VERSION.txt: this is v1.58.2

Signed-off-by: kari-ts <kari@tailscale.com>

Makefile

@@ -3,6 +3,8 @@ SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"
 TAGS ?= "latest"
 
+PLATFORM ?= "flyio" ## flyio==linux/amd64. Set to "" to build all platforms.
+
 vet: ## Run go vet
 	./tool/go vet ./...
 
@@ -88,7 +90,7 @@ publishdevimage: ## Build and publish tailscale image to location specified by $
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=client ./build_docker.sh
 
 publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
@@ -96,7 +98,7 @@ publishdevoperator: ## Build and publish k8s-operator image to location specifie
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=operator ./build_docker.sh
 
 help: ## Show this help
 	@echo "\nSpecify a command. The choices are:\n"

VERSION.txt

@@ -1 +1 @@
-1.57.0
+1.58.2

appc/appconnector.go

@@ -10,6 +10,7 @@
 package appc
 
 import (
+	"context"
 	"net/netip"
 	"slices"
 	"strings"
@@ -20,14 +21,18 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
+	"tailscale.com/util/execqueue"
 )
 
 // RouteAdvertiser is an interface that allows the AppConnector to advertise
 // newly discovered routes that need to be served through the AppConnector.
 type RouteAdvertiser interface {
-	// AdvertiseRoute adds a new route advertisement if the route is not already
-	// being advertised.
-	AdvertiseRoute(netip.Prefix) error
+	// AdvertiseRoute adds one or more route advertisements skipping any that
+	// are already advertised.
+	AdvertiseRoute(...netip.Prefix) error
+
+	// UnadvertiseRoute removes any matching route advertisements.
+	UnadvertiseRoute(...netip.Prefix) error
 }
 
 // AppConnector is an implementation of an AppConnector that performs
@@ -45,12 +50,19 @@ type AppConnector struct {
 
 	// mu guards the fields that follow
 	mu sync.Mutex
+
 	// domains is a map of lower case domain names with no trailing dot, to a
 	// list of resolved IP addresses.
 	domains map[string][]netip.Addr
 
+	// controlRoutes is the list of routes that were last supplied by control.
+	controlRoutes []netip.Prefix
+
 	// wildcards is the list of domain strings that match subdomains.
 	wildcards []string
+
+	// queue provides ordering for update operations
+	queue execqueue.ExecQueue
 }
 
 // NewAppConnector creates a new AppConnector.
@@ -61,11 +73,33 @@ func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser) *AppConn
 	}
 }
 
-// UpdateDomains replaces the current set of configured domains with the
-// supplied set of domains. Domains must not contain a trailing dot, and should
-// be lower case. If the domain contains a leading '*' label it matches all
-// subdomains of a domain.
+// UpdateDomainsAndRoutes starts an asynchronous update of the configuration
+// given the new domains and routes.
+func (e *AppConnector) UpdateDomainsAndRoutes(domains []string, routes []netip.Prefix) {
+	e.queue.Add(func() {
+		// Add the new routes first.
+		e.updateRoutes(routes)
+		e.updateDomains(domains)
+	})
+}
+
+// UpdateDomains asynchronously replaces the current set of configured domains
+// with the supplied set of domains. Domains must not contain a trailing dot,
+// and should be lower case. If the domain contains a leading '*' label it
+// matches all subdomains of a domain.
 func (e *AppConnector) UpdateDomains(domains []string) {
+	e.queue.Add(func() {
+		e.updateDomains(domains)
+	})
+}
+
+// Wait waits for the currently scheduled asynchronous configuration changes to
+// complete.
+func (e *AppConnector) Wait(ctx context.Context) {
+	e.queue.Wait(ctx)
+}
+
+func (e *AppConnector) updateDomains(domains []string) {
 	e.mu.Lock()
 	defer e.mu.Unlock()
 
@@ -97,6 +131,46 @@ func (e *AppConnector) UpdateDomains(domains []string) {
 	e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
 }
 
+// updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
+// by control for UpdateRoutes are supplemental to the routes discovered by DNS resolution, but are
+// also more often whole ranges. UpdateRoutes will remove any single address routes that are now
+// covered by new ranges.
+func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	// If there was no change since the last update, no work to do.
+	if slices.Equal(e.controlRoutes, routes) {
+		return
+	}
+
+	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+		e.logf("failed to advertise routes: %v: %v", routes, err)
+		return
+	}
+
+	var toRemove []netip.Prefix
+
+nextRoute:
+	for _, r := range routes {
+		for _, addr := range e.domains {
+			for _, a := range addr {
+				if r.Contains(a) && netip.PrefixFrom(a, a.BitLen()) != r {
+					pfx := netip.PrefixFrom(a, a.BitLen())
+					toRemove = append(toRemove, pfx)
+					continue nextRoute
+				}
+			}
+		}
+	}
+
+	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
+	}
+
+	e.controlRoutes = routes
+}
+
 // Domains returns the currently configured domain list.
 func (e *AppConnector) Domains() views.Slice[string] {
 	e.mu.Lock()
@@ -132,6 +206,7 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		return
 	}
 
+nextAnswer:
 	for {
 		h, err := p.AnswerHeader()
 		if err == dnsmessage.ErrSectionDone {
@@ -206,6 +281,16 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		if slices.Contains(addrs, addr) {
 			continue
 		}
+		for _, route := range e.controlRoutes {
+			if route.Contains(addr) {
+				// record the new address associated with the domain for faster matching in subsequent
+				// requests and for diagnostic records.
+				e.mu.Lock()
+				e.domains[domain] = append(addrs, addr)
+				e.mu.Unlock()
+				continue nextAnswer
+			}
+		}
 		if err := e.routeAdvertiser.AdvertiseRoute(netip.PrefixFrom(addr, addr.BitLen())); err != nil {
 			e.logf("failed to advertise route for %s: %v: %v", domain, addr, err)
 			continue

appc/appconnector_test.go

@@ -4,6 +4,7 @@
 package appc
 
 import (
+	"context"
 	"net/netip"
 	"reflect"
 	"slices"
@@ -11,12 +12,17 @@ import (
 
 	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/appc/appctest"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 )
 
 func TestUpdateDomains(t *testing.T) {
+	ctx := context.Background()
 	a := NewAppConnector(t.Logf, nil)
 	a.UpdateDomains([]string{"example.com"})
+
+	a.Wait(ctx)
 	if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
@@ -24,6 +30,7 @@ func TestUpdateDomains(t *testing.T) {
 	addr := netip.MustParseAddr("192.0.0.8")
 	a.domains["example.com"] = append(a.domains["example.com"], addr)
 	a.UpdateDomains([]string{"example.com"})
+	a.Wait(ctx)
 
 	if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
@@ -31,15 +38,66 @@ func TestUpdateDomains(t *testing.T) {
 
 	// domains are explicitly downcased on set.
 	a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
+	a.Wait(ctx)
 	if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 }
 
-func TestDomainRoutes(t *testing.T) {
-	rc := &routeCollector{}
+func TestUpdateRoutes(t *testing.T) {
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
 	a := NewAppConnector(t.Logf, rc)
-	a.UpdateDomains([]string{"example.com"})
+	a.updateDomains([]string{"*.example.com"})
+
+	// This route should be collapsed into the range
+	a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
+	a.Wait(ctx)
+
+	if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
+		t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	}
+
+	// This route should not be collapsed or removed
+	a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
+	a.Wait(ctx)
+
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
+	a.updateRoutes(routes)
+
+	slices.SortFunc(rc.Routes(), prefixCompare)
+	rc.SetRoutes(slices.Compact(rc.Routes()))
+	slices.SortFunc(routes, prefixCompare)
+
+	// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
+	}
+
+	// Ensure that the contained /32 is removed, replaced by the /24.
+	wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
+	if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
+		t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
+	}
+}
+
+func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
+	rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
+	a.updateRoutes(routes)
+
+	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+		t.Fatalf("got %v, want %v", rc.Routes(), routes)
+	}
+}
+
+func TestDomainRoutes(t *testing.T) {
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	a.updateDomains([]string{"example.com"})
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
 
 	want := map[string][]netip.Addr{
@@ -52,51 +110,63 @@ func TestDomainRoutes(t *testing.T) {
 }
 
 func TestObserveDNSResponse(t *testing.T) {
-	rc := &routeCollector{}
+	rc := &appctest.RouteCollector{}
 	a := NewAppConnector(t.Logf, rc)
 
 	// a has no domains configured, so it should not advertise any routes
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-	if got, want := rc.routes, ([]netip.Prefix)(nil); !slices.Equal(got, want) {
+	if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 
 	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
 
-	a.UpdateDomains([]string{"example.com"})
+	a.updateDomains([]string{"example.com"})
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 
 	wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
 
 	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
+	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 
 	// don't re-advertise routes that have already been advertised
 	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-	if !slices.Equal(rc.routes, wantRoutes) {
-		t.Errorf("got %v; want %v", rc.routes, wantRoutes)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
+
+	// don't advertise addresses that are already in a control provided route
+	pfx := netip.MustParsePrefix("192.0.2.0/24")
+	a.updateRoutes([]netip.Prefix{pfx})
+	wantRoutes = append(wantRoutes, pfx)
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+	}
+	if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
+		t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
 	}
 }
 
 func TestWildcardDomains(t *testing.T) {
-	rc := &routeCollector{}
+	rc := &appctest.RouteCollector{}
 	a := NewAppConnector(t.Logf, rc)
 
-	a.UpdateDomains([]string{"*.example.com"})
+	a.updateDomains([]string{"*.example.com"})
 	a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
-	if got, want := rc.routes, []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
+	if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
 		t.Errorf("routes: got %v; want %v", got, want)
 	}
 	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
 		t.Errorf("wildcards: got %v; want %v", got, want)
 	}
 
-	a.UpdateDomains([]string{"*.example.com", "example.com"})
+	a.updateDomains([]string{"*.example.com", "example.com"})
 	if _, ok := a.domains["foo.example.com"]; !ok {
 		t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
 	}
@@ -105,7 +175,7 @@ func TestWildcardDomains(t *testing.T) {
 	}
 
 	// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
-	a.UpdateDomains([]string{"*.example.com", "example.com"})
+	a.updateDomains([]string{"*.example.com", "example.com"})
 	if len(a.wildcards) != 1 {
 		t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
 	}
@@ -148,15 +218,13 @@ func dnsResponse(domain, address string) []byte {
 	return must.Get(b.Finish())
 }
 
-// routeCollector is a test helper that collects the list of routes advertised
-type routeCollector struct {
-	routes []netip.Prefix
+func prefixEqual(a, b netip.Prefix) bool {
+	return a == b
 }
 
-// routeCollector implements RouteAdvertiser
-var _ RouteAdvertiser = (*routeCollector)(nil)
-
-func (rc *routeCollector) AdvertiseRoute(pfx netip.Prefix) error {
-	rc.routes = append(rc.routes, pfx)
-	return nil
+func prefixCompare(a, b netip.Prefix) int {
+	if a.Addr().Compare(b.Addr()) == 0 {
+		return a.Bits() - b.Bits()
+	}
+	return a.Addr().Compare(b.Addr())
 }

appc/appctest/appctest.go

@@ -0,0 +1,49 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package appctest
+
+import (
+	"net/netip"
+	"slices"
+)
+
+// RouteCollector is a test helper that collects the list of routes advertised
+type RouteCollector struct {
+	routes        []netip.Prefix
+	removedRoutes []netip.Prefix
+}
+
+func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
+	rc.routes = append(rc.routes, pfx...)
+	return nil
+}
+
+func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
+	routes := rc.routes
+	rc.routes = rc.routes[:0]
+	for _, r := range routes {
+		if !slices.Contains(toRemove, r) {
+			rc.routes = append(rc.routes, r)
+		} else {
+			rc.removedRoutes = append(rc.removedRoutes, r)
+		}
+	}
+	return nil
+}
+
+// RemovedRoutes returns the list of routes that were removed.
+func (rc *RouteCollector) RemovedRoutes() []netip.Prefix {
+	return rc.removedRoutes
+}
+
+// Routes returns the ordered list of routes that were added, including
+// possible duplicates.
+func (rc *RouteCollector) Routes() []netip.Prefix {
+	return rc.routes
+}
+
+func (rc *RouteCollector) SetRoutes(routes []netip.Prefix) error {
+	rc.routes = routes
+	return nil
+}

build_docker.sh

@@ -32,6 +32,7 @@ PUSH="${PUSH:-false}"
 TARGET="${TARGET:-${DEFAULT_TARGET}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
+PLATFORM="${PLATFORM:-}" # default to all platforms
 
 case "$TARGET" in
   client)
@@ -50,6 +51,7 @@ case "$TARGET" in
       --tags="${TAGS}" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
+      --target="${PLATFORM}" \
       /usr/local/bin/containerboot
     ;;
   operator)
@@ -65,6 +67,7 @@ case "$TARGET" in
       --tags="${TAGS}" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
+      --target="${PLATFORM}" \
       /usr/local/bin/operator
     ;;
   *)

client/web/auth.go

@@ -8,6 +8,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -232,3 +233,55 @@ func (s *Server) newSessionID() (string, error) {
 	}
 	return "", errors.New("too many collisions generating new session; please refresh page")
 }
+
+type peerCapabilities map[capFeature]bool // value is true if the peer can edit the given feature
+
+// canEdit is true if the peerCapabilities grant edit access
+// to the given feature.
+func (p peerCapabilities) canEdit(feature capFeature) bool {
+	if p == nil {
+		return false
+	}
+	if p[capFeatureAll] {
+		return true
+	}
+	return p[feature]
+}
+
+type capFeature string
+
+const (
+	// The following values should not be edited.
+	// New caps can be added, but existing ones should not be changed,
+	// as these exact values are used by users in tailnet policy files.
+
+	capFeatureAll      capFeature = "*"        // grants peer management of all features
+	capFeatureFunnel   capFeature = "funnel"   // grants peer serve/funnel management
+	capFeatureSSH      capFeature = "ssh"      // grants peer SSH server management
+	capFeatureSubnet   capFeature = "subnet"   // grants peer subnet routes management
+	capFeatureExitNode capFeature = "exitnode" // grants peer ability to advertise-as and use exit nodes
+	capFeatureAccount  capFeature = "account"  // grants peer ability to turn on auto updates and log out of node
+)
+
+type capRule struct {
+	CanEdit []string `json:"canEdit,omitempty"` // list of features peer is allowed to edit
+}
+
+// toPeerCapabilities parses out the web ui capabilities from the
+// given whois response.
+func toPeerCapabilities(whois *apitype.WhoIsResponse) (peerCapabilities, error) {
+	caps := peerCapabilities{}
+	if whois == nil {
+		return caps, nil
+	}
+	rules, err := tailcfg.UnmarshalCapJSON[capRule](whois.CapMap, tailcfg.PeerCapabilityWebUI)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal capability: %v", err)
+	}
+	for _, c := range rules {
+		for _, f := range c.CanEdit {
+			caps[capFeature(strings.ToLower(f))] = true
+		}
+	}
+	return caps, nil
+}

client/web/src/components/login-toggle.tsx

@@ -95,9 +95,16 @@ function LoginPopoverContent({
   const [canConnectOverTS, setCanConnectOverTS] = useState<boolean>(false)
   const [isRunningCheck, setIsRunningCheck] = useState<boolean>(false)
 
