setting Service LoadBalancer status to %q, %s", tsHost, strings.Join(tsIPs, ", "))
 	ingress := []corev1.LoadBalancerIngress{
 		{Hostname: tsHost},
 	}
 	clusterIPAddr, err := netip.ParseAddr(svc.Spec.ClusterIP)
 	if err != nil {
-		return fmt.Errorf("failed to parse cluster IP: %w", err)
+		msg := fmt.Sprintf("failed to parse cluster IP: %v", err)
+		tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionFalse, reasonProxyFailed, msg, a.clock, logger)
+		return fmt.Errorf(msg)
 	}
 	for _, ip := range tsIPs {
 		addr, err := netip.ParseAddr(ip)
@@ -287,9 +337,7 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 		}
 	}
 	svc.Status.LoadBalancer.Ingress = ingress
-	if err := a.Status().Update(ctx, svc); err != nil {
-		return fmt.Errorf("failed to update service status: %w", err)
-	}
+	tsoperator.SetServiceCondition(svc, tsapi.ProxyReady, metav1.ConditionTrue, reasonProxyCreated, reasonProxyCreated, a.clock, logger)
 	return nil
 }
 
@@ -303,6 +351,14 @@ func validateService(svc *corev1.Service) []string {
 			violations = append(violations, fmt.Sprintf("invalid value of annotation %s: %q does not appear to be a valid MagicDNS name", AnnotationTailnetTargetFQDN, fqdn))
 		}
 	}
+	svcName := nameForService(svc)
+	if err := dnsname.ValidLabel(svcName); err != nil {
+		if _, ok := svc.Annotations[AnnotationHostname]; ok {
+			violations = append(violations, fmt.Sprintf("invalid Tailscale hostname specified %q: %s", svcName, err))
+		} else {
+			violations = append(violations, fmt.Sprintf("invalid Tailscale hostname %q, use %q annotation to override: %s", svcName, AnnotationHostname, err))
+		}
+	}
 	return violations
 }
 
@@ -334,7 +390,7 @@ func hasExposeAnnotation(svc *corev1.Service) bool {
 	return svc != nil && svc.Annotations[AnnotationExpose] == "true"
 }
 
-// hasTailnetTargetAnnotation returns the value of tailscale.com/tailnet-ip
+// tailnetTargetAnnotation returns the value of tailscale.com/tailnet-ip
 // annotation or of the deprecated tailscale.com/ts-tailnet-target-ip
 // annotation. If neither is set, it returns an empty string. If both are set,
 // it returns the value of the new annotation.

cmd/k8s-operator/testutils_test.go

@@ -304,10 +304,6 @@ func expectedSTSUserspace(t *testing.T, cl client.Client, opts configOpts) *apps
 
 func expectedHeadlessService(name string, parentType string) *corev1.Service {
 	return &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:         name,
 			GenerateName: "ts-test-",
@@ -323,7 +319,8 @@ func expectedHeadlessService(name string, parentType string) *corev1.Service {
 			Selector: map[string]string{
 				"app": "1234-UID",
 			},
-			ClusterIP: "None",
+			ClusterIP:      "None",
+			IPFamilyPolicy: ptr.To(corev1.IPFamilyPolicyPreferDualStack),
 		},
 	}
 }
@@ -331,10 +328,6 @@ func expectedHeadlessService(name string, parentType string) *corev1.Service {
 func expectedSecret(t *testing.T, cl client.Client, opts configOpts) *corev1.Secret {
 	t.Helper()
 	s := &corev1.Secret{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Secret",
-			APIVersion: "v1",
-		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      opts.secretName,
 			Namespace: "operator-ns",

cmd/natc/natc.go

@@ -448,7 +448,7 @@ func (c *connector) handleTCPFlow(src, dst netip.AddrPort) (handler func(net.Con
 // in --ignore-destinations
 func (c *connector) ignoreDestination(dstAddrs []netip.Addr) bool {
 	for _, a := range dstAddrs {
-		if _, ok := c.ignoreDsts.Get(a); ok {
+		if _, ok := c.ignoreDsts.Lookup(a); ok {
 			return true
 		}
 	}
@@ -489,7 +489,7 @@ type perPeerState struct {
 func (ps *perPeerState) domainForIP(ip netip.Addr) (_ string, ok bool) {
 	ps.mu.Lock()
 	defer ps.mu.Unlock()
-	return ps.addrToDomain.Get(ip)
+	return ps.addrToDomain.Lookup(ip)
 }
 
 // ipForDomain assigns a pair of unique IP addresses for the given domain and
@@ -515,7 +515,7 @@ func (ps *perPeerState) ipForDomain(domain string) ([]netip.Addr, error) {
 // domain.
 // ps.mu must be held.
 func (ps *perPeerState) isIPUsedLocked(ip netip.Addr) bool {
-	_, ok := ps.addrToDomain.Get(ip)
+	_, ok := ps.addrToDomain.Lookup(ip)
 	return ok
 }
 

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -46,6 +46,7 @@ var (
 	backendAddr  = flag.String("backend-addr", "", "Address of the Grafana server served over HTTP, in host:port format. Typically localhost:nnnn.")
 	tailscaleDir = flag.String("state-dir", "./", "Alternate directory to use for Tailscale state storage. If empty, a default is used.")
 	useHTTPS     = flag.Bool("use-https", false, "Serve over HTTPS via your *.ts.net subdomain if enabled in Tailscale admin.")
+	loginServer  = flag.String("login-server", "", "URL to alternative control server. If empty, the default Tailscale control is used.")
 )
 
 func main() {
@@ -57,8 +58,9 @@ func main() {
 		log.Fatal("missing --backend-addr")
 	}
 	ts := &tsnet.Server{
-		Dir:      *tailscaleDir,
-		Hostname: *hostname,
+		Dir:        *tailscaleDir,
+		Hostname:   *hostname,
+		ControlURL: *loginServer,
 	}
 
 	// TODO(bradfitz,maisem): move this to a method on tsnet.Server probably.

cmd/stunc/stunc.go

@@ -8,6 +8,7 @@ import (
 	"log"
 	"net"
 	"os"
+	"strconv"
 
 	"tailscale.com/net/stun"
 )
@@ -15,12 +16,20 @@ import (
 func main() {
 	log.SetFlags(0)
 
-	if len(os.Args) != 2 {
-		log.Fatalf("usage: %s <hostname>", os.Args[0])
+	if len(os.Args) < 2 || len(os.Args) > 3 {
+		log.Fatalf("usage: %s <hostname> [port]", os.Args[0])
 	}
 	host := os.Args[1]
+	port := "3478"
+	if len(os.Args) == 3 {
+		port = os.Args[2]
+	}
+	_, err := strconv.ParseUint(port, 10, 16)
+	if err != nil {
+		log.Fatalf("invalid port: %v", err)
+	}
 
-	uaddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(host, "3478"))
+	uaddr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(host, port))
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/stund/depaware.txt

@@ -2,6 +2,12 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
 
         github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
      💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
+        github.com/go-json-experiment/json                           from tailscale.com/types/opt
+        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/jsontext                  from github.com/go-json-experiment/json+
         github.com/google/uuid                                       from tailscale.com/util/fastuuid
      💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
         github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
@@ -59,7 +65,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         tailscale.com/types/lazy                                     from tailscale.com/version+
         tailscale.com/types/logger                                   from tailscale.com/tsweb
         tailscale.com/types/opt                                      from tailscale.com/envknob+
-        tailscale.com/types/ptr                                      from tailscale.com/tailcfg
+        tailscale.com/types/ptr                                      from tailscale.com/tailcfg+
         tailscale.com/types/structs                                  from tailscale.com/tailcfg+
         tailscale.com/types/tkatype                                  from tailscale.com/tailcfg+
         tailscale.com/types/views                                    from tailscale.com/net/tsaddr+
@@ -128,6 +134,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         embed                                                        from crypto/internal/nistec+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
+        encoding/base32                                              from github.com/go-json-experiment/json
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+

cmd/stunstamp/api.go

@@ -1,142 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"compress/gzip"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"net/url"
-	"strconv"
-	"strings"
-	"time"
-
-	sq "github.com/Masterminds/squirrel"
-)
-
-type api struct {
-	db  *db
-	mux *http.ServeMux
-}
-
-func newAPI(db *db) *api {
-	a := &api{
-		db: db,
-	}
-	mux := http.NewServeMux()
-	mux.HandleFunc("/query", a.query)
-	a.mux = mux
-	return a
-}
-
-type apiResult struct {
-	At         int    `json:"at"` // time.Time.Unix()
-	RegionID   int    `json:"regionID"`
-	Hostname   string `json:"hostname"`
-	Af         int    `json:"af"` // 4 or 6
-	Addr       string `json:"addr"`
-	Source     int    `json:"source"` // timestampSourceUserspace (0) or timestampSourceKernel (1)
-	StableConn bool   `json:"stableConn"`
-	DstPort    int    `json:"dstPort"`
-	RttNS      *int   `json:"rttNS"`
-}
-
-func getTimeBounds(vals url.Values) (from time.Time, to time.Time, err error) {
-	lastForm, ok := vals["last"]
-	if ok && len(lastForm) > 0 {
-		dur, err := time.ParseDuration(lastForm[0])
-		if err != nil {
-			return time.Time{}, time.Time{}, err
-		}
-		now := time.Now()
-		return now.Add(-dur), now, nil
-	}
-
-	fromForm, ok := vals["from"]
-	if ok && len(fromForm) > 0 {
-		fromUnixSec, err := strconv.Atoi(fromForm[0])
-		if err != nil {
-			return time.Time{}, time.Time{}, err
-		}
-		from = time.Unix(int64(fromUnixSec), 0)
-		toForm, ok := vals["to"]
-		if ok && len(toForm) > 0 {
-			toUnixSec, err := strconv.Atoi(toForm[0])
-			if err != nil {
-				return time.Time{}, time.Time{}, err
-			}
-			to = time.Unix(int64(toUnixSec), 0)
-		} else {
-			return time.Time{}, time.Time{}, errors.New("from specified without to")
-		}
-		return from, to, nil
-	}
-
-	// no time bounds specified, default to last 1h
-	now := time.Now()
-	return now.Add(-time.Hour), now, nil
-}
-
-func (a *api) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	a.mux.ServeHTTP(w, r)
-}
-
-func (a *api) query(w http.ResponseWriter, r *http.Request) {
-	err := r.ParseForm()
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-	from, to, err := getTimeBounds(r.Form)
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-
-	sb := sq.Select("at_unix", "region_id", "hostname", "af", "address", "timestamp_source", "stable_conn", "dst_port", "rtt_ns").From("rtt")
-	sb = sb.Where(sq.And{
-		sq.GtOrEq{"at_unix": from.Unix()},
-		sq.LtOrEq{"at_unix": to.Unix()},
-	})
-	query, args, err := sb.ToSql()
-	if err != nil {
-		return
-	}
-
-	rows, err := a.db.Query(query, args...)
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-	results := make([]apiResult, 0)
-	for rows.Next() {
-		rtt := 0
-		result := apiResult{
-			RttNS: &rtt,
-		}
-		err = rows.Scan(&result.At, &result.RegionID, &result.Hostname, &result.Af, &result.Addr, &result.Source, &result.StableConn, &result.DstPort, &result.RttNS)
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-			return
-		}
-		results = append(results, result)
-	}
-	if rows.Err() != nil {
-		http.Error(w, rows.Err().Error(), 500)
-		return
-	}
-	if strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
-		gz := gzip.NewWriter(w)
-		defer gz.Close()
-		w.Header().Set("Content-Encoding", "gzip")
-		err = json.NewEncoder(gz).Encode(&results)
-	} else {
-		err = json.NewEncoder(w).Encode(&results)
-	}
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-}

cmd/stunstamp/stunstamp.go

@@ -38,11 +38,8 @@ import (
 
 var (
 	flagDERPMap        = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map")
-	flagOut            = flag.String("out", "", "output sqlite filename")
 	flagInterval       = flag.Duration("interval", time.Minute, "interval to probe at in time.ParseDuration() format")
-	flagAPI            = flag.String("api", "", "listen addr for HTTP API")
 	flagIPv6           = flag.Bool("ipv6", false, "probe IPv6 addresses")
-	flagRetention      = flag.Duration("retention", time.Hour*24*7, "sqlite retention period in time.ParseDuration() format")
 	flagRemoteWriteURL = flag.String("rw-url", "", "prometheus remote write URL")
 	flagInstance       = flag.String("instance", "", "instance label value; defaults to hostname if unspecified")
 	flagDstPorts       = flag.String("dst-ports", "", "comma-separated list of destination ports to monitor")
@@ -63,10 +60,13 @@ func getDERPMap(ctx context.Context, url string) (*tailcfg.DERPMap, error) {
 		return nil, err
 	}
 	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("non-200 derp map resp: %d", resp.StatusCode)
+	}
 	dm := tailcfg.DERPMap{}
 	err = json.NewDecoder(resp.Body).Decode(&dm)
 	if err != nil {
-		return nil, nil
+		return nil, fmt.Errorf("failed to decode derp map resp: %v", err)
 	}
 	return &dm, nil
 }
@@ -89,13 +89,19 @@ func (t timestampSource) String() string {
 	}
 }
 
-type result struct {
-	at              time.Time
+// resultKey contains the stable dimensions and their values for a given
+// timeseries, i.e. not time and not rtt/timeout.
+type resultKey struct {
 	meta            nodeMeta
 	timestampSource timestampSource
 	connStability   connStability
 	dstPort         int
-	rtt             *time.Duration // nil signifies failure, e.g. timeout
+}
+
+type result struct {
+	key resultKey
+	at  time.Time
+	rtt *time.Duration // nil signifies failure, e.g. timeout
 }
 
 func measureRTT(conn io.ReadWriteCloser, dst *net.UDPAddr) (rtt time.Duration, err error) {
@@ -149,6 +155,10 @@ type nodeMeta struct {
 
 type measureFn func(conn io.ReadWriteCloser, dst *net.UDPAddr) (rtt time.Duration, err error)
 
+// probe measures STUN round trip time for the node described by meta over
+// conn against dstPort. It may return a nil duration and nil error if the
+// STUN request timed out. A non-nil error indicates an unrecoverable or
+// non-temporary error.
 func probe(meta nodeMeta, conn io.ReadWriteCloser, fn measureFn, dstPort int) (*time.Duration, error) {
 	ua := &net.UDPAddr{
 		IP:   net.IP(meta.addr.AsSlice()),
@@ -162,10 +172,15 @@ func probe(meta nodeMeta, conn io.ReadWriteCloser, fn measureFn, dstPort int) (*
 			log.Printf("temp error measuring RTT to %s(%s): %v", meta.hostname, ua.String(), err)
 			return nil, nil
 		}
+		return nil, err
 	}
 	return &rtt, nil
 }
 
+// nodeMetaFromDERPMap parses the provided DERP map in order to update nodeMeta
+// in the provided nodeMetaByAddr. It returns a slice of nodeMeta containing
+// the nodes that are no longer seen in the DERP map, but were previously held
+// in nodeMetaByAddr.
 func nodeMetaFromDERPMap(dm *tailcfg.DERPMap, nodeMetaByAddr map[netip.Addr]nodeMeta, ipv6 bool) (stale []nodeMeta, err error) {
 	// Parse the new derp map before making any state changes in nodeMetaByAddr.
 	// If parse fails we just stick with the old state.
@@ -271,10 +286,12 @@ func probeNodes(nodeMetaByAddr map[netip.Addr]nodeMeta, stableConns map[netip.Ad
 	doProbe := func(conn io.ReadWriteCloser, meta nodeMeta, source timestampSource, dstPort int) {
 		defer wg.Done()
 		r := result{
-			at:              at,
-			meta:            meta,
-			timestampSource: source,
-			dstPort:         dstPort,
+			key: resultKey{
+				meta:            meta,
+				timestampSource: source,
+				dstPort:         dstPort,
+			},
+			at: at,
 		}
 		if conn == nil {
 			var err error
@@ -293,7 +310,7 @@ func probeNodes(nodeMetaByAddr map[netip.Addr]nodeMeta, stableConns map[netip.Ad
 			}
 			defer conn.Close()
 		} else {
-			r.connStability = stableConn
+			r.key.connStability = stableConn
 		}
 		fn := measureRTT
 		if source == timestampSourceKernel {
@@ -373,7 +390,12 @@ const (
 	stableConn   connStability = true
 )
 
-func timeSeriesLabels(meta nodeMeta, instance string, source timestampSource, stability connStability, dstPort int) []prompb.Label {
+const (
+	rttMetricName      = "stunstamp_derp_stun_rtt_ns"
+	timeoutsMetricName = "stunstamp_derp_stun_timeouts_total"
+)
+
+func timeSeriesLabels(metricName string, meta nodeMeta, instance string, source timestampSource, stability connStability, dstPort int) []prompb.Label {
 	addressFamily := "ipv4"
 	if meta.addr.Is6() {
 		addressFamily = "ipv6"
@@ -409,7 +431,7 @@ func timeSeriesLabels(meta nodeMeta, instance string, source timestampSource, st
 	})
 	labels = append(labels, prompb.Label{
 		Name:  "__name__",
-		Value: "stunstamp_derp_stun_rtt_ns",
+		Value: metricName,
 	})
 	labels = append(labels, prompb.Label{
 		Name:  "timestamp_source",
@@ -443,20 +465,36 @@ func staleMarkersFromNodeMeta(stale []nodeMeta, instance string, dstPorts []int)
 				},
 			}
 			staleMarkers = append(staleMarkers, prompb.TimeSeries{
-				Labels:  timeSeriesLabels(s, instance, timestampSourceUserspace, unstableConn, dstPort),
+				Labels:  timeSeriesLabels(rttMetricName, s, instance, timestampSourceUserspace, unstableConn, dstPort),
 				Samples: samples,
 			})
 			staleMarkers = append(staleMarkers, prompb.TimeSeries{
-				Labels:  timeSeriesLabels(s, instance, timestampSourceUserspace, stableConn, dstPort),
+				Labels:  timeSeriesLabels(rttMetricName, s, instance, timestampSourceUserspace, stableConn, dstPort),
+				Samples: samples,
+			})
+			staleMarkers = append(staleMarkers, prompb.TimeSeries{
+				Labels:  timeSeriesLabels(timeoutsMetricName, s, instance, timestampSourceUserspace, unstableConn, dstPort),
+				Samples: samples,
+			})
+			staleMarkers = append(staleMarkers, prompb.TimeSeries{
+				Labels:  timeSeriesLabels(timeoutsMetricName, s, instance, timestampSourceUserspace, stableConn, dstPort),
 				Samples: samples,
 			})
 			if supportsKernelTS() {
 				staleMarkers = append(staleMarkers, prompb.TimeSeries{
-					Labels:  timeSeriesLabels(s, instance, timestampSourceKernel, unstableConn, dstPort),
+					Labels:  timeSeriesLabels(rttMetricName, s, instance, timestampSourceKernel, unstableConn, dstPort),
 					Samples: samples,
 				})
 				staleMarkers = append(staleMarkers, prompb.TimeSeries{
-					Labels:  timeSeriesLabels(s, instance, timestampSourceKernel, stableConn, dstPort),
+					Labels:  timeSeriesLabels(rttMetricName, s, instance, timestampSourceKernel, stableConn, dstPort),
+					Samples: samples,
+				})
+				staleMarkers = append(staleMarkers, prompb.TimeSeries{
+					Labels:  timeSeriesLabels(timeoutsMetricName, s, instance, timestampSourceKernel, unstableConn, dstPort),
+					Samples: samples,
+				})
+				staleMarkers = append(staleMarkers, prompb.TimeSeries{
+					Labels:  timeSeriesLabels(timeoutsMetricName, s, instance, timestampSourceKernel, stableConn, dstPort),
 					Samples: samples,
 				})
 			}
@@ -465,25 +503,47 @@ func staleMarkersFromNodeMeta(stale []nodeMeta, instance string, dstPorts []int)
 	return staleMarkers
 }
 
-func resultToPromTimeSeries(r result, instance string) prompb.TimeSeries {
-	labels := timeSeriesLabels(r.meta, instance, r.timestampSource, r.connStability, r.dstPort)
-	samples := make([]prompb.Sample, 1)
-	samples[0].Timestamp = r.at.UnixMilli()
-	if r.rtt != nil {
-		samples[0].Value = float64(*r.rtt)
-	} else {
-		samples[0].Value = math.NaN()
-		// TODO: timeout counter
+// resultsToPromTimeSeries returns a slice of prometheus TimeSeries for the
+// provided results and instance. timeouts is updated based on results, i.e.
+// all result.key's are added to timeouts if they do not exist, and removed
+// from timeouts if they are not present in results.
+func resultsToPromTimeSeries(results []result, instance string, timeouts map[resultKey]uint64) []prompb.TimeSeries {
+	all := make([]prompb.TimeSeries, 0, len(results)*2)
+	seenKeys := make(map[resultKey]bool)
+	for _, r := range results {
+		timeoutsCount := timeouts[r.key] // a non-existent key will return a zero val
+		seenKeys[r.key] = true
+		rttLabels := timeSeriesLabels(rttMetricName, r.key.meta, instance, r.key.timestampSource, r.key.connStability, r.key.dstPort)
+		rttSamples := make([]prompb.Sample, 1)
+		rttSamples[0].Timestamp = r.at.UnixMilli()
+		if r.rtt != nil {
+			rttSamples[0].Value = float64(*r.rtt)
+		} else {
+			rttSamples[0].Value = math.NaN()
+			timeoutsCount++
+		}
+		rttTS := prompb.TimeSeries{
+			Labels:  rttLabels,
+			Samples: rttSamples,
+		}
+		all = append(all, rttTS)
+		timeouts[r.key] = timeoutsCount
+		timeoutsLabels := timeSeriesLabels(timeoutsMetricName, r.key.meta, instance, r.key.timestampSource, r.key.connStability, r.key.dstPort)
+		timeoutsSamples := make([]prompb.Sample, 1)
+		timeoutsSamples[0].Timestamp = r.at.UnixMilli()
+		timeoutsSamples[0].Value = float64(timeoutsCount)
+		timeoutsTS := prompb.TimeSeries{
+			Labels:  timeoutsLabels,
+			Samples: timeoutsSamples,
+		}
+		all = append(all, timeoutsTS)
 	}
-	ts := prompb.TimeSeries{
-		Labels:  labels,
-		Samples: samples,
+	for k := range timeouts {
+		if !seenKeys[k] {
+			delete(timeouts, k)
+		}
 	}
-	slices.SortFunc(ts.Labels, func(a, b prompb.Label) int {
-		// prometheus remote-write spec requires lexicographically sorted label names
-		return cmp.Compare(a.Name, b.Name)
-	})
-	return ts
+	return all
 }
 
 type remoteWriteClient struct {
@@ -579,15 +639,9 @@ func main() {
 	if len(*flagDERPMap) < 1 {
 		log.Fatal("derp-map flag is unset")
 	}
-	if len(*flagOut) < 1 {
-		log.Fatal("out flag is unset")
-	}
 	if *flagInterval < minInterval || *flagInterval > maxBufferDuration {
 		log.Fatalf("interval must be >= %s and <= %s", minInterval, maxBufferDuration)
 	}
-	if *flagRetention < *flagInterval {
-		log.Fatal("retention must be >= interval")
-	}
 	if len(*flagRemoteWriteURL) < 1 {
 		log.Fatal("rw-url flag is unset")
 	}
@@ -633,49 +687,6 @@ func main() {
 		}
 	}
 
