Merge branch 'main' into tomhjp/k8s-proxy-2tomhjp/k8s-proxy-2

Change-Id: I52db310363255589b00a3d981661e905f7da81be

3 files changed, 178 insertions, 161 deletions

diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 95fe22641..b2998d11c 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -258,7 +258,7 @@ type LocalBackend struct {
 	// We intend to relax this in the future and only require holding b.mu when replacing it,
 	// but that requires a better (strictly ordered?) state machine and better management
 	// of [LocalBackend]'s own state that is not tied to the node context.
-	currentNodeAtomic atomic.Pointer[localNodeContext]
+	currentNodeAtomic atomic.Pointer[nodeBackend]
 
 	conf           *conffile.Config   // latest parsed config, or nil if not in declarative mode
 	pm             *profileManager    // mu guards access
@@ -519,7 +519,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		captiveCancel:         nil, // so that we start checkCaptivePortalLoop when Running
 		needsCaptiveDetection: make(chan bool),
 	}
-	b.currentNodeAtomic.Store(newLocalNodeContext())
+	b.currentNodeAtomic.Store(newNodeBackend())
 	mConn.SetNetInfoCallback(b.setNetInfo)
 
 	if sys.InitialConfig != nil {
@@ -594,12 +594,12 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 func (b *LocalBackend) Clock() tstime.Clock { return b.clock }
 func (b *LocalBackend) Sys() *tsd.System    { return b.sys }
 
-func (b *LocalBackend) currentNode() *localNodeContext {
+func (b *LocalBackend) currentNode() *nodeBackend {
 	if v := b.currentNodeAtomic.Load(); v != nil || !testenv.InTest() {
 		return v
 	}
 	// Auto-init one in tests for LocalBackend created without the NewLocalBackend constructor...
-	v := newLocalNodeContext()
+	v := newNodeBackend()
 	b.currentNodeAtomic.CompareAndSwap(nil, v)
 	return b.currentNodeAtomic.Load()
 }
@@ -1463,15 +1463,30 @@ func (b *LocalBackend) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
 	return b.currentNode().PeerCaps(src)
 }
 
-func (b *localNodeContext) AppendMatchingPeers(base []tailcfg.NodeView, pred func(tailcfg.NodeView) bool) []tailcfg.NodeView {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	ret := base
-	if b.netMap == nil {
-		return ret
+// AppendMatchingPeers returns base with all peers that match pred appended.
+//
+// It acquires b.mu to read the netmap but releases it before calling pred.
+func (nb *nodeBackend) AppendMatchingPeers(base []tailcfg.NodeView, pred func(tailcfg.NodeView) bool) []tailcfg.NodeView {
+	var peers []tailcfg.NodeView
+
+	nb.mu.Lock()
+	if nb.netMap != nil {
+		// All fields on b.netMap are immutable, so this is
+		// safe to copy and use outside the lock.
+		peers = nb.netMap.Peers
 	}
-	for _, peer := range b.netMap.Peers {
-		if pred(peer) {
+	nb.mu.Unlock()
+
+	ret := base
+	for _, peer := range peers {
+		// The peers in b.netMap don't contain updates made via
+		// UpdateNetmapDelta. So only use PeerView in b.netMap for its NodeID,
+		// and then look up the latest copy in b.peers which is updated in
+		// response to UpdateNetmapDelta edits.
+		nb.mu.Lock()
+		peer, ok := nb.peers[peer.ID()]
+		nb.mu.Unlock()
+		if ok && pred(peer) {
 			ret = append(ret, peer)
 		}
 	}
@@ -1480,21 +1495,21 @@ func (b *localNodeContext) AppendMatchingPeers(base []tailcfg.NodeView, pred fun
 
 // PeerCaps returns the capabilities that remote src IP has to
 // ths current node.
-func (b *localNodeContext) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	return b.peerCapsLocked(src)
+func (nb *nodeBackend) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return nb.peerCapsLocked(src)
 }
 
