Brad Fitzpatrick

That's mostly accurate except the ACLs part: the router isn't involved in that. The ACLs are enforced in shared code that's not OS-specific.

> If so it seems that keeping it in the netstack/userspace mode is the direction that tailscale is going and maybe that is what should be done here? That's not...

https://datatracker.ietf.org/doc/html/rfc4254#section-6.3

This is now fixed upstream in Go; see https://github.com/golang/go/issues/57333 It was backported to Go 1.18.x and Go 1.19.x branches (so will be in Go 1.18.10 or Go 1.19.5), and will...

(I haven't looked into what the panic is; just filing before I forget.)

Removing the recover, here's one of the panic stacks: ``` app.bsky.actor.profile/self panic: unreachable goroutine 1 [running]: github.com/polydawn/refmt/json.(*Encoder).flushValue(0x140002104d0?, 0x101ebddf9?) github.com/polydawn/[email protected]/json/jsonEncoder.go:218 +0x204 github.com/polydawn/refmt/json.(*Encoder).Step(0x140002104d0, 0x14000562150) github.com/polydawn/[email protected]/json/jsonEncoder.go:121 +0x89c github.com/polydawn/refmt/shared.TokenPump.Run({{0x1019c9000?, 0x14000032960?}, {0x1019c9080?, 0x140002104d0?}}) github.com/polydawn/[email protected]/shared/pump.go:35 +0x80...

It could be just an environment variable for now. But that's hard for Windows users and doesn't work at all currently with netext/sysext macOS.

But I agree there needs to be a plan for CLI and config overall. I guess ignored interfaces really is account specific. I could imagine difficult tailnets wanting that to...

Sorry, I should've been more explicit that I didn't actually see a data race. I never ran the code. I just read the diff and was suspicious. Thanks for looking!

@dblohm7 wrote on #6428: > How should we solve this? > Prereq: No more NSIS installer. 100% MSI. > Needs changes both on client and server-side (probably pkgs)