CI: use BuildJet & large Windows runners

1. Use buildjet for the longer Linux CI workflows.
2. Continue with `ubuntu-latest` for shorter Linux CI workflows.
3. Use a large GitHub-hosted Windows runner.
   https://docs.github.com/en/actions/using-github-hosted-runners/using-larger-runners
4. Make CIFuzz run on merge to main or release branch, not
   in the pull request

Two runs each of the original workflow files and the updated
workflows in this PR. One run of the GitHub Large Ubuntu runners
is included; these are clearly between the regular GitHub and BuildJet
runners in performance.
                              GitHub  GitHub  BuildJet BuildJet  GHLarge
codeql-analysis.yml           4m 30s  cached   2m 56s   2m 59s   4m  0s
cross-darwin.yml              3m 10s  3m 19s   1m 33s   1m 30s   2m 43s
cross-freebsd.yml             3m 33s  3m 10s   1m 28s   1m 22s   2m 15s
cross-openbsd.yml             3m  4s  2m 36s   1m 29s   1m 22s   2m  3s
cross-wasm.yml                1m 59s  2m  2s   1m 12s   1m 16s   1m 46s
cross-windows.yml             2m 45s  3m  0s   1m 44s   1m 25s   2m  6s
linux32.yml                   4m 27s  4m  0s   1m 55s   2m  8s   2m 51s
linux-race.yml                3m 54s  4m  7s   2m 22s   2m 12s   3m 14s
linux.yml                     4m 23s  4m 39s   2m 37s   2m 15s   3m 38s
static-analysis.yml
 /vet                         1m 41s  2m 22s      52s      56s   1m 12s
 /staticcheck(linux, amd64)   2m 47s  2m 38s   1m  7s   1m 10s   1m 52s
 /staticcheck(windows, amd64) 2m  5s  2m  4s   1m  6s   1m  8s   1m 33s
 /staticcheck(darwin, amd64)  2m 14s  2m 20s   1m 10s   1m 10s   1m 50s
 /staticcheck(windows, 386)   2m 36s  1m 58s   1m 23s   1m  8s   1m 39s
vm.yml                        1m 30s  1m 32s   2m 31s   2m 23s   N/A

A few very short workflows are being left on GitHub-hosted runners, like
licenses and gofmt. These benefit from the quicker dispatch to GitHub
hosted runners.

--------

For Windows and the windows.yml test run:
- the regular `windows-latest` runner takes about 6 minutes 20 seconds
- there is enough variability run to run that we get the same ~4 minute
  run with:
    - a GitHub-hosted large runner
    - a self-hosted Windows Server 2022 in an AWS t3.xlarge
    - a self-hosted Windows Server 2022 in an AWS c6i.xlarge
Since there is not a gain from operating our own runner, we'll pay
GitHub to operate a Windows large runner.

Signed-off-by: Denton Gentry <dgentry@tailscale.com>

.github/workflows/cifuzz.yml

@@ -1,13 +1,15 @@
 name: CIFuzz
-on: [pull_request]
+on:
+  push:
+    branches: [ main, release-branch/* ]
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   Fuzzing:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
     steps:
     - name: Build Fuzzers
       id: build
@@ -20,7 +22,7 @@ jobs:
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
         oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
+        fuzz-seconds: 900
         dry-run: false
         language: go
     - name: Upload Crash

.github/workflows/codeql-analysis.yml

@@ -27,7 +27,7 @@ concurrency:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
     permissions:
       actions: read
       contents: read

.github/workflows/cross-android.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-darwin.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-freebsd.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-openbsd.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-wasm.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/cross-windows.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/linux-race.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/linux.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
@@ -38,10 +38,6 @@ jobs:
 
     - name: Get QEMU
       run: |
-        # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something
-        # to run Go binaries. 5.2.0 (Debian bullseye) empirically works, and
-        # use this PPA which brings in a modern qemu.
-        sudo add-apt-repository -y ppa:jacob/virtualisation
         sudo apt-get -y update
         sudo apt-get -y install qemu-user
 

.github/workflows/linux32.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

.github/workflows/static-analysis.yml

@@ -40,7 +40,7 @@ jobs:
       if: failure() && github.event_name == 'push'
 
   vet:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
     steps:
     - name: Set up Go
       uses: actions/setup-go@v3
@@ -66,7 +66,7 @@ jobs:
       if: failure() && github.event_name == 'push'
 
   staticcheck:
-    runs-on: ubuntu-latest
+    runs-on: buildjet-4vcpu-ubuntu-2204
     strategy:
       matrix:
         goos: [linux, windows, darwin]

.github/workflows/vm.yml

@@ -11,7 +11,7 @@ concurrency:
 
 jobs:
   ubuntu2004-LTS-cloud-base:
-    runs-on: ubuntu-22.04
+    runs-on: buildjet-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
@@ -27,12 +27,17 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - name: Get QEMU
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install qemu-system-x86 qemu-user genisoimage qemu-utils
+
       - name: Run VM tests
         run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
         env:
           HOME: "/tmp"
           TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "$HOME/.cache"
+          XDG_CACHE_HOME: "/home/runner/cache"
 
       - uses: k0kubun/action-slack@v2.0.0
         with:

.github/workflows/windows.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   test:
-    runs-on: windows-latest
+    runs-on: windows-8vcpu
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 

chirp/chirp.go

@@ -24,17 +24,11 @@ func New(socket string) (*BIRDClient, error) {
 	return newWithTimeout(socket, responseTimeout)
 }
 
-func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
+func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
-	defer func() {
-		if err != nil {
-			conn.Close()
-		}
-	}()
-
 	b := &BIRDClient{
 		socket:  socket,
 		conn:    conn,

client/tailscale/localclient.go

@@ -267,47 +267,15 @@ func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) (
 	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
 }
 
-// BugReportOpts contains options to pass to the Tailscale daemon when
-// generating a bug report.
-type BugReportOpts struct {
-	// Note contains an optional user-provided note to add to the logs.
-	Note string
-
-	// Diagnose specifies whether to print additional diagnostic information to
-	// the logs when generating this bugreport.
-	Diagnose bool
-}
-
-// BugReportWithOpts logs and returns a log marker that can be shared by the
-// user with support.
-//
-// The opts type specifies options to pass to the Tailscale daemon when
-// generating this bug report.
-func (lc *LocalClient) BugReportWithOpts(ctx context.Context, opts BugReportOpts) (string, error) {
-	var qparams url.Values
-	if opts.Note != "" {
-		qparams.Set("note", opts.Note)
-	}
-	if opts.Diagnose {
-		qparams.Set("diagnose", "true")
-	}
-
-	uri := fmt.Sprintf("/localapi/v0/bugreport?%s", qparams.Encode())
-	body, err := lc.send(ctx, "POST", uri, 200, nil)
+// BugReport logs and returns a log marker that can be shared by the user with support.
+func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
 	if err != nil {
 		return "", err
 	}
 	return strings.TrimSpace(string(body)), nil
 }
 
-// BugReport logs and returns a log marker that can be shared by the user with support.
-//
-// This is the same as calling BugReportWithOpts and only specifying the Note
-// field.
-func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
-	return lc.BugReportWithOpts(ctx, BugReportOpts{Note: note})
-}
-
 // DebugAction invokes a debug action, such as "rebind" or "restun".
 // These are development tools and subject to change or removal over time.
 func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {

cmd/tailscale/cli/bugreport.go

@@ -7,10 +7,8 @@ package cli
 import (
 	"context"
 	"errors"
-	"flag"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )
 
 var bugReportCmd = &ffcli.Command{
@@ -18,15 +16,6 @@ var bugReportCmd = &ffcli.Command{
 	Exec:       runBugReport,
 	ShortHelp:  "Print a shareable identifier to help diagnose issues",
 	ShortUsage: "bugreport [note]",
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("bugreport")
-		fs.BoolVar(&bugReportArgs.diagnose, "diagnose", false, "run additional in-depth checks")
-		return fs
-	})(),
-}
-
-var bugReportArgs struct {
-	diagnose bool
 }
 
 func runBugReport(ctx context.Context, args []string) error {
@@ -38,10 +27,7 @@ func runBugReport(ctx context.Context, args []string) error {
 	default:
 		return errors.New("unknown argumets")
 	}
-	logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
-		Note:     note,
-		Diagnose: bugReportArgs.diagnose,
-	})
+	logMarker, err := localClient.BugReport(ctx, note)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/configure-host.go

@@ -48,7 +48,7 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
 	}
-	hi := hostinfo.New()
+	hi:= hostinfo.New()
 	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
 	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
 	if !isDSM6 && !isDSM7 {

cmd/tailscaled/depaware.txt

@@ -109,7 +109,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
         github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
         github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router+
+   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
   LD    github.com/u-root/u-root/pkg/termios                         from tailscale.com/ssh/tailssh
    L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
@@ -190,8 +190,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/derp                                           from tailscale.com/derp/derphttp+
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
         tailscale.com/disco                                          from tailscale.com/derp+
-        tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
-        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
         tailscale.com/envknob                                        from tailscale.com/control/controlclient+
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
@@ -232,7 +230,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
-        tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
         tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
         tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
@@ -275,7 +272,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
   LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
-        tailscale.com/util/goroutines                                from tailscale.com/control/controlclient+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+

control/controlclient/debug.go

@@ -8,11 +8,12 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
+	"fmt"
 	"log"
 	"net/http"
+	"runtime"
+	"strconv"
 	"time"
-
-	"tailscale.com/util/goroutines"
 )
 
 func dumpGoroutinesToURL(c *http.Client, targetURL string) {
@@ -21,7 +22,7 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 
 	zbuf := new(bytes.Buffer)
 	zw := gzip.NewWriter(zbuf)
-	zw.Write(goroutines.ScrubbedGoroutineDump())
+	zw.Write(scrubbedGoroutineDump())
 	zw.Close()
 
 	req, err := http.NewRequestWithContext(ctx, "PUT", targetURL, zbuf)
@@ -39,3 +40,83 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 		log.Printf("dumpGoroutinesToURL complete to %v (after %v)", targetURL, d)
 	}
 }
+
+// scrubbedGoroutineDump returns the list of all current goroutines, but with the actual
+// values of arguments scrubbed out, lest it contain some private key material.
+func scrubbedGoroutineDump() []byte {
+	var buf []byte
+	// Grab stacks multiple times into increasingly larger buffer sizes
+	// to minimize the risk that we blow past our iOS memory limit.
+	for size := 1 << 10; size <= 1<<20; size += 1 << 10 {
+		buf = make([]byte, size)
+		buf = buf[:runtime.Stack(buf, true)]
+		if len(buf) < size {
+			// It fit.
+			break
+		}
+	}
+	return scrubHex(buf)
+}
+
+func scrubHex(buf []byte) []byte {
+	saw := map[string][]byte{} // "0x123" => "v1%3" (unique value 1 and its value mod 8)
+
+	foreachHexAddress(buf, func(in []byte) {
+		if string(in) == "0x0" {
+			return
+		}
+		if v, ok := saw[string(in)]; ok {
+			for i := range in {
+				in[i] = '_'
+			}
+			copy(in, v)
+			return
+		}
+		inStr := string(in)
+		u64, err := strconv.ParseUint(string(in[2:]), 16, 64)
+		for i := range in {
+			in[i] = '_'
+		}
+		if err != nil {
+			in[0] = '?'
+			return
+		}
+		v := []byte(fmt.Sprintf("v%d%%%d", len(saw)+1, u64%8))
+		saw[inStr] = v
+		copy(in, v)
+	})
+	return buf
+}
+
+var ohx = []byte("0x")
+
+// foreachHexAddress calls f with each subslice of b that matches
+// regexp `0x[0-9a-f]*`.
+func foreachHexAddress(b []byte, f func([]byte)) {
+	for len(b) > 0 {
+		i := bytes.Index(b, ohx)
+		if i == -1 {
+			return
+		}
+		b = b[i:]
+		hx := hexPrefix(b)
+		f(hx)
+		b = b[len(hx):]
+	}
+}
+
+func hexPrefix(b []byte) []byte {
+	for i, c := range b {
+		if i < 2 {
+			continue
+		}
+		if !isHexByte(c) {
+			return b[:i]
+		}
+	}
+	return b
+}
+
+func isHexByte(b byte) bool {
+	return '0' <= b && b <= '9' || 'a' <= b && b <= 'f' || 'A' <= b && b <= 'F'
+}