-	db, err := newDB(*flagOut)
-	if err != nil {
-		log.Fatalf("error opening output file for writing: %v", err)
-	}
-	defer db.Close()
-
-	_, err = db.Exec("PRAGMA journal_mode=WAL")
-	if err != nil {
-		log.Fatalf("error enabling WAL mode: %v", err)
-	}
-
-	// No indices or primary key. Keep it simple for now. Reads will be full
-	// scans. We can AUTOINCREMENT rowid in the future and hold an in-memory
-	// index to at_unix if needed as reads are almost always going to be
-	// time-bound (e.g. WHERE at_unix >= ?). At the time of authorship we have
-	// ~300 data points per-interval w/o ipv6 w/kernel timestamping resulting
-	// in ~2.6m rows in 24h w/a 10s probe interval.
-	_, err = db.Exec(`
-CREATE TABLE IF NOT EXISTS rtt(at_unix INT, region_id INT, hostname TEXT, af INT, address TEXT, timestamp_source INT, stable_conn INT, dst_port INT, rtt_ns INT)
-`)
-	if err != nil {
-		log.Fatalf("error initializing db: %v", err)
-	}
-
-	wg := sync.WaitGroup{}
-	httpErrCh := make(chan error, 1)
-	var httpServer *http.Server
-	if len(*flagAPI) > 0 {
-		api := newAPI(db)
-		httpServer = &http.Server{
-			Addr:         *flagAPI,
-			Handler:      api,
-			ReadTimeout:  time.Second * 60,
-			WriteTimeout: time.Second * 60,
-		}
-		wg.Add(1)
-		go func() {
-			err := httpServer.ListenAndServe()
-			httpErrCh <- err
-			wg.Done()
-		}()
-	}
-
 	tsCh := make(chan []prompb.TimeSeries, maxBufferDuration / *flagInterval)
 	remoteWriteDoneCh := make(chan struct{})
 	rwc := newRemoteWriteClient(*flagRemoteWriteURL)
@@ -685,9 +696,6 @@ CREATE TABLE IF NOT EXISTS rtt(at_unix INT, region_id INT, hostname TEXT, af INT
 	}()
 
 	shutdown := func() {
-		if httpServer != nil {
-			httpServer.Close()
-		}
 		close(tsCh)
 		select {
 		case <-time.After(time.Second * 10): // give goroutine some time to flush
@@ -706,7 +714,6 @@ CREATE TABLE IF NOT EXISTS rtt(at_unix INT, region_id INT, hostname TEXT, af INT
 			cancel()
 		}
 
-		wg.Wait()
 		return
 	}
 
@@ -719,24 +726,17 @@ CREATE TABLE IF NOT EXISTS rtt(at_unix INT, region_id INT, hostname TEXT, af INT
 	// comes into play.
 	stableConns := make(map[netip.Addr]map[int][2]io.ReadWriteCloser)
 
+	// timeouts holds counts of timeout events. Values are persisted for the
+	// lifetime of the related node in the DERP map.
+	timeouts := make(map[resultKey]uint64)
+
 	derpMapTicker := time.NewTicker(time.Minute * 5)
 	defer derpMapTicker.Stop()
 	probeTicker := time.NewTicker(*flagInterval)
 	defer probeTicker.Stop()
-	cleanupTicker := time.NewTicker(time.Hour)
-	defer cleanupTicker.Stop()
 
 	for {
 		select {
-		case <-cleanupTicker.C:
-			older := time.Now().Add(-*flagRetention)
-			log.Printf("cleaning up measurements older than %v", older)
-			_, err := db.Exec("DELETE FROM rtt WHERE at_unix < ?", older.Unix())
-			if err != nil {
-				log.Printf("error cleaning up old data: %v", err)
-				shutdown()
-				return
-			}
 		case <-probeTicker.C:
 			results, err := probeNodes(nodeMetaByAddr, stableConns, dstPorts)
 			if err != nil {
@@ -744,10 +744,7 @@ CREATE TABLE IF NOT EXISTS rtt(at_unix INT, region_id INT, hostname TEXT, af INT
 				shutdown()
 				return
 			}
-			ts := make([]prompb.TimeSeries, 0, len(results))
-			for _, r := range results {
-				ts = append(ts, resultToPromTimeSeries(r, *flagInstance))
-			}
+			ts := resultsToPromTimeSeries(results, *flagInstance, timeouts)
 			select {
 			case tsCh <- ts:
 			default:
@@ -758,32 +755,6 @@ CREATE TABLE IF NOT EXISTS rtt(at_unix INT, region_id INT, hostname TEXT, af INT
 					tsCh <- ts
 				}
 			}
-			tx, err := db.Begin()
-			if err != nil {
-				log.Printf("error beginning sqlite tx: %v", err)
-				shutdown()
-				return
-			}
-			for _, result := range results {
-				af := 4
-				if result.meta.addr.Is6() {
-					af = 6
-				}
-				_, err = tx.Exec("INSERT INTO rtt(at_unix, region_id, hostname, af, address, timestamp_source, stable_conn, dst_port, rtt_ns) VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?)",
-					result.at.Unix(), result.meta.regionID, result.meta.hostname, af, result.meta.addr.String(), result.timestampSource, result.connStability, result.dstPort, result.rtt)
-				if err != nil {
-					tx.Rollback()
-					log.Printf("error adding result to tx: %v", err)
-					shutdown()
-					return
-				}
-			}
-			err = tx.Commit()
-			if err != nil {
-				log.Printf("error committing tx: %v", err)
-				shutdown()
-				return
-			}
 		case dm := <-dmCh:
 			staleMeta, err := nodeMetaFromDERPMap(dm, nodeMetaByAddr, *flagIPv6)
 			if err != nil {
@@ -813,10 +784,6 @@ CREATE TABLE IF NOT EXISTS rtt(at_unix INT, region_id INT, hostname TEXT, af INT
 					dmCh <- updatedDM
 				}
 			}()
-		case err := <-httpErrCh:
-			log.Printf("http server error: %v", err)
-			shutdown()
-			return
 		case <-sigCh:
 			shutdown()
 			return

cmd/stunstamp/stunstamp_db_default.go

@@ -1,26 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !(windows && 386)
-
-package main
-
-import (
-	"database/sql"
-
-	_ "modernc.org/sqlite"
-)
-
-type db struct {
-	*sql.DB
-}
-
-func newDB(path string) (*db, error) {
-	d, err := sql.Open("sqlite", *flagOut)
-	if err != nil {
-		return nil, err
-	}
-	return &db{
-		DB: d,
-	}, nil
-}

cmd/stunstamp/stunstamp_db_windows_386.go

@@ -1,17 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"database/sql"
-	"errors"
-)
-
-type db struct {
-	*sql.DB
-}
-
-func newDB(path string) (*db, error) {
-	return nil, errors.New("unsupported platform")
-}

cmd/tailscale/cli/cert.go

@@ -16,6 +16,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"software.sslmate.com/src/go-pkcs12"
@@ -34,14 +35,16 @@ var certCmd = &ffcli.Command{
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
 		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
+		fs.DurationVar(&certArgs.minValidity, "min-validity", 0, "ensure the certificate is valid for at least this duration; the output certificate is never expired if this flag is unset or 0, but the lifetime may vary; the maximum allowed min-validity depends on the CA")
 		return fs
 	})(),
 }
 
 var certArgs struct {
-	certFile string
-	keyFile  string
-	serve    bool
+	certFile    string
+	keyFile     string
+	serve       bool
+	minValidity time.Duration
 }
 
 func runCert(ctx context.Context, args []string) error {
@@ -102,7 +105,7 @@ func runCert(ctx context.Context, args []string) error {
 		certArgs.certFile = domain + ".crt"
 		certArgs.keyFile = domain + ".key"
 	}
-	certPEM, keyPEM, err := localClient.CertPair(ctx, domain)
+	certPEM, keyPEM, err := localClient.CertPairWithValidity(ctx, domain, certArgs.minValidity)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/cli.go

@@ -7,6 +7,7 @@ package cli
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
@@ -159,8 +160,10 @@ func newRootCmd() *ffcli.Command {
 		return nil
 	})
 	rootfs.Lookup("socket").DefValue = localClient.Socket
+	jsonDocs := rootfs.Bool("json-docs", false, hidden+"print JSON-encoded docs for all subcommands and flags")
 
-	rootCmd := &ffcli.Command{
+	var rootCmd *ffcli.Command
+	rootCmd = &ffcli.Command{
 		Name:       "tailscale",
 		ShortUsage: "tailscale [flags] <subcommand> [command flags]",
 		ShortHelp:  "The easiest, most secure way to use WireGuard.",
@@ -202,6 +205,9 @@ change in the future.
 		},
 		FlagSet: rootfs,
 		Exec: func(ctx context.Context, args []string) error {
+			if *jsonDocs {
+				return printJSONDocs(rootCmd)
+			}
 			if len(args) > 0 {
 				return fmt.Errorf("tailscale: unknown subcommand: %s", args[0])
 			}
@@ -401,3 +407,54 @@ func colorableOutput() (w io.Writer, ok bool) {
 	}
 	return colorable.NewColorableStdout(), true
 }
+
+type commandDoc struct {
+	Name        string
+	Desc        string
+	Subcommands []commandDoc `json:",omitempty"`
+	Flags       []flagDoc    `json:",omitempty"`
+}
+
+type flagDoc struct {
+	Name string
+	Desc string
+}
+
+func printJSONDocs(root *ffcli.Command) error {
+	docs := jsonDocsWalk(root)
+	return json.NewEncoder(os.Stdout).Encode(docs)
+}
+
+func jsonDocsWalk(cmd *ffcli.Command) *commandDoc {
+	res := &commandDoc{
+		Name: cmd.Name,
+	}
+	if cmd.LongHelp != "" {
+		res.Desc = cmd.LongHelp
+	} else if cmd.ShortHelp != "" {
+		res.Desc = cmd.ShortHelp
+	} else {
+		res.Desc = cmd.ShortUsage
+	}
+	if strings.HasPrefix(res.Desc, hidden) {
+		return nil
+	}
+	if cmd.FlagSet != nil {
+		cmd.FlagSet.VisitAll(func(f *flag.Flag) {
+			if strings.HasPrefix(f.Usage, hidden) {
+				return
+			}
+			res.Flags = append(res.Flags, flagDoc{
+				Name: f.Name,
+				Desc: f.Usage,
+			})
+		})
+	}
+	for _, sub := range cmd.Subcommands {
+		subj := jsonDocsWalk(sub)
+		if subj != nil {
+			res.Subcommands = append(res.Subcommands, *subj)
+		}
+	}
+	return res
+}

cmd/tailscale/cli/debug.go

@@ -28,10 +28,12 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/net/http/httpproxy"
+	"golang.org/x/net/http2"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
+	"tailscale.com/internal/noiseconn"
 	"tailscale.com/ipn"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tshttpproxy"
@@ -801,7 +803,10 @@ func runTS2021(ctx context.Context, args []string) error {
 		log.Printf("Dial(%q, %q) ...", network, address)
 		c, err := dialer.DialContext(ctx, network, address)
 		if err != nil {
-			log.Printf("Dial(%q, %q) = %v", network, address, err)
+			// skip logging context cancellation errors
+			if !errors.Is(err, context.Canceled) {
+				log.Printf("Dial(%q, %q) = %v", network, address, err)
+			}
 		} else {
 			log.Printf("Dial(%q, %q) = %v / %v", network, address, c.LocalAddr(), c.RemoteAddr())
 		}
@@ -834,6 +839,52 @@ func runTS2021(ctx context.Context, args []string) error {
 	}
 
 	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
+
+	h2Transport, err := http2.ConfigureTransports(&http.Transport{
+		IdleConnTimeout: time.Second,
+	})
+	if err != nil {
+		return fmt.Errorf("http2.ConfigureTransports: %w", err)
+	}
+
+	// Now, create a Noise conn over the existing conn.
+	nc, err := noiseconn.New(conn.Conn, h2Transport, 0, nil)
+	if err != nil {
+		return fmt.Errorf("noiseconn.New: %w", err)
+	}
+	defer nc.Close()
+
+	// Reserve a RoundTrip for the whoami request.
+	ok, _, err := nc.ReserveNewRequest(ctx)
+	if err != nil {
+		return fmt.Errorf("ReserveNewRequest: %w", err)
+	}
+	if !ok {
+		return errors.New("ReserveNewRequest failed")
+	}
+
+	// Make a /whoami request to the server to verify that we can actually
+	// communicate over the newly-established connection.
+	whoamiURL := "http://" + ts2021Args.host + "/machine/whoami"
+	req, err = http.NewRequestWithContext(ctx, "GET", whoamiURL, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := nc.RoundTrip(req)
+	if err != nil {
+		return fmt.Errorf("RoundTrip whoami request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		log.Printf("whoami request returned status %v", resp.Status)
+	} else {
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return fmt.Errorf("reading whoami response: %w", err)
+		}
+		log.Printf("whoami response: %q", body)
+	}
 	return nil
 }
 

cmd/tailscale/cli/drive.go

@@ -6,6 +6,7 @@ package cli
 import (
 	"context"
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
@@ -66,9 +67,14 @@ func runDriveShare(ctx context.Context, args []string) error {
 
 	name, path := args[0], args[1]
 
-	err := localClient.DriveShareSet(ctx, &drive.Share{
+	absolutePath, err := filepath.Abs(path)
+	if err != nil {
+		return err
+	}
+
+	err = localClient.DriveShareSet(ctx, &drive.Share{
 		Name: name,
-		Path: path,
+		Path: absolutePath,
 	})
 	if err == nil {
 		fmt.Printf("Sharing %q as %q\n", path, name)

cmd/tailscale/cli/exitnode.go

@@ -13,6 +13,7 @@ import (
 	"strings"
 	"text/tabwriter"
 
+	"github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	xmaps "golang.org/x/exp/maps"
 	"tailscale.com/envknob"
@@ -136,6 +137,7 @@ func runExitNodeList(ctx context.Context, args []string) error {
 	}
 	fmt.Fprintln(w)
 	fmt.Fprintln(w)
+	fmt.Fprintln(w, "# To view the complete list of exit nodes for a country, use `tailscale exit-node list --filter=` followed by the country name.")
 	fmt.Fprintln(w, "# To use an exit node, use `tailscale set --exit-node=` followed by the hostname or IP.")
 	if hasAnyExitNodeSuggestions(peers) {
 		fmt.Fprintln(w, "# To have Tailscale suggest an exit node, use `tailscale exit-node suggest`.")
@@ -154,7 +156,7 @@ func runExitNodeSuggest(ctx context.Context, args []string) error {
 		fmt.Println("No exit node suggestion is available.")
 		return nil
 	}
-	fmt.Printf("Suggested exit node: %v\nTo accept this suggestion, use `tailscale set --exit-node=%v`.\n", res.Name, res.ID)
+	fmt.Printf("Suggested exit node: %v\nTo accept this suggestion, use `tailscale set --exit-node=%v`.\n", res.Name, shellquote.Join(res.Name))
 	return nil
 }
 
@@ -229,7 +231,7 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 	for _, ps := range peers {
 		loc := cmp.Or(ps.Location, noLocation)
 
-		if filterBy != "" && loc.Country != filterBy {
+		if filterBy != "" && !strings.EqualFold(loc.Country, filterBy) {
 			continue
 		}
 
@@ -269,9 +271,14 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 			countryAnyPeer = append(countryAnyPeer, city.Peers...)
 			var reducedCityPeers []*ipnstate.PeerStatus
 			for i, peer := range city.Peers {
+				if filterBy != "" {
+					// If the peers are being filtered, we return all peers to the user.
+					reducedCityPeers = append(reducedCityPeers, city.Peers...)
+					break
+				}
+				// If the peers are not being filtered, we only return the highest priority peer and any peer that
+				// is currently the active exit node.
 				if i == 0 || peer.ExitNode {
-					// We only return the highest priority peer and any peer that
-					// is currently the active exit node.
 					reducedCityPeers = append(reducedCityPeers, peer)
 				}
 			}

cmd/tailscale/cli/exitnode_test.go

@@ -219,7 +219,7 @@ func TestFilterFormatAndSortExitNodes(t *testing.T) {
 						{
 							Name: "Rainier",
 							Peers: []*ipnstate.PeerStatus{
-								ps[2],
+								ps[2], ps[3],
 							},
 						},
 					},

cmd/tailscale/cli/ffcomplete/internal/complete.go

@@ -1,6 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
+// Package internal contains internal code for the ffcomplete package.
 package internal
 
 import (

cmd/tailscale/cli/netcheck.go

@@ -52,9 +52,15 @@ func runNetcheck(ctx context.Context, args []string) error {
 	if err != nil {
 		return err
 	}
+
+	// Ensure that we close the portmapper after running a netcheck; this
+	// will release any port mappings created.
+	pm := portmapper.NewClient(logf, netMon, nil, nil, nil)
+	defer pm.Close()
+
 	c := &netcheck.Client{
 		NetMon:      netMon,
-		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil, nil),
+		PortMapper:  pm,
 		UseDNSCache: false, // always resolve, don't cache
 	}
 	if netcheckArgs.verbose {
@@ -78,9 +84,13 @@ func runNetcheck(ctx context.Context, args []string) error {
 		log.Printf("No DERP map from tailscaled; using default.")
 	}
 	if err != nil || noRegions {
-		hc := &http.Client{Transport: tlsdial.NewTransport()}
+		hc := &http.Client{
+			Transport: tlsdial.NewTransport(),
+			Timeout:   10 * time.Second,
+		}
 		dm, err = prodDERPMap(ctx, hc)
 		if err != nil {
+			log.Println("Failed to fetch a DERP map, so netcheck cannot continue. Check your Internet connection.")
 			return err
 		}
 	}
@@ -209,6 +219,7 @@ func portMapping(r *netcheck.Report) string {
 }
 
 func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, error) {
+	log.Printf("attempting to fetch a DERPMap from %s", ipn.DefaultControlURL)
 	req, err := http.NewRequestWithContext(ctx, "GET", ipn.DefaultControlURL+"/derpmap/default", nil)
 	if err != nil {
 		return nil, fmt.Errorf("create prodDERPMap request: %w", err)

cmd/tailscale/cli/network-lock.go

@@ -789,7 +789,7 @@ func runNetworkLockRevokeKeys(ctx context.Context, args []string) error {
 		}
 
 		fmt.Printf(`Run the following command on another machine with a trusted tailnet lock key:
-	%s lock recover-compromised-key --cosign %X
+	%s lock revoke-keys --cosign %X
 `, os.Args[0], aumBytes)
 		return nil
 	}
@@ -813,10 +813,10 @@ func runNetworkLockRevokeKeys(ctx context.Context, args []string) error {
 		fmt.Printf(`Co-signing completed successfully.
 
 To accumulate an additional signature, run the following command on another machine with a trusted tailnet lock key:
-	%s lock recover-compromised-key --cosign %X
+	%s lock revoke-keys --cosign %X
 
 Alternatively if you are done with co-signing, complete recovery by running the following command:
-	%s lock recover-compromised-key --finish %X
+	%s lock revoke-keys --finish %X
 `, os.Args[0], aumBytes, os.Args[0], aumBytes)
 	}
 

cmd/tailscale/cli/serve_v2_test.go

@@ -74,7 +74,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 					Web: map[ipn.HostPort]*ipn.WebServerConfig{
 						"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-							"/": {Proxy: "http://127.0.0.1:3000"},
+							"/": {Proxy: "http://localhost:3000"},
 						}},
 					},
 					AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
@@ -89,7 +89,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 					Web: map[ipn.HostPort]*ipn.WebServerConfig{
 						"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-							"/": {Proxy: "http://127.0.0.1:3000"},
+							"/": {Proxy: "http://localhost:3000"},
 						}},
 					},
 				},
@@ -103,7 +103,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 					Web: map[ipn.HostPort]*ipn.WebServerConfig{
 						"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-							"/": {Proxy: "http://127.0.0.1:3000"},
+							"/": {Proxy: "http://localhost:3000"},
 						}},
 					},
 				},
@@ -117,7 +117,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
 					Web: map[ipn.HostPort]*ipn.WebServerConfig{
 						"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-							"/": {Proxy: "http://127.0.0.1:3000"},
+							"/": {Proxy: "http://localhost:3000"},
 						}},
 					},
 				},
@@ -131,7 +131,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					TCP: map[uint16]*ipn.TCPPortHandler{8443: {HTTPS: true}},
 					Web: map[ipn.HostPort]*ipn.WebServerConfig{
 						"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-							"/": {Proxy: "http://127.0.0.1:3000"},
+							"/": {Proxy: "http://localhost:3000"},
 						}},
 					},
 				},
@@ -146,7 +146,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -157,10 +157,10 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 9999: {HTTP: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-								"/abc": {Proxy: "http://127.0.0.1:3001"},
+								"/abc": {Proxy: "http://localhost:3001"},
 							}},
 						},
 					},
@@ -171,7 +171,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -182,7 +182,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 8080: {HTTP: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:8080": {Handlers: map[string]*ipn.HTTPHandler{
 								"/abc": {Proxy: "http://127.0.0.1:3001"},
@@ -236,7 +236,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -247,10 +247,10 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 9999: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-								"/abc": {Proxy: "http://127.0.0.1:3001"},
+								"/abc": {Proxy: "http://localhost:3001"},
 							}},
 						},
 					},
@@ -261,7 +261,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -272,7 +272,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
 								"/abc": {Proxy: "http://127.0.0.1:3001"},
@@ -361,7 +361,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/foo": {Proxy: "http://127.0.0.1:3000"},
+								"/foo": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -372,10 +372,10 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/foo": {Proxy: "http://127.0.0.1:3000"},
+								"/foo": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/foo": {Proxy: "http://127.0.0.1:3000"},
+								"/foo": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -439,7 +439,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					want: &ipn.ServeConfig{
 						TCP: map[uint16]*ipn.TCPPortHandler{
 							443: {
-								TCPForward:   "127.0.0.1:5432",
+								TCPForward:   "localhost:5432",
 								TerminateTLS: "foo.test.ts.net",
 							},
 						},
@@ -466,7 +466,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					want: &ipn.ServeConfig{
 						TCP: map[uint16]*ipn.TCPPortHandler{
 							443: {
-								TCPForward:   "127.0.0.1:123",
+								TCPForward:   "localhost:123",
 								TerminateTLS: "foo.test.ts.net",
 							},
 						},
@@ -560,7 +560,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -572,7 +572,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -584,10 +584,10 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/bar": {Proxy: "http://127.0.0.1:3001"},
+								"/bar": {Proxy: "http://localhost:3001"},
 							}},
 						},
 					},
@@ -599,10 +599,10 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/bar": {Proxy: "http://127.0.0.1:3001"},
+								"/bar": {Proxy: "http://localhost:3001"},
 							}},
 						},
 					},
@@ -614,10 +614,10 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 							"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/bar": {Proxy: "http://127.0.0.1:3001"},
+								"/bar": {Proxy: "http://localhost:3001"},
 							}},
 						},
 					},
@@ -628,7 +628,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -636,10 +636,10 @@ func TestServeDevConfigMutations(t *testing.T) {
 				{ // start a tcp forwarder on 8443
 					command: cmd("serve --bg --tcp=8443 tcp://localhost:5432"),
 					want: &ipn.ServeConfig{
-						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {TCPForward: "127.0.0.1:5432"}},
+						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {TCPForward: "localhost:5432"}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -647,7 +647,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 				{ // remove primary port http handler
 					command: cmd("serve off"),
 					want: &ipn.ServeConfig{
-						TCP: map[uint16]*ipn.TCPPortHandler{8443: {TCPForward: "127.0.0.1:5432"}},
+						TCP: map[uint16]*ipn.TCPPortHandler{8443: {TCPForward: "localhost:5432"}},
 					},
 				},
 				{ // remove tcp forwarder
@@ -717,7 +717,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 					want: &ipn.ServeConfig{
 						TCP: map[uint16]*ipn.TCPPortHandler{
 							443: {
-								TCPForward:   "127.0.0.1:5432",
+								TCPForward:   "localhost:5432",
 								TerminateTLS: "foo.test.ts.net",
 							},
 						},
@@ -738,7 +738,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -758,7 +758,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{4545: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:4545": {Handlers: map[string]*ipn.HTTPHandler{
-								"/foo": {Proxy: "http://127.0.0.1:3000"},
+								"/foo": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -769,8 +769,8 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{4545: {HTTPS: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:4545": {Handlers: map[string]*ipn.HTTPHandler{
-								"/foo": {Proxy: "http://127.0.0.1:3000"},
-								"/bar": {Proxy: "http://127.0.0.1:3000"},
+								"/foo": {Proxy: "http://localhost:3000"},
+								"/bar": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},
@@ -800,7 +800,7 @@ func TestServeDevConfigMutations(t *testing.T) {
 						TCP: map[uint16]*ipn.TCPPortHandler{3000: {HTTP: true}},
 						Web: map[ipn.HostPort]*ipn.WebServerConfig{
 							"foo.test.ts.net:3000": {Handlers: map[string]*ipn.HTTPHandler{
-								"/": {Proxy: "http://127.0.0.1:3000"},
+								"/": {Proxy: "http://localhost:3000"},
 							}},
 						},
 					},

