From 48a12a52e5e1ae1ae6b23cf4bf7959e35a84188c Mon Sep 17 00:00:00 2001
From: Mike O'Driscoll
Date: Wed, 2 Apr 2025 13:29:41 -0400
Subject: [PATCH] foo
---
 cmd/derper/derper.go | 4 +++-
 derp/derp_server.go | 8 ++++++++
 prober/derp.go | 5 +++--
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go
index 445b9c0a2..8eb0a749e 100644
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -510,7 +510,9 @@ func rateLimitedListenAndServeTLS(srv *http.Server, lc *net.ListenConfig) error
 return err
 }
 rln := newRateLimitedListener(ln, rate.Limit(*acceptConnLimit), *acceptConnBurst)
- expvar.Publish("tls_listener", rln.ExpVar())
+ if expvar.Get("tls_listener") == nil {
+ expvar.Publish("tls_listener", rln.ExpVar())
+ }
 defer rln.Close()
 return srv.ServeTLS(rln, "", "")
 }
diff --git a/derp/derp_server.go b/derp/derp_server.go
index 7811cbd93..c521fe9b8 100644
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -992,6 +992,7 @@ func (c *sclient) run(ctx context.Context) error {
 c.startStatsLoop(sendCtx)
+ fmt.Printf("Mike %s : %v\n", c.nc.LocalAddr().String(), c.canMesh)
 for {
 ft, fl, err := readFrameHeader(c.br)
 c.debugLogf("read frame type %d len %d err %v", ft, fl, err)
@@ -1007,6 +1008,8 @@ func (c *sclient) run(ctx context.Context) error {
 return fmt.Errorf("client %s: readFrameHeader: %w", c.key.ShortString(), err)
 }
 c.s.noteClientActivity(c)
+
+ fmt.Printf("0x%X\n", ft)
 switch ft {
 case frameNotePreferred:
 err = c.handleFrameNotePreferred(ft, fl)
@@ -1162,6 +1165,9 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 // handleFrameSendPacket reads a "send packet" frame from the client.
 func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
+ if !c.canMesh {
+ return fmt.Errorf("insufficient permissions")
+ }
 s := c.s
 dstKey, contents, err := s.recvPacket(c.br, fl)
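Review bot: In rateLimitedListenAndServeTLS, the new `expvar.Get("tls_listener") == nil` guard avoids the duplicate-publish panic, but a second call then serves on a rate-limited listener whose counters are never exported, so accept-limit drops on that listener are invisible to monitoring. The Get-then-Publish pair is also not atomic, so two concurrent callers can both still reach `expvar.Publish`. Consider publishing exactly once (for example under a `sync.Once`) a variable that reads from whichever listener is current, or at least logging when the publish is skipped. The function starts outside the hunk.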
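Review bot: The `fmt.Printf("Mike %s : %v\n", ...)` added before the read loop in sclient.run is leftover debugging that writes to stdout on every client connection. The `fmt.Printf("0x%X\n", ft)` in the following hunk does the same for every frame a client sends, so any connected peer can drive unbounded, unstructured output on the hot path. The `fmt.Printf("Mike %s/%s\n", s.meshPort, port)` added in usingMeshPort has the same problem. These should be removed before merge or, if the information is wanted, routed through the `c.debugLogf` call the loop already uses. run's body extends beyond both hunks.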
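Review bot: The `if !c.canMesh` guard added at the top of handleFrameSendPacket rejects the frame that, per the doc comment, ordinary clients use to send packets, so as written every non-mesh client's send fails with "insufficient permissions". A canMesh requirement would normally belong on mesh-only frames such as the forward-packet handler named in the hunk header; if this is a temporary test shim it should not land. If rejecting here is really intended, the error should identify the client the way the read-loop error does, e.g. `return fmt.Errorf("client %s: send packet: insufficient permissions", c.key.ShortString())`. Note also that it returns before `s.recvPacket` consumes the `fl` bytes of the frame. The function body continues past the hunk.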
@@ -1352,6 +1358,8 @@ func (s *Server) usingMeshPort(port string) bool {
 return true
 }
+ fmt.Printf("Mike %s/%s\n", s.meshPort, port)
+
 return s.meshPort == port
 }
diff --git a/prober/derp.go b/prober/derp.go
index 9c91fdb9b..c2c5a6040 100644
--- a/prober/derp.go
+++ b/prober/derp.go
@@ -291,6 +291,7 @@ func (d *derpProber) probeMesh(from, to string) ProbeClass {
 }
 dm := d.lastDERPMap
+ fromN.DERPPort = 8888
 return derpProbeNodePair(ctx, dm, fromN, toN, d.meshKey)
 },
 Class: "derp_mesh",
@@ -720,12 +721,12 @@ func derpProbeBandwidth(ctx context.Context, dm *tailcfg.DERPMap, from, to *tail
 // derpProbeNodePair sends a small packet between two local DERP clients
 // connected to two DERP servers.
 func derpProbeNodePair(ctx context.Context, dm *tailcfg.DERPMap, from, to *tailcfg.DERPNode, meshKey string) (err error) {
- fromc, err := newConn(ctx, dm, from, true, meshKey)
+ fromc, err := newConn(ctx, dm, from, !to.InsecureForTests, meshKey)
 if err != nil {
 return err
 }
 defer fromc.Close()
- toc, err := newConn(ctx, dm, to, true, meshKey)
+ toc, err := newConn(ctx, dm, to, !from.InsecureForTests, meshKey)
 if err != nil {
 return err
 }
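Review bot: `fromN.DERPPort = 8888` in the probeMesh closure hard-codes a port and writes it through what appears to be a shared node pointer (derpProbeNodePair takes `*tailcfg.DERPNode`), so the override may leak into every other probe that uses the same node and can race with them. If the mesh probe needs a different port, take it from configuration and apply it to a copy, `n := *fromN; n.DERPPort = <configured port>`, then pass `&n`. Where fromN comes from is outside the hunk, so confirm whether it aliases an entry in `d.lastDERPMap`.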
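Review bot: The two newConn calls in derpProbeNodePair look crossed: the connection to `from` is governed by `to.InsecureForTests` and the connection to `to` by `from.InsecureForTests`, so a test-only flag on one node changes how the other node is dialed. Each call should key off its own node, `newConn(ctx, dm, from, !from.InsecureForTests, meshKey)` and likewise for `to`. The meaning of the fourth argument is not visible here, so also confirm that replacing the constant `true` with a value derived from a test flag is intended for production probes, given that `meshKey` is passed on the same call. The function body continues past the hunk.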