control/controlclient/debug_test.go

@@ -2,12 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package goroutines
+package controlclient
 
 import "testing"
 
 func TestScrubbedGoroutineDump(t *testing.T) {
-	t.Logf("Got:\n%s\n", ScrubbedGoroutineDump())
+	t.Logf("Got:\n%s\n", scrubbedGoroutineDump())
 }
 
 func TestScrubHex(t *testing.T) {

control/controlclient/direct.go

@@ -1438,7 +1438,7 @@ func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) er
 	if err != nil {
 		return err
 	}
-	res, err := nc.post(ctx, "/machine/set-dns", &newReq)
+	res, err := nc.post(ctx, "/machine/set-dns", req)
 	if err != nil {
 		return err
 	}

control/controlhttp/client_js.go

@@ -29,11 +29,9 @@ func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {
 
 	wsScheme := "wss"
 	host := d.Hostname
-	// If using a custom control server (on a non-standard port), prefer that.
-	// This mirrors the port selection in newNoiseClient from noise.go.
-	if d.HTTPPort != "" && d.HTTPPort != "80" && d.HTTPSPort == "443" {
+	if host == "localhost" {
 		wsScheme = "ws"
-		host = net.JoinHostPort(host, d.HTTPPort)
+		host = net.JoinHostPort(host, strDef(d.HTTPPort, "80"))
 	}
 	wsURL := &url.URL{
 		Scheme: wsScheme,

doctor/doctor.go

@@ -1,80 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package doctor contains more in-depth healthchecks that can be run to aid in
-// diagnosing Tailscale issues.
-package doctor
-
-import (
-	"context"
-	"sync"
-
-	"tailscale.com/types/logger"
-)
-
-// Check is the interface defining a singular check.
-//
-// A check should log information that it gathers using the provided log
-// function, and should attempt to make as much progress as possible in error
-// conditions.
-type Check interface {
-	// Name should return a name describing this check, in lower-kebab-case
-	// (i.e. "my-check", not "MyCheck" or "my_check").
-	Name() string
-	// Run executes the check, logging diagnostic information to the
-	// provided logger function.
-	Run(context.Context, logger.Logf) error
-}
-
-// RunChecks runs a list of checks in parallel, and logs any returned errors
-// after all checks have returned.
-func RunChecks(ctx context.Context, log logger.Logf, checks ...Check) {
-	if len(checks) == 0 {
-		return
-	}
-
-	type namedErr struct {
-		name string
-		err  error
-	}
-	errs := make(chan namedErr, len(checks))
-
-	var wg sync.WaitGroup
-	wg.Add(len(checks))
-	for _, check := range checks {
-		go func(c Check) {
-			defer wg.Done()
-
-			plog := logger.WithPrefix(log, c.Name()+": ")
-			errs <- namedErr{
-				name: c.Name(),
-				err:  c.Run(ctx, plog),
-			}
-		}(check)
-	}
-
-	wg.Wait()
-	close(errs)
-
-	for n := range errs {
-		if n.err == nil {
-			continue
-		}
-
-		log("check %s: %v", n.name, n.err)
-	}
-}
-
-// CheckFunc creates a Check from a name and a function.
-func CheckFunc(name string, run func(context.Context, logger.Logf) error) Check {
-	return checkFunc{name, run}
-}
-
-type checkFunc struct {
-	name string
-	run  func(context.Context, logger.Logf) error
-}
-
-func (c checkFunc) Name() string                                   { return c.name }
-func (c checkFunc) Run(ctx context.Context, log logger.Logf) error { return c.run(ctx, log) }

doctor/doctor_test.go

@@ -1,50 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package doctor
-
-import (
-	"context"
-	"fmt"
-	"sync"
-	"testing"
-
-	qt "github.com/frankban/quicktest"
-	"tailscale.com/types/logger"
-)
-
-func TestRunChecks(t *testing.T) {
-	c := qt.New(t)
-	var (
-		mu    sync.Mutex
-		lines []string
-	)
-	logf := func(format string, args ...any) {
-		mu.Lock()
-		defer mu.Unlock()
-		lines = append(lines, fmt.Sprintf(format, args...))
-	}
-
-	ctx := context.Background()
-	RunChecks(ctx, logf,
-		testCheck1{},
-		CheckFunc("testcheck2", func(_ context.Context, log logger.Logf) error {
-			log("check 2")
-			return nil
-		}),
-	)
-
-	mu.Lock()
-	defer mu.Unlock()
-	c.Assert(lines, qt.Contains, "testcheck1: check 1")
-	c.Assert(lines, qt.Contains, "testcheck2: check 2")
-}
-
-type testCheck1 struct{}
-
-func (t testCheck1) Name() string { return "testcheck1" }
-func (t testCheck1) Run(_ context.Context, log logger.Logf) error {
-	log("check 1")
-	return nil
-}

doctor/routetable/routetable.go

@@ -1,35 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package routetable provides a doctor.Check that dumps the current system's
-// route table to the log.
-package routetable
-
-import (
-	"context"
-
-	"tailscale.com/net/routetable"
-	"tailscale.com/types/logger"
-)
-
-// MaxRoutes is the maximum number of routes that will be displayed.
-const MaxRoutes = 1000
-
-// Check implements the doctor.Check interface.
-type Check struct{}
-
-func (Check) Name() string {
-	return "routetable"
-}
-
-func (Check) Run(_ context.Context, logf logger.Logf) error {
-	rs, err := routetable.Get(MaxRoutes)
-	if err != nil {
-		return err
-	}
-	for _, r := range rs {
-		logf("%s", r)
-	}
-	return nil
-}

ipn/ipnlocal/c2n.go

@@ -10,28 +10,14 @@ import (
 	"net/http"
 
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/goroutines"
 )
 
 func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
-	writeJSON := func(v any) {
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(v)
-	}
 	switch r.URL.Path {
 	case "/echo":
 		// Test handler.
 		body, _ := io.ReadAll(r.Body)
 		w.Write(body)
-	case "/debug/goroutines":
-		w.Header().Set("Content-Type", "text/plain")
-		w.Write(goroutines.ScrubbedGoroutineDump())
-	case "/debug/prefs":
-		writeJSON(b.Prefs())
-	case "/debug/metrics":
-		w.Header().Set("Content-Type", "text/plain")
-		clientmetric.WritePrometheusExpositionFormat(w)
 	case "/ssh/usernames":
 		var req tailcfg.C2NSSHUsernamesRequest
 		if r.Method == "POST" {
@@ -45,7 +31,8 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, err.Error(), 500)
 			return
 		}
-		writeJSON(res)
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(res)
 	default:
 		http.Error(w, "unknown c2n path", http.StatusBadRequest)
 	}

ipn/ipnlocal/local.go

@@ -26,8 +26,6 @@ import (
 	"go4.org/netipx"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
-	"tailscale.com/doctor"
-	"tailscale.com/doctor/routetable"
 	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
@@ -3686,19 +3684,3 @@ func (b *LocalBackend) handleQuad100Port80Conn(w http.ResponseWriter, r *http.Re
 	}
 	io.WriteString(w, "</ul>\n")
 }
-
-func (b *LocalBackend) Doctor(ctx context.Context, logf logger.Logf) {
-	var checks []doctor.Check
-
-	checks = append(checks, routetable.Check{})
-
-	// TODO(andrew): more
-
-	numChecks := len(checks)
-	checks = append(checks, doctor.CheckFunc("numchecks", func(_ context.Context, log logger.Logf) error {
-		log("%d checks", numChecks)
-		return nil
-	}))
-
-	doctor.RunChecks(ctx, logf, checks...)
-}

ipn/ipnlocal/network-lock.go

@@ -55,6 +55,9 @@ func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {
 		// If the feature flag is not enabled, pretend we don't exist.
 		return nil
 	}
+	if nm.SelfNode == nil {
+		return errors.New("SelfNode missing")
+	}
 
 	isEnabled := b.tka != nil
 	wantEnabled := nm.TKAEnabled
@@ -66,9 +69,8 @@ func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {
 
 		// Regardless of whether we are moving to disabled or enabled, we
 		// need information from the tka bootstrap endpoint.
-		ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
 		b.mu.Unlock()
-		bs, err := b.tkaFetchBootstrap(ourNodeKey, ourHead)
+		bs, err := b.tkaFetchBootstrap(nm.SelfNode.ID, ourHead)
 		b.mu.Lock()
 		if err != nil {
 			return fmt.Errorf("fetching bootstrap: %v", err)
@@ -200,15 +202,9 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	if !b.CanSupportNetworkLock() {
 		return errors.New("network-lock is not supported in this configuration. Did you supply a --statedir?")
 	}
-
-	var ourNodeKey key.NodePublic
-	b.mu.Lock()
-	if b.prefs != nil {
-		ourNodeKey = b.prefs.Persist.PrivateNodeKey.Public()
-	}
-	b.mu.Unlock()
-	if ourNodeKey.IsZero() {
-		return errors.New("no node-key: is tailscale logged in?")
+	nm := b.NetMap()
+	if nm == nil {
+		return errors.New("no netmap: are you logged into tailscale?")
 	}
 
 	// Generates a genesis AUM representing trust in the provided keys.
@@ -230,7 +226,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	}
 
 	// Phase 1/2 of initialization: Transmit the genesis AUM to Control.
-	initResp, err := b.tkaInitBegin(ourNodeKey, genesisAUM)
+	initResp, err := b.tkaInitBegin(nm, genesisAUM)
 	if err != nil {
 		return fmt.Errorf("tka init-begin RPC: %w", err)
 	}
@@ -251,7 +247,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	}
 
 	// Finalize enablement by transmitting signature for all nodes to Control.
-	_, err = b.tkaInitFinish(ourNodeKey, sigs)
+	_, err = b.tkaInitFinish(nm, sigs)
 	return err
 }
 
@@ -274,11 +270,10 @@ func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeK
 	return &sig, nil
 }
 
-func (b *LocalBackend) tkaInitBegin(ourNodeKey key.NodePublic, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
+func (b *LocalBackend) tkaInitBegin(nm *netmap.NetworkMap, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
 	var req bytes.Buffer
 	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitBeginRequest{
-		Version:    tailcfg.CurrentCapabilityVersion,
-		NodeKey:    ourNodeKey,
+		NodeID:     nm.SelfNode.ID,
 		GenesisAUM: aum.Serialize(),
 	}); err != nil {
 		return nil, fmt.Errorf("encoding request: %v", err)
@@ -316,11 +311,10 @@ func (b *LocalBackend) tkaInitBegin(ourNodeKey key.NodePublic, aum tka.AUM) (*ta
 	}
 }
 
-func (b *LocalBackend) tkaInitFinish(ourNodeKey key.NodePublic, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
+func (b *LocalBackend) tkaInitFinish(nm *netmap.NetworkMap, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
 	var req bytes.Buffer
 	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitFinishRequest{
-		Version:    tailcfg.CurrentCapabilityVersion,
-		NodeKey:    ourNodeKey,
+		NodeID:     nm.SelfNode.ID,
 		Signatures: nks,
 	}); err != nil {
 		return nil, fmt.Errorf("encoding request: %v", err)
@@ -360,10 +354,9 @@ func (b *LocalBackend) tkaInitFinish(ourNodeKey key.NodePublic, nks map[tailcfg.
 