cmd/tailscale/cli/set.go

@@ -210,6 +210,9 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 		}
 	}
 	if maskedPrefs.AutoUpdateSet.ApplySet {
+		if !clientupdate.CanAutoUpdate() {
+			return errors.New("automatic updates are not supported on this platform")
+		}
 		// On macsys, tailscaled will set the Sparkle auto-update setting. It
 		// does not use clientupdate.
 		if version.IsMacSysExt() {
@@ -221,10 +224,6 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 			if err != nil {
 				return fmt.Errorf("failed to enable automatic updates: %v, %q", err, out)
 			}
-		} else {
-			if !clientupdate.CanAutoUpdate() {
-				return errors.New("automatic updates are not supported on this platform")
-			}
 		}
 	}
 	checkPrefs := curPrefs.Clone()

cmd/tailscale/cli/update.go

@@ -33,11 +33,13 @@ var updateCmd = &ffcli.Command{
 		//  - Alpine (and other apk-based distros)
 		//  - FreeBSD (and other pkg-based distros)
 		//  - Unraid/QNAP/Synology
+		//  - macOS
 		if distro.Get() != distro.Arch &&
 			distro.Get() != distro.Alpine &&
 			distro.Get() != distro.QNAP &&
 			distro.Get() != distro.Synology &&
-			runtime.GOOS != "freebsd" {
+			runtime.GOOS != "freebsd" &&
+			runtime.GOOS != "darwin" {
 			fs.StringVar(&updateArgs.track, "track", "", `which track to check for updates: "stable" or "unstable" (dev); empty means same as current`)
 			fs.StringVar(&updateArgs.version, "version", "", `explicit version to update/downgrade to`)
 		}

cmd/tailscale/cli/whois.go

@@ -26,12 +26,14 @@ var whoisCmd = &ffcli.Command{
 	FlagSet: func() *flag.FlagSet {
 		fs := newFlagSet("whois")
 		fs.BoolVar(&whoIsArgs.json, "json", false, "output in JSON format")
+		fs.StringVar(&whoIsArgs.proto, "proto", "", `protocol; one of "tcp" or "udp"; empty mans both `)
 		return fs
 	}(),
 }
 
 var whoIsArgs struct {
-	json bool // output in JSON format
+	json  bool   // output in JSON format
+	proto string // "tcp" or "udp"
 }
 
 func runWhoIs(ctx context.Context, args []string) error {
@@ -40,7 +42,7 @@ func runWhoIs(ctx context.Context, args []string) error {
 	} else if len(args) == 0 {
 		return errors.New("missing argument, expected one peer")
 	}
-	who, err := localClient.WhoIs(ctx, args[0])
+	who, err := localClient.WhoIsProto(ctx, whoIsArgs.proto, args[0])
 	if err != nil {
 		return err
 	}

cmd/tailscale/depaware.txt

@@ -9,6 +9,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/pe+
    W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/winutil/authenticode
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
+        github.com/go-json-experiment/json                           from tailscale.com/types/opt
+        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json+
+        github.com/go-json-experiment/json/jsontext                  from github.com/go-json-experiment/json+
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
    L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
    L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
@@ -57,7 +63,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
         github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
      💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/net/tsaddr+
+        go4.org/netipx                                               from tailscale.com/net/tsaddr
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/netmon+
         k8s.io/client-go/util/homedir                                from tailscale.com/cmd/tailscale/cli
         nhooyr.io/websocket                                          from tailscale.com/control/controlhttp+
@@ -78,7 +84,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
         tailscale.com/cmd/tailscale/cli/ffcomplete                   from tailscale.com/cmd/tailscale/cli
         tailscale.com/cmd/tailscale/cli/ffcomplete/internal          from tailscale.com/cmd/tailscale/cli/ffcomplete
-        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp
+        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp+
         tailscale.com/control/controlhttp                            from tailscale.com/cmd/tailscale/cli
         tailscale.com/control/controlknobs                           from tailscale.com/net/portmapper
         tailscale.com/derp                                           from tailscale.com/derp/derphttp
@@ -89,22 +95,24 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/health                                         from tailscale.com/net/tlsdial+
         tailscale.com/health/healthmsg                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
+        tailscale.com/internal/noiseconn                             from tailscale.com/cmd/tailscale/cli
         tailscale.com/ipn                                            from tailscale.com/client/tailscale+
         tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
         tailscale.com/licenses                                       from tailscale.com/client/web+
         tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/net/captivedetection                           from tailscale.com/net/netcheck
         tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
         tailscale.com/net/dnscache                                   from tailscale.com/control/controlhttp+
-        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
-        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
+        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp+
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet
         tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
         tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
      💣 tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
+     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/capture+
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/capture
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
@@ -120,7 +128,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
         tailscale.com/tempfork/spf13/cobra                           from tailscale.com/cmd/tailscale/cli/ffcomplete+
         tailscale.com/tka                                            from tailscale.com/client/tailscale+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon
+   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
         tailscale.com/tstime                                         from tailscale.com/control/controlhttp+
         tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
         tailscale.com/tstime/rate                                    from tailscale.com/cmd/tailscale/cli+
@@ -164,11 +172,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
      💣 tailscale.com/util/winutil                                   from tailscale.com/clientupdate+
    W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/clientupdate
-   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo
+   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/client/web+
         tailscale.com/version/distro                                 from tailscale.com/client/web+
         tailscale.com/wgengine/capture                               from tailscale.com/cmd/tailscale/cli
-        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
+        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap
         golang.org/x/crypto/argon2                                   from tailscale.com/tka
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
         golang.org/x/crypto/blake2s                                  from tailscale.com/clientupdate/distsign+
@@ -188,7 +196,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http+
         golang.org/x/net/http/httpproxy                              from net/http+
-        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/http2                                       from tailscale.com/cmd/tailscale/cli+
+        golang.org/x/net/http2/hpack                                 from net/http+
         golang.org/x/net/icmp                                        from tailscale.com/net/ping
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
         golang.org/x/net/ipv4                                        from github.com/miekg/dns+

cmd/tailscale/tailscale_test.go

@@ -17,6 +17,10 @@ func TestDeps(t *testing.T) {
 			"gvisor.dev/gvisor/pkg/cpuid":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip/header": "https://github.com/tailscale/tailscale/issues/9756",
+			"tailscale.com/wgengine/filter":      "brings in bart, etc",
+			"github.com/bits-and-blooms/bitset":  "unneeded in CLI",
+			"github.com/gaissmai/bart":           "unneeded in CLI",
+			"tailscale.com/net/ipset":            "unneeded in CLI",
 		},
 	}.Check(t)
 }

cmd/tailscaled/depaware.txt

@@ -90,11 +90,12 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 github.com/djherbis/times                                    from tailscale.com/drive/driveimpl
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/gaissmai/bart                                     from tailscale.com/net/tstun+
+        github.com/go-json-experiment/json                           from tailscale.com/types/opt
         github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json/internal/jsonflags+
         github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json/internal/jsonopts+
-        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json/jsontext
-        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json/jsontext
-        github.com/go-json-experiment/json/jsontext                  from tailscale.com/logtail
+        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json/jsontext+
+        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json/jsontext+
+        github.com/go-json-experiment/json/jsontext                  from tailscale.com/logtail+
    W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
    W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
    L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
@@ -211,7 +212,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
         gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/stack+
-        gvisor.dev/gvisor/pkg/tcpip/link/channel                     from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
         gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -221,6 +221,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
      💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/stack/gro                        from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
         gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
@@ -245,7 +246,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/clientupdate                                   from tailscale.com/client/web+
         tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
         tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/cmd/tailscaled+
-        tailscale.com/control/controlbase                            from tailscale.com/control/controlclient+
+        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp+
         tailscale.com/control/controlclient                          from tailscale.com/cmd/tailscaled+
         tailscale.com/control/controlhttp                            from tailscale.com/control/controlclient
         tailscale.com/control/controlknobs                           from tailscale.com/control/controlclient+
@@ -265,6 +266,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
+        tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
         tailscale.com/ipn                                            from tailscale.com/client/tailscale+
         tailscale.com/ipn/conffile                                   from tailscale.com/cmd/tailscaled+
      💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
@@ -286,6 +288,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
         tailscale.com/logtail/filch                                  from tailscale.com/log/sockstatlog+
         tailscale.com/metrics                                        from tailscale.com/derp+
+        tailscale.com/net/captivedetection                           from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
         tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
         tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns+
@@ -295,13 +298,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
         tailscale.com/net/dnsfallback                                from tailscale.com/cmd/tailscaled+
         tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
+        tailscale.com/net/ipset                                      from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock+
         tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
         tailscale.com/net/netkernelconf                              from tailscale.com/ipn/ipnlocal
         tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
      💣 tailscale.com/net/netmon                                     from tailscale.com/cmd/tailscaled+
-        tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
    W 💣 tailscale.com/net/netstat                                    from tailscale.com/portlist
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
         tailscale.com/net/packet                                     from tailscale.com/net/connstats+
@@ -326,6 +330,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/posture                                        from tailscale.com/ipn/ipnlocal
         tailscale.com/proxymap                                       from tailscale.com/tsd+
      💣 tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
+  LD    tailscale.com/sessionrecording                               from tailscale.com/ssh/tailssh
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
         tailscale.com/syncs                                          from tailscale.com/cmd/tailscaled+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
@@ -333,7 +338,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
         tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
         tailscale.com/tka                                            from tailscale.com/client/tailscale+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon
+   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
         tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
         tailscale.com/tstime                                         from tailscale.com/control/controlclient+
         tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -399,8 +404,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
      💣 tailscale.com/util/winutil                                   from tailscale.com/clientupdate+
    W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/clientupdate+
+   W 💣 tailscale.com/util/winutil/gp                                from tailscale.com/net/dns
    W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
-   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo
+   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
         tailscale.com/util/zstdframe                                 from tailscale.com/control/controlclient+
         tailscale.com/version                                        from tailscale.com/client/web+
         tailscale.com/version/distro                                 from tailscale.com/client/web+
@@ -408,6 +414,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap+
      💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
         tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled

cmd/tailscaled/tailscaled.go

@@ -394,7 +394,7 @@ func run() (err error) {
 	// Always clean up, even if we're going to run the server. This covers cases
 	// such as when a system was rebooted without shutting down, or tailscaled
 	// crashed, and would for example restore system DNS configuration.
-	dns.CleanUp(logf, netMon, args.tunname)
+	dns.CleanUp(logf, netMon, sys.HealthTracker(), args.tunname)
 	router.CleanUp(logf, netMon, args.tunname)
 	// If the cleanUp flag was passed, then exit.
 	if args.cleanUp {
@@ -698,7 +698,7 @@ func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack boo
 			// configuration being unavailable (from the noop
 			// manager). More in Issue 4017.
 			// TODO(bradfitz): add a Synology-specific DNS manager.
-			conf.DNS, err = dns.NewOSConfigurator(logf, sys.HealthTracker(), "") // empty interface name
+			conf.DNS, err = dns.NewOSConfigurator(logf, sys.HealthTracker(), sys.ControlKnobs(), "") // empty interface name
 			if err != nil {
 				return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 			}
@@ -726,7 +726,7 @@ func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack boo
 			return false, fmt.Errorf("creating router: %w", err)
 		}
 
-		d, err := dns.NewOSConfigurator(logf, sys.HealthTracker(), devName)
+		d, err := dns.NewOSConfigurator(logf, sys.HealthTracker(), sys.ControlKnobs(), devName)
 		if err != nil {
 			dev.Close()
 			r.Close()

cmd/viewer/tests/tests.go

@@ -7,9 +7,13 @@ package tests
 import (
 	"fmt"
 	"net/netip"
+
+	"golang.org/x/exp/constraints"
+	"tailscale.com/types/ptr"
+	"tailscale.com/types/views"
 )
 
-//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded --clone-only-type=OnlyGetClone
+//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded,GenericIntStruct,GenericNoPtrsStruct,GenericCloneableStruct,StructWithContainers --clone-only-type=OnlyGetClone
 
 type StructWithoutPtrs struct {
 	Int int
@@ -25,12 +29,12 @@ type Map struct {
 	SlicesWithPtrs      map[string][]*StructWithPtrs
 	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
 	StructWithoutPtrKey map[StructWithoutPtrs]int `json:"-"`
+	StructWithPtr       map[string]StructWithPtrs
 
 	// Unsupported views.
 	SliceIntPtr      map[string][]*int
 	PointerKey       map[*string]int        `json:"-"`
 	StructWithPtrKey map[StructWithPtrs]int `json:"-"`
-	StructWithPtr    map[string]StructWithPtrs
 }
 
 type StructWithPtrs struct {
@@ -50,12 +54,14 @@ type StructWithSlices struct {
 	Values         []StructWithoutPtrs
 	ValuePointers  []*StructWithoutPtrs
 	StructPointers []*StructWithPtrs
-	Structs        []StructWithPtrs
-	Ints           []*int
 
 	Slice    []string
 	Prefixes []netip.Prefix
 	Data     []byte
+
+	// Unsupported views.
+	Structs []StructWithPtrs
+	Ints    []*int
 }
 
 type OnlyGetClone struct {
@@ -66,3 +72,93 @@ type StructWithEmbedded struct {
 	A *StructWithPtrs
 	StructWithSlices
 }
+
+type GenericIntStruct[T constraints.Integer] struct {
+	Value   T
+	Pointer *T
+	Slice   []T
+	Map     map[string]T
+
+	// Unsupported views.
+	PtrSlice    []*T
+	PtrKeyMap   map[*T]string `json:"-"`
+	PtrValueMap map[string]*T
+	SliceMap    map[string][]T
+}
+
+type BasicType interface {
+	~bool | constraints.Integer | constraints.Float | constraints.Complex | ~string
+}
+
+type GenericNoPtrsStruct[T StructWithoutPtrs | netip.Prefix | BasicType] struct {
+	Value   T
+	Pointer *T
+	Slice   []T
+	Map     map[string]T
+
+	// Unsupported views.
+	PtrSlice    []*T
+	PtrKeyMap   map[*T]string `json:"-"`
+	PtrValueMap map[string]*T
+	SliceMap    map[string][]T
+}
+
+type GenericCloneableStruct[T views.ViewCloner[T, V], V views.StructView[T]] struct {
+	Value T
+	Slice []T
+	Map   map[string]T
+
+	// Unsupported views.
+	Pointer     *T
+	PtrSlice    []*T
+	PtrKeyMap   map[*T]string `json:"-"`
+	PtrValueMap map[string]*T
+	SliceMap    map[string][]T
+}
+
+// Container is a pre-defined container type, such as a collection, an optional
+// value or a generic wrapper.
+type Container[T any] struct {
+	Item T
+}
+
+func (c *Container[T]) Clone() *Container[T] {
+	if c == nil {
+		return nil
+	}
+	if cloner, ok := any(c.Item).(views.Cloner[T]); ok {
+		return &Container[T]{cloner.Clone()}
+	}
+	if !views.ContainsPointers[T]() {
+		return ptr.To(*c)
+	}
+	panic(fmt.Errorf("%T contains pointers, but is not cloneable", c.Item))
+}
+
+// ContainerView is a pre-defined readonly view of a Container[T].
+type ContainerView[T views.ViewCloner[T, V], V views.StructView[T]] struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Container[T]
+}
+
+func (cv ContainerView[T, V]) Item() V {
+	return cv.ж.Item.View()
+}
+
+func ContainerViewOf[T views.ViewCloner[T, V], V views.StructView[T]](c *Container[T]) ContainerView[T, V] {
+	return ContainerView[T, V]{c}
+}
+
+type GenericBasicStruct[T BasicType] struct {
+	Value T
+}
+
+type StructWithContainers struct {
+	IntContainer             Container[int]
+	CloneableContainer       Container[*StructWithPtrs]
+	BasicGenericContainer    Container[GenericBasicStruct[int]]
+	ClonableGenericContainer Container[*GenericNoPtrsStruct[int]]
+}

cmd/viewer/tests/tests_clone.go

@@ -9,7 +9,9 @@ import (
 	"maps"
 	"net/netip"
 
+	"golang.org/x/exp/constraints"
 	"tailscale.com/types/ptr"
+	"tailscale.com/types/views"
 )
 
 // Clone makes a deep copy of StructWithPtrs.
@@ -71,13 +73,21 @@ func (src *Map) Clone() *Map {
 	if dst.StructPtrWithPtr != nil {
 		dst.StructPtrWithPtr = map[string]*StructWithPtrs{}
 		for k, v := range src.StructPtrWithPtr {
-			dst.StructPtrWithPtr[k] = v.Clone()
+			if v == nil {
+				dst.StructPtrWithPtr[k] = nil
+			} else {
+				dst.StructPtrWithPtr[k] = v.Clone()
+			}
 		}
 	}
 	if dst.StructPtrWithoutPtr != nil {
 		dst.StructPtrWithoutPtr = map[string]*StructWithoutPtrs{}
 		for k, v := range src.StructPtrWithoutPtr {
-			dst.StructPtrWithoutPtr[k] = v.Clone()
+			if v == nil {
+				dst.StructPtrWithoutPtr[k] = nil
+			} else {
+				dst.StructPtrWithoutPtr[k] = ptr.To(*v)
+			}
 		}
 	}
 	dst.StructWithoutPtr = maps.Clone(src.StructWithoutPtr)
@@ -94,6 +104,12 @@ func (src *Map) Clone() *Map {
 		}
 	}
 	dst.StructWithoutPtrKey = maps.Clone(src.StructWithoutPtrKey)
+	if dst.StructWithPtr != nil {
+		dst.StructWithPtr = map[string]StructWithPtrs{}
+		for k, v := range src.StructWithPtr {
+			dst.StructWithPtr[k] = *(v.Clone())
+		}
+	}
 	if dst.SliceIntPtr != nil {
 		dst.SliceIntPtr = map[string][]*int{}
 		for k := range src.SliceIntPtr {
@@ -102,12 +118,6 @@ func (src *Map) Clone() *Map {
 	}
 	dst.PointerKey = maps.Clone(src.PointerKey)
 	dst.StructWithPtrKey = maps.Clone(src.StructWithPtrKey)
-	if dst.StructWithPtr != nil {
-		dst.StructWithPtr = map[string]StructWithPtrs{}
-		for k, v := range src.StructWithPtr {
-			dst.StructWithPtr[k] = *(v.Clone())
-		}
-	}
 	return dst
 }
 
@@ -121,10 +131,10 @@ var _MapCloneNeedsRegeneration = Map(struct {
 	SlicesWithPtrs      map[string][]*StructWithPtrs
 	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
 	StructWithoutPtrKey map[StructWithoutPtrs]int
+	StructWithPtr       map[string]StructWithPtrs
 	SliceIntPtr         map[string][]*int
 	PointerKey          map[*string]int
 	StructWithPtrKey    map[StructWithPtrs]int
-	StructWithPtr       map[string]StructWithPtrs
 }{})
 
 // Clone makes a deep copy of StructWithSlices.
@@ -139,15 +149,26 @@ func (src *StructWithSlices) Clone() *StructWithSlices {
 	if src.ValuePointers != nil {
 		dst.ValuePointers = make([]*StructWithoutPtrs, len(src.ValuePointers))
 		for i := range dst.ValuePointers {
-			dst.ValuePointers[i] = src.ValuePointers[i].Clone()
+			if src.ValuePointers[i] == nil {
+				dst.ValuePointers[i] = nil
+			} else {
+				dst.ValuePointers[i] = ptr.To(*src.ValuePointers[i])
+			}
 		}
 	}
 	if src.StructPointers != nil {
 		dst.StructPointers = make([]*StructWithPtrs, len(src.StructPointers))
 		for i := range dst.StructPointers {
-			dst.StructPointers[i] = src.StructPointers[i].Clone()
+			if src.StructPointers[i] == nil {
+				dst.StructPointers[i] = nil
+			} else {
+				dst.StructPointers[i] = src.StructPointers[i].Clone()
+			}
 		}
 	}
+	dst.Slice = append(src.Slice[:0:0], src.Slice...)
+	dst.Prefixes = append(src.Prefixes[:0:0], src.Prefixes...)
+	dst.Data = append(src.Data[:0:0], src.Data...)
 	if src.Structs != nil {
 		dst.Structs = make([]StructWithPtrs, len(src.Structs))
 		for i := range dst.Structs {
@@ -164,9 +185,6 @@ func (src *StructWithSlices) Clone() *StructWithSlices {
 			}
 		}
 	}
-	dst.Slice = append(src.Slice[:0:0], src.Slice...)
-	dst.Prefixes = append(src.Prefixes[:0:0], src.Prefixes...)
-	dst.Data = append(src.Data[:0:0], src.Data...)
 	return dst
 }
 
@@ -175,11 +193,11 @@ var _StructWithSlicesCloneNeedsRegeneration = StructWithSlices(struct {
 	Values         []StructWithoutPtrs
 	ValuePointers  []*StructWithoutPtrs
 	StructPointers []*StructWithPtrs
-	Structs        []StructWithPtrs
-	Ints           []*int
 	Slice          []string
 	Prefixes       []netip.Prefix
 	Data           []byte
+	Structs        []StructWithPtrs
+	Ints           []*int
 }{})
 
