Update dependencies

vendor/tailscale.com/net/netmon/interfaces_android.go

@@ -5,7 +5,6 @@ package netmon
 
 import (
 	"bytes"
-	"errors"
 	"log"
 	"net/netip"
 	"os/exec"
@@ -15,7 +14,7 @@ import (
 	"golang.org/x/sys/unix"
 	"tailscale.com/net/netaddr"
 	"tailscale.com/syncs"
-	"tailscale.com/util/lineread"
+	"tailscale.com/util/lineiter"
 )
 
 var (
@@ -34,11 +33,6 @@ func init() {
 
 var procNetRouteErr atomic.Bool
 
-// errStopReading is a sentinel error value used internally by
-// lineread.File callers to stop reading. It doesn't escape to
-// callers/users.
-var errStopReading = errors.New("stop reading")
-
 /*
 Parse 10.0.0.1 out of:
 
@@ -54,44 +48,42 @@ func likelyHomeRouterIPAndroid() (ret netip.Addr, myIP netip.Addr, ok bool) {
 	}
 	lineNum := 0
 	var f []mem.RO
-	err := lineread.File(procNetRoutePath, func(line []byte) error {
+	for lr := range lineiter.File(procNetRoutePath) {
+		line, err := lr.Value()
+		if err != nil {
+			procNetRouteErr.Store(true)
+			return likelyHomeRouterIP()
+		}
+
 		lineNum++
 		if lineNum == 1 {
 			// Skip header line.
-			return nil
+			continue
 		}
 		if lineNum > maxProcNetRouteRead {
-			return errStopReading
+			break
 		}
 		f = mem.AppendFields(f[:0], mem.B(line))
 		if len(f) < 4 {
-			return nil
+			continue
 		}
 		gwHex, flagsHex := f[2], f[3]
 		flags, err := mem.ParseUint(flagsHex, 16, 16)
 		if err != nil {
-			return nil // ignore error, skip line and keep going
+			continue // ignore error, skip line and keep going
 		}
 		if flags&(unix.RTF_UP|unix.RTF_GATEWAY) != unix.RTF_UP|unix.RTF_GATEWAY {
-			return nil
+			continue
 		}
 		ipu32, err := mem.ParseUint(gwHex, 16, 32)
 		if err != nil {
-			return nil // ignore error, skip line and keep going
+			continue // ignore error, skip line and keep going
 		}
 		ip := netaddr.IPv4(byte(ipu32), byte(ipu32>>8), byte(ipu32>>16), byte(ipu32>>24))
 		if ip.IsPrivate() {
 			ret = ip
-			return errStopReading
+			break
 		}
-		return nil
-	})
-	if errors.Is(err, errStopReading) {
-		err = nil
-	}
-	if err != nil {
-		procNetRouteErr.Store(true)
-		return likelyHomeRouterIP()
 	}
 	if ret.IsValid() {
 		// Try to get the local IP of the interface associated with
@@ -144,23 +136,26 @@ func likelyHomeRouterIPHelper() (ret netip.Addr, _ netip.Addr, ok bool) {
 		return
 	}
 	// Search for line like "default via 10.0.2.2 dev radio0 table 1016 proto static mtu 1500 "
-	lineread.Reader(out, func(line []byte) error {
+	for lr := range lineiter.Reader(out) {
+		line, err := lr.Value()
+		if err != nil {
+			break
+		}
 		const pfx = "default via "
 		if !mem.HasPrefix(mem.B(line), mem.S(pfx)) {
-			return nil
+			continue
 		}
 		line = line[len(pfx):]
 		sp := bytes.IndexByte(line, ' ')
 		if sp == -1 {
-			return nil
+			continue
 		}
 		ipb := line[:sp]
 		if ip, err := netip.ParseAddr(string(ipb)); err == nil && ip.Is4() {
 			ret = ip
 			log.Printf("interfaces: found Android default route %v", ip)
 		}
-		return nil
-	})
+	}
 	cmd.Process.Kill()
 	cmd.Wait()
 	return ret, netip.Addr{}, ret.IsValid()

vendor/tailscale.com/net/netmon/interfaces_linux.go

@@ -23,7 +23,7 @@ import (
 	"go4.org/mem"
 	"golang.org/x/sys/unix"
 	"tailscale.com/net/netaddr"
-	"tailscale.com/util/lineread"
+	"tailscale.com/util/lineiter"
 )
 
 func init() {
@@ -32,11 +32,6 @@ func init() {
 
 var procNetRouteErr atomic.Bool
 
-// errStopReading is a sentinel error value used internally by
-// lineread.File callers to stop reading. It doesn't escape to
-// callers/users.
-var errStopReading = errors.New("stop reading")
-
 /*
 Parse 10.0.0.1 out of:
 
