Update dependencies

vendor/tailscale.com/wgengine/wgcfg/config.go

@@ -0,0 +1,61 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package wgcfg has types and a parser for representing WireGuard config.
+package wgcfg
+
+import (
+	"net/netip"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logid"
+)
+
+//go:generate go run tailscale.com/cmd/cloner -type=Config,Peer
+
+// Config is a WireGuard configuration.
+// It only supports the set of things Tailscale uses.
+type Config struct {
+	Name       string
+	NodeID     tailcfg.StableNodeID
+	PrivateKey key.NodePrivate
+	Addresses  []netip.Prefix
+	MTU        uint16
+	DNS        []netip.Addr
+	Peers      []Peer
+
+	// NetworkLogging enables network logging.
+	// It is disabled if either ID is the zero value.
+	// LogExitFlowEnabled indicates whether or not exit flows should be logged.
+	NetworkLogging struct {
+		NodeID             logid.PrivateID
+		DomainID           logid.PrivateID
+		LogExitFlowEnabled bool
+	}
+}
+
+type Peer struct {
+	PublicKey           key.NodePublic
+	DiscoKey            key.DiscoPublic // present only so we can handle restarts within wgengine, not passed to WireGuard
+	AllowedIPs          []netip.Prefix
+	V4MasqAddr          *netip.Addr // if non-nil, masquerade IPv4 traffic to this peer using this address
+	V6MasqAddr          *netip.Addr // if non-nil, masquerade IPv6 traffic to this peer using this address
+	IsJailed            bool        // if true, this peer is jailed and cannot initiate connections
+	PersistentKeepalive uint16      // in seconds between keep-alives; 0 to disable
+	// wireguard-go's endpoint for this peer. It should always equal Peer.PublicKey.
+	// We represent it explicitly so that we can detect if they diverge and recover.
+	// There is no need to set WGEndpoint explicitly when constructing a Peer by hand.
+	// It is only populated when reading Peers from wireguard-go.
+	WGEndpoint key.NodePublic
+}
+
+// PeerWithKey returns the Peer with key k and reports whether it was found.
+func (config Config) PeerWithKey(k key.NodePublic) (Peer, bool) {
+	for _, p := range config.Peers {
+		if p.PublicKey == k {
+			return p, true
+		}
+	}
+	return Peer{}, false
+}

vendor/tailscale.com/wgengine/wgcfg/device.go

@@ -0,0 +1,68 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package wgcfg
+
+import (
+	"io"
+	"sort"
+
+	"github.com/tailscale/wireguard-go/conn"
+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/multierr"
+)
+
+// NewDevice returns a wireguard-go Device configured for Tailscale use.
+func NewDevice(tunDev tun.Device, bind conn.Bind, logger *device.Logger) *device.Device {
+	ret := device.NewDevice(tunDev, bind, logger)
+	ret.DisableSomeRoamingForBrokenMobileSemantics()
+	return ret
+}
+
+func DeviceConfig(d *device.Device) (*Config, error) {
+	r, w := io.Pipe()
+	errc := make(chan error, 1)
+	go func() {
+		errc <- d.IpcGetOperation(w)
+		w.Close()
+	}()
+	cfg, fromErr := FromUAPI(r)
+	r.Close()
+	getErr := <-errc
+	err := multierr.New(getErr, fromErr)
+	if err != nil {
+		return nil, err
+	}
+	sort.Slice(cfg.Peers, func(i, j int) bool {
+		return cfg.Peers[i].PublicKey.Less(cfg.Peers[j].PublicKey)
+	})
+	return cfg, nil
+}
+
+// ReconfigDevice replaces the existing device configuration with cfg.
+func ReconfigDevice(d *device.Device, cfg *Config, logf logger.Logf) (err error) {
+	defer func() {
+		if err != nil {
+			logf("wgcfg.Reconfig failed: %v", err)
+		}
+	}()
+
+	prev, err := DeviceConfig(d)
+	if err != nil {
+		return err
+	}
+
+	r, w := io.Pipe()
+	errc := make(chan error, 1)
+	go func() {
+		errc <- d.IpcSetOperation(r)
+		r.Close()
+	}()
+
+	toErr := cfg.ToUAPI(logf, w, prev)
+	w.Close()
+	setErr := <-errc
+	return multierr.New(setErr, toErr)
+}

