version: bump snapshot

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
tun/netstack: bump mod
2022-03-16 21:32:14 -06:00 · 2022-03-16 18:01:34 -06:00 · 2022-03-16 17:51:47 -06:00 · 2022-03-16 16:40:24 -07:00 · 2022-03-16 16:09:48 -07:00 · 2022-03-09 18:27:36 -07:00
106 changed files with 4702 additions and 4485 deletions
--- a/0
+++ b/0
--- a/4
+++ b/4
@@ -10,7 +10,7 @@ MAKEFLAGS += --no-print-directory
 generate-version-and-build:
 	@export GIT_CEILING_DIRECTORIES="$(realpath $(CURDIR)/..)" && \
 	tag="$$(git describe --dirty 2>/dev/null)" && \
-	ver="$$(printf 'package main\nconst Version = "%s"\n' "$$tag")" && \
+	ver="$$(printf 'package main\n\nconst Version = "%s"\n' "$$tag")" && \
 	[ "$$(cat version.go 2>/dev/null)" != "$$ver" ] && \
 	echo "$$ver" > version.go && \
 	git update-index --assume-unchanged version.go || true
@@ -23,7 +23,7 @@ install: wireguard-go
 	@install -v -d "$(DESTDIR)$(BINDIR)" && install -v -m 0755 "$<" "$(DESTDIR)$(BINDIR)/wireguard-go"

 test:
-	go test -v ./...
+	go test ./...

 clean:
 	rm -f wireguard-go
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ This will run on OpenBSD. It does not yet support sticky sockets. Fwmark is mapp

 ## Building

-This requires an installation of [go](https://golang.org) ≥ 1.13.
+This requires an installation of [go](https://golang.org) ≥ 1.18.

 ```
 $ git clone https://git.zx2c4.com/wireguard-go
--- a/conn/bind_linux.go
+++ b/conn/bind_linux.go
@@ -1,5 +1,3 @@
-// +build !android
-
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
@@ -10,6 +8,7 @@ package conn
 import (
 	"errors"
 	"net"
+	"net/netip"
 	"strconv"
 	"sync"
 	"syscall"
@@ -18,101 +17,114 @@ import (
 	"golang.org/x/sys/unix"
 )

-type IPv4Source struct {
+type ipv4Source struct {
 	Src     [4]byte
 	Ifindex int32
 }

-type IPv6Source struct {
+type ipv6Source struct {
 	src [16]byte
-	//ifindex belongs in dst.ZoneId
+	// ifindex belongs in dst.ZoneId
 }

-type NativeEndpoint struct {
-	sync.Mutex
+type LinuxSocketEndpoint struct {
+	mu   sync.Mutex
 	dst  [unsafe.Sizeof(unix.SockaddrInet6{})]byte
-	src  [unsafe.Sizeof(IPv6Source{})]byte
+	src  [unsafe.Sizeof(ipv6Source{})]byte
 	isV6 bool
 }

-func (endpoint *NativeEndpoint) Src4() *IPv4Source         { return endpoint.src4() }
-func (endpoint *NativeEndpoint) Dst4() *unix.SockaddrInet4 { return endpoint.dst4() }
-func (endpoint *NativeEndpoint) IsV6() bool                { return endpoint.isV6 }
+func (endpoint *LinuxSocketEndpoint) Src4() *ipv4Source         { return endpoint.src4() }
+func (endpoint *LinuxSocketEndpoint) Dst4() *unix.SockaddrInet4 { return endpoint.dst4() }
+func (endpoint *LinuxSocketEndpoint) IsV6() bool                { return endpoint.isV6 }

-func (endpoint *NativeEndpoint) src4() *IPv4Source {
-	return (*IPv4Source)(unsafe.Pointer(&endpoint.src[0]))
+func (endpoint *LinuxSocketEndpoint) src4() *ipv4Source {
+	return (*ipv4Source)(unsafe.Pointer(&endpoint.src[0]))
 }

-func (endpoint *NativeEndpoint) src6() *IPv6Source {
-	return (*IPv6Source)(unsafe.Pointer(&endpoint.src[0]))
+func (endpoint *LinuxSocketEndpoint) src6() *ipv6Source {
+	return (*ipv6Source)(unsafe.Pointer(&endpoint.src[0]))
 }

-func (endpoint *NativeEndpoint) dst4() *unix.SockaddrInet4 {
+func (endpoint *LinuxSocketEndpoint) dst4() *unix.SockaddrInet4 {
 	return (*unix.SockaddrInet4)(unsafe.Pointer(&endpoint.dst[0]))
 }

-func (endpoint *NativeEndpoint) dst6() *unix.SockaddrInet6 {
+func (endpoint *LinuxSocketEndpoint) dst6() *unix.SockaddrInet6 {
 	return (*unix.SockaddrInet6)(unsafe.Pointer(&endpoint.dst[0]))
 }

-type nativeBind struct {
-	sock4    int
-	sock6    int
-	lastMark uint32
-	closing  sync.RWMutex
+// LinuxSocketBind uses sendmsg and recvmsg to implement a full bind with sticky sockets on Linux.
+type LinuxSocketBind struct {
+	// mu guards sock4 and sock6 and the associated fds.
+	// As long as someone holds mu (read or write), the associated fds are valid.
