From 50c976d3f18fde14728a6e1099d4c738ff434963 Mon Sep 17 00:00:00 2001
From: David Crawshaw <crawshaw@tailscale.com>
Date: Thu, 27 May 2021 10:09:35 -0700
Subject: [PATCH 1/4] cmd/tailscale: show web 'login' error message

For #1939

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
---
 cmd/tailscale/cli/web.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cmd/tailscale/cli/web.go b/cmd/tailscale/cli/web.go
index 67de1c29c..ecfb5c481 100644
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -214,7 +214,8 @@ type mi map[string]interface{
 		w.Header().Set("Content-Type", "application/json")
 		url, err := tailscaleUpForceReauth(r.Context())
 		if err != nil {
-			json.NewEncoder(w).Encode(mi{"error": err})
+			w.WriteHeader(500)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
 		json.NewEncoder(w).Encode(mi{"url": url})

From 82b217f82e83749967e382a48869a800c5e93600 Mon Sep 17 00:00:00 2001
From: David Crawshaw <crawshaw@tailscale.com>
Date: Thu, 27 May 2021 10:18:42 -0700
Subject: [PATCH 2/4] cmd/tailscale: have web POST wait for authURL

Fixes #1939

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
---
 cmd/tailscale/cli/web.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cmd/tailscale/cli/web.go b/cmd/tailscale/cli/web.go
index ecfb5c481..38fb737e5 100644
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -321,6 +321,10 @@ func tailscaleUpForceReauth(ctx context.Context) (authURL string, retErr error)
 	})
 	bc.StartLoginInteractive()
 
+	<-pumpCtx.Done() // wait for authURL or complete failure
+	if authURL == "" && retErr == nil {
+		retErr = pumpCtx.Err()
+	}
 	if authURL == "" && retErr == nil {
 		return "", fmt.Errorf("login failed with no backend error message")
 	}

From a04801e037367a1bcbed309d3c44e57b4c011688 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Thu, 27 May 2021 10:07:17 -0700
Subject: [PATCH 3/4] ipn/ipnlocal: ignore NetfilterMode pref on Synology

On clean installs we didn't set use iptables, but during upgrades it
looks like we could use old prefs that directed us to go into the iptables
paths that might fail on Synology.

Updates #1995
Fixes tailscale/tailscale-synology#57 (I think)

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 ipn/ipnlocal/local.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index da4600ba3..6c00814a1 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -44,11 +44,13 @@
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
+	"tailscale.com/types/preftype"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
 	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -2026,6 +2028,11 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		Routes:           peerRoutes(cfg.Peers, 10_000),
 	}
 
+	if distro.Get() == distro.Synology {
+		// Issue 1995: we don't use iptables on Synology.
+		rs.NetfilterMode = preftype.NetfilterOff
+	}
+
 	// Sanity check: we expect the control server to program both a v4
 	// and a v6 default route, if default routing is on. Fill in
 	// blackhole routes appropriately if we're missing some. This is

From 35749ec2973e7ec6d7b7436faa4d2d0989e29821 Mon Sep 17 00:00:00 2001
From: Christine Dodrill <xe@tailscale.com>
Date: Thu, 27 May 2021 14:29:29 -0400
Subject: [PATCH 4/4] tstest/integration/vms: small cleanups (#1989)

Updates #1988

Signed-off-by: Christine Dodrill <xe@tailscale.com>
---
 tstest/integration/vms/vms_test.go | 43 +++++++++++++++++-------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/tstest/integration/vms/vms_test.go b/tstest/integration/vms/vms_test.go
index 65826923b..ddbd86dc2 100644
--- a/tstest/integration/vms/vms_test.go
+++ b/tstest/integration/vms/vms_test.go
@@ -35,9 +35,8 @@
 
 type Distro struct {
 	name           string // amazon-linux
-	size           string // 5
 	url            string // URL to a qcow2 image
-	sha256sum      string // hex-encoded sha256 sum
+	sha256sum      string // hex-encoded sha256 sum of contents of URL
 	mem            int    // VM memory in megabytes
 	packageManager string // yum/apt/dnf/zypper
 }
@@ -109,8 +108,8 @@ func fetchDistro(t *testing.T, resultDistro Distro) {
 		hash := hex.EncodeToString(hasher.Sum(nil))
 
 		if hash != resultDistro.sha256sum {
-			t.Logf("want: %q", resultDistro.sha256sum)
 			t.Logf("got:  %q", hash)
+			t.Logf("want: %q", resultDistro.sha256sum)
 			t.Fatal("hash mismatch, someone is doing something nasty")
 		}
 