+  // Whether the current page is loaded over HTTPS.
+  // If it is, then the connectivity check to the management client
+  // will fail with a mixed-content error.
+  const isHTTPS = window.location.protocol === "https:"
+
   const checkTSConnection = useCallback(() => {
-    if (auth.viewerIdentity) {
-      setCanConnectOverTS(true) // already connected over ts
+    if (auth.viewerIdentity || isHTTPS) {
+      // Skip the connectivity check if we either already know we're connected over Tailscale,
+      // or know the connectivity check will fail because the current page is loaded over HTTPS.
+      setCanConnectOverTS(true)
       return
     }
     // Otherwise, test connection to the ts IP.
@@ -111,7 +118,7 @@ function LoginPopoverContent({
         setIsRunningCheck(false)
       })
       .catch(() => setIsRunningCheck(false))
-  }, [auth.viewerIdentity, isRunningCheck, node.IPv4])
+  }, [auth.viewerIdentity, isRunningCheck, node.IPv4, isHTTPS])
 
   /**
    * Checking connection for first time on page load.
@@ -193,6 +200,14 @@ function LoginPopoverContent({
                     You can see most of this device's details. To make changes,
                     you need to sign in.
                   </p>
+                  {isHTTPS && (
+                    // we don't know if the user can connect over TS, so
+                    // provide extra tips in case they have trouble.
+                    <p className="text-gray-500 text-xs font-semibold pt-2">
+                      Make sure you are connected to your tailnet, and that your
+                      policy file allows access.
+                    </p>
+                  )}
                   <SignInButton auth={auth} onClick={handleSignInClick} />
                 </>
               )}

client/web/web.go

@@ -450,10 +450,11 @@ type authResponse struct {
 // viewerIdentity is the Tailscale identity of the source node
 // connected to this web client.
 type viewerIdentity struct {
-	LoginName     string `json:"loginName"`
-	NodeName      string `json:"nodeName"`
-	NodeIP        string `json:"nodeIP"`
-	ProfilePicURL string `json:"profilePicUrl,omitempty"`
+	LoginName     string           `json:"loginName"`
+	NodeName      string           `json:"nodeName"`
+	NodeIP        string           `json:"nodeIP"`
+	ProfilePicURL string           `json:"profilePicUrl,omitempty"`
+	Capabilities  peerCapabilities `json:"capabilities"` // features peer is allowed to edit
 }
 
 // serverAPIAuth handles requests to the /api/auth endpoint
@@ -464,10 +465,16 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 	session, whois, status, sErr := s.getSession(r)
 
 	if whois != nil {
+		caps, err := toPeerCapabilities(whois)
+		if err != nil {
+			http.Error(w, sErr.Error(), http.StatusInternalServerError)
+			return
+		}
 		resp.ViewerIdentity = &viewerIdentity{
 			LoginName:     whois.UserProfile.LoginName,
 			NodeName:      whois.Node.Name,
 			ProfilePicURL: whois.UserProfile.ProfilePicURL,
+			Capabilities:  caps,
 		}
 		if addrs := whois.Node.Addresses; len(addrs) > 0 {
 			resp.ViewerIdentity.NodeIP = addrs[0].Addr().String()

client/web/web_test.go

@@ -450,6 +450,7 @@ func TestServeAuth(t *testing.T) {
 		NodeName:      remoteNode.Node.Name,
 		NodeIP:        remoteIP,
 		ProfilePicURL: user.ProfilePicURL,
+		Capabilities:  peerCapabilities{},
 	}
 
 	testControlURL := &defaultControlURL
@@ -1097,6 +1098,163 @@ func TestRequireTailscaleIP(t *testing.T) {
 	}
 }
 
+func TestPeerCapabilities(t *testing.T) {
+	// Testing web.toPeerCapabilities
+	toPeerCapsTests := []struct {
+		name     string
+		whois    *apitype.WhoIsResponse
+		wantCaps peerCapabilities
+	}{
+		{
+			name:     "empty-whois",
+			whois:    nil,
+			wantCaps: peerCapabilities{},
+		},
+		{
+			name: "no-webui-caps",
+			whois: &apitype.WhoIsResponse{
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityDebugPeer: []tailcfg.RawMessage{},
+				},
+			},
+			wantCaps: peerCapabilities{},
+		},
+		{
+			name: "one-webui-cap",
+			whois: &apitype.WhoIsResponse{
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{
+				capFeatureSSH:    true,
+				capFeatureSubnet: true,
+			},
+		},
+		{
+			name: "multiple-webui-cap",
+			whois: &apitype.WhoIsResponse{
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
+						"{\"canEdit\":[\"subnet\",\"exitnode\",\"*\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{
+				capFeatureSSH:      true,
+				capFeatureSubnet:   true,
+				capFeatureExitNode: true,
+				capFeatureAll:      true,
+			},
+		},
+		{
+			name: "case=insensitive-caps",
+			whois: &apitype.WhoIsResponse{
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canEdit\":[\"SSH\",\"sUBnet\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{
+				capFeatureSSH:    true,
+				capFeatureSubnet: true,
+			},
+		},
+		{
+			name: "random-canEdit-contents-dont-error",
+			whois: &apitype.WhoIsResponse{
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canEdit\":[\"unknown-feature\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{
+				"unknown-feature": true,
+			},
+		},
+		{
+			name: "no-canEdit-section",
+			whois: &apitype.WhoIsResponse{
+				CapMap: tailcfg.PeerCapMap{
+					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
+						"{\"canDoSomething\":[\"*\"]}",
+					},
+				},
+			},
+			wantCaps: peerCapabilities{},
+		},
+	}
+	for _, tt := range toPeerCapsTests {
+		t.Run("toPeerCapabilities-"+tt.name, func(t *testing.T) {
+			got, err := toPeerCapabilities(tt.whois)
+			if err != nil {
+				t.Fatalf("unexpected: %v", err)
+			}
+			if diff := cmp.Diff(got, tt.wantCaps); diff != "" {
+				t.Errorf("wrong caps; (-got+want):%v", diff)
+			}
+		})
+	}
+
+	// Testing web.peerCapabilities.canEdit
+	canEditTests := []struct {
+		name        string
+		caps        peerCapabilities
+		wantCanEdit map[capFeature]bool
+	}{
+		{
+			name: "empty-caps",
+			caps: nil,
+			wantCanEdit: map[capFeature]bool{
+				capFeatureAll:      false,
+				capFeatureFunnel:   false,
+				capFeatureSSH:      false,
+				capFeatureSubnet:   false,
+				capFeatureExitNode: false,
+				capFeatureAccount:  false,
+			},
+		},
+		{
+			name: "some-caps",
+			caps: peerCapabilities{capFeatureSSH: true, capFeatureAccount: true},
+			wantCanEdit: map[capFeature]bool{
+				capFeatureAll:      false,
+				capFeatureFunnel:   false,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   false,
+				capFeatureExitNode: false,
+				capFeatureAccount:  true,
+			},
+		},
+		{
+			name: "wildcard-in-caps",
+			caps: peerCapabilities{capFeatureAll: true, capFeatureAccount: true},
+			wantCanEdit: map[capFeature]bool{
+				capFeatureAll:      true,
+				capFeatureFunnel:   true,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   true,
+				capFeatureExitNode: true,
+				capFeatureAccount:  true,
+			},
+		},
+	}
+	for _, tt := range canEditTests {
+		t.Run("canEdit-"+tt.name, func(t *testing.T) {
+			for f, want := range tt.wantCanEdit {
+				if got := tt.caps.canEdit(f); got != want {
+					t.Errorf("wrong canEdit(%s); got=%v, want=%v", f, got, want)
+				}
+			}
+		})
+	}
+}
+
 var (
 	defaultControlURL   = "https://controlplane.tailscale.com"
 	testAuthPath        = "/a/12345"

cmd/derper/depaware.txt

@@ -142,6 +142,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
         tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
+        tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
         tailscale.com/util/httpm                                     from tailscale.com/client/tailscale

cmd/k8s-operator/deploy/chart/templates/deployment.yaml

@@ -59,8 +59,6 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            - name: ENABLE_CONNECTOR
-              value: "{{ .Values.enableConnector }}"
             - name: CLIENT_ID_FILE
               value: /oauth/client_id
             - name: CLIENT_SECRET_FILE

cmd/k8s-operator/deploy/chart/templates/ingressclass.yaml

@@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: tailscale # class name currently can not be changed
+  annotations: {} # we do not support default IngressClass annotation https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
+spec:
+  controller: tailscale.com/ts-ingress # controller name currently can not be changed
+  # parameters: {} # currently no parameters are supported

cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml

@@ -18,6 +18,9 @@ rules:
 - apiGroups: ["networking.k8s.io"]
   resources: ["ingresses", "ingresses/status"]
   verbs: ["*"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingressclasses"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["tailscale.com"]
   resources: ["connectors", "connectors/status"]
   verbs: ["get", "list", "watch", "update"]

cmd/k8s-operator/deploy/chart/values.yaml

@@ -8,11 +8,11 @@ oauth: {}
   # clientId: ""
   # clientSecret: ""
 
-# enableConnector determines whether the operator should reconcile
-# connector.tailscale.com custom resources. If set to true you have to install
-# connector CRD in a separate step.
-# You can do so by running 'kubectl apply -f ./cmd/k8s-operator/deploy/crds'.
-enableConnector: "false"
+# installCRDs determines whether tailscale.com CRDs should be installed as part
+# of chart installation. We do not use Helm's CRD installation mechanism as that
+# does not allow for upgrading CRDs.
+# https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
+installCRDs: "true"
 
 operatorConfig:
   image:

cmd/k8s-operator/deploy/manifests/operator.yaml

@@ -27,6 +27,132 @@ metadata:
     name: proxies
     namespace: tailscale
 ---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+    annotations:
+        controller-gen.kubebuilder.io/version: v0.13.0
+    name: connectors.tailscale.com
+spec:
+    group: tailscale.com
+    names:
+        kind: Connector
+        listKind: ConnectorList
+        plural: connectors
+        shortNames:
+            - cn
+        singular: connector
+    scope: Cluster
+    versions:
+        - additionalPrinterColumns:
+            - description: CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance.
+              jsonPath: .status.subnetRoutes
+              name: SubnetRoutes
+              type: string
+            - description: Whether this Connector instance defines an exit node.
+              jsonPath: .status.isExitNode
+              name: IsExitNode
+              type: string
+            - description: Status of the deployed Connector resources.
+              jsonPath: .status.conditions[?(@.type == "ConnectorReady")].reason
+              name: Status
+              type: string
+          name: v1alpha1
+          schema:
+            openAPIV3Schema:
+                properties:
+                    apiVersion:
+                        description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                    kind:
+                        description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                    metadata:
+                        type: object
+                    spec:
+                        description: ConnectorSpec describes the desired Tailscale component.
+                        properties:
+                            exitNode:
+                                description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
+                                type: boolean
+                            hostname:
+                                description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
+                                pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
+                                type: string
+                            subnetRouter:
+                                description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
+                                properties:
+                                    advertiseRoutes:
+                                        description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
+                                        items:
+                                            format: cidr
+                                            type: string
+                                        minItems: 1
+                                        type: array
+                                required:
+                                    - advertiseRoutes
+                                type: object
+                            tags:
+                                description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+                                items:
+                                    pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
+                                    type: string
+                                type: array
+                        type: object
+                        x-kubernetes-validations:
+                            - message: A Connector needs to be either an exit node or a subnet router, or both.
+                              rule: has(self.subnetRouter) || self.exitNode == true
+                    status:
+                        description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
+                        properties:
+                            conditions:
+                                description: List of status conditions to indicate the status of the Connector. Known condition types are `ConnectorReady`.
+                                items:
+                                    description: ConnectorCondition contains condition information for a Connector.
+                                    properties:
+                                        lastTransitionTime:
+                                            description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+                                            format: date-time
+                                            type: string
+                                        message:
+                                            description: Message is a human readable description of the details of the last transition, complementing reason.
+                                            type: string
+                                        observedGeneration:
+                                            description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
+                                            format: int64
+                                            type: integer
+                                        reason:
+                                            description: Reason is a brief machine readable explanation for the condition's last transition.
+                                            type: string
+                                        status:
+                                            description: Status of the condition, one of ('True', 'False', 'Unknown').
+                                            type: string
+                                        type:
+                                            description: Type of the condition, known values are (`SubnetRouterReady`).
+                                            type: string
+                                    required:
+                                        - status
+                                        - type
+                                    type: object
+                                type: array
+                                x-kubernetes-list-map-keys:
+                                    - type
+                                x-kubernetes-list-type: map
+                            isExitNode:
+                                description: IsExitNode is set to true if the Connector acts as an exit node.
+                                type: boolean
+                            subnetRoutes:
+                                description: SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
+                                type: string
+                        type: object
+                required:
+                    - spec
+                type: object
+          served: true
+          storage: true
+          subresources:
+            status: {}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -47,6 +173,14 @@ rules:
         - ingresses/status
       verbs:
         - '*'
+    - apiGroups:
+        - networking.k8s.io
+      resources:
+        - ingressclasses
+      verbs:
+        - get
+        - list
+        - watch
     - apiGroups:
         - tailscale.com
       resources:
@@ -160,8 +294,6 @@ spec:
                       valueFrom:
                         fieldRef:
                             fieldPath: metadata.namespace
-                    - name: ENABLE_CONNECTOR
-                      value: "false"
                     - name: CLIENT_ID_FILE
                       value: /oauth/client_id
                     - name: CLIENT_SECRET_FILE
@@ -188,3 +320,11 @@ spec:
                 - name: oauth
                   secret:
                     secretName: operator-oauth
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+    annotations: {}
+    name: tailscale
+spec:
+    controller: tailscale.com/ts-ingress

cmd/k8s-operator/generate/main.go

@@ -18,15 +18,49 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
+const (
+	operatorDeploymentFilesPath = "cmd/k8s-operator/deploy"
+	crdPath                     = operatorDeploymentFilesPath + "/crds/tailscale.com_connectors.yaml"
+	helmTemplatesPath           = operatorDeploymentFilesPath + "/chart/templates"
+	crdTemplatePath             = helmTemplatesPath + "/connectors.yaml"
+
+	helmConditionalStart = "{{ if .Values.installCRDs -}}\n"
+	helmConditionalEnd   = "{{- end -}}"
+)
+
 func main() {
+	if len(os.Args) < 2 {
+		log.Fatalf("usage ./generate [staticmanifests|helmcrd]")
+	}
 	repoRoot := "../../"
-	cmd := exec.Command("./tool/helm", "template", "operator", "./cmd/k8s-operator/deploy/chart",
+	switch os.Args[1] {
+	case "helmcrd": // insert CRD to Helm templates behind a installCRDs=true conditional check
+		log.Print("Adding Connector CRD to Helm templates")
+		if err := generate("./"); err != nil {
+			log.Fatalf("error adding Connector CRD to Helm templates: %v", err)
+		}
+		return
+	case "staticmanifests": // generate static manifests from Helm templates (including the CRD)
+	default:
+		log.Fatalf("unknown option %s, known options are 'staticmanifests', 'helmcrd'", os.Args[1])
+	}
+	log.Printf("Inserting CRD into the Helm templates")
+	if err := generate(repoRoot); err != nil {
+		log.Fatalf("error adding Connector CRD to Helm templates: %v", err)
+	}
+	defer func() {
+		if err := cleanup(repoRoot); err != nil {
+			log.Fatalf("error cleaning up generated resources")
+		}
+	}()
+	log.Print("Templating Helm chart contents")
+	helmTmplCmd := exec.Command("./tool/helm", "template", "operator", "./cmd/k8s-operator/deploy/chart",
 		"--namespace=tailscale")
-	cmd.Dir = repoRoot
+	helmTmplCmd.Dir = repoRoot
 	var out bytes.Buffer
-	cmd.Stdout = &out
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
+	helmTmplCmd.Stdout = &out
+	helmTmplCmd.Stderr = os.Stderr
+	if err := helmTmplCmd.Run(); err != nil {
 		log.Fatalf("error templating helm manifests: %v", err)
 	}
 
