<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale, branch main</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=main</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=main'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2026-04-25T02:01:43Z</updated>
<entry>
<title>all: fix duplicate package docs and tighten TestPackageDocs</title>
<updated>2026-04-25T02:01:43Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-25T01:14:56Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=f3b2f9b0ef09ed20119f5b89a9652b14ccd94122'/>
<id>urn:sha1:f3b2f9b0ef09ed20119f5b89a9652b14ccd94122</id>
<content type='text'>
TestPackageDocs walked into directories starting with "." (such as
.claude worktrees) and only logged warnings on duplicate package docs
across files in a directory. Skip dot-directories (which covers the
old .git but also .claude), ignore files with "//go:build ignore" so
command files don't falsely trip the duplicate check, and promote the
duplicate-doc warning to a t.Errorf.

While here, deduplicate the package docs that were previously only
logged: drop the redundant comment from client/systray/startup-creator.go,
move the comprehensive taildrop doc into feature/taildrop/doc.go, and
remove a leftover doc fragment from feature/condlite/expvar/omit.go.

The tstest/integration/vms allowlist is no longer needed since the
//go:build ignore filter now handles its dns_tester.go and udp_tester.go
files generically.

Fixes #19526

Change-Id: Id794d96bd728826a1883a054e4a244f90fa05d3d
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>maths: remove unused package (#19516)</title>
<updated>2026-04-24T23:17:10Z</updated>
<author>
<name>Andrew Lytvynov</name>
<email>awly@tailscale.com</email>
</author>
<published>2026-04-24T23:17:10Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=873b8b8e2e537026d3947df74399439d31d7dfbb'/>
<id>urn:sha1:873b8b8e2e537026d3947df74399439d31d7dfbb</id>
<content type='text'>
Added in 2025 and appears to be unused.

Updates #cleanup

Signed-off-by: Andrew Lytvynov &lt;awly@tailscale.com&gt;</content>
</entry>
<entry>
<title>util/expvarx: remove unused package (#19519)</title>
<updated>2026-04-24T23:16:42Z</updated>
<author>
<name>Andrew Lytvynov</name>
<email>awly@tailscale.com</email>
</author>
<published>2026-04-24T23:16:42Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=d64ed4af89c4a709a9e08c2cc5b23d99d2753833'/>
<id>urn:sha1:d64ed4af89c4a709a9e08c2cc5b23d99d2753833</id>
<content type='text'>
Added in 2024 and appears to be unused.

Updates #cleanup

Signed-off-by: Andrew Lytvynov &lt;awly@tailscale.com&gt;</content>
</entry>
<entry>
<title>util/cstruct: remove unused package (#19518)</title>
<updated>2026-04-24T23:09:54Z</updated>
<author>
<name>Andrew Lytvynov</name>
<email>awly@tailscale.com</email>
</author>
<published>2026-04-24T23:09:54Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=4195e34f79639b644d23e49736ba2a17d53e7b48'/>
<id>urn:sha1:4195e34f79639b644d23e49736ba2a17d53e7b48</id>
<content type='text'>
Added in 2022 and appears to be unused.

Updates #cleanup

Signed-off-by: Andrew Lytvynov &lt;awly@tailscale.com&gt;</content>
</entry>
<entry>
<title>envknob/logknob: remove unused package (#19515)</title>
<updated>2026-04-24T22:48:06Z</updated>
<author>
<name>Andrew Lytvynov</name>
<email>awly@tailscale.com</email>
</author>
<published>2026-04-24T22:48:06Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=323198b34874f44d52ec48985e2bc7f660f35580'/>
<id>urn:sha1:323198b34874f44d52ec48985e2bc7f660f35580</id>
<content type='text'>
Added in 2023 and appears to be unused.

Updates #cleanup

Signed-off-by: Andrew Lytvynov &lt;awly@tailscale.com&gt;</content>
</entry>
<entry>
<title>wgengine/netstack: absorb all quad-100 traffic locally, never leak to peers</title>
<updated>2026-04-24T19:42:16Z</updated>
<author>
<name>James Tucker</name>
<email>james@tailscale.com</email>
</author>
<published>2026-04-24T02:18:44Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=1b40911611b37947bdc905dec30b2914af540920'/>
<id>urn:sha1:1b40911611b37947bdc905dec30b2914af540920</id>
<content type='text'>
Previously, handleLocalPackets intercepted traffic to the Tailscale
service IP (100.100.100.100 / fd7a:115c:a1e0::53) only for an allow-list
of ports: TCP 53/80/8080 and UDP 53. Any other port returned
filter.Accept, letting the packet fall through to the ACL filter and
wireguard-go, which would attempt a peer lookup. No peer owns the
quad-100 AllowedIP, so after ~5s pendopen.go would log:

    open-conn-track: timeout opening ...; no associated peer node

This is the common "conntrack error no peer found for 100.100.100.100:853"
log spam seen in the wild (e.g. from systemd-resolved or another
resolver speculatively trying DoT on quad-100). It also leaks quad-100
packets onto the tailnet.