 // Clone makes a deep copy of OnlyGetClone.
@@ -216,3 +234,206 @@ var _StructWithEmbeddedCloneNeedsRegeneration = StructWithEmbedded(struct {
 	A *StructWithPtrs
 	StructWithSlices
 }{})
+
+// Clone makes a deep copy of GenericIntStruct.
+// The result aliases no memory with the original.
+func (src *GenericIntStruct[T]) Clone() *GenericIntStruct[T] {
+	if src == nil {
+		return nil
+	}
+	dst := new(GenericIntStruct[T])
+	*dst = *src
+	if dst.Pointer != nil {
+		dst.Pointer = ptr.To(*src.Pointer)
+	}
+	dst.Slice = append(src.Slice[:0:0], src.Slice...)
+	dst.Map = maps.Clone(src.Map)
+	if src.PtrSlice != nil {
+		dst.PtrSlice = make([]*T, len(src.PtrSlice))
+		for i := range dst.PtrSlice {
+			if src.PtrSlice[i] == nil {
+				dst.PtrSlice[i] = nil
+			} else {
+				dst.PtrSlice[i] = ptr.To(*src.PtrSlice[i])
+			}
+		}
+	}
+	dst.PtrKeyMap = maps.Clone(src.PtrKeyMap)
+	if dst.PtrValueMap != nil {
+		dst.PtrValueMap = map[string]*T{}
+		for k, v := range src.PtrValueMap {
+			if v == nil {
+				dst.PtrValueMap[k] = nil
+			} else {
+				dst.PtrValueMap[k] = ptr.To(*v)
+			}
+		}
+	}
+	if dst.SliceMap != nil {
+		dst.SliceMap = map[string][]T{}
+		for k := range src.SliceMap {
+			dst.SliceMap[k] = append([]T{}, src.SliceMap[k]...)
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+func _GenericIntStructCloneNeedsRegeneration[T constraints.Integer](GenericIntStruct[T]) {
+	_GenericIntStructCloneNeedsRegeneration(struct {
+		Value       T
+		Pointer     *T
+		Slice       []T
+		Map         map[string]T
+		PtrSlice    []*T
+		PtrKeyMap   map[*T]string `json:"-"`
+		PtrValueMap map[string]*T
+		SliceMap    map[string][]T
+	}{})
+}
+
+// Clone makes a deep copy of GenericNoPtrsStruct.
+// The result aliases no memory with the original.
+func (src *GenericNoPtrsStruct[T]) Clone() *GenericNoPtrsStruct[T] {
+	if src == nil {
+		return nil
+	}
+	dst := new(GenericNoPtrsStruct[T])
+	*dst = *src
+	if dst.Pointer != nil {
+		dst.Pointer = ptr.To(*src.Pointer)
+	}
+	dst.Slice = append(src.Slice[:0:0], src.Slice...)
+	dst.Map = maps.Clone(src.Map)
+	if src.PtrSlice != nil {
+		dst.PtrSlice = make([]*T, len(src.PtrSlice))
+		for i := range dst.PtrSlice {
+			if src.PtrSlice[i] == nil {
+				dst.PtrSlice[i] = nil
+			} else {
+				dst.PtrSlice[i] = ptr.To(*src.PtrSlice[i])
+			}
+		}
+	}
+	dst.PtrKeyMap = maps.Clone(src.PtrKeyMap)
+	if dst.PtrValueMap != nil {
+		dst.PtrValueMap = map[string]*T{}
+		for k, v := range src.PtrValueMap {
+			if v == nil {
+				dst.PtrValueMap[k] = nil
+			} else {
+				dst.PtrValueMap[k] = ptr.To(*v)
+			}
+		}
+	}
+	if dst.SliceMap != nil {
+		dst.SliceMap = map[string][]T{}
+		for k := range src.SliceMap {
+			dst.SliceMap[k] = append([]T{}, src.SliceMap[k]...)
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+func _GenericNoPtrsStructCloneNeedsRegeneration[T StructWithoutPtrs | netip.Prefix | BasicType](GenericNoPtrsStruct[T]) {
+	_GenericNoPtrsStructCloneNeedsRegeneration(struct {
+		Value       T
+		Pointer     *T
+		Slice       []T
+		Map         map[string]T
+		PtrSlice    []*T
+		PtrKeyMap   map[*T]string `json:"-"`
+		PtrValueMap map[string]*T
+		SliceMap    map[string][]T
+	}{})
+}
+
+// Clone makes a deep copy of GenericCloneableStruct.
+// The result aliases no memory with the original.
+func (src *GenericCloneableStruct[T, V]) Clone() *GenericCloneableStruct[T, V] {
+	if src == nil {
+		return nil
+	}
+	dst := new(GenericCloneableStruct[T, V])
+	*dst = *src
+	dst.Value = src.Value.Clone()
+	if src.Slice != nil {
+		dst.Slice = make([]T, len(src.Slice))
+		for i := range dst.Slice {
+			dst.Slice[i] = src.Slice[i].Clone()
+		}
+	}
+	if dst.Map != nil {
+		dst.Map = map[string]T{}
+		for k, v := range src.Map {
+			dst.Map[k] = v.Clone()
+		}
+	}
+	if dst.Pointer != nil {
+		dst.Pointer = ptr.To((*src.Pointer).Clone())
+	}
+	if src.PtrSlice != nil {
+		dst.PtrSlice = make([]*T, len(src.PtrSlice))
+		for i := range dst.PtrSlice {
+			if src.PtrSlice[i] == nil {
+				dst.PtrSlice[i] = nil
+			} else {
+				dst.PtrSlice[i] = ptr.To((*src.PtrSlice[i]).Clone())
+			}
+		}
+	}
+	dst.PtrKeyMap = maps.Clone(src.PtrKeyMap)
+	if dst.PtrValueMap != nil {
+		dst.PtrValueMap = map[string]*T{}
+		for k, v := range src.PtrValueMap {
+			if v == nil {
+				dst.PtrValueMap[k] = nil
+			} else {
+				dst.PtrValueMap[k] = ptr.To((*v).Clone())
+			}
+		}
+	}
+	if dst.SliceMap != nil {
+		dst.SliceMap = map[string][]T{}
+		for k := range src.SliceMap {
+			dst.SliceMap[k] = append([]T{}, src.SliceMap[k]...)
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+func _GenericCloneableStructCloneNeedsRegeneration[T views.ViewCloner[T, V], V views.StructView[T]](GenericCloneableStruct[T, V]) {
+	_GenericCloneableStructCloneNeedsRegeneration(struct {
+		Value       T
+		Slice       []T
+		Map         map[string]T
+		Pointer     *T
+		PtrSlice    []*T
+		PtrKeyMap   map[*T]string `json:"-"`
+		PtrValueMap map[string]*T
+		SliceMap    map[string][]T
+	}{})
+}
+
+// Clone makes a deep copy of StructWithContainers.
+// The result aliases no memory with the original.
+func (src *StructWithContainers) Clone() *StructWithContainers {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithContainers)
+	*dst = *src
+	dst.CloneableContainer = *src.CloneableContainer.Clone()
+	dst.ClonableGenericContainer = *src.ClonableGenericContainer.Clone()
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithContainersCloneNeedsRegeneration = StructWithContainers(struct {
+	IntContainer             Container[int]
+	CloneableContainer       Container[*StructWithPtrs]
+	BasicGenericContainer    Container[GenericBasicStruct[int]]
+	ClonableGenericContainer Container[*GenericNoPtrsStruct[int]]
+}{})

cmd/viewer/tests/tests_view.go

@@ -10,10 +10,11 @@ import (
 	"errors"
 	"net/netip"
 
+	"golang.org/x/exp/constraints"
 	"tailscale.com/types/views"
 )
 
-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded,GenericIntStruct,GenericNoPtrsStruct,GenericCloneableStruct,StructWithContainers
 
 // View returns a readonly view of StructWithPtrs.
 func (p *StructWithPtrs) View() StructWithPtrsView {
@@ -188,11 +189,7 @@ func (v *MapView) UnmarshalJSON(b []byte) error {
 
 func (v MapView) Int() views.Map[string, int] { return views.MapOf(v.ж.Int) }
 
-func (v MapView) SliceInt() views.MapFn[string, []int, views.Slice[int]] {
-	return views.MapFnOf(v.ж.SliceInt, func(t []int) views.Slice[int] {
-		return views.SliceOf(t)
-	})
-}
+func (v MapView) SliceInt() views.MapSlice[string, int] { return views.MapSliceOf(v.ж.SliceInt) }
 
 func (v MapView) StructPtrWithPtr() views.MapFn[string, *StructWithPtrs, StructWithPtrsView] {
 	return views.MapFnOf(v.ж.StructPtrWithPtr, func(t *StructWithPtrs) StructWithPtrsView {
@@ -225,15 +222,15 @@ func (v MapView) SlicesWithoutPtrs() views.MapFn[string, []*StructWithoutPtrs, v
 func (v MapView) StructWithoutPtrKey() views.Map[StructWithoutPtrs, int] {
 	return views.MapOf(v.ж.StructWithoutPtrKey)
 }
-func (v MapView) SliceIntPtr() map[string][]*int           { panic("unsupported") }
-func (v MapView) PointerKey() map[*string]int              { panic("unsupported") }
-func (v MapView) StructWithPtrKey() map[StructWithPtrs]int { panic("unsupported") }
 
 func (v MapView) StructWithPtr() views.MapFn[string, StructWithPtrs, StructWithPtrsView] {
 	return views.MapFnOf(v.ж.StructWithPtr, func(t StructWithPtrs) StructWithPtrsView {
 		return t.View()
 	})
 }
+func (v MapView) SliceIntPtr() map[string][]*int           { panic("unsupported") }
+func (v MapView) PointerKey() map[*string]int              { panic("unsupported") }
+func (v MapView) StructWithPtrKey() map[StructWithPtrs]int { panic("unsupported") }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _MapViewNeedsRegeneration = Map(struct {
@@ -245,10 +242,10 @@ var _MapViewNeedsRegeneration = Map(struct {
 	SlicesWithPtrs      map[string][]*StructWithPtrs
 	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
 	StructWithoutPtrKey map[StructWithoutPtrs]int
+	StructWithPtr       map[string]StructWithPtrs
 	SliceIntPtr         map[string][]*int
 	PointerKey          map[*string]int
 	StructWithPtrKey    map[StructWithPtrs]int
-	StructWithPtr       map[string]StructWithPtrs
 }{})
 
 // View returns a readonly view of StructWithSlices.
@@ -305,24 +302,24 @@ func (v StructWithSlicesView) ValuePointers() views.SliceView[*StructWithoutPtrs
 func (v StructWithSlicesView) StructPointers() views.SliceView[*StructWithPtrs, StructWithPtrsView] {
 	return views.SliceOfViews[*StructWithPtrs, StructWithPtrsView](v.ж.StructPointers)
 }
-func (v StructWithSlicesView) Structs() StructWithPtrs    { panic("unsupported") }
-func (v StructWithSlicesView) Ints() *int                 { panic("unsupported") }
 func (v StructWithSlicesView) Slice() views.Slice[string] { return views.SliceOf(v.ж.Slice) }
 func (v StructWithSlicesView) Prefixes() views.Slice[netip.Prefix] {
 	return views.SliceOf(v.ж.Prefixes)
 }
 func (v StructWithSlicesView) Data() views.ByteSlice[[]byte] { return views.ByteSliceOf(v.ж.Data) }
+func (v StructWithSlicesView) Structs() StructWithPtrs       { panic("unsupported") }
+func (v StructWithSlicesView) Ints() *int                    { panic("unsupported") }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
 	Values         []StructWithoutPtrs
 	ValuePointers  []*StructWithoutPtrs
 	StructPointers []*StructWithPtrs
-	Structs        []StructWithPtrs
-	Ints           []*int
 	Slice          []string
 	Prefixes       []netip.Prefix
 	Data           []byte
+	Structs        []StructWithPtrs
+	Ints           []*int
 }{})
 
 // View returns a readonly view of StructWithEmbedded.
@@ -380,3 +377,294 @@ var _StructWithEmbeddedViewNeedsRegeneration = StructWithEmbedded(struct {
 	A *StructWithPtrs
 	StructWithSlices
 }{})
+
+// View returns a readonly view of GenericIntStruct.
+func (p *GenericIntStruct[T]) View() GenericIntStructView[T] {
+	return GenericIntStructView[T]{ж: p}
+}
+
+// GenericIntStructView[T] provides a read-only view over GenericIntStruct[T].
+//
+// Its methods should only be called if `Valid()` returns true.
+type GenericIntStructView[T constraints.Integer] struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *GenericIntStruct[T]
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v GenericIntStructView[T]) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v GenericIntStructView[T]) AsStruct() *GenericIntStruct[T] {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v GenericIntStructView[T]) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *GenericIntStructView[T]) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x GenericIntStruct[T]
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v GenericIntStructView[T]) Value() T { return v.ж.Value }
+func (v GenericIntStructView[T]) Pointer() *T {
+	if v.ж.Pointer == nil {
+		return nil
+	}
+	x := *v.ж.Pointer
+	return &x
+}
+
+func (v GenericIntStructView[T]) Slice() views.Slice[T] { return views.SliceOf(v.ж.Slice) }
+
+func (v GenericIntStructView[T]) Map() views.Map[string, T]  { return views.MapOf(v.ж.Map) }
+func (v GenericIntStructView[T]) PtrSlice() *T               { panic("unsupported") }
+func (v GenericIntStructView[T]) PtrKeyMap() map[*T]string   { panic("unsupported") }
+func (v GenericIntStructView[T]) PtrValueMap() map[string]*T { panic("unsupported") }
+func (v GenericIntStructView[T]) SliceMap() map[string][]T   { panic("unsupported") }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+func _GenericIntStructViewNeedsRegeneration[T constraints.Integer](GenericIntStruct[T]) {
+	_GenericIntStructViewNeedsRegeneration(struct {
+		Value       T
+		Pointer     *T
+		Slice       []T
+		Map         map[string]T
+		PtrSlice    []*T
+		PtrKeyMap   map[*T]string `json:"-"`
+		PtrValueMap map[string]*T
+		SliceMap    map[string][]T
+	}{})
+}
+
+// View returns a readonly view of GenericNoPtrsStruct.
+func (p *GenericNoPtrsStruct[T]) View() GenericNoPtrsStructView[T] {
+	return GenericNoPtrsStructView[T]{ж: p}
+}
+
+// GenericNoPtrsStructView[T] provides a read-only view over GenericNoPtrsStruct[T].
+//
+// Its methods should only be called if `Valid()` returns true.
+type GenericNoPtrsStructView[T StructWithoutPtrs | netip.Prefix | BasicType] struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *GenericNoPtrsStruct[T]
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v GenericNoPtrsStructView[T]) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v GenericNoPtrsStructView[T]) AsStruct() *GenericNoPtrsStruct[T] {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v GenericNoPtrsStructView[T]) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *GenericNoPtrsStructView[T]) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x GenericNoPtrsStruct[T]
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v GenericNoPtrsStructView[T]) Value() T { return v.ж.Value }
+func (v GenericNoPtrsStructView[T]) Pointer() *T {
+	if v.ж.Pointer == nil {
+		return nil
+	}
+	x := *v.ж.Pointer
+	return &x
+}
+
+func (v GenericNoPtrsStructView[T]) Slice() views.Slice[T] { return views.SliceOf(v.ж.Slice) }
+
+func (v GenericNoPtrsStructView[T]) Map() views.Map[string, T]  { return views.MapOf(v.ж.Map) }
+func (v GenericNoPtrsStructView[T]) PtrSlice() *T               { panic("unsupported") }
+func (v GenericNoPtrsStructView[T]) PtrKeyMap() map[*T]string   { panic("unsupported") }
+func (v GenericNoPtrsStructView[T]) PtrValueMap() map[string]*T { panic("unsupported") }
+func (v GenericNoPtrsStructView[T]) SliceMap() map[string][]T   { panic("unsupported") }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+func _GenericNoPtrsStructViewNeedsRegeneration[T StructWithoutPtrs | netip.Prefix | BasicType](GenericNoPtrsStruct[T]) {
+	_GenericNoPtrsStructViewNeedsRegeneration(struct {
+		Value       T
+		Pointer     *T
+		Slice       []T
+		Map         map[string]T
+		PtrSlice    []*T
+		PtrKeyMap   map[*T]string `json:"-"`
+		PtrValueMap map[string]*T
+		SliceMap    map[string][]T
+	}{})
+}
+
+// View returns a readonly view of GenericCloneableStruct.
+func (p *GenericCloneableStruct[T, V]) View() GenericCloneableStructView[T, V] {
+	return GenericCloneableStructView[T, V]{ж: p}
+}
+
+// GenericCloneableStructView[T, V] provides a read-only view over GenericCloneableStruct[T, V].
+//
+// Its methods should only be called if `Valid()` returns true.
+type GenericCloneableStructView[T views.ViewCloner[T, V], V views.StructView[T]] struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *GenericCloneableStruct[T, V]
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v GenericCloneableStructView[T, V]) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v GenericCloneableStructView[T, V]) AsStruct() *GenericCloneableStruct[T, V] {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v GenericCloneableStructView[T, V]) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *GenericCloneableStructView[T, V]) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x GenericCloneableStruct[T, V]
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v GenericCloneableStructView[T, V]) Value() V { return v.ж.Value.View() }
+func (v GenericCloneableStructView[T, V]) Slice() views.SliceView[T, V] {
+	return views.SliceOfViews[T, V](v.ж.Slice)
+}
+
+func (v GenericCloneableStructView[T, V]) Map() views.MapFn[string, T, V] {
+	return views.MapFnOf(v.ж.Map, func(t T) V {
+		return t.View()
+	})
+}
+func (v GenericCloneableStructView[T, V]) Pointer() map[string]T      { panic("unsupported") }
+func (v GenericCloneableStructView[T, V]) PtrSlice() *T               { panic("unsupported") }
+func (v GenericCloneableStructView[T, V]) PtrKeyMap() map[*T]string   { panic("unsupported") }
+func (v GenericCloneableStructView[T, V]) PtrValueMap() map[string]*T { panic("unsupported") }
+func (v GenericCloneableStructView[T, V]) SliceMap() map[string][]T   { panic("unsupported") }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+func _GenericCloneableStructViewNeedsRegeneration[T views.ViewCloner[T, V], V views.StructView[T]](GenericCloneableStruct[T, V]) {
+	_GenericCloneableStructViewNeedsRegeneration(struct {
+		Value       T
+		Slice       []T
+		Map         map[string]T
+		Pointer     *T
+		PtrSlice    []*T
+		PtrKeyMap   map[*T]string `json:"-"`
+		PtrValueMap map[string]*T
+		SliceMap    map[string][]T
+	}{})
+}
+
+// View returns a readonly view of StructWithContainers.
+func (p *StructWithContainers) View() StructWithContainersView {
+	return StructWithContainersView{ж: p}
+}
+
+// StructWithContainersView provides a read-only view over StructWithContainers.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithContainersView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithContainers
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithContainersView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithContainersView) AsStruct() *StructWithContainers {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithContainersView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithContainersView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithContainers
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithContainersView) IntContainer() Container[int] { return v.ж.IntContainer }
+func (v StructWithContainersView) CloneableContainer() ContainerView[*StructWithPtrs, StructWithPtrsView] {
+	return ContainerViewOf(&v.ж.CloneableContainer)
+}
+func (v StructWithContainersView) BasicGenericContainer() Container[GenericBasicStruct[int]] {
+	return v.ж.BasicGenericContainer
+}
+func (v StructWithContainersView) ClonableGenericContainer() ContainerView[*GenericNoPtrsStruct[int], GenericNoPtrsStructView[int]] {
+	return ContainerViewOf(&v.ж.ClonableGenericContainer)
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithContainersViewNeedsRegeneration = StructWithContainers(struct {
+	IntContainer             Container[int]
+	CloneableContainer       Container[*StructWithPtrs]
+	BasicGenericContainer    Container[GenericBasicStruct[int]]
+	ClonableGenericContainer Container[*GenericNoPtrsStruct[int]]
+}{})

cmd/viewer/viewer.go

@@ -13,50 +13,52 @@ import (
 	"html/template"
 	"log"
 	"os"
+	"slices"
 	"strings"
 
 	"tailscale.com/util/codegen"
+	"tailscale.com/util/must"
 )
 
 const viewTemplateStr = `{{define "common"}}
 // View returns a readonly view of {{.StructName}}.
-func (p *{{.StructName}}) View() {{.ViewName}} {
-	return {{.ViewName}}{ж: p}
+func (p *{{.StructName}}{{.TypeParamNames}}) View() {{.ViewName}}{{.TypeParamNames}} {
+	return {{.ViewName}}{{.TypeParamNames}}{ж: p}
 }
 
-// {{.ViewName}} provides a read-only view over {{.StructName}}.
+// {{.ViewName}}{{.TypeParamNames}} provides a read-only view over {{.StructName}}{{.TypeParamNames}}.
 //
 // Its methods should only be called if ` + "`Valid()`" + ` returns true.
-type {{.ViewName}} struct {
+type {{.ViewName}}{{.TypeParams}} struct {
 	// ж is the underlying mutable value, named with a hard-to-type
 	// character that looks pointy like a pointer.
 	// It is named distinctively to make you think of how dangerous it is to escape
 	// to callers. You must not let callers be able to mutate it.
-	ж *{{.StructName}}
+	ж *{{.StructName}}{{.TypeParamNames}}
 }
 
 // Valid reports whether underlying value is non-nil.
-func (v {{.ViewName}}) Valid() bool { return v.ж != nil }
+func (v {{.ViewName}}{{.TypeParamNames}}) Valid() bool { return v.ж != nil }
 
 // AsStruct returns a clone of the underlying value which aliases no memory with
 // the original.
-func (v {{.ViewName}}) AsStruct() *{{.StructName}}{ 
+func (v {{.ViewName}}{{.TypeParamNames}}) AsStruct() *{{.StructName}}{{.TypeParamNames}}{ 
 	if v.ж == nil {
 		return nil
 	}
 	return v.ж.Clone()
 }
 
-func (v {{.ViewName}}) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+func (v {{.ViewName}}{{.TypeParamNames}}) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
 
-func (v *{{.ViewName}}) UnmarshalJSON(b []byte) error {
+func (v *{{.ViewName}}{{.TypeParamNames}}) UnmarshalJSON(b []byte) error {
 	if v.ж != nil {
 		return errors.New("already initialized")
 	}
 	if len(b) == 0 {
 		return nil
 	}
-	var x {{.StructName}}
+	var x {{.StructName}}{{.TypeParamNames}}
 	if err := json.Unmarshal(b, &x); err != nil {
 		return err
 	}
@@ -65,17 +67,19 @@ func (v *{{.ViewName}}) UnmarshalJSON(b []byte) error {
 }
 
 {{end}}
-{{define "valueField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} { return v.ж.{{.FieldName}} }
+{{define "valueField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() {{.FieldType}} { return v.ж.{{.FieldName}} }
 {{end}}
-{{define "byteSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.ByteSlice[{{.FieldType}}] { return views.ByteSliceOf(v.ж.{{.FieldName}}) }
+{{define "byteSliceField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() views.ByteSlice[{{.FieldType}}] { return views.ByteSliceOf(v.ж.{{.FieldName}}) }
 {{end}}
-{{define "sliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.Slice[{{.FieldType}}] { return views.SliceOf(v.ж.{{.FieldName}}) }
+{{define "sliceField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() views.Slice[{{.FieldType}}] { return views.SliceOf(v.ж.{{.FieldName}}) }
 {{end}}
-{{define "viewSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.SliceView[{{.FieldType}},{{.FieldViewName}}] { return views.SliceOfViews[{{.FieldType}},{{.FieldViewName}}](v.ж.{{.FieldName}}) }
+{{define "viewSliceField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() views.SliceView[{{.FieldType}},{{.FieldViewName}}] { return views.SliceOfViews[{{.FieldType}},{{.FieldViewName}}](v.ж.{{.FieldName}}) }
 {{end}}
-{{define "viewField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}}View { return v.ж.{{.FieldName}}.View() }
+{{define "viewField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() {{.FieldViewName}} { return v.ж.{{.FieldName}}.View() }
 {{end}}
-{{define "valuePointerField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {
+{{define "makeViewField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() {{.FieldViewName}} { return {{.MakeViewFnName}}(&v.ж.{{.FieldName}}) }
+{{end}}
+{{define "valuePointerField"}}func (v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() {{.FieldType}} {
 	if v.ж.{{.FieldName}} == nil {
 		return nil
 	}
@@ -85,18 +89,21 @@ func (v *{{.ViewName}}) UnmarshalJSON(b []byte) error {
 