@@ -54,7 +88,6 @@ func main() {
 		if err != nil {
 			log.Fatalf("failed read from input data: %v", err)
 		}
-
 		bytes, err := yaml.Marshal(document)
 		if err != nil {
 			log.Fatalf("failed to marshal YAML document: %v", err)
@@ -72,3 +105,35 @@ func main() {
 		log.Fatalf("error writing new file: %v", err)
 	}
 }
+
+func generate(baseDir string) error {
+	log.Print("Placing Connector CRD into Helm templates..")
+	chartBytes, err := os.ReadFile(filepath.Join(baseDir, crdPath))
+	if err != nil {
+		return fmt.Errorf("error reading CRD contents: %w", err)
+	}
+	// Place a new temporary Helm template file with the templated CRD
+	// contents into Helm templates.
+	file, err := os.Create(filepath.Join(baseDir, crdTemplatePath))
+	if err != nil {
+		return fmt.Errorf("error creating CRD template file: %w", err)
+	}
+	if _, err := file.Write([]byte(helmConditionalStart)); err != nil {
+		return fmt.Errorf("error writing helm if statement start: %w", err)
+	}
+	if _, err := file.Write(chartBytes); err != nil {
+		return fmt.Errorf("error writing chart bytes: %w", err)
+	}
+	if _, err := file.Write([]byte(helmConditionalEnd)); err != nil {
+		return fmt.Errorf("error writing helm if-statement end: %w", err)
+	}
+	return nil
+}
+
+func cleanup(baseDir string) error {
+	log.Print("Cleaning up CRD from Helm templates")
+	if err := os.Remove(filepath.Join(baseDir, crdTemplatePath)); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("error cleaning up CRD template: %w", err)
+	}
+	return nil
+}

cmd/k8s-operator/generate/main_test.go

@@ -0,0 +1,68 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !plan9 && !windows
+
+package main
+
+import (
+	"bytes"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func Test_generate(t *testing.T) {
+	base, err := os.Getwd()
+	base = filepath.Join(base, "../../../")
+	if err != nil {
+		t.Fatalf("error getting current working directory: %v", err)
+	}
+	defer cleanup(base)
+	if err := generate(base); err != nil {
+		t.Fatalf("CRD template generation: %v", err)
+	}
+
+	tempDir := t.TempDir()
+	helmCLIPath := filepath.Join(base, "tool/helm")
+	helmChartTemplatesPath := filepath.Join(base, "cmd/k8s-operator/deploy/chart")
+	helmPackageCmd := exec.Command(helmCLIPath, "package", helmChartTemplatesPath, "--destination", tempDir, "--version", "0.0.1")
+	helmPackageCmd.Stderr = os.Stderr
+	helmPackageCmd.Stdout = os.Stdout
+	if err := helmPackageCmd.Run(); err != nil {
+		t.Fatalf("error packaging Helm chart: %v", err)
+	}
+	helmPackagePath := filepath.Join(tempDir, "tailscale-operator-0.0.1.tgz")
+	helmLintCmd := exec.Command(helmCLIPath, "lint", helmPackagePath)
+	helmLintCmd.Stderr = os.Stderr
+	helmLintCmd.Stdout = os.Stdout
+	if err := helmLintCmd.Run(); err != nil {
+		t.Fatalf("Helm chart linter failed: %v", err)
+	}
+
+	// Test that default Helm install contains the CRD
+	installContentsWithCRD := bytes.NewBuffer([]byte{})
+	helmTemplateWithCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath)
+	helmTemplateWithCRDCmd.Stderr = os.Stderr
+	helmTemplateWithCRDCmd.Stdout = installContentsWithCRD
+	if err := helmTemplateWithCRDCmd.Run(); err != nil {
+		t.Fatalf("templating Helm chart with CRDs failed: %v", err)
+	}
+	if !strings.Contains(installContentsWithCRD.String(), "name: connectors.tailscale.com") {
+		t.Errorf("CRD not found in default chart install")
+	}
+
+	// Test that CRD can be excluded from Helm chart install
+	installContentsWithoutCRD := bytes.NewBuffer([]byte{})
+	helmTemplateWithoutCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath, "--set", "installCRDs=false")
+	helmTemplateWithoutCRDCmd.Stderr = os.Stderr
+	helmTemplateWithoutCRDCmd.Stdout = installContentsWithoutCRD
+	if err := helmTemplateWithoutCRDCmd.Run(); err != nil {
+		t.Fatalf("templating Helm chart without CRDs failed: %v", err)
+	}
+	if strings.Contains(installContentsWithoutCRD.String(), "name: connectors.tailscale.com") {
+		t.Errorf("CRD found in chart install that should not contain a CRD")
+	}
+}

cmd/k8s-operator/ingress.go

@@ -12,10 +12,12 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -26,6 +28,12 @@ import (
 	"tailscale.com/util/set"
 )
 
+const (
+	tailscaleIngressClassName      = "tailscale"                                   // ingressClass.metadata.name for tailscale IngressClass resource
+	tailscaleIngressControllerName = "tailscale.com/ts-ingress"                    // ingressClass.spec.controllerName for tailscale IngressClass resource
+	ingressClassDefaultAnnotation  = "ingressclass.kubernetes.io/is-default-class" // we do not support this https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
+)
+
 type IngressReconciler struct {
 	client.Client
 
@@ -109,6 +117,10 @@ func (a *IngressReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 // This function adds a finalizer to ing, ensuring that we can handle orderly
 // deprovisioning later.
 func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, ing *networkingv1.Ingress) error {
+	if err := a.validateIngressClass(ctx); err != nil {
+		logger.Warnf("error validating tailscale IngressClass: %v. In future this might be a terminal error.", err)
+
+	}
 	if !slices.Contains(ing.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
@@ -205,6 +217,15 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 			continue
 		}
 		for _, p := range rule.HTTP.Paths {
+			// Send a warning if folks use Exact path type - to make
+			// it easier for us to support Exact path type matching
+			// in the future if needed.
+			// https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
+			if *p.PathType == networkingv1.PathTypeExact {
+				msg := "Exact path type strict matching is currently not supported and requests will be routed as for Prefix path type. This behaviour might change in the future."
+				logger.Warnf(fmt.Sprintf("Unsupported Path type exact for path %s. %s", p.Path, msg))
+				a.recorder.Eventf(ing, corev1.EventTypeWarning, "UnsupportedPathTypeExact", msg)
+			}
 			addIngressBackend(&p.Backend, p.Path)
 		}
 	}
@@ -267,5 +288,28 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 func (a *IngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	return ing != nil &&
 		ing.Spec.IngressClassName != nil &&
-		*ing.Spec.IngressClassName == "tailscale"
+		*ing.Spec.IngressClassName == tailscaleIngressClassName
+}
+
+// validateIngressClass attempts to validate that 'tailscale' IngressClass
+// included in Tailscale installation manifests exists and has not been modified
+// to attempt to enable features that we do not support.
+func (a *IngressReconciler) validateIngressClass(ctx context.Context) error {
+	ic := &networkingv1.IngressClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: tailscaleIngressClassName,
+		},
+	}
+	if err := a.Get(ctx, client.ObjectKeyFromObject(ic), ic); apierrors.IsNotFound(err) {
+		return errors.New("Tailscale IngressClass not found in cluster. Latest installation manifests include a tailscale IngressClass - please update")
+	} else if err != nil {
+		return fmt.Errorf("error retrieving 'tailscale' IngressClass: %w", err)
+	}
+	if ic.Spec.Controller != tailscaleIngressControllerName {
+		return fmt.Errorf("Tailscale Ingress class controller name %s does not match tailscale Ingress controller name %s. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ic.Spec.Controller, tailscaleIngressControllerName)
+	}
+	if ic.GetAnnotations()[ingressClassDefaultAnnotation] != "" {
+		return fmt.Errorf("%s annotation is set on 'tailscale' IngressClass, but Tailscale Ingress controller does not support default Ingress class. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ingressClassDefaultAnnotation)
+	}
+	return nil
 }

cmd/k8s-operator/operator.go

@@ -45,7 +45,7 @@ import (
 )
 
 // Generate static manifests for deploying Tailscale operator on Kubernetes from the operator's Helm chart.
-//go:generate go run tailscale.com/cmd/k8s-operator/generate
+//go:generate go run tailscale.com/cmd/k8s-operator/generate staticmanifests
 
 // Generate Connector CustomResourceDefinition yaml from its Go types.
 //go:generate go run sigs.k8s.io/controller-tools/cmd/controller-gen crd schemapatch:manifests=./deploy/crds output:dir=./deploy/crds paths=../../k8s-operator/apis/...
@@ -62,7 +62,6 @@ func main() {
 		priorityClassName = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags              = defaultEnv("PROXY_TAGS", "tag:k8s")
 		tsFirewallMode    = defaultEnv("PROXY_FIREWALL_MODE", "")
-		tsEnableConnector = defaultBool("ENABLE_CONNECTOR", false)
 	)
 
 	var opts []kzap.Opts
@@ -93,7 +92,7 @@ func main() {
 	maybeLaunchAPIServerProxy(zlog, restConfig, s, mode)
 	// TODO (irbekrm): gather the reconciler options into an opts struct
 	// rather than passing a million of them in one by one.
-	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode, tsEnableConnector)
+	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode)
 }
 
 // initTSNet initializes the tsnet.Server and logs in to Tailscale. It uses the
@@ -201,7 +200,7 @@ waitOnline:
 
 // runReconcilers starts the controller-runtime manager and registers the
 // ServiceReconciler. It blocks forever.
-func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags, tsFirewallMode string, enableConnector bool) {
+func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags, tsFirewallMode string) {
 	var (
 		isDefaultLoadBalancer = defaultBool("OPERATOR_DEFAULT_LOAD_BALANCER", false)
 	)
@@ -216,15 +215,16 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		Field: client.InNamespace(tsNamespace).AsSelector(),
 	}
 	mgrOpts := manager.Options{
+		// TODO (irbekrm): stricter filtering what we watch/cache/call
+		// reconcilers on. c/r by default starts a watch on any
+		// resources that we GET via the controller manager's client.
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
 		},
-	}
-	if enableConnector {
-		mgrOpts.Scheme = tsapi.GlobalScheme
+		Scheme: tsapi.GlobalScheme,
 	}
 	mgr, err := manager.New(restConfig, mgrOpts)
 	if err != nil {
@@ -278,22 +278,20 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		startlog.Fatalf("could not create controller: %v", err)
 	}
 
-	if enableConnector {
-		connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("subnetrouter"))
-		err = builder.ControllerManagedBy(mgr).
-			For(&tsapi.Connector{}).
-			Watches(&appsv1.StatefulSet{}, connectorFilter).
-			Watches(&corev1.Secret{}, connectorFilter).
-			Complete(&ConnectorReconciler{
-				ssr:      ssr,
-				recorder: eventRecorder,
-				Client:   mgr.GetClient(),
-				logger:   zlog.Named("connector-reconciler"),
-				clock:    tstime.DefaultClock{},
-			})
-		if err != nil {
-			startlog.Fatal("could not create connector reconciler: %v", err)
-		}
+	connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("connector"))
+	err = builder.ControllerManagedBy(mgr).
+		For(&tsapi.Connector{}).
+		Watches(&appsv1.StatefulSet{}, connectorFilter).
+		Watches(&corev1.Secret{}, connectorFilter).
+		Complete(&ConnectorReconciler{
+			ssr:      ssr,
+			recorder: eventRecorder,
+			Client:   mgr.GetClient(),
+			logger:   zlog.Named("connector-reconciler"),
+			clock:    tstime.DefaultClock{},
+		})
+	if err != nil {
+		startlog.Fatal("could not create connector reconciler: %v", err)
 	}
 	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {

cmd/k8s-operator/proxy.go

@@ -6,7 +6,6 @@
 package main
 
 import (
-	"context"
 	"crypto/tls"
 	"fmt"
 	"log"
@@ -24,22 +23,11 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/ctxkey"
 	"tailscale.com/util/set"
 )
 
-type whoIsKey struct{}
-
-// whoIsFromRequest returns the WhoIsResponse previously stashed by a call to
-// addWhoIsToRequest.
-func whoIsFromRequest(r *http.Request) *apitype.WhoIsResponse {
-	return r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
-}
-
-// addWhoIsToRequest stashes who in r's context, retrievable by a call to
-// whoIsFromRequest.
-func addWhoIsToRequest(r *http.Request, who *apitype.WhoIsResponse) *http.Request {
-	return r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
-}
+var whoIsKey = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
 
 var counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
 
@@ -127,7 +115,7 @@ func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	counterNumRequestsProxied.Add(1)
-	h.rp.ServeHTTP(w, addWhoIsToRequest(r, who))
+	h.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
 }
 
 // runAPIServerProxy runs an HTTP server that authenticates requests using the
@@ -240,7 +228,7 @@ type impersonateRule struct {
 // in the context by the apiserverProxy.
 func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
 	log = log.With("remote", r.RemoteAddr)
-	who := whoIsFromRequest(r)
+	who := whoIsKey.Value(r.Context())
 	rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName)
 	if len(rules) == 0 && err == nil {
 		// Try the old capability name for backwards compatibility.