@@ -52,44 +47,42 @@ func likelyHomeRouterIPLinux() (ret netip.Addr, myIP netip.Addr, ok bool) {
 	}
 	lineNum := 0
 	var f []mem.RO
-	err := lineread.File(procNetRoutePath, func(line []byte) error {
+	for lr := range lineiter.File(procNetRoutePath) {
+		line, err := lr.Value()
+		if err != nil {
+			procNetRouteErr.Store(true)
+			log.Printf("interfaces: failed to read /proc/net/route: %v", err)
+			return ret, myIP, false
+		}
 		lineNum++
 		if lineNum == 1 {
 			// Skip header line.
-			return nil
+			continue
 		}
 		if lineNum > maxProcNetRouteRead {
-			return errStopReading
+			break
 		}
 		f = mem.AppendFields(f[:0], mem.B(line))
 		if len(f) < 4 {
-			return nil
+			continue
 		}
 		gwHex, flagsHex := f[2], f[3]
 		flags, err := mem.ParseUint(flagsHex, 16, 16)
 		if err != nil {
-			return nil // ignore error, skip line and keep going
+			continue // ignore error, skip line and keep going
 		}
 		if flags&(unix.RTF_UP|unix.RTF_GATEWAY) != unix.RTF_UP|unix.RTF_GATEWAY {
-			return nil
+			continue
 		}
 		ipu32, err := mem.ParseUint(gwHex, 16, 32)
 		if err != nil {
-			return nil // ignore error, skip line and keep going
+			continue // ignore error, skip line and keep going
 		}
 		ip := netaddr.IPv4(byte(ipu32), byte(ipu32>>8), byte(ipu32>>16), byte(ipu32>>24))
 		if ip.IsPrivate() {
 			ret = ip
-			return errStopReading
+			break
 		}
-		return nil
-	})
-	if errors.Is(err, errStopReading) {
-		err = nil
-	}
-	if err != nil {
-		procNetRouteErr.Store(true)
-		log.Printf("interfaces: failed to read /proc/net/route: %v", err)
 	}
 	if ret.IsValid() {
 		// Try to get the local IP of the interface associated with

vendor/tailscale.com/net/netmon/loghelper.go

@@ -0,0 +1,42 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package netmon
+
+import (
+	"sync"
+
+	"tailscale.com/types/logger"
+)
+
+// LinkChangeLogLimiter returns a new [logger.Logf] that logs each unique
+// format string to the underlying logger only once per major LinkChange event.
+//
+// The returned function should be called when the logger is no longer needed,
+// to release resources from the Monitor.
+func LinkChangeLogLimiter(logf logger.Logf, nm *Monitor) (_ logger.Logf, unregister func()) {
+	var formatSeen sync.Map // map[string]bool
+	unregister = nm.RegisterChangeCallback(func(cd *ChangeDelta) {
+		// If we're in a major change or a time jump, clear the seen map.
+		if cd.Major || cd.TimeJumped {
+			formatSeen.Clear()
+		}
+	})
+
+	return func(format string, args ...any) {
+		// We only store 'true' in the map, so if it's present then it
+		// means we've already logged this format string.
+		_, loaded := formatSeen.LoadOrStore(format, true)
+		if loaded {
+			// TODO(andrew-d): we may still want to log this
+			// message every N minutes (1x/hour?) even if it's been
+			// seen, so that debugging doesn't require searching
+			// back in the logs for an unbounded amount of time.
+			//
+			// See: https://github.com/tailscale/tailscale/issues/13145
+			return
+		}
+
+		logf(format, args...)
+	}, unregister
+}

vendor/tailscale.com/net/netmon/netmon.go

@@ -161,7 +161,7 @@ func (m *Monitor) InterfaceState() *State {
 }
 
 func (m *Monitor) interfaceStateUncached() (*State, error) {
-	return GetState()
+	return getState(m.tsIfName)
 }
 