 // tkaFetchBootstrap sends a /machine/tka/bootstrap RPC to the control plane
 // over noise. This is used to get values necessary to enable or disable TKA.
-func (b *LocalBackend) tkaFetchBootstrap(ourNodeKey key.NodePublic, head tka.AUMHash) (*tailcfg.TKABootstrapResponse, error) {
+func (b *LocalBackend) tkaFetchBootstrap(nodeID tailcfg.NodeID, head tka.AUMHash) (*tailcfg.TKABootstrapResponse, error) {
 	bootstrapReq := tailcfg.TKABootstrapRequest{
-		Version: tailcfg.CurrentCapabilityVersion,
-		NodeKey: ourNodeKey,
+		NodeID: nodeID,
 	}
 	if !head.IsZero() {
 		head, err := head.MarshalText()

ipn/ipnlocal/network-lock_test.go

@@ -17,12 +17,10 @@ import (
 
 	"tailscale.com/control/controlclient"
 	"tailscale.com/hostinfo"
-	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
-	"tailscale.com/types/persist"
 )
 
 func fakeControlClient(t *testing.T, c *http.Client) *controlclient.Auto {
@@ -64,7 +62,6 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
 
 func TestTKAEnablementFlow(t *testing.T) {
 	networkLockAvailable = func() bool { return true } // Enable the feature flag
-	nodePriv := key.NewNode()
 
 	// Make a fake TKA authority, getting a usable genesis AUM which
 	// our mock server can communicate.
@@ -86,11 +83,8 @@ func TestTKAEnablementFlow(t *testing.T) {
 			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
 				t.Fatal(err)
 			}
-			if body.Version != tailcfg.CurrentCapabilityVersion {
-				t.Errorf("bootstrap CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
-			}
-			if body.NodeKey != nodePriv.Public() {
-				t.Errorf("bootstrap nodeKey=%v, want %v", body.NodeKey, nodePriv.Public())
+			if body.NodeID != 420 {
+				t.Errorf("bootstrap nodeID=%v, want 420", body.NodeID)
 			}
 			if body.Head != "" {
 				t.Errorf("bootstrap head=%s, want empty hash", body.Head)
@@ -118,13 +112,11 @@ func TestTKAEnablementFlow(t *testing.T) {
 		cc:      cc,
 		ccAuto:  cc,
 		logf:    t.Logf,
-		prefs: &ipn.Prefs{
-			Persist: &persist.Persist{PrivateNodeKey: nodePriv},
-		},
 	}
 
 	b.mu.Lock()
 	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+		SelfNode:   &tailcfg.Node{ID: 420},
 		TKAEnabled: true,
 		TKAHead:    tka.AUMHash{},
 	})
@@ -144,7 +136,6 @@ func TestTKADisablementFlow(t *testing.T) {
 	networkLockAvailable = func() bool { return true } // Enable the feature flag
 	temp := t.TempDir()
 	os.Mkdir(filepath.Join(temp, "tka"), 0755)
-	nodePriv := key.NewNode()
 
 	// Make a fake TKA authority, to seed local state.
 	disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
@@ -162,7 +153,6 @@ func TestTKADisablementFlow(t *testing.T) {
 		t.Fatalf("tka.Create() failed: %v", err)
 	}
 
-	returnWrongSecret := false
 	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		defer r.Body.Close()
 		switch r.URL.Path {
@@ -171,11 +161,14 @@ func TestTKADisablementFlow(t *testing.T) {
 			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
 				t.Fatal(err)
 			}
-			if body.Version != tailcfg.CurrentCapabilityVersion {
-				t.Errorf("bootstrap CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
-			}
-			if body.NodeKey != nodePriv.Public() {
-				t.Errorf("nodeKey=%v, want %v", body.NodeKey, nodePriv.Public())
+			var disablement []byte
+			switch body.NodeID {
+			case 42:
+				disablement = bytes.Repeat([]byte{0x42}, 32) // wrong secret
+			case 420:
+				disablement = disablementSecret
+			default:
+				t.Errorf("bootstrap nodeID=%v, wanted 42 or 420", body.NodeID)
 			}
 			var head tka.AUMHash
 			if err := head.UnmarshalText([]byte(body.Head)); err != nil {
@@ -185,13 +178,6 @@ func TestTKADisablementFlow(t *testing.T) {
 				t.Errorf("reported head = %x, want %x", head, authority.Head())
 			}
 
-			var disablement []byte
-			if returnWrongSecret {
-				disablement = bytes.Repeat([]byte{0x42}, 32) // wrong secret
-			} else {
-				disablement = disablementSecret
-			}
-
 			w.WriteHeader(200)
 			out := tailcfg.TKABootstrapResponse{
 				DisablementSecret: disablement,
@@ -217,15 +203,13 @@ func TestTKADisablementFlow(t *testing.T) {
 			authority: authority,
 			storage:   chonk,
 		},
-		prefs: &ipn.Prefs{
-			Persist: &persist.Persist{PrivateNodeKey: nodePriv},
-		},
 	}
 
 	// Test that the wrong disablement secret does not shut down the authority.
-	returnWrongSecret = true
+	// NodeID == 42 indicates this scenario to our mock server.
 	b.mu.Lock()
 	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+		SelfNode:   &tailcfg.Node{ID: 42},
 		TKAEnabled: false,
 		TKAHead:    authority.Head(),
 	})
@@ -238,9 +222,10 @@ func TestTKADisablementFlow(t *testing.T) {
 	}
 
 	// Test the correct disablement secret shuts down the authority.
-	returnWrongSecret = false
+	// NodeID == 420 indicates this scenario to our mock server.
 	b.mu.Lock()
 	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
+		SelfNode:   &tailcfg.Node{ID: 420},
 		TKAEnabled: false,
 		TKAHead:    authority.Head(),
 	})

ipn/localapi/localapi.go

@@ -221,9 +221,6 @@ func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 	if note := r.FormValue("note"); len(note) > 0 {
 		h.logf("user bugreport note: %s", note)
 	}
-	if defBool(r.FormValue("diagnose"), false) {
-		h.b.Doctor(r.Context(), logger.WithPrefix(h.logf, "diag: "))
-	}
 	w.Header().Set("Content-Type", "text/plain")
 	fmt.Fprintln(w, logMarker)
 }

net/dns/osconfig.go

@@ -5,12 +5,9 @@
 package dns
 
 import (
-	"bufio"
 	"errors"
-	"fmt"
 	"net/netip"
 
-	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 )
 
@@ -100,44 +97,6 @@ func (a OSConfig) Equal(b OSConfig) bool {
 	return true
 }
 
-// Format implements the fmt.Formatter interface to ensure that Hosts is
-// printed correctly (i.e. not as a bunch of pointers).
-//
-// Fixes https://github.com/tailscale/tailscale/issues/5669
-func (a OSConfig) Format(f fmt.State, verb rune) {
-	logger.ArgWriter(func(w *bufio.Writer) {
-		w.WriteString(`{Nameservers:[`)
-		for i, ns := range a.Nameservers {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", ns)
-		}
-		w.WriteString(`] SearchDomains:[`)
-		for i, domain := range a.SearchDomains {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", domain)
-		}
-		w.WriteString(`] MatchDomains:[`)
-		for i, domain := range a.MatchDomains {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", domain)
-		}
-		w.WriteString(`] Hosts:[`)
-		for i, host := range a.Hosts {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", host)
-		}
-		w.WriteString(`]}`)
-	}).Format(f, verb)
-}
-
 // ErrGetBaseConfigNotSupported is the error
 // OSConfigurator.GetBaseConfig returns when the OSConfigurator
 // doesn't support reading the underlying configuration out of the OS.

net/dns/osconfig_test.go

@@ -1,44 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	"tailscale.com/util/dnsname"
-)
-
-func TestOSConfigPrintable(t *testing.T) {
-	ocfg := OSConfig{
-		Hosts: []*HostEntry{
-			{
-				Addr:  netip.AddrFrom4([4]byte{100, 1, 2, 3}),
-				Hosts: []string{"server", "client"},
-			},
-			{
-				Addr:  netip.AddrFrom4([4]byte{100, 1, 2, 4}),
-				Hosts: []string{"otherhost"},
-			},
-		},
-		Nameservers: []netip.Addr{
-			netip.AddrFrom4([4]byte{8, 8, 8, 8}),
-		},
-		SearchDomains: []dnsname.FQDN{
-			dnsname.FQDN("foo.beta.tailscale.net."),
-			dnsname.FQDN("bar.beta.tailscale.net."),
-		},
-		MatchDomains: []dnsname.FQDN{
-			dnsname.FQDN("ts.com."),
-		},
-	}
-	s := fmt.Sprintf("%+v", ocfg)
-
-	const expected = `{Nameservers:[8.8.8.8] SearchDomains:[foo.beta.tailscale.net. bar.beta.tailscale.net.] MatchDomains:[ts.com.] Hosts:[&{Addr:100.1.2.3 Hosts:[server client]} &{Addr:100.1.2.4 Hosts:[otherhost]}]}`
-	if s != expected {
-		t.Errorf("format mismatch:\n   got: %s\n  want: %s", s, expected)
-	}
-}

net/netcheck/netcheck.go

@@ -1188,8 +1188,6 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	var ip netip.Addr
 
 	dc := derphttp.NewNetcheckClient(c.logf)
-	defer dc.Close()
-
 	tlsConn, tcpConn, node, err := dc.DialRegionTLS(ctx, reg)
 	if err != nil {
 		return 0, ip, err

net/nettest/listener.go

@@ -61,7 +61,7 @@ func (l *Listener) Accept() (net.Conn, error) {
 // The provided Context must be non-nil. If the context expires before the
 // connection is complete, an error is returned. Once successfully connected
 // any expiration of the context will not affect the connection.
-func (l *Listener) Dial(ctx context.Context, network, addr string) (_ net.Conn, err error) {
+func (l *Listener) Dial(ctx context.Context, network, addr string) (net.Conn, error) {
 	if !strings.HasSuffix(network, "tcp") {
 		return nil, net.UnknownNetworkError(network)
 	}
@@ -72,13 +72,6 @@ func (l *Listener) Dial(ctx context.Context, network, addr string) (_ net.Conn,
 		}
 	}
 	c, s := NewConn(addr, bufferSize)
-	defer func() {
-		if err != nil {
-			c.Close()
-			s.Close()
-		}
-	}()
-
 	select {
 	case <-ctx.Done():
 		return nil, ctx.Err()