+	mu    sync.RWMutex
+	sock4 int
+	sock6 int
 }

-var _ Endpoint = (*NativeEndpoint)(nil)
-var _ Bind = (*nativeBind)(nil)
+func NewLinuxSocketBind() Bind { return &LinuxSocketBind{sock4: -1, sock6: -1} }
+func NewDefaultBind() Bind     { return NewLinuxSocketBind() }

-func CreateEndpoint(s string) (Endpoint, error) {
-	var end NativeEndpoint
-	addr, err := parseEndpoint(s)
+var (
+	_ Endpoint = (*LinuxSocketEndpoint)(nil)
+	_ Bind     = (*LinuxSocketBind)(nil)
+)
+
+func (*LinuxSocketBind) ParseEndpoint(s string) (Endpoint, error) {
+	var end LinuxSocketEndpoint
+	e, err := netip.ParseAddrPort(s)
 	if err != nil {
 		return nil, err
 	}

-	ipv4 := addr.IP.To4()
-	if ipv4 != nil {
+	if e.Addr().Is4() {
 		dst := end.dst4()
 		end.isV6 = false
-		dst.Port = addr.Port
-		copy(dst.Addr[:], ipv4)
+		dst.Port = int(e.Port())
+		dst.Addr = e.Addr().As4()
 		end.ClearSrc()
 		return &end, nil
 	}

-	ipv6 := addr.IP.To16()
-	if ipv6 != nil {
-		zone, err := zoneToUint32(addr.Zone)
+	if e.Addr().Is6() {
+		zone, err := zoneToUint32(e.Addr().Zone())
 		if err != nil {
 			return nil, err
 		}
 		dst := end.dst6()
 		end.isV6 = true
-		dst.Port = addr.Port
+		dst.Port = int(e.Port())
 		dst.ZoneId = zone
-		copy(dst.Addr[:], ipv6[:])
+		dst.Addr = e.Addr().As16()
 		end.ClearSrc()
 		return &end, nil
 	}

-	return nil, errors.New("Invalid IP address")
+	return nil, errors.New("invalid IP address")
 }

-func createBind(port uint16) (Bind, uint16, error) {
+func (bind *LinuxSocketBind) Open(port uint16) ([]ReceiveFunc, uint16, error) {
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+
 	var err error
-	var bind nativeBind
 	var newPort uint16
 	var tries int
+
+	if bind.sock4 != -1 || bind.sock6 != -1 {
+		return nil, 0, ErrBindAlreadyOpen
+	}
+
 	originalPort := port

 again:
 	port = originalPort
+	var sock4, sock6 int
 	// Attempt ipv6 bind, update port if successful.
-	bind.sock6, newPort, err = create6(port)
+	sock6, newPort, err = create6(port)
 	if err != nil {
-		if err != syscall.EAFNOSUPPORT {
+		if !errors.Is(err, syscall.EAFNOSUPPORT) {
 			return nil, 0, err
 		}
 	} else {
@@ -120,35 +132,39 @@ again:
 	}

 	// Attempt ipv4 bind, update port if successful.
-	bind.sock4, newPort, err = create4(port)
+	sock4, newPort, err = create4(port)
 	if err != nil {
-		if originalPort == 0 && err == syscall.EADDRINUSE && tries < 100 {
-			unix.Close(bind.sock6)
+		if originalPort == 0 && errors.Is(err, syscall.EADDRINUSE) && tries < 100 {
+			unix.Close(sock6)
 			tries++
 			goto again
 		}
-		if err != syscall.EAFNOSUPPORT {
-			unix.Close(bind.sock6)
+		if !errors.Is(err, syscall.EAFNOSUPPORT) {
+			unix.Close(sock6)
 			return nil, 0, err
 		}
 	} else {
 		port = newPort
 	}

-	if bind.sock4 == -1 && bind.sock6 == -1 {
-		return nil, 0, errors.New("ipv4 and ipv6 not supported")
+	var fns []ReceiveFunc
+	if sock4 != -1 {
+		bind.sock4 = sock4
+		fns = append(fns, bind.receiveIPv4)
 	}
-
-	return &bind, port, nil
+	if sock6 != -1 {
+		bind.sock6 = sock6
+		fns = append(fns, bind.receiveIPv6)
+	}
+	if len(fns) == 0 {
+		return nil, 0, syscall.EAFNOSUPPORT
+	}
+	return fns, port, nil
 }

-func (bind *nativeBind) LastMark() uint32 {
-	return bind.lastMark
-}
-
-func (bind *nativeBind) SetMark(value uint32) error {
-	bind.closing.RLock()
-	defer bind.closing.RUnlock()
+func (bind *LinuxSocketBind) SetMark(value uint32) error {
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()

 	if bind.sock6 != -1 {
 		err := unix.SetsockoptInt(
@@ -157,7 +173,6 @@ func (bind *nativeBind) SetMark(value uint32) error {
 			unix.SO_MARK,
 			int(value),
 		)
-
 		if err != nil {
 			return err
 		}
@@ -170,27 +185,29 @@ func (bind *nativeBind) SetMark(value uint32) error {
 			unix.SO_MARK,
 			int(value),
 		)
-
 		if err != nil {
 			return err
 		}
 	}

-	bind.lastMark = value
 	return nil
 }

-func (bind *nativeBind) Close() error {
-	var err1, err2 error
-	bind.closing.RLock()
+func (bind *LinuxSocketBind) Close() error {
+	// Take a readlock to shut down the sockets...
+	bind.mu.RLock()
 	if bind.sock6 != -1 {
 		unix.Shutdown(bind.sock6, unix.SHUT_RDWR)
 	}
 	if bind.sock4 != -1 {
 		unix.Shutdown(bind.sock4, unix.SHUT_RDWR)
 	}
-	bind.closing.RUnlock()
-	bind.closing.Lock()
+	bind.mu.RUnlock()
+	// ...and a write lock to close the fd.
+	// This ensures that no one else is using the fd.
