net/netaddr: start migrating to net/netip via new netaddr adapter package

Updates #5162

Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick
2022-07-24 20:08:42 -07:00
committed by Brad Fitzpatrick
parent 7b1a91dfd3
commit 7eaf5e509f
191 changed files with 1009 additions and 888 deletions
+2 -2
@@ -17,7 +17,7 @@ import (
"strconv"
"time"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/logger"
)
@@ -87,7 +87,7 @@ func main() {
}
logf("initialized ok.")
traf.Start(Addr1.IP(), Addr2.IP(), PayloadSize+ICMPMinSize, 0)
traf.Start(Addr1.Addr(), Addr2.Addr(), PayloadSize+ICMPMinSize, 0)
var cur, prev Snapshot
var pps int64
+1 -1
@@ -79,7 +79,7 @@ func runOnce(b *testing.B, setup SetupFunc, payload int) {
logf("initialized. (n=%v)", b.N)
b.SetBytes(int64(payload))
traf.Start(Addr1.IP(), Addr2.IP(), payload, int64(b.N))
traf.Start(Addr1.Addr(), Addr2.Addr(), payload, int64(b.N))
var cur, prev Snapshot
var pps int64
+1 -1
@@ -11,7 +11,7 @@ import (
"sync"
"time"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/types/ipproto"
)
+1 -1
@@ -13,7 +13,7 @@ import (
"testing"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/net/dns"
"tailscale.com/tailcfg"
+18 -17
@@ -10,9 +10,10 @@ import (
"sync"
"time"
"inet.af/netaddr"
"go4.org/netipx"
"tailscale.com/envknob"
"tailscale.com/net/flowtrack"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/tstime/rate"
"tailscale.com/types/ipproto"
@@ -26,12 +27,12 @@ type Filter struct {
// this node. All packets coming in over tailscale must have a
// destination within local, regardless of the policy filter
// below.
local *netaddr.IPSet
local *netipx.IPSet
// logIPs is the set of IPs that are allowed to appear in flow
// logs. If a packet is to or from an IP not in logIPs, it will
// never be logged.
logIPs *netaddr.IPSet
logIPs *netipx.IPSet
// matches4 and matches6 are lists of match->action rules
// applied to all packets arriving over tailscale
@@ -137,7 +138,7 @@ func NewAllowAllForTest(logf logger.Logf) *Filter {
},
}
var sb netaddr.IPSetBuilder
var sb netipx.IPSetBuilder
sb.AddPrefix(any4)
sb.AddPrefix(any6)
ipSet, _ := sb.IPSet()
@@ -145,15 +146,15 @@ func NewAllowAllForTest(logf logger.Logf) *Filter {
}
// NewAllowNone returns a packet filter that rejects everything.
func NewAllowNone(logf logger.Logf, logIPs *netaddr.IPSet) *Filter {
return New(nil, &netaddr.IPSet{}, logIPs, nil, logf)
func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter {
return New(nil, &netipx.IPSet{}, logIPs, nil, logf)
}
// NewShieldsUpFilter returns a packet filter that rejects incoming connections.
//
// If shareStateWith is non-nil, the returned filter shares state with the previous one,
// as long as the previous one was also a shields up filter.
func NewShieldsUpFilter(localNets *netaddr.IPSet, logIPs *netaddr.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter {
func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter {
// Don't permit sharing state with a prior filter that wasn't a shields-up filter.
if shareStateWith != nil && !shareStateWith.shieldsUp {
shareStateWith = nil
@@ -168,7 +169,7 @@ func NewShieldsUpFilter(localNets *netaddr.IPSet, logIPs *netaddr.IPSet, shareSt
// by matches. If shareStateWith is non-nil, the returned filter
// shares state with the previous one, to enable changing rules at
// runtime without breaking existing stateful flows.
func New(matches []Match, localNets *netaddr.IPSet, logIPs *netaddr.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter {
func New(matches []Match, localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter {
var state *filterState
if shareStateWith != nil {
state = shareStateWith.state
@@ -198,12 +199,12 @@ func matchesFamily(ms matches, keep func(netaddr.IP) bool) matches {
var retm Match
retm.IPProto = m.IPProto
for _, src := range m.Srcs {
if keep(src.IP()) {
if keep(src.Addr()) {
retm.Srcs = append(retm.Srcs, src)
}
}
for _, dst := range m.Dsts {
if keep(dst.Net.IP()) {
if keep(dst.Net.Addr()) {
retm.Dsts = append(retm.Dsts, dst)
}
}
@@ -224,7 +225,7 @@ func capMatchesFunc(ms matches, keep func(netaddr.IP) bool) matches {
}
retm := Match{Caps: m.Caps}
for _, src := range m.Srcs {
if keep(src.IP()) {
if keep(src.Addr()) {
retm.Srcs = append(retm.Srcs, src)
}
}
@@ -390,7 +391,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
// A compromised peer could try to send us packets for
// destinations we didn't explicitly advertise. This check is to
// prevent that.
if !f.local.Contains(q.Dst.IP()) {
if !f.local.Contains(q.Dst.Addr()) {
return Drop, "destination not allowed"
}
@@ -450,7 +451,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
// A compromised peer could try to send us packets for
// destinations we didn't explicitly advertise. This check is to
// prevent that.
if !f.local.Contains(q.Dst.IP()) {
if !f.local.Contains(q.Dst.Addr()) {
return Drop, "destination not allowed"
}
@@ -555,11 +556,11 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
return Drop
}
if q.Dst.IP().IsMulticast() {
if q.Dst.Addr().IsMulticast() {
f.logRateLimit(rf, q, dir, Drop, "multicast")
return Drop
}
if q.Dst.IP().IsLinkLocalUnicast() && q.Dst.IP() != gcpDNSAddr {
if q.Dst.Addr().IsLinkLocalUnicast() && q.Dst.Addr() != gcpDNSAddr {
f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
return Drop
}
@@ -581,7 +582,7 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
// loggingAllowed reports whether p can appear in logs at all.
func (f *Filter) loggingAllowed(p *packet.Parsed) bool {
return f.logIPs.Contains(p.Src.IP()) && f.logIPs.Contains(p.Dst.IP())
return f.logIPs.Contains(p.Src.Addr()) && f.logIPs.Contains(p.Dst.Addr())
}
// omitDropLogging reports whether packet p, which has already been
@@ -593,5 +594,5 @@ func omitDropLogging(p *packet.Parsed, dir direction) bool {
return false
}
return p.Dst.IP().IsMulticast() || (p.Dst.IP().IsLinkLocalUnicast() && p.Dst.IP() != gcpDNSAddr) || p.IPProto == ipproto.IGMP
return p.Dst.Addr().IsMulticast() || (p.Dst.Addr().IsLinkLocalUnicast() && p.Dst.Addr() != gcpDNSAddr) || p.IPProto == ipproto.IGMP
}
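Review bot: The doc comments on `New` and `NewAllowNone` do not say whether `localNets` and `logIPs` may be nil, and the re-typed `*netipx.IPSet` signatures are a natural place to state it. `NewAllowNone` substitutes `&netipx.IPSet{}` for the local set but forwards the caller's `logIPs` unchanged, while `runIn4`, `runIn6` and `loggingAllowed` call `Contains` on `f.local` and `f.logIPs` without a nil check. The body of `New` is outside the hunks shown, so whether it replaces a nil set is not visible; if it does not, a nil argument would presumably fault on the packet path rather than fail closed. A line such as `// localNets and logIPs must be non-nil; use &netipx.IPSet{} for the empty set.` on both constructors (or the opposite statement, if nil is handled) would settle it.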
+3 -2
@@ -7,7 +7,8 @@
package filter
import (
"inet.af/netaddr"
"net/netip"
"tailscale.com/types/ipproto"
)
@@ -29,7 +30,7 @@ func (src *Match) Clone() *Match {
// A compilation failure here means this code must be regenerated, with the command at the top of this file.
var _MatchCloneNeedsRegeneration = Match(struct {
IPProto []ipproto.Proto
Srcs []netaddr.IPPrefix
Srcs []netip.Prefix
Dsts []NetPortRange
Caps []CapMatch
}{})
+10 -9
@@ -13,7 +13,8 @@ import (
"testing"
"github.com/google/go-cmp/cmp"
"inet.af/netaddr"
"go4.org/netipx"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/net/tsaddr"
"tailscale.com/tailcfg"
@@ -58,12 +59,12 @@ func newFilter(logf logger.Logf) *Filter {
// Expects traffic to 100.122.98.50, 1.2.3.4, 5.6.7.8,
// 102.102.102.102, 119.119.119.119, 8.1.0.0/16
var localNets netaddr.IPSetBuilder
var localNets netipx.IPSetBuilder
for _, n := range nets("100.122.98.50", "1.2.3.4", "5.6.7.8", "102.102.102.102", "119.119.119.119", "8.1.0.0/16", "2001::/16") {
localNets.AddPrefix(n)
}
var logB netaddr.IPSetBuilder
var logB netipx.IPSetBuilder
logB.Complement()
localNetsSet, _ := localNets.IPSet()
logBSet, _ := logB.IPSet()
@@ -140,9 +141,9 @@ func TestFilter(t *testing.T) {
if test.p.IPProto == ipproto.TCP {
var got Response
if test.p.IPVersion == 4 {
got = acl.CheckTCP(test.p.Src.IP(), test.p.Dst.IP(), test.p.Dst.Port())
got = acl.CheckTCP(test.p.Src.Addr(), test.p.Dst.Addr(), test.p.Dst.Port())
} else {
got = acl.CheckTCP(test.p.Src.IP(), test.p.Dst.IP(), test.p.Dst.Port())
got = acl.CheckTCP(test.p.Src.Addr(), test.p.Dst.Addr(), test.p.Dst.Port())
}
if test.want != got {
t.Errorf("#%d CheckTCP got=%v want=%v packet:%v", i, got, test.want, test.p)
@@ -340,7 +341,7 @@ func TestPreFilter(t *testing.T) {
{"udp", noVerdict, raw4default(ipproto.UDP, 0)},
{"icmp", noVerdict, raw4default(ipproto.ICMPv4, 0)},
}
f := NewAllowNone(t.Logf, &netaddr.IPSet{})
f := NewAllowNone(t.Logf, &netipx.IPSet{})
for _, testPacket := range packets {
p := &packet.Parsed{}
p.Decode(testPacket.b)
@@ -437,16 +438,16 @@ func TestLoggingPrivacy(t *testing.T) {
logged = true
}
var logB netaddr.IPSetBuilder
var logB netipx.IPSetBuilder
logB.AddPrefix(netaddr.MustParseIPPrefix("100.64.0.0/10"))
logB.AddPrefix(tsaddr.TailscaleULARange())
f := newFilter(logf)
f.logIPs, _ = logB.IPSet()
var (
ts4 = netaddr.IPPortFrom(tsaddr.CGNATRange().IP().Next(), 1234)
ts4 = netaddr.IPPortFrom(tsaddr.CGNATRange().Addr().Next(), 1234)
internet4 = netaddr.IPPortFrom(netaddr.MustParseIP("8.8.8.8"), 1234)
ts6 = netaddr.IPPortFrom(tsaddr.TailscaleULARange().IP().Next(), 1234)
ts6 = netaddr.IPPortFrom(tsaddr.TailscaleULARange().Addr().Next(), 1234)
internet6 = netaddr.IPPortFrom(netaddr.MustParseIP("2001::1"), 1234)
)
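Review bot: In `TestFilter` the `if test.p.IPVersion == 4 { ... } else { ... }` holds the same `acl.CheckTCP(test.p.Src.Addr(), test.p.Dst.Addr(), test.p.Dst.Port())` call in both arms, so the branch selects nothing. Since both lines are being rewritten anyway, the branch could collapse to a single `got := acl.CheckTCP(test.p.Src.Addr(), test.p.Dst.Addr(), test.p.Dst.Port())`, which also removes the separate `var got Response`. The enclosing loop starts and ends outside the hunk.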
+7 -7
@@ -8,7 +8,7 @@ import (
"fmt"
"strings"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/types/ipproto"
)
@@ -99,11 +99,11 @@ func (ms matches) match(q *packet.Parsed) bool {
if !protoInList(q.IPProto, m.IPProto) {
continue
}
if !ipInList(q.Src.IP(), m.Srcs) {
if !ipInList(q.Src.Addr(), m.Srcs) {
continue
}
for _, dst := range m.Dsts {
if !dst.Net.Contains(q.Dst.IP()) {
if !dst.Net.Contains(q.Dst.Addr()) {
continue
}
if !dst.Ports.contains(q.Dst.Port()) {
@@ -117,11 +117,11 @@ func (ms matches) match(q *packet.Parsed) bool {
func (ms matches) matchIPsOnly(q *packet.Parsed) bool {
for _, m := range ms {
if !ipInList(q.Src.IP(), m.Srcs) {
if !ipInList(q.Src.Addr(), m.Srcs) {
continue
}
for _, dst := range m.Dsts {
if dst.Net.Contains(q.Dst.IP()) {
if dst.Net.Contains(q.Dst.Addr()) {
return true
}
}
@@ -137,14 +137,14 @@ func (ms matches) matchProtoAndIPsOnlyIfAllPorts(q *packet.Parsed) bool {
if !protoInList(q.IPProto, m.IPProto) {
continue
}
if !ipInList(q.Src.IP(), m.Srcs) {
if !ipInList(q.Src.Addr(), m.Srcs) {
continue
}
for _, dst := range m.Dsts {
if dst.Ports != allPorts {
continue
}
if dst.Net.Contains(q.Dst.IP()) {
if dst.Net.Contains(q.Dst.Addr()) {
return true
}
}
+4 -3
@@ -8,7 +8,8 @@ import (
"fmt"
"strings"
"inet.af/netaddr"
"go4.org/netipx"
"tailscale.com/net/netaddr"
"tailscale.com/tailcfg"
"tailscale.com/types/ipproto"
)
@@ -140,7 +141,7 @@ func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
if err != nil {
return nil, err
}
r := netaddr.IPRangeFrom(ip1, ip2)
r := netipx.IPRangeFrom(ip1, ip2)
if !r.Valid() {
return nil, fmt.Errorf("invalid IP range %q", arg)
}
@@ -150,7 +151,7 @@ func parseIPSet(arg string, bits *int) ([]netaddr.IPPrefix, error) {
if err != nil {
return nil, fmt.Errorf("invalid IP address %q", arg)
}
bits8 := ip.BitLen()
bits8 := uint8(ip.BitLen())
if bits != nil {
if *bits < 0 || *bits > int(bits8) {
return nil, fmt.Errorf("invalid CIDR size %d for IP %q", *bits, arg)
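Review bot: `bits8 := uint8(ip.BitLen())` in `parseIPSet` narrows an `int`, and the comparison two lines later widens it again with `int(bits8)`; a short comment would tell readers why the narrowing is safe. Assuming `ip` is now a `netip.Addr`, `BitLen` yields only 0, 32 or 128, so nothing is truncated: `// BitLen is 0, 32 or 128; the uint8 conversion cannot truncate.` The rest of the function is outside the hunk, so the `uint8` may still be needed further down; if it is not, keeping `bits8` as an `int` would drop both conversions.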
+2 -2
@@ -13,7 +13,7 @@ import (
"strings"
"time"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/tailcfg"
"tailscale.com/tstime/mono"
"tailscale.com/types/key"
@@ -195,7 +195,7 @@ func peerDebugName(p *tailcfg.Node) string {
}
func ipPortLess(a, b netaddr.IPPort) bool {
if v := a.IP().Compare(b.IP()); v != 0 {
if v := a.Addr().Compare(b.Addr()); v != 0 {
return v < 0
}
return a.Port() < b.Port()
+74 -59
@@ -29,7 +29,6 @@ import (
"go4.org/mem"
"golang.zx2c4.com/wireguard/conn"
"inet.af/netaddr"
"tailscale.com/control/controlclient"
"tailscale.com/derp"
"tailscale.com/derp/derphttp"
@@ -39,6 +38,7 @@ import (
"tailscale.com/logtail/backoff"
"tailscale.com/net/dnscache"
"tailscale.com/net/interfaces"
"tailscale.com/net/netaddr"
"tailscale.com/net/netcheck"
"tailscale.com/net/neterror"
"tailscale.com/net/netns"
@@ -55,7 +55,6 @@ import (
"tailscale.com/types/nettype"
"tailscale.com/util/clientmetric"
"tailscale.com/util/mak"
"tailscale.com/util/netconv"
"tailscale.com/util/uniq"
"tailscale.com/version"
"tailscale.com/wgengine/monitor"
@@ -890,7 +889,7 @@ func (c *Conn) Ping(peer *tailcfg.Node, res *ipnstate.PingResult, cb func(*ipnst
return
}
if len(peer.Addresses) > 0 {
res.NodeIP = peer.Addresses[0].IP().String()
res.NodeIP = peer.Addresses[0].Addr().String()
}
res.NodeName = peer.Name // prefer DNS name
if res.NodeName == "" {
@@ -911,7 +910,7 @@ func (c *Conn) Ping(peer *tailcfg.Node, res *ipnstate.PingResult, cb func(*ipnst
// c.mu must be held
func (c *Conn) populateCLIPingResponseLocked(res *ipnstate.PingResult, latency time.Duration, ep netaddr.IPPort) {
res.LatencySeconds = latency.Seconds()
if ep.IP() != derpMagicIPAddr {
if ep.Addr() != derpMagicIPAddr {
res.Endpoint = ep.String()
return
}
@@ -1049,7 +1048,7 @@ func (c *Conn) determineEndpoints(ctx context.Context) ([]tailcfg.Endpoint, erro
return
}
addAddr := func(ipp netaddr.IPPort, et tailcfg.EndpointType) {
if ipp.IsZero() || (debugOmitLocalAddresses && et == tailcfg.EndpointLocal) {
if !ipp.IsValid() || (debugOmitLocalAddresses && et == tailcfg.EndpointLocal) {
return
}
if _, ok := already[ipp]; !ok {
@@ -1185,23 +1184,16 @@ var errDropDerpPacket = errors.New("too many DERP packets queued; dropping")
var errNoUDP = errors.New("no UDP available on platform")
var udpAddrPool = &sync.Pool{
New: func() any { return new(net.UDPAddr) },
}
// sendUDP sends UDP packet b to ipp.
// See sendAddr's docs on the return value meanings.
func (c *Conn) sendUDP(ipp netaddr.IPPort, b []byte) (sent bool, err error) {
if runtime.GOOS == "js" {
return false, errNoUDP
}
ua := udpAddrPool.Get().(*net.UDPAddr)
sent, err = c.sendUDPStd(ipp.UDPAddrAt(ua), b)
sent, err = c.sendUDPStd(ipp, b)
if err != nil {
metricSendUDPError.Add(1)
} else {
// Only return it to the pool on success; Issue 3122.
udpAddrPool.Put(ua)
if sent {
metricSendUDP.Add(1)
}
@@ -1211,19 +1203,19 @@ func (c *Conn) sendUDP(ipp netaddr.IPPort, b []byte) (sent bool, err error) {
// sendUDP sends UDP packet b to addr.
// See sendAddr's docs on the return value meanings.
func (c *Conn) sendUDPStd(addr *net.UDPAddr, b []byte) (sent bool, err error) {
func (c *Conn) sendUDPStd(addr netip.AddrPort, b []byte) (sent bool, err error) {
switch {
case addr.IP.To4() != nil:
_, err = c.pconn4.WriteTo(b, addr)
case addr.Addr().Is4():
_, err = c.pconn4.WriteToUDPAddrPort(b, addr)
if err != nil && (c.noV4.Get() || neterror.TreatAsLostUDP(err)) {
return false, nil
}
case len(addr.IP) == net.IPv6len:
case addr.Addr().Is6():
if c.pconn6 == nil {
// ignore IPv6 dest if we don't have an IPv6 address.
return false, nil
}
_, err = c.pconn6.WriteTo(b, addr)
_, err = c.pconn6.WriteToUDPAddrPort(b, addr)
if err != nil && (c.noV6.Get() || neterror.TreatAsLostUDP(err)) {
return false, nil
}
@@ -1244,7 +1236,7 @@ func (c *Conn) sendUDPStd(addr *net.UDPAddr, b []byte) (sent bool, err error) {
// IPv6 address when the local machine doesn't have IPv6 support
// returns (false, nil); it's not an error, but nothing was sent.
func (c *Conn) sendAddr(addr netaddr.IPPort, pubKey key.NodePublic, b []byte) (sent bool, err error) {
if addr.IP() != derpMagicIPAddr {
if addr.Addr() != derpMagicIPAddr {
return c.sendUDP(addr, b)
}
@@ -1290,7 +1282,7 @@ const bufferedDerpWritesBeforeDrop = 32
// If peer is non-zero, it can be used to find an active reverse
// path, without using addr.
func (c *Conn) derpWriteChanOfAddr(addr netaddr.IPPort, peer key.NodePublic) chan<- derpWriteRequest {
if addr.IP() != derpMagicIPAddr {
if addr.Addr() != derpMagicIPAddr {
return nil
}
regionID := int(addr.Port())
@@ -1795,7 +1787,7 @@ func (c *Conn) sendDiscoMessage(dst netaddr.IPPort, dstKey key.NodePublic, dstDi
di := c.discoInfoLocked(dstDisco)
c.mu.Unlock()
isDERP := dst.IP() == derpMagicIPAddr
isDERP := dst.Addr() == derpMagicIPAddr
if isDERP {
metricSendDiscoDERP.Add(1)
} else {
@@ -1846,7 +1838,7 @@ func (c *Conn) sendDiscoMessage(dst netaddr.IPPort, dstKey key.NodePublic, dstDi
// * nonce [24]byte
// * naclbox of payload (see tailscale.com/disco package for inner payload format)
//
// For messages received over DERP, the src.IP() will be derpMagicIP (with
// For messages received over DERP, the src.Addr() will be derpMagicIP (with
// src.Port() being the region ID) and the derpNodeSrc will be the node key
// it was received from at the DERP layer. derpNodeSrc is zero when received
// over UDP.
@@ -1932,7 +1924,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort, derpNodeSrc ke
return
}
isDERP := src.IP() == derpMagicIPAddr
isDERP := src.Addr() == derpMagicIPAddr
if isDERP {
metricRecvDiscoDERP.Add(1)
} else {
@@ -2024,7 +2016,7 @@ func (c *Conn) handlePingLocked(dm *disco.Ping, src netaddr.IPPort, di *discoInf
likelyHeartBeat := src == di.lastPingFrom && time.Since(di.lastPingTime) < 5*time.Second
di.lastPingFrom = src
di.lastPingTime = time.Now()
isDerp := src.IP() == derpMagicIPAddr
isDerp := src.Addr() == derpMagicIPAddr
// If we can figure out with certainty which node key this disco
// message is for, eagerly update our IP<>node and disco<>node
@@ -2378,7 +2370,7 @@ func (c *Conn) SetNetworkMap(nm *netmap.NetworkMap) {
for _, a := range n.AllowedIPs {
if a.IsSingleIP() {
fmt.Fprintf(w, "aip=%v ", a.IP())
fmt.Fprintf(w, "aip=%v ", a.Addr())
} else {
fmt.Fprintf(w, "aip=%v ", a)
}
@@ -2442,7 +2434,7 @@ func (c *Conn) maybeCloseDERPsOnRebind(okayLocalIPs []netaddr.IPPrefix) {
c.closeOrReconectDERPLocked(regionID, "rebind-no-localaddr")
continue
}
if !tsaddr.PrefixesContainsIP(okayLocalIPs, la.IP()) {
if !tsaddr.PrefixesContainsIP(okayLocalIPs, la.Addr()) {
c.closeOrReconectDERPLocked(regionID, "rebind-default-route-change")
continue
}
@@ -2806,13 +2798,13 @@ func (c *Conn) initialBind() error {
// listenPacket opens a packet listener.
// The network must be "udp4" or "udp6".
func (c *Conn) listenPacket(network string, port uint16) (net.PacketConn, error) {
func (c *Conn) listenPacket(network string, port uint16) (nettype.PacketConn, error) {
ctx := context.Background() // unused without DNS name to resolve
addr := net.JoinHostPort("", fmt.Sprint(port))
if c.testOnlyPacketListener != nil {
return c.testOnlyPacketListener.ListenPacket(ctx, network, addr)
return nettype.MakePacketListenerWithNetIP(c.testOnlyPacketListener).ListenPacket(ctx, network, addr)
}
return netns.Listener(c.logf).ListenPacket(ctx, network, addr)
return nettype.MakePacketListenerWithNetIP(netns.Listener(c.logf)).ListenPacket(ctx, network, addr)
}
// bindSocket initializes rucPtr if necessary and binds a UDP socket to it.
@@ -2854,7 +2846,7 @@ func (c *Conn) bindSocket(rucPtr **RebindingUDPConn, network string, curPortFate
// Remove duplicates. (All duplicates are consecutive.)
uniq.ModifySlice(&ports, func(i, j int) bool { return ports[i] == ports[j] })
var pconn net.PacketConn
var pconn nettype.PacketConn
for _, port := range ports {
// Close the existing conn, in case it is sitting on the port we want.
err := ruc.closeLocked()
@@ -2943,7 +2935,7 @@ func (c *Conn) resetEndpointStates() {
// packIPPort packs an IPPort into the form wanted by WireGuard.
func packIPPort(ua netaddr.IPPort) []byte {
ip := ua.IP().Unmap()
ip := ua.Addr().Unmap()
a := ip.As16()
ipb := a[:]
if ip.Is4() {
@@ -2983,11 +2975,11 @@ func (c *Conn) ParseEndpoint(nodeKeyStr string) (conn.Endpoint, error) {
// Unix has no notion of re-binding a socket, so we swap it out for a new one.
type RebindingUDPConn struct {
mu sync.Mutex
pconn net.PacketConn
pconn nettype.PacketConn
}
// currentConn returns c's current pconn.
func (c *RebindingUDPConn) currentConn() net.PacketConn {
func (c *RebindingUDPConn) currentConn() nettype.PacketConn {
c.mu.Lock()
defer c.mu.Unlock()
return c.pconn
@@ -3021,9 +3013,7 @@ func (c *RebindingUDPConn) ReadFromNetaddr(b []byte) (n int, ipp netaddr.IPPort,
// This lets us avoid allocations by calling ReadFromUDPAddrPort.
// The non-*net.UDPConn case works, but it allocates.
if udpConn, ok := pconn.(*net.UDPConn); ok {
var ap netip.AddrPort
n, ap, err = udpConn.ReadFromUDPAddrPort(b)
ipp = netconv.AsIPPort(ap)
n, ipp, err = udpConn.ReadFromUDPAddrPort(b)
} else {
var addr net.Addr
n, addr, err = pconn.ReadFrom(b)
@@ -3094,6 +3084,26 @@ func (c *RebindingUDPConn) WriteTo(b []byte, addr net.Addr) (int, error) {
}
}
func (c *RebindingUDPConn) WriteToUDPAddrPort(b []byte, addr netip.AddrPort) (int, error) {
for {
c.mu.Lock()
pconn := c.pconn
c.mu.Unlock()
n, err := pconn.WriteToUDPAddrPort(b, addr)
if err != nil {
c.mu.Lock()
pconn2 := c.pconn
c.mu.Unlock()
if pconn != pconn2 {
continue
}
}
return n, err
}
}
func newBlockForeverConn() *blockForeverConn {
c := new(blockForeverConn)
c.cond = sync.NewCond(&c.mu)
@@ -3121,6 +3131,11 @@ func (c *blockForeverConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
return len(p), nil
}
func (c *blockForeverConn) WriteToUDPAddrPort(p []byte, addr netip.AddrPort) (int, error) {
// Silently drop writes.
return len(p), nil
}
func (c *blockForeverConn) LocalAddr() net.Addr {
// Return a *net.UDPAddr because lots of code assumes that it will.
return new(net.UDPAddr)
@@ -3153,11 +3168,11 @@ func simpleDur(d time.Duration) time.Duration {
}
func sbPrintAddr(sb *strings.Builder, a netaddr.IPPort) {
is6 := a.IP().Is6()
is6 := a.Addr().Is6()
if is6 {
sb.WriteByte('[')
}
fmt.Fprintf(sb, "%s", a.IP())
fmt.Fprintf(sb, "%s", a.Addr())
if is6 {
sb.WriteByte(']')
}
@@ -3197,8 +3212,8 @@ func (c *Conn) UpdateStatus(sb *ipnstate.StatusBuilder) {
if !addr.IsSingleIP() {
continue
}
sb.AddTailscaleIP(addr.IP())
tailscaleIPs = append(tailscaleIPs, addr.IP())
sb.AddTailscaleIP(addr.Addr())
tailscaleIPs = append(tailscaleIPs, addr.Addr())
}
}
@@ -3236,7 +3251,7 @@ func (c *Conn) UpdateStatus(sb *ipnstate.StatusBuilder) {
}
func ippDebugString(ua netaddr.IPPort) string {
if ua.IP() == derpMagicIPAddr {
if ua.Addr() == derpMagicIPAddr {
return fmt.Sprintf("derp-%d", ua.Port())
}
return ua.String()
@@ -3454,7 +3469,7 @@ func (de *endpoint) canP2P() bool {
// de.mu must be held.
func (de *endpoint) addrForSendLocked(now mono.Time) (udpAddr, derpAddr netaddr.IPPort) {
udpAddr = de.bestAddr.IPPort
if udpAddr.IsZero() || now.After(de.trustBestAddrUntil) {
if !udpAddr.IsValid() || now.After(de.trustBestAddrUntil) {
// We had a bestAddr but it expired so send both to it
// and DERP.
derpAddr = de.derpAddr
@@ -3488,7 +3503,7 @@ func (de *endpoint) heartbeat() {
now := mono.Now()
udpAddr, _ := de.addrForSendLocked(now)
if !udpAddr.IsZero() {
if udpAddr.IsValid() {
// We have a preferred path. Ping that every 2 seconds.
de.startPingLocked(udpAddr, now, pingHeartbeat)
}
@@ -3511,7 +3526,7 @@ func (de *endpoint) wantFullPingLocked(now mono.Time) bool {
if !de.canP2P() {
return false
}
if de.bestAddr.IsZero() || de.lastFullPing.IsZero() {
if !de.bestAddr.IsValid() || de.lastFullPing.IsZero() {
return true
}
if now.After(de.trustBestAddrUntil) {
@@ -3543,10 +3558,10 @@ func (de *endpoint) cliPing(res *ipnstate.PingResult, cb func(*ipnstate.PingResu
now := mono.Now()
udpAddr, derpAddr := de.addrForSendLocked(now)
if !derpAddr.IsZero() {
if derpAddr.IsValid() {
de.startPingLocked(derpAddr, now, pingCLI)
}
if !udpAddr.IsZero() && now.Before(de.trustBestAddrUntil) {
if udpAddr.IsValid() && now.Before(de.trustBestAddrUntil) {
// Already have an active session, so just ping the address we're using.
// Otherwise "tailscale ping" results to a node on the local network
// can look like they're bouncing between, say 10.0.0.0/9 and the peer's
@@ -3565,20 +3580,20 @@ func (de *endpoint) send(b []byte) error {
de.mu.Lock()
udpAddr, derpAddr := de.addrForSendLocked(now)
if de.canP2P() && (udpAddr.IsZero() || now.After(de.trustBestAddrUntil)) {
if de.canP2P() && (!udpAddr.IsValid() || now.After(de.trustBestAddrUntil)) {
de.sendPingsLocked(now, true)
}
de.noteActiveLocked()
de.mu.Unlock()
if udpAddr.IsZero() && derpAddr.IsZero() {
if !udpAddr.IsValid() && !derpAddr.IsValid() {
return errors.New("no UDP or DERP addr")
}
var err error
if !udpAddr.IsZero() {
if udpAddr.IsValid() {
_, err = de.c.sendAddr(udpAddr, de.publicKey, b)
}
if !derpAddr.IsZero() {
if derpAddr.IsValid() {
if ok, _ := de.c.sendAddr(derpAddr, de.publicKey, b); ok && err != nil {
// UDP failed but DERP worked, so good enough:
return nil
@@ -3594,7 +3609,7 @@ func (de *endpoint) pingTimeout(txid stun.TxID) {
if !ok {
return
}
if debugDisco || de.bestAddr.IsZero() || mono.Now().After(de.trustBestAddrUntil) {
if debugDisco || !de.bestAddr.IsValid() || mono.Now().After(de.trustBestAddrUntil) {
de.c.logf("[v1] magicsock: disco: timeout waiting for pong %x from %v (%v, %v)", txid[:6], sp.to, de.publicKey.ShortString(), de.discoShort)
}
de.removeSentPingLocked(txid, sp)
@@ -3710,7 +3725,7 @@ func (de *endpoint) sendPingsLocked(now mono.Time, sendCallMeMaybe bool) {
de.startPingLocked(ep, now, pingDiscovery)
}
derpAddr := de.derpAddr
if sentAny && sendCallMeMaybe && !derpAddr.IsZero() {
if sentAny && sendCallMeMaybe && derpAddr.IsValid() {
// Have our magicsock.Conn figure out its STUN endpoint (if
// it doesn't know already) and then send a CallMeMaybe
// message to our peer via DERP informing them that we've
@@ -3822,7 +3837,7 @@ func (de *endpoint) handlePongConnLocked(m *disco.Pong, di *discoInfo, src netad
de.mu.Lock()
defer de.mu.Unlock()
isDerp := src.IP() == derpMagicIPAddr
isDerp := src.Addr() == derpMagicIPAddr
sp, ok := de.sentPing[m.TxID]
if !ok {
@@ -3895,19 +3910,19 @@ func betterAddr(a, b addrLatency) bool {
if a.IPPort == b.IPPort {
return false
}
if b.IsZero() {
if !b.IsValid() {
return true
}
if a.IsZero() {
if !a.IsValid() {
return false
}
if a.IP().Is6() && b.IP().Is4() {
if a.Addr().Is6() && b.Addr().Is4() {
// Prefer IPv6 for being a bit more robust, as long as
// the latencies are roughly equivalent.
if a.latency/10*9 < b.latency {
return true
}
} else if a.IP().Is4() && b.IP().Is6() {
} else if a.Addr().Is4() && b.Addr().Is6() {
if betterAddr(b, a) {
return false
}
@@ -3952,7 +3967,7 @@ func (de *endpoint) handleCallMeMaybe(m *disco.CallMeMaybe) {
}
var newEPs []netaddr.IPPort
for _, ep := range m.MyNumber {
if ep.IP().Is6() && ep.IP().IsLinkLocalUnicast() {
if ep.Addr().Is6() && ep.Addr().IsLinkLocalUnicast() {
// We send these out, but ignore them for now.
// TODO: teach the ping code to ping on all interfaces
// for these.
@@ -4010,7 +4025,7 @@ func (de *endpoint) populatePeerStatus(ps *ipnstate.PeerStatus) {
ps.LastWrite = de.lastSend.WallTime()
ps.Active = now.Sub(de.lastSend) < sessionActiveTimeout
if udpAddr, derpAddr := de.addrForSendLocked(now); !udpAddr.IsZero() && derpAddr.IsZero() {
if udpAddr, derpAddr := de.addrForSendLocked(now); udpAddr.IsValid() && !derpAddr.IsValid() {
ps.CurAddr = udpAddr.String()
}
}
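Review bot: In `sendUDPStd` the socket is now chosen with `addr.Addr().Is4()` / `addr.Addr().Is6()`, which classifies an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) differently from the old `addr.IP.To4() != nil` test. `To4` is non-nil for the mapped form, so such a destination used to go out on `pconn4`; `netip.Addr.Is4` is false and `Is6` is true for it, so it now takes the `pconn6` arm and returns `(false, nil)` when `c.pconn6` is nil. If mapped addresses can reach this function (the callers are outside the hunks shown, so this is not visible), unmapping first keeps the old routing: `addr = netip.AddrPortFrom(addr.Addr().Unmap(), addr.Port())`. The remaining switch arms lie outside the hunk.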
+4 -5
@@ -30,10 +30,10 @@ import (
"go4.org/mem"
"golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/tun/tuntest"
"inet.af/netaddr"
"tailscale.com/derp"
"tailscale.com/derp/derphttp"
"tailscale.com/ipn/ipnstate"
"tailscale.com/net/netaddr"
"tailscale.com/net/stun/stuntest"
"tailscale.com/net/tstun"
"tailscale.com/tailcfg"
@@ -44,7 +44,6 @@ import (
"tailscale.com/types/netmap"
"tailscale.com/types/nettype"
"tailscale.com/util/cibuild"
"tailscale.com/util/netconv"
"tailscale.com/util/racebuild"
"tailscale.com/wgengine/filter"
"tailscale.com/wgengine/wgcfg"
@@ -511,7 +510,7 @@ func TestConnClosed(t *testing.T) {
cleanup = meshStacks(t.Logf, nil, ms1, ms2)
defer cleanup()
pkt := tuntest.Ping(netconv.AsAddr(ms2.IP()), netconv.AsAddr(ms1.IP()))
pkt := tuntest.Ping(ms2.IP(), ms1.IP())
if len(ms1.conn.activeDerp) == 0 {
t.Errorf("unexpected DERP empty got: %v want: >0", len(ms1.conn.activeDerp))
@@ -643,7 +642,7 @@ func TestNoDiscoKey(t *testing.T) {
break
}
pkt := tuntest.Ping(netconv.AsAddr(m2.IP()), netconv.AsAddr(m1.IP()))
pkt := tuntest.Ping(m2.IP(), m1.IP())
m1.tun.Outbound <- pkt
select {
case <-m2.tun.Inbound:
@@ -856,7 +855,7 @@ func newPinger(t *testing.T, logf logger.Logf, src, dst *magicStack) (cleanup fu
// failure). Figure out what kind of thing would be
// acceptable to test instead of "every ping must
// transit".
pkt := tuntest.Ping(netconv.AsAddr(dst.IP()), netconv.AsAddr(src.IP()))
pkt := tuntest.Ping(dst.IP(), src.IP())
select {
case src.tun.Outbound <- pkt:
case <-ctx.Done():
+1 -1
@@ -14,8 +14,8 @@ import (
"sync"
"time"
"inet.af/netaddr"
"tailscale.com/net/interfaces"
"tailscale.com/net/netaddr"
"tailscale.com/types/logger"
)
+2 -2
@@ -11,7 +11,7 @@ import (
"golang.org/x/net/route"
"golang.org/x/sys/unix"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/logger"
)
@@ -190,7 +190,7 @@ func fmtAddr(a route.Addr) any {
if a == nil {
return nil
}
if ip := ipOfAddr(a); !ip.IsZero() {
if ip := ipOfAddr(a); ip.IsValid() {
return ip
}
switch a := a.(type) {
+6 -6
@@ -14,8 +14,8 @@ import (
"github.com/jsimonetti/rtnetlink"
"github.com/mdlayher/netlink"
"golang.org/x/sys/unix"
"inet.af/netaddr"
"tailscale.com/envknob"
"tailscale.com/net/netaddr"
"tailscale.com/net/tsaddr"
"tailscale.com/types/logger"
)
@@ -167,7 +167,7 @@ func (c *nlConn) Receive() (message, error) {
if msg.Header.Type == unix.RTM_NEWROUTE &&
(rmsg.Attributes.Table == 255 || rmsg.Attributes.Table == 254) &&
(dst.IP().IsMulticast() || dst.IP().IsLinkLocalUnicast()) {
(dst.Addr().IsMulticast() || dst.Addr().IsLinkLocalUnicast()) {
if debugNetlinkMessages {
c.logf("%s ignored", typeStr)
@@ -180,7 +180,7 @@ func (c *nlConn) Receive() (message, error) {
if rmsg.Table == tsTable && dst.IsSingleIP() {
// Don't log. Spammy and normal to see a bunch of these on start-up,
// which we make ourselves.
} else if tsaddr.IsTailscaleIP(dst.IP()) {
} else if tsaddr.IsTailscaleIP(dst.Addr()) {
// Verbose only.
c.logf("%s: [v1] src=%v, dst=%v, gw=%v, outif=%v, table=%v", typeStr,
condNetAddrPrefix(src), condNetAddrPrefix(dst), condNetAddrIP(gw),
@@ -246,14 +246,14 @@ func netaddrIPPrefix(std net.IP, bits uint8) netaddr.IPPrefix {
}
func condNetAddrPrefix(ipp netaddr.IPPrefix) string {
if ipp.IP().IsZero() {
if !ipp.Addr().IsValid() {
return ""
}
return ipp.String()
}
func condNetAddrIP(ip netaddr.IP) string {
if ip.IsZero() {
if !ip.IsValid() {
return ""
}
return ip.String()
@@ -269,7 +269,7 @@ type newRouteMessage struct {
const tsTable = 52
func (m *newRouteMessage) ignore() bool {
return m.Table == tsTable || tsaddr.IsTailscaleIP(m.Dst.IP())
return m.Table == tsTable || tsaddr.IsTailscaleIP(m.Dst.Addr())
}
// newAddrMessage is a message for a new address being added.
+1 -1
@@ -11,7 +11,7 @@ import (
"github.com/jsimonetti/rtnetlink"
"github.com/mdlayher/netlink"
"golang.org/x/sys/unix"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
)
func newAddrMsg(iface uint32, addr string, typ netlink.HeaderType) netlink.Message {
+2 -2
@@ -12,7 +12,7 @@ import (
"time"
"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/net/tsaddr"
"tailscale.com/types/logger"
)
@@ -144,7 +144,7 @@ func (m *winMon) unicastAddressChanged(_ winipcfg.MibNotificationType, row *wini
func (m *winMon) routeChanged(_ winipcfg.MibNotificationType, row *winipcfg.MibIPforwardRow2) {
what := "route"
ipn := row.DestinationPrefix.IPNet()
if cidr, ok := netaddr.FromStdIPNet(&ipn); ok && tsaddr.IsTailscaleIP(cidr.IP()) {
if cidr, ok := netaddr.FromStdIPNet(&ipn); ok && tsaddr.IsTailscaleIP(cidr.Addr()) {
what = "tsroute"
}
// start a goroutine to finish our work, to return to Windows out of this callback
+25 -25
@@ -34,10 +34,10 @@ import (
"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
"gvisor.dev/gvisor/pkg/waiter"
"inet.af/netaddr"
"tailscale.com/envknob"
"tailscale.com/ipn/ipnlocal"
"tailscale.com/net/dns"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/net/tsaddr"
"tailscale.com/net/tsdial"
@@ -255,7 +255,7 @@ func (ns *Impl) addSubnetAddress(ip netaddr.IP) {
if needAdd {
pa := tcpip.ProtocolAddress{
AddressWithPrefix: tcpip.AddressWithPrefix{
Address: tcpip.Address(ip.IPAddr().IP),
Address: tcpip.Address(ip.AsSlice()),
PrefixLen: int(ip.BitLen()),
},
}
@@ -277,14 +277,14 @@ func (ns *Impl) removeSubnetAddress(ip netaddr.IP) {
ns.connsOpenBySubnetIP[ip]--
// Only unregister address from netstack after last concurrent connection.
if ns.connsOpenBySubnetIP[ip] == 0 {
ns.ipstack.RemoveAddress(nicID, tcpip.Address(ip.IPAddr().IP))
ns.ipstack.RemoveAddress(nicID, tcpip.Address(ip.AsSlice()))
delete(ns.connsOpenBySubnetIP, ip)
}
}
func ipPrefixToAddressWithPrefix(ipp netaddr.IPPrefix) tcpip.AddressWithPrefix {
return tcpip.AddressWithPrefix{
Address: tcpip.Address(ipp.IP().IPAddr().IP),
Address: tcpip.Address(ipp.Addr().AsSlice()),
PrefixLen: int(ipp.Bits()),
}
}
@@ -335,7 +335,7 @@ func (ns *Impl) updateIPs(nm *netmap.NetworkMap) {
}
ns.mu.Lock()
for ip := range ns.connsOpenBySubnetIP {
ipp := tcpip.Address(ip.IPAddr().IP).WithPrefix()
ipp := tcpip.Address(ip.AsSlice()).WithPrefix()
delete(ipsToBeRemoved, ipp)
}
ns.mu.Unlock()
@@ -376,7 +376,7 @@ func (ns *Impl) updateIPs(nm *netmap.NetworkMap) {
func (ns *Impl) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper) filter.Response {
// If it's not traffic to the service IP (i.e. magicDNS) we don't
// care; resume processing.
if dst := p.Dst.IP(); dst != magicDNSIP && dst != magicDNSIPv6 {
if dst := p.Dst.Addr(); dst != magicDNSIP && dst != magicDNSIPv6 {
return filter.Accept
}
// Of traffic to the service IP, we only care about UDP 53, and TCP
@@ -414,11 +414,11 @@ func (ns *Impl) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper) filter.Re
func (ns *Impl) DialContextTCP(ctx context.Context, ipp netaddr.IPPort) (*gonet.TCPConn, error) {
remoteAddress := tcpip.FullAddress{
NIC: nicID,
Addr: tcpip.Address(ipp.IP().IPAddr().IP),
Addr: tcpip.Address(ipp.Addr().AsSlice()),
Port: ipp.Port(),
}
var ipType tcpip.NetworkProtocolNumber
if ipp.IP().Is4() {
if ipp.Addr().Is4() {
ipType = ipv4.ProtocolNumber
} else {
ipType = ipv6.ProtocolNumber
@@ -430,11 +430,11 @@ func (ns *Impl) DialContextTCP(ctx context.Context, ipp netaddr.IPPort) (*gonet.
func (ns *Impl) DialContextUDP(ctx context.Context, ipp netaddr.IPPort) (*gonet.UDPConn, error) {
remoteAddress := &tcpip.FullAddress{
NIC: nicID,
Addr: tcpip.Address(ipp.IP().IPAddr().IP),
Addr: tcpip.Address(ipp.Addr().AsSlice()),
Port: ipp.Port(),
}
var ipType tcpip.NetworkProtocolNumber
if ipp.IP().Is4() {
if ipp.Addr().Is4() {
ipType = ipv4.ProtocolNumber
} else {
ipType = ipv6.ProtocolNumber
@@ -534,9 +534,9 @@ func (ns *Impl) shouldProcessInbound(p *packet.Parsed, t *tstun.Wrapper) bool {
// Handle incoming peerapi connections in netstack.
if ns.lb != nil && p.IPProto == ipproto.TCP {
var peerAPIPort uint16
dstIP := p.Dst.IP()
dstIP := p.Dst.Addr()
if p.TCPFlags&packet.TCPSynAck == packet.TCPSyn && ns.isLocalIP(dstIP) {
if port, ok := ns.lb.GetPeerAPIPort(p.Dst.IP()); ok {
if port, ok := ns.lb.GetPeerAPIPort(p.Dst.Addr()); ok {
peerAPIPort = port
atomic.StoreUint32(ns.peerAPIPortAtomic(dstIP), uint32(port))
}
@@ -550,15 +550,15 @@ func (ns *Impl) shouldProcessInbound(p *packet.Parsed, t *tstun.Wrapper) bool {
if ns.isInboundTSSH(p) && ns.processSSH() {
return true
}
if p.IPVersion == 6 && viaRange.Contains(p.Dst.IP()) {
return ns.lb != nil && ns.lb.ShouldHandleViaIP(p.Dst.IP())
if p.IPVersion == 6 && viaRange.Contains(p.Dst.Addr()) {
return ns.lb != nil && ns.lb.ShouldHandleViaIP(p.Dst.Addr())
}
if !ns.ProcessLocalIPs && !ns.ProcessSubnets {
// Fast path for common case (e.g. Linux server in TUN mode) where
// netstack isn't used at all; don't even do an isLocalIP lookup.
return false
}
isLocal := ns.isLocalIP(p.Dst.IP())
isLocal := ns.isLocalIP(p.Dst.Addr())
if ns.ProcessLocalIPs && isLocal {
return true
}
@@ -647,7 +647,7 @@ func (ns *Impl) userPing(dstIP netaddr.IP, pingResPkt []byte) {
func (ns *Impl) isInboundTSSH(p *packet.Parsed) bool {
return p.IPProto == ipproto.TCP &&
p.Dst.Port() == 22 &&
ns.isLocalIP(p.Dst.IP())
ns.isLocalIP(p.Dst.Addr())
}
// injectInbound is installed as a packet hook on the 'inbound' (from a
@@ -661,7 +661,7 @@ func (ns *Impl) injectInbound(p *packet.Parsed, t *tstun.Wrapper) filter.Respons
return filter.Accept
}
destIP := p.Dst.IP()
destIP := p.Dst.Addr()
if p.IsEchoRequest() && ns.ProcessSubnets && !tsaddr.IsTailscaleIP(destIP) {
var pong []byte // the reply to the ping, if our relayed ping works
if destIP.Is4() {
@@ -886,7 +886,7 @@ func (ns *Impl) acceptUDP(r *udp.ForwarderRequest) {
}
// Handle magicDNS traffic (via UDP) here.
if dst := dstAddr.IP(); dst == magicDNSIP || dst == magicDNSIPv6 {
if dst := dstAddr.Addr(); dst == magicDNSIP || dst == magicDNSIPv6 {
if dstAddr.Port() != 53 {
return // Only MagicDNS traffic runs on the service IPs for now.
}
@@ -949,16 +949,16 @@ func (ns *Impl) forwardUDP(client *gonet.UDPConn, wq *waiter.Queue, clientAddr,
var backendListenAddr *net.UDPAddr
var backendRemoteAddr *net.UDPAddr
isLocal := ns.isLocalIP(dstAddr.IP())
isLocal := ns.isLocalIP(dstAddr.Addr())
if isLocal {
backendRemoteAddr = &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: int(port)}
backendListenAddr = &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: int(srcPort)}
} else {
if dstIP := dstAddr.IP(); viaRange.Contains(dstIP) {
if dstIP := dstAddr.Addr(); viaRange.Contains(dstIP) {
dstAddr = netaddr.IPPortFrom(tsaddr.UnmapVia(dstIP), dstAddr.Port())
}
backendRemoteAddr = dstAddr.UDPAddr()
if dstAddr.IP().Is4() {
backendRemoteAddr = net.UDPAddrFromAddrPort(dstAddr)
if dstAddr.Addr().Is4() {
backendListenAddr = &net.UDPAddr{IP: net.ParseIP("0.0.0.0"), Port: int(srcPort)}
} else {
backendListenAddr = &net.UDPAddr{IP: net.ParseIP("::"), Port: int(srcPort)}
@@ -981,7 +981,7 @@ func (ns *Impl) forwardUDP(client *gonet.UDPConn, wq *waiter.Queue, clientAddr,
ns.logf("could not get backend local IP:port from %v:%v", backendLocalAddr.IP, backendLocalAddr.Port)
}
if isLocal {
ns.e.RegisterIPPortIdentity(backendLocalIPPort, dstAddr.IP())
ns.e.RegisterIPPortIdentity(backendLocalIPPort, dstAddr.Addr())
}
ctx, cancel := context.WithCancel(context.Background())
@@ -1007,13 +1007,13 @@ func (ns *Impl) forwardUDP(client *gonet.UDPConn, wq *waiter.Queue, clientAddr,
extend := func() {
timer.Reset(idleTimeout)
}
startPacketCopy(ctx, cancel, client, clientAddr.UDPAddr(), backendConn, ns.logf, extend)
startPacketCopy(ctx, cancel, client, net.UDPAddrFromAddrPort(clientAddr), backendConn, ns.logf, extend)
startPacketCopy(ctx, cancel, backendConn, backendRemoteAddr, client, ns.logf, extend)
if isLocal {
// Wait for the copies to be done before decrementing the
// subnet address count to potentially remove the route.
<-ctx.Done()
ns.removeSubnetAddress(dstAddr.IP())
ns.removeSubnetAddress(dstAddr.Addr())
}
}
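Review bot: DialContextTCP and DialContextUDP build `tcpip.Address(ipp.Addr().AsSlice())` without first checking that ipp is valid; for a zero netip.Addr, AsSlice returns nil and Is4 reports false, so the dial would proceed with an empty address under ipv6.ProtocolNumber. A guard at the top of both functions, `if !ipp.IsValid() { return nil, fmt.Errorf("netstack: invalid dial address %v", ipp) }`, would fail early instead (this assumes fmt is imported; the import block is only partly visible). The same conversion is repeated in addSubnetAddress, removeSubnetAddress and updateIPs, so a small helper next to ipPrefixToAddressWithPrefix would keep the zero-address handling in one place. Both dial functions continue outside their hunks.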
+1 -1
@@ -9,7 +9,7 @@ import (
"testing"
"gvisor.dev/gvisor/pkg/refs"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/net/tsdial"
"tailscale.com/net/tstun"
+4 -4
@@ -104,8 +104,8 @@ func (e *userspaceEngine) trackOpenPostFilterOut(pp *packet.Parsed, t *tstun.Wra
// Don't start timers tracking those. They won't succeed anyway. Avoids log spam
// like:
// open-conn-track: timeout opening (100.115.73.60:52501 => 17.125.252.5:443); no associated peer node
if runtime.GOOS == "ios" && flow.Dst.Port() == 443 && !tsaddr.IsTailscaleIP(flow.Dst.IP()) {
if _, ok := e.PeerForIP(flow.Dst.IP()); !ok {
if runtime.GOOS == "ios" && flow.Dst.Port() == 443 && !tsaddr.IsTailscaleIP(flow.Dst.Addr()) {
if _, ok := e.PeerForIP(flow.Dst.Addr()); !ok {
return
}
}
@@ -142,7 +142,7 @@ func (e *userspaceEngine) onOpenTimeout(flow flowtrack.Tuple) {
}
// Diagnose why it might've timed out.
pip, ok := e.PeerForIP(flow.Dst.IP())
pip, ok := e.PeerForIP(flow.Dst.Addr())
if !ok {
e.logf("open-conn-track: timeout opening %v; no associated peer node", flow)
return
@@ -172,7 +172,7 @@ func (e *userspaceEngine) onOpenTimeout(flow flowtrack.Tuple) {
if ps == nil {
onlyZeroRoute := true // whether peerForIP returned n only because its /0 route matched
for _, r := range n.AllowedIPs {
if r.Bits() != 0 && r.Contains(flow.Dst.IP()) {
if r.Bits() != 0 && r.Contains(flow.Dst.Addr()) {
onlyZeroRoute = false
break
}
+18 -16
@@ -11,17 +11,19 @@ import (
"fmt"
"log"
"net"
"net/netip"
"runtime"
"sort"
"time"
ole "github.com/go-ole/go-ole"
"go4.org/netipx"
"golang.org/x/sys/windows"
"golang.zx2c4.com/wireguard/tun"
"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
"inet.af/netaddr"
"tailscale.com/health"
"tailscale.com/net/interfaces"
"tailscale.com/net/netaddr"
"tailscale.com/net/tsaddr"
"tailscale.com/util/multierr"
"tailscale.com/wgengine/winnet"
@@ -326,16 +328,16 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
var firstGateway6 *net.IP
addresses := make([]*net.IPNet, 0, len(cfg.LocalAddrs))
for _, addr := range cfg.LocalAddrs {
if (addr.IP().Is4() && ipif4 == nil) || (addr.IP().Is6() && ipif6 == nil) {
if (addr.Addr().Is4() && ipif4 == nil) || (addr.Addr().Is6() && ipif6 == nil) {
// Can't program addresses for disabled protocol.
continue
}
ipnet := addr.IPNet()
ipnet := netipx.PrefixIPNet(addr)
addresses = append(addresses, ipnet)
gateway := ipnet.IP
if addr.IP().Is4() && firstGateway4 == nil {
if addr.Addr().Is4() && firstGateway4 == nil {
firstGateway4 = &gateway
} else if addr.IP().Is6() && firstGateway6 == nil {
} else if addr.Addr().Is6() && firstGateway6 == nil {
firstGateway6 = &gateway
}
}
@@ -344,31 +346,31 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
foundDefault4 := false
foundDefault6 := false
for _, route := range cfg.Routes {
if (route.IP().Is4() && ipif4 == nil) || (route.IP().Is6() && ipif6 == nil) {
if (route.Addr().Is4() && ipif4 == nil) || (route.Addr().Is6() && ipif6 == nil) {
// Can't program routes for disabled protocol.
continue
}
if route.IP().Is6() && firstGateway6 == nil {
if route.Addr().Is6() && firstGateway6 == nil {
// Windows won't let us set IPv6 routes without having an
// IPv6 local address set. However, when we've configured
// a default route, we want to forcibly grab IPv6 traffic
// even if the v6 overlay network isn't configured. To do
// that, we add a dummy local IPv6 address to serve as a
// route source.
ipnet := &net.IPNet{tsaddr.Tailscale4To6Placeholder().IPAddr().IP, net.CIDRMask(128, 128)}
ipnet := &net.IPNet{tsaddr.Tailscale4To6Placeholder().AsSlice(), net.CIDRMask(128, 128)}
addresses = append(addresses, ipnet)
firstGateway6 = &ipnet.IP
} else if route.IP().Is4() && firstGateway4 == nil {
} else if route.Addr().Is4() && firstGateway4 == nil {
// TODO: do same dummy behavior as v6?
return errors.New("due to a Windows limitation, one cannot have interface routes without an interface address")
}
ipn := route.IPNet()
ipn := netipx.PrefixIPNet(route)
var gateway net.IP
if route.IP().Is4() {
if route.Addr().Is4() {
gateway = *firstGateway4
} else if route.IP().Is6() {
} else if route.Addr().Is6() {
gateway = *firstGateway6
}
r := winipcfg.RouteData{
@@ -387,12 +389,12 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) (retErr error) {
// then the interface's IP won't be pingable.
continue
}
if route.IP().Is4() {
if route.Addr().Is4() {
if route.Bits() == 0 {
foundDefault4 = true
}
r.NextHop = *firstGateway4
} else if route.IP().Is6() {
} else if route.Addr().Is6() {
if route.Bits() == 0 {
foundDefault6 = true
}
@@ -782,8 +784,8 @@ func filterRoutes(routes []*winipcfg.RouteData, dontDelete []netaddr.IPPrefix) [
if nr.IsSingleIP() {
continue
}
lastIP := nr.Range().To()
ddm[netaddr.IPPrefixFrom(lastIP, lastIP.BitLen())] = true
lastIP := netipx.RangeOfPrefix(nr).To()
ddm[netip.PrefixFrom(lastIP, lastIP.BitLen())] = true
}
filtered := make([]*winipcfg.RouteData, 0, len(routes))
for _, r := range routes {
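Review bot: The placeholder address in configureInterface, `ipnet := &net.IPNet{tsaddr.Tailscale4To6Placeholder().AsSlice(), net.CIDRMask(128, 128)}`, is an unkeyed composite literal of an imported struct, which go vet's composites check reports and which depends on net.IPNet's field order. Since the line is rewritten by this change anyway, `ipnet := &net.IPNet{IP: tsaddr.Tailscale4To6Placeholder().AsSlice(), Mask: net.CIDRMask(128, 128)}` states which value is the address and which is the mask. configureInterface starts and ends outside the hunks shown.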
+3 -2
@@ -11,8 +11,9 @@ import (
"strings"
"testing"
"go4.org/netipx"
"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
)
func randIP() net.IP {
@@ -38,7 +39,7 @@ func TestRouteLess(t *testing.T) {
if err != nil {
t.Fatalf("error parsing test data %q: %v", s, err)
}
return *ipp.IPNet()
return *netipx.PrefixIPNet(ipp)
}
tests := []struct {
+1 -1
@@ -10,7 +10,7 @@ import (
"reflect"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/logger"
"tailscale.com/types/preftype"
"tailscale.com/wgengine/monitor"
+19 -18
@@ -18,11 +18,12 @@ import (
"github.com/coreos/go-iptables/iptables"
"github.com/tailscale/netlink"
"go4.org/netipx"
"golang.org/x/sys/unix"
"golang.org/x/time/rate"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/envknob"
"tailscale.com/net/netaddr"
"tailscale.com/net/tsaddr"
"tailscale.com/syncs"
"tailscale.com/types/logger"
@@ -439,7 +440,7 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
}
for cidr := range r.addrs {
if err := r.addLoopbackRule(cidr.IP()); err != nil {
if err := r.addLoopbackRule(cidr.Addr()); err != nil {
return err
}
}
@@ -451,7 +452,7 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
// address is already assigned to the interface, or if the addition
// fails.
func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
if !r.v6Available && addr.IP().Is6() {
if !r.v6Available && addr.Addr().Is6() {
return nil
}
if r.useIPCommand() {
@@ -467,7 +468,7 @@ func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
return fmt.Errorf("adding address %v from tunnel interface: %w", addr, err)
}
}
if err := r.addLoopbackRule(addr.IP()); err != nil {
if err := r.addLoopbackRule(addr.Addr()); err != nil {
return err
}
return nil
@@ -477,10 +478,10 @@ func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
// the address is not assigned to the interface, or if the removal
// fails.
func (r *linuxRouter) delAddress(addr netaddr.IPPrefix) error {
if !r.v6Available && addr.IP().Is6() {
if !r.v6Available && addr.Addr().Is6() {
return nil
}
if err := r.delLoopbackRule(addr.IP()); err != nil {
if err := r.delLoopbackRule(addr.Addr()); err != nil {
return err
}
if r.useIPCommand() {
@@ -547,7 +548,7 @@ func (r *linuxRouter) delLoopbackRule(addr netaddr.IP) error {
// interface. Fails if the route already exists, or if adding the
// route fails.
func (r *linuxRouter) addRoute(cidr netaddr.IPPrefix) error {
if !r.v6Available && cidr.IP().Is6() {
if !r.v6Available && cidr.Addr().Is6() {
return nil
}
if r.useIPCommand() {
@@ -559,7 +560,7 @@ func (r *linuxRouter) addRoute(cidr netaddr.IPPrefix) error {
}
return netlink.RouteReplace(&netlink.Route{
LinkIndex: linkIndex,
Dst: cidr.Masked().IPNet(),
Dst: netipx.PrefixIPNet(cidr.Masked()),
Table: r.routeTable(),
})
}
@@ -572,14 +573,14 @@ func (r *linuxRouter) addThrowRoute(cidr netaddr.IPPrefix) error {
if !r.ipRuleAvailable {
return nil
}
if !r.v6Available && cidr.IP().Is6() {
if !r.v6Available && cidr.Addr().Is6() {
return nil
}
if r.useIPCommand() {
return r.addRouteDef([]string{"throw", normalizeCIDR(cidr)}, cidr)
}
err := netlink.RouteReplace(&netlink.Route{
Dst: cidr.Masked().IPNet(),
Dst: netipx.PrefixIPNet(cidr.Masked()),
Table: tailscaleRouteTable.num,
Type: unix.RTN_THROW,
})
@@ -590,7 +591,7 @@ func (r *linuxRouter) addThrowRoute(cidr netaddr.IPPrefix) error {
}
func (r *linuxRouter) addRouteDef(routeDef []string, cidr netaddr.IPPrefix) error {
if !r.v6Available && cidr.IP().Is6() {
if !r.v6Available && cidr.Addr().Is6() {
return nil
}
args := append([]string{"ip", "route", "add"}, routeDef...)
@@ -624,7 +625,7 @@ var (
// interface. Fails if the route doesn't exist, or if removing the
// route fails.
func (r *linuxRouter) delRoute(cidr netaddr.IPPrefix) error {
if !r.v6Available && cidr.IP().Is6() {
if !r.v6Available && cidr.Addr().Is6() {
return nil
}
if r.useIPCommand() {
@@ -636,7 +637,7 @@ func (r *linuxRouter) delRoute(cidr netaddr.IPPrefix) error {
}
err = netlink.RouteDel(&netlink.Route{
LinkIndex: linkIndex,
Dst: cidr.Masked().IPNet(),
Dst: netipx.PrefixIPNet(cidr.Masked()),
Table: r.routeTable(),
})
if errors.Is(err, errESRCH) {
@@ -652,14 +653,14 @@ func (r *linuxRouter) delThrowRoute(cidr netaddr.IPPrefix) error {
if !r.ipRuleAvailable {
return nil
}
if !r.v6Available && cidr.IP().Is6() {
if !r.v6Available && cidr.Addr().Is6() {
return nil
}
if r.useIPCommand() {
return r.delRouteDef([]string{"throw", normalizeCIDR(cidr)}, cidr)
}
err := netlink.RouteDel(&netlink.Route{
Dst: cidr.Masked().IPNet(),
Dst: netipx.PrefixIPNet(cidr.Masked()),
Table: r.routeTable(),
Type: unix.RTN_THROW,
})
@@ -671,7 +672,7 @@ func (r *linuxRouter) delThrowRoute(cidr netaddr.IPPrefix) error {
}
func (r *linuxRouter) delRouteDef(routeDef []string, cidr netaddr.IPPrefix) error {
if !r.v6Available && cidr.IP().Is6() {
if !r.v6Available && cidr.Addr().Is6() {
return nil
}
args := append([]string{"ip", "route", "del"}, routeDef...)
@@ -701,7 +702,7 @@ func dashFam(ip netaddr.IP) string {
}
func (r *linuxRouter) hasRoute(routeDef []string, cidr netaddr.IPPrefix) (bool, error) {
args := append([]string{"ip", dashFam(cidr.IP()), "route", "show"}, routeDef...)
args := append([]string{"ip", dashFam(cidr.Addr()), "route", "show"}, routeDef...)
if r.ipRuleAvailable {
args = append(args, "table", tailscaleRouteTable.ipCmdArg())
}
@@ -1549,6 +1550,6 @@ func checkIPRuleSupportsV6(logf logger.Logf) error {
func nlAddrOfPrefix(p netaddr.IPPrefix) *netlink.Addr {
return &netlink.Addr{
IPNet: p.IPNet(),
IPNet: netipx.PrefixIPNet(p),
}
}
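Review bot: addThrowRoute installs its route with `Table: tailscaleRouteTable.num` while delThrowRoute removes it with `Table: r.routeTable()`, so the add and delete paths name the routing table in two different ways. Both functions return early when r.ipRuleAvailable is false, so the two values are presumably equal whenever these lines run, but that depends on routeTable(), which is outside the hunks. Using the same expression in both, or adding a one-line comment such as `// routeTable() == tailscaleRouteTable.num whenever ipRuleAvailable is set`, would make it clear that a throw route is always deleted from the table it was added to.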
+1 -1
@@ -17,7 +17,7 @@ import (
"github.com/google/go-cmp/cmp"
"github.com/vishvananda/netlink"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/tstest"
"tailscale.com/types/logger"
"tailscale.com/wgengine/monitor"
+21 -20
@@ -10,8 +10,9 @@ import (
"log"
"os/exec"
"go4.org/netipx"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/logger"
"tailscale.com/wgengine/monitor"
)
@@ -59,7 +60,7 @@ func (r *openbsdRouter) Up() error {
}
func inet(p netaddr.IPPrefix) string {
if p.IP().Is6() {
if p.Addr().Is6() {
return "inet6"
}
return "inet"
@@ -79,11 +80,11 @@ func (r *openbsdRouter) Set(cfg *Config) error {
localAddr4 := netaddr.IPPrefix{}
localAddr6 := netaddr.IPPrefix{}
for _, addr := range cfg.LocalAddrs {
if addr.IP().Is4() {
if addr.Addr().Is4() {
numIPv4++
localAddr4 = addr
}
if addr.IP().Is6() {
if addr.Addr().Is6() {
numIPv6++
localAddr6 = addr
}
@@ -95,7 +96,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {
var errq error
if localAddr4 != r.local4 {
if !r.local4.IsZero() {
if r.local4.IsValid() {
addrdel := []string{"ifconfig", r.tunname,
"inet", r.local4.String(), "-alias"}
out, err := cmd(addrdel...).CombinedOutput()
@@ -108,7 +109,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {
routedel := []string{"route", "-q", "-n",
"del", "-inet", r.local4.String(),
"-iface", r.local4.IP().String()}
"-iface", r.local4.Addr().String()}
if out, err := cmd(routedel...).CombinedOutput(); err != nil {
r.logf("route del failed: %v: %v\n%s", routedel, err, out)
if errq == nil {
@@ -117,7 +118,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {
}
}
if !localAddr4.IsZero() {
if localAddr4.IsValid() {
addradd := []string{"ifconfig", r.tunname,
"inet", localAddr4.String(), "alias"}
out, err := cmd(addradd...).CombinedOutput()
@@ -130,7 +131,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {
routeadd := []string{"route", "-q", "-n",
"add", "-inet", localAddr4.String(),
"-iface", localAddr4.IP().String()}
"-iface", localAddr4.Addr().String()}
if out, err := cmd(routeadd...).CombinedOutput(); err != nil {
r.logf("route add failed: %v: %v\n%s", routeadd, err, out)
if errq == nil {
@@ -140,15 +141,15 @@ func (r *openbsdRouter) Set(cfg *Config) error {
}
}
if !localAddr6.IsZero() {
if localAddr6.IsValid() {
// in https://github.com/tailscale/tailscale/issues/1307 we made
// FreeBSD use a /48 for IPv6 addresses, which is nice because we
// don't need to additionally add routing entries. Do that here too.
localAddr6 = netaddr.IPPrefixFrom(localAddr6.IP(), 48)
localAddr6 = netaddr.IPPrefixFrom(localAddr6.Addr(), 48)
}
if localAddr6 != r.local6 {
if !r.local6.IsZero() {
if r.local6.IsValid() {
addrdel := []string{"ifconfig", r.tunname,
"inet6", r.local6.String(), "delete"}
out, err := cmd(addrdel...).CombinedOutput()
@@ -160,7 +161,7 @@ func (r *openbsdRouter) Set(cfg *Config) error {
}
}
if !localAddr6.IsZero() {
if localAddr6.IsValid() {
addradd := []string{"ifconfig", r.tunname,
"inet6", localAddr6.String()}
out, err := cmd(addradd...).CombinedOutput()
@@ -179,12 +180,12 @@ func (r *openbsdRouter) Set(cfg *Config) error {
}
for route := range r.routes {
if _, keep := newRoutes[route]; !keep {
net := route.IPNet()
net := netipx.PrefixIPNet(route)
nip := net.IP.Mask(net.Mask)
nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
dst := localAddr4.IP().String()
if route.IP().Is6() {
dst = localAddr6.IP().String()
dst := localAddr4.Addr().String()
if route.Addr().Is6() {
dst = localAddr6.Addr().String()
}
routedel := []string{"route", "-q", "-n",
"del", "-" + inet(route), nstr,
@@ -200,12 +201,12 @@ func (r *openbsdRouter) Set(cfg *Config) error {
}
for route := range newRoutes {
if _, exists := r.routes[route]; !exists {
net := route.IPNet()
net := netipx.PrefixIPNet(route)
nip := net.IP.Mask(net.Mask)
nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
dst := localAddr4.IP().String()
if route.IP().Is6() {
dst = localAddr6.IP().String()
dst := localAddr4.Addr().String()
if route.Addr().Is6() {
dst = localAddr6.Addr().String()
}
routeadd := []string{"route", "-q", "-n",
"add", "-" + inet(route), nstr,
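Review bot: In the route delete and add loops of Set, `dst := localAddr4.Addr().String()` (and the localAddr6 branch) is computed even when no local address of that family was configured; for a zero prefix, netip renders the address as the literal text "invalid IP". dst is presumably passed to the route command in the part of the slice literal that falls outside the hunk, so such a route would be attempted with a meaningless argument. The local-address blocks above already guard on IsValid(); at least the add loop could do the same with `if (route.Addr().Is6() && !localAddr6.IsValid()) || (!route.Addr().Is6() && !localAddr4.IsValid()) { continue }`, ideally logging the skipped route. Set starts and ends outside these hunks.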
+1 -1
@@ -8,7 +8,7 @@ import (
"reflect"
"testing"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/preftype"
)
+8 -7
@@ -13,8 +13,9 @@ import (
"os/exec"
"runtime"
"go4.org/netipx"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/net/tsaddr"
"tailscale.com/types/logger"
"tailscale.com/version"
@@ -91,7 +92,7 @@ func (r *userspaceBSDRouter) Up() error {
}
func inet(p netaddr.IPPrefix) string {
if p.IP().Is6() {
if p.Addr().Is6() {
return "inet6"
}
return "inet"
@@ -120,15 +121,15 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
}
for _, addr := range r.addrsToAdd(cfg.LocalAddrs) {
var arg []string
if runtime.GOOS == "freebsd" && addr.IP().Is6() && addr.Bits() == 128 {
if runtime.GOOS == "freebsd" && addr.Addr().Is6() && addr.Bits() == 128 {
// FreeBSD rejects tun addresses of the form fc00::1/128 -> fc00::1,
// https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218508
// Instead add our whole /48, which works because we use a /48 route.
// Full history: https://github.com/tailscale/tailscale/issues/1307
tmp := netaddr.IPPrefixFrom(addr.IP(), 48)
tmp := netaddr.IPPrefixFrom(addr.Addr(), 48)
arg = []string{"ifconfig", r.tunname, inet(tmp), tmp.String()}
} else {
arg = []string{"ifconfig", r.tunname, inet(addr), addr.String(), addr.IP().String()}
arg = []string{"ifconfig", r.tunname, inet(addr), addr.String(), addr.Addr().String()}
}
out, err := cmd(arg...).CombinedOutput()
if err != nil {
@@ -150,7 +151,7 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
// Delete any pre-existing routes.
for route := range r.routes {
if _, keep := newRoutes[route]; !keep {
net := route.IPNet()
net := netipx.PrefixIPNet(route)
nip := net.IP.Mask(net.Mask)
nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
del := "del"
@@ -170,7 +171,7 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
// Add the routes.
for route := range newRoutes {
if _, exists := r.routes[route]; !exists {
net := route.IPNet()
net := netipx.PrefixIPNet(route)
nip := net.IP.Mask(net.Mask)
nstr := fmt.Sprintf("%v/%d", nip, route.Bits())
routeadd := []string{"route", "-q", "-n",
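Review bot: In both route loops of Set, the local `net := netipx.PrefixIPNet(route)` reuses the name of the net package (shadowing it if this file imports it) and exists only so the masked prefix text can be rebuilt by hand in `nstr := fmt.Sprintf("%v/%d", nip, route.Bits())`. `nstr := route.Masked().String()` produces the masked CIDR directly from the netip value and would make the netipx conversion unnecessary here. The one difference I am aware of is that an IPv4-mapped IPv6 prefix would print in its ::ffff: form, so confirm such routes do not reach this code. Set starts and ends outside the hunks.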
+1 -1
@@ -20,9 +20,9 @@ import (
"golang.org/x/sys/windows"
"golang.zx2c4.com/wireguard/tun"
"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
"inet.af/netaddr"
"tailscale.com/logtail/backoff"
"tailscale.com/net/dns"
"tailscale.com/net/netaddr"
"tailscale.com/types/logger"
"tailscale.com/wgengine/monitor"
)
+13 -12
@@ -12,6 +12,7 @@ import (
"fmt"
"io"
"net"
"net/netip"
"reflect"
"runtime"
"strings"
@@ -22,7 +23,6 @@ import (
"go4.org/mem"
"golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/control/controlclient"
"tailscale.com/envknob"
"tailscale.com/health"
@@ -31,6 +31,7 @@ import (
"tailscale.com/net/dns/resolver"
"tailscale.com/net/flowtrack"
"tailscale.com/net/interfaces"
"tailscale.com/net/netaddr"
"tailscale.com/net/packet"
"tailscale.com/net/tsaddr"
"tailscale.com/net/tsdial"
@@ -486,7 +487,7 @@ func (e *userspaceEngine) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper)
// Handle traffic to the service IP.
// TODO(tom): Netstack handles this when it is installed. Rip all
// this out once netstack is used on all platforms.
switch p.Dst.IP() {
switch p.Dst.Addr() {
case magicDNSIP, magicDNSIPv6:
err := e.dns.EnqueuePacket(append([]byte(nil), p.Payload()...), p.IPProto, p.Src, p.Dst)
if err != nil {
@@ -500,7 +501,7 @@ func (e *userspaceEngine) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper)
isLocalAddr, ok := e.isLocalAddr.Load().(func(netaddr.IP) bool)
if !ok {
e.logf("[unexpected] e.isLocalAddr was nil, can't check for loopback packet")
} else if isLocalAddr(p.Dst.IP()) {
} else if isLocalAddr(p.Dst.Addr()) {
// macOS NetworkExtension directs packets destined to the
// tunnel's local IP address into the tunnel, instead of
// looping back within the kernel network stack. We have to
@@ -690,8 +691,8 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Node
trackNodes = append(trackNodes, nk)
recentlyActive := false
for _, cidr := range p.AllowedIPs {
trackIPs = append(trackIPs, cidr.IP())
recentlyActive = recentlyActive || e.isActiveSinceLocked(nk, cidr.IP(), activeCutoff)
trackIPs = append(trackIPs, cidr.Addr())
recentlyActive = recentlyActive || e.isActiveSinceLocked(nk, cidr.Addr(), activeCutoff)
}
if recentlyActive {
min.Peers = append(min.Peers, *p)
@@ -1324,8 +1325,8 @@ func (e *userspaceEngine) mySelfIPMatchingFamily(dst netaddr.IP) (src netaddr.IP
return netaddr.IP{}, errors.New("no netmap")
}
for _, a := range e.netMap.Addresses {
if a.IsSingleIP() && a.IP().BitLen() == dst.BitLen() {
return a.IP(), nil
if a.IsSingleIP() && a.Addr().BitLen() == dst.BitLen() {
return a.Addr(), nil
}
}
if len(e.netMap.Addresses) == 0 {
@@ -1518,13 +1519,13 @@ func (e *userspaceEngine) PeerForIP(ip netaddr.IP) (ret PeerForIP, ok bool) {
// TODO(bradfitz): add maps for these. on NetworkMap?
for _, p := range nm.Peers {
for _, a := range p.Addresses {
if a.IP() == ip && a.IsSingleIP() && tsaddr.IsTailscaleIP(ip) {
if a.Addr() == ip && a.IsSingleIP() && tsaddr.IsTailscaleIP(ip) {
return PeerForIP{Node: p, Route: a}, true
}
}
}
for _, a := range nm.Addresses {
if a.IP() == ip && a.IsSingleIP() && tsaddr.IsTailscaleIP(ip) {
if a.Addr() == ip && a.IsSingleIP() && tsaddr.IsTailscaleIP(ip) {
return PeerForIP{Node: nm.SelfNode, IsSelf: true, Route: a}, true
}
}
@@ -1540,7 +1541,7 @@ func (e *userspaceEngine) PeerForIP(ip netaddr.IP) (ret PeerForIP, ok bool) {
if !cidr.Contains(ip) {
continue
}
if best.IsZero() || cidr.Bits() > best.Bits() {
if !best.IsValid() || cidr.Bits() > best.Bits() {
best = cidr
bestKey = p.PublicKey
}
@@ -1591,7 +1592,7 @@ func dnsIPsOverTailscale(dnsCfg *dns.Config, routerCfg *router.Config) (ret []ne
ip, err := netaddr.ParseIP(r.Addr)
if err != nil {
if ipp, err := netaddr.ParseIPPort(r.Addr); err == nil {
ip = ipp.IP()
ip = ipp.Addr()
} else {
continue
}
@@ -1609,7 +1610,7 @@ func dnsIPsOverTailscale(dnsCfg *dns.Config, routerCfg *router.Config) (ret []ne
ret = make([]netaddr.IPPrefix, 0, len(m))
for ip := range m {
ret = append(ret, netaddr.IPPrefixFrom(ip, ip.BitLen()))
ret = append(ret, netip.PrefixFrom(ip, ip.BitLen()))
}
return ret
}
+1 -1
@@ -10,8 +10,8 @@ import (
"testing"
"go4.org/mem"
"inet.af/netaddr"
"tailscale.com/net/dns"
"tailscale.com/net/netaddr"
"tailscale.com/net/tstun"
"tailscale.com/tailcfg"
"tailscale.com/tstest"
+1 -1
@@ -13,11 +13,11 @@ import (
"strings"
"time"
"inet.af/netaddr"
"tailscale.com/envknob"
"tailscale.com/ipn/ipnstate"
"tailscale.com/net/dns"
"tailscale.com/net/dns/resolver"
"tailscale.com/net/netaddr"
"tailscale.com/net/tstun"
"tailscale.com/tailcfg"
"tailscale.com/types/key"
+1 -1
@@ -6,7 +6,7 @@
package wgcfg
import (
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/key"
)
+1 -1
@@ -19,7 +19,7 @@ import (
"golang.zx2c4.com/wireguard/conn"
"golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/key"
)
+3 -3
@@ -10,7 +10,7 @@ import (
"fmt"
"strings"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/net/tsaddr"
"tailscale.com/tailcfg"
"tailscale.com/types/logger"
@@ -92,11 +92,11 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
}
fmt.Fprintf(skippedUnselected, "%q (%v)", nodeDebugName(peer), peer.Key.ShortString())
continue
} else if allowedIP.IsSingleIP() && tsaddr.IsTailscaleIP(allowedIP.IP()) && (flags&netmap.AllowSingleHosts) == 0 {
} else if allowedIP.IsSingleIP() && tsaddr.IsTailscaleIP(allowedIP.Addr()) && (flags&netmap.AllowSingleHosts) == 0 {
if skippedIPs.Len() > 0 {
skippedIPs.WriteString(", ")
}
fmt.Fprintf(skippedIPs, "%v from %q (%v)", allowedIP.IP(), nodeDebugName(peer), peer.Key.ShortString())
fmt.Fprintf(skippedIPs, "%v from %q (%v)", allowedIP.Addr(), nodeDebugName(peer), peer.Key.ShortString())
continue
} else if cidrIsSubnet(peer, allowedIP) {
if (flags & netmap.AllowSubnetRoutes) == 0 {
+1 -1
@@ -13,7 +13,7 @@ import (
"strings"
"go4.org/mem"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/key"
)
+1 -1
@@ -12,7 +12,7 @@ import (
"runtime"
"testing"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/key"
)
+5 -4
@@ -7,7 +7,8 @@
package wgcfg
import (
"inet.af/netaddr"
"net/netip"
"tailscale.com/types/key"
)
@@ -32,9 +33,9 @@ func (src *Config) Clone() *Config {
var _ConfigCloneNeedsRegeneration = Config(struct {
Name string
PrivateKey key.NodePrivate
Addresses []netaddr.IPPrefix
Addresses []netip.Prefix
MTU uint16
DNS []netaddr.IP
DNS []netip.Addr
Peers []Peer
}{})
@@ -54,7 +55,7 @@ func (src *Peer) Clone() *Peer {
var _PeerCloneNeedsRegeneration = Peer(struct {
PublicKey key.NodePublic
DiscoKey key.DiscoPublic
AllowedIPs []netaddr.IPPrefix
AllowedIPs []netip.Prefix
PersistentKeepalive uint16
WGEndpoint key.NodePublic
}{})
+1 -1
@@ -9,7 +9,7 @@ import (
"io"
"strconv"
"inet.af/netaddr"
"tailscale.com/net/netaddr"
"tailscale.com/types/key"
"tailscale.com/types/logger"
)
+1 -1
@@ -8,9 +8,9 @@ import (
"errors"
"time"
"inet.af/netaddr"
"tailscale.com/ipn/ipnstate"
"tailscale.com/net/dns"
"tailscale.com/net/netaddr"
"tailscale.com/tailcfg"
"tailscale.com/types/key"
"tailscale.com/types/netmap"