cmd/k8s-operator/proxy_test.go

@@ -95,7 +95,7 @@ func TestImpersonationHeaders(t *testing.T) {
 
 	for _, tc := range tests {
 		r := must.Get(http.NewRequest("GET", "https://op.ts.net/api/foo", nil))
-		r = addWhoIsToRequest(r, &apitype.WhoIsResponse{
+		r = r.WithContext(whoIsKey.WithValue(r.Context(), &apitype.WhoIsResponse{
 			Node: &tailcfg.Node{
 				Name: "node.ts.net",
 				Tags: tc.tags,
@@ -104,7 +104,7 @@ func TestImpersonationHeaders(t *testing.T) {
 				LoginName: tc.emailish,
 			},
 			CapMap: tc.capMap,
-		})
+		}))
 		addImpersonationHeaders(r, zl.Sugar())
 
 		if d := cmp.Diff(tc.wantHeaders, r.Header); d != "" {

cmd/k8s-operator/sts.go

@@ -214,18 +214,17 @@ const maxStatefulSetNameLength = 63 - 10 - 1
 // generation will NOT result in a StatefulSet name longer than 52 chars.
 // This is done because of https://github.com/kubernetes/kubernetes/issues/64023.
 func statefulSetNameBase(parent string) string {
-
 	base := fmt.Sprintf("ts-%s-", parent)
-
-	// Calculate what length name GenerateName returns for this base.
 	generator := names.SimpleNameGenerator
-	generatedName := generator.GenerateName(base)
-
-	if excess := len(generatedName) - maxStatefulSetNameLength; excess > 0 {
-		base = base[:len(base)-excess-1] // take extra char off to make space for hyphen
-		base = base + "-"                // re-instate hyphen
+	for {
+		generatedName := generator.GenerateName(base)
+		excess := len(generatedName) - maxStatefulSetNameLength
+		if excess <= 0 {
+			return base
+		}
+		base = base[:len(base)-1-excess] // cut off the excess chars
+		base = base + "-"                // re-instate the dash
 	}
-	return base
 }
 
 func (a *tailscaleSTSReconciler) reconcileHeadlessService(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
@@ -412,6 +411,9 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 		},
 	}
 	mak.Set(&ss.Spec.Template.Labels, "app", sts.ParentResourceUID)
+	for key, val := range sts.ChildResourceLabels {
+		ss.Spec.Template.Labels[key] = val // sync StatefulSet labels to Pod to make it easier for users to select the Pod
+	}
 
 	// Generic containerboot configuration options.
 	container.Env = append(container.Env,

cmd/k8s-operator/sts_test.go

@@ -6,6 +6,9 @@
 package main
 
 import (
+	"fmt"
+	"regexp"
+	"strings"
 	"testing"
 )
 
@@ -19,32 +22,20 @@ import (
 // https://github.com/kubernetes/kubernetes/blob/v1.28.4/staging/src/k8s.io/apiserver/pkg/storage/names/generate.go#L45.
 // https://github.com/kubernetes/kubernetes/pull/116430
 func Test_statefulSetNameBase(t *testing.T) {
-	tests := []struct {
-		name string
-		in   string
-		out  string
-	}{
-		{
-			name: "43 chars",
-			in:   "oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xb",
-			out:  "ts-oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xb-",
-		},
-		{
-			name: "44 chars",
-			in:   "oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xbo",
-			out:  "ts-oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xb-",
-		},
-		{
-			name: "42 chars",
-			in:   "oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9x",
-			out:  "ts-oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9x-",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := statefulSetNameBase(tt.in); got != tt.out {
-				t.Errorf("stsNamePrefix(%s) = %q, want %s", tt.in, got, tt.out)
-			}
-		})
+	// Service name lengths can be 1 - 63 chars, be paranoid and test them all.
+	var b strings.Builder
+	for b.Len() < 63 {
+		if _, err := b.WriteString("a"); err != nil {
+			t.Fatalf("error writing to string builder: %v", err)
+		}
+		baseLength := b.Len()
+		if baseLength > 43 {
+			baseLength = 43 // currently 43 is the max base length
+		}
+		wantsNameR := regexp.MustCompile(`^ts-a{` + fmt.Sprint(baseLength) + `}-$`) // to match a string like ts-aaaa-
+		gotName := statefulSetNameBase(b.String())
+		if !wantsNameR.MatchString(gotName) {
+			t.Fatalf("expected string %s to match regex %s ", gotName, wantsNameR.String()) // fatal rather than error as this test is called 63 times
+		}
 	}
 }

cmd/k8s-operator/testutils_test.go

@@ -147,7 +147,13 @@ func expectedSTS(opts configOpts) *appsv1.StatefulSet {
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations:                annots,
 					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels:                     map[string]string{"app": "1234-UID"},
+					Labels: map[string]string{
+						"tailscale.com/managed":              "true",
+						"tailscale.com/parent-resource":      "test",
+						"tailscale.com/parent-resource-ns":   opts.namespace,
+						"tailscale.com/parent-resource-type": opts.parentType,
+						"app":                                "1234-UID",
+					},
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",

cmd/stund/depaware.txt

@@ -66,6 +66,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         tailscale.com/types/tkatype                                  from tailscale.com/tailcfg+
         tailscale.com/types/views                                    from tailscale.com/net/tsaddr+
         tailscale.com/util/cmpx                                      from tailscale.com/tailcfg+
+        tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/tailcfg
         tailscale.com/util/lineread                                  from tailscale.com/version/distro

cmd/tailscale/cli/exitnode.go

@@ -23,6 +23,8 @@ import (
 var exitNodeCmd = &ffcli.Command{
 	Name:       "exit-node",
 	ShortUsage: "exit-node [flags]",
+	ShortHelp:  "Show machines on your tailnet configured as exit nodes",
+	LongHelp:   "Show machines on your tailnet configured as exit nodes",
 	Subcommands: []*ffcli.Command{
 		{
 			Name:       "list",

cmd/tailscale/depaware.txt

@@ -143,6 +143,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
         tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy+
         tailscale.com/util/cmpx                                      from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/util/ctxkey                                    from tailscale.com/types/logger
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
         tailscale.com/util/groupmember                               from tailscale.com/client/web
@@ -267,7 +268,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         image/png                                                    from github.com/skip2/go-qrcode
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from golang.org/x/sys/cpu+
+        io/ioutil                                                    from github.com/godbus/dbus/v5+
         log                                                          from expvar+
         log/internal                                                 from log
         maps                                                         from tailscale.com/types/views+

cmd/tailscaled/depaware.txt

@@ -141,8 +141,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
    W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
         github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
-  LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
-  LD 💣 github.com/tailscale/golang-x-crypto/internal/alias          from github.com/tailscale/golang-x-crypto/chacha20
+  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
   LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
   LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
         github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
@@ -345,9 +344,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
         tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
         tailscale.com/util/cmpx                                      from tailscale.com/derp/derphttp+
+        tailscale.com/util/ctxkey                                    from tailscale.com/ipn/ipnlocal+
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
+        tailscale.com/util/execqueue                                 from tailscale.com/control/controlclient+
         tailscale.com/util/goroutines                                from tailscale.com/ipn/ipnlocal
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnauth+
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
@@ -403,11 +404,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
-  LD    golang.org/x/crypto/ed25519                                  from github.com/tailscale/golang-x-crypto/ssh
         golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from github.com/tailscale/golang-x-crypto/ssh+
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
         golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+

control/controlclient/auto.go

@@ -22,6 +22,7 @@ import (
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/structs"
+	"tailscale.com/util/execqueue"
 )
 
 type LoginGoal struct {
@@ -118,7 +119,7 @@ type Auto struct {
 	closed        bool
 	updateCh      chan struct{} // readable when we should inform the server of a change
 	observer      Observer      // called to update Client status; always non-nil
-	observerQueue execQueue
+	observerQueue execqueue.ExecQueue
 
 	unregisterHealthWatch func()
 
@@ -675,7 +676,7 @@ func (c *Auto) Shutdown() {
 	direct := c.direct
 	if !closed {
 		c.closed = true
-		c.observerQueue.shutdown()
+		c.observerQueue.Shutdown()
 		c.cancelAuthCtxLocked()
 		c.cancelMapCtxLocked()
 		for _, w := range c.unpauseWaiters {
@@ -696,7 +697,7 @@ func (c *Auto) Shutdown() {
 		}
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
-		c.observerQueue.wait(ctx)
+		c.observerQueue.Wait(ctx)
 		c.logf("Client.Shutdown done.")
 	}
 }
@@ -737,95 +738,3 @@ func (c *Auto) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 func (c *Auto) GetSingleUseNoiseRoundTripper(ctx context.Context) (http.RoundTripper, *tailcfg.EarlyNoise, error) {
 	return c.direct.GetSingleUseNoiseRoundTripper(ctx)
 }
-
-type execQueue struct {
-	mu         sync.Mutex
-	closed     bool
-	inFlight   bool          // whether a goroutine is running q.run
-	doneWaiter chan struct{} // non-nil if waiter is waiting, then closed
-	queue      []func()
-}
-
-func (q *execQueue) Add(f func()) {
-	q.mu.Lock()
-	defer q.mu.Unlock()
-	if q.closed {
-		return
-	}
-	if q.inFlight {
-		q.queue = append(q.queue, f)
-	} else {
-		q.inFlight = true
-		go q.run(f)
-	}
-}
-
-// RunSync waits for the queue to be drained and then synchronously runs f.
-// It returns an error if the queue is closed before f is run or ctx expires.
-func (q *execQueue) RunSync(ctx context.Context, f func()) error {
-	for {
-		if err := q.wait(ctx); err != nil {
-			return err
-		}
-		q.mu.Lock()
-		if q.inFlight {
-			q.mu.Unlock()
-			continue
-		}
-		defer q.mu.Unlock()
-		if q.closed {
-			return errors.New("closed")
-		}
-		f()
-		return nil
-	}
-}
-
-func (q *execQueue) run(f func()) {
-	f()
-
-	q.mu.Lock()
-	for len(q.queue) > 0 && !q.closed {
-		f := q.queue[0]
-		q.queue[0] = nil
-		q.queue = q.queue[1:]
-		q.mu.Unlock()
-		f()
-		q.mu.Lock()
-	}
-	q.inFlight = false
-	q.queue = nil
-	if q.doneWaiter != nil {
-		close(q.doneWaiter)
-		q.doneWaiter = nil
-	}
-	q.mu.Unlock()
-}
-
-func (q *execQueue) shutdown() {
-	q.mu.Lock()
-	defer q.mu.Unlock()
-	q.closed = true
-}
-
-// wait waits for the queue to be empty.
-func (q *execQueue) wait(ctx context.Context) error {
-	q.mu.Lock()
-	waitCh := q.doneWaiter
-	if q.inFlight && waitCh == nil {
-		waitCh = make(chan struct{})
-		q.doneWaiter = waitCh
-	}
-	q.mu.Unlock()
-
-	if waitCh == nil {
-		return nil
-	}
-
-	select {
-	case <-waitCh:
-		return nil
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}

derp/derp_client.go

@@ -159,16 +159,16 @@ func (c *Client) parseServerInfo(b []byte) (*serverInfo, error) {
 }
 
 type clientInfo struct {
-	// Version is the DERP protocol version that the client was built with.
-	// See the ProtocolVersion const.
-	Version int `json:"version,omitempty"`
-
 	// MeshKey optionally specifies a pre-shared key used by
 	// trusted clients.  It's required to subscribe to the
 	// connection list & forward packets. It's empty for regular
 	// users.
 	MeshKey string `json:"meshKey,omitempty"`
 
+	// Version is the DERP protocol version that the client was built with.
+	// See the ProtocolVersion const.
+	Version int `json:"version,omitempty"`
+
 	// CanAckPings is whether the client declares it's able to ack
 	// pings.
 	CanAckPings bool

derp/derp_server.go

@@ -712,7 +712,6 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 		bw:             bw,
 		logf:           logger.WithPrefix(s.logf, fmt.Sprintf("derp client %v%s: ", remoteAddr, clientKey.ShortString())),
 		done:           ctx.Done(),
-		remoteAddr:     remoteAddr,
 		remoteIPPort:   remoteIPPort,
 		connectedAt:    s.clock.Now(),
 		sendQueue:      make(chan pkt, perClientSendQueueDepth),
@@ -1317,7 +1316,6 @@ type sclient struct {
 	info           clientInfo
 	logf           logger.Logf
 	done           <-chan struct{}  // closed when connection closes
-	remoteAddr     string           // usually ip:port from net.Conn.RemoteAddr().String()
 	remoteIPPort   netip.AddrPort   // zero if remoteAddr is not ip:port.
 	sendQueue      chan pkt         // packets queued to this client; never closed
 	discoSendQueue chan pkt         // important packets queued to this client; never closed
@@ -1354,16 +1352,13 @@ type sclient struct {
 // peerConnState represents whether a peer is connected to the server
 // or not.
 type peerConnState struct {
+	ipPort  netip.AddrPort // if present, the peer's IP:port
 	peer    key.NodePublic
 	present bool
-	ipPort  netip.AddrPort // if present, the peer's IP:port
 }
 
 // pkt is a request to write a data frame to an sclient.
 type pkt struct {
-	// src is the who's the sender of the packet.
-	src key.NodePublic
-
 	// enqueuedAt is when a packet was put onto a queue before it was sent,
 	// and is used for reporting metrics on the duration of packets in the queue.
 	enqueuedAt time.Time
@@ -1371,6 +1366,9 @@ type pkt struct {
 	// bs is the data packet bytes.
 	// The memory is owned by pkt.
 	bs []byte
+
+	// src is the who's the sender of the packet.
+	src key.NodePublic
 }
 
 // peerGoneMsg is a request to write a peerGone frame to an sclient
@@ -1573,6 +1571,17 @@ func (c *sclient) sendMeshUpdates() error {
 	c.s.mu.Lock()
 	defer c.s.mu.Unlock()
 
+	// allow all happened-before mesh update request goroutines to complete, if
+	// we don't finish the task we'll queue another below.
+drainUpdates:
+	for {
+		select {
+		case <-c.meshUpdate:
+		default:
+			break drainUpdates
+		}
+	}
+
 	writes := 0
 	for _, pcs := range c.peerStateChange {
 		if c.bw.Available() <= frameHeaderLen+keyLen {

flake.nix

@@ -120,4 +120,4 @@
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=
+# nix-direnv cache busting line: sha256-BK1zugKGtx2RpWHDvFZaFqz/YdoewsG8SscGt25uwtQ=

go.mod

@@ -63,12 +63,12 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e
+	github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
-	github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2
+	github.com/tailscale/web-client-prebuilt v0.0.0-20240111230031-5ca22df9e6e7
 	github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272
 	github.com/tc-hib/winres v0.2.1
 	github.com/tcnksm/go-httpstat v0.2.0
@@ -79,14 +79,14 @@ require (
 	go.uber.org/zap v1.26.0
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
-	golang.org/x/crypto v0.15.0
+	golang.org/x/crypto v0.17.1-0.20240102205709-08396bb92b82
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
 	golang.org/x/mod v0.14.0
 	golang.org/x/net v0.18.0
 	golang.org/x/oauth2 v0.12.0
 	golang.org/x/sync v0.5.0
 	golang.org/x/sys v0.15.0
-	golang.org/x/term v0.14.0
+	golang.org/x/term v0.15.0
 	golang.org/x/time v0.3.0
 	golang.org/x/tools v0.15.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2

go.mod.sri

@@ -1 +1 @@
-sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=
+sha256-BK1zugKGtx2RpWHDvFZaFqz/YdoewsG8SscGt25uwtQ=

go.sum

@@ -888,8 +888,8 @@ github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e h1:JyeJF/HuSwvxWtsR1c0oKX1lzaSH5Wh4aX+MgiStaGQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e/go.mod h1:DjoeCULdP6vTJ/xY+nzzR9LaUHprkbZEpNidX0aqEEk=
+github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780 h1:U0J2CUrrTcc2wmr9tSLYEo+USfwNikRRsmxVLD4eZ7E=
+github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
@@ -898,8 +898,8 @@ github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734 h1:93cvKHbvsPK3MKf
 github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734/go.mod h1:6v53VHLmLKUaqWMpSGDeRWhltLSCEteMItYoiKLpdJk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2 h1:lR1voET3dwe3CxacGAiva4k08TXtQ6Dlmult4JILlj4=
-github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/web-client-prebuilt v0.0.0-20240111230031-5ca22df9e6e7 h1:xAgOVncJuuxkFZ2oXXDKFTH4HDdFYSZRYdA6oMrCewg=
+github.com/tailscale/web-client-prebuilt v0.0.0-20240111230031-5ca22df9e6e7/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272 h1:zwsem4CaamMdC3tFoTpzrsUSMDPV0K6rhnQdF7kXekQ=
 github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
@@ -1004,8 +1004,8 @@ golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
+golang.org/x/crypto v0.17.1-0.20240102205709-08396bb92b82 h1:Im4GabMwJDxh7eJBIF8XGVAyhmlqdBQmZV49AzWdKEk=
+golang.org/x/crypto v0.17.1-0.20240102205709-08396bb92b82/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1207,8 +1207,8 @@ golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8=
-golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

ipn/ipnauth/ipnauth.go

@@ -46,6 +46,8 @@ type WindowsToken interface {
 	// IsElevated reports whether the receiver is currently executing as an
 	// elevated administrative user.
 	IsElevated() bool
+	// IsLocalSystem reports whether the receiver is the built-in SYSTEM user.
+	IsLocalSystem() bool
 	// UserDir returns the special directory identified by folderID as associated
 	// with the receiver. folderID must be one of the KNOWNFOLDERID values from
 	// the x/sys/windows package, serialized as a stringified GUID.