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+	var err1, err2 error
 	if bind.sock6 != -1 {
 		err1 = unix.Close(bind.sock6)
 		bind.sock6 = -1
@@ -199,7 +216,6 @@ func (bind *nativeBind) Close() error {
 		err2 = unix.Close(bind.sock4)
 		bind.sock4 = -1
 	}
-	bind.closing.Unlock()

 	if err1 != nil {
 		return err1
@@ -207,83 +223,65 @@ func (bind *nativeBind) Close() error {
 	return err2
 }

-func (bind *nativeBind) ReceiveIPv6(buff []byte) (int, Endpoint, error) {
-	bind.closing.RLock()
-	defer bind.closing.RUnlock()
-
-	var end NativeEndpoint
-	if bind.sock6 == -1 {
-		return 0, nil, NetErrClosed
-	}
-	n, err := receive6(
-		bind.sock6,
-		buff,
-		&end,
-	)
-	return n, &end, err
-}
-
-func (bind *nativeBind) ReceiveIPv4(buff []byte) (int, Endpoint, error) {
-	bind.closing.RLock()
-	defer bind.closing.RUnlock()
-
-	var end NativeEndpoint
+func (bind *LinuxSocketBind) receiveIPv4(buf []byte) (int, Endpoint, error) {
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
 	if bind.sock4 == -1 {
-		return 0, nil, NetErrClosed
+		return 0, nil, net.ErrClosed
 	}
-	n, err := receive4(
-		bind.sock4,
-		buff,
-		&end,
-	)
+	var end LinuxSocketEndpoint
+	n, err := receive4(bind.sock4, buf, &end)
 	return n, &end, err
 }

-func (bind *nativeBind) Send(buff []byte, end Endpoint) error {
-	bind.closing.RLock()
-	defer bind.closing.RUnlock()
+func (bind *LinuxSocketBind) receiveIPv6(buf []byte) (int, Endpoint, error) {
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
+	if bind.sock6 == -1 {
+		return 0, nil, net.ErrClosed
+	}
+	var end LinuxSocketEndpoint
+	n, err := receive6(bind.sock6, buf, &end)
+	return n, &end, err
+}

-	nend := end.(*NativeEndpoint)
+func (bind *LinuxSocketBind) Send(buff []byte, end Endpoint) error {
+	nend, ok := end.(*LinuxSocketEndpoint)
+	if !ok {
+		return ErrWrongEndpointType
+	}
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
 	if !nend.isV6 {
 		if bind.sock4 == -1 {
-			return NetErrClosed
+			return net.ErrClosed
 		}
 		return send4(bind.sock4, nend, buff)
 	} else {
 		if bind.sock6 == -1 {
-			return NetErrClosed
+			return net.ErrClosed
 		}
 		return send6(bind.sock6, nend, buff)
 	}
 }

-func (end *NativeEndpoint) SrcIP() net.IP {
+func (end *LinuxSocketEndpoint) SrcIP() netip.Addr {
 	if !end.isV6 {
-		return net.IPv4(
-			end.src4().Src[0],
-			end.src4().Src[1],
-			end.src4().Src[2],
-			end.src4().Src[3],
-		)
+		return netip.AddrFrom4(end.src4().Src)
 	} else {
-		return end.src6().src[:]
+		return netip.AddrFrom16(end.src6().src)
 	}
 }

-func (end *NativeEndpoint) DstIP() net.IP {
+func (end *LinuxSocketEndpoint) DstIP() netip.Addr {
 	if !end.isV6 {
-		return net.IPv4(
-			end.dst4().Addr[0],
-			end.dst4().Addr[1],
-			end.dst4().Addr[2],
-			end.dst4().Addr[3],
-		)
+		return netip.AddrFrom4(end.dst4().Addr)
 	} else {
-		return end.dst6().Addr[:]
+		return netip.AddrFrom16(end.dst6().Addr)
 	}
 }

-func (end *NativeEndpoint) DstToBytes() []byte {
+func (end *LinuxSocketEndpoint) DstToBytes() []byte {
 	if !end.isV6 {
 		return (*[unsafe.Offsetof(end.dst4().Addr) + unsafe.Sizeof(end.dst4().Addr)]byte)(unsafe.Pointer(end.dst4()))[:]
 	} else {
@@ -291,28 +289,27 @@ func (end *NativeEndpoint) DstToBytes() []byte {
 	}
 }

-func (end *NativeEndpoint) SrcToString() string {
+func (end *LinuxSocketEndpoint) SrcToString() string {
 	return end.SrcIP().String()
 }

-func (end *NativeEndpoint) DstToString() string {
-	var udpAddr net.UDPAddr
-	udpAddr.IP = end.DstIP()
+func (end *LinuxSocketEndpoint) DstToString() string {
+	var port int
 	if !end.isV6 {
-		udpAddr.Port = end.dst4().Port
+		port = end.dst4().Port
 	} else {
-		udpAddr.Port = end.dst6().Port
+		port = end.dst6().Port
 	}
-	return udpAddr.String()
+	return netip.AddrPortFrom(end.DstIP(), uint16(port)).String()
 }

-func (end *NativeEndpoint) ClearDst() {
+func (end *LinuxSocketEndpoint) ClearDst() {
 	for i := range end.dst {
 		end.dst[i] = 0
 	}
 }

-func (end *NativeEndpoint) ClearSrc() {
+func (end *LinuxSocketEndpoint) ClearSrc() {
 	for i := range end.src {
 		end.src[i] = 0
 	}
@@ -330,7 +327,6 @@ func zoneToUint32(zone string) (uint32, error) {
 }

 func create4(port uint16) (int, uint16, error) {
-
 	// create socket

 	fd, err := unix.Socket(
@@ -338,7 +334,6 @@ func create4(port uint16) (int, uint16, error) {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return -1, 0, err
 	}
@@ -374,7 +369,6 @@ func create4(port uint16) (int, uint16, error) {
 }

 func create6(port uint16) (int, uint16, error) {
-
 	// create socket

 	fd, err := unix.Socket(
@@ -382,7 +376,6 @@ func create6(port uint16) (int, uint16, error) {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return -1, 0, err
 	}
@@ -413,7 +406,6 @@ func create6(port uint16) (int, uint16, error) {
 		}

 		return unix.Bind(fd, &addr)
-
 	}(); err != nil {
 		unix.Close(fd)
 		return -1, 0, err
@@ -427,8 +419,7 @@ func create6(port uint16) (int, uint16, error) {
 	return fd, uint16(addr.Port), err
 }

-func send4(sock int, end *NativeEndpoint, buff []byte) error {
-
+func send4(sock int, end *LinuxSocketEndpoint, buff []byte) error {
 	// construct message header

 	cmsg := struct {
