Update

vendor/tailscale.com/wgengine/wgcfg/config.go

@@ -6,8 +6,8 @@ package wgcfg
 
 import (
 	"net/netip"
+	"slices"
 
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logid"
 )
@@ -17,8 +17,6 @@ import (
 // Config is a WireGuard configuration.
 // It only supports the set of things Tailscale uses.
 type Config struct {
-	Name       string
-	NodeID     tailcfg.StableNodeID
 	PrivateKey key.NodePrivate
 	Addresses  []netip.Prefix
 	MTU        uint16
@@ -35,6 +33,18 @@ type Config struct {
 	}
 }
 
+func (c *Config) Equal(o *Config) bool {
+	if c == nil || o == nil {
+		return c == o
+	}
+	return c.PrivateKey.Equal(o.PrivateKey) &&
+		c.MTU == o.MTU &&
+		c.NetworkLogging == o.NetworkLogging &&
+		slices.Equal(c.Addresses, o.Addresses) &&
+		slices.Equal(c.DNS, o.DNS) &&
+		slices.EqualFunc(c.Peers, o.Peers, Peer.Equal)
+}
+
 type Peer struct {
 	PublicKey           key.NodePublic
 	DiscoKey            key.DiscoPublic // present only so we can handle restarts within wgengine, not passed to WireGuard
@@ -50,6 +60,24 @@ type Peer struct {
 	WGEndpoint key.NodePublic
 }
 
+func addrPtrEq(a, b *netip.Addr) bool {
+	if a == nil || b == nil {
+		return a == b
+	}
+	return *a == *b
+}
+
+func (p Peer) Equal(o Peer) bool {
+	return p.PublicKey == o.PublicKey &&
+		p.DiscoKey == o.DiscoKey &&
+		slices.Equal(p.AllowedIPs, o.AllowedIPs) &&
+		p.IsJailed == o.IsJailed &&
+		p.PersistentKeepalive == o.PersistentKeepalive &&
+		addrPtrEq(p.V4MasqAddr, o.V4MasqAddr) &&
+		addrPtrEq(p.V6MasqAddr, o.V6MasqAddr) &&
+		p.WGEndpoint == o.WGEndpoint
+}
+
 // PeerWithKey returns the Peer with key k and reports whether it was found.
 func (config Config) PeerWithKey(k key.NodePublic) (Peer, bool) {
 	for _, p := range config.Peers {

vendor/tailscale.com/wgengine/wgcfg/device.go

@@ -4,6 +4,7 @@
 package wgcfg
 
 import (
+	"errors"
 	"io"
 	"sort"
 
@@ -11,7 +12,6 @@ import (
 	"github.com/tailscale/wireguard-go/device"
 	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/multierr"
 )
 
 // NewDevice returns a wireguard-go Device configured for Tailscale use.
@@ -31,7 +31,7 @@ func DeviceConfig(d *device.Device) (*Config, error) {
 	cfg, fromErr := FromUAPI(r)
 	r.Close()
 	getErr := <-errc
-	err := multierr.New(getErr, fromErr)
+	err := errors.Join(getErr, fromErr)
 	if err != nil {
 		return nil, err
 	}
@@ -64,5 +64,5 @@ func ReconfigDevice(d *device.Device, cfg *Config, logf logger.Logf) (err error)
 	toErr := cfg.ToUAPI(logf, w, prev)
 	w.Close()
 	setErr := <-errc
-	return multierr.New(setErr, toErr)
+	return errors.Join(setErr, toErr)
 }

vendor/tailscale.com/wgengine/wgcfg/nmcfg/nmcfg.go

@@ -5,12 +5,15 @@
 package nmcfg
 
 import (
-	"bytes"
+	"bufio"
+	"cmp"
 	"fmt"
 	"net/netip"
 	"strings"
 
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netmap"
@@ -18,16 +21,7 @@ import (
 )
 
 func nodeDebugName(n tailcfg.NodeView) string {
-	name := n.Name()
-	if name == "" {
-		name = n.Hostinfo().Hostname()
-	}
-	if i := strings.Index(name, "."); i != -1 {
-		name = name[:i]
-	}
-	if name == "" && n.Addresses().Len() != 0 {
-		return n.Addresses().At(0).String()
-	}
+	name, _, _ := strings.Cut(cmp.Or(n.Name(), n.Hostinfo().Hostname()), ".")
 	return name
 }
 
@@ -40,6 +34,9 @@ func cidrIsSubnet(node tailcfg.NodeView, cidr netip.Prefix) bool {
 	if !cidr.IsSingleIP() {
 		return true
 	}
+	if tsaddr.IsTailscaleIP(cidr.Addr()) {
+		return false
+	}
 	for _, selfCIDR := range node.Addresses().All() {
 		if cidr == selfCIDR {
 			return false
@@ -49,17 +46,15 @@ func cidrIsSubnet(node tailcfg.NodeView, cidr netip.Prefix) bool {
 }
 
 // WGCfg returns the NetworkMaps's WireGuard configuration.
-func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
+func WGCfg(pk key.NodePrivate, nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
 	cfg := &wgcfg.Config{
-		Name:       "tailscale",
-		PrivateKey: nm.PrivateKey,
+		PrivateKey: pk,
 		Addresses:  nm.GetAddresses().AsSlice(),
 		Peers:      make([]wgcfg.Peer, 0, len(nm.Peers)),
 	}
 