-func (b *localNodeContext) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
-	if b.netMap == nil {
+func (nb *nodeBackend) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
+	if nb.netMap == nil {
 		return nil
 	}
-	filt := b.filterAtomic.Load()
+	filt := nb.filterAtomic.Load()
 	if filt == nil {
 		return nil
 	}
-	addrs := b.netMap.GetAddresses()
+	addrs := nb.netMap.GetAddresses()
 	for i := range addrs.Len() {
 		a := addrs.At(i)
 		if !a.IsSingleIP() {
@@ -1508,8 +1523,8 @@ func (b *localNodeContext) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
 	return nil
 }
 
-func (b *localNodeContext) GetFilterForTest() *filter.Filter {
-	return b.filterAtomic.Load()
+func (nb *nodeBackend) GetFilterForTest() *filter.Filter {
+	return nb.filterAtomic.Load()
 }
 
 // SetControlClientStatus is the callback invoked by the control client whenever it posts a new status.
@@ -2019,14 +2034,14 @@ func (b *LocalBackend) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bo
 	return true
 }
 
-func (c *localNodeContext) netMapWithPeers() *netmap.NetworkMap {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.netMap == nil {
+func (nb *nodeBackend) netMapWithPeers() *netmap.NetworkMap {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil {
 		return nil
 	}
-	nm := ptr.To(*c.netMap) // shallow clone
-	nm.Peers = slicesx.MapValues(c.peers)
+	nm := ptr.To(*nb.netMap) // shallow clone
+	nm.Peers = slicesx.MapValues(nb.peers)
 	slices.SortFunc(nm.Peers, func(a, b tailcfg.NodeView) int {
 		return cmp.Compare(a.ID(), b.ID())
 	})
@@ -2063,10 +2078,10 @@ func (b *LocalBackend) pickNewAutoExitNode() {
 	b.send(ipn.Notify{Prefs: &newPrefs})
 }
 
-func (c *localNodeContext) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bool) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.netMap == nil || len(c.peers) == 0 {
+func (nb *nodeBackend) UpdateNetmapDelta(muts []netmap.NodeMutation) (handled bool) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil || len(nb.peers) == 0 {
 		return false
 	}
 
@@ -2078,7 +2093,7 @@ func (c *localNodeContext) UpdateNetmapDelta(muts []netmap.NodeMutation) (handle
 	for _, m := range muts {
 		n, ok := mutableNodes[m.NodeIDBeingMutated()]
 		if !ok {
-			nv, ok := c.peers[m.NodeIDBeingMutated()]
+			nv, ok := nb.peers[m.NodeIDBeingMutated()]
 			if !ok {
 				// TODO(bradfitz): unexpected metric?
 				return false
@@ -2089,7 +2104,7 @@ func (c *localNodeContext) UpdateNetmapDelta(muts []netmap.NodeMutation) (handle
 		m.Apply(n)
 	}
 	for nid, n := range mutableNodes {
-		c.peers[nid] = n.View()
+		nb.peers[nid] = n.View()
 	}
 	return true
 }
@@ -2250,10 +2265,10 @@ func (b *LocalBackend) PeersForTest() []tailcfg.NodeView {
 	return b.currentNode().PeersForTest()
 }
 