 {{end}}
 {{define "mapField"}}
-func(v {{.ViewName}}) {{.FieldName}}() views.Map[{{.MapKeyType}},{{.MapValueType}}] { return views.MapOf(v.ж.{{.FieldName}})}
+func(v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() views.Map[{{.MapKeyType}},{{.MapValueType}}] { return views.MapOf(v.ж.{{.FieldName}})}
 {{end}}
 {{define "mapFnField"}}
-func(v {{.ViewName}}) {{.FieldName}}() views.MapFn[{{.MapKeyType}},{{.MapValueType}},{{.MapValueView}}] { return views.MapFnOf(v.ж.{{.FieldName}}, func (t {{.MapValueType}}) {{.MapValueView}} {
+func(v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() views.MapFn[{{.MapKeyType}},{{.MapValueType}},{{.MapValueView}}] { return views.MapFnOf(v.ж.{{.FieldName}}, func (t {{.MapValueType}}) {{.MapValueView}} {
 	return {{.MapFn}}
 })}
 {{end}}
-{{define "unsupportedField"}}func(v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {panic("unsupported")}
+{{define "mapSliceField"}}
+func(v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() views.MapSlice[{{.MapKeyType}},{{.MapValueType}}] { return views.MapSliceOf(v.ж.{{.FieldName}}) }
 {{end}}
-{{define "stringFunc"}}func(v {{.ViewName}}) String() string { return v.ж.String() }
+{{define "unsupportedField"}}func(v {{.ViewName}}{{.TypeParamNames}}) {{.FieldName}}() {{.FieldType}} {panic("unsupported")}
 {{end}}
-{{define "equalFunc"}}func(v {{.ViewName}}) Equal(v2 {{.ViewName}}) bool { return v.ж.Equal(v2.ж) }
+{{define "stringFunc"}}func(v {{.ViewName}}{{.TypeParamNames}}) String() string { return v.ж.String() }
+{{end}}
+{{define "equalFunc"}}func(v {{.ViewName}}{{.TypeParamNames}}) Equal(v2 {{.ViewName}}{{.TypeParamNames}}) bool { return v.ж.Equal(v2.ж) }
 {{end}}
 `
 
@@ -128,8 +135,11 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 	it.Import("errors")
 
 	args := struct {
-		StructName    string
-		ViewName      string
+		StructName     string
+		ViewName       string
+		TypeParams     string // e.g. [T constraints.Integer]
+		TypeParamNames string // e.g. [T]
+
 		FieldName     string
 		FieldType     string
 		FieldViewName string
@@ -138,11 +148,17 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 		MapValueType string
 		MapValueView string
 		MapFn        string
+
+		// MakeViewFnName is the name of the function that accepts a value and returns a readonly view of it.
+		MakeViewFnName string
 	}{
 		StructName: typ.Obj().Name(),
-		ViewName:   typ.Obj().Name() + "View",
+		ViewName:   typ.Origin().Obj().Name() + "View",
 	}
 
+	typeParams := typ.Origin().TypeParams()
+	args.TypeParams, args.TypeParamNames = codegen.FormatTypeParams(typeParams, it)
+
 	writeTemplate := func(name string) {
 		if err := viewTemplate.ExecuteTemplate(buf, name, args); err != nil {
 			log.Fatal(err)
@@ -179,19 +195,35 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 				it.Import("tailscale.com/types/views")
 				shallow, deep, base := requiresCloning(elem)
 				if deep {
-					if _, isPtr := elem.(*types.Pointer); isPtr {
-						args.FieldViewName = it.QualifiedName(base) + "View"
-						writeTemplate("viewSliceField")
-					} else {
-						writeTemplate("unsupportedField")
+					switch elem.Underlying().(type) {
+					case *types.Pointer:
+						if _, isIface := base.Underlying().(*types.Interface); !isIface {
+							args.FieldViewName = appendNameSuffix(it.QualifiedName(base), "View")
+							writeTemplate("viewSliceField")
+						} else {
+							writeTemplate("unsupportedField")
+						}
+						continue
+					case *types.Interface:
+						if viewType := viewTypeForValueType(elem); viewType != nil {
+							args.FieldViewName = it.QualifiedName(viewType)
+							writeTemplate("viewSliceField")
+							continue
+						}
 					}
+					writeTemplate("unsupportedField")
 					continue
 				} else if shallow {
-					if _, isBasic := base.(*types.Basic); isBasic {
+					switch base.Underlying().(type) {
+					case *types.Basic, *types.Interface:
 						writeTemplate("unsupportedField")
-					} else {
-						args.FieldViewName = it.QualifiedName(base) + "View"
-						writeTemplate("viewSliceField")
+					default:
+						if _, isIface := base.Underlying().(*types.Interface); !isIface {
+							args.FieldViewName = appendNameSuffix(it.QualifiedName(base), "View")
+							writeTemplate("viewSliceField")
+						} else {
+							writeTemplate("unsupportedField")
+						}
 					}
 					continue
 				}
@@ -202,7 +234,18 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 			strucT := underlying
 			args.FieldType = it.QualifiedName(fieldType)
 			if codegen.ContainsPointers(strucT) {
-				writeTemplate("viewField")
+				if viewType := viewTypeForValueType(fieldType); viewType != nil {
+					args.FieldViewName = it.QualifiedName(viewType)
+					writeTemplate("viewField")
+					continue
+				}
+				if viewType, makeViewFn := viewTypeForContainerType(fieldType); viewType != nil {
+					args.FieldViewName = it.QualifiedName(viewType)
+					args.MakeViewFnName = it.PackagePrefix(makeViewFn.Pkg()) + makeViewFn.Name()
+					writeTemplate("makeViewField")
+					continue
+				}
+				writeTemplate("unsupportedField")
 				continue
 			}
 			writeTemplate("valueField")
@@ -226,7 +269,7 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 					args.MapFn = "t.View()"
 					template = "mapFnField"
 					args.MapValueType = it.QualifiedName(mElem)
-					args.MapValueView = args.MapValueType + "View"
+					args.MapValueView = appendNameSuffix(args.MapValueType, "View")
 				} else {
 					template = "mapField"
 					args.MapValueType = it.QualifiedName(mElem)
@@ -241,21 +284,25 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 				case *types.Basic, *types.Named:
 					sElem := it.QualifiedName(sElem)
 					args.MapValueView = fmt.Sprintf("views.Slice[%v]", sElem)
-					args.MapValueType = "[]" + sElem
-					args.MapFn = "views.SliceOf(t)"
-					template = "mapFnField"
+					args.MapValueType = sElem
+					template = "mapSliceField"
 				case *types.Pointer:
 					ptr := x
 					pElem := ptr.Elem()
-					switch pElem.(type) {
-					case *types.Struct, *types.Named:
-						ptrType := it.QualifiedName(ptr)
-						viewType := it.QualifiedName(pElem) + "View"
-						args.MapFn = fmt.Sprintf("views.SliceOfViews[%v,%v](t)", ptrType, viewType)
-						args.MapValueView = fmt.Sprintf("views.SliceView[%v,%v]", ptrType, viewType)
-						args.MapValueType = "[]" + ptrType
-						template = "mapFnField"
-					default:
+					template = "unsupportedField"
+					if _, isIface := pElem.Underlying().(*types.Interface); !isIface {
+						switch pElem.(type) {
+						case *types.Struct, *types.Named:
+							ptrType := it.QualifiedName(ptr)
+							viewType := appendNameSuffix(it.QualifiedName(pElem), "View")
+							args.MapFn = fmt.Sprintf("views.SliceOfViews[%v,%v](t)", ptrType, viewType)
+							args.MapValueView = fmt.Sprintf("views.SliceView[%v,%v]", ptrType, viewType)
+							args.MapValueType = "[]" + ptrType
+							template = "mapFnField"
+						default:
+							template = "unsupportedField"
+						}
+					} else {
 						template = "unsupportedField"
 					}
 				default:
@@ -264,13 +311,29 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 			case *types.Pointer:
 				ptr := u
 				pElem := ptr.Elem()
-				switch pElem.(type) {
-				case *types.Struct, *types.Named:
-					args.MapValueType = it.QualifiedName(ptr)
-					args.MapValueView = it.QualifiedName(pElem) + "View"
+				if _, isIface := pElem.Underlying().(*types.Interface); !isIface {
+					switch pElem.(type) {
+					case *types.Struct, *types.Named:
+						args.MapValueType = it.QualifiedName(ptr)
+						args.MapValueView = appendNameSuffix(it.QualifiedName(pElem), "View")
+						args.MapFn = "t.View()"
+						template = "mapFnField"
+					default:
+						template = "unsupportedField"
+					}
+				} else {
+					template = "unsupportedField"
+				}
+			case *types.Interface, *types.TypeParam:
+				if viewType := viewTypeForValueType(u); viewType != nil {
+					args.MapValueType = it.QualifiedName(u)
+					args.MapValueView = it.QualifiedName(viewType)
 					args.MapFn = "t.View()"
 					template = "mapFnField"
-				default:
+				} else if !codegen.ContainsPointers(u) {
+					args.MapValueType = it.QualifiedName(mElem)
+					template = "mapField"
+				} else {
 					template = "unsupportedField"
 				}
 			default:
@@ -281,14 +344,28 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 		case *types.Pointer:
 			ptr := underlying
 			_, deep, base := requiresCloning(ptr)
+
 			if deep {
-				args.FieldType = it.QualifiedName(base)
-				writeTemplate("viewField")
+				if _, isIface := base.Underlying().(*types.Interface); !isIface {
+					args.FieldType = it.QualifiedName(base)
+					args.FieldViewName = appendNameSuffix(args.FieldType, "View")
+					writeTemplate("viewField")
+				} else {
+					writeTemplate("unsupportedField")
+				}
 			} else {
 				args.FieldType = it.QualifiedName(ptr)
 				writeTemplate("valuePointerField")
 			}
 			continue
+		case *types.Interface:
+			// If fieldType is an interface with a "View() {ViewType}" method, it can be used to clone the field.
+			// This includes scenarios where fieldType is a constrained type parameter.
+			if viewType := viewTypeForValueType(underlying); viewType != nil {
+				args.FieldViewName = it.QualifiedName(viewType)
+				writeTemplate("viewField")
+				continue
+			}
 		}
 		writeTemplate("unsupportedField")
 	}
@@ -316,7 +393,132 @@ func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thi
 		}
 	}
 	fmt.Fprintf(buf, "\n")
-	buf.Write(codegen.AssertStructUnchanged(t, args.StructName, "View", it))
+	buf.Write(codegen.AssertStructUnchanged(t, args.StructName, typeParams, "View", it))
+}
+
+func appendNameSuffix(name, suffix string) string {
+	if idx := strings.IndexRune(name, '['); idx != -1 {
+		// Insert suffix after the type name, but before type parameters.
+		return name[:idx] + suffix + name[idx:]
+	}
+	return name + suffix
+}
+
+func viewTypeForValueType(typ types.Type) types.Type {
+	if ptr, ok := typ.(*types.Pointer); ok {
+		return viewTypeForValueType(ptr.Elem())
+	}
+	viewMethod := codegen.LookupMethod(typ, "View")
+	if viewMethod == nil {
+		return nil
+	}
+	sig, ok := viewMethod.Type().(*types.Signature)
+	if !ok || sig.Results().Len() != 1 {
+		return nil
+	}
+	return sig.Results().At(0).Type()
+}
+
+func viewTypeForContainerType(typ types.Type) (*types.Named, *types.Func) {
+	// The container type should be an instantiated generic type,
+	// with its first type parameter specifying the element type.
+	containerType, ok := typ.(*types.Named)
+	if !ok || containerType.TypeArgs().Len() == 0 {
+		return nil, nil
+	}
+
+	// Look up the view type for the container type.
+	// It must include an additional type parameter specifying the element's view type.
+	// For example, Container[T] => ContainerView[T, V].
+	containerViewTypeName := containerType.Obj().Name() + "View"
+	containerViewTypeObj, ok := containerType.Obj().Pkg().Scope().Lookup(containerViewTypeName).(*types.TypeName)
+	if !ok {
+		return nil, nil
+	}
+	containerViewGenericType, ok := containerViewTypeObj.Type().(*types.Named)
+	if !ok || containerViewGenericType.TypeParams().Len() != containerType.TypeArgs().Len()+1 {
+		return nil, nil
+	}
+
+	// Create a list of type arguments for instantiating the container view type.
+	// Include all type arguments specified for the container type...
+	containerViewTypeArgs := make([]types.Type, containerViewGenericType.TypeParams().Len())
+	for i := range containerType.TypeArgs().Len() {
+		containerViewTypeArgs[i] = containerType.TypeArgs().At(i)
+	}
+	// ...and add the element view type.
+	// For that, we need to first determine the named elem type...
+	elemType, ok := baseType(containerType.TypeArgs().At(0)).(*types.Named)
+	if !ok {
+		return nil, nil
+	}
+	// ...then infer the view type from it.
+	var elemViewType *types.Named
+	elemTypeName := elemType.Obj().Name()
+	elemViewTypeBaseName := elemType.Obj().Name() + "View"
+	if elemViewTypeName, ok := elemType.Obj().Pkg().Scope().Lookup(elemViewTypeBaseName).(*types.TypeName); ok {
+		// The elem's view type is already defined in the same package as the elem type.
+		elemViewType = elemViewTypeName.Type().(*types.Named)
+	} else if slices.Contains(typeNames, elemTypeName) {
+		// The elem's view type has not been generated yet, but we can define
+		// and use a blank type with the expected view type name.
+		elemViewTypeName = types.NewTypeName(0, elemType.Obj().Pkg(), elemViewTypeBaseName, nil)
+		elemViewType = types.NewNamed(elemViewTypeName, types.NewStruct(nil, nil), nil)
+		if elemTypeParams := elemType.TypeParams(); elemTypeParams != nil {
+			elemViewType.SetTypeParams(collectTypeParams(elemTypeParams))
+		}
+	} else {
+		// The elem view type does not exist and won't be generated.
+		return nil, nil
+	}
+	// If elemType is an instantiated generic type, instantiate the elemViewType as well.
+	if elemTypeArgs := elemType.TypeArgs(); elemTypeArgs != nil {
+		elemViewType = must.Get(types.Instantiate(nil, elemViewType, collectTypes(elemTypeArgs), false)).(*types.Named)
+	}
+	// And finally set the elemViewType as the last type argument.
+	containerViewTypeArgs[len(containerViewTypeArgs)-1] = elemViewType
+
+	// Instantiate the container view type with the specified type arguments.
+	containerViewType := must.Get(types.Instantiate(nil, containerViewGenericType, containerViewTypeArgs, false))
+	// Look up a function to create a view of a container.
+	// It should be in the same package as the container type, named {ViewType}Of,
+	// and have a signature like {ViewType}Of(c *Container[T]) ContainerView[T, V].
+	makeContainerView, ok := containerType.Obj().Pkg().Scope().Lookup(containerViewTypeName + "Of").(*types.Func)
+	if !ok {
+		return nil, nil
+	}
+	return containerViewType.(*types.Named), makeContainerView
+}
+
+func baseType(typ types.Type) types.Type {
+	if ptr, ok := typ.(*types.Pointer); ok {
+		return ptr.Elem()
+	}
+	return typ
+}
+
+func collectTypes(list *types.TypeList) []types.Type {
+	// TODO(nickkhyl): use slices.Collect in Go 1.23?
+	if list.Len() == 0 {
+		return nil
+	}
+	res := make([]types.Type, list.Len())
+	for i := range res {
+		res[i] = list.At(i)
+	}
+	return res
+}
+
+func collectTypeParams(list *types.TypeParamList) []*types.TypeParam {
+	if list.Len() == 0 {
+		return nil
+	}
+	res := make([]*types.TypeParam, list.Len())
+	for i := range res {
+		p := list.At(i)
+		res[i] = types.NewTypeParam(p.Obj(), p.Constraint())
+	}
+	return res
 }
 
 var (
@@ -325,6 +527,8 @@ var (
 	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 
 	flagCloneOnlyTypes = flag.String("clone-only-type", "", "comma-separated list of types (a subset of --type) that should only generate a go:generate clone line and not actual views")
+
+	typeNames []string
 )
 
 func main() {
@@ -335,7 +539,7 @@ func main() {
 		flag.Usage()
 		os.Exit(2)
 	}
-	typeNames := strings.Split(*flagTypes, ",")
+	typeNames = strings.Split(*flagTypes, ",")
 
 	var flagArgs []string
 	flagArgs = append(flagArgs, fmt.Sprintf("-clonefunc=%v", *flagCloneFunc))
@@ -379,7 +583,11 @@ func main() {
 		}
 		genView(buf, it, typ, pkg.Types)
 	}
-	out := pkg.Name + "_view.go"
+	out := pkg.Name + "_view"
+	if *flagBuildTags == "test" {
+		out += "_test"
+	}
+	out += ".go"
 	if err := codegen.WritePackageFile("tailscale/cmd/viewer", pkg, out, it, buf); err != nil {
 		log.Fatal(err)
 	}

cmd/xdpderper/xdpderper.go

@@ -0,0 +1,108 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Command xdpderper runs the XDP STUN server.
+package main
+
+import (
+	"flag"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"tailscale.com/derp/xdp"
+	"tailscale.com/net/netutil"
+	"tailscale.com/tsweb"
+)
+
+var (
+	flagDevice  = flag.String("device", "", "target device name (default: autodetect)")
+	flagPort    = flag.Int("dst-port", 0, "destination UDP port to serve")
+	flagVerbose = flag.Bool("verbose", false, "verbose output including verifier errors")
+	flagMode    = flag.String("mode", "xdp", "XDP mode; valid modes: [xdp, xdpgeneric, xdpdrv, xdpoffload]")
+	flagHTTP    = flag.String("http", ":8230", "HTTP listen address")
+)
+
+func main() {
+	flag.Parse()
+	var attachFlags xdp.XDPAttachFlags
+	switch strings.ToLower(*flagMode) {
+	case "xdp":
+		attachFlags = 0
+	case "xdpgeneric":
+		attachFlags = xdp.XDPGenericMode
+	case "xdpdrv":
+		attachFlags = xdp.XDPDriverMode
+	case "xdpoffload":
+		attachFlags = xdp.XDPOffloadMode
+	default:
+		log.Fatal("invalid mode")
+	}
+	deviceName := *flagDevice
+	if deviceName == "" {
+		var err error
+		deviceName, _, err = netutil.DefaultInterfacePortable()
+		if err != nil || deviceName == "" {
+			log.Fatalf("failed to detect default route interface: %v", err)
+		}
+	}
+	log.Printf("binding to device: %s", deviceName)
+
+	server, err := xdp.NewSTUNServer(&xdp.STUNServerConfig{
+		DeviceName:      deviceName,
+		DstPort:         *flagPort,
+		AttachFlags:     attachFlags,
+		FullVerifierErr: *flagVerbose,
+	})
+	if err != nil {
+		log.Fatalf("failed to init XDP STUN server: %v", err)
+	}
+	defer server.Close()
+	err = prometheus.Register(server)
+	if err != nil {
+		log.Fatalf("failed to register XDP STUN server as a prometheus collector: %v", err)
+	}
+	log.Println("XDP STUN server started")
+
+	mux := http.NewServeMux()
+	debug := tsweb.Debugger(mux)
+	debug.KVFunc("Drop STUN", func() any {
+		return server.GetDropSTUN()
+	})
+	debug.Handle("drop-stun-on", "Drop STUN packets", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		err := server.SetDropSTUN(true)
+		if err != nil {
+			http.Error(w, err.Error(), 500)
+		} else {
+			io.WriteString(w, "STUN packets are now being dropped.")
+		}
+	}))
+	debug.Handle("drop-stun-off", "Handle STUN packets", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		err := server.SetDropSTUN(false)
+		if err != nil {
+			http.Error(w, err.Error(), 500)
+		} else {
+			io.WriteString(w, "STUN packets are now being handled.")
+		}
+	}))
+	errCh := make(chan error, 1)
+	go func() {
+		err := http.ListenAndServe(*flagHTTP, mux)
+		errCh <- err
+	}()
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	select {
+	case err := <-errCh:
+		log.Printf("HTTP serve err: %v", err)
+	case sig := <-sigCh:
+		log.Printf("received signal: %s", sig)
+	}
+
+}

control/controlclient/direct.go

@@ -7,14 +7,13 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"crypto/ed25519"
-	"encoding/base64"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/netip"
@@ -25,6 +24,7 @@ import (
 	"slices"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"go4.org/mem"
@@ -62,6 +62,7 @@ import (
 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
 	httpc                      *http.Client // HTTP client used to talk to tailcontrol
+	interceptedDial            *atomic.Bool // if non-nil, pointer to bool whether ScreenTime intercepted our dial
 	dialer                     *tsdial.Dialer
 	dnsCache                   *dnscache.Resolver
 	controlKnobs               *controlknobs.Knobs // always non-nil
@@ -258,23 +259,28 @@ func NewDirect(opts Options) (*Direct, error) {
 		// etc set).
 		httpc = http.DefaultClient
 	}
+	var interceptedDial *atomic.Bool
 	if httpc == nil {
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
 		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
 		tr.TLSClientConfig = tlsdial.Config(serverURL.Hostname(), opts.HealthTracker, tr.TLSClientConfig)
-		tr.DialContext = dnscache.Dialer(opts.Dialer.SystemDial, dnsCache)
-		tr.DialTLSContext = dnscache.TLSDialer(opts.Dialer.SystemDial, dnsCache, tr.TLSClientConfig)
+		var dialFunc dialFunc
+		dialFunc, interceptedDial = makeScreenTimeDetectingDialFunc(opts.Dialer.SystemDial)
+		tr.DialContext = dnscache.Dialer(dialFunc, dnsCache)
+		tr.DialTLSContext = dnscache.TLSDialer(dialFunc, dnsCache, tr.TLSClientConfig)
 		tr.ForceAttemptHTTP2 = true
 		// Disable implicit gzip compression; the various
 		// handlers (register, map, set-dns, etc) do their own
 		// zstd compression per naclbox.
 		tr.DisableCompression = true
+
 		httpc = &http.Client{Transport: tr}
 	}
 
 	c := &Direct{
 		httpc:                      httpc,
+		interceptedDial:            interceptedDial,
 		controlKnobs:               opts.ControlKnobs,
 		getMachinePrivKey:          opts.GetMachinePrivateKey,
 		serverURL:                  opts.ServerURL,
@@ -327,6 +333,9 @@ func (c *Direct) Close() error {
 		}
 	}
 	c.noiseClient = nil
+	if tr, ok := c.httpc.Transport.(*http.Transport); ok {
+		tr.CloseIdleConnections()
+	}
 	return nil
 }
 
@@ -464,6 +473,16 @@ func (c *Direct) hostInfoLocked() *tailcfg.Hostinfo {
 	return hi
 }
 