 	// Setup log IDs for data plane audit logging.
 	if nm.SelfNode.Valid() {
-		cfg.NodeID = nm.SelfNode.StableID()
 		canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
 		logExitFlowEnabled := nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)
 		if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" {
@@ -79,10 +74,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		}
 	}
 
-	// Logging buffers
-	skippedUnselected := new(bytes.Buffer)
-	skippedSubnets := new(bytes.Buffer)
-	skippedExpired := new(bytes.Buffer)
+	var skippedExitNode, skippedSubnetRouter, skippedExpired []tailcfg.NodeView
 
 	for _, peer := range nm.Peers {
 		if peer.DiscoKey().IsZero() && peer.HomeDERP() == 0 && !peer.IsWireGuardOnly() {
@@ -95,16 +87,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		// anyway, since control intentionally breaks node keys for
 		// expired peers so that we can't discover endpoints via DERP.
 		if peer.Expired() {
-			if skippedExpired.Len() >= 1<<10 {
-				if !bytes.HasSuffix(skippedExpired.Bytes(), []byte("...")) {
-					skippedExpired.WriteString("...")
-				}
-			} else {
-				if skippedExpired.Len() > 0 {
-					skippedExpired.WriteString(", ")
-				}
-				fmt.Fprintf(skippedExpired, "%s/%v", peer.StableID(), peer.Key().ShortString())
-			}
+			skippedExpired = append(skippedExpired, peer)
 			continue
 		}
 
@@ -114,28 +97,22 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		})
 		cpeer := &cfg.Peers[len(cfg.Peers)-1]
 
-		didExitNodeWarn := false
+		didExitNodeLog := false
 		cpeer.V4MasqAddr = peer.SelfNodeV4MasqAddrForThisPeer().Clone()
 		cpeer.V6MasqAddr = peer.SelfNodeV6MasqAddrForThisPeer().Clone()
 		cpeer.IsJailed = peer.IsJailed()
 		for _, allowedIP := range peer.AllowedIPs().All() {
 			if allowedIP.Bits() == 0 && peer.StableID() != exitNode {
-				if didExitNodeWarn {
+				if didExitNodeLog {
 					// Don't log about both the IPv4 /0 and IPv6 /0.
 					continue
 				}
-				didExitNodeWarn = true
-				if skippedUnselected.Len() > 0 {
-					skippedUnselected.WriteString(", ")
-				}
-				fmt.Fprintf(skippedUnselected, "%q (%v)", nodeDebugName(peer), peer.Key().ShortString())
+				didExitNodeLog = true
+				skippedExitNode = append(skippedExitNode, peer)
 				continue
 			} else if cidrIsSubnet(peer, allowedIP) {
 				if (flags & netmap.AllowSubnetRoutes) == 0 {
-					if skippedSubnets.Len() > 0 {
-						skippedSubnets.WriteString(", ")
-					}
-					fmt.Fprintf(skippedSubnets, "%v from %q (%v)", allowedIP, nodeDebugName(peer), peer.Key().ShortString())
+					skippedSubnetRouter = append(skippedSubnetRouter, peer)
 					continue
 				}
 			}
@@ -143,14 +120,27 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		}
 	}
 
-	if skippedUnselected.Len() > 0 {
-		logf("[v1] wgcfg: skipped unselected default routes from: %s", skippedUnselected.Bytes())
-	}
-	if skippedSubnets.Len() > 0 {
-		logf("[v1] wgcfg: did not accept subnet routes: %s", skippedSubnets)
-	}
-	if skippedExpired.Len() > 0 {
-		logf("[v1] wgcfg: skipped expired peer: %s", skippedExpired)
+	logList := func(title string, nodes []tailcfg.NodeView) {
+		if len(nodes) == 0 {
+			return
+		}
+		logf("[v1] wgcfg: %s from %d nodes: %s", title, len(nodes), logger.ArgWriter(func(bw *bufio.Writer) {
+			const max = 5
+			for i, n := range nodes {
+				if i == max {
+					fmt.Fprintf(bw, "... +%d", len(nodes)-max)
+					return
+				}
+				if i > 0 {
+					bw.WriteString(", ")
+				}
+				fmt.Fprintf(bw, "%s (%s)", nodeDebugName(n), n.StableID())
+			}
+		}))
 	}
+	logList("skipped unselected exit nodes", skippedExitNode)
+	logList("did not accept subnet routes", skippedSubnetRouter)
+	logList("skipped expired peers", skippedExpired)
+
 	return cfg, nil
 }

vendor/tailscale.com/wgengine/wgcfg/wgcfg_clone.go

@@ -8,7 +8,6 @@ package wgcfg
 import (
 	"net/netip"
 
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/ptr"
@@ -35,8 +34,6 @@ func (src *Config) Clone() *Config {
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _ConfigCloneNeedsRegeneration = Config(struct {
-	Name           string
-	NodeID         tailcfg.StableNodeID
 	PrivateKey     key.NodePrivate
 	Addresses      []netip.Prefix
 	MTU            uint16