net/routetable/routetable.go

@@ -1,151 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package routetable provides functions that operate on the system's route
-// table.
-package routetable
-
-import (
-	"bufio"
-	"fmt"
-	"net/netip"
-	"strconv"
-
-	"tailscale.com/types/logger"
-)
-
-var (
-	defaultRouteIPv4 = RouteDestination{Prefix: netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
-	defaultRouteIPv6 = RouteDestination{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
-)
-
-// RouteEntry contains common cross-platform fields describing an entry in the
-// system route table.
-type RouteEntry struct {
-	// Family is the IP family of the route; it will be either 4 or 6.
-	Family int
-	// Type is the type of this route.
-	Type RouteType
-	// Dst is the destination of the route.
-	Dst RouteDestination
-	// Gatewayis the gateway address specified for this route.
-	// This value will be invalid (where !r.Gateway.IsValid()) in cases
-	// where there is no gateway address for this route.
-	Gateway netip.Addr
-	// Interface is the name of the network interface to use when sending
-	// packets that match this route. This field can be empty.
-	Interface string
-	// Sys contains platform-specific information about this route.
-	Sys any
-}
-
-// Format implements the fmt.Formatter interface.
-func (r RouteEntry) Format(f fmt.State, verb rune) {
-	logger.ArgWriter(func(w *bufio.Writer) {
-		switch r.Family {
-		case 4:
-			fmt.Fprintf(w, "{Family: IPv4")
-		case 6:
-			fmt.Fprintf(w, "{Family: IPv6")
-		default:
-			fmt.Fprintf(w, "{Family: unknown(%d)", r.Family)
-		}
-
-		// Match 'ip route' and other tools by not printing the route
-		// type if it's a unicast route.
-		if r.Type != RouteTypeUnicast {
-			fmt.Fprintf(w, ", Type: %s", r.Type)
-		}
-
-		if r.Dst.IsValid() {
-			fmt.Fprintf(w, ", Dst: %s", r.Dst)
-		} else {
-			w.WriteString(", Dst: invalid")
-		}
-
-		if r.Gateway.IsValid() {
-			fmt.Fprintf(w, ", Gateway: %s", r.Gateway)
-		}
-
-		if r.Interface != "" {
-			fmt.Fprintf(w, ", Interface: %s", r.Interface)
-		}
-
-		if r.Sys != nil {
-			var formatVerb string
-			switch {
-			case f.Flag('#'):
-				formatVerb = "%#v"
-			case f.Flag('+'):
-				formatVerb = "%+v"
-			default:
-				formatVerb = "%v"
-			}
-			fmt.Fprintf(w, ", Sys: "+formatVerb, r.Sys)
-		}
-
-		w.WriteString("}")
-	}).Format(f, verb)
-}
-
-// RouteDestination is the destination of a route.
-//
-// This is similar to net/netip.Prefix, but also contains an optional IPv6
-// zone.
-type RouteDestination struct {
-	netip.Prefix
-	Zone string
-}
-
-func (r RouteDestination) String() string {
-	ip := r.Prefix.Addr()
-	if r.Zone != "" {
-		ip = ip.WithZone(r.Zone)
-	}
-	return ip.String() + "/" + strconv.Itoa(r.Prefix.Bits())
-}
-
-// RouteType describes the type of a route.
-type RouteType int
-
-const (
-	// RouteTypeUnspecified is the unspecified route type.
-	RouteTypeUnspecified RouteType = iota
-	// RouteTypeLocal indicates that the destination of this route is an
-	// address that belongs to this system.
-	RouteTypeLocal
-	// RouteTypeUnicast indicates that the destination of this route is a
-	// "regular" address--one that neither belongs to this host, nor is a
-	// broadcast/multicast/etc. address.
-	RouteTypeUnicast
-	// RouteTypeBroadcast indicates that the destination of this route is a
-	// broadcast address.
-	RouteTypeBroadcast
-	// RouteTypeMulticast indicates that the destination of this route is a
-	// multicast address.
-	RouteTypeMulticast
-	// RouteTypeOther indicates that the route is of some other valid type;
-	// see the Sys field for the OS-provided route information to determine
-	// the exact type.
-	RouteTypeOther
-)
-
-func (r RouteType) String() string {
-	switch r {
-	case RouteTypeUnspecified:
-		return "unspecified"
-	case RouteTypeLocal:
-		return "local"
-	case RouteTypeUnicast:
-		return "unicast"
-	case RouteTypeBroadcast:
-		return "broadcast"
-	case RouteTypeMulticast:
-		return "multicast"
-	case RouteTypeOther:
-		return "other"
-	default:
-		return "invalid"
-	}
-}

net/routetable/routetable_bsd.go

@@ -1,285 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build darwin || freebsd
-// +build darwin freebsd
-
-package routetable
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"net/netip"
-	"runtime"
-	"sort"
-	"strings"
-	"syscall"
-
-	"golang.org/x/net/route"
-	"golang.org/x/sys/unix"
-	"tailscale.com/net/interfaces"
-	"tailscale.com/types/logger"
-)
-
-type RouteEntryBSD struct {
-	// GatewayInterface is the name of the interface specified as a gateway
-	// for this route, if any.
-	GatewayInterface string
-	// GatewayIdx is the index of the interface specified as a gateway for
-	// this route, if any.
-	GatewayIdx int
-	// GatewayAddr is the link-layer address of the gateway for this route,
-	// if any.
-	GatewayAddr string
-	// Flags contains a string representation of common flags for this
-	// route.
-	Flags []string
-	// RawFlags contains the raw flags that were returned by the operating
-	// system for this route.
-	RawFlags int
-}
-
-// Format implements the fmt.Formatter interface.
-func (r RouteEntryBSD) Format(f fmt.State, verb rune) {
-	logger.ArgWriter(func(w *bufio.Writer) {
-		var pstart bool
-		pr := func(format string, args ...any) {
-			if pstart {
-				fmt.Fprintf(w, ", "+format, args...)
-			} else {
-				fmt.Fprintf(w, format, args...)
-				pstart = true
-			}
-		}
-
-		w.WriteString("{")
-		if r.GatewayInterface != "" {
-			pr("GatewayInterface: %s", r.GatewayInterface)
-		}
-		if r.GatewayIdx > 0 {
-			pr("GatewayIdx: %d", r.GatewayIdx)
-		}
-		if r.GatewayAddr != "" {
-			pr("GatewayAddr: %s", r.GatewayAddr)
-		}
-		pr("Flags: %v", r.Flags)
-
-		w.WriteString("}")
-	}).Format(f, verb)
-}
-
-// ipFromRMAddr returns a netip.Addr converted from one of the
-// route.Inet{4,6}Addr types.
-func ipFromRMAddr(ifs map[int]interfaces.Interface, addr any) netip.Addr {
-	switch v := addr.(type) {
-	case *route.Inet4Addr:
-		return netip.AddrFrom4(v.IP)
-
-	case *route.Inet6Addr:
-		ip := netip.AddrFrom16(v.IP)
-		if v.ZoneID != 0 {
-			if iif, ok := ifs[v.ZoneID]; ok {
-				ip = ip.WithZone(iif.Name)
-			} else {
-				ip = ip.WithZone(fmt.Sprint(v.ZoneID))
-			}
-		}
-
-		return ip
-	}
-
-	return netip.Addr{}
-}
-
-// populateGateway populates gateway fields on a RouteEntry/RouteEntryBSD.
-func populateGateway(re *RouteEntry, reSys *RouteEntryBSD, ifs map[int]interfaces.Interface, addr any) {
-	// If the address type has a valid IP, use that.
-	if ip := ipFromRMAddr(ifs, addr); ip.IsValid() {
-		re.Gateway = ip
-		return
-	}
-
-	switch v := addr.(type) {
-	case *route.LinkAddr:
-		reSys.GatewayIdx = v.Index
-		if iif, ok := ifs[v.Index]; ok {
-			reSys.GatewayInterface = iif.Name
-		}
-		var sb strings.Builder
-		for i, x := range v.Addr {
-			if i != 0 {
-				sb.WriteByte(':')
-			}
-			fmt.Fprintf(&sb, "%02x", x)
-		}
-		reSys.GatewayAddr = sb.String()
-	}
-}
-
-// populateDestination populates the 'Dst' field on a RouteEntry based on the
-// RouteMessage's destination and netmask fields.
-func populateDestination(re *RouteEntry, ifs map[int]interfaces.Interface, rm *route.RouteMessage) {
-	dst := rm.Addrs[unix.RTAX_DST]
-	if dst == nil {
-		return
-	}
-
-	ip := ipFromRMAddr(ifs, dst)
-	if !ip.IsValid() {
-		return
-	}
-
-	if ip.Is4() {
-		re.Family = 4
-	} else {
-		re.Family = 6
-	}
-	re.Dst = RouteDestination{
-		Prefix: netip.PrefixFrom(ip, 32), // default if nothing more specific
-	}
-
-	// If the RTF_HOST flag is set, then this is a host route and there's
-	// no netmask in this RouteMessage.
-	if rm.Flags&unix.RTF_HOST != 0 {
-		return
-	}
-
-	// As above if there's no netmask in the list of addrs
-	if len(rm.Addrs) < unix.RTAX_NETMASK || rm.Addrs[unix.RTAX_NETMASK] == nil {
-		return
-	}
-
-	nm := ipFromRMAddr(ifs, rm.Addrs[unix.RTAX_NETMASK])
-	if !ip.IsValid() {
-		return
-	}
-
-	// Count the number of bits in the netmask IP and use that to make our prefix.
-	ones, _ /* bits */ := net.IPMask(nm.AsSlice()).Size()
-
-	// Print this ourselves instead of using netip.Prefix so that we don't
-	// lose the zone (since netip.Prefix strips that).
-	//
-	// NOTE(andrew): this doesn't print the same values as the 'netstat' tool
-	// for some addresses on macOS, and I have no idea why. Specifically,
-	// 'netstat -rn' will show something like:
-	//    ff00::/8   ::1      UmCI     lo0
-	//
-	// But we will get:
-	//    destination=ff00::/40 [...]
-	//
-	// The netmask that we get back from FetchRIB has 32 more bits in it
-	// than netstat prints, but only for multicast routes.
-	//
-	// For consistency's sake, we're going to do the same here so that we
-	// get the same values as netstat returns.
-	if runtime.GOOS == "darwin" && ip.Is6() && ip.IsMulticast() && ones > 32 {
-		ones -= 32
-	}
-	re.Dst = RouteDestination{
-		Prefix: netip.PrefixFrom(ip, ones),
-		Zone:   ip.Zone(),
-	}
-}
-
-// routeEntryFromMsg returns a RouteEntry from a single route.Message
-// returned by the operating system.
-func routeEntryFromMsg(ifsByIdx map[int]interfaces.Interface, msg route.Message) (RouteEntry, bool) {
-	rm, ok := msg.(*route.RouteMessage)
-	if !ok {
-		return RouteEntry{}, false
-	}
-
-	// Ignore things that we don't understand
-	if rm.Version < 3 || rm.Version > 5 {
-		return RouteEntry{}, false
-	}
-	if rm.Type != rmExpectedType {
-		return RouteEntry{}, false
-	}
-	if len(rm.Addrs) < unix.RTAX_GATEWAY {
-		return RouteEntry{}, false
-	}
-
-	if rm.Flags&skipFlags != 0 {
-		return RouteEntry{}, false
-	}
-
-	reSys := RouteEntryBSD{
-		RawFlags: rm.Flags,
-	}
-	for fv, fs := range flags {
-		if rm.Flags&fv == fv {
-			reSys.Flags = append(reSys.Flags, fs)
-		}
-	}
-	sort.Strings(reSys.Flags)
-
-	re := RouteEntry{}
-	hasFlag := func(f int) bool { return rm.Flags&f != 0 }
-	switch {
-	case hasFlag(unix.RTF_LOCAL):
-		re.Type = RouteTypeLocal
-	case hasFlag(unix.RTF_BROADCAST):
-		re.Type = RouteTypeBroadcast
-	case hasFlag(unix.RTF_MULTICAST):
-		re.Type = RouteTypeMulticast
-
-	// From the manpage: "host entry (net otherwise)"
-	case !hasFlag(unix.RTF_HOST):
-		re.Type = RouteTypeUnicast
-
-	default:
-		re.Type = RouteTypeOther
-	}
-	populateDestination(&re, ifsByIdx, rm)
-	if unix.RTAX_GATEWAY < len(rm.Addrs) {
-		populateGateway(&re, &reSys, ifsByIdx, rm.Addrs[unix.RTAX_GATEWAY])
-	}
-
-	if outif, ok := ifsByIdx[rm.Index]; ok {
-		re.Interface = outif.Name
-	}
-
-	re.Sys = reSys
-	return re, true
-}
-
-// Get returns route entries from the system route table, limited to at most
-// 'max' results.
-func Get(max int) ([]RouteEntry, error) {
-	// Fetching the list of interfaces can race with fetching our route
-	// table, but we do it anyway since it's helpful for debugging.
-	ifs, err := interfaces.GetList()
-	if err != nil {
-		return nil, err
-	}
-
-	ifsByIdx := make(map[int]interfaces.Interface)
-	for _, iif := range ifs {
-		ifsByIdx[iif.Index] = iif
-	}
-
-	rib, err := route.FetchRIB(syscall.AF_UNSPEC, ribType, 0)
-	if err != nil {
-		return nil, err
-	}
-	msgs, err := route.ParseRIB(parseType, rib)
-	if err != nil {
-		return nil, err
-	}
-
-	var ret []RouteEntry
-	for _, m := range msgs {
-		re, ok := routeEntryFromMsg(ifsByIdx, m)
-		if ok {
-			ret = append(ret, re)
-			if len(ret) == max {
-				break
-			}
-		}
-	}
-	return ret, nil
-}