ipn/ipnauth/ipnauth_windows.go

@@ -93,6 +93,12 @@ func (t *token) IsElevated() bool {
 	return t.t.IsElevated()
 }
 
+func (t *token) IsLocalSystem() bool {
+	// https://web.archive.org/web/2024/https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
+	const systemUID = ipn.WindowsUserID("S-1-5-18")
+	return t.IsUID(systemUID)
+}
+
 func (t *token) UserDir(folderID string) (string, error) {
 	guid, err := windows.GUIDFromString(folderID)
 	if err != nil {

ipn/ipnlocal/local.go

@@ -2735,6 +2735,16 @@ func (b *LocalBackend) CheckIPNConnectionAllowed(ci *ipnauth.ConnIdentity) error
 	if !b.pm.CurrentPrefs().ForceDaemon() {
 		return nil
 	}
+
+	// Always allow Windows SYSTEM user to connect,
+	// even if Tailscale is currently being used by another user.
+	if tok, err := ci.WindowsToken(); err == nil {
+		defer tok.Close()
+		if tok.IsLocalSystem() {
+			return nil
+		}
+	}
+
 	uid := ci.WindowsUserID()
 	if uid == "" {
 		return errors.New("empty user uid in connection identity")
@@ -3436,15 +3446,21 @@ func (b *LocalBackend) reconfigAppConnectorLocked(nm *netmap.NetworkMap, prefs i
 		})
 	}
 
-	var domains []string
+	var (
+		domains []string
+		routes  []netip.Prefix
+	)
 	for _, attr := range attrs {
 		if slices.Contains(attr.Connectors, "*") || selfHasTag(attr.Connectors) {
 			domains = append(domains, attr.Domains...)
+			routes = append(routes, attr.Routes...)
 		}
 	}
 	slices.Sort(domains)
+	slices.SortFunc(routes, func(i, j netip.Prefix) int { return i.Addr().Compare(j.Addr()) })
 	domains = slices.Compact(domains)
-	b.appConnector.UpdateDomains(domains)
+	routes = slices.Compact(routes)
+	b.appConnector.UpdateDomainsAndRoutes(domains, routes)
 }
 
 // authReconfig pushes a new configuration into wgengine, if engine
@@ -5774,21 +5790,73 @@ var ErrDisallowedAutoRoute = errors.New("route is not allowed")
 // AdvertiseRoute implements the appc.RouteAdvertiser interface. It sets a new
 // route advertisement if one is not already present in the existing routes.
 // If the route is disallowed, ErrDisallowedAutoRoute is returned.
-func (b *LocalBackend) AdvertiseRoute(ipp netip.Prefix) error {
-	if !allowedAutoRoute(ipp) {
-		return ErrDisallowedAutoRoute
+func (b *LocalBackend) AdvertiseRoute(ipps ...netip.Prefix) error {
+	finalRoutes := b.Prefs().AdvertiseRoutes().AsSlice()
+	newRoutes := false
+
+	for _, ipp := range ipps {
+		if !allowedAutoRoute(ipp) {
+			continue
+		}
+		if slices.Contains(finalRoutes, ipp) {
+			continue
+		}
+
+		// If the new prefix is already contained by existing routes, skip it.
+		if coveredRouteRange(finalRoutes, ipp) {
+			continue
+		}
+
+		finalRoutes = append(finalRoutes, ipp)
+		newRoutes = true
 	}
-	currentRoutes := b.Prefs().AdvertiseRoutes()
-	if currentRoutes.ContainsFunc(func(r netip.Prefix) bool {
-		// TODO(raggi): add support for subset checks and avoid subset route creations.
-		return ipp.IsSingleIP() && r.Contains(ipp.Addr()) || r == ipp
-	}) {
+
+	if !newRoutes {
 		return nil
 	}
-	routes := append(currentRoutes.AsSlice(), ipp)
+
 	_, err := b.EditPrefs(&ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
-			AdvertiseRoutes: routes,
+			AdvertiseRoutes: finalRoutes,
+		},
+		AdvertiseRoutesSet: true,
+	})
+	return err
+}
+
+// coveredRouteRange checks if a route is already included in a slice of
+// prefixes.
+func coveredRouteRange(finalRoutes []netip.Prefix, ipp netip.Prefix) bool {
+	for _, r := range finalRoutes {
+		if ipp.IsSingleIP() {
+			if r.Contains(ipp.Addr()) {
+				return true
+			}
+		} else {
+			if r.Contains(ipp.Addr()) && r.Contains(netipx.PrefixLastIP(ipp)) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// UnadvertiseRoute implements the appc.RouteAdvertiser interface. It removes
+// a route advertisement if one is present in the existing routes.
+func (b *LocalBackend) UnadvertiseRoute(toRemove ...netip.Prefix) error {
+	currentRoutes := b.Prefs().AdvertiseRoutes().AsSlice()
+	finalRoutes := currentRoutes[:0]
+
+	for _, ipp := range currentRoutes {
+		if slices.Contains(toRemove, ipp) {
+			continue
+		}
+		finalRoutes = append(finalRoutes, ipp)
+	}
+
+	_, err := b.EditPrefs(&ipn.MaskedPrefs{
+		Prefs: ipn.Prefs{
+			AdvertiseRoutes: finalRoutes,
 		},
 		AdvertiseRoutesSet: true,
 	})

ipn/ipnlocal/local_test.go

@@ -18,6 +18,7 @@ import (
 	"go4.org/netipx"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/appc"
+	"tailscale.com/appc/appctest"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -1169,6 +1170,13 @@ func TestRouteAdvertiser(t *testing.T) {
 	if routes.Len() != 1 || routes.At(0) != testPrefix {
 		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
 	}
+
+	must.Do(ra.UnadvertiseRoute(testPrefix))
+
+	routes = b.Prefs().AdvertiseRoutes()
+	if routes.Len() != 0 {
+		t.Fatalf("got routes %v, want none", routes)
+	}
 }
 
 func TestRouterAdvertiserIgnoresContainedRoutes(t *testing.T) {
@@ -1197,14 +1205,52 @@ func TestObserveDNSResponse(t *testing.T) {
 	// ensure no error when no app connector is configured
 	b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
 
-	rc := &routeCollector{}
+	rc := &appctest.RouteCollector{}
 	b.appConnector = appc.NewAppConnector(t.Logf, rc)
 	b.appConnector.UpdateDomains([]string{"example.com"})
+	b.appConnector.Wait(context.Background())
 
 	b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	b.appConnector.Wait(context.Background())
 	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
-	if !slices.Equal(rc.routes, wantRoutes) {
-		t.Fatalf("got routes %v, want %v", rc.routes, wantRoutes)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Fatalf("got routes %v, want %v", rc.Routes(), wantRoutes)
+	}
+}
+
+func TestCoveredRouteRange(t *testing.T) {
+	tests := []struct {
+		existingRoute netip.Prefix
+		newRoute      netip.Prefix
+		want          bool
+	}{
+		{
+			existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
+			newRoute:      netip.MustParsePrefix("192.0.0.1/32"),
+			want:          true,
+		},
+		{
+			existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
+			newRoute:      netip.MustParsePrefix("192.0.0.2/32"),
+			want:          false,
+		},
+		{
+			existingRoute: netip.MustParsePrefix("192.0.0.0/24"),
+			newRoute:      netip.MustParsePrefix("192.0.0.1/32"),
+			want:          true,
+		},
+		{
+			existingRoute: netip.MustParsePrefix("192.0.0.0/16"),
+			newRoute:      netip.MustParsePrefix("192.0.0.0/24"),
+			want:          true,
+		},
+	}
+
+	for _, tt := range tests {
+		got := coveredRouteRange([]netip.Prefix{tt.existingRoute}, tt.newRoute)
+		if got != tt.want {
+			t.Errorf("coveredRouteRange(%v, %v) = %v, want %v", tt.existingRoute, tt.newRoute, got, tt.want)
+		}
 	}
 }
 
@@ -1243,6 +1289,7 @@ func TestReconfigureAppConnector(t *testing.T) {
 	}).View()
 
 	b.reconfigAppConnectorLocked(b.netMap, b.pm.prefs)
+	b.appConnector.Wait(context.Background())
 
 	want := []string{"example.com"}
 	if !slices.Equal(b.appConnector.Domains().AsSlice(), want) {
@@ -1342,16 +1389,6 @@ func dnsResponse(domain, address string) []byte {
 	return must.Get(b.Finish())
 }
 
-// routeCollector is a test helper that collects the list of routes advertised
-type routeCollector struct {
-	routes []netip.Prefix
-}
-
-func (rc *routeCollector) AdvertiseRoute(pfx netip.Prefix) error {
-	rc.routes = append(rc.routes, pfx)
-	return nil
-}
-
 type errorSyspolicyHandler struct {
 	t         *testing.T
 	err       error

ipn/ipnlocal/peerapi_test.go

@@ -23,6 +23,7 @@ import (
 	"go4.org/netipx"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/appc"
+	"tailscale.com/appc/appctest"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -685,10 +686,11 @@ func TestPeerAPIReplyToDNSQueries(t *testing.T) {
 }
 
 func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
+	ctx := context.Background()
 	var h peerAPIHandler
 	h.remoteAddr = netip.MustParseAddrPort("100.150.151.152:12345")
 
-	rc := &routeCollector{}
+	rc := &appctest.RouteCollector{}
 	eng, _ := wgengine.NewFakeUserspaceEngine(logger.Discard, 0)
 	pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
 	h.ps = &peerAPIServer{
@@ -700,6 +702,7 @@ func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
 		},
 	}
 	h.ps.b.appConnector.UpdateDomains([]string{"example.com"})
+	h.ps.b.appConnector.Wait(ctx)
 
 	h.ps.resolver = &fakeResolver{}
 	f := filter.NewAllowAllForTest(logger.Discard)
@@ -717,10 +720,11 @@ func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Errorf("unexpected status code: %v", w.Code)
 	}
+	h.ps.b.appConnector.Wait(ctx)
 
 	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
-	if !slices.Equal(rc.routes, wantRoutes) {
-		t.Errorf("got %v; want %v", rc.routes, wantRoutes)
+	if !slices.Equal(rc.Routes(), wantRoutes) {
+		t.Errorf("got %v; want %v", rc.Routes(), wantRoutes)
 	}
 }
 

ipn/ipnlocal/serve.go

@@ -34,6 +34,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/lazy"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/ctxkey"
 	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )
@@ -48,8 +49,7 @@ const (
 // current etag of a resource.
 var ErrETagMismatch = errors.New("etag mismatch")
 
-// serveHTTPContextKey is the context.Value key for a *serveHTTPContext.
-type serveHTTPContextKey struct{}
+var serveHTTPContextKey ctxkey.Key[*serveHTTPContext]
 
 type serveHTTPContext struct {
 	SrcAddr  netip.AddrPort
@@ -433,7 +433,7 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 		hs := &http.Server{
 			Handler: http.HandlerFunc(b.serveWebHandler),
 			BaseContext: func(_ net.Listener) context.Context {
-				return context.WithValue(context.Background(), serveHTTPContextKey{}, &serveHTTPContext{
+				return serveHTTPContextKey.WithValue(context.Background(), &serveHTTPContext{
 					SrcAddr:  srcAddr,
 					DestPort: dport,
 				})
@@ -500,11 +500,6 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 	return nil
 }
 
-func getServeHTTPContext(r *http.Request) (c *serveHTTPContext, ok bool) {
-	c, ok = r.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext)
-	return c, ok
-}
-
 func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView, at string, ok bool) {
 	var z ipn.HTTPHandlerView // zero value
 
@@ -521,7 +516,7 @@ func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView,
 		hostname = r.TLS.ServerName
 	}
 
-	sctx, ok := getServeHTTPContext(r)
+	sctx, ok := serveHTTPContextKey.ValueOk(r.Context())
 	if !ok {
 		b.logf("[unexpected] localbackend: no serveHTTPContext in request")
 		return z, "", false
@@ -684,7 +679,7 @@ func addProxyForwardedHeaders(r *httputil.ProxyRequest) {
 	if r.In.TLS != nil {
 		r.Out.Header.Set("X-Forwarded-Proto", "https")
 	}
-	if c, ok := getServeHTTPContext(r.Out); ok {
+	if c, ok := serveHTTPContextKey.ValueOk(r.Out.Context()); ok {
 		r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
 	}
 }
@@ -696,7 +691,7 @@ func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
 	r.Out.Header.Del("Tailscale-User-Profile-Pic")
 	r.Out.Header.Del("Tailscale-Headers-Info")
 
-	c, ok := getServeHTTPContext(r.Out)
+	c, ok := serveHTTPContextKey.ValueOk(r.Out.Context())
 	if !ok {
 		return
 	}

ipn/ipnlocal/serve_test.go

@@ -158,7 +158,7 @@ func TestGetServeHandler(t *testing.T) {
 				TLS: &tls.ConnectionState{ServerName: serverName},
 			}
 			port := cmpx.Or(tt.port, 443)
-			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
+			req = req.WithContext(serveHTTPContextKey.WithValue(req.Context(), &serveHTTPContext{
 				DestPort: port,
 			}))
 