@@ -446,9 +437,9 @@ func send4(sock int, end *NativeEndpoint, buff []byte) error {
 		},
 	}

-	end.Lock()
+	end.mu.Lock()
 	_, err := unix.SendmsgN(sock, buff, (*[unsafe.Sizeof(cmsg)]byte)(unsafe.Pointer(&cmsg))[:], end.dst4(), 0)
-	end.Unlock()
+	end.mu.Unlock()

 	if err == nil {
 		return nil
@@ -459,16 +450,15 @@ func send4(sock int, end *NativeEndpoint, buff []byte) error {
 	if err == unix.EINVAL {
 		end.ClearSrc()
 		cmsg.pktinfo = unix.Inet4Pktinfo{}
-		end.Lock()
+		end.mu.Lock()
 		_, err = unix.SendmsgN(sock, buff, (*[unsafe.Sizeof(cmsg)]byte)(unsafe.Pointer(&cmsg))[:], end.dst4(), 0)
-		end.Unlock()
+		end.mu.Unlock()
 	}

 	return err
 }

-func send6(sock int, end *NativeEndpoint, buff []byte) error {
-
+func send6(sock int, end *LinuxSocketEndpoint, buff []byte) error {
 	// construct message header

 	cmsg := struct {
@@ -490,9 +480,9 @@ func send6(sock int, end *NativeEndpoint, buff []byte) error {
 		cmsg.pktinfo.Ifindex = 0
 	}

-	end.Lock()
+	end.mu.Lock()
 	_, err := unix.SendmsgN(sock, buff, (*[unsafe.Sizeof(cmsg)]byte)(unsafe.Pointer(&cmsg))[:], end.dst6(), 0)
-	end.Unlock()
+	end.mu.Unlock()

 	if err == nil {
 		return nil
@@ -503,16 +493,15 @@ func send6(sock int, end *NativeEndpoint, buff []byte) error {
 	if err == unix.EINVAL {
 		end.ClearSrc()
 		cmsg.pktinfo = unix.Inet6Pktinfo{}
-		end.Lock()
+		end.mu.Lock()
 		_, err = unix.SendmsgN(sock, buff, (*[unsafe.Sizeof(cmsg)]byte)(unsafe.Pointer(&cmsg))[:], end.dst6(), 0)
-		end.Unlock()
+		end.mu.Unlock()
 	}

 	return err
 }

-func receive4(sock int, buff []byte, end *NativeEndpoint) (int, error) {
-
+func receive4(sock int, buff []byte, end *LinuxSocketEndpoint) (int, error) {
 	// construct message header

 	var cmsg struct {
@@ -521,7 +510,6 @@ func receive4(sock int, buff []byte, end *NativeEndpoint) (int, error) {
 	}

 	size, _, _, newDst, err := unix.Recvmsg(sock, buff, (*[unsafe.Sizeof(cmsg)]byte)(unsafe.Pointer(&cmsg))[:], 0)
-
 	if err != nil {
 		return 0, err
 	}
@@ -543,8 +531,7 @@ func receive4(sock int, buff []byte, end *NativeEndpoint) (int, error) {
 	return size, nil
 }

-func receive6(sock int, buff []byte, end *NativeEndpoint) (int, error) {
-
+func receive6(sock int, buff []byte, end *LinuxSocketEndpoint) (int, error) {
 	// construct message header

 	var cmsg struct {
@@ -553,7 +540,6 @@ func receive6(sock int, buff []byte, end *NativeEndpoint) (int, error) {
 	}

 	size, _, _, newDst, err := unix.Recvmsg(sock, buff, (*[unsafe.Sizeof(cmsg)]byte)(unsafe.Pointer(&cmsg))[:], 0)
-
 	if err != nil {
 		return 0, err
 	}
--- a/conn/bind_std.go
+++ b/conn/bind_std.go
@@ -0,0 +1,204 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package conn
+
+import (
+	"errors"
+	"net"
+	"net/netip"
+	"sync"
+	"syscall"
+)
+
+// StdNetBind is meant to be a temporary solution on platforms for which
+// the sticky socket / source caching behavior has not yet been implemented.
+// It uses the Go's net package to implement networking.
+// See LinuxSocketBind for a proper implementation on the Linux platform.
+type StdNetBind struct {
+	mu         sync.Mutex // protects following fields
+	ipv4       *net.UDPConn
+	ipv6       *net.UDPConn
+	blackhole4 bool
+	blackhole6 bool
+}
+
+func NewStdNetBind() Bind { return &StdNetBind{} }
+
+type StdNetEndpoint net.UDPAddr
+
+var (
+	_ Bind     = (*StdNetBind)(nil)
+	_ Endpoint = (*StdNetEndpoint)(nil)
+)
+
+func (*StdNetBind) ParseEndpoint(s string) (Endpoint, error) {
+	e, err := netip.ParseAddrPort(s)
+	return (*StdNetEndpoint)(&net.UDPAddr{
+		IP:   e.Addr().AsSlice(),
+		Port: int(e.Port()),
+		Zone: e.Addr().Zone(),
+	}), err
+}
+
+func (*StdNetEndpoint) ClearSrc() {}
+
+func (e *StdNetEndpoint) DstIP() netip.Addr {
+	a, _ := netip.AddrFromSlice((*net.UDPAddr)(e).IP)
+	return a
+}
+
+func (e *StdNetEndpoint) SrcIP() netip.Addr {
+	return netip.Addr{} // not supported
+}
+
+func (e *StdNetEndpoint) DstToBytes() []byte {
+	addr := (*net.UDPAddr)(e)
+	out := addr.IP.To4()
+	if out == nil {
+		out = addr.IP
+	}
+	out = append(out, byte(addr.Port&0xff))
+	out = append(out, byte((addr.Port>>8)&0xff))
+	return out
+}
+
+func (e *StdNetEndpoint) DstToString() string {
+	return (*net.UDPAddr)(e).String()
+}
+
+func (e *StdNetEndpoint) SrcToString() string {
+	return ""
+}
+
+func listenNet(network string, port int) (*net.UDPConn, int, error) {
+	conn, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Retrieve port.
+	laddr := conn.LocalAddr()
+	uaddr, err := net.ResolveUDPAddr(
+		laddr.Network(),
+		laddr.String(),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	return conn, uaddr.Port, nil
+}
+
+func (bind *StdNetBind) Open(uport uint16) ([]ReceiveFunc, uint16, error) {
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+
+	var err error
+	var tries int
+
+	if bind.ipv4 != nil || bind.ipv6 != nil {
+		return nil, 0, ErrBindAlreadyOpen
+	}
+
+	// Attempt to open ipv4 and ipv6 listeners on the same port.
+	// If uport is 0, we can retry on failure.
+again:
+	port := int(uport)
+	var ipv4, ipv6 *net.UDPConn
+
+	ipv4, port, err = listenNet("udp4", port)
+	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return nil, 0, err
+	}
+
+	// Listen on the same port as we're using for ipv4.