net/routetable/routetable_bsd_test.go

@@ -1,435 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build darwin || freebsd
-// +build darwin freebsd
-
-package routetable
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"reflect"
-	"runtime"
-	"testing"
-
-	"golang.org/x/net/route"
-	"golang.org/x/sys/unix"
-	"tailscale.com/net/interfaces"
-)
-
-func TestRouteEntryFromMsg(t *testing.T) {
-	ifs := map[int]interfaces.Interface{
-		1: {
-			Interface: &net.Interface{
-				Name: "iface0",
-			},
-		},
-		2: {
-			Interface: &net.Interface{
-				Name: "tailscale0",
-			},
-		},
-	}
-
-	ip4 := func(s string) *route.Inet4Addr {
-		ip := netip.MustParseAddr(s)
-		return &route.Inet4Addr{IP: ip.As4()}
-	}
-	ip6 := func(s string) *route.Inet6Addr {
-		ip := netip.MustParseAddr(s)
-		return &route.Inet6Addr{IP: ip.As16()}
-	}
-	ip6zone := func(s string, idx int) *route.Inet6Addr {
-		ip := netip.MustParseAddr(s)
-		return &route.Inet6Addr{IP: ip.As16(), ZoneID: idx}
-	}
-	link := func(idx int, addr string) *route.LinkAddr {
-		if _, found := ifs[idx]; !found {
-			panic("index not found")
-		}
-
-		ret := &route.LinkAddr{
-			Index: idx,
-		}
-		if addr != "" {
-			ret.Addr = make([]byte, 6)
-			fmt.Sscanf(addr, "%02x:%02x:%02x:%02x:%02x:%02x",
-				&ret.Addr[0],
-				&ret.Addr[1],
-				&ret.Addr[2],
-				&ret.Addr[3],
-				&ret.Addr[4],
-				&ret.Addr[5],
-			)
-		}
-		return ret
-	}
-
-	type testCase struct {
-		name string
-		msg  *route.RouteMessage
-		want RouteEntry
-		fail bool
-	}
-
-	testCases := []testCase{
-		{
-			name: "BasicIPv4",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip4("1.2.3.4"),       // dst
-					ip4("1.2.3.1"),       // gateway
-					ip4("255.255.255.0"), // netmask
-				},
-			},
-			want: RouteEntry{
-				Family:  4,
-				Type:    RouteTypeUnicast,
-				Dst:     RouteDestination{Prefix: netip.MustParsePrefix("1.2.3.4/24")},
-				Gateway: netip.MustParseAddr("1.2.3.1"),
-				Sys:     RouteEntryBSD{},
-			},
-		},
-		{
-			name: "BasicIPv6",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip6("fd7a:115c:a1e0::"), // dst
-					ip6("1234::"),           // gateway
-					ip6("ffff:ffff:ffff::"), // netmask
-				},
-			},
-			want: RouteEntry{
-				Family:  6,
-				Type:    RouteTypeUnicast,
-				Dst:     RouteDestination{Prefix: netip.MustParsePrefix("fd7a:115c:a1e0::/48")},
-				Gateway: netip.MustParseAddr("1234::"),
-				Sys:     RouteEntryBSD{},
-			},
-		},
-		{
-			name: "IPv6WithZone",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip6zone("fe80::", 2),         // dst
-					ip6("1234::"),                // gateway
-					ip6("ffff:ffff:ffff:ffff::"), // netmask
-				},
-			},
-			want: RouteEntry{
-				Family:  6,
-				Type:    RouteTypeUnicast, // TODO
-				Dst:     RouteDestination{Prefix: netip.MustParsePrefix("fe80::/64"), Zone: "tailscale0"},
-				Gateway: netip.MustParseAddr("1234::"),
-				Sys:     RouteEntryBSD{},
-			},
-		},
-		{
-			name: "IPv6WithUnknownZone",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip6zone("fe80::", 4),         // dst
-					ip6("1234::"),                // gateway
-					ip6("ffff:ffff:ffff:ffff::"), // netmask
-				},
-			},
-			want: RouteEntry{
-				Family:  6,
-				Type:    RouteTypeUnicast, // TODO
-				Dst:     RouteDestination{Prefix: netip.MustParsePrefix("fe80::/64"), Zone: "4"},
-				Gateway: netip.MustParseAddr("1234::"),
-				Sys:     RouteEntryBSD{},
-			},
-		},
-		{
-			name: "DefaultIPv4",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip4("0.0.0.0"), // dst
-					ip4("1.2.3.4"), // gateway
-					ip4("0.0.0.0"), // netmask
-				},
-			},
-			want: RouteEntry{
-				Family:  4,
-				Type:    RouteTypeUnicast,
-				Dst:     defaultRouteIPv4,
-				Gateway: netip.MustParseAddr("1.2.3.4"),
-				Sys:     RouteEntryBSD{},
-			},
-		},
-		{
-			name: "DefaultIPv6",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip6("0::"),    // dst
-					ip6("1234::"), // gateway
-					ip6("0::"),    // netmask
-				},
-			},
-			want: RouteEntry{
-				Family:  6,
-				Type:    RouteTypeUnicast,
-				Dst:     defaultRouteIPv6,
-				Gateway: netip.MustParseAddr("1234::"),
-				Sys:     RouteEntryBSD{},
-			},
-		},
-		{
-			name: "ShortAddrs",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip4("1.2.3.4"), // dst
-				},
-			},
-			want: RouteEntry{
-				Family: 4,
-				Type:   RouteTypeUnicast,
-				Dst:    RouteDestination{Prefix: netip.MustParsePrefix("1.2.3.4/32")},
-				Sys:    RouteEntryBSD{},
-			},
-		},
-		{
-			name: "TailscaleIPv4",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip4("100.64.0.0"), // dst
-					link(2, ""),
-					ip4("255.192.0.0"), // netmask
-				},
-			},
-			want: RouteEntry{
-				Family: 4,
-				Type:   RouteTypeUnicast,
-				Dst:    RouteDestination{Prefix: netip.MustParsePrefix("100.64.0.0/10")},
-				Sys: RouteEntryBSD{
-					GatewayInterface: "tailscale0",
-					GatewayIdx:       2,
-				},
-			},
-		},
-		{
-			name: "Flags",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip4("1.2.3.4"),       // dst
-					ip4("1.2.3.1"),       // gateway
-					ip4("255.255.255.0"), // netmask
-				},
-				Flags: unix.RTF_STATIC | unix.RTF_GATEWAY | unix.RTF_UP,
-			},
-			want: RouteEntry{
-				Family:  4,
-				Type:    RouteTypeUnicast,
-				Dst:     RouteDestination{Prefix: netip.MustParsePrefix("1.2.3.4/24")},
-				Gateway: netip.MustParseAddr("1.2.3.1"),
-				Sys: RouteEntryBSD{
-					Flags:    []string{"gateway", "static", "up"},
-					RawFlags: unix.RTF_STATIC | unix.RTF_GATEWAY | unix.RTF_UP,
-				},
-			},
-		},
-		{
-			name: "SkipNoAddrs",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs:   []route.Addr{},
-			},
-			fail: true,
-		},
-		{
-			name: "SkipBadVersion",
-			msg: &route.RouteMessage{
-				Version: 1,
-			},
-			fail: true,
-		},
-		{
-			name: "SkipBadType",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType + 1,
-			},
-			fail: true,
-		},
-		{
-			name: "OutputIface",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Index:   1,
-				Addrs: []route.Addr{
-					ip4("1.2.3.4"), // dst
-				},
-			},
-			want: RouteEntry{
-				Family:    4,
-				Type:      RouteTypeUnicast,
-				Dst:       RouteDestination{Prefix: netip.MustParsePrefix("1.2.3.4/32")},
-				Interface: "iface0",
-				Sys:       RouteEntryBSD{},
-			},
-		},
-		{
-			name: "GatewayMAC",
-			msg: &route.RouteMessage{
-				Version: 3,
-				Type:    rmExpectedType,
-				Addrs: []route.Addr{
-					ip4("100.64.0.0"), // dst
-					link(1, "01:02:03:04:05:06"),
-					ip4("255.192.0.0"), // netmask
-				},
-			},
-			want: RouteEntry{
-				Family: 4,
-				Type:   RouteTypeUnicast,
-				Dst:    RouteDestination{Prefix: netip.MustParsePrefix("100.64.0.0/10")},
-				Sys: RouteEntryBSD{
-					GatewayAddr:      "01:02:03:04:05:06",
-					GatewayInterface: "iface0",
-					GatewayIdx:       1,
-				},
-			},
-		},
-	}
-
-	if runtime.GOOS == "darwin" {
-		testCases = append(testCases,
-			testCase{
-				name: "SkipFlags",
-				msg: &route.RouteMessage{
-					Version: 3,
-					Type:    rmExpectedType,
-					Addrs: []route.Addr{
-						ip4("1.2.3.4"),       // dst
-						ip4("1.2.3.1"),       // gateway
-						ip4("255.255.255.0"), // netmask
-					},
-					Flags: unix.RTF_UP | skipFlags,
-				},
-				fail: true,
-			},
-			testCase{
-				name: "NetmaskAdjust",
-				msg: &route.RouteMessage{
-					Version: 3,
-					Type:    rmExpectedType,
-					Flags:   unix.RTF_MULTICAST,
-					Addrs: []route.Addr{
-						ip6("ff00::"),           // dst
-						ip6("1234::"),           // gateway
-						ip6("ffff:ffff:ff00::"), // netmask
-					},
-				},
-				want: RouteEntry{
-					Family:  6,
-					Type:    RouteTypeMulticast,
-					Dst:     RouteDestination{Prefix: netip.MustParsePrefix("ff00::/8")},
-					Gateway: netip.MustParseAddr("1234::"),
-					Sys: RouteEntryBSD{
-						Flags:    []string{"multicast"},
-						RawFlags: unix.RTF_MULTICAST,
-					},
-				},
-			},
-		)
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			re, ok := routeEntryFromMsg(ifs, tc.msg)
-			if wantOk := !tc.fail; ok != wantOk {
-				t.Fatalf("ok = %v; want %v", ok, wantOk)
-			}
-
-			if !reflect.DeepEqual(re, tc.want) {
-				t.Fatalf("RouteEntry mismatch:\n got: %+v\nwant: %+v", re, tc.want)
-			}
-		})
-	}
-}
-
-func TestRouteEntryFormatting(t *testing.T) {
-	testCases := []struct {
-		re   RouteEntry
-		want string
-	}{
-		{
-			re: RouteEntry{
-				Family:    4,
-				Type:      RouteTypeUnicast,
-				Dst:       RouteDestination{Prefix: netip.MustParsePrefix("1.2.3.0/24")},
-				Interface: "en0",
-				Sys: RouteEntryBSD{
-					GatewayInterface: "en0",
-					Flags:            []string{"static", "up"},
-				},
-			},
-			want: `{Family: IPv4, Dst: 1.2.3.0/24, Interface: en0, Sys: {GatewayInterface: en0, Flags: [static up]}}`,
-		},
-		{
-			re: RouteEntry{
-				Family:    6,
-				Type:      RouteTypeUnicast,
-				Dst:       RouteDestination{Prefix: netip.MustParsePrefix("fd7a:115c:a1e0::/24")},
-				Interface: "en0",
-				Sys: RouteEntryBSD{
-					GatewayIdx: 3,
-					Flags:      []string{"static", "up"},
-				},
-			},
-			want: `{Family: IPv6, Dst: fd7a:115c:a1e0::/24, Interface: en0, Sys: {GatewayIdx: 3, Flags: [static up]}}`,
-		},
-	}
-	for _, tc := range testCases {
-		t.Run("", func(t *testing.T) {
-			got := fmt.Sprint(tc.re)
-			if got != tc.want {
-				t.Fatalf("RouteEntry.String() mismatch\n got: %q\nwant: %q", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestGetRouteTable(t *testing.T) {
-	routes, err := Get(1000)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Basic assertion: we have at least one 'default' route
-	var (
-		hasDefault bool
-	)
-	for _, route := range routes {
-		if route.Dst == defaultRouteIPv4 || route.Dst == defaultRouteIPv6 {
-			hasDefault = true
-		}
-	}
-	if !hasDefault {
-		t.Errorf("expected at least one default route; routes=%v", routes)
-	}
-}