@@ -428,7 +428,7 @@ func TestServeHTTPProxy(t *testing.T) {
 				URL: &url.URL{Path: "/"},
 				TLS: &tls.ConnectionState{ServerName: "example.ts.net"},
 			}
-			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
+			req = req.WithContext(serveHTTPContextKey.WithValue(req.Context(), &serveHTTPContext{
 				DestPort: 443,
 				SrcAddr:  netip.MustParseAddrPort(tt.srcIP + ":1234"), // random src port for tests
 			}))

ipn/ipnserver/server.go

@@ -251,6 +251,12 @@ func (s *Server) checkConnIdentityLocked(ci *ipnauth.ConnIdentity) error {
 				return err
 			}
 
+			// Always allow Windows SYSTEM user to connect,
+			// even if Tailscale is currently being used by another user.
+			if chkTok != nil && chkTok.IsLocalSystem() {
+				return nil
+			}
+
 			activeTok, err := active.WindowsToken()
 			if err == nil {
 				defer activeTok.Close()
@@ -401,8 +407,10 @@ func (s *Server) addActiveHTTPRequest(req *http.Request, ci *ipnauth.ConnIdentit
 			if !errors.Is(err, ipnauth.ErrNotImplemented) {
 				s.logf("error obtaining access token: %v", err)
 			}
-		} else {
-			// Tell the LocalBackend about the identity we're now running as.
+		} else if !token.IsLocalSystem() {
+			// Tell the LocalBackend about the identity we're now running as,
+			// unless its the SYSTEM user. That user is not a real account and
+			// doesn't have a home directory.
 			uid, err := lb.SetCurrentUser(token)
 			if err != nil {
 				token.Close()

licenses/android.md

@@ -50,9 +50,9 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
  - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
  - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
  - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
  - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
  - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
@@ -64,12 +64,12 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/pkg/errors](https://pkg.go.dev/github.com/pkg/errors) ([BSD-2-Clause](https://github.com/pkg/errors/blob/v0.9.1/LICENSE))
  - [github.com/safchain/ethtool](https://pkg.go.dev/github.com/safchain/ethtool) ([Apache-2.0](https://github.com/safchain/ethtool/blob/v0.3.0/LICENSE))
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/7ce1f622c780/LICENSE))
  - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
  - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
  - [github.com/tailscale/tailscale-android](https://pkg.go.dev/github.com/tailscale/tailscale-android) ([BSD-3-Clause](https://github.com/tailscale/tailscale-android/blob/HEAD/LICENSE))
- - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/9b3142ca6f79/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/26bf65339dda/LICENSE))
  - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/cc193a0b3272/LICENSE))
  - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
  - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/3e8cd9d6bf63/LICENSE))
@@ -80,14 +80,14 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
  - [go4.org/unsafe/assume-no-moving-gc](https://pkg.go.dev/go4.org/unsafe/assume-no-moving-gc) ([BSD-3-Clause](https://github.com/go4org/unsafe-assume-no-moving-gc/blob/e7c30c78aeb2/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
  - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/334a2380:shiny/LICENSE))
  - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.12.0:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/4fe30062272c/LICENSE))

licenses/apple.md

@@ -1,10 +1,10 @@
-# Tailscale for macOS/iOS dependencies
+# Tailscale for macOS/iOS/tvOS dependencies
 
-The following open source dependencies are used to build Tailscale on [macOS][]
-and [iOS][].  See also the dependencies in the [Tailscale CLI][].
+The following open source dependencies are used to build Tailscale on [macOS][], [iOS][] and [tvOS][].  See also the dependencies in the [Tailscale CLI][].
 
 [macOS]: https://tailscale.com/kb/1016/install-mac/
 [iOS]: https://tailscale.com/kb/1020/install-ios/
+[tvOS]: https://tailscale.com/kb/1280/appletv/
 [Tailscale CLI]: ./tailscale.md
 
 ## Go Packages
@@ -53,7 +53,7 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
  - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.18/LICENSE))
  - [github.com/safchain/ethtool](https://pkg.go.dev/github.com/safchain/ethtool) ([Apache-2.0](https://github.com/safchain/ethtool/blob/v0.3.0/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/7ce1f622c780/LICENSE))
  - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
  - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
@@ -65,12 +65,12 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/4fe30062272c/LICENSE))

licenses/tailscale.md

@@ -74,10 +74,10 @@ Some packages may only be included on certain architectures or operating systems
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
  - [github.com/tailscale/certstore](https://pkg.go.dev/github.com/tailscale/certstore) ([MIT](https://github.com/tailscale/certstore/blob/d3fa0460f47e/LICENSE.md))
  - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/7ce1f622c780/LICENSE))
  - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/a4fa669015b2/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/5ca22df9e6e7/LICENSE))
  - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/cc193a0b3272/LICENSE))
  - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
  - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
@@ -88,13 +88,13 @@ Some packages may only be included on certain architectures or operating systems
  - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.12.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
  - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))

licenses/windows.md

@@ -52,7 +52,7 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
  - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/95b7e17614b9/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/6a278000867c/LICENSE))
  - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/d2e5cdeed6dc/LICENSE))
  - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.1/LICENSE))
  - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
@@ -60,14 +60,14 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
  - [golang.org/x/exp/constraints](https://pkg.go.dev/golang.org/x/exp/constraints) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
- - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.12.0:LICENSE))
+ - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.14.0:LICENSE))
  - [golang.org/x/mod](https://pkg.go.dev/golang.org/x/mod) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.14.0:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
  - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))

net/netmon/netmon.go

@@ -478,6 +478,28 @@ func (m *Monitor) IsMajorChangeFrom(s1, s2 *interfaces.State) bool {
 			return true
 		}
 	}
+	// Iterate over s2 in case there is a field in s2 that doesn't exist in s1
+	for iname, i := range s2.Interface {
+		if iname == m.tsIfName {
+			// Ignore changes in the Tailscale interface itself.
+			continue
+		}
+		ips := s2.InterfaceIPs[iname]
+		if !m.isInterestingInterface(i, ips) {
+			continue
+		}
+		i1, ok := s1.Interface[iname]
+		if !ok {
+			return true
+		}
+		ips1, ok := s1.InterfaceIPs[iname]
+		if !ok {
+			return true
+		}
+		if !i.Equal(i1) || !prefixesMajorEqual(ips, ips1) {
+			return true
+		}
+	}
 	return false
 }
 

net/portmapper/upnp.go

@@ -252,7 +252,8 @@ func getUPnPRootDevice(ctx context.Context, logf logger.Logf, debug DebugKnobs,
 }
 
 // selectBestService picks the "best" service from the given UPnP root device
-// to use to create a port mapping.
+// to use to create a port mapping. It may return (nil, nil) if no supported
+// service was found in the provided *goupnp.RootDevice.
 //
 // loc is the parsed location that was used to fetch the given RootDevice.
 //
@@ -559,6 +560,20 @@ func (c *Client) tryUPnPPortmapWithDevice(
 		return netip.AddrPort{}, nil, err
 	}
 
+	// If we have no client, we cannot continue; this can happen if we get
+	// a valid UPnP response that does not contain any of the service types
+	// that we know how to use.
+	if client == nil {
+		// For debugging, print all available services that we aren't
+		// using because they're not supported; use c.vlogf so we don't
+		// spam the logs unless verbose debugging is turned on.
+		rootDev.Device.VisitServices(func(s *goupnp.Service) {
+			c.vlogf("unsupported UPnP service: Type=%q ID=%q ControlURL=%q", s.ServiceType, s.ServiceId, s.ControlURL.Str)
+		})
+
+		return netip.AddrPort{}, nil, fmt.Errorf("no supported UPnP clients")
+	}
+
 	// Start by trying to make a temporary lease with a duration.
 	var newPort uint16
 	newPort, err = addAnyPortMapping(

net/portmapper/upnp_test.go

@@ -165,6 +165,172 @@ const (
   </device>
   <disabledForTestURLBase>http://10.0.0.1:2828</disabledForTestURLBase>
 </root>
+`
+
+	// Huawei, https://github.com/tailscale/tailscale/issues/10911
+	huaweiRootDescXML = `<?xml version="1.0"?>
+<root xmlns="urn:schemas-upnp-org:device-1-0">
+  <specVersion>
+    <major>1</major>
+    <minor>0</minor>
+  </specVersion>
+  <device>
+    <deviceType>urn:dslforum-org:device:InternetGatewayDevice:1</deviceType>
+    <friendlyName>HG531 V1</friendlyName>
+    <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
+    <manufacturerURL>http://www.huawei.com</manufacturerURL>
+    <modelDescription>Huawei Home Gateway</modelDescription>
+    <modelName>HG531 V1</modelName>
+    <modelNumber>Huawei Model</modelNumber>
+    <modelURL>http://www.huawei.com</modelURL>
+    <serialNumber>G6J8W15326003974</serialNumber>
+    <UDN>uuid:00e0fc37-2626-2828-2600-587f668bdd9a</UDN>
+    <UPC>000000000001</UPC>
+    <serviceList>
+      <service>
+        <serviceType>urn:www-huawei-com:service:DeviceConfig:1</serviceType>
+        <serviceId>urn:www-huawei-com:serviceId:DeviceConfig1</serviceId>
+        <SCPDURL>/desc/DevCfg.xml</SCPDURL>
+        <controlURL>/ctrlt/DeviceConfig_1</controlURL>
+        <eventSubURL>/evt/DeviceConfig_1</eventSubURL>
+      </service>
+      <service>
+        <serviceType>urn:dslforum-org:service:LANConfigSecurity:1</serviceType>
+        <serviceId>urn:dslforum-org:serviceId:LANConfigSecurity1</serviceId>
+        <SCPDURL>/desc/LANSec.xml</SCPDURL>
+        <controlURL>/ctrlt/LANConfigSecurity_1</controlURL>
+        <eventSubURL>/evt/LANConfigSecurity_1</eventSubURL>
+      </service>
+      <service>
+        <serviceType>urn:dslforum-org:service:Layer3Forwarding:1</serviceType>
+        <serviceId>urn:dslforum-org:serviceId:Layer3Forwarding1</serviceId>
+        <SCPDURL>/desc/L3Fwd.xml</SCPDURL>
+        <controlURL>/ctrlt/Layer3Forwarding_1</controlURL>
+        <eventSubURL>/evt/Layer3Forwarding_1</eventSubURL>
+      </service>
+    </serviceList>
+    <deviceList>
+      <device>
+        <deviceType>urn:dslforum-org:device:WANDevice:1</deviceType>
+        <friendlyName>WANDevice</friendlyName>
+        <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
+        <manufacturerURL>http://www.huawei.com</manufacturerURL>
+        <modelDescription>Huawei Home Gateway</modelDescription>
+        <modelName>HG531 V1</modelName>
+        <modelNumber>Huawei Model</modelNumber>
+        <modelURL>http://www.huawei.com</modelURL>
+        <serialNumber>G6J8W15326003974</serialNumber>
+        <UDN>uuid:00e0fc37-2626-2828-2601-587f668bdd9a</UDN>
+        <UPC>000000000001</UPC>
+        <serviceList>
+          <service>
+            <serviceType>urn:dslforum-org:service:WANDSLInterfaceConfig:1</serviceType>
+            <serviceId>urn:dslforum-org:serviceId:WANDSLInterfaceConfig1</serviceId>
+            <SCPDURL>/desc/WanDslIfCfg.xml</SCPDURL>
+            <controlURL>/ctrlt/WANDSLInterfaceConfig_1</controlURL>
+            <eventSubURL>/evt/WANDSLInterfaceConfig_1</eventSubURL>
+          </service>
+          <service>
+            <serviceType>urn:dslforum-org:service:WANCommonInterfaceConfig:1</serviceType>
+            <serviceId>urn:dslforum-org:serviceId:WANCommonInterfaceConfig1</serviceId>
+            <SCPDURL>/desc/WanCommonIfc1.xml</SCPDURL>
+            <controlURL>/ctrlt/WANCommonInterfaceConfig_1</controlURL>
+            <eventSubURL>/evt/WANCommonInterfaceConfig_1</eventSubURL>
+          </service>
+        </serviceList>
+        <deviceList>
+          <device>
+            <deviceType>urn:dslforum-org:device:WANConnectionDevice:1</deviceType>
+            <friendlyName>WANConnectionDevice</friendlyName>
+            <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
+            <manufacturerURL>http://www.huawei.com</manufacturerURL>
+            <modelDescription>Huawei Home Gateway</modelDescription>
+            <modelName>HG531 V1</modelName>
+            <modelNumber>Huawei Model</modelNumber>
+            <modelURL>http://www.huawei.com</modelURL>
+            <serialNumber>G6J8W15326003974</serialNumber>
+            <UDN>uuid:00e0fc37-2626-2828-2603-587f668bdd9a</UDN>
+            <UPC>000000000001</UPC>
+            <serviceList>
+              <service>
+                <serviceType>urn:dslforum-org:service:WANPPPConnection:1</serviceType>
+                <serviceId>urn:dslforum-org:serviceId:WANPPPConnection1</serviceId>
+                <SCPDURL>/desc/WanPppConn.xml</SCPDURL>
+                <controlURL>/ctrlt/WANPPPConnection_1</controlURL>
+                <eventSubURL>/evt/WANPPPConnection_1</eventSubURL>
+              </service>
+              <service>
+                <serviceType>urn:dslforum-org:service:WANEthernetConnectionManagement:1</serviceType>
+                <serviceId>urn:dslforum-org:serviceId:WANEthernetConnectionManagement1</serviceId>
+                <SCPDURL>/desc/WanEthConnMgt.xml</SCPDURL>
+                <controlURL>/ctrlt/WANEthernetConnectionManagement_1</controlURL>
+                <eventSubURL>/evt/WANEthernetConnectionManagement_1</eventSubURL>
+              </service>
+              <service>
+                <serviceType>urn:dslforum-org:service:WANDSLLinkConfig:1</serviceType>
+                <serviceId>urn:dslforum-org:serviceId:WANDSLLinkConfig1</serviceId>
+                <SCPDURL>/desc/WanDslLink.xml</SCPDURL>
+                <controlURL>/ctrlt/WANDSLLinkConfig_1</controlURL>
+                <eventSubURL>/evt/WANDSLLinkConfig_1</eventSubURL>
+              </service>
+            </serviceList>
+          </device>
+        </deviceList>
+      </device>
+      <device>
+        <deviceType>urn:dslforum-org:device:LANDevice:1</deviceType>
+        <friendlyName>LANDevice</friendlyName>
+        <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
+        <manufacturerURL>http://www.huawei.com</manufacturerURL>
+        <modelDescription>Huawei Home Gateway</modelDescription>
+        <modelName>HG531 V1</modelName>
+        <modelNumber>Huawei Model</modelNumber>
+        <modelURL>http://www.huawei.com</modelURL>
+        <serialNumber>G6J8W15326003974</serialNumber>
+        <UDN>uuid:00e0fc37-2626-2828-2602-587f668bdd9a</UDN>
+        <UPC>000000000001</UPC>
+        <serviceList>
+          <service>
+            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
+            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration4</serviceId>
+            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
+            <controlURL>/ctrlt/WLANConfiguration_4</controlURL>
+            <eventSubURL>/evt/WLANConfiguration_4</eventSubURL>
+          </service>
+          <service>
+            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
+            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration3</serviceId>
+            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
+            <controlURL>/ctrlt/WLANConfiguration_3</controlURL>
+            <eventSubURL>/evt/WLANConfiguration_3</eventSubURL>
+          </service>
+          <service>
+            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
+            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration2</serviceId>
+            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
+            <controlURL>/ctrlt/WLANConfiguration_2</controlURL>
+            <eventSubURL>/evt/WLANConfiguration_2</eventSubURL>
+          </service>
+          <service>
+            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
+            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration1</serviceId>
+            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
+            <controlURL>/ctrlt/WLANConfiguration_1</controlURL>
+            <eventSubURL>/evt/WLANConfiguration_1</eventSubURL>
+          </service>
+          <service>
+            <serviceType>urn:dslforum-org:service:LANHostConfigManagement:1</serviceType>
+            <serviceId>urn:dslforum-org:serviceId:LANHostConfigManagement1</serviceId>
+            <SCPDURL>/desc/LanHostCfgMgmt.xml</SCPDURL>
+            <controlURL>/ctrlt/LANHostConfigManagement_1</controlURL>
+            <eventSubURL>/evt/LANHostConfigManagement_1</eventSubURL>
+          </service>
+        </serviceList>
+      </device>
+    </deviceList>
+    <presentationURL>http://127.0.0.1</presentationURL>
+  </device>
+</root>
 `
 )
 