-func (b *localNodeContext) PeersForTest() []tailcfg.NodeView {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	ret := slicesx.MapValues(b.peers)
+func (nb *nodeBackend) PeersForTest() []tailcfg.NodeView {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	ret := slicesx.MapValues(nb.peers)
 	slices.SortFunc(ret, func(a, b tailcfg.NodeView) int {
 		return cmp.Compare(a.ID(), b.ID())
 	})
@@ -2532,12 +2547,12 @@ var invalidPacketFilterWarnable = health.Register(&health.Warnable{
 // b.mu must be held.
 func (b *LocalBackend) updateFilterLocked(prefs ipn.PrefsView) {
 	// TODO(nickkhyl) split this into two functions:
-	// - (*localNodeContext).RebuildFilters() (normalFilter, jailedFilter *filter.Filter, changed bool),
+	// - (*nodeBackend).RebuildFilters() (normalFilter, jailedFilter *filter.Filter, changed bool),
 	//   which would return packet filters for the current state and whether they changed since the last call.
 	// - (*LocalBackend).updateFilters(), which would use the above to update the engine with the new filters,
 	//    notify b.sshServer, etc.
 	//
-	// For this, we would need to plumb a few more things into the [localNodeContext]. Most importantly,
+	// For this, we would need to plumb a few more things into the [nodeBackend]. Most importantly,
 	// the current [ipn.PrefsView]), but also maybe also a b.logf and a b.health?
 	//
 	// NOTE(danderson): keep change detection as the first thing in
@@ -2823,8 +2838,8 @@ func (b *LocalBackend) setFilter(f *filter.Filter) {
 	b.e.SetFilter(f)
 }
 
-func (c *localNodeContext) setFilter(f *filter.Filter) {
-	c.filterAtomic.Store(f)
+func (nb *nodeBackend) setFilter(f *filter.Filter) {
+	nb.filterAtomic.Store(f)
 }
 
 var removeFromDefaultRoute = []netip.Prefix{
@@ -3886,7 +3901,7 @@ func (b *LocalBackend) parseWgStatusLocked(s *wgengine.Status) (ret ipn.EngineSt
 // in Hostinfo. When the user preferences currently request "shields up"
 // mode, all inbound connections are refused, so services are not reported.
 // Otherwise, shouldUploadServices respects NetMap.CollectServices.
-// TODO(nickkhyl): move this into [localNodeContext]?
+// TODO(nickkhyl): move this into [nodeBackend]?
 func (b *LocalBackend) shouldUploadServices() bool {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -4758,10 +4773,10 @@ func (b *LocalBackend) NetMap() *netmap.NetworkMap {
 	return b.currentNode().NetMap()
 }
 
-func (c *localNodeContext) NetMap() *netmap.NetworkMap {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return c.netMap
+func (nb *nodeBackend) NetMap() *netmap.NetworkMap {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return nb.netMap
 }
 
 func (b *LocalBackend) isEngineBlocked() bool {
@@ -5003,10 +5018,10 @@ func shouldUseOneCGNATRoute(logf logger.Logf, mon *netmon.Monitor, controlKnobs
 	return false
 }
 
-func (c *localNodeContext) dnsConfigForNetmap(prefs ipn.PrefsView, selfExpired bool, logf logger.Logf, versionOS string) *dns.Config {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return dnsConfigForNetmap(c.netMap, c.peers, prefs, selfExpired, logf, versionOS)
+func (nb *nodeBackend) dnsConfigForNetmap(prefs ipn.PrefsView, selfExpired bool, logf logger.Logf, versionOS string) *dns.Config {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return dnsConfigForNetmap(nb.netMap, nb.peers, prefs, selfExpired, logf, versionOS)
 }
 
 // dnsConfigForNetmap returns a *dns.Config for the given netmap,
@@ -5041,6 +5056,8 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
 		!nm.GetAddresses().ContainsFunc(tsaddr.PrefixIs4)
 	dcfg.OnlyIPv6 = selfV6Only
 
+	wantAAAA := nm.AllCaps.Contains(tailcfg.NodeAttrMagicDNSPeerAAAA)
+
 	// Populate MagicDNS records. We do this unconditionally so that
 	// quad-100 can always respond to MagicDNS queries, even if the OS
 	// isn't configured to make MagicDNS resolution truly
@@ -5077,7 +5094,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
 			// https://github.com/tailscale/tailscale/issues/1152
 			// tracks adding the right capability reporting to
 			// enable AAAA in MagicDNS.
-			if addr.Addr().Is6() && have4 {
+			if addr.Addr().Is6() && have4 && !wantAAAA {
 				continue
 			}
 			ips = append(ips, addr.Addr())
@@ -6129,12 +6146,12 @@ func (b *LocalBackend) setAutoExitNodeIDLockedOnEntry(unlock unlockOnce) (newPre
 	return newPrefs
 }
 