vendor/tailscale.com/wgengine/wgcfg/nmcfg/nmcfg.go

@@ -0,0 +1,150 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package nmcfg converts a controlclient.NetMap into a wgcfg config.
+package nmcfg
+
+import (
+	"bytes"
+	"fmt"
+	"net/netip"
+	"strings"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/logger"
+	"tailscale.com/types/logid"
+	"tailscale.com/types/netmap"
+	"tailscale.com/wgengine/wgcfg"
+)
+
+func nodeDebugName(n tailcfg.NodeView) string {
+	name := n.Name()
+	if name == "" {
+		name = n.Hostinfo().Hostname()
+	}
+	if i := strings.Index(name, "."); i != -1 {
+		name = name[:i]
+	}
+	if name == "" && n.Addresses().Len() != 0 {
+		return n.Addresses().At(0).String()
+	}
+	return name
+}
+
+// cidrIsSubnet reports whether cidr is a non-default-route subnet
+// exported by node that is not one of its own self addresses.
+func cidrIsSubnet(node tailcfg.NodeView, cidr netip.Prefix) bool {
+	if cidr.Bits() == 0 {
+		return false
+	}
+	if !cidr.IsSingleIP() {
+		return true
+	}
+	for i := range node.Addresses().Len() {
+		selfCIDR := node.Addresses().At(i)
+		if cidr == selfCIDR {
+			return false
+		}
+	}
+	return true
+}
+
+// WGCfg returns the NetworkMaps's WireGuard configuration.
+func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
+	cfg := &wgcfg.Config{
+		Name:       "tailscale",
+		PrivateKey: nm.PrivateKey,
+		Addresses:  nm.GetAddresses().AsSlice(),
+		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
+	}
+
+	// Setup log IDs for data plane audit logging.
+	if nm.SelfNode.Valid() {
+		cfg.NodeID = nm.SelfNode.StableID()
+		canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
+		logExitFlowEnabled := nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)
+		if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" {
+			nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID())
+			if errNode != nil {
+				logf("[v1] wgcfg: unable to parse node audit log ID: %v", errNode)
+			}
+			domainID, errDomain := logid.ParsePrivateID(nm.DomainAuditLogID)
+			if errDomain != nil {
+				logf("[v1] wgcfg: unable to parse domain audit log ID: %v", errDomain)
+			}
+			if errNode == nil && errDomain == nil {
+				cfg.NetworkLogging.NodeID = nodeID
+				cfg.NetworkLogging.DomainID = domainID
+				cfg.NetworkLogging.LogExitFlowEnabled = logExitFlowEnabled
+			}
+		}
+	}
+
+	// Logging buffers
+	skippedUnselected := new(bytes.Buffer)
+	skippedIPs := new(bytes.Buffer)
+	skippedSubnets := new(bytes.Buffer)
+
+	for _, peer := range nm.Peers {
+		if peer.DiscoKey().IsZero() && peer.DERP() == "" && !peer.IsWireGuardOnly() {
+			// Peer predates both DERP and active discovery, we cannot
+			// communicate with it.
+			logf("[v1] wgcfg: skipped peer %s, doesn't offer DERP or disco", peer.Key().ShortString())
+			continue
+		}
+		// Skip expired peers; we'll end up failing to connect to them
+		// anyway, since control intentionally breaks node keys for
+		// expired peers so that we can't discover endpoints via DERP.
+		if peer.Expired() {
+			logf("[v1] wgcfg: skipped expired peer %s", peer.Key().ShortString())
+			continue
+		}
+
+		cfg.Peers = append(cfg.Peers, wgcfg.Peer{
+			PublicKey: peer.Key(),
+			DiscoKey:  peer.DiscoKey(),
+		})
+		cpeer := &cfg.Peers[len(cfg.Peers)-1]
+
+		didExitNodeWarn := false
+		cpeer.V4MasqAddr = peer.SelfNodeV4MasqAddrForThisPeer()
+		cpeer.V6MasqAddr = peer.SelfNodeV6MasqAddrForThisPeer()
+		cpeer.IsJailed = peer.IsJailed()
+		for i := range peer.AllowedIPs().Len() {
+			allowedIP := peer.AllowedIPs().At(i)
+			if allowedIP.Bits() == 0 && peer.StableID() != exitNode {
+				if didExitNodeWarn {
+					// Don't log about both the IPv4 /0 and IPv6 /0.
+					continue
+				}
+				didExitNodeWarn = true
+				if skippedUnselected.Len() > 0 {
+					skippedUnselected.WriteString(", ")
+				}
+				fmt.Fprintf(skippedUnselected, "%q (%v)", nodeDebugName(peer), peer.Key().ShortString())
+				continue
+			} else if cidrIsSubnet(peer, allowedIP) {
+				if (flags & netmap.AllowSubnetRoutes) == 0 {
+					if skippedSubnets.Len() > 0 {
+						skippedSubnets.WriteString(", ")
+					}
+					fmt.Fprintf(skippedSubnets, "%v from %q (%v)", allowedIP, nodeDebugName(peer), peer.Key().ShortString())
+					continue
+				}
+			}
+			cpeer.AllowedIPs = append(cpeer.AllowedIPs, allowedIP)
+		}
+	}
+
+	if skippedUnselected.Len() > 0 {
+		logf("[v1] wgcfg: skipped unselected default routes from: %s", skippedUnselected.Bytes())
+	}
+	if skippedIPs.Len() > 0 {
+		logf("[v1] wgcfg: skipped node IPs: %s", skippedIPs)
+	}
+	if skippedSubnets.Len() > 0 {
+		logf("[v1] wgcfg: did not accept subnet routes: %s", skippedSubnets)
+	}
+
+	return cfg, nil
+}