@@ -175,7 +174,10 @@ func mkSeed(t *testing.T, d Distro, sshKey, hostURL, tdir string, port int) {
 			t.Fatal(err)
 		}
 
-		fout.Close()
+		err = fout.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 	}
 
 	// make user-data
@@ -202,7 +204,10 @@ func mkSeed(t *testing.T, d Distro, sshKey, hostURL, tdir string, port int) {
 			t.Fatal(err)
 		}
 
-		fout.Close()
+		err = fout.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
 	}
 
 	run(t, tdir, "genisoimage",
@@ -285,20 +290,20 @@ func TestVMIntegrationEndToEnd(t *testing.T) {
 	}
 
 	distros := []Distro{
-		{"amazon-linux", "25", "https://cdn.amazonlinux.com/os-images/2.0.20210427.0/kvm/amzn2-kvm-2.0.20210427.0-x86_64.xfs.gpt.qcow2", "6ef9daef32cec69b2d0088626ec96410cd24afc504d57278bbf2f2ba2b7e529b", 512, "yum"},
-		{"centos-7", "8", "https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2", "1db30c9c272fb37b00111b93dcebff16c278384755bdbe158559e9c240b73b80", 512, "yum"},
-		{"centos-8", "10", "https://cloud.centos.org/centos/8/x86_64/images/CentOS-8-GenericCloud-8.3.2011-20201204.2.x86_64.qcow2", "7ec97062618dc0a7ebf211864abf63629da1f325578868579ee70c495bed3ba0", 768, "dnf"},
-		{"debian-9", "5", "https://cdimage.debian.org/cdimage/openstack/9.13.21-20210511/debian-9.13.21-20210511-openstack-amd64.qcow2", "0667a08e2d947b331aee068db4bbf3a703e03edaf5afa52e23d534adff44b62a", 512, "apt"},
-		{"debian-10", "5", "https://cdimage.debian.org/images/cloud/buster/20210329-591/debian-10-generic-amd64-20210329-591.qcow2", "70c61956095870c4082103d1a7a1cb5925293f8405fc6cb348588ec97e8611b0", 768, "apt"},
-		{"fedora-34", "5", "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2", "b9b621b26725ba95442d9a56cbaa054784e0779a9522ec6eafff07c6e6f717ea", 768, "dnf"},
-		{"opensuse-leap-15.1", "10", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.1/images/openSUSE-Leap-15.1-OpenStack.x86_64.qcow2", "3203e256dab5981ca3301408574b63bc522a69972fbe9850b65b54ff44a96e0a", 512, "zypper"},
-		{"opensuse-leap-15.2", "10", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.2/images/openSUSE-Leap-15.2-OpenStack.x86_64.qcow2", "4df9cee9281d1f57d20f79dc65d76e255592b904760e73c0dd44ac753a54330f", 512, "zypper"},
-		{"opensuse-tumbleweed", "5", "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-JeOS.x86_64-OpenStack-Cloud.qcow2", "f5a40c693187dddc524b0877b0aba31cdb6f2e78f12acce0bbb2975ec120dfc0", 512, "zypper"},
-		{"ubuntu-16-04", "5", "https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img", "50a21bc067c05e0c73bf5d8727ab61152340d93073b3dc32eff18b626f7d813b", 512, "apt"},
-		{"ubuntu-18-04", "5", "https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-amd64.img", "78f09b6086367914d23f26e38c3cd88a2aaf1a6a4500ebd46c74ad60c56c1585", 512, "apt"},
-		{"ubuntu-20-04", "5", "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img", "513158b22ff0f08d0a078d8d60293bcddffdb17094a7809c76c52aba415ecc54", 512, "apt"},