-func (c *localNodeContext) SetNetMap(nm *netmap.NetworkMap) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	c.netMap = nm
-	c.updateNodeByAddrLocked()
-	c.updatePeersLocked()
+func (nb *nodeBackend) SetNetMap(nm *netmap.NetworkMap) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	nb.netMap = nm
+	nb.updateNodeByAddrLocked()
+	nb.updatePeersLocked()
 }
 
 // setNetMapLocked updates the LocalBackend state to reflect the newly
@@ -6209,25 +6226,25 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	b.driveNotifyCurrentSharesLocked()
 }
 
-func (b *localNodeContext) updateNodeByAddrLocked() {
-	nm := b.netMap
+func (nb *nodeBackend) updateNodeByAddrLocked() {
+	nm := nb.netMap
 	if nm == nil {
-		b.nodeByAddr = nil
+		nb.nodeByAddr = nil
 		return
 	}
 
 	// Update the nodeByAddr index.
-	if b.nodeByAddr == nil {
-		b.nodeByAddr = map[netip.Addr]tailcfg.NodeID{}
+	if nb.nodeByAddr == nil {
+		nb.nodeByAddr = map[netip.Addr]tailcfg.NodeID{}
 	}
 	// First pass, mark everything unwanted.
-	for k := range b.nodeByAddr {
-		b.nodeByAddr[k] = 0
+	for k := range nb.nodeByAddr {
+		nb.nodeByAddr[k] = 0
 	}
 	addNode := func(n tailcfg.NodeView) {
 		for _, ipp := range n.Addresses().All() {
 			if ipp.IsSingleIP() {
-				b.nodeByAddr[ipp.Addr()] = n.ID()
+				nb.nodeByAddr[ipp.Addr()] = n.ID()
 			}
 		}
 	}
@@ -6238,34 +6255,34 @@ func (b *localNodeContext) updateNodeByAddrLocked() {
 		addNode(p)
 	}
 	// Third pass, actually delete the unwanted items.
-	for k, v := range b.nodeByAddr {
+	for k, v := range nb.nodeByAddr {
 		if v == 0 {
-			delete(b.nodeByAddr, k)
+			delete(nb.nodeByAddr, k)
 		}
 	}
 }
 
-func (b *localNodeContext) updatePeersLocked() {
-	nm := b.netMap
+func (nb *nodeBackend) updatePeersLocked() {
+	nm := nb.netMap
 	if nm == nil {
-		b.peers = nil
+		nb.peers = nil
 		return
 	}
 
 	// First pass, mark everything unwanted.
-	for k := range b.peers {
-		b.peers[k] = tailcfg.NodeView{}
+	for k := range nb.peers {
+		nb.peers[k] = tailcfg.NodeView{}
 	}
 
 	// Second pass, add everything wanted.
 	for _, p := range nm.Peers {
-		mak.Set(&b.peers, p.ID(), p)
+		mak.Set(&nb.peers, p.ID(), p)
 	}
 
 	// Third pass, remove deleted things.
-	for k, v := range b.peers {
+	for k, v := range nb.peers {
 		if !v.Valid() {
-			delete(b.peers, k)
+			delete(nb.peers, k)
 		}
 	}
 }
@@ -6652,14 +6669,14 @@ func (b *LocalBackend) TestOnlyPublicKeys() (machineKey key.MachinePublic, nodeK
 
 // PeerHasCap reports whether the peer with the given Tailscale IP addresses
 // contains the given capability string, with any value(s).
-func (b *localNodeContext) PeerHasCap(addr netip.Addr, wantCap tailcfg.PeerCapability) bool {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	return b.peerHasCapLocked(addr, wantCap)
+func (nb *nodeBackend) PeerHasCap(addr netip.Addr, wantCap tailcfg.PeerCapability) bool {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return nb.peerHasCapLocked(addr, wantCap)
 }
 