@@ -233,6 +399,14 @@ func TestGetUPnPClient(t *testing.T) {
 			"*internetgateway2.WANIPConnection1",
 			"saw UPnP type WANIPConnection1 at http://127.0.0.1:NNN/rootDesc.xml; MikroTik Router (MikroTik), method=none\n",
 		},
+		{
+			"huawei",
+			huaweiRootDescXML,
+			// services not supported and thus returns nil, but shouldn't crash
+			"<nil>",
+			"",
+		},
+
 		// TODO(bradfitz): find a PPP one in the wild
 	}
 	for _, tt := range tests {
@@ -375,6 +549,48 @@ func TestGetUPnPPortMapping(t *testing.T) {
 	}
 }
 
+// TestGetUPnPPortMapping_NoValidServices tests that getUPnPPortMapping doesn't
+// crash when a valid UPnP response with no supported services is discovered
+// and parsed.
+//
+// See https://github.com/tailscale/tailscale/issues/10911
+func TestGetUPnPPortMapping_NoValidServices(t *testing.T) {
+	igd, err := NewTestIGD(t.Logf, TestIGDOptions{UPnP: true})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer igd.Close()
+
+	igd.SetUPnPHandler(&upnpServer{
+		t:    t,
+		Desc: huaweiRootDescXML,
+	})
+
+	c := newTestClient(t, igd)
+	defer c.Close()
+	c.debug.VerboseLogs = true
+
+	ctx := context.Background()
+	res, err := c.Probe(ctx)
+	if err != nil {
+		t.Fatalf("Probe: %v", err)
+	}
+	if !res.UPnP {
+		t.Errorf("didn't detect UPnP")
+	}
+
+	gw, myIP, ok := c.gatewayAndSelfIP()
+	if !ok {
+		t.Fatalf("could not get gateway and self IP")
+	}
+
+	// This shouldn't panic
+	_, ok = c.getUPnPPortMapping(ctx, gw, netip.AddrPortFrom(myIP, 12345), 0)
+	if ok {
+		t.Fatal("did not expect to get UPnP port mapping")
+	}
+}
+
 func TestGetUPnPPortMappingNoResponses(t *testing.T) {
 	igd, err := NewTestIGD(t.Logf, TestIGDOptions{UPnP: true})
 	if err != nil {

safesocket/safesocket_darwin.go

@@ -16,6 +16,8 @@ import (
 	"strings"
 	"sync"
 	"time"
+
+	"tailscale.com/version"
 )
 
 func init() {
@@ -72,7 +74,7 @@ func localTCPPortAndTokenDarwin() (port int, token string, err error) {
 
 	if dir := os.Getenv("TS_MACOS_CLI_SHARED_DIR"); dir != "" {
 		// First see if we're running as the non-AppStore "macsys" variant.
-		if strings.Contains(os.Getenv("HOME"), "/Containers/io.tailscale.ipn.macsys/") {
+		if version.IsMacSysExt() {
 			if port, token, err := localTCPPortAndTokenMacsys(); err == nil {
 				return port, token, nil
 			}

shell.nix

@@ -16,4 +16,4 @@
 ) {
   src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=
+# nix-direnv cache busting line: sha256-BK1zugKGtx2RpWHDvFZaFqz/YdoewsG8SscGt25uwtQ=

tailcfg/tailcfg.go

@@ -1341,6 +1341,9 @@ const (
 	PeerCapabilityWakeOnLAN PeerCapability = "https://tailscale.com/cap/wake-on-lan"
 	// PeerCapabilityIngress grants the ability for a peer to send ingress traffic.
 	PeerCapabilityIngress PeerCapability = "https://tailscale.com/cap/ingress"
+	// PeerCapabilityWebUI grants the ability for a peer to edit features from the
+	// device Web UI.
+	PeerCapabilityWebUI PeerCapability = "tailscale.com/cap/webui"
 )
 
 // NodeCapMap is a map of capabilities to their optional values. It is valid for

tstime/rate/value.go

@@ -4,6 +4,7 @@
 package rate
 
 import (
+	"encoding/json"
 	"fmt"
 	"math"
 	"sync"
@@ -181,3 +182,41 @@ func (r *Value) rateNow(now mono.Time) float64 {
 func (r *Value) normalizedIntegral() float64 {
 	return r.halfLife() / math.Ln2
 }
+
+type jsonValue struct {
+	// TODO: Use v2 "encoding/json" for native time.Duration formatting.
+	HalfLife string    `json:"halfLife,omitempty,omitzero"`
+	Value    float64   `json:"value,omitempty,omitzero"`
+	Updated  mono.Time `json:"updated,omitempty,omitzero"`
+}
+
+func (r *Value) MarshalJSON() ([]byte, error) {
+	if r == nil {
+		return []byte("null"), nil
+	}
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	v := jsonValue{Value: r.value, Updated: r.updated}
+	if r.HalfLife > 0 {
+		v.HalfLife = r.HalfLife.String()
+	}
+	return json.Marshal(v)
+}
+
+func (r *Value) UnmarshalJSON(b []byte) error {
+	var v jsonValue
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	halfLife, err := time.ParseDuration(v.HalfLife)
+	if err != nil && v.HalfLife != "" {
+		return fmt.Errorf("invalid halfLife: %w", err)
+	}
+
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.HalfLife = halfLife
+	r.value = v.Value
+	r.updated = v.Updated
+	return nil
+}

tstime/rate/value_test.go

@@ -6,12 +6,14 @@ package rate
 import (
 	"flag"
 	"math"
+	"reflect"
 	"testing"
 	"time"
 
 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"tailscale.com/tstime/mono"
+	"tailscale.com/util/must"
 )
 
 const (
@@ -234,3 +236,26 @@ func BenchmarkValue(b *testing.B) {
 		v.Add(1)
 	}
 }
+
+func TestValueMarshal(t *testing.T) {
+	now := mono.Now()
+	tests := []struct {
+		val *Value
+		str string
+	}{
+		{val: &Value{}, str: `{}`},
+		{val: &Value{HalfLife: 5 * time.Minute}, str: `{"halfLife":"` + (5 * time.Minute).String() + `"}`},
+		{val: &Value{value: 12345, updated: now}, str: `{"value":12345,"updated":` + string(must.Get(now.MarshalJSON())) + `}`},
+	}
+	for _, tt := range tests {
+		str := string(must.Get(tt.val.MarshalJSON()))
+		if str != tt.str {
+			t.Errorf("string mismatch: got %v, want %v", str, tt.str)
+		}
+		var val Value
+		must.Do(val.UnmarshalJSON([]byte(str)))
+		if !reflect.DeepEqual(&val, tt.val) {
+			t.Errorf("value mismatch: %+v, want %+v", &val, tt.val)
+		}
+	}
+}

tsweb/request_id.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 
 	"github.com/google/uuid"
+	"tailscale.com/util/ctxkey"
 )
 
 // RequestID is an opaque identifier for a HTTP request, used to correlate
@@ -24,6 +25,9 @@ import (
 // opaque string. The current implementation uses a UUID.
 type RequestID string
 
+// RequestIDKey stores and loads [RequestID] values within a [context.Context].
+var RequestIDKey ctxkey.Key[RequestID]
+
 // RequestIDHeader is a custom HTTP header that the WithRequestID middleware
 // uses to determine whether to re-use a given request ID from the client
 // or generate a new one.
@@ -42,22 +46,16 @@ func SetRequestID(h http.Handler) http.Handler {
 			// transitions if needed.
 			id = "REQ-1" + uuid.NewString()
 		}
-		ctx := withRequestID(r.Context(), RequestID(id))
+		ctx := RequestIDKey.WithValue(r.Context(), RequestID(id))
 		r = r.WithContext(ctx)
 		h.ServeHTTP(w, r)
 	})
 }
 
-type requestIDKey struct{}
-
 // RequestIDFromContext retrieves the RequestID from context that can be set by
 // the SetRequestID function.
+//
+// Deprecated: Use [RequestIDKey.Value] instead.
 func RequestIDFromContext(ctx context.Context) RequestID {
-	val, _ := ctx.Value(requestIDKey{}).(RequestID)
-	return val
-}
-
-// withRequestID sets the given request id value in the given context.
-func withRequestID(ctx context.Context, rid RequestID) context.Context {
-	return context.WithValue(ctx, requestIDKey{}, rid)
+	return RequestIDKey.Value(ctx)
 }

tsweb/tsweb_test.go

@@ -166,7 +166,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns 404 via HTTPError with request ID",
 			rh:       handlerErr(0, Error(404, "not found", testErr)),
-			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 404,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -203,7 +203,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns 404 with request ID and nil child error",
 			rh:       handlerErr(0, Error(404, "not found", nil)),
-			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 404,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -240,7 +240,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns user-visible error with request ID",
 			rh:       handlerErr(0, vizerror.New("visible error")),
-			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 500,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -277,7 +277,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns user-visible error wrapped by private error with request ID",
 			rh:       handlerErr(0, fmt.Errorf("private internal error: %w", vizerror.New("visible error"))),
-			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 500,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -314,7 +314,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns generic error with request ID",
 			rh:       handlerErr(0, testErr),
-			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 500,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -350,7 +350,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns error after writing response with request ID",
 			rh:       handlerErr(200, testErr),
-			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 200,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -446,7 +446,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "error handler gets run with request ID",
 			rh:       handlerErr(0, Error(404, "not found", nil)), // status code changed in errHandler
-			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/"),
+			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/"),
 			wantCode: 200,
 			errHandler: func(w http.ResponseWriter, r *http.Request, e HTTPError) {
 				requestID := RequestIDFromContext(r.Context())

types/appctype/appconnector.go

@@ -66,6 +66,8 @@ type AppConnectorAttr struct {
 	// Domains enumerates the domains serviced by the specified app connectors.
 	// Domains can be of the form: example.com, or *.example.com.
 	Domains []string `json:"domains,omitempty"`
+	// Routes enumerates the predetermined routes to be advertised by the specified app connectors.
+	Routes []netip.Prefix `json:"routes,omitempty"`
 	// Connectors enumerates the app connectors which service these domains.
 	// These can either be "*" to match any advertising connector, or a
 	// tag of the form tag:<tag-name>.

types/logger/logger.go

@@ -21,6 +21,7 @@ import (
 	"context"
 
 	"tailscale.com/envknob"
+	"tailscale.com/util/ctxkey"
 )
 
 // Logf is the basic Tailscale logger type: a printf-like func.
@@ -28,13 +29,16 @@ import (
 // Logf functions must be safe for concurrent use.
 type Logf func(format string, args ...any)
 
+// LogfKey stores and loads [Logf] values within a [context.Context].
+var LogfKey = ctxkey.New("", Logf(log.Printf))
+
 // A Context is a context.Context that should contain a custom log function, obtainable from FromContext.
 // If no log function is present, FromContext will return log.Printf.
 // To construct a Context, use Add
+//
+// Deprecated: Do not use.
 type Context context.Context
 
-type logfKey struct{}
-
 // jenc is a json.Encode + bytes.Buffer pair wired up to be reused in a pool.
 type jenc struct {
 	buf bytes.Buffer
@@ -79,17 +83,17 @@ func (logf Logf) JSON(level int, recType string, v any) {
 }
 
 // FromContext extracts a log function from ctx.
+//
+// Deprecated: Use [LogfKey.Value] instead.
 func FromContext(ctx Context) Logf {
-	v := ctx.Value(logfKey{})
-	if v == nil {
-		return log.Printf
-	}
-	return v.(Logf)
+	return LogfKey.Value(ctx)
 }
 
 // Ctx constructs a Context from ctx with fn as its custom log function.
+//
+// Deprecated: Use [LogfKey.WithValue] instead.
 func Ctx(ctx context.Context, fn Logf) Context {
-	return context.WithValue(ctx, logfKey{}, fn)
+	return LogfKey.WithValue(ctx, fn)
 }
 
 // WithPrefix wraps f, prefixing each format with the provided prefix.