net/routetable/routetable_darwin.go

@@ -1,33 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build darwin
-// +build darwin
-
-package routetable
-
-import "golang.org/x/sys/unix"
-
-const (
-	ribType        = unix.NET_RT_DUMP2
-	parseType      = unix.NET_RT_IFLIST2
-	rmExpectedType = unix.RTM_GET2
-
-	// Skip routes that were cloned from a parent
-	skipFlags = unix.RTF_WASCLONED
-)
-
-var flags = map[int]string{
-	unix.RTF_BLACKHOLE: "blackhole",
-	unix.RTF_BROADCAST: "broadcast",
-	unix.RTF_GATEWAY:   "gateway",
-	unix.RTF_GLOBAL:    "global",
-	unix.RTF_HOST:      "host",
-	unix.RTF_IFSCOPE:   "ifscope",
-	unix.RTF_MULTICAST: "multicast",
-	unix.RTF_REJECT:    "reject",
-	unix.RTF_ROUTER:    "router",
-	unix.RTF_STATIC:    "static",
-	unix.RTF_UP:        "up",
-}

net/routetable/routetable_freebsd.go

@@ -1,30 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build freebsd
-// +build freebsd
-
-package routetable
-
-import "golang.org/x/sys/unix"
-
-const (
-	ribType        = unix.NET_RT_DUMP
-	parseType      = unix.NET_RT_IFLIST
-	rmExpectedType = unix.RTM_GET
-
-	// Nothing to skip
-	skipFlags = 0
-)
-
-var flags = map[int]string{
-	unix.RTF_BLACKHOLE: "blackhole",
-	unix.RTF_BROADCAST: "broadcast",
-	unix.RTF_GATEWAY:   "gateway",
-	unix.RTF_HOST:      "host",
-	unix.RTF_MULTICAST: "multicast",
-	unix.RTF_REJECT:    "reject",
-	unix.RTF_STATIC:    "static",
-	unix.RTF_UP:        "up",
-}

net/routetable/routetable_linux.go

@@ -1,231 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-// +build linux
-
-package routetable
-
-import (
-	"bufio"
-	"fmt"
-	"net/netip"
-	"strconv"
-
-	"github.com/tailscale/netlink"
-	"golang.org/x/sys/unix"
-	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netaddr"
-	"tailscale.com/types/logger"
-)
-
-// RouteEntryLinux is the structure that makes up the Sys field of the
-// RouteEntry structure.
-type RouteEntryLinux struct {
-	// Type is the raw type of the route.
-	Type int
-	// Table is the routing table index of this route.
-	Table int
-	// Src is the source of the route (if any).
-	Src netip.Addr
-	// Proto describes the source of the route--i.e. what caused this route
-	// to be added to the route table.
-	Proto netlink.RouteProtocol
-	// Priority is the route's priority.
-	Priority int
-	// Scope is the route's scope.
-	Scope int
-	// InputInterfaceIdx is the input interface index.
-	InputInterfaceIdx int
-	// InputInterfaceName is the input interface name (if available).
-	InputInterfaceName string
-}
-
-// Format implements the fmt.Formatter interface.
-func (r RouteEntryLinux) Format(f fmt.State, verb rune) {
-	logger.ArgWriter(func(w *bufio.Writer) {
-		// TODO(andrew): should we skip printing anything if type is unicast?
-		fmt.Fprintf(w, "{Type: %s", r.TypeName())
-
-		// Match 'ip route' behaviour when printing these fields
-		if r.Table != unix.RT_TABLE_MAIN {
-			fmt.Fprintf(w, ", Table: %s", r.TableName())
-		}
-		if r.Proto != unix.RTPROT_BOOT {
-			fmt.Fprintf(w, ", Proto: %s", r.Proto)
-		}
-
-		if r.Src.IsValid() {
-			fmt.Fprintf(w, ", Src: %s", r.Src)
-		}
-		if r.Priority != 0 {
-			fmt.Fprintf(w, ", Priority: %d", r.Priority)
-		}
-		if r.Scope != unix.RT_SCOPE_UNIVERSE {
-			fmt.Fprintf(w, ", Scope: %s", r.ScopeName())
-		}
-		if r.InputInterfaceName != "" {
-			fmt.Fprintf(w, ", InputInterfaceName: %s", r.InputInterfaceName)
-		} else if r.InputInterfaceIdx != 0 {
-			fmt.Fprintf(w, ", InputInterfaceIdx: %d", r.InputInterfaceIdx)
-		}
-		w.WriteString("}")
-	}).Format(f, verb)
-}
-
-// TypeName returns the string representation of this route's Type.
-func (r RouteEntryLinux) TypeName() string {
-	switch r.Type {
-	case unix.RTN_UNSPEC:
-		return "none"
-	case unix.RTN_UNICAST:
-		return "unicast"
-	case unix.RTN_LOCAL:
-		return "local"
-	case unix.RTN_BROADCAST:
-		return "broadcast"
-	case unix.RTN_ANYCAST:
-		return "anycast"
-	case unix.RTN_MULTICAST:
-		return "multicast"
-	case unix.RTN_BLACKHOLE:
-		return "blackhole"
-	case unix.RTN_UNREACHABLE:
-		return "unreachable"
-	case unix.RTN_PROHIBIT:
-		return "prohibit"
-	case unix.RTN_THROW:
-		return "throw"
-	case unix.RTN_NAT:
-		return "nat"
-	case unix.RTN_XRESOLVE:
-		return "xresolve"
-	default:
-		return strconv.Itoa(r.Type)
-	}
-}
-
-// TableName returns the string representation of this route's Table.
-func (r RouteEntryLinux) TableName() string {
-	switch r.Table {
-	case unix.RT_TABLE_DEFAULT:
-		return "default"
-	case unix.RT_TABLE_MAIN:
-		return "main"
-	case unix.RT_TABLE_LOCAL:
-		return "local"
-	default:
-		return strconv.Itoa(r.Table)
-	}
-}
-
-// ScopeName returns the string representation of this route's Scope.
-func (r RouteEntryLinux) ScopeName() string {
-	switch r.Scope {
-	case unix.RT_SCOPE_UNIVERSE:
-		return "global"
-	case unix.RT_SCOPE_NOWHERE:
-		return "nowhere"
-	case unix.RT_SCOPE_HOST:
-		return "host"
-	case unix.RT_SCOPE_LINK:
-		return "link"
-	case unix.RT_SCOPE_SITE:
-		return "site"
-	default:
-		return strconv.Itoa(r.Scope)
-	}
-}
-
-// Get returns route entries from the system route table, limited to at most
-// max results.
-func Get(max int) ([]RouteEntry, error) {
-	// Fetching the list of interfaces can race with fetching our route
-	// table, but we do it anyway since it's helpful for debugging.
-	ifs, err := interfaces.GetList()
-	if err != nil {
-		return nil, err
-	}
-
-	ifsByIdx := make(map[int]interfaces.Interface)
-	for _, iif := range ifs {
-		ifsByIdx[iif.Index] = iif
-	}
-
-	filter := &netlink.Route{}
-	routes, err := netlink.RouteListFiltered(netlink.FAMILY_ALL, filter, netlink.RT_FILTER_TABLE)
-	if err != nil {
-		return nil, err
-	}
-
-	var ret []RouteEntry
-	for _, route := range routes {
-		if route.Family != netlink.FAMILY_V4 && route.Family != netlink.FAMILY_V6 {
-			continue
-		}
-
-		re := RouteEntry{}
-		if route.Family == netlink.FAMILY_V4 {
-			re.Family = 4
-		} else {
-			re.Family = 6
-		}
-		switch route.Type {
-		case unix.RTN_UNSPEC:
-			re.Type = RouteTypeUnspecified
-		case unix.RTN_UNICAST:
-			re.Type = RouteTypeUnicast
-		case unix.RTN_LOCAL:
-			re.Type = RouteTypeLocal
-		case unix.RTN_BROADCAST:
-			re.Type = RouteTypeBroadcast
-		case unix.RTN_MULTICAST:
-			re.Type = RouteTypeMulticast
-		default:
-			re.Type = RouteTypeOther
-		}
-		if route.Dst != nil {
-			if d, ok := netaddr.FromStdIPNet(route.Dst); ok {
-				re.Dst = RouteDestination{Prefix: d}
-			}
-		} else if route.Family == netlink.FAMILY_V4 {
-			re.Dst = RouteDestination{Prefix: netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
-		} else {
-			re.Dst = RouteDestination{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
-		}
-		if gw := route.Gw; gw != nil {
-			if gwa, ok := netip.AddrFromSlice(gw); ok {
-				re.Gateway = gwa
-			}
-		}
-		if outif, ok := ifsByIdx[route.LinkIndex]; ok {
-			re.Interface = outif.Name
-		} else if route.LinkIndex > 0 {
-			re.Interface = fmt.Sprintf("link#%d", route.LinkIndex)
-		}
-		reSys := RouteEntryLinux{
-			Type:              route.Type,
-			Table:             route.Table,
-			Proto:             route.Protocol,
-			Priority:          route.Priority,
-			Scope:             int(route.Scope),
-			InputInterfaceIdx: route.ILinkIndex,
-		}
-		if src, ok := netip.AddrFromSlice(route.Src); ok {
-			reSys.Src = src
-		}
-		if iif, ok := ifsByIdx[route.ILinkIndex]; ok {
-			reSys.InputInterfaceName = iif.Name
-		}
-
-		re.Sys = reSys
-		ret = append(ret, re)
-
-		// Stop after we've reached the maximum number of routes
-		if len(ret) == max {
-			break
-		}
-	}
-	return ret, nil
-}