 // SetTailscaleInterfaceName sets the name of the Tailscale interface. For

vendor/tailscale.com/net/netmon/netmon_darwin.go

@@ -56,7 +56,19 @@ func (m *darwinRouteMon) Receive() (message, error) {
 		if err != nil {
 			return nil, err
 		}
-		msgs, err := route.ParseRIB(route.RIBTypeRoute, m.buf[:n])
+		msgs, err := func() (msgs []route.Message, err error) {
+			defer func() {
+				// #14201: permanent panic protection, as we have been burned by
+				// ParseRIB panics too many times.
+				msg := recover()
+				if msg != nil {
+					msgs = nil
+					m.logf("[unexpected] netmon: panic in route.ParseRIB from % 02x", m.buf[:n])
+					err = fmt.Errorf("panic in route.ParseRIB: %s", msg)
+				}
+			}()
+			return route.ParseRIB(route.RIBTypeRoute, m.buf[:n])
+		}()
 		if err != nil {
 			if debugRouteMessages {
 				m.logf("read %d bytes (% 02x), failed to parse RIB: %v", n, m.buf[:n], err)

vendor/tailscale.com/net/netmon/state.go

@@ -19,8 +19,14 @@ import (
 	"tailscale.com/net/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/util/mak"
 )
 
+// forceAllIPv6Endpoints is a debug knob that when set forces the client to
+// report all IPv6 endpoints rather than trim endpoints that are siblings on the
+// same interface and subnet.
+var forceAllIPv6Endpoints = envknob.RegisterBool("TS_DEBUG_FORCE_ALL_IPV6_ENDPOINTS")
+
 // LoginEndpointForProxyDetermination is the URL used for testing
 // which HTTP proxy the system should use.
 var LoginEndpointForProxyDetermination = "https://controlplane.tailscale.com/"
@@ -65,6 +71,7 @@ func LocalAddresses() (regular, loopback []netip.Addr, err error) {
 		if err != nil {
 			return nil, nil, err
 		}
+		var subnets map[netip.Addr]int
 		for _, a := range addrs {
 			switch v := a.(type) {
 			case *net.IPNet:
@@ -102,7 +109,15 @@ func LocalAddresses() (regular, loopback []netip.Addr, err error) {
 					if ip.Is4() {
 						regular4 = append(regular4, ip)
 					} else {
-						regular6 = append(regular6, ip)
+						curMask, _ := netip.AddrFromSlice(v.IP.Mask(v.Mask))
+						// Limit the number of addresses reported per subnet for
+						// IPv6, as we have seen some nodes with extremely large
+						// numbers of assigned addresses being carved out of
+						// same-subnet allocations.
+						if forceAllIPv6Endpoints() || subnets[curMask] < 2 {
+							regular6 = append(regular6, ip)
+						}
+						mak.Set(&subnets, curMask, subnets[curMask]+1)
 					}
 				}
 			}
@@ -446,21 +461,22 @@ func isTailscaleInterface(name string, ips []netip.Prefix) bool {
 // getPAC, if non-nil, returns the current PAC file URL.
 var getPAC func() string
 
-// GetState returns the state of all the current machine's network interfaces.
+// getState returns the state of all the current machine's network interfaces.
 //
 // It does not set the returned State.IsExpensive. The caller can populate that.
 //
-// Deprecated: use netmon.Monitor.InterfaceState instead.
-func GetState() (*State, error) {
+// optTSInterfaceName is the name of the Tailscale interface, if known.
+func getState(optTSInterfaceName string) (*State, error) {
 	s := &State{
 		InterfaceIPs: make(map[string][]netip.Prefix),
 		Interface:    make(map[string]Interface),
 	}
 	if err := ForeachInterface(func(ni Interface, pfxs []netip.Prefix) {
+		isTSInterfaceName := optTSInterfaceName != "" && ni.Name == optTSInterfaceName
 		ifUp := ni.IsUp()
 		s.Interface[ni.Name] = ni
 		s.InterfaceIPs[ni.Name] = append(s.InterfaceIPs[ni.Name], pfxs...)
-		if !ifUp || isTailscaleInterface(ni.Name, pfxs) {
+		if !ifUp || isTSInterfaceName || isTailscaleInterface(ni.Name, pfxs) {
 			return
 		}
 		for _, pfx := range pfxs {
@@ -740,11 +756,12 @@ func DefaultRoute() (DefaultRouteDetails, error) {
 
 // HasCGNATInterface reports whether there are any non-Tailscale interfaces that
 // use a CGNAT IP range.
-func HasCGNATInterface() (bool, error) {
+func (m *Monitor) HasCGNATInterface() (bool, error) {
 	hasCGNATInterface := false
 	cgnatRange := tsaddr.CGNATRange()
 	err := ForeachInterface(func(i Interface, pfxs []netip.Prefix) {
-		if hasCGNATInterface || !i.IsUp() || isTailscaleInterface(i.Name, pfxs) {
+		isTSInterfaceName := m.tsIfName != "" && i.Name == m.tsIfName
+		if hasCGNATInterface || !i.IsUp() || isTSInterfaceName || isTailscaleInterface(i.Name, pfxs) {
 			return
 		}
 		for _, pfx := range pfxs {