vendor/tailscale.com/wgengine/wgcfg/parser.go

@@ -0,0 +1,186 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package wgcfg
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"net"
+	"net/netip"
+	"strconv"
+	"strings"
+
+	"go4.org/mem"
+	"tailscale.com/types/key"
+)
+
+type ParseError struct {
+	why      string
+	offender string
+}
+
+func (e *ParseError) Error() string {
+	return fmt.Sprintf("%s: %q", e.why, e.offender)
+}
+
+func parseEndpoint(s string) (host string, port uint16, err error) {
+	i := strings.LastIndexByte(s, ':')
+	if i < 0 {
+		return "", 0, &ParseError{"Missing port from endpoint", s}
+	}
+	host, portStr := s[:i], s[i+1:]
+	if len(host) < 1 {
+		return "", 0, &ParseError{"Invalid endpoint host", host}
+	}
+	uport, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return "", 0, err
+	}
+	hostColon := strings.IndexByte(host, ':')
+	if host[0] == '[' || host[len(host)-1] == ']' || hostColon > 0 {
+		err := &ParseError{"Brackets must contain an IPv6 address", host}
+		if len(host) > 3 && host[0] == '[' && host[len(host)-1] == ']' && hostColon > 0 {
+			maybeV6 := net.ParseIP(host[1 : len(host)-1])
+			if maybeV6 == nil || len(maybeV6) != net.IPv6len {
+				return "", 0, err
+			}
+		} else {
+			return "", 0, err
+		}
+		host = host[1 : len(host)-1]
+	}
+	return host, uint16(uport), nil
+}
+
+// memROCut separates a mem.RO at the separator if it exists, otherwise
+// it returns two empty ROs and reports that it was not found.
+func memROCut(s mem.RO, sep byte) (before, after mem.RO, found bool) {
+	if i := mem.IndexByte(s, sep); i >= 0 {
+		return s.SliceTo(i), s.SliceFrom(i + 1), true
+	}
+	found = false
+	return
+}
+
+// FromUAPI generates a Config from r.
+// r should be generated by calling device.IpcGetOperation;
+// it is not compatible with other uapi streams.
+func FromUAPI(r io.Reader) (*Config, error) {
+	cfg := new(Config)
+	var peer *Peer // current peer being operated on
+	deviceConfig := true
+
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := mem.B(scanner.Bytes())
+		if line.Len() == 0 {
+			continue
+		}
+		key, value, ok := memROCut(line, '=')
+		if !ok {
+			return nil, fmt.Errorf("failed to cut line %q on =", line.StringCopy())
+		}
+		valueBytes := scanner.Bytes()[key.Len()+1:]
+
+		if key.EqualString("public_key") {
+			if deviceConfig {
+				deviceConfig = false
+			}
+			// Load/create the peer we are now configuring.
+			var err error
+			peer, err = cfg.handlePublicKeyLine(valueBytes)
+			if err != nil {
+				return nil, err
+			}
+			continue
+		}
+