util/ctxkey/key.go

@@ -0,0 +1,140 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// ctxkey provides type-safe key-value pairs for use with [context.Context].
+//
+// Example usage:
+//
+//	// Create a context key.
+//	var TimeoutKey = ctxkey.New("mapreduce.Timeout", 5*time.Second)
+//
+//	// Store a context value.
+//	ctx = mapreduce.TimeoutKey.WithValue(ctx, 10*time.Second)
+//
+//	// Load a context value.
+//	timeout := mapreduce.TimeoutKey.Value(ctx)
+//	... // use timeout of type time.Duration
+//
+// This is inspired by https://go.dev/issue/49189.
+package ctxkey
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+)
+
+// TODO(https://go.dev/issue/60088): Use reflect.TypeFor instead.
+func reflectTypeFor[T any]() reflect.Type {
+	return reflect.TypeOf((*T)(nil)).Elem()
+}
+
+// Key is a generic key type associated with a specific value type.
+//
+// A zero Key is valid where the Value type itself is used as the context key.
+// This pattern should only be used with locally declared Go types,
+// otherwise different packages risk producing key conflicts.
+//
+// Example usage:
+//
+//	type peerInfo struct { ... }           // peerInfo is a locally declared type
+//	var peerInfoKey ctxkey.Key[peerInfo]
+//	ctx = peerInfoKey.WithValue(ctx, info) // store a context value
+//	info = peerInfoKey.Value(ctx)          // load a context value
+type Key[Value any] struct {
+	name   *stringer[string]
+	defVal *Value
+}
+
+// New constructs a new context key with an associated value type
+// where the default value for an unpopulated value is the provided value.
+//
+// The provided name is an arbitrary name only used for human debugging.
+// As a convention, it is recommended that the name be the dot-delimited
+// combination of the package name of the caller with the variable name.
+// If the name is not provided, then the name of the Value type is used.
+// Every key is unique, even if provided the same name.
+//
+// Example usage:
+//
+//	package mapreduce
+//	var NumWorkersKey = ctxkey.New("mapreduce.NumWorkers", runtime.NumCPU())
+func New[Value any](name string, defaultValue Value) Key[Value] {
+	// Allocate a new stringer to ensure that every invocation of New
+	// creates a universally unique context key even for the same name
+	// since newly allocated pointers are globally unique within a process.
+	key := Key[Value]{name: new(stringer[string])}
+	if name == "" {
+		name = reflectTypeFor[Value]().String()
+	}
+	key.name.v = name
+	if v := reflect.ValueOf(defaultValue); v.IsValid() && !v.IsZero() {
+		key.defVal = &defaultValue
+	}
+	return key
+}
+
+// contextKey returns the context key to use.
+func (key Key[Value]) contextKey() any {
+	if key.name == nil {
+		// Use the reflect.Type of the Value (implies key not created by New).
+		return reflectTypeFor[Value]()
+	} else {
+		// Use the name pointer directly (implies key created by New).
+		return key.name
+	}
+}
+
+// WithValue returns a copy of parent in which the value associated with key is val.
+//
+// It is a type-safe equivalent of [context.WithValue].
+func (key Key[Value]) WithValue(parent context.Context, val Value) context.Context {
+	return context.WithValue(parent, key.contextKey(), stringer[Value]{val})
+}
+
+// ValueOk returns the value in the context associated with this key
+// and also reports whether it was present.
+// If the value is not present, it returns the default value.
+func (key Key[Value]) ValueOk(ctx context.Context) (v Value, ok bool) {
+	vv, ok := ctx.Value(key.contextKey()).(stringer[Value])
+	if !ok && key.defVal != nil {
+		vv.v = *key.defVal
+	}
+	return vv.v, ok
+}
+
+// Value returns the value in the context associated with this key.
+// If the value is not present, it returns the default value.
+func (key Key[Value]) Value(ctx context.Context) (v Value) {
+	v, _ = key.ValueOk(ctx)
+	return v
+}
+
+// Has reports whether the context has a value for this key.
+func (key Key[Value]) Has(ctx context.Context) (ok bool) {
+	_, ok = key.ValueOk(ctx)
+	return ok
+}
+
+// String returns the name of the key.
+func (key Key[Value]) String() string {
+	if key.name == nil {
+		return reflectTypeFor[Value]().String()
+	}
+	return key.name.String()
+}
+
+// stringer implements [fmt.Stringer] on a generic T.
+//
+// This assists in debugging such that printing a context prints key and value.
+// Note that the [context] package lacks a dependency on [reflect],
+// so it cannot print arbitrary values. By implementing [fmt.Stringer],
+// we functionally teach a context how to print itself.
+//
+// Wrapping values within a struct has an added bonus that interface kinds
+// are properly handled. Without wrapping, we would be unable to distinguish
+// between a nil value that was explicitly set or not.
+// However, the presence of a stringer indicates an explicit nil value.
+type stringer[T any] struct{ v T }
+
+func (v stringer[T]) String() string { return fmt.Sprint(v.v) }

util/ctxkey/key_test.go

@@ -0,0 +1,104 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package ctxkey
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"regexp"
+	"testing"
+	"time"
+
+	qt "github.com/frankban/quicktest"
+)
+
+func TestKey(t *testing.T) {
+	c := qt.New(t)
+	ctx := context.Background()
+
+	// Test keys with the same name as being distinct.
+	k1 := New("same.Name", "")
+	c.Assert(k1.String(), qt.Equals, "same.Name")
+	k2 := New("same.Name", "")
+	c.Assert(k2.String(), qt.Equals, "same.Name")
+	c.Assert(k1 == k2, qt.Equals, false)
+	ctx = k1.WithValue(ctx, "hello")
+	c.Assert(k1.Has(ctx), qt.Equals, true)
+	c.Assert(k1.Value(ctx), qt.Equals, "hello")
+	c.Assert(k2.Has(ctx), qt.Equals, false)
+	c.Assert(k2.Value(ctx), qt.Equals, "")
+	ctx = k2.WithValue(ctx, "goodbye")
+	c.Assert(k1.Has(ctx), qt.Equals, true)
+	c.Assert(k1.Value(ctx), qt.Equals, "hello")
+	c.Assert(k2.Has(ctx), qt.Equals, true)
+	c.Assert(k2.Value(ctx), qt.Equals, "goodbye")
+
+	// Test default value.
+	k3 := New("mapreduce.Timeout", time.Hour)
+	c.Assert(k3.Has(ctx), qt.Equals, false)
+	c.Assert(k3.Value(ctx), qt.Equals, time.Hour)
+	ctx = k3.WithValue(ctx, time.Minute)
+	c.Assert(k3.Has(ctx), qt.Equals, true)
+	c.Assert(k3.Value(ctx), qt.Equals, time.Minute)
+
+	// Test incomparable value.
+	k4 := New("slice", []int(nil))
+	c.Assert(k4.Has(ctx), qt.Equals, false)
+	c.Assert(k4.Value(ctx), qt.DeepEquals, []int(nil))
+	ctx = k4.WithValue(ctx, []int{1, 2, 3})
+	c.Assert(k4.Has(ctx), qt.Equals, true)
+	c.Assert(k4.Value(ctx), qt.DeepEquals, []int{1, 2, 3})
+
+	// Accessors should be allocation free.
+	c.Assert(testing.AllocsPerRun(100, func() {
+		k1.Value(ctx)
+		k1.Has(ctx)
+		k1.ValueOk(ctx)
+	}), qt.Equals, 0.0)
+
+	// Test keys that are created without New.
+	var k5 Key[string]
+	c.Assert(k5.String(), qt.Equals, "string")
+	c.Assert(k1 == k5, qt.Equals, false) // should be different from key created by New
+	c.Assert(k5.Has(ctx), qt.Equals, false)
+	ctx = k5.WithValue(ctx, "fizz")
+	c.Assert(k5.Value(ctx), qt.Equals, "fizz")
+	var k6 Key[string]
+	c.Assert(k6.String(), qt.Equals, "string")
+	c.Assert(k5 == k6, qt.Equals, true)
+	c.Assert(k6.Has(ctx), qt.Equals, true)
+	ctx = k6.WithValue(ctx, "fizz")
+
+	// Test interface value types.
+	var k7 Key[any]
+	c.Assert(k7.Has(ctx), qt.Equals, false)
+	ctx = k7.WithValue(ctx, "whatever")
+	c.Assert(k7.Value(ctx), qt.DeepEquals, "whatever")
+	ctx = k7.WithValue(ctx, []int{1, 2, 3})
+	c.Assert(k7.Value(ctx), qt.DeepEquals, []int{1, 2, 3})
+	ctx = k7.WithValue(ctx, nil)
+	c.Assert(k7.Has(ctx), qt.Equals, true)
+	c.Assert(k7.Value(ctx), qt.DeepEquals, nil)
+	k8 := New[error]("error", io.EOF)
+	c.Assert(k8.Has(ctx), qt.Equals, false)
+	c.Assert(k8.Value(ctx), qt.Equals, io.EOF)
+	ctx = k8.WithValue(ctx, nil)
+	c.Assert(k8.Value(ctx), qt.Equals, nil)
+	c.Assert(k8.Has(ctx), qt.Equals, true)
+	err := fmt.Errorf("read error: %w", io.ErrUnexpectedEOF)
+	ctx = k8.WithValue(ctx, err)
+	c.Assert(k8.Value(ctx), qt.Equals, err)
+	c.Assert(k8.Has(ctx), qt.Equals, true)
+}
+
+func TestStringer(t *testing.T) {
+	t.SkipNow() // TODO(https://go.dev/cl/555697): Enable this after fix is merged upstream.
+	c := qt.New(t)
+	ctx := context.Background()
+	c.Assert(fmt.Sprint(New("foo.Bar", "").WithValue(ctx, "baz")), qt.Matches, regexp.MustCompile("foo.Bar.*baz"))
+	c.Assert(fmt.Sprint(New("", []int{}).WithValue(ctx, []int{1, 2, 3})), qt.Matches, regexp.MustCompile(fmt.Sprintf("%[1]T.*%[1]v", []int{1, 2, 3})))
+	c.Assert(fmt.Sprint(New("", 0).WithValue(ctx, 5)), qt.Matches, regexp.MustCompile("int.*5"))
+	c.Assert(fmt.Sprint(Key[time.Duration]{}.WithValue(ctx, time.Hour)), qt.Matches, regexp.MustCompile(fmt.Sprintf("%[1]T.*%[1]v", time.Hour)))
+}

util/execqueue/execqueue.go

@@ -0,0 +1,104 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package execqueue implements an ordered asynchronous queue for executing functions.
+package execqueue
+
+import (
+	"context"
+	"errors"
+	"sync"
+)
+
+type ExecQueue struct {
+	mu         sync.Mutex
+	closed     bool
+	inFlight   bool          // whether a goroutine is running q.run
+	doneWaiter chan struct{} // non-nil if waiter is waiting, then closed
+	queue      []func()
+}
+
+func (q *ExecQueue) Add(f func()) {
+	q.mu.Lock()
+	defer q.mu.Unlock()
+	if q.closed {
+		return
+	}
+	if q.inFlight {
+		q.queue = append(q.queue, f)
+	} else {
+		q.inFlight = true
+		go q.run(f)
+	}
+}
+
+// RunSync waits for the queue to be drained and then synchronously runs f.
+// It returns an error if the queue is closed before f is run or ctx expires.
+func (q *ExecQueue) RunSync(ctx context.Context, f func()) error {
+	for {
+		if err := q.Wait(ctx); err != nil {
+			return err
+		}
+		q.mu.Lock()
+		if q.inFlight {
+			q.mu.Unlock()
+			continue
+		}
+		defer q.mu.Unlock()
+		if q.closed {
+			return errors.New("closed")
+		}
+		f()
+		return nil
+	}
+}
+
+func (q *ExecQueue) run(f func()) {
+	f()
+
+	q.mu.Lock()
+	for len(q.queue) > 0 && !q.closed {
+		f := q.queue[0]
+		q.queue[0] = nil
+		q.queue = q.queue[1:]
+		q.mu.Unlock()
+		f()
+		q.mu.Lock()
+	}
+	q.inFlight = false
+	q.queue = nil
+	if q.doneWaiter != nil {
+		close(q.doneWaiter)
+		q.doneWaiter = nil
+	}
+	q.mu.Unlock()
+}
+
+// Shutdown asynchronously signals the queue to stop.
+func (q *ExecQueue) Shutdown() {
+	q.mu.Lock()
+	defer q.mu.Unlock()
+	q.closed = true
+}
+
+// Wait waits for the queue to be empty.
+func (q *ExecQueue) Wait(ctx context.Context) error {
+	q.mu.Lock()
+	waitCh := q.doneWaiter
+	if q.inFlight && waitCh == nil {
+		waitCh = make(chan struct{})
+		q.doneWaiter = waitCh
+	}
+	q.mu.Unlock()
+
+	if waitCh == nil {
+		return nil
+	}
+
+	select {
+	case <-waitCh:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}

util/execqueue/execqueue_test.go

@@ -0,0 +1,22 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package execqueue
+
+import (
+	"context"
+	"sync/atomic"
+	"testing"
+)
+
+func TestExecQueue(t *testing.T) {
+	ctx := context.Background()
+	var n atomic.Int32
+	q := &ExecQueue{}
+	defer q.Shutdown()
+	q.Add(func() { n.Add(1) })
+	q.Wait(ctx)
+	if got := n.Load(); got != 1 {
+		t.Errorf("n=%d; want 1", got)
+	}
+}

version/mkversion/mkversion.go

@@ -199,6 +199,13 @@ func tailscaleModuleRef(modBs []byte) (string, error) {
 }
 
 func mkOutput(v verInfo) (VersionInfo, error) {
+	if override := os.Getenv("TS_VERSION_OVERRIDE"); override != "" {
+		var err error
+		v.major, v.minor, v.patch, err = parseVersion(override)
+		if err != nil {
+			return VersionInfo{}, fmt.Errorf("failed to parse TS_VERSION_OVERRIDE: %w", err)
+		}
+	}
 	var changeSuffix string
 	if v.minor%2 == 1 {
 		// Odd minor numbers are unstable builds.

wgengine/router/router_windows.go

@@ -12,6 +12,7 @@ import (
 	"net/netip"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"slices"
 	"strings"
 	"sync"
@@ -155,6 +156,13 @@ type firewallTweaker struct {
 	// stop makes fwProc exit when closed.
 	fwProcWriter  io.WriteCloser
 	fwProcEncoder *json.Encoder
+
+	// The path to the 'netsh.exe' binary, populated during the first call
+	// to runFirewall.
+	//
+	// not protected by mu; netshPath is only mutated inside netshPathOnce
+	netshPathOnce sync.Once
+	netshPath     string
 }
 
 func (ft *firewallTweaker) clear() { ft.set(nil, nil, nil) }
@@ -185,10 +193,43 @@ func (ft *firewallTweaker) set(cidrs []string, routes, localRoutes []netip.Prefi
 	go ft.doAsyncSet()
 }
 
+// getNetshPath returns the path that should be used to execute netsh.
+//
+// We've seen a report from a customer that we're triggering the "cannot run
+// executable found relative to current directory" protection that was added to
+// prevent running possibly attacker-controlled binaries. To mitigate this,
+// first try looking up the path to netsh.exe in the System32 directory
+// explicitly, and then fall back to the prior behaviour of passing "netsh" to
+// os/exec.Command.
+func (ft *firewallTweaker) getNetshPath() string {
+	ft.netshPathOnce.Do(func() {
+		// The default value is the old approach: just run "netsh" and
+		// let os/exec resolve that into a full path.
+		ft.netshPath = "netsh"
+
+		path, err := windows.KnownFolderPath(windows.FOLDERID_System, 0)
+		if err != nil {
+			ft.logf("getNetshPath: error getting FOLDERID_System: %v", err)
+			return
+		}
+
+		expath := filepath.Join(path, "netsh.exe")
+		if _, err := os.Stat(expath); err == nil {
+			ft.netshPath = expath
+			return
+		} else if !os.IsNotExist(err) {
+			ft.logf("getNetshPath: error checking for existence of %q: %v", expath, err)
+		}
+
+		// Keep default
+	})
+	return ft.netshPath
+}
+
 func (ft *firewallTweaker) runFirewall(args ...string) (time.Duration, error) {
 	t0 := time.Now()
 	args = append([]string{"advfirewall", "firewall"}, args...)
-	cmd := exec.Command("netsh", args...)
+	cmd := exec.Command(ft.getNetshPath(), args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	b, err := cmd.CombinedOutput()
 	if err != nil {

wgengine/router/router_windows_test.go

@@ -0,0 +1,19 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package router
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestGetNetshPath(t *testing.T) {
+	ft := &firewallTweaker{
+		logf: t.Logf,
+	}
+	path := ft.getNetshPath()
+	if !filepath.IsAbs(path) {
+		t.Errorf("expected absolute path for netsh.exe: %q", path)
+	}
+}