-func (b *localNodeContext) peerHasCapLocked(addr netip.Addr, wantCap tailcfg.PeerCapability) bool {
-	return b.peerCapsLocked(addr).HasCapability(wantCap)
+func (nb *nodeBackend) peerHasCapLocked(addr netip.Addr, wantCap tailcfg.PeerCapability) bool {
+	return nb.peerCapsLocked(addr).HasCapability(wantCap)
 }
 
 // SetDNS adds a DNS record for the given domain name & TXT record
@@ -6722,16 +6739,16 @@ func peerAPIURL(ip netip.Addr, port uint16) string {
 	return fmt.Sprintf("http://%v", netip.AddrPortFrom(ip, port))
 }
 
-func (c *localNodeContext) PeerHasPeerAPI(p tailcfg.NodeView) bool {
-	return c.PeerAPIBase(p) != ""
+func (nb *nodeBackend) PeerHasPeerAPI(p tailcfg.NodeView) bool {
+	return nb.PeerAPIBase(p) != ""
 }
 
 // PeerAPIBase returns the "http://ip:port" URL base to reach peer's PeerAPI,
 // or the empty string if the peer is invalid or doesn't support PeerAPI.
-func (c *localNodeContext) PeerAPIBase(p tailcfg.NodeView) string {
-	c.mu.Lock()
-	nm := c.netMap
-	c.mu.Unlock()
+func (nb *nodeBackend) PeerAPIBase(p tailcfg.NodeView) string {
+	nb.mu.Lock()
+	nm := nb.netMap
+	nb.mu.Unlock()
 	return peerAPIBase(nm, p)
 }
 
@@ -6972,10 +6989,10 @@ func exitNodeCanProxyDNS(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg
 	return "", false
 }
 
-func (c *localNodeContext) exitNodeCanProxyDNS(exitNodeID tailcfg.StableNodeID) (dohURL string, ok bool) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return exitNodeCanProxyDNS(c.netMap, c.peers, exitNodeID)
+func (nb *nodeBackend) exitNodeCanProxyDNS(exitNodeID tailcfg.StableNodeID) (dohURL string, ok bool) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return exitNodeCanProxyDNS(nb.netMap, nb.peers, exitNodeID)
 }
 
 // wireguardExitNodeDNSResolvers returns the DNS resolvers to use for a
@@ -7396,7 +7413,7 @@ func (b *LocalBackend) resetForProfileChangeLockedOnEntry(unlock unlockOnce) err
 		// down, so no need to do any work.
 		return nil
 	}
-	b.currentNodeAtomic.Store(newLocalNodeContext())
+	b.currentNodeAtomic.Store(newNodeBackend())
 	b.setNetMapLocked(nil) // Reset netmap.
 	b.updateFilterLocked(ipn.PrefsView{})
 	// Reset the NetworkMap in the engine
@@ -8086,7 +8103,7 @@ func (b *LocalBackend) startAutoUpdate(logPrefix string) (retErr error) {
 // rules that require a source IP to have a certain node capability.
 //
 // TODO(bradfitz): optimize this later if/when it matters.
-// TODO(nickkhyl): move this into [localNodeContext] along with [LocalBackend.updateFilterLocked].
+// TODO(nickkhyl): move this into [nodeBackend] along with [LocalBackend.updateFilterLocked].
 func (b *LocalBackend) srcIPHasCapForFilter(srcIP netip.Addr, cap tailcfg.NodeCapability) bool {
 	if cap == "" {
 		// Shouldn't happen, but just in case.
diff --git a/ipn/ipnlocal/local_node_context.go b/ipn/ipnlocal/node_backend.go
index 871880893..415c32ccf 100644
--- a/ipn/ipnlocal/local_node_context.go
+++ b/ipn/ipnlocal/node_backend.go
@@ -18,29 +18,29 @@ import (
 	"tailscale.com/wgengine/filter"
 )
 