+		var err error
+		if deviceConfig {
+			err = cfg.handleDeviceLine(key, value, valueBytes)
+		} else {
+			err = cfg.handlePeerLine(peer, key, value, valueBytes)
+		}
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	return cfg, nil
+}
+
+func (cfg *Config) handleDeviceLine(k, value mem.RO, valueBytes []byte) error {
+	switch {
+	case k.EqualString("private_key"):
+		// wireguard-go guarantees not to send zero value; private keys are already clamped.
+		var err error
+		cfg.PrivateKey, err = key.ParseNodePrivateUntyped(value)
+		if err != nil {
+			return err
+		}
+	case k.EqualString("listen_port") || k.EqualString("fwmark"):
+	// ignore
+	default:
+		return fmt.Errorf("unexpected IpcGetOperation key: %q", k.StringCopy())
+	}
+	return nil
+}
+
+func (cfg *Config) handlePublicKeyLine(valueBytes []byte) (*Peer, error) {
+	p := Peer{}
+	var err error
+	p.PublicKey, err = key.ParseNodePublicUntyped(mem.B(valueBytes))
+	if err != nil {
+		return nil, err
+	}
+	cfg.Peers = append(cfg.Peers, p)
+	return &cfg.Peers[len(cfg.Peers)-1], nil
+}
+
+func (cfg *Config) handlePeerLine(peer *Peer, k, value mem.RO, valueBytes []byte) error {
+	switch {
+	case k.EqualString("endpoint"):
+		nk, err := key.ParseNodePublicUntyped(value)
+		if err != nil {
+			return fmt.Errorf("invalid endpoint %q for peer %q, expected a hex public key", value.StringCopy(), peer.PublicKey.ShortString())
+		}
+		// nk ought to equal peer.PublicKey.
+		// Under some rare circumstances, it might not. See corp issue #3016.
+		// Even if that happens, don't stop early, so that we can recover from it.
+		// Instead, note the value of nk so we can fix as needed.
+		peer.WGEndpoint = nk
+	case k.EqualString("persistent_keepalive_interval"):
+		n, err := mem.ParseUint(value, 10, 16)
+		if err != nil {
+			return err
+		}
+		peer.PersistentKeepalive = uint16(n)
+	case k.EqualString("allowed_ip"):
+		ipp := netip.Prefix{}
+		err := ipp.UnmarshalText(valueBytes)
+		if err != nil {
+			return err
+		}
+		peer.AllowedIPs = append(peer.AllowedIPs, ipp)
+	case k.EqualString("protocol_version"):
+		if !value.EqualString("1") {
+			return fmt.Errorf("invalid protocol version: %q", value.StringCopy())
+		}
+	case k.EqualString("replace_allowed_ips") ||
+		k.EqualString("preshared_key") ||
+		k.EqualString("last_handshake_time_sec") ||
+		k.EqualString("last_handshake_time_nsec") ||
+		k.EqualString("tx_bytes") ||
+		k.EqualString("rx_bytes"):
+	// ignore
+	default:
+		return fmt.Errorf("unexpected IpcGetOperation key: %q", k.StringCopy())
+	}
+	return nil
+}