-		{"ubuntu-20-10", "5", "https://cloud-images.ubuntu.com/groovy/current/groovy-server-cloudimg-amd64.img", "c1332c24557389a129ff98fa169e34cb53c02555ed702a235e26b8978dd004c3", 512, "apt"},
-		{"ubuntu-21-04", "5", "https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64.img", "2f8a562637340a026f712594f1257673543d74725d8e3daf88d533d7b8bf448f", 512, "apt"},
+		{"amazon-linux", "https://cdn.amazonlinux.com/os-images/2.0.20210427.0/kvm/amzn2-kvm-2.0.20210427.0-x86_64.xfs.gpt.qcow2", "6ef9daef32cec69b2d0088626ec96410cd24afc504d57278bbf2f2ba2b7e529b", 512, "yum"},
+		{"centos-7", "https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2", "1db30c9c272fb37b00111b93dcebff16c278384755bdbe158559e9c240b73b80", 512, "yum"},
+		{"centos-8", "https://cloud.centos.org/centos/8/x86_64/images/CentOS-8-GenericCloud-8.3.2011-20201204.2.x86_64.qcow2", "7ec97062618dc0a7ebf211864abf63629da1f325578868579ee70c495bed3ba0", 768, "dnf"},
+		{"debian-9", "https://cdimage.debian.org/cdimage/openstack/9.13.21-20210511/debian-9.13.21-20210511-openstack-amd64.qcow2", "0667a08e2d947b331aee068db4bbf3a703e03edaf5afa52e23d534adff44b62a", 512, "apt"},
+		{"debian-10", "https://cdimage.debian.org/images/cloud/buster/20210329-591/debian-10-generic-amd64-20210329-591.qcow2", "70c61956095870c4082103d1a7a1cb5925293f8405fc6cb348588ec97e8611b0", 768, "apt"},
+		{"fedora-34", "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2", "b9b621b26725ba95442d9a56cbaa054784e0779a9522ec6eafff07c6e6f717ea", 768, "dnf"},
+		{"opensuse-leap-15.1", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.1/images/openSUSE-Leap-15.1-OpenStack.x86_64.qcow2", "3203e256dab5981ca3301408574b63bc522a69972fbe9850b65b54ff44a96e0a", 512, "zypper"},
+		{"opensuse-leap-15.2", "https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.2/images/openSUSE-Leap-15.2-OpenStack.x86_64.qcow2", "4df9cee9281d1f57d20f79dc65d76e255592b904760e73c0dd44ac753a54330f", 512, "zypper"},
+		{"opensuse-tumbleweed", "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-JeOS.x86_64-OpenStack-Cloud.qcow2", "f5a40c693187dddc524b0877b0aba31cdb6f2e78f12acce0bbb2975ec120dfc0", 512, "zypper"},
+		{"ubuntu-16-04", "https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img", "50a21bc067c05e0c73bf5d8727ab61152340d93073b3dc32eff18b626f7d813b", 512, "apt"},
+		{"ubuntu-18-04", "https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-amd64.img", "78f09b6086367914d23f26e38c3cd88a2aaf1a6a4500ebd46c74ad60c56c1585", 512, "apt"},
+		{"ubuntu-20-04", "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img", "513158b22ff0f08d0a078d8d60293bcddffdb17094a7809c76c52aba415ecc54", 512, "apt"},
+		{"ubuntu-20-10", "https://cloud-images.ubuntu.com/groovy/current/groovy-server-cloudimg-amd64.img", "c1332c24557389a129ff98fa169e34cb53c02555ed702a235e26b8978dd004c3", 512, "apt"},
+		{"ubuntu-21-04", "https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64.img", "2f8a562637340a026f712594f1257673543d74725d8e3daf88d533d7b8bf448f", 512, "apt"},
 	}
 
 	dir := t.TempDir()