-// localNodeContext holds the [LocalBackend]'s context tied to a local node (usually the current one).
+// nodeBackend is node-specific [LocalBackend] state. It is usually the current node.
 //
 // Its exported methods are safe for concurrent use, but the struct is not a snapshot of state at a given moment;
 // its state can change between calls. For example, asking for the same value (e.g., netmap or prefs) twice
 // may return different results. Returned values are immutable and safe for concurrent use.
 //
-// If both the [LocalBackend]'s internal mutex and the [localNodeContext] mutex must be held at the same time,
+// If both the [LocalBackend]'s internal mutex and the [nodeBackend] mutex must be held at the same time,
 // the [LocalBackend] mutex must be acquired first. See the comment on the [LocalBackend] field for more details.
 //
-// Two pointers to different [localNodeContext] instances represent different local nodes.
-// However, there's currently a bug where a new [localNodeContext] might not be created
+// Two pointers to different [nodeBackend] instances represent different local nodes.
+// However, there's currently a bug where a new [nodeBackend] might not be created
 // during an implicit node switch (see tailscale/corp#28014).
 
 // In the future, we might want to include at least the following in this struct (in addition to the current fields).
 // However, not everything should be exported or otherwise made available to the outside world (e.g. [ipnext] extensions,
 // peer API handlers, etc.).
-//   - [ipn.State]: when the LocalBackend switches to a different [localNodeContext], it can update the state of the old one.
+//   - [ipn.State]: when the LocalBackend switches to a different [nodeBackend], it can update the state of the old one.
 //   - [ipn.LoginProfileView] and [ipn.Prefs]: we should update them when the [profileManager] reports changes to them.
 //     In the future, [profileManager] (and the corresponding methods of the [LocalBackend]) can be made optional,
 //     and something else could be used to set them once or update them as needed.
 //   - [tailcfg.HostinfoView]: it includes certain fields that are tied to the current profile/node/prefs. We should also
 //     update to build it once instead of mutating it in twelvety different places.
-//   - [filter.Filter] (normal and jailed, along with the filterHash): the localNodeContext could have a method to (re-)build
+//   - [filter.Filter] (normal and jailed, along with the filterHash): the nodeBackend could have a method to (re-)build
 //     the filter for the current netmap/prefs (see [LocalBackend.updateFilterLocked]), and it needs to track the current
 //     filters and their hash.
 //   - Fields related to a requested or required (re-)auth: authURL, authURLTime, authActor, keyExpired, etc.
@@ -51,7 +51,7 @@ import (
 // It should not include any fields used by specific features that don't belong in [LocalBackend].
 // Even if they're tied to the local node, instead of moving them here, we should extract the entire feature
 // into a separate package and have it install proper hooks.
-type localNodeContext struct {
+type nodeBackend struct {
 	// filterAtomic is a stateful packet filter. Immutable once created, but can be
 	// replaced with a new one.
 	filterAtomic atomic.Pointer[filter.Filter]
@@ -71,33 +71,33 @@ type localNodeContext struct {
 	// peers is the set of current peers and their current values after applying
 	// delta node mutations as they come in (with mu held). The map values can be
 	// given out to callers, but the map itself can be mutated in place (with mu held)
-	// and must not escape the [localNodeContext].
+	// and must not escape the [nodeBackend].
 	peers map[tailcfg.NodeID]tailcfg.NodeView
 
 	// nodeByAddr maps nodes' own addresses (excluding subnet routes) to node IDs.
-	// It is mutated in place (with mu held) and must not escape the [localNodeContext].
+	// It is mutated in place (with mu held) and must not escape the [nodeBackend].
 	nodeByAddr map[netip.Addr]tailcfg.NodeID
 }
 