net/routetable/routetable_linux_test.go

@@ -1,83 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-// +build linux
-
-package routetable
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	"golang.org/x/sys/unix"
-)
-
-func TestGetRouteTable(t *testing.T) {
-	routes, err := Get(1000)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Basic assertion: we have at least one 'default' route in the main table
-	var (
-		hasDefault bool
-	)
-	for _, route := range routes {
-		if route.Dst == defaultRouteIPv4 && route.Sys.(RouteEntryLinux).Table == unix.RT_TABLE_MAIN {
-			hasDefault = true
-		}
-	}
-	if !hasDefault {
-		t.Errorf("expected at least one default route; routes=%v", routes)
-	}
-}
-
-func TestRouteEntryFormatting(t *testing.T) {
-	testCases := []struct {
-		re   RouteEntry
-		want string
-	}{
-		{
-			re: RouteEntry{
-				Family:    4,
-				Type:      RouteTypeMulticast,
-				Dst:       RouteDestination{Prefix: netip.MustParsePrefix("100.64.0.0/10")},
-				Gateway:   netip.MustParseAddr("1.2.3.1"),
-				Interface: "tailscale0",
-				Sys: RouteEntryLinux{
-					Type:     unix.RTN_UNICAST,
-					Table:    52,
-					Proto:    unix.RTPROT_STATIC,
-					Src:      netip.MustParseAddr("1.2.3.4"),
-					Priority: 555,
-				},
-			},
-			want: `{Family: IPv4, Type: multicast, Dst: 100.64.0.0/10, Gateway: 1.2.3.1, Interface: tailscale0, Sys: {Type: unicast, Table: 52, Proto: static, Src: 1.2.3.4, Priority: 555}}`,
-		},
-		{
-			re: RouteEntry{
-				Family:  4,
-				Type:    RouteTypeUnicast,
-				Dst:     RouteDestination{Prefix: netip.MustParsePrefix("1.2.3.0/24")},
-				Gateway: netip.MustParseAddr("1.2.3.1"),
-				Sys: RouteEntryLinux{
-					Type:  unix.RTN_UNICAST,
-					Table: unix.RT_TABLE_MAIN,
-					Proto: unix.RTPROT_BOOT,
-				},
-			},
-			want: `{Family: IPv4, Dst: 1.2.3.0/24, Gateway: 1.2.3.1, Sys: {Type: unicast}}`,
-		},
-	}
-	for _, tc := range testCases {
-		t.Run("", func(t *testing.T) {
-			got := fmt.Sprint(tc.re)
-			if got != tc.want {
-				t.Fatalf("RouteEntry.String() = %q; want %q", got, tc.want)
-			}
-		})
-	}
-}

net/routetable/routetable_other.go

@@ -1,18 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !linux && !darwin && !freebsd
-
-package routetable
-
-import (
-	"errors"
-	"runtime"
-)
-
-var errUnsupported = errors.New("cannot get route table on platform " + runtime.GOOS)
-
-func Get(max int) ([]RouteEntry, error) {
-	return nil, errUnsupported
-}

tailcfg/tailcfg.go

@@ -81,8 +81,7 @@ type CapabilityVersion int
 //   - 42: 2022-09-06: NextDNS DoH support; see https://github.com/tailscale/tailscale/pull/5556
 //   - 43: 2022-09-21: clients can return usernames for SSH
 //   - 44: 2022-09-22: MapResponse.ControlDialPlan
-//   - 45: 2022-09-26: c2n /debug/{goroutines,prefs,metrics}
-const CurrentCapabilityVersion CapabilityVersion = 45
+const CurrentCapabilityVersion CapabilityVersion = 44
 
 type StableID string
 

tailcfg/tka.go

@@ -12,11 +12,9 @@ import (
 // TKAInitBeginRequest submits a genesis AUM to seed the creation of the
 // tailnet's key authority.
 type TKAInitBeginRequest struct {
-	// Version is the client's capabilities.
-	Version CapabilityVersion
-
-	// NodeKey is the client's current node key.
-	NodeKey key.NodePublic
+	// NodeID is the node of the initiating client.
+	// It must match the machine key being used to communicate over noise.
+	NodeID NodeID
 
 	// GenesisAUM is the initial (genesis) AUM that the node generated
 	// to bootstrap tailnet key authority state.
@@ -60,11 +58,8 @@ type TKAInitBeginResponse struct {
 // This RPC finalizes initialization of the tailnet key authority
 // by submitting node-key signatures for all existing nodes.
 type TKAInitFinishRequest struct {
-	// Version is the client's capabilities.
-	Version CapabilityVersion
-
-	// NodeKey is the client's current node key.
-	NodeKey key.NodePublic
+	// NodeID is the node ID of the initiating client.
+	NodeID NodeID
 
 	// Signatures are serialized tka.NodeKeySignatures for all nodes
 	// in the tailnet.
@@ -106,12 +101,8 @@ type TKAInfo struct {
 // TKABootstrapRequest is sent by a node to get information necessary for
 // enabling or disabling the tailnet key authority.
 type TKABootstrapRequest struct {
-	// Version is the client's capabilities.
-	Version CapabilityVersion
-
-	// NodeKey is the client's current node key.
-	NodeKey key.NodePublic
-
+	// NodeID is the node ID of the initiating client.
+	NodeID NodeID
 	// Head represents the node's head AUMHash (tka.Authority.Head), if
 	// network lock is enabled.
 	Head string
@@ -131,12 +122,8 @@ type TKABootstrapResponse struct {
 // state (TKA). Values of type tka.AUMHash are encoded as strings in their
 // MarshalText form.
 type TKASyncOfferRequest struct {
-	// Version is the client's capabilities.
-	Version CapabilityVersion
-
-	// NodeKey is the client's current node key.
-	NodeKey key.NodePublic
-
+	// NodeID is the node ID of the initiating client.
+	NodeID NodeID
 	// Head represents the node's head AUMHash (tka.Authority.Head). This
 	// corresponds to tka.SyncOffer.Head.
 	Head string
@@ -164,12 +151,8 @@ type TKASyncOfferResponse struct {
 // TKASyncSendRequest encodes AUMs that a node believes the control plane
 // is missing.
 type TKASyncSendRequest struct {
-	// Version is the client's capabilities.
-	Version CapabilityVersion
-
-	// NodeKey is the client's current node key.
-	NodeKey key.NodePublic
-
+	// NodeID is the node ID of the initiating client.
+	NodeID NodeID
 	// MissingAUMs encodes AUMs that the node believes the control plane
 	// is missing.
 	MissingAUMs []tkatype.MarshaledAUM

tka/aum.go

@@ -50,6 +50,7 @@ func (h AUMHash) IsZero() bool {
 	return h == (AUMHash{})
 }
 
+
 // AUMKind describes valid AUM types.
 type AUMKind uint8
 

tka/builder.go

@@ -6,7 +6,6 @@ package tka
 
 import (
 	"fmt"
-	"os"
 
 	"tailscale.com/types/tkatype"
 )
@@ -93,62 +92,8 @@ func (b *UpdateBuilder) SetKeyMeta(keyID tkatype.KeyID, meta map[string]string)
 	return b.mkUpdate(AUM{MessageKind: AUMUpdateKey, Meta: meta, KeyID: keyID})
 }
 
-func (b *UpdateBuilder) generateCheckpoint() error {
-	// Compute the checkpoint state.
-	state := b.a.state
-	for i, update := range b.out {
-		var err error
-		if state, err = state.applyVerifiedAUM(update); err != nil {
-			return fmt.Errorf("applying update %d: %v", i, err)
-		}
-	}
-
-	// Checkpoints cant specify a parent AUM.
-	state.LastAUMHash = nil
-	return b.mkUpdate(AUM{MessageKind: AUMCheckpoint, State: &state})
-}
-
-// checkpointEvery sets how often a checkpoint AUM should be generated.
-const checkpointEvery = 50
-
 // Finalize returns the set of update message to actuate the update.
-func (b *UpdateBuilder) Finalize(storage Chonk) ([]AUM, error) {
-	var (
-		needCheckpoint bool    = true
-		cursor         AUMHash = b.a.Head()
-	)
-	for i := len(b.out); i < checkpointEvery; i++ {
-		aum, err := storage.AUM(cursor)
-		if err != nil {
-			if err == os.ErrNotExist {
-				// The available chain is shorter than the interval to checkpoint at.
-				needCheckpoint = false
-				break
-			}
-			return nil, fmt.Errorf("reading AUM: %v", err)
-		}
-
-		if aum.MessageKind == AUMCheckpoint {
-			needCheckpoint = false
-			break
-		}
-
-		parent, hasParent := aum.Parent()
-		if !hasParent {
-			// We've hit the genesis update, so the chain is shorter than the interval to checkpoint at.
-			needCheckpoint = false
-			break
-		}
-		cursor = parent
-	}
-
-	if needCheckpoint {
-		if err := b.generateCheckpoint(); err != nil {
-			return nil, fmt.Errorf("generating checkpoint: %v", err)
-		}
-	}
-
-	// Check no AUMs were applied in the meantime
+func (b *UpdateBuilder) Finalize() ([]AUM, error) {
 	if len(b.out) > 0 {
 		if parent, _ := b.out[0].Parent(); parent != b.a.Head() {
 			return nil, fmt.Errorf("updates no longer apply to head: based on %x but head is %x", parent, b.a.Head())