+	ipv6, port, err = listenNet("udp6", port)
+	if uport == 0 && errors.Is(err, syscall.EADDRINUSE) && tries < 100 {
+		ipv4.Close()
+		tries++
+		goto again
+	}
+	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		ipv4.Close()
+		return nil, 0, err
+	}
+	var fns []ReceiveFunc
+	if ipv4 != nil {
+		fns = append(fns, bind.makeReceiveIPv4(ipv4))
+		bind.ipv4 = ipv4
+	}
+	if ipv6 != nil {
+		fns = append(fns, bind.makeReceiveIPv6(ipv6))
+		bind.ipv6 = ipv6
+	}
+	if len(fns) == 0 {
+		return nil, 0, syscall.EAFNOSUPPORT
+	}
+	return fns, uint16(port), nil
+}
+
+func (bind *StdNetBind) Close() error {
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+
+	var err1, err2 error
+	if bind.ipv4 != nil {
+		err1 = bind.ipv4.Close()
+		bind.ipv4 = nil
+	}
+	if bind.ipv6 != nil {
+		err2 = bind.ipv6.Close()
+		bind.ipv6 = nil
+	}
+	bind.blackhole4 = false
+	bind.blackhole6 = false
+	if err1 != nil {
+		return err1
+	}
+	return err2
+}
+
+func (*StdNetBind) makeReceiveIPv4(conn *net.UDPConn) ReceiveFunc {
+	return func(buff []byte) (int, Endpoint, error) {
+		n, endpoint, err := conn.ReadFromUDP(buff)
+		if endpoint != nil {
+			endpoint.IP = endpoint.IP.To4()
+		}
+		return n, (*StdNetEndpoint)(endpoint), err
+	}
+}
+
+func (*StdNetBind) makeReceiveIPv6(conn *net.UDPConn) ReceiveFunc {
+	return func(buff []byte) (int, Endpoint, error) {
+		n, endpoint, err := conn.ReadFromUDP(buff)
+		return n, (*StdNetEndpoint)(endpoint), err
+	}
+}
+
+func (bind *StdNetBind) Send(buff []byte, endpoint Endpoint) error {
+	var err error
+	nend, ok := endpoint.(*StdNetEndpoint)
+	if !ok {
+		return ErrWrongEndpointType
+	}
+
+	bind.mu.Lock()
+	blackhole := bind.blackhole4
+	conn := bind.ipv4
+	if nend.IP.To4() == nil {
+		blackhole = bind.blackhole6
+		conn = bind.ipv6
+	}
+	bind.mu.Unlock()
+
+	if blackhole {
+		return nil
+	}
+	if conn == nil {
+		return syscall.EAFNOSUPPORT
+	}
+	_, err = conn.WriteToUDP(buff, (*net.UDPAddr)(nend))
+	return err
+}
--- a/conn/bind_windows.go
+++ b/conn/bind_windows.go
@@ -0,0 +1,582 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package conn
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+	"net/netip"
+	"strconv"
+	"sync"
+	"sync/atomic"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+
+	"golang.zx2c4.com/wireguard/conn/winrio"
+)
+
+const (
+	packetsPerRing = 1024
+	bytesPerPacket = 2048 - 32
+	receiveSpins   = 15
+)
+
+type ringPacket struct {
+	addr WinRingEndpoint
+	data [bytesPerPacket]byte
+}
+
+type ringBuffer struct {
+	packets    uintptr
+	head, tail uint32
+	id         winrio.BufferId
+	iocp       windows.Handle
+	isFull     bool
+	cq         winrio.Cq
+	mu         sync.Mutex
+	overlapped windows.Overlapped
+}
+
+func (rb *ringBuffer) Push() *ringPacket {
+	for rb.isFull {
+		panic("ring is full")
+	}
+	ret := (*ringPacket)(unsafe.Pointer(rb.packets + (uintptr(rb.tail%packetsPerRing) * unsafe.Sizeof(ringPacket{}))))
+	rb.tail += 1
+	if rb.tail%packetsPerRing == rb.head%packetsPerRing {
+		rb.isFull = true
+	}
+	return ret
+}
+
+func (rb *ringBuffer) Return(count uint32) {
+	if rb.head%packetsPerRing == rb.tail%packetsPerRing && !rb.isFull {
+		return
+	}
+	rb.head += count
+	rb.isFull = false
+}
+
+type afWinRingBind struct {
+	sock      windows.Handle
+	rx, tx    ringBuffer
+	rq        winrio.Rq
+	mu        sync.Mutex
+	blackhole bool
+}
+
+// WinRingBind uses Windows registered I/O for fast ring buffered networking.
+type WinRingBind struct {
+	v4, v6 afWinRingBind
+	mu     sync.RWMutex
+	isOpen uint32
+}
+
+func NewDefaultBind() Bind { return NewWinRingBind() }
+
+func NewWinRingBind() Bind {
+	if !winrio.Initialize() {
+		return NewStdNetBind()
+	}
+	return new(WinRingBind)
+}
+
+type WinRingEndpoint struct {
+	family uint16
+	data   [30]byte
+}
+
+var (
+	_ Bind     = (*WinRingBind)(nil)
+	_ Endpoint = (*WinRingEndpoint)(nil)
+)
+
+func (*WinRingBind) ParseEndpoint(s string) (Endpoint, error) {
+	host, port, err := net.SplitHostPort(s)
+	if err != nil {
+		return nil, err
+	}
+	host16, err := windows.UTF16PtrFromString(host)
+	if err != nil {
+		return nil, err
+	}
+	port16, err := windows.UTF16PtrFromString(port)
+	if err != nil {
+		return nil, err
+	}
+	hints := windows.AddrinfoW{
+		Flags:    windows.AI_NUMERICHOST,
+		Family:   windows.AF_UNSPEC,
+		Socktype: windows.SOCK_DGRAM,
+		Protocol: windows.IPPROTO_UDP,
+	}
+	var addrinfo *windows.AddrinfoW
+	err = windows.GetAddrInfoW(host16, port16, &hints, &addrinfo)
+	if err != nil {
+		return nil, err
+	}
+	defer windows.FreeAddrInfoW(addrinfo)
+	if (addrinfo.Family != windows.AF_INET && addrinfo.Family != windows.AF_INET6) || addrinfo.Addrlen > unsafe.Sizeof(WinRingEndpoint{}) {
+		return nil, windows.ERROR_INVALID_ADDRESS
+	}
+	var dst [unsafe.Sizeof(WinRingEndpoint{})]byte
+	copy(dst[:], unsafe.Slice((*byte)(unsafe.Pointer(addrinfo.Addr)), addrinfo.Addrlen))
+	return (*WinRingEndpoint)(unsafe.Pointer(&dst[0])), nil
+}
+
+func (*WinRingEndpoint) ClearSrc() {}
+
+func (e *WinRingEndpoint) DstIP() netip.Addr {
+	switch e.family {
+	case windows.AF_INET:
+		return netip.AddrFrom4(*(*[4]byte)(e.data[2:6]))
+	case windows.AF_INET6:
+		return netip.AddrFrom16(*(*[16]byte)(e.data[6:22]))
+	}
+	return netip.Addr{}
+}
+
+func (e *WinRingEndpoint) SrcIP() netip.Addr {
+	return netip.Addr{} // not supported
+}
+
+func (e *WinRingEndpoint) DstToBytes() []byte {
+	switch e.family {
+	case windows.AF_INET:
+		b := make([]byte, 0, 6)
+		b = append(b, e.data[2:6]...)