-func newLocalNodeContext() *localNodeContext {
-	cn := &localNodeContext{}
+func newNodeBackend() *nodeBackend {
+	cn := &nodeBackend{}
 	// Default filter blocks everything and logs nothing.
 	noneFilter := filter.NewAllowNone(logger.Discard, &netipx.IPSet{})
 	cn.filterAtomic.Store(noneFilter)
 	return cn
 }
 
-func (c *localNodeContext) Self() tailcfg.NodeView {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.netMap == nil {
+func (nb *nodeBackend) Self() tailcfg.NodeView {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil {
 		return tailcfg.NodeView{}
 	}
-	return c.netMap.SelfNode
+	return nb.netMap.SelfNode
 }
 
-func (c *localNodeContext) SelfUserID() tailcfg.UserID {
-	self := c.Self()
+func (nb *nodeBackend) SelfUserID() tailcfg.UserID {
+	self := nb.Self()
 	if !self.Valid() {
 		return 0
 	}
@@ -105,59 +105,59 @@ func (c *localNodeContext) SelfUserID() tailcfg.UserID {
 }
 
 // SelfHasCap reports whether the specified capability was granted to the self node in the most recent netmap.
-func (c *localNodeContext) SelfHasCap(wantCap tailcfg.NodeCapability) bool {
-	return c.SelfHasCapOr(wantCap, false)
+func (nb *nodeBackend) SelfHasCap(wantCap tailcfg.NodeCapability) bool {
+	return nb.SelfHasCapOr(wantCap, false)
 }
 
-// SelfHasCapOr is like [localNodeContext.SelfHasCap], but returns the specified default value
+// SelfHasCapOr is like [nodeBackend.SelfHasCap], but returns the specified default value
 // if the netmap is not available yet.
-func (c *localNodeContext) SelfHasCapOr(wantCap tailcfg.NodeCapability, def bool) bool {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.netMap == nil {
+func (nb *nodeBackend) SelfHasCapOr(wantCap tailcfg.NodeCapability, def bool) bool {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil {
 		return def
 	}
-	return c.netMap.AllCaps.Contains(wantCap)
+	return nb.netMap.AllCaps.Contains(wantCap)
 }
 
-func (c *localNodeContext) NetworkProfile() ipn.NetworkProfile {
-	c.mu.Lock()
-	defer c.mu.Unlock()
+func (nb *nodeBackend) NetworkProfile() ipn.NetworkProfile {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
 	return ipn.NetworkProfile{
 		// These are ok to call with nil netMap.
-		MagicDNSName: c.netMap.MagicDNSSuffix(),
-		DomainName:   c.netMap.DomainName(),
+		MagicDNSName: nb.netMap.MagicDNSSuffix(),
+		DomainName:   nb.netMap.DomainName(),
 	}
 }
 
 // TODO(nickkhyl): update it to return a [tailcfg.DERPMapView]?
-func (c *localNodeContext) DERPMap() *tailcfg.DERPMap {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.netMap == nil {
+func (nb *nodeBackend) DERPMap() *tailcfg.DERPMap {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil {
 		return nil
 	}
-	return c.netMap.DERPMap
+	return nb.netMap.DERPMap
 }
 
-func (c *localNodeContext) NodeByAddr(ip netip.Addr) (_ tailcfg.NodeID, ok bool) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	nid, ok := c.nodeByAddr[ip]
+func (nb *nodeBackend) NodeByAddr(ip netip.Addr) (_ tailcfg.NodeID, ok bool) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	nid, ok := nb.nodeByAddr[ip]
 	return nid, ok
 }
 
-func (c *localNodeContext) NodeByKey(k key.NodePublic) (_ tailcfg.NodeID, ok bool) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.netMap == nil {
+func (nb *nodeBackend) NodeByKey(k key.NodePublic) (_ tailcfg.NodeID, ok bool) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	if nb.netMap == nil {
 		return 0, false
 	}
-	if self := c.netMap.SelfNode; self.Valid() && self.Key() == k {
+	if self := nb.netMap.SelfNode; self.Valid() && self.Key() == k {
 		return self.ID(), true
 	}
 	// TODO(bradfitz,nickkhyl): add nodeByKey like nodeByAddr instead of walking peers.
-	for _, n := range c.peers {
+	for _, n := range nb.peers {
 		if n.Key() == k {
 			return n.ID(), true
 		}
@@ -165,17 +165,17 @@ func (c *localNodeContext) NodeByKey(k key.NodePublic) (_ tailcfg.NodeID, ok boo
 	return 0, false
 }
 