vendor/tailscale.com/wgengine/wgcfg/wgcfg_clone.go

@@ -0,0 +1,80 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+
+package wgcfg
+
+import (
+	"net/netip"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logid"
+	"tailscale.com/types/ptr"
+)
+
+// Clone makes a deep copy of Config.
+// The result aliases no memory with the original.
+func (src *Config) Clone() *Config {
+	if src == nil {
+		return nil
+	}
+	dst := new(Config)
+	*dst = *src
+	dst.Addresses = append(src.Addresses[:0:0], src.Addresses...)
+	dst.DNS = append(src.DNS[:0:0], src.DNS...)
+	if src.Peers != nil {
+		dst.Peers = make([]Peer, len(src.Peers))
+		for i := range dst.Peers {
+			dst.Peers[i] = *src.Peers[i].Clone()
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _ConfigCloneNeedsRegeneration = Config(struct {
+	Name           string
+	NodeID         tailcfg.StableNodeID
+	PrivateKey     key.NodePrivate
+	Addresses      []netip.Prefix
+	MTU            uint16
+	DNS            []netip.Addr
+	Peers          []Peer
+	NetworkLogging struct {
+		NodeID             logid.PrivateID
+		DomainID           logid.PrivateID
+		LogExitFlowEnabled bool
+	}
+}{})
+
+// Clone makes a deep copy of Peer.
+// The result aliases no memory with the original.
+func (src *Peer) Clone() *Peer {
+	if src == nil {
+		return nil
+	}
+	dst := new(Peer)
+	*dst = *src
+	dst.AllowedIPs = append(src.AllowedIPs[:0:0], src.AllowedIPs...)
+	if dst.V4MasqAddr != nil {
+		dst.V4MasqAddr = ptr.To(*src.V4MasqAddr)
+	}
+	if dst.V6MasqAddr != nil {
+		dst.V6MasqAddr = ptr.To(*src.V6MasqAddr)
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _PeerCloneNeedsRegeneration = Peer(struct {
+	PublicKey           key.NodePublic
+	DiscoKey            key.DiscoPublic
+	AllowedIPs          []netip.Prefix
+	V4MasqAddr          *netip.Addr
+	V6MasqAddr          *netip.Addr
+	IsJailed            bool
+	PersistentKeepalive uint16
+	WGEndpoint          key.NodePublic
+}{})