+var macOSScreenTime = health.Register(&health.Warnable{
+	Code:     "macos-screen-time-controlclient",
+	Severity: health.SeverityHigh,
+	Title:    "Tailscale blocked by Screen Time",
+	Text: func(args health.Args) string {
+		return "macOS Screen Time seems to be blocking Tailscale. Try disabling Screen Time in System Settings > Screen Time > Content & Privacy > Access to Web Content."
+	},
+	ImpactsConnectivity: true,
+})
+
 func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, nks tkatype.MarshaledSignature, err error) {
 	if c.panicOnUse {
 		panic("tainted client")
@@ -473,7 +492,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	tryingNewKey := c.tryingNewKey
 	serverKey := c.serverLegacyKey
 	serverNoiseKey := c.serverNoiseKey
-	authKey, isWrapped, wrappedSig, wrappedKey := decodeWrappedAuthkey(c.authKey, c.logf)
+	authKey, isWrapped, wrappedSig, wrappedKey := tka.DecodeWrappedAuthkey(c.authKey, c.logf)
 	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	expired := !c.expiry.IsZero() && c.expiry.Before(c.clock.Now())
@@ -505,6 +524,11 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	c.logf("doLogin(regen=%v, hasUrl=%v)", regen, opt.URL != "")
 	if serverKey.IsZero() {
 		keys, err := loadServerPubKeys(ctx, c.httpc, c.serverURL)
+		if err != nil && c.interceptedDial != nil && c.interceptedDial.Load() {
+			c.health.SetUnhealthy(macOSScreenTime, nil)
+		} else {
+			c.health.SetHealthy(macOSScreenTime)
+		}
 		if err != nil {
 			return regen, opt.URL, nil, err
 		}
@@ -565,18 +589,10 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		// We were given a wrapped pre-auth key, which means that in addition
 		// to being a regular pre-auth key there was a suffix with information to
 		// generate a tailnet-lock signature.
-		nk, err := tryingNewKey.Public().MarshalBinary()
+		nodeKeySignature, err = tka.SignByCredential(wrappedKey, wrappedSig, tryingNewKey.Public())
 		if err != nil {
-			return false, "", nil, fmt.Errorf("marshalling node-key: %w", err)
+			return false, "", nil, err
 		}
-		sig := &tka.NodeKeySignature{
-			SigKind: tka.SigRotation,
-			Pubkey:  nk,
-			Nested:  wrappedSig,
-		}
-		sigHash := sig.SigHash()
-		sig.Signature = ed25519.Sign(wrappedKey, sigHash[:])
-		nodeKeySignature = sig.Serialize()
 	}
 
 	if backendLogID == "" {
@@ -1581,9 +1597,9 @@ func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailc
 }
 
 // ReportHealthChange reports to the control plane a change to this node's
-// health.
-func (c *Direct) ReportHealthChange(sys health.Subsystem, sysErr error) {
-	if sys == health.SysOverall {
+// health. w must be non-nil. us can be nil to indicate a healthy state for w.
+func (c *Direct) ReportHealthChange(w *health.Warnable, us *health.UnhealthyState) {
+	if w == health.NetworkStatusWarnable || w == health.IPNStateWarnable || w == health.LoginStateWarnable {
 		// We don't report these. These include things like the network is down
 		// (in which case we can't report anyway) or the user wanted things
 		// stopped, as opposed to the more unexpected failure types in the other
@@ -1602,12 +1618,13 @@ func (c *Direct) ReportHealthChange(sys health.Subsystem, sysErr error) {
 	if c.panicOnUse {
 		panic("tainted client")
 	}
+	// TODO(angott): at some point, update `Subsys` in the request to be `Warnable`
 	req := &tailcfg.HealthChangeRequest{
-		Subsys:  string(sys),
+		Subsys:  string(w.Code),
 		NodeKey: nodeKey,
 	}
-	if sysErr != nil {
-		req.Error = sysErr.Error()
+	if us != nil {
+		req.Error = us.Text
 	}
 
 	// Best effort, no logging:
@@ -1620,49 +1637,44 @@ func (c *Direct) ReportHealthChange(sys health.Subsystem, sysErr error) {
 	res.Body.Close()
 }
 
-// decodeWrappedAuthkey separates wrapping information from an authkey, if any.
-// In all cases the authkey is returned, sans wrapping information if any.
-//
-// If the authkey is wrapped, isWrapped returns true, along with the wrapping signature
-// and private key.
-func decodeWrappedAuthkey(key string, logf logger.Logf) (authKey string, isWrapped bool, sig *tka.NodeKeySignature, priv ed25519.PrivateKey) {
-	authKey, suffix, found := strings.Cut(key, "--TL")
-	if !found {
-		return key, false, nil, nil
-	}
-	sigBytes, privBytes, found := strings.Cut(suffix, "-")
-	if !found {
-		logf("decoding wrapped auth-key: did not find delimiter")
-		return key, false, nil, nil
-	}
-
-	rawSig, err := base64.RawStdEncoding.DecodeString(sigBytes)
-	if err != nil {
-		logf("decoding wrapped auth-key: signature decode: %v", err)
-		return key, false, nil, nil
-	}
-	rawPriv, err := base64.RawStdEncoding.DecodeString(privBytes)
-	if err != nil {
-		logf("decoding wrapped auth-key: priv decode: %v", err)
-		return key, false, nil, nil
-	}
-
-	sig = new(tka.NodeKeySignature)
-	if err := sig.Unserialize([]byte(rawSig)); err != nil {
-		logf("decoding wrapped auth-key: signature: %v", err)
-		return key, false, nil, nil
-	}
-	priv = ed25519.PrivateKey(rawPriv)
-
-	return authKey, true, sig, priv
-}
-
 func addLBHeader(req *http.Request, nodeKey key.NodePublic) {
 	if !nodeKey.IsZero() {
 		req.Header.Add(tailcfg.LBHeader, nodeKey.String())
 	}
 }
 
+type dialFunc = func(ctx context.Context, network, addr string) (net.Conn, error)
+
+// makeScreenTimeDetectingDialFunc returns dialFunc, optionally wrapped (on
+// Apple systems) with a func that sets the returned atomic.Bool for whether
+// Screen Time seemed to intercept the connection.
+//
+// The returned *atomic.Bool is nil on non-Apple systems.
+func makeScreenTimeDetectingDialFunc(dial dialFunc) (dialFunc, *atomic.Bool) {
+	switch runtime.GOOS {
+	case "darwin", "ios":
+		// Continue below.
+	default:
+		return dial, nil
+	}
+	ab := new(atomic.Bool)
+	return func(ctx context.Context, network, addr string) (net.Conn, error) {
+		c, err := dial(ctx, network, addr)
+		if err != nil {
+			return nil, err
+		}
+		ab.Store(isTCPLoopback(c.LocalAddr()) && isTCPLoopback(c.RemoteAddr()))
+		return c, nil
+	}, ab
+}
+
+func isTCPLoopback(a net.Addr) bool {
+	if ta, ok := a.(*net.TCPAddr); ok {
+		return ta.IP.IsLoopback()
+	}
+	return false
+}
+
 var (
 	metricMapRequestsActive = clientmetric.NewGauge("controlclient_map_requests_active")
 

control/controlclient/direct_test.go

@@ -4,7 +4,6 @@
 package controlclient
 
 import (
-	"crypto/ed25519"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -147,42 +146,3 @@ func TestTsmpPing(t *testing.T) {
 		t.Fatal(err)
 	}
 }
-
-func TestDecodeWrappedAuthkey(t *testing.T) {
-	k, isWrapped, sig, priv := decodeWrappedAuthkey("tskey-32mjsdkdsffds9o87dsfkjlh", nil)
-	if want := "tskey-32mjsdkdsffds9o87dsfkjlh"; k != want {
-		t.Errorf("decodeWrappedAuthkey(<unwrapped-key>).key = %q, want %q", k, want)
-	}
-	if isWrapped {
-		t.Error("decodeWrappedAuthkey(<unwrapped-key>).isWrapped = true, want false")
-	}
-	if sig != nil {
-		t.Errorf("decodeWrappedAuthkey(<unwrapped-key>).sig = %v, want nil", sig)
-	}
-	if priv != nil {
-		t.Errorf("decodeWrappedAuthkey(<unwrapped-key>).priv = %v, want nil", priv)
-	}
-
-	k, isWrapped, sig, priv = decodeWrappedAuthkey("tskey-auth-k7UagY1CNTRL-ZZZZZ--TLpAEDA1ggnXuw4/fWnNWUwcoOjLemhOvml1juMl5lhLmY5sBUsj8EWEAfL2gdeD9g8VDw5tgcxCiHGlEb67BgU2DlFzZApi4LheLJraA+pYjTGChVhpZz1iyiBPD+U2qxDQAbM3+WFY0EBlggxmVqG53Hu0Rg+KmHJFMlUhfgzo+AQP6+Kk9GzvJJOs4-k36RdoSFqaoARfQo0UncHAV0t3YTqrkD5r/z2jTrE43GZWobnce7RGD4qYckUyVSF+DOj4BA/r4qT0bO8kk6zg", nil)
-	if want := "tskey-auth-k7UagY1CNTRL-ZZZZZ"; k != want {
-		t.Errorf("decodeWrappedAuthkey(<wrapped-key>).key = %q, want %q", k, want)
-	}
-	if !isWrapped {
-		t.Error("decodeWrappedAuthkey(<wrapped-key>).isWrapped = false, want true")
-	}
-
-	if sig == nil {
-		t.Fatal("decodeWrappedAuthkey(<wrapped-key>).sig = nil, want non-nil signature")
-	}
-	sigHash := sig.SigHash()
-	if !ed25519.Verify(sig.KeyID, sigHash[:], sig.Signature) {
-		t.Error("signature failed to verify")
-	}
-
-	// Make sure the private is correct by using it.
-	someSig := ed25519.Sign(priv, []byte{1, 2, 3, 4})
-	if !ed25519.Verify(sig.WrappingPubkey, []byte{1, 2, 3, 4}, someSig) {
-		t.Error("failed to use priv")
-	}
-
-}

control/controlclient/noise.go

@@ -6,10 +6,8 @@ package controlclient
 import (
 	"bytes"
 	"context"
-	"encoding/binary"
 	"encoding/json"
 	"errors"
-	"io"
 	"math"
 	"net/http"
 	"net/url"
@@ -17,9 +15,9 @@ import (
 	"time"
 
 	"golang.org/x/net/http2"
-	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/health"
+	"tailscale.com/internal/noiseconn"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/tsdial"
@@ -32,113 +30,6 @@ import (
 	"tailscale.com/util/singleflight"
 )
 
-// noiseConn is a wrapper around controlbase.Conn.
-// It allows attaching an ID to a connection to allow
-// cleaning up references in the pool when the connection
-// is closed.
-type noiseConn struct {
-	*controlbase.Conn
-	id   int
-	pool *NoiseClient
-	h2cc *http2.ClientConn
-
-	readHeaderOnce    sync.Once     // guards init of reader field
-	reader            io.Reader     // (effectively Conn.Reader after header)
-	earlyPayloadReady chan struct{} // closed after earlyPayload is set (including set to nil)
-	earlyPayload      *tailcfg.EarlyNoise
-	earlyPayloadErr   error
-}
-
-func (c *noiseConn) RoundTrip(r *http.Request) (*http.Response, error) {
-	return c.h2cc.RoundTrip(r)
-}
-
-// getEarlyPayload waits for the early noise payload to arrive.
-// It may return (nil, nil) if the server begins HTTP/2 without one.
-func (c *noiseConn) getEarlyPayload(ctx context.Context) (*tailcfg.EarlyNoise, error) {
-	select {
-	case <-c.earlyPayloadReady:
-		return c.earlyPayload, c.earlyPayloadErr
-	case <-ctx.Done():
-		return nil, ctx.Err()
-	}
-}
-
-// The first 9 bytes from the server to client over Noise are either an HTTP/2
-// settings frame (a normal HTTP/2 setup) or, as we added later, an "early payload"
-// header that's also 9 bytes long: 5 bytes (earlyPayloadMagic) followed by 4 bytes
-// of length. Then that many bytes of JSON-encoded tailcfg.EarlyNoise.
-// The early payload is optional. Some servers may not send it.
-const (
-	hdrLen            = 9 // http2 frame header size; also size of our early payload size header
-	earlyPayloadMagic = "\xff\xff\xffTS"
-)
-
-// returnErrReader is an io.Reader that always returns an error.
-type returnErrReader struct {
-	err error // the error to return
-}
-
-func (r returnErrReader) Read([]byte) (int, error) { return 0, r.err }
-
-// Read is basically the same as controlbase.Conn.Read, but it first reads the
-// "early payload" header from the server which may or may not be present,
-// depending on the server.
-func (c *noiseConn) Read(p []byte) (n int, err error) {
-	c.readHeaderOnce.Do(c.readHeader)
-	return c.reader.Read(p)
-}
-
-// readHeader reads the optional "early payload" from the server that arrives
-// after the Noise handshake but before the HTTP/2 session begins.
-//
-// readHeader is responsible for reading the header (if present), initializing
-// c.earlyPayload, closing c.earlyPayloadReady, and initializing c.reader for
-// future reads.
-func (c *noiseConn) readHeader() {
-	defer close(c.earlyPayloadReady)
-
-	setErr := func(err error) {
-		c.reader = returnErrReader{err}
-		c.earlyPayloadErr = err
-	}
-
-	var hdr [hdrLen]byte
-	if _, err := io.ReadFull(c.Conn, hdr[:]); err != nil {
-		setErr(err)
-		return
-	}
-	if string(hdr[:len(earlyPayloadMagic)]) != earlyPayloadMagic {
-		// No early payload. We have to return the 9 bytes read we already
-		// consumed.
-		c.reader = io.MultiReader(bytes.NewReader(hdr[:]), c.Conn)
-		return
-	}
-	epLen := binary.BigEndian.Uint32(hdr[len(earlyPayloadMagic):])
-	if epLen > 10<<20 {
-		setErr(errors.New("invalid early payload length"))
-		return
-	}
-	payBuf := make([]byte, epLen)
-	if _, err := io.ReadFull(c.Conn, payBuf); err != nil {
-		setErr(err)
-		return
-	}
-	if err := json.Unmarshal(payBuf, &c.earlyPayload); err != nil {
-		setErr(err)
-		return
-	}
-	c.reader = c.Conn
-}
-
-func (c *noiseConn) Close() error {
-	if err := c.Conn.Close(); err != nil {
-		return err
-	}
-	c.pool.connClosed(c.id)
-	return nil
-}
-
 // NoiseClient provides a http.Client to connect to tailcontrol over
 // the ts2021 protocol.
 type NoiseClient struct {
@@ -158,7 +49,7 @@ type NoiseClient struct {
 
 	// sfDial ensures that two concurrent requests for a noise connection only
 	// produce one shared one between the two callers.
-	sfDial singleflight.Group[struct{}, *noiseConn]
+	sfDial singleflight.Group[struct{}, *noiseconn.Conn]
 
 	dialer       *tsdial.Dialer
 	dnsCache     *dnscache.Resolver
@@ -180,9 +71,9 @@ type NoiseClient struct {
 	// mu only protects the following variables.
 	mu       sync.Mutex
 	closed   bool
-	last     *noiseConn // or nil
+	last     *noiseconn.Conn // or nil
 	nextID   int
-	connPool map[int]*noiseConn // active connections not yet closed; see noiseConn.Close
+	connPool map[int]*noiseconn.Conn // active connections not yet closed; see noiseconn.Conn.Close
 }
 
 // NoiseOpts contains options for the NewNoiseClient function. All fields are
@@ -283,11 +174,11 @@ func (nc *NoiseClient) GetSingleUseRoundTripper(ctx context.Context) (http.Round
 		if err != nil {
 			return nil, nil, err
 		}
-		earlyPayloadMaybeNil, err := conn.getEarlyPayload(ctx)
+		ok, earlyPayloadMaybeNil, err := conn.ReserveNewRequest(ctx)
 		if err != nil {
 			return nil, nil, err
 		}
-		if conn.h2cc.ReserveNewRequest() {
+		if ok {
 			return conn, earlyPayloadMaybeNil, nil
 		}
 	}
@@ -308,14 +199,14 @@ func (e contextErr) Unwrap() error {
 	return e.err
 }
 
-// getConn returns a noiseConn that can be used to make requests to the
+// getConn returns a noiseconn.Conn that can be used to make requests to the
 // coordination server. It may return a cached connection or create a new one.
 // Dials are singleflighted, so concurrent calls to getConn may only dial once.
 // As such, context values may not be respected as there are no guarantees that
 // the context passed to getConn is the same as the context passed to dial.
-func (nc *NoiseClient) getConn(ctx context.Context) (*noiseConn, error) {
+func (nc *NoiseClient) getConn(ctx context.Context) (*noiseconn.Conn, error) {
 	nc.mu.Lock()
-	if last := nc.last; last != nil && last.canTakeNewRequest() {
+	if last := nc.last; last != nil && last.CanTakeNewRequest() {
 		nc.mu.Unlock()
 		return last, nil
 	}
@@ -327,7 +218,7 @@ func (nc *NoiseClient) getConn(ctx context.Context) (*noiseConn, error) {
 		// canceled. Instead, we have to additionally check that the context
 		// which was canceled is our context and retry if our context is still
 		// valid.
-		conn, err, _ := nc.sfDial.Do(struct{}{}, func() (*noiseConn, error) {
+		conn, err, _ := nc.sfDial.Do(struct{}{}, func() (*noiseconn.Conn, error) {
 			c, err := nc.dial(ctx)
 			if err != nil {
 				if ctx.Err() != nil {
@@ -395,7 +286,7 @@ func (nc *NoiseClient) Close() error {
 
 // dial opens a new connection to tailcontrol, fetching the server noise key
 // if not cached.
-func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
+func (nc *NoiseClient) dial(ctx context.Context) (*noiseconn.Conn, error) {
 	nc.mu.Lock()
 	connID := nc.nextID
 	nc.nextID++
@@ -465,18 +356,10 @@ func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
 		return nil, err
 	}
 
-	ncc := &noiseConn{
-		Conn:              clientConn.Conn,
-		id:                connID,
-		pool:              nc,
-		earlyPayloadReady: make(chan struct{}),
-	}
-
-	h2cc, err := nc.h2t.NewClientConn(ncc)
+	ncc, err := noiseconn.New(clientConn.Conn, nc.h2t, connID, nc.connClosed)
 	if err != nil {
 		return nil, err
 	}
-	ncc.h2cc = h2cc
 
 	nc.mu.Lock()
 	if nc.closed {
@@ -485,7 +368,7 @@ func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
 		return nil, errors.New("noise client closed")
 	}
 	defer nc.mu.Unlock()
-	mak.Set(&nc.connPool, ncc.id, ncc)
+	mak.Set(&nc.connPool, connID, ncc)
 	nc.last = ncc
 	return ncc, nil
 }
@@ -508,9 +391,5 @@ func (nc *NoiseClient) post(ctx context.Context, path string, nodeKey key.NodePu
 	if err != nil {
 		return nil, err
 	}
-	return conn.h2cc.RoundTrip(req)
-}
-
-func (c *noiseConn) canTakeNewRequest() bool {
-	return c.h2cc.CanTakeNewRequest()
+	return conn.RoundTrip(req)
 }

control/controlclient/noise_test.go

@@ -16,6 +16,7 @@ import (
 
 	"golang.org/x/net/http2"
 	"tailscale.com/control/controlhttp"
+	"tailscale.com/internal/noiseconn"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
@@ -93,22 +94,21 @@ func (tt noiseClientTest) run(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	select {
-	case <-c.earlyPayloadReady:
-		gotNonNil := c.earlyPayload != nil
-		if gotNonNil != tt.sendEarlyPayload {
-			t.Errorf("sendEarlyPayload = %v but got earlyPayload = %T", tt.sendEarlyPayload, c.earlyPayload)
-		}
-		if c.earlyPayload != nil {
-			if c.earlyPayload.NodeKeyChallenge != chalPrivate.Public() {
-				t.Errorf("earlyPayload.NodeKeyChallenge = %v; want %v", c.earlyPayload.NodeKeyChallenge, chalPrivate.Public())
-			}
-		}
-
-	case <-ctx.Done():
+	payload, err := c.GetEarlyPayload(ctx)
+	if err != nil {
 		t.Fatal("timed out waiting for didReadHeaderCh")
 	}
 
+	gotNonNil := payload != nil
+	if gotNonNil != tt.sendEarlyPayload {
+		t.Errorf("sendEarlyPayload = %v but got earlyPayload = %T", tt.sendEarlyPayload, payload)
+	}
+	if payload != nil {
+		if payload.NodeKeyChallenge != chalPrivate.Public() {
+			t.Errorf("earlyPayload.NodeKeyChallenge = %v; want %v", payload.NodeKeyChallenge, chalPrivate.Public())
+		}
+	}
+
 	checkRes := func(t *testing.T, res *http.Response) {
 		t.Helper()
 		defer res.Body.Close()
@@ -184,7 +184,7 @@ func (up *Upgrader) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		// https://httpwg.org/specs/rfc7540.html#rfc.section.4.1 (Especially not
 		// an HTTP/2 settings frame, which isn't of type 'T')
 		var notH2Frame [5]byte
-		copy(notH2Frame[:], earlyPayloadMagic)
+		copy(notH2Frame[:], noiseconn.EarlyPayloadMagic)
 		var lenBuf [4]byte
 		binary.BigEndian.PutUint32(lenBuf[:], uint32(len(earlyJSON)))
 		// These writes are all buffered by caller, so fine to do them

control/controlhttp/client.go

@@ -32,18 +32,21 @@ import (
 	"net/http/httptrace"
 	"net/netip"
 	"net/url"
+	"runtime"
 	"sort"
 	"sync/atomic"
 	"time"
 
 	"tailscale.com/control/controlbase"
 	"tailscale.com/envknob"
+	"tailscale.com/health"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/sockstats"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstime"
 	"tailscale.com/util/multierr"
@@ -396,12 +399,29 @@ func (a *Dialer) resolver() *dnscache.Resolver {
 	}
 }
 
+func isLoopback(a net.Addr) bool {
+	if ta, ok := a.(*net.TCPAddr); ok {
+		return ta.IP.IsLoopback()
+	}
+	return false
+}
+
+var macOSScreenTime = health.Register(&health.Warnable{
+	Code:     "macos-screen-time",
+	Severity: health.SeverityHigh,
+	Title:    "Tailscale blocked by Screen Time",
+	Text: func(args health.Args) string {
+		return "macOS Screen Time seems to be blocking Tailscale. Try disabling Screen Time in System Settings > Screen Time > Content & Privacy > Access to Web Content."
+	},
+	ImpactsConnectivity: true,
+})
+
 // tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn. If addr
 // is valid, then no DNS is used and the connection will be made to the
 // provided address.
 //
 // Only the provided ctx is used, not a.ctx.
-func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr, init []byte) (net.Conn, error) {
+func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr, init []byte) (_ net.Conn, retErr error) {
 	var dns *dnscache.Resolver
 
 	// If we were provided an address to dial, then create a resolver that just
@@ -423,6 +443,30 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,
 		dialer = stdDialer.DialContext
 	}
 
+	// On macOS, see if Screen Time is blocking things.
+	if runtime.GOOS == "darwin" {
+		var proxydIntercepted atomic.Bool // intercepted by macOS webfilterproxyd
+		origDialer := dialer
+		dialer = func(ctx context.Context, network, address string) (net.Conn, error) {
+			c, err := origDialer(ctx, network, address)
+			if err != nil {
+				return nil, err
+			}
+			if isLoopback(c.LocalAddr()) && isLoopback(c.RemoteAddr()) {
+				proxydIntercepted.Store(true)
+			}
+			return c, nil
+		}
+		defer func() {
+			if retErr != nil && proxydIntercepted.Load() {
+				a.HealthTracker.SetUnhealthy(macOSScreenTime, nil)
+				retErr = fmt.Errorf("macOS Screen Time is blocking network access: %w", retErr)
+			} else {
+				a.HealthTracker.SetHealthy(macOSScreenTime)
+			}
+		}()
+	}
+
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	defer tr.CloseIdleConnections()
 	tr.Proxy = a.getProxyFunc()
@@ -454,11 +498,9 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,
 	tr.DisableCompression = true
 