+		b = append(b, e.data[1], e.data[0])
+		return b
+	case windows.AF_INET6:
+		b := make([]byte, 0, 18)
+		b = append(b, e.data[6:22]...)
+		b = append(b, e.data[1], e.data[0])
+		return b
+	}
+	return nil
+}
+
+func (e *WinRingEndpoint) DstToString() string {
+	switch e.family {
+	case windows.AF_INET:
+		netip.AddrPortFrom(netip.AddrFrom4(*(*[4]byte)(e.data[2:6])), binary.BigEndian.Uint16(e.data[0:2])).String()
+	case windows.AF_INET6:
+		var zone string
+		if scope := *(*uint32)(unsafe.Pointer(&e.data[22])); scope > 0 {
+			zone = strconv.FormatUint(uint64(scope), 10)
+		}
+		return netip.AddrPortFrom(netip.AddrFrom16(*(*[16]byte)(e.data[6:22])).WithZone(zone), binary.BigEndian.Uint16(e.data[0:2])).String()
+	}
+	return ""
+}
+
+func (e *WinRingEndpoint) SrcToString() string {
+	return ""
+}
+
+func (ring *ringBuffer) CloseAndZero() {
+	if ring.cq != 0 {
+		winrio.CloseCompletionQueue(ring.cq)
+		ring.cq = 0
+	}
+	if ring.iocp != 0 {
+		windows.CloseHandle(ring.iocp)
+		ring.iocp = 0
+	}
+	if ring.id != 0 {
+		winrio.DeregisterBuffer(ring.id)
+		ring.id = 0
+	}
+	if ring.packets != 0 {
+		windows.VirtualFree(ring.packets, 0, windows.MEM_RELEASE)
+		ring.packets = 0
+	}
+	ring.head = 0
+	ring.tail = 0
+	ring.isFull = false
+}
+
+func (bind *afWinRingBind) CloseAndZero() {
+	bind.rx.CloseAndZero()
+	bind.tx.CloseAndZero()
+	if bind.sock != 0 {
+		windows.CloseHandle(bind.sock)
+		bind.sock = 0
+	}
+	bind.blackhole = false
+}
+
+func (bind *WinRingBind) closeAndZero() {
+	atomic.StoreUint32(&bind.isOpen, 0)
+	bind.v4.CloseAndZero()
+	bind.v6.CloseAndZero()
+}
+
+func (ring *ringBuffer) Open() error {
+	var err error
+	packetsLen := unsafe.Sizeof(ringPacket{}) * packetsPerRing
+	ring.packets, err = windows.VirtualAlloc(0, packetsLen, windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE)
+	if err != nil {
+		return err
+	}
+	ring.id, err = winrio.RegisterPointer(unsafe.Pointer(ring.packets), uint32(packetsLen))
+	if err != nil {
+		return err
+	}
+	ring.iocp, err = windows.CreateIoCompletionPort(windows.InvalidHandle, 0, 0, 0)
+	if err != nil {
+		return err
+	}
+	ring.cq, err = winrio.CreateIOCPCompletionQueue(packetsPerRing, ring.iocp, 0, &ring.overlapped)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (bind *afWinRingBind) Open(family int32, sa windows.Sockaddr) (windows.Sockaddr, error) {
+	var err error
+	bind.sock, err = winrio.Socket(family, windows.SOCK_DGRAM, windows.IPPROTO_UDP)
+	if err != nil {
+		return nil, err
+	}
+	err = bind.rx.Open()
+	if err != nil {
+		return nil, err
+	}
+	err = bind.tx.Open()
+	if err != nil {
+		return nil, err
+	}
+	bind.rq, err = winrio.CreateRequestQueue(bind.sock, packetsPerRing, 1, packetsPerRing, 1, bind.rx.cq, bind.tx.cq, 0)
+	if err != nil {
+		return nil, err
+	}
+	err = windows.Bind(bind.sock, sa)
+	if err != nil {
+		return nil, err
+	}
+	sa, err = windows.Getsockname(bind.sock)
+	if err != nil {
+		return nil, err
+	}
+	return sa, nil
+}
+
+func (bind *WinRingBind) Open(port uint16) (recvFns []ReceiveFunc, selectedPort uint16, err error) {
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+	defer func() {
+		if err != nil {
+			bind.closeAndZero()
+		}
+	}()
+	if atomic.LoadUint32(&bind.isOpen) != 0 {
+		return nil, 0, ErrBindAlreadyOpen
+	}
+	var sa windows.Sockaddr
+	sa, err = bind.v4.Open(windows.AF_INET, &windows.SockaddrInet4{Port: int(port)})
+	if err != nil {
+		return nil, 0, err
+	}
+	sa, err = bind.v6.Open(windows.AF_INET6, &windows.SockaddrInet6{Port: sa.(*windows.SockaddrInet4).Port})
+	if err != nil {
+		return nil, 0, err
+	}
+	selectedPort = uint16(sa.(*windows.SockaddrInet6).Port)
+	for i := 0; i < packetsPerRing; i++ {
+		err = bind.v4.InsertReceiveRequest()
+		if err != nil {
+			return nil, 0, err
+		}
+		err = bind.v6.InsertReceiveRequest()
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+	atomic.StoreUint32(&bind.isOpen, 1)
+	return []ReceiveFunc{bind.receiveIPv4, bind.receiveIPv6}, selectedPort, err
+}
+
+func (bind *WinRingBind) Close() error {
+	bind.mu.RLock()
+	if atomic.LoadUint32(&bind.isOpen) != 1 {
+		bind.mu.RUnlock()
+		return nil
+	}
+	atomic.StoreUint32(&bind.isOpen, 2)
+	windows.PostQueuedCompletionStatus(bind.v4.rx.iocp, 0, 0, nil)
+	windows.PostQueuedCompletionStatus(bind.v4.tx.iocp, 0, 0, nil)
+	windows.PostQueuedCompletionStatus(bind.v6.rx.iocp, 0, 0, nil)
+	windows.PostQueuedCompletionStatus(bind.v6.tx.iocp, 0, 0, nil)
+	bind.mu.RUnlock()