tka/builder_test.go

@@ -44,7 +44,7 @@ func TestAuthorityBuilderAddKey(t *testing.T) {
 	if err := b.AddKey(key2); err != nil {
 		t.Fatalf("AddKey(%v) failed: %v", key2, err)
 	}
-	updates, err := b.Finalize(storage)
+	updates, err := b.Finalize()
 	if err != nil {
 		t.Fatalf("Finalize() failed: %v", err)
 	}
@@ -78,7 +78,7 @@ func TestAuthorityBuilderRemoveKey(t *testing.T) {
 	if err := b.RemoveKey(key2.ID()); err != nil {
 		t.Fatalf("RemoveKey(%v) failed: %v", key2, err)
 	}
-	updates, err := b.Finalize(storage)
+	updates, err := b.Finalize()
 	if err != nil {
 		t.Fatalf("Finalize() failed: %v", err)
 	}
@@ -110,7 +110,7 @@ func TestAuthorityBuilderSetKeyVote(t *testing.T) {
 	if err := b.SetKeyVote(key.ID(), 5); err != nil {
 		t.Fatalf("SetKeyVote(%v) failed: %v", key.ID(), err)
 	}
-	updates, err := b.Finalize(storage)
+	updates, err := b.Finalize()
 	if err != nil {
 		t.Fatalf("Finalize() failed: %v", err)
 	}
@@ -146,7 +146,7 @@ func TestAuthorityBuilderSetKeyMeta(t *testing.T) {
 	if err := b.SetKeyMeta(key.ID(), map[string]string{"b": "c"}); err != nil {
 		t.Fatalf("SetKeyMeta(%v) failed: %v", key, err)
 	}
-	updates, err := b.Finalize(storage)
+	updates, err := b.Finalize()
 	if err != nil {
 		t.Fatalf("Finalize() failed: %v", err)
 	}
@@ -191,7 +191,7 @@ func TestAuthorityBuilderMultiple(t *testing.T) {
 	if err := b.RemoveKey(key.ID()); err != nil {
 		t.Fatalf("RemoveKey(%v) failed: %v", key, err)
 	}
-	updates, err := b.Finalize(storage)
+	updates, err := b.Finalize()
 	if err != nil {
 		t.Fatalf("Finalize() failed: %v", err)
 	}
@@ -212,60 +212,3 @@ func TestAuthorityBuilderMultiple(t *testing.T) {
 		t.Errorf("GetKey(key).err = %v, want %v", err, ErrNoSuchKey)
 	}
 }
-
-func TestAuthorityBuilderCheckpointsAfterXUpdates(t *testing.T) {
-	pub, priv := testingKey25519(t, 1)
-	key := Key{Kind: Key25519, Public: pub, Votes: 2}
-
-	storage := &Mem{}
-	a, _, err := Create(storage, State{
-		Keys:               []Key{key},
-		DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
-	}, signer25519(priv))
-	if err != nil {
-		t.Fatalf("Create() failed: %v", err)
-	}
-
-	for i := 0; i <= checkpointEvery; i++ {
-		pub2, _ := testingKey25519(t, int64(i+2))
-		key2 := Key{Kind: Key25519, Public: pub2, Votes: 1}
-
-		b := a.NewUpdater(signer25519(priv))
-		if err := b.AddKey(key2); err != nil {
-			t.Fatalf("AddKey(%v) failed: %v", key2, err)
-		}
-		updates, err := b.Finalize(storage)
-		if err != nil {
-			t.Fatalf("Finalize() failed: %v", err)
-		}
-		// See if the update is valid by applying it to the authority
-		// + checking if the new key is there.
-		if err := a.Inform(storage, updates); err != nil {
-			t.Fatalf("could not apply generated updates: %v", err)
-		}
-		if _, err := a.state.GetKey(key2.ID()); err != nil {
-			t.Fatal(err)
-		}
-
-		wantKind := AUMAddKey
-		if i == checkpointEvery-1 { // Genesis + 49 updates == 50 (the value of checkpointEvery)
-			wantKind = AUMCheckpoint
-		}
-		lastAUM, err := storage.AUM(a.Head())
-		if err != nil {
-			t.Fatal(err)
-		}
-		if lastAUM.MessageKind != wantKind {
-			t.Errorf("[%d] HeadAUM.MessageKind = %v, want %v", i, lastAUM.MessageKind, wantKind)
-		}
-	}
-
-	// Try starting an authority just based on storage.
-	a2, err := Open(storage)
-	if err != nil {
-		t.Fatalf("Failed to open from stored AUMs: %v", err)
-	}
-	if a.Head() != a2.Head() {
-		t.Errorf("stored and computed HEAD differ: got %v, want %v", a2.Head(), a.Head())
-	}
-}

tka/tka.go

@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"reflect"
 	"sort"
 
 	"github.com/fxamacker/cbor/v2"
@@ -182,18 +181,6 @@ func advanceByPrimary(state State, candidates []AUM) (next *AUM, out State, err
 	}
 
 	aum := pickNextAUM(state, candidates)
-
-	// TODO(tom): Remove this before GA, this is just a correctness check during implementation.
-	// Post-GA, we want clients to not error if they dont recognize additional fields in State.
-	if aum.MessageKind == AUMCheckpoint {
-		dupe := state
-		dupe.LastAUMHash = nil
-		// aum.State is non-nil (see aum.StaticValidate).
-		if !reflect.DeepEqual(dupe, *aum.State) {
-			return nil, State{}, errors.New("checkpoint includes changes not represented in earlier AUMs")
-		}
-	}
-
 	if state, err = state.applyVerifiedAUM(aum); err != nil {
 		return nil, State{}, fmt.Errorf("advancing state: %v", err)
 	}
@@ -257,6 +244,10 @@ func fastForward(storage Chonk, maxIter int, startState State, done func(curAUM
 
 // computeStateAt returns the State at wantHash.
 func computeStateAt(storage Chonk, maxIter int, wantHash AUMHash) (State, error) {
+	// TODO(tom): This is going to get expensive for really long
+	//            chains. We should make nodes emit a checkpoint every
+	//            X updates or something.
+
 	topAUM, err := storage.AUM(wantHash)
 	if err != nil {
 		return State{}, err

types/logger/logger.go

@@ -138,8 +138,6 @@ var rateFree = []string{
 	"SetPrefs: %v",
 	"peer keys: %s",
 	"v%v peers: %v",
-	// debug messages printed by 'tailscale bugreport'
-	"diag: ",
 }
 
 // RateLimitedFn is a wrapper for RateLimitedFnWithClock that includes the

util/deephash/deephash.go

@@ -106,20 +106,9 @@ func (s1 *Sum) xor(s2 Sum) {
 }
 
 func (s Sum) String() string {
-	// Note: if we change this, keep in sync with AppendTo
 	return hex.EncodeToString(s.sum[:])
 }
 
-// AppendTo appends the string encoding of this sum (as returned by the String
-// method) to the provided byte slice and returns the extended buffer.
-func (s Sum) AppendTo(b []byte) []byte {
-	// TODO: switch to upstream implementation if accepted:
-	// https://github.com/golang/go/issues/53693
-	var lb [len(s.sum) * 2]byte
-	hex.Encode(lb[:], s.sum[:])
-	return append(b, lb[:]...)
-}
-
 var (
 	seedOnce sync.Once
 	seed     uint64

util/deephash/deephash_test.go

@@ -1050,25 +1050,3 @@ func FuzzAddr(f *testing.F) {
 		}
 	})
 }
-
-func TestAppendTo(t *testing.T) {
-	v := getVal()
-	h := Hash(v)
-	sum := h.AppendTo(nil)
-
-	if s := h.String(); s != string(sum) {
-		t.Errorf("hash sum mismatch; h.String()=%q h.AppendTo()=%q", s, string(sum))
-	}
-}
-
-func BenchmarkAppendTo(b *testing.B) {
-	b.ReportAllocs()
-	v := getVal()
-	h := Hash(v)
-
-	hashBuf := make([]byte, 0, 100)
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		hashBuf = h.AppendTo(hashBuf[:0])
-	}
-}

util/goroutines/goroutines.go

@@ -1,93 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The goroutines package contains utilities for getting active goroutines.
-package goroutines
-
-import (
-	"bytes"
-	"fmt"
-	"runtime"
-	"strconv"
-)
-
-// ScrubbedGoroutineDump returns the list of all current goroutines, but with the actual
-// values of arguments scrubbed out, lest it contain some private key material.
-func ScrubbedGoroutineDump() []byte {
-	var buf []byte
-	// Grab stacks multiple times into increasingly larger buffer sizes
-	// to minimize the risk that we blow past our iOS memory limit.
-	for size := 1 << 10; size <= 1<<20; size += 1 << 10 {
-		buf = make([]byte, size)
-		buf = buf[:runtime.Stack(buf, true)]
-		if len(buf) < size {
-			// It fit.
-			break
-		}
-	}
-	return scrubHex(buf)
-}
-
-func scrubHex(buf []byte) []byte {
-	saw := map[string][]byte{} // "0x123" => "v1%3" (unique value 1 and its value mod 8)
-
-	foreachHexAddress(buf, func(in []byte) {
-		if string(in) == "0x0" {
-			return
-		}
-		if v, ok := saw[string(in)]; ok {
-			for i := range in {
-				in[i] = '_'
-			}
-			copy(in, v)
-			return
-		}
-		inStr := string(in)
-		u64, err := strconv.ParseUint(string(in[2:]), 16, 64)
-		for i := range in {
-			in[i] = '_'
-		}
-		if err != nil {
-			in[0] = '?'
-			return
-		}
-		v := []byte(fmt.Sprintf("v%d%%%d", len(saw)+1, u64%8))
-		saw[inStr] = v
-		copy(in, v)
-	})
-	return buf
-}
-
-var ohx = []byte("0x")
-
-// foreachHexAddress calls f with each subslice of b that matches
-// regexp `0x[0-9a-f]*`.
-func foreachHexAddress(b []byte, f func([]byte)) {
-	for len(b) > 0 {
-		i := bytes.Index(b, ohx)
-		if i == -1 {
-			return
-		}
-		b = b[i:]
-		hx := hexPrefix(b)
-		f(hx)
-		b = b[len(hx):]
-	}
-}
-
-func hexPrefix(b []byte) []byte {
-	for i, c := range b {
-		if i < 2 {
-			continue
-		}
-		if !isHexByte(c) {
-			return b[:i]
-		}
-	}
-	return b
-}
-
-func isHexByte(b byte) bool {
-	return '0' <= b && b <= '9' || 'a' <= b && b <= 'f' || 'A' <= b && b <= 'F'
-}

wgengine/netstack/netstack.go

@@ -987,19 +987,16 @@ func (ns *Impl) acceptUDP(r *udp.ForwarderRequest) {
 	}
 	dstAddr, ok := ipPortOfNetstackAddr(sess.LocalAddress, sess.LocalPort)
 	if !ok {
-		ep.Close()
 		return
 	}
 	srcAddr, ok := ipPortOfNetstackAddr(sess.RemoteAddress, sess.RemotePort)
 	if !ok {
-		ep.Close()
 		return
 	}
 
 	// Handle magicDNS traffic (via UDP) here.
 	if dst := dstAddr.Addr(); dst == magicDNSIP || dst == magicDNSIPv6 {
 		if dstAddr.Port() != 53 {
-			ep.Close()
 			return // Only MagicDNS traffic runs on the service IPs for now.
 		}