 	// (mis)use httptrace to extract the underlying net.Conn from the
-	// transport. We make exactly 1 request using this transport, so
-	// there will be exactly 1 GotConn call. Additionally, the
-	// transport handles 101 Switching Protocols correctly, such that
-	// the Conn will not be reused or kept alive by the transport once
-	// the response has been handed back from RoundTrip.
+	// transport. The transport handles 101 Switching Protocols correctly,
+	// such that the Conn will not be reused or kept alive by the transport
+	// once the response has been handed back from RoundTrip.
 	//
 	// In theory, the machinery of net/http should make it such that
 	// the trace callback happens-before we get the response, but
@@ -474,10 +516,16 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,
 	// unexpected EOFs...), and we're bound to forget someday and
 	// introduce a protocol optimization at a higher level that starts
 	// eagerly transmitting from the server.
-	connCh := make(chan net.Conn, 1)
+	var lastConn syncs.AtomicValue[net.Conn]
 	trace := httptrace.ClientTrace{
+		// Even though we only make a single HTTP request which should
+		// require a single connection, the context (with the attached
+		// trace configuration) might be used by our custom dialer to
+		// make other HTTP requests (e.g. BootstrapDNS). We only care
+		// about the last connection made, which should be the one to
+		// the control server.
 		GotConn: func(info httptrace.GotConnInfo) {
-			connCh <- info.Conn
+			lastConn.Store(info.Conn)
 		},
 	}
 	ctx = httptrace.WithClientTrace(ctx, &trace)
@@ -505,11 +553,7 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr,
 	// is still a read buffer attached to it within resp.Body. So, we
 	// must direct I/O through resp.Body, but we can still use the
 	// underlying net.Conn for stuff like deadlines.
-	var switchedConn net.Conn
-	select {
-	case switchedConn = <-connCh:
-	default:
-	}
+	switchedConn := lastConn.Load()
 	if switchedConn == nil {
 		resp.Body.Close()
 		return nil, fmt.Errorf("httptrace didn't provide a connection")

control/controlhttp/http_test.go

@@ -11,10 +11,12 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"net/http/httptest"
 	"net/http/httputil"
 	"net/netip"
 	"net/url"
 	"runtime"
+	"slices"
 	"strconv"
 	"sync"
 	"testing"
@@ -41,6 +43,8 @@ type httpTestParam struct {
 	makeHTTPHangAfterUpgrade bool
 
 	doEarlyWrite bool
+
+	httpInDial bool
 }
 
 func TestControlHTTP(t *testing.T) {
@@ -120,6 +124,12 @@ func TestControlHTTP(t *testing.T) {
 			name:         "early_write",
 			doEarlyWrite: true,
 		},
+		// Dialer needed to make another HTTP request along the way (e.g. to
+		// resolve the hostname via BootstrapDNS).
+		{
+			name:       "http_request_in_dial",
+			httpInDial: true,
+		},
 	}
 
 	for _, test := range tests {
@@ -217,6 +227,29 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		Clock:                clock,
 	}
 
+	if param.httpInDial {
+		// Spin up a separate server to get a different port on localhost.
+		secondServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return }))
+		defer secondServer.Close()
+
+		prev := a.Dialer
+		a.Dialer = func(ctx context.Context, network, addr string) (net.Conn, error) {
+			ctx, cancel := context.WithTimeout(ctx, time.Second)
+			defer cancel()
+			req, err := http.NewRequestWithContext(ctx, "GET", secondServer.URL, nil)
+			if err != nil {
+				t.Errorf("http.NewRequest: %v", err)
+			}
+			r, err := http.DefaultClient.Do(req)
+			if err != nil {
+				t.Errorf("http.Get: %v", err)
+			}
+			r.Body.Close()
+
+			return prev(ctx, network, addr)
+		}
+	}
+
 	if proxy != nil {
 		proxyEnv := proxy.Start(t)
 		defer proxy.Close()
@@ -238,6 +271,7 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		t.Fatalf("dialing controlhttp: %v", err)
 	}
 	defer conn.Close()
+
 	si := <-sch
 	if si.conn != nil {
 		defer si.conn.Close()
@@ -266,6 +300,19 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 			t.Errorf("early write = %q; want %q", buf, earlyWriteMsg)
 		}
 	}
+
+	// When no proxy is used, the RemoteAddr of the returned connection should match
+	// one of the listeners of the test server.
+	if proxy == nil {
+		var expectedAddrs []string
+		for _, ln := range []net.Listener{httpLn, httpsLn} {
+			expectedAddrs = append(expectedAddrs, fmt.Sprintf("127.0.0.1:%d", ln.Addr().(*net.TCPAddr).Port))
+			expectedAddrs = append(expectedAddrs, fmt.Sprintf("[::1]:%d", ln.Addr().(*net.TCPAddr).Port))
+		}
+		if !slices.Contains(expectedAddrs, conn.RemoteAddr().String()) {
+			t.Errorf("unexpected remote addr: %s, want %s", conn.RemoteAddr(), expectedAddrs)
+		}
+	}
 }
 
 type serverResult struct {

control/controlknobs/controlknobs.go

@@ -19,10 +19,6 @@ type Knobs struct {
 	// DisableUPnP indicates whether to attempt UPnP mapping.
 	DisableUPnP atomic.Bool
 
-	// DisableDRPO is whether control says to disable the
-	// DERP route optimization (Issue 150).
-	DisableDRPO atomic.Bool
-
 	// KeepFullWGConfig is whether we should disable the lazy wireguard
 	// programming and instead give WireGuard the full netmap always, even for
 	// idle peers.
@@ -90,6 +86,23 @@ type Knobs struct {
 	// This is for now (2024-06-06) an iOS-specific battery life optimization,
 	// and this knob allows us to disable the optimization remotely if needed.
 	DisableSplitDNSWhenNoCustomResolvers atomic.Bool
+
+	// DisableLocalDNSOverrideViaNRPT indicates that the node's DNS manager should not
+	// create a default (catch-all) Windows NRPT rule when "Override local DNS" is enabled.
+	// Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers
+	// associated with all network adapters, even when "Override local DNS" is enabled and/or
+	// a Mullvad exit node is being used, resulting in DNS leaks.
+	// We began creating this rule on 2024-06-14, and this knob
+	// allows us to disable the new behavior remotely if needed.
+	DisableLocalDNSOverrideViaNRPT atomic.Bool
+
+	// DisableCryptorouting indicates that the node should not use the
+	// magicsock crypto routing feature.
+	DisableCryptorouting atomic.Bool
+
+	// DisableCaptivePortalDetection is whether the node should not perform captive portal detection
+	// automatically when the network state changes.
+	DisableCaptivePortalDetection atomic.Bool
 }
 
 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -101,7 +114,6 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 	has := capMap.Contains
 	var (
 		keepFullWG                           = has(tailcfg.NodeAttrDebugDisableWGTrim)
-		disableDRPO                          = has(tailcfg.NodeAttrDebugDisableDRPO)
 		disableUPnP                          = has(tailcfg.NodeAttrDisableUPnP)
 		randomizeClientPort                  = has(tailcfg.NodeAttrRandomizeClientPort)
 		disableDeltaUpdates                  = has(tailcfg.NodeAttrDisableDeltaUpdates)
@@ -117,6 +129,9 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 		appCStoreRoutes                      = has(tailcfg.NodeAttrStoreAppCRoutes)
 		userDialUseRoutes                    = has(tailcfg.NodeAttrUserDialUseRoutes)
 		disableSplitDNSWhenNoCustomResolvers = has(tailcfg.NodeAttrDisableSplitDNSWhenNoCustomResolvers)
+		disableLocalDNSOverrideViaNRPT       = has(tailcfg.NodeAttrDisableLocalDNSOverrideViaNRPT)
+		disableCryptorouting                 = has(tailcfg.NodeAttrDisableMagicSockCryptoRouting)
+		disableCaptivePortalDetection        = has(tailcfg.NodeAttrDisableCaptivePortalDetection)
 	)
 
 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -126,7 +141,6 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 	}
 
 	k.KeepFullWGConfig.Store(keepFullWG)
-	k.DisableDRPO.Store(disableDRPO)
 	k.DisableUPnP.Store(disableUPnP)
 	k.RandomizeClientPort.Store(randomizeClientPort)
 	k.OneCGNAT.Store(oneCGNAT)
@@ -142,6 +156,9 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
 	k.AppCStoreRoutes.Store(appCStoreRoutes)
 	k.UserDialUseRoutes.Store(userDialUseRoutes)
 	k.DisableSplitDNSWhenNoCustomResolvers.Store(disableSplitDNSWhenNoCustomResolvers)
+	k.DisableLocalDNSOverrideViaNRPT.Store(disableLocalDNSOverrideViaNRPT)
+	k.DisableCryptorouting.Store(disableCryptorouting)
+	k.DisableCaptivePortalDetection.Store(disableCaptivePortalDetection)
 }
 
 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -152,7 +169,6 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 	}
 	return map[string]any{
 		"DisableUPnP":                          k.DisableUPnP.Load(),
-		"DisableDRPO":                          k.DisableDRPO.Load(),
 		"KeepFullWGConfig":                     k.KeepFullWGConfig.Load(),
 		"RandomizeClientPort":                  k.RandomizeClientPort.Load(),
 		"OneCGNAT":                             k.OneCGNAT.Load(),
@@ -168,5 +184,8 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 		"AppCStoreRoutes":                      k.AppCStoreRoutes.Load(),
 		"UserDialUseRoutes":                    k.UserDialUseRoutes.Load(),
 		"DisableSplitDNSWhenNoCustomResolvers": k.DisableSplitDNSWhenNoCustomResolvers.Load(),
+		"DisableLocalDNSOverrideViaNRPT":       k.DisableLocalDNSOverrideViaNRPT.Load(),
+		"DisableCryptorouting":                 k.DisableCryptorouting.Load(),
+		"DisableCaptivePortalDetection":        k.DisableCaptivePortalDetection.Load(),
 	}
 }

derp/derp.go

@@ -83,9 +83,16 @@ const (
 	// a bug).
 	framePeerGone = frameType(0x08) // 32B pub key of peer that's gone + 1 byte reason
 
-	// framePeerPresent is like framePeerGone, but for other
-	// members of the DERP region when they're meshed up together.
-	framePeerPresent = frameType(0x09) // 32B pub key of peer that's connected + optional 18B ip:port (16 byte IP + 2 byte BE uint16 port)
+	// framePeerPresent is like framePeerGone, but for other members of the DERP
+	// region when they're meshed up together.
+	//
+	// The message is at least 32 bytes (the public key of the peer that's
+	// connected). If there are at least 18 bytes remaining after that, it's the
+	// 16 byte IP + 2 byte BE uint16 port of the client. If there's another byte
+	// remaining after that, it's a PeerPresentFlags byte.
+	// While current servers send 41 bytes, old servers will send fewer, and newer
+	// servers might send more.
+	framePeerPresent = frameType(0x09)
 
 	// frameWatchConns is how one DERP node in a regional mesh
 	// subscribes to the others in the region.
@@ -124,8 +131,22 @@ const (
 type PeerGoneReasonType byte
 
 const (
-	PeerGoneReasonDisconnected = PeerGoneReasonType(0x00) // peer disconnected from this server
-	PeerGoneReasonNotHere      = PeerGoneReasonType(0x01) // server doesn't know about this peer, unexpected
+	PeerGoneReasonDisconnected  = PeerGoneReasonType(0x00) // peer disconnected from this server
+	PeerGoneReasonNotHere       = PeerGoneReasonType(0x01) // server doesn't know about this peer, unexpected
+	PeerGoneReasonMeshConnBroke = PeerGoneReasonType(0xf0) // invented by Client.RunWatchConnectionLoop on disconnect; not sent on the wire
+)
+
+// PeerPresentFlags is an optional byte of bit flags sent after a framePeerPresent message.
+//
+// For a modern server, the value should always be non-zero. If the value is zero,
+// that means the server doesn't support this field.
+type PeerPresentFlags byte
+
+// PeerPresentFlags bits.
+const (
+	PeerPresentIsRegular  = 1 << 0
+	PeerPresentIsMeshPeer = 1 << 1
+	PeerPresentIsProber   = 1 << 2
 )
 
 var bin = binary.BigEndian

derp/derp_client.go

@@ -368,6 +368,8 @@ type PeerPresentMessage struct {
 	Key key.NodePublic
 	// IPPort is the remote IP and port of the client.
 	IPPort netip.AddrPort
+	// Flags is a bitmask of info about the client.
+	Flags PeerPresentFlags
 }
 
 func (PeerPresentMessage) msg() {}
@@ -547,18 +549,33 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			return pg, nil
 
 		case framePeerPresent:
-			if n < keyLen {
+			remain := b
+			chunk, remain, ok := cutLeadingN(remain, keyLen)
+			if !ok {
 				c.logf("[unexpected] dropping short peerPresent frame from DERP server")
 				continue
 			}
 			var msg PeerPresentMessage
-			msg.Key = key.NodePublicFromRaw32(mem.B(b[:keyLen]))
-			if n >= keyLen+16+2 {
-				msg.IPPort = netip.AddrPortFrom(
-					netip.AddrFrom16([16]byte(b[keyLen:keyLen+16])).Unmap(),
-					binary.BigEndian.Uint16(b[keyLen+16:keyLen+16+2]),
-				)
+			msg.Key = key.NodePublicFromRaw32(mem.B(chunk))
+
+			const ipLen = 16
+			const portLen = 2
+			chunk, remain, ok = cutLeadingN(remain, ipLen+portLen)
+			if !ok {
+				// Older server which didn't send the IP.
+				return msg, nil
 			}
+			msg.IPPort = netip.AddrPortFrom(
+				netip.AddrFrom16([16]byte(chunk[:ipLen])).Unmap(),
+				binary.BigEndian.Uint16(chunk[ipLen:]),
+			)
+
+			chunk, _, ok = cutLeadingN(remain, 1)
+			if !ok {
+				// Older server which doesn't send PeerPresentFlags.
+				return msg, nil
+			}
+			msg.Flags = PeerPresentFlags(chunk[0])
 			return msg, nil
 
 		case frameRecvPacket:
@@ -636,3 +653,10 @@ func (c *Client) LocalAddr() (netip.AddrPort, error) {
 	}
 	return netip.ParseAddrPort(a.String())
 }
+
+func cutLeadingN(b []byte, n int) (chunk, remain []byte, ok bool) {
+	if len(b) >= n {
+		return b[:n], b[n:], true
+	}
+	return nil, b, false
+}

derp/derp_server.go

@@ -141,6 +141,8 @@ type Server struct {
 	removePktForwardOther        expvar.Int
 	avgQueueDuration             *uint64          // In milliseconds; accessed atomically
 	tcpRtt                       metrics.LabelMap // histogram
+	meshUpdateBatchSize          *metrics.Histogram
+	meshUpdateLoopCount          *metrics.Histogram
 
 	// verifyClientsLocalTailscaled only accepts client connections to the DERP
 	// server if the clientKey is a known peer in the network, as specified by a
@@ -323,6 +325,8 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 		sentTo:               map[key.NodePublic]map[key.NodePublic]int64{},
 		avgQueueDuration:     new(uint64),
 		tcpRtt:               metrics.LabelMap{Label: "le"},
+		meshUpdateBatchSize:  metrics.NewHistogram([]float64{0, 1, 2, 5, 10, 20, 50, 100, 200, 500, 1000}),
+		meshUpdateLoopCount:  metrics.NewHistogram([]float64{0, 1, 2, 5, 10, 20, 50, 100}),
 		keyOfAddr:            map[netip.AddrPort]key.NodePublic{},
 		clock:                tstime.StdClock{},
 	}
@@ -566,7 +570,7 @@ func (s *Server) registerClient(c *sclient) {
 	}
 	s.keyOfAddr[c.remoteIPPort] = c.key
 	s.curClients.Add(1)
-	s.broadcastPeerStateChangeLocked(c.key, c.remoteIPPort, true)
+	s.broadcastPeerStateChangeLocked(c.key, c.remoteIPPort, c.presentFlags(), true)
 }
 
 // broadcastPeerStateChangeLocked enqueues a message to all watchers
@@ -574,12 +578,13 @@ func (s *Server) registerClient(c *sclient) {
 // presence changed.
 //
 // s.mu must be held.
-func (s *Server) broadcastPeerStateChangeLocked(peer key.NodePublic, ipPort netip.AddrPort, present bool) {
+func (s *Server) broadcastPeerStateChangeLocked(peer key.NodePublic, ipPort netip.AddrPort, flags PeerPresentFlags, present bool) {
 	for w := range s.watchers {
 		w.peerStateChange = append(w.peerStateChange, peerConnState{
 			peer:    peer,
 			present: present,
 			ipPort:  ipPort,
+			flags:   flags,
 		})
 		go w.requestMeshUpdate()
 	}
@@ -601,7 +606,7 @@ func (s *Server) unregisterClient(c *sclient) {
 			delete(s.clientsMesh, c.key)
 			s.notePeerGoneFromRegionLocked(c.key)
 		}
-		s.broadcastPeerStateChangeLocked(c.key, netip.AddrPort{}, false)
+		s.broadcastPeerStateChangeLocked(c.key, netip.AddrPort{}, 0, false)
 	case *dupClientSet:
 		c.debugLogf("removed duplicate client")
 		if set.removeClient(c) {
@@ -700,6 +705,7 @@ func (s *Server) addWatcher(c *sclient) {
 			peer:    peer,
 			present: true,
 			ipPort:  ac.remoteIPPort,
+			flags:   ac.presentFlags(),
 		})
 	}
 
@@ -725,7 +731,7 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 
 	clientAP, _ := netip.ParseAddrPort(remoteAddr)
 	if err := s.verifyClient(ctx, clientKey, clientInfo, clientAP.Addr()); err != nil {
-		return fmt.Errorf("client %x rejected: %v", clientKey, err)
+		return fmt.Errorf("client %v rejected: %v", clientKey, err)
 	}
 
 	// At this point we trust the client so we don't time out.
@@ -751,12 +757,12 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 		discoSendQueue: make(chan pkt, perClientSendQueueDepth),
 		sendPongCh:     make(chan [8]byte, 1),
 		peerGone:       make(chan peerGoneMsg),
-		canMesh:        clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
+		canMesh:        s.isMeshPeer(clientInfo),
 		peerGoneLim:    rate.NewLimiter(rate.Every(time.Second), 3),
 	}
 
 	if c.canMesh {
-		c.meshUpdate = make(chan struct{})
+		c.meshUpdate = make(chan struct{}, 1) // must be buffered; >1 is fine but wasteful
 	}
 	if clientInfo != nil {
 		c.info = *clientInfo
@@ -939,7 +945,7 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 
 	srcKey, dstKey, contents, err := s.recvForwardPacket(c.br, fl)
 	if err != nil {
-		return fmt.Errorf("client %x: recvForwardPacket: %v", c.key, err)
+		return fmt.Errorf("client %v: recvForwardPacket: %v", c.key, err)
 	}
 	s.packetsForwardedIn.Add(1)
 
@@ -994,7 +1000,7 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 
 	dstKey, contents, err := s.recvPacket(c.br, fl)
 	if err != nil {
-		return fmt.Errorf("client %x: recvPacket: %v", c.key, err)
+		return fmt.Errorf("client %v: recvPacket: %v", c.key, err)
 	}
 
 	var fwd PacketForwarder
@@ -1141,30 +1147,51 @@ func (c *sclient) requestPeerGoneWrite(peer key.NodePublic, reason PeerGoneReaso
 	}
 }
 
+// requestMeshUpdate notes that a c's peerStateChange has been appended to and
+// should now be written.
+//
+// It does not block. If a meshUpdate is already pending for this client, it
+// does nothing.
 func (c *sclient) requestMeshUpdate() {
 	if !c.canMesh {
 		panic("unexpected requestMeshUpdate")
 	}
 	select {
 	case c.meshUpdate <- struct{}{}:
-	case <-c.done:
+	default:
 	}
 }
 
+var localClient tailscale.LocalClient
+
+// isMeshPeer reports whether the client is a trusted mesh peer
+// node in the DERP region.
+func (s *Server) isMeshPeer(info *clientInfo) bool {
+	return info != nil && info.MeshKey != "" && info.MeshKey == s.meshKey
+}
+
 // verifyClient checks whether the client is allowed to connect to the derper,
 // depending on how & whether the server's been configured to verify.
 func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, info *clientInfo, clientIP netip.Addr) error {
+	if s.isMeshPeer(info) {
+		// Trusted mesh peer. No need to verify further. In fact, verifying
+		// further wouldn't work: it's not part of the tailnet so tailscaled and
+		// likely the admission control URL wouldn't know about it.
+		return nil
+	}
+
 	// tailscaled-based verification:
 	if s.verifyClientsLocalTailscaled {
-		status, err := tailscale.Status(ctx)
+		_, err := localClient.WhoIsNodeKey(ctx, clientKey)
+		if err == tailscale.ErrPeerNotFound {
+			return fmt.Errorf("peer %v not authorized (not found in local tailscaled)", clientKey)
+		}
 		if err != nil {
-			return fmt.Errorf("failed to query local tailscaled status: %w", err)
-		}
-		if clientKey == status.Self.PublicKey {
-			return nil
-		}
-		if _, exists := status.Peer[clientKey]; !exists {
-			return fmt.Errorf("client %v not in set of peers", clientKey)
+			if strings.Contains(err.Error(), "invalid 'addr' parameter") {
+				// Issue 12617
+				return errors.New("tailscaled version is too old (out of sync with derper binary)")
+			}
+			return fmt.Errorf("failed to query local tailscaled status for %v: %w", clientKey, err)
 		}
 	}
 
@@ -1423,11 +1450,26 @@ type sclient struct {
 	peerGoneLim *rate.Limiter
 }
 
+func (c *sclient) presentFlags() PeerPresentFlags {
+	var f PeerPresentFlags
+	if c.info.IsProber {
+		f |= PeerPresentIsProber
+	}
+	if c.canMesh {
+		f |= PeerPresentIsMeshPeer
+	}
+	if f == 0 {
+		return PeerPresentIsRegular
+	}
+	return f
+}
+
 // peerConnState represents whether a peer is connected to the server
 // or not.
 type peerConnState struct {
 	ipPort  netip.AddrPort // if present, the peer's IP:port
 	peer    key.NodePublic
+	flags   PeerPresentFlags
 	present bool
 }
 
@@ -1601,6 +1643,11 @@ func (c *sclient) sendPong(data [8]byte) error {
 	return err
 }
 
+const (
+	peerGoneFrameLen    = keyLen + 1
+	peerPresentFrameLen = keyLen + 16 + 2 + 1 // 16 byte IP + 2 byte port + 1 byte flags
+)
+
 // sendPeerGone sends a peerGone frame, without flushing.
 func (c *sclient) sendPeerGone(peer key.NodePublic, reason PeerGoneReasonType) error {
 	switch reason {
@@ -1610,7 +1657,7 @@ func (c *sclient) sendPeerGone(peer key.NodePublic, reason PeerGoneReasonType) e
 		c.s.peerGoneNotHereFrames.Add(1)
 	}
 	c.setWriteDeadline()
-	data := make([]byte, 0, keyLen+1)
+	data := make([]byte, 0, peerGoneFrameLen)
 	data = peer.AppendTo(data)
 	data = append(data, byte(reason))
 	if err := writeFrameHeader(c.bw.bw(), framePeerGone, uint32(len(data))); err != nil {
@@ -1622,73 +1669,62 @@ func (c *sclient) sendPeerGone(peer key.NodePublic, reason PeerGoneReasonType) e
 }
 