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+	bind.closeAndZero()
+	return nil
+}
+
+func (bind *WinRingBind) SetMark(mark uint32) error {
+	return nil
+}
+
+func (bind *afWinRingBind) InsertReceiveRequest() error {
+	packet := bind.rx.Push()
+	dataBuffer := &winrio.Buffer{
+		Id:     bind.rx.id,
+		Offset: uint32(uintptr(unsafe.Pointer(&packet.data[0])) - bind.rx.packets),
+		Length: uint32(len(packet.data)),
+	}
+	addressBuffer := &winrio.Buffer{
+		Id:     bind.rx.id,
+		Offset: uint32(uintptr(unsafe.Pointer(&packet.addr)) - bind.rx.packets),
+		Length: uint32(unsafe.Sizeof(packet.addr)),
+	}
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+	return winrio.ReceiveEx(bind.rq, dataBuffer, 1, nil, addressBuffer, nil, nil, 0, uintptr(unsafe.Pointer(packet)))
+}
+
+//go:linkname procyield runtime.procyield
+func procyield(cycles uint32)
+
+func (bind *afWinRingBind) Receive(buf []byte, isOpen *uint32) (int, Endpoint, error) {
+	if atomic.LoadUint32(isOpen) != 1 {
+		return 0, nil, net.ErrClosed
+	}
+	bind.rx.mu.Lock()
+	defer bind.rx.mu.Unlock()
+
+	var err error
+	var count uint32
+	var results [1]winrio.Result
+retry:
+	count = 0
+	for tries := 0; count == 0 && tries < receiveSpins; tries++ {
+		if tries > 0 {
+			if atomic.LoadUint32(isOpen) != 1 {
+				return 0, nil, net.ErrClosed
+			}
+			procyield(1)
+		}
+		count = winrio.DequeueCompletion(bind.rx.cq, results[:])
+	}
+	if count == 0 {
+		err = winrio.Notify(bind.rx.cq)
+		if err != nil {
+			return 0, nil, err
+		}
+		var bytes uint32
+		var key uintptr
+		var overlapped *windows.Overlapped
+		err = windows.GetQueuedCompletionStatus(bind.rx.iocp, &bytes, &key, &overlapped, windows.INFINITE)
+		if err != nil {
+			return 0, nil, err
+		}
+		if atomic.LoadUint32(isOpen) != 1 {
+			return 0, nil, net.ErrClosed
+		}
+		count = winrio.DequeueCompletion(bind.rx.cq, results[:])
+		if count == 0 {
+			return 0, nil, io.ErrNoProgress
+		}
+	}
+	bind.rx.Return(1)
+	err = bind.InsertReceiveRequest()
+	if err != nil {
+		return 0, nil, err
+	}
+	// We limit the MTU well below the 65k max for practicality, but this means a remote host can still send us
+	// huge packets. Just try again when this happens. The infinite loop this could cause is still limited to
+	// attacker bandwidth, just like the rest of the receive path.
+	if windows.Errno(results[0].Status) == windows.WSAEMSGSIZE {
+		if atomic.LoadUint32(isOpen) != 1 {
+			return 0, nil, net.ErrClosed
+		}
+		goto retry
+	}
+	if results[0].Status != 0 {
+		return 0, nil, windows.Errno(results[0].Status)
+	}
+	packet := (*ringPacket)(unsafe.Pointer(uintptr(results[0].RequestContext)))
+	ep := packet.addr
+	n := copy(buf, packet.data[:results[0].BytesTransferred])
+	return n, &ep, nil
+}
+
+func (bind *WinRingBind) receiveIPv4(buf []byte) (int, Endpoint, error) {
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
+	return bind.v4.Receive(buf, &bind.isOpen)
+}
+
+func (bind *WinRingBind) receiveIPv6(buf []byte) (int, Endpoint, error) {
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
+	return bind.v6.Receive(buf, &bind.isOpen)
+}
+
+func (bind *afWinRingBind) Send(buf []byte, nend *WinRingEndpoint, isOpen *uint32) error {
+	if atomic.LoadUint32(isOpen) != 1 {
+		return net.ErrClosed
+	}
+	if len(buf) > bytesPerPacket {
+		return io.ErrShortBuffer
+	}
+	bind.tx.mu.Lock()
+	defer bind.tx.mu.Unlock()
+	var results [packetsPerRing]winrio.Result
+	count := winrio.DequeueCompletion(bind.tx.cq, results[:])
+	if count == 0 && bind.tx.isFull {
+		err := winrio.Notify(bind.tx.cq)
+		if err != nil {
+			return err
+		}
+		var bytes uint32
+		var key uintptr
+		var overlapped *windows.Overlapped
+		err = windows.GetQueuedCompletionStatus(bind.tx.iocp, &bytes, &key, &overlapped, windows.INFINITE)
+		if err != nil {
+			return err
+		}
+		if atomic.LoadUint32(isOpen) != 1 {
+			return net.ErrClosed
+		}
+		count = winrio.DequeueCompletion(bind.tx.cq, results[:])
+		if count == 0 {
+			return io.ErrNoProgress
+		}
+	}
+	if count > 0 {
+		bind.tx.Return(count)
+	}
+	packet := bind.tx.Push()
+	packet.addr = *nend
+	copy(packet.data[:], buf)
+	dataBuffer := &winrio.Buffer{
+		Id:     bind.tx.id,
+		Offset: uint32(uintptr(unsafe.Pointer(&packet.data[0])) - bind.tx.packets),
+		Length: uint32(len(buf)),
+	}
+	addressBuffer := &winrio.Buffer{
+		Id:     bind.tx.id,
+		Offset: uint32(uintptr(unsafe.Pointer(&packet.addr)) - bind.tx.packets),