vendor/tailscale.com/wgengine/wgcfg/writer.go

@@ -0,0 +1,154 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package wgcfg
+
+import (
+	"fmt"
+	"io"
+	"net/netip"
+	"strconv"
+
+	"tailscale.com/types/key"
+	"tailscale.com/types/logger"
+)
+
+// ToUAPI writes cfg in UAPI format to w.
+// Prev is the previous device Config.
+//
+// Prev is required so that we can remove now-defunct peers without having to
+// remove and re-add all peers, and so that we can avoid writing information
+// about peers that have not changed since the previous time we wrote our
+// Config.
+func (cfg *Config) ToUAPI(logf logger.Logf, w io.Writer, prev *Config) error {
+	var stickyErr error
+	set := func(key, value string) {
+		if stickyErr != nil {
+			return
+		}
+		_, err := fmt.Fprintf(w, "%s=%s\n", key, value)
+		if err != nil {
+			stickyErr = err
+		}
+	}
+	setUint16 := func(key string, value uint16) {
+		set(key, strconv.FormatUint(uint64(value), 10))
+	}
+	setPeer := func(peer Peer) {
+		set("public_key", peer.PublicKey.UntypedHexString())
+	}
+
+	// Device config.
+	if !prev.PrivateKey.Equal(cfg.PrivateKey) {
+		set("private_key", cfg.PrivateKey.UntypedHexString())
+	}
+
+	old := make(map[key.NodePublic]Peer)
+	for _, p := range prev.Peers {
+		old[p.PublicKey] = p
+	}
+
+	// Add/configure all new peers.
+	for _, p := range cfg.Peers {
+		oldPeer, wasPresent := old[p.PublicKey]
+
+		// We only want to write the peer header/version if we're about
+		// to change something about that peer, or if it's a new peer.
+		// Figure out up-front whether we'll need to do anything for
+		// this peer, and skip doing anything if not.
+		//
+		// If the peer was not present in the previous config, this
+		// implies that this is a new peer; set all of these to 'true'
+		// to ensure that we're writing the full peer configuration.
+		willSetEndpoint := oldPeer.WGEndpoint != p.PublicKey || !wasPresent
+		willChangeIPs := !cidrsEqual(oldPeer.AllowedIPs, p.AllowedIPs) || !wasPresent
+		willChangeKeepalive := oldPeer.PersistentKeepalive != p.PersistentKeepalive // if not wasPresent, no need to redundantly set zero (default)
+
+		if !willSetEndpoint && !willChangeIPs && !willChangeKeepalive {
+			// It's safe to skip doing anything here; wireguard-go
+			// will not remove a peer if it's unspecified unless we
+			// tell it to (which we do below if necessary).
+			continue
+		}
+
+		setPeer(p)
+		set("protocol_version", "1")
+
+		// Avoid setting endpoints if the correct one is already known
+		// to WireGuard, because doing so generates a bit more work in
+		// calling magicsock's ParseEndpoint for effectively a no-op.
+		if willSetEndpoint {
+			if wasPresent {
+				// We had an endpoint, and it was wrong.
+				// By construction, this should not happen.
+				// If it does, keep going so that we can recover from it,
+				// but log so that we know about it,
+				// because it is an indicator of other failed invariants.
+				// See corp issue 3016.
+				logf("[unexpected] endpoint changed from %s to %s", oldPeer.WGEndpoint, p.PublicKey)
+			}
+			set("endpoint", p.PublicKey.UntypedHexString())
+		}
+
+		// TODO: replace_allowed_ips is expensive.
+		// If p.AllowedIPs is a strict superset of oldPeer.AllowedIPs,
+		// then skip replace_allowed_ips and instead add only
+		// the new ipps with allowed_ip.
+		if willChangeIPs {
+			set("replace_allowed_ips", "true")
+			for _, ipp := range p.AllowedIPs {
+				set("allowed_ip", ipp.String())
+			}
+		}
+
+		// Set PersistentKeepalive after the peer is otherwise configured,
+		// because it can trigger handshake packets.
+		if willChangeKeepalive {
+			setUint16("persistent_keepalive_interval", p.PersistentKeepalive)
+		}
+	}
+
+	// Remove peers that were present but should no longer be.
+	for _, p := range cfg.Peers {
+		delete(old, p.PublicKey)
+	}
+	for _, p := range old {
+		setPeer(p)
+		set("remove", "true")
+	}
+
+	if stickyErr != nil {
+		stickyErr = fmt.Errorf("ToUAPI: %w", stickyErr)
+	}
+	return stickyErr
+}
+
+func cidrsEqual(x, y []netip.Prefix) bool {
+	// TODO: re-implement using netaddr.IPSet.Equal.
+	if len(x) != len(y) {
+		return false
+	}
+	// First see if they're equal in order, without allocating.
+	exact := true
+	for i := range x {
+		if x[i] != y[i] {
+			exact = false
+			break
+		}
+	}
+	if exact {
+		return true
+	}
+
+	// Otherwise, see if they're the same, but out of order.
+	m := make(map[netip.Prefix]bool)
+	for _, v := range x {
+		m[v] = true
+	}
+	for _, v := range y {
+		if !m[v] {
+			return false
+		}
+	}
+	return true
+}