 // sendPeerPresent sends a peerPresent frame, without flushing.
-func (c *sclient) sendPeerPresent(peer key.NodePublic, ipPort netip.AddrPort) error {
+func (c *sclient) sendPeerPresent(peer key.NodePublic, ipPort netip.AddrPort, flags PeerPresentFlags) error {
 	c.setWriteDeadline()
-	const frameLen = keyLen + 16 + 2
-	if err := writeFrameHeader(c.bw.bw(), framePeerPresent, frameLen); err != nil {
+	if err := writeFrameHeader(c.bw.bw(), framePeerPresent, peerPresentFrameLen); err != nil {
 		return err
 	}
-	payload := make([]byte, frameLen)
+	payload := make([]byte, peerPresentFrameLen)
 	_ = peer.AppendTo(payload[:0])
 	a16 := ipPort.Addr().As16()
 	copy(payload[keyLen:], a16[:])
 	binary.BigEndian.PutUint16(payload[keyLen+16:], ipPort.Port())
+	payload[keyLen+18] = byte(flags)
 	_, err := c.bw.Write(payload)
 	return err
 }
 
-// sendMeshUpdates drains as many mesh peerStateChange entries as
-// possible into the write buffer WITHOUT flushing or otherwise
-// blocking (as it holds c.s.mu while working). If it can't drain them
-// all, it schedules itself to be called again in the future.
+// sendMeshUpdates drains all mesh peerStateChange entries into the write buffer
+// without flushing.
 func (c *sclient) sendMeshUpdates() error {
-	c.s.mu.Lock()
-	defer c.s.mu.Unlock()
+	var lastBatch []peerConnState // memory to best effort reuse
 
-	// allow all happened-before mesh update request goroutines to complete, if
-	// we don't finish the task we'll queue another below.
-drainUpdates:
-	for {
-		select {
-		case <-c.meshUpdate:
-		default:
-			break drainUpdates
+	// takeAll returns c.peerStateChange and empties it.
+	takeAll := func() []peerConnState {
+		c.s.mu.Lock()
+		defer c.s.mu.Unlock()
+		if len(c.peerStateChange) == 0 {
+			return nil
 		}
+		batch := c.peerStateChange
+		if cap(lastBatch) > 16 {
+			lastBatch = nil
+		}
+		c.peerStateChange = lastBatch[:0]
+		return batch
 	}
 
-	writes := 0
-	for _, pcs := range c.peerStateChange {
-		if c.bw.Available() <= frameHeaderLen+keyLen {
-			break
+	for loops := 0; ; loops++ {
+		batch := takeAll()
+		if len(batch) == 0 {
+			c.s.meshUpdateLoopCount.Observe(float64(loops))
+			return nil
 		}
-		var err error
-		if pcs.present {
-			err = c.sendPeerPresent(pcs.peer, pcs.ipPort)
-		} else {
-			err = c.sendPeerGone(pcs.peer, PeerGoneReasonDisconnected)
-		}
-		if err != nil {
-			// Shouldn't happen, though, as we're writing
-			// into available buffer space, not the
-			// network.
-			return err
-		}
-		writes++
-	}
+		c.s.meshUpdateBatchSize.Observe(float64(len(batch)))
 
-	remain := copy(c.peerStateChange, c.peerStateChange[writes:])
-	c.peerStateChange = c.peerStateChange[:remain]
-
-	// Did we manage to write them all into the bufio buffer without flushing?
-	if len(c.peerStateChange) == 0 {
-		if cap(c.peerStateChange) > 16 {
-			c.peerStateChange = nil
+		for _, pcs := range batch {
+			var err error
+			if pcs.present {
+				err = c.sendPeerPresent(pcs.peer, pcs.ipPort, pcs.flags)
+			} else {
+				err = c.sendPeerGone(pcs.peer, PeerGoneReasonDisconnected)
+			}
+			if err != nil {
+				return err
+			}
 		}
-	} else {
-		// Didn't finish in the buffer space provided; schedule a future run.
-		go c.requestMeshUpdate()
+		lastBatch = batch
 	}
-	return nil
 }
 
 // sendPacket writes contents to the client in a RecvPacket frame. If
@@ -1917,6 +1953,8 @@ func (s *Server) ExpVar() expvar.Var {
 		return math.Float64frombits(atomic.LoadUint64(s.avgQueueDuration))
 	}))
 	m.Set("counter_tcp_rtt", &s.tcpRtt)
+	m.Set("counter_mesh_update_batch_size", s.meshUpdateBatchSize)
+	m.Set("counter_mesh_update_loop_count", s.meshUpdateLoopCount)
 	var expvarVersion expvar.String
 	expvarVersion.Set(version.Long())
 	m.Set("version", &expvarVersion)
@@ -1956,12 +1994,37 @@ func (s *Server) ConsistencyCheck() error {
 			s.curClients.Value(),
 			len(s.clients)))
 	}
+
+	if s.verifyClientsLocalTailscaled {
+		if err := s.checkVerifyClientsLocalTailscaled(); err != nil {
+			errs = append(errs, err.Error())
+		}
+	}
+
 	if len(errs) == 0 {
 		return nil
 	}
 	return errors.New(strings.Join(errs, ", "))
 }
 
+// checkVerifyClientsLocalTailscaled checks that a verifyClients call can be made successfully for the derper hosts own node key.
+func (s *Server) checkVerifyClientsLocalTailscaled() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	status, err := localClient.StatusWithoutPeers(ctx)
+	if err != nil {
+		return fmt.Errorf("localClient.Status: %w", err)
+	}
+	info := &clientInfo{
+		IsProber: true,
+	}
+	clientIP := netip.IPv6Loopback()
+	if err := s.verifyClient(ctx, status.Self.PublicKey, info, clientIP); err != nil {
+		return fmt.Errorf("verifyClient for self nodekey: %w", err)
+	}
+	return nil
+}
+
 const minTimeBetweenLogs = 2 * time.Second
 
 // BytesSentRecv records the number of bytes that have been sent since the last traffic check

derp/derp_test.go

@@ -623,7 +623,13 @@ func (tc *testClient) wantPresent(t *testing.T, peers ...key.NodePublic) {
 					}
 				}))
 			}
-			t.Logf("got present with IP %v", m.IPPort)
+			t.Logf("got present with IP %v, flags=%v", m.IPPort, m.Flags)
+			switch m.Flags {
+			case PeerPresentIsMeshPeer, PeerPresentIsRegular:
+				// Okay
+			default:
+				t.Errorf("unexpected PeerPresentIsMeshPeer flags %v", m.Flags)
+			}
 			delete(want, got)
 			if len(want) == 0 {
 				return

derp/derphttp/derphttp_client.go

@@ -381,6 +381,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	}()
 
 	var node *tailcfg.DERPNode // nil when using c.url to dial
+	var idealNodeInRegion bool
 	switch {
 	case useWebsockets():
 		var urlStr string
@@ -421,6 +422,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	default:
 		c.logf("%s: connecting to derp-%d (%v)", caller, reg.RegionID, reg.RegionCode)
 		tcpConn, node, err = c.dialRegion(ctx, reg)
+		idealNodeInRegion = err == nil && reg.Nodes[0] == node
 	}
 	if err != nil {
 		return nil, 0, err
@@ -494,6 +496,18 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	}
 	req.Header.Set("Upgrade", "DERP")
 	req.Header.Set("Connection", "Upgrade")
+	if !idealNodeInRegion && reg != nil {
+		// This is purely informative for now (2024-07-06) for stats:
+		req.Header.Set("Ideal-Node", reg.Nodes[0].Name)
+		// TODO(bradfitz,raggi): start a time.AfterFunc for 30m-1h or so to
+		// dialNode(reg.Nodes[0]) and see if we can even TCP connect to it. If
+		// so, TLS handshake it as well (which is mixed up in this massive
+		// connect method) and then if it all appears good, grab the mutex, bump
+		// connGen, finish the Upgrade, close the old one, and set a new field
+		// on Client that's like "here's the connect result and connGen for the
+		// next connect that comes in"). Tracking bug for all this is:
+		// https://github.com/tailscale/tailscale/issues/12724
+	}
 
 	if !serverPub.IsZero() && serverProtoVersion != 0 {
 		// parseMetaCert found the server's public key (no TLS

derp/derphttp/derphttp_test.go

@@ -11,7 +11,6 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"sync"
 	"testing"
 	"time"
@@ -299,13 +298,13 @@ func TestBreakWatcherConnRecv(t *testing.T) {
 	go func() {
 		defer wg.Done()
 		var peers int
-		add := func(k key.NodePublic, _ netip.AddrPort) {
-			t.Logf("add: %v", k.ShortString())
+		add := func(m derp.PeerPresentMessage) {
+			t.Logf("add: %v", m.Key.ShortString())
 			peers++
 			// Signal that the watcher has run
 			watcherChan <- peers
 		}
-		remove := func(k key.NodePublic) { t.Logf("remove: %v", k.ShortString()); peers-- }
+		remove := func(m derp.PeerGoneMessage) { t.Logf("remove: %v", m.Peer.ShortString()); peers-- }
 
 		watcher1.RunWatchConnectionLoop(ctx, serverPrivateKey1.Public(), t.Logf, add, remove)
 	}()
@@ -370,15 +369,15 @@ func TestBreakWatcherConn(t *testing.T) {
 	go func() {
 		defer wg.Done()
 		var peers int
-		add := func(k key.NodePublic, _ netip.AddrPort) {
-			t.Logf("add: %v", k.ShortString())
+		add := func(m derp.PeerPresentMessage) {
+			t.Logf("add: %v", m.Key.ShortString())
 			peers++
 			// Signal that the watcher has run
 			watcherChan <- peers
 			// Wait for breaker to run
 			<-breakerChan
 		}
-		remove := func(k key.NodePublic) { t.Logf("remove: %v", k.ShortString()); peers-- }
+		remove := func(m derp.PeerGoneMessage) { t.Logf("remove: %v", m.Peer.ShortString()); peers-- }
 
 		watcher1.RunWatchConnectionLoop(ctx, serverPrivateKey1.Public(), t.Logf, add, remove)
 	}()
@@ -407,8 +406,8 @@ func TestBreakWatcherConn(t *testing.T) {
 	}
 }
 
-func noopAdd(key.NodePublic, netip.AddrPort) {}
-func noopRemove(key.NodePublic)              {}
+func noopAdd(derp.PeerPresentMessage) {}
+func noopRemove(derp.PeerGoneMessage) {}
 
 func TestRunWatchConnectionLoopServeConnect(t *testing.T) {
 	defer func() { testHookWatchLookConnectResult = nil }()

derp/derphttp/mesh_client.go

@@ -5,7 +5,6 @@ package derphttp
 
 import (
 	"context"
-	"net/netip"
 	"sync"
 	"time"
 
@@ -35,9 +34,14 @@ var testHookWatchLookConnectResult func(connectError error, wasSelfConnect bool)
 // To force RunWatchConnectionLoop to return quickly, its ctx needs to be
 // closed, and c itself needs to be closed.
 //
-// It is a fatal error to call this on an already-started Client withoutq having
+// It is a fatal error to call this on an already-started Client without having
 // initialized Client.WatchConnectionChanges to true.
-func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key.NodePublic, infoLogf logger.Logf, add func(key.NodePublic, netip.AddrPort), remove func(key.NodePublic)) {
+//
+// If the DERP connection breaks and reconnects, remove will be called for all
+// previously seen peers, with Reason type PeerGoneReasonSynthetic. Those
+// clients are likely still connected and their add message will appear after
+// reconnect.
+func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key.NodePublic, infoLogf logger.Logf, add func(derp.PeerPresentMessage), remove func(derp.PeerGoneMessage)) {
 	if !c.WatchConnectionChanges {
 		if c.isStarted() {
 			panic("invalid use of RunWatchConnectionLoop on already-started Client without setting Client.RunWatchConnectionLoop")
@@ -62,7 +66,7 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 		}
 		logf("reconnected; clearing %d forwarding mappings", len(present))
 		for k := range present {
-			remove(k)
+			remove(derp.PeerGoneMessage{Peer: k, Reason: derp.PeerGoneReasonMeshConnBroke})
 		}
 		present = map[key.NodePublic]bool{}
 	}
@@ -84,13 +88,7 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 	})
 	defer timer.Stop()
 
-	updatePeer := func(k key.NodePublic, ipPort netip.AddrPort, isPresent bool) {
-		if isPresent {
-			add(k, ipPort)
-		} else {
-			remove(k)
-		}
-
+	updatePeer := func(k key.NodePublic, isPresent bool) {
 		mu.Lock()
 		defer mu.Unlock()
 		if isPresent {
@@ -148,7 +146,8 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 			}
 			switch m := m.(type) {
 			case derp.PeerPresentMessage:
-				updatePeer(m.Key, m.IPPort, true)
+				add(m)
+				updatePeer(m.Key, true)
 			case derp.PeerGoneMessage:
 				switch m.Reason {
 				case derp.PeerGoneReasonDisconnected:
@@ -160,7 +159,8 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 					logf("Recv: peer %s not at server %s for unknown reason %v",
 						key.NodePublic(m.Peer).ShortString(), c.ServerPublicKey().ShortString(), m.Reason)
 				}
-				updatePeer(key.NodePublic(m.Peer), netip.AddrPort{}, false)
+				remove(m)
+				updatePeer(m.Peer, false)
 			default:
 				continue
 			}

derp/xdp/bpf_bpfeb.go

@@ -0,0 +1,170 @@
+// Code generated by bpf2go; DO NOT EDIT.
+//go:build mips || mips64 || ppc64 || s390x
+
+package xdp
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+
+	"github.com/cilium/ebpf"
+)
+
+type bpfConfig struct {
+	DstPort  uint16
+	DropStun uint16
+}
+
+type bpfCounterKeyAf uint32
+
+const (
+	bpfCounterKeyAfCOUNTER_KEY_AF_UNKNOWN bpfCounterKeyAf = 0
+	bpfCounterKeyAfCOUNTER_KEY_AF_IPV4    bpfCounterKeyAf = 1
+	bpfCounterKeyAfCOUNTER_KEY_AF_IPV6    bpfCounterKeyAf = 2
+	bpfCounterKeyAfCOUNTER_KEY_AF_LEN     bpfCounterKeyAf = 3
+)
+
+type bpfCounterKeyPacketsBytesAction uint32
+
+const (
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_PASS_TOTAL       bpfCounterKeyPacketsBytesAction = 0
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_PASS_TOTAL         bpfCounterKeyPacketsBytesAction = 1
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_ABORTED_TOTAL    bpfCounterKeyPacketsBytesAction = 2
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_ABORTED_TOTAL      bpfCounterKeyPacketsBytesAction = 3
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_TX_TOTAL         bpfCounterKeyPacketsBytesAction = 4
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_TX_TOTAL           bpfCounterKeyPacketsBytesAction = 5
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_DROP_TOTAL       bpfCounterKeyPacketsBytesAction = 6
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_DROP_TOTAL         bpfCounterKeyPacketsBytesAction = 7
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_BYTES_ACTION_LEN bpfCounterKeyPacketsBytesAction = 8
+)
+
+type bpfCounterKeyProgEnd uint32
+
+const (
+	bpfCounterKeyProgEndCOUNTER_KEY_END_UNSPECIFIED                bpfCounterKeyProgEnd = 0
+	bpfCounterKeyProgEndCOUNTER_KEY_END_UNEXPECTED_FIRST_STUN_ATTR bpfCounterKeyProgEnd = 1
+	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_UDP_CSUM           bpfCounterKeyProgEnd = 2
+	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_IP_CSUM            bpfCounterKeyProgEnd = 3
+	bpfCounterKeyProgEndCOUNTER_KEY_END_NOT_STUN_PORT              bpfCounterKeyProgEnd = 4
+	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_SW_ATTR_VAL        bpfCounterKeyProgEnd = 5
+	bpfCounterKeyProgEndCOUNTER_KEY_END_DROP_STUN                  bpfCounterKeyProgEnd = 6
+	bpfCounterKeyProgEndCOUNTER_KEY_END_LEN                        bpfCounterKeyProgEnd = 7
+)
+
+type bpfCountersKey struct {
+	Unused  uint8
+	Af      uint8
+	Pba     uint8
+	ProgEnd uint8
+}
+
+// loadBpf returns the embedded CollectionSpec for bpf.
+func loadBpf() (*ebpf.CollectionSpec, error) {
+	reader := bytes.NewReader(_BpfBytes)
+	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
+	if err != nil {
+		return nil, fmt.Errorf("can't load bpf: %w", err)
+	}
+
+	return spec, err
+}
+
+// loadBpfObjects loads bpf and converts it into a struct.
+//
+// The following types are suitable as obj argument:
+//
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
+//
+// See ebpf.CollectionSpec.LoadAndAssign documentation for details.
+func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
+	spec, err := loadBpf()
+	if err != nil {
+		return err
+	}
+
+	return spec.LoadAndAssign(obj, opts)
+}
+
+// bpfSpecs contains maps and programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfSpecs struct {
+	bpfProgramSpecs
+	bpfMapSpecs
+}
+
+// bpfSpecs contains programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfProgramSpecs struct {
+	XdpProgFunc *ebpf.ProgramSpec `ebpf:"xdp_prog_func"`
+}
+
+// bpfMapSpecs contains maps before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfMapSpecs struct {
+	ConfigMap   *ebpf.MapSpec `ebpf:"config_map"`
+	CountersMap *ebpf.MapSpec `ebpf:"counters_map"`
+}
+
+// bpfObjects contains all objects after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfObjects struct {
+	bpfPrograms
+	bpfMaps
+}
+
+func (o *bpfObjects) Close() error {
+	return _BpfClose(
+		&o.bpfPrograms,
+		&o.bpfMaps,
+	)
+}
+
+// bpfMaps contains all maps after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfMaps struct {
+	ConfigMap   *ebpf.Map `ebpf:"config_map"`
+	CountersMap *ebpf.Map `ebpf:"counters_map"`
+}
+
+func (m *bpfMaps) Close() error {
+	return _BpfClose(
+		m.ConfigMap,
+		m.CountersMap,
+	)
+}
+
+// bpfPrograms contains all programs after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfPrograms struct {
+	XdpProgFunc *ebpf.Program `ebpf:"xdp_prog_func"`
+}
+
+func (p *bpfPrograms) Close() error {
+	return _BpfClose(
+		p.XdpProgFunc,
+	)
+}
+
+func _BpfClose(closers ...io.Closer) error {
+	for _, closer := range closers {
+		if err := closer.Close(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Do not access this directly.
+//
+//go:embed bpf_bpfeb.o
+var _BpfBytes []byte

derp/xdp/bpf_bpfel.go

@@ -0,0 +1,170 @@
+// Code generated by bpf2go; DO NOT EDIT.
+//go:build 386 || amd64 || arm || arm64 || loong64 || mips64le || mipsle || ppc64le || riscv64
+
+package xdp
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+
+	"github.com/cilium/ebpf"
+)
+
+type bpfConfig struct {
+	DstPort  uint16
+	DropStun uint16
+}
+
+type bpfCounterKeyAf uint32
+
+const (
+	bpfCounterKeyAfCOUNTER_KEY_AF_UNKNOWN bpfCounterKeyAf = 0
+	bpfCounterKeyAfCOUNTER_KEY_AF_IPV4    bpfCounterKeyAf = 1
+	bpfCounterKeyAfCOUNTER_KEY_AF_IPV6    bpfCounterKeyAf = 2
+	bpfCounterKeyAfCOUNTER_KEY_AF_LEN     bpfCounterKeyAf = 3
+)
+
+type bpfCounterKeyPacketsBytesAction uint32
+
+const (
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_PASS_TOTAL       bpfCounterKeyPacketsBytesAction = 0
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_PASS_TOTAL         bpfCounterKeyPacketsBytesAction = 1
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_ABORTED_TOTAL    bpfCounterKeyPacketsBytesAction = 2
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_ABORTED_TOTAL      bpfCounterKeyPacketsBytesAction = 3
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_TX_TOTAL         bpfCounterKeyPacketsBytesAction = 4
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_TX_TOTAL           bpfCounterKeyPacketsBytesAction = 5
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_DROP_TOTAL       bpfCounterKeyPacketsBytesAction = 6
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_BYTES_DROP_TOTAL         bpfCounterKeyPacketsBytesAction = 7
+	bpfCounterKeyPacketsBytesActionCOUNTER_KEY_PACKETS_BYTES_ACTION_LEN bpfCounterKeyPacketsBytesAction = 8
+)
+
+type bpfCounterKeyProgEnd uint32
+
+const (
+	bpfCounterKeyProgEndCOUNTER_KEY_END_UNSPECIFIED                bpfCounterKeyProgEnd = 0
+	bpfCounterKeyProgEndCOUNTER_KEY_END_UNEXPECTED_FIRST_STUN_ATTR bpfCounterKeyProgEnd = 1
+	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_UDP_CSUM           bpfCounterKeyProgEnd = 2
+	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_IP_CSUM            bpfCounterKeyProgEnd = 3
+	bpfCounterKeyProgEndCOUNTER_KEY_END_NOT_STUN_PORT              bpfCounterKeyProgEnd = 4
+	bpfCounterKeyProgEndCOUNTER_KEY_END_INVALID_SW_ATTR_VAL        bpfCounterKeyProgEnd = 5
+	bpfCounterKeyProgEndCOUNTER_KEY_END_DROP_STUN                  bpfCounterKeyProgEnd = 6
+	bpfCounterKeyProgEndCOUNTER_KEY_END_LEN                        bpfCounterKeyProgEnd = 7
+)
+
+type bpfCountersKey struct {
+	Unused  uint8
+	Af      uint8
+	Pba     uint8
+	ProgEnd uint8
+}
+
+// loadBpf returns the embedded CollectionSpec for bpf.
+func loadBpf() (*ebpf.CollectionSpec, error) {
+	reader := bytes.NewReader(_BpfBytes)
+	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
+	if err != nil {
+		return nil, fmt.Errorf("can't load bpf: %w", err)
+	}
+
+	return spec, err
+}
+
+// loadBpfObjects loads bpf and converts it into a struct.
+//
+// The following types are suitable as obj argument:
+//
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
+//
+// See ebpf.CollectionSpec.LoadAndAssign documentation for details.
+func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
+	spec, err := loadBpf()
+	if err != nil {
+		return err
+	}
+
+	return spec.LoadAndAssign(obj, opts)
+}
+
+// bpfSpecs contains maps and programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfSpecs struct {
+	bpfProgramSpecs
+	bpfMapSpecs
+}
+
+// bpfSpecs contains programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfProgramSpecs struct {
+	XdpProgFunc *ebpf.ProgramSpec `ebpf:"xdp_prog_func"`
+}
+
+// bpfMapSpecs contains maps before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfMapSpecs struct {
+	ConfigMap   *ebpf.MapSpec `ebpf:"config_map"`
+	CountersMap *ebpf.MapSpec `ebpf:"counters_map"`
+}
+
+// bpfObjects contains all objects after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfObjects struct {
+	bpfPrograms
+	bpfMaps
+}
+
+func (o *bpfObjects) Close() error {
+	return _BpfClose(
+		&o.bpfPrograms,
+		&o.bpfMaps,
+	)
+}
+
+// bpfMaps contains all maps after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfMaps struct {
+	ConfigMap   *ebpf.Map `ebpf:"config_map"`
+	CountersMap *ebpf.Map `ebpf:"counters_map"`
+}
+
+func (m *bpfMaps) Close() error {
+	return _BpfClose(
+		m.ConfigMap,
+		m.CountersMap,
+	)
+}
+
+// bpfPrograms contains all programs after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfPrograms struct {
+	XdpProgFunc *ebpf.Program `ebpf:"xdp_prog_func"`
+}
+
+func (p *bpfPrograms) Close() error {
+	return _BpfClose(
+		p.XdpProgFunc,
+	)
+}
+
+func _BpfClose(closers ...io.Closer) error {
+	for _, closer := range closers {
+		if err := closer.Close(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Do not access this directly.
+//
+//go:embed bpf_bpfel.o
+var _BpfBytes []byte