-func (c *localNodeContext) PeerByID(id tailcfg.NodeID) (_ tailcfg.NodeView, ok bool) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	n, ok := c.peers[id]
+func (nb *nodeBackend) PeerByID(id tailcfg.NodeID) (_ tailcfg.NodeView, ok bool) {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	n, ok := nb.peers[id]
 	return n, ok
 }
 
-func (c *localNodeContext) UserByID(id tailcfg.UserID) (_ tailcfg.UserProfileView, ok bool) {
-	c.mu.Lock()
-	nm := c.netMap
-	c.mu.Unlock()
+func (nb *nodeBackend) UserByID(id tailcfg.UserID) (_ tailcfg.UserProfileView, ok bool) {
+	nb.mu.Lock()
+	nm := nb.netMap
+	nb.mu.Unlock()
 	if nm == nil {
 		return tailcfg.UserProfileView{}, false
 	}
@@ -184,10 +184,10 @@ func (c *localNodeContext) UserByID(id tailcfg.UserID) (_ tailcfg.UserProfileVie
 }
 
 // Peers returns all the current peers in an undefined order.
-func (c *localNodeContext) Peers() []tailcfg.NodeView {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return slicesx.MapValues(c.peers)
+func (nb *nodeBackend) Peers() []tailcfg.NodeView {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return slicesx.MapValues(nb.peers)
 }
 
 // unlockedNodesPermitted reports whether any peer with theUnsignedPeerAPIOnly bool set true has any of its allowed IPs
@@ -195,13 +195,13 @@ func (c *localNodeContext) Peers() []tailcfg.NodeView {
 //
 // TODO(nickkhyl): It is here temporarily until we can move the whole [LocalBackend.updateFilterLocked] here,
 // but change it so it builds and returns a filter for the current netmap/prefs instead of re-configuring the engine filter.
-// Something like (*localNodeContext).RebuildFilters() (filter, jailedFilter *filter.Filter, changed bool) perhaps?
-func (c *localNodeContext) unlockedNodesPermitted(packetFilter []filter.Match) bool {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	return packetFilterPermitsUnlockedNodes(c.peers, packetFilter)
+// Something like (*nodeBackend).RebuildFilters() (filter, jailedFilter *filter.Filter, changed bool) perhaps?
+func (nb *nodeBackend) unlockedNodesPermitted(packetFilter []filter.Match) bool {
+	nb.mu.Lock()
+	defer nb.mu.Unlock()
+	return packetFilterPermitsUnlockedNodes(nb.peers, packetFilter)
 }
 
-func (c *localNodeContext) filter() *filter.Filter {
-	return c.filterAtomic.Load()
+func (nb *nodeBackend) filter() *filter.Filter {
+	return nb.filterAtomic.Load()
 }
diff --git a/ipn/ipnlocal/taildrop.go b/ipn/ipnlocal/taildrop.go
index 17ca40926..d8113d219 100644
--- a/ipn/ipnlocal/taildrop.go
+++ b/ipn/ipnlocal/taildrop.go
@@ -194,8 +194,8 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		if !p.Valid() || p.Hostinfo().OS() == "tvOS" {
 			return false
 		}
-		if self != p.User() {
-			return false
+		if self == p.User() {
+			return true
 		}
 		if p.Addresses().Len() != 0 && cn.PeerHasCap(p.Addresses().At(0).Addr(), tailcfg.PeerCapabilityFileSharingTarget) {
 			// Explicitly noted in the netmap ACL caps as a target.