Remove the port allow-list so handleLocalPackets absorbs every quad-100
packet into netstack regardless of IP protocol or port. Traffic never
reaches the conntrack / peer-routing layers.

With the allow-list gone, acceptTCP needs a corresponding guard: on a
quad-100 TCP port we don't serve, execution used to fall through to the
isTailscaleIP case (quad-100 is in the tailscale IP range), which
rewrote the dial target to 127.0.0.1:&lt;port&gt; and forwardTCP'd the
connection to whatever happened to be listening on the host's loopback
at that port. Add a hittingServiceIP case that RSTs cleanly instead,
placed before the isTailscaleIP fallthrough.

TestQuad100UnservedTCPPortDoesNotForward is a new integration test that
injects a TCP SYN to 100.100.100.100:853 via handleLocalPackets, stubs
forwardDialFunc, and asserts the dialer is not invoked; it catches
regressions of the acceptTCP recursion/loopback-redirection case.

Fixes #15796
Fixes #19421
Updates #3261
Updates #11305

Signed-off-by: James Tucker &lt;james@tailscale.com&gt;
</content>
</entry>
<entry>
<title>version: use debug.ReadBuildInfo in CmdName on non-Windows</title>
<updated>2026-04-24T16:48:11Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2026-04-22T04:38:55Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=006d7e180e4a46112b1905f1e2c2e1060ef31d8b'/>
<id>urn:sha1:006d7e180e4a46112b1905f1e2c2e1060ef31d8b</id>
<content type='text'>
CmdName was re-opening the running executable and scanning it in
64KiB chunks for the Go modinfo markers on every call. The same
modinfo is already parsed at startup and exposed via
runtime/debug.ReadBuildInfo, so prefer that on non-Windows. Windows
still takes the scanning path because its GUI-binary override keys
off the on-disk executable name.

benchstat of BenchmarkCmdName (Linux, before vs after):

    goos: linux
    goarch: amd64
    pkg: tailscale.com/version
    cpu: Intel(R) Xeon(R) 6975P-C
               │  /tmp/old.txt  │            /tmp/new.txt             │
               │     sec/op     │   sec/op     vs base                │
    CmdName-16   556045.5n ± 1%   825.6n ± 1%  -99.85% (p=0.000 n=10)

               │ /tmp/old.txt  │             /tmp/new.txt             │
               │     B/op      │     B/op      vs base                │
    CmdName-16   64.587Ki ± 0%   1.156Ki ± 0%  -98.21% (p=0.000 n=10)

               │ /tmp/old.txt │            /tmp/new.txt            │
               │  allocs/op   │ allocs/op   vs base                │
    CmdName-16     8.000 ± 0%   7.000 ± 0%  -12.50% (p=0.000 n=10)

Fixes #19486

Change-Id: I925c5e28b64815a602459beb6c8dab8779339a6c
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>feature/conn25: add the ability to return addresses to the IP Pools</title>
<updated>2026-04-24T15:48:48Z</updated>
<author>
<name>Fran Bull</name>
<email>fran@tailscale.com</email>
</author>
<published>2026-04-21T14:49:43Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=306fab796cd9d071b412a751cf002890a32788bb'/>
<id>urn:sha1:306fab796cd9d071b412a751cf002890a32788bb</id>
<content type='text'>
This will be used as part of the address assignment expiry work.

Updates tailscale/corp#39975

Signed-off-by: Fran Bull &lt;fran@tailscale.com&gt;
</content>
</entry>
<entry>
<title>ipnlocal/drive: reduce noisy per-peer remote logs (#19493)</title>
<updated>2026-04-24T15:26:33Z</updated>
<author>
<name>kari-ts</name>
<email>135075563+kari-ts@users.noreply.github.com</email>
</author>
<published>2026-04-24T15:26:33Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=aa740cb393c05e973400e05b7485cdda36181ce7'/>
<id>urn:sha1:aa740cb393c05e973400e05b7485cdda36181ce7</id>
<content type='text'>
This drops the per peer "appending remote" log while constructing the remote list, which can get noisy on big tailnets, and keeps logs around remote availability checks, including whether a peer is missing, offline, lacks PeerAPI reachability, lacks sharing permission, or is available.

Updates tailscale/corp#40580

Signed-off-by: kari-ts &lt;kari@tailscale.com&gt;</content>
</entry>
<entry>
<title>go.mod: bump github.com/google/go-containerregistry (#19500)</title>
<updated>2026-04-23T17:39:27Z</updated>
<author>
<name>Andrew Lytvynov</name>
<email>awly@tailscale.com</email>
</author>
<published>2026-04-23T17:39:27Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=ad9e6c19257a13fd619fbbd07468830925c8e520'/>
<id>urn:sha1:ad9e6c19257a13fd619fbbd07468830925c8e520</id>
<content type='text'>
This drops an indirect dependency on the old github.com/docker/docker
(which was replaced with github.com/moby/moby) and fixes a couple of recent
CVEs.

Updates #cleanup

Signed-off-by: Andrew Lytvynov &lt;awly@tailscale.com&gt;</content>
</entry>
</feed>