+		Length: uint32(unsafe.Sizeof(packet.addr)),
+	}
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+	return winrio.SendEx(bind.rq, dataBuffer, 1, nil, addressBuffer, nil, nil, 0, 0)
+}
+
+func (bind *WinRingBind) Send(buf []byte, endpoint Endpoint) error {
+	nend, ok := endpoint.(*WinRingEndpoint)
+	if !ok {
+		return ErrWrongEndpointType
+	}
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
+	switch nend.family {
+	case windows.AF_INET:
+		if bind.v4.blackhole {
+			return nil
+		}
+		return bind.v4.Send(buf, nend, &bind.isOpen)
+	case windows.AF_INET6:
+		if bind.v6.blackhole {
+			return nil
+		}
+		return bind.v6.Send(buf, nend, &bind.isOpen)
+	}
+	return nil
+}
+
+func (bind *StdNetBind) BindSocketToInterface4(interfaceIndex uint32, blackhole bool) error {
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+	sysconn, err := bind.ipv4.SyscallConn()
+	if err != nil {
+		return err
+	}
+	err2 := sysconn.Control(func(fd uintptr) {
+		err = bindSocketToInterface4(windows.Handle(fd), interfaceIndex)
+	})
+	if err2 != nil {
+		return err2
+	}
+	if err != nil {
+		return err
+	}
+	bind.blackhole4 = blackhole
+	return nil
+}
+
+func (bind *StdNetBind) BindSocketToInterface6(interfaceIndex uint32, blackhole bool) error {
+	bind.mu.Lock()
+	defer bind.mu.Unlock()
+	sysconn, err := bind.ipv6.SyscallConn()
+	if err != nil {
+		return err
+	}
+	err2 := sysconn.Control(func(fd uintptr) {
+		err = bindSocketToInterface6(windows.Handle(fd), interfaceIndex)
+	})
+	if err2 != nil {
+		return err2
+	}
+	if err != nil {
+		return err
+	}
+	bind.blackhole6 = blackhole
+	return nil
+}
+
+func (bind *WinRingBind) BindSocketToInterface4(interfaceIndex uint32, blackhole bool) error {
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
+	if atomic.LoadUint32(&bind.isOpen) != 1 {
+		return net.ErrClosed
+	}
+	err := bindSocketToInterface4(bind.v4.sock, interfaceIndex)
+	if err != nil {
+		return err
+	}
+	bind.v4.blackhole = blackhole
+	return nil
+}
+
+func (bind *WinRingBind) BindSocketToInterface6(interfaceIndex uint32, blackhole bool) error {
+	bind.mu.RLock()
+	defer bind.mu.RUnlock()
+	if atomic.LoadUint32(&bind.isOpen) != 1 {
+		return net.ErrClosed
+	}
+	err := bindSocketToInterface6(bind.v6.sock, interfaceIndex)
+	if err != nil {
+		return err
+	}
+	bind.v6.blackhole = blackhole
+	return nil
+}
+
+func bindSocketToInterface4(handle windows.Handle, interfaceIndex uint32) error {
+	const IP_UNICAST_IF = 31
+	/* MSDN says for IPv4 this needs to be in net byte order, so that it's like an IP address with leading zeros. */
+	var bytes [4]byte
+	binary.BigEndian.PutUint32(bytes[:], interfaceIndex)
+	interfaceIndex = *(*uint32)(unsafe.Pointer(&bytes[0]))
+	err := windows.SetsockoptInt(handle, windows.IPPROTO_IP, IP_UNICAST_IF, int(interfaceIndex))
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func bindSocketToInterface6(handle windows.Handle, interfaceIndex uint32) error {
+	const IPV6_UNICAST_IF = 31
+	return windows.SetsockoptInt(handle, windows.IPPROTO_IPV6, IPV6_UNICAST_IF, int(interfaceIndex))
+}
--- a/conn/bindtest/bindtest.go
+++ b/conn/bindtest/bindtest.go
@@ -0,0 +1,129 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package bindtest
+
+import (
+	"fmt"
+	"math/rand"
+	"net"
+	"net/netip"
+	"os"
+
+	"golang.zx2c4.com/wireguard/conn"
+)
+
+type ChannelBind struct {
+	rx4, tx4         *chan []byte
+	rx6, tx6         *chan []byte
+	closeSignal      chan bool
+	source4, source6 ChannelEndpoint
+	target4, target6 ChannelEndpoint
+}
+
+type ChannelEndpoint uint16
+
+var (
+	_ conn.Bind     = (*ChannelBind)(nil)
+	_ conn.Endpoint = (*ChannelEndpoint)(nil)
+)
+
+func NewChannelBinds() [2]conn.Bind {
+	arx4 := make(chan []byte, 8192)
+	brx4 := make(chan []byte, 8192)
+	arx6 := make(chan []byte, 8192)
+	brx6 := make(chan []byte, 8192)
+	var binds [2]ChannelBind
+	binds[0].rx4 = &arx4
+	binds[0].tx4 = &brx4
+	binds[1].rx4 = &brx4
+	binds[1].tx4 = &arx4
+	binds[0].rx6 = &arx6
+	binds[0].tx6 = &brx6
+	binds[1].rx6 = &brx6
+	binds[1].tx6 = &arx6
+	binds[0].target4 = ChannelEndpoint(1)
+	binds[1].target4 = ChannelEndpoint(2)
+	binds[0].target6 = ChannelEndpoint(3)
+	binds[1].target6 = ChannelEndpoint(4)
+	binds[0].source4 = binds[1].target4
+	binds[0].source6 = binds[1].target6
+	binds[1].source4 = binds[0].target4
+	binds[1].source6 = binds[0].target6
+	return [2]conn.Bind{&binds[0], &binds[1]}
+}
+
+func (c ChannelEndpoint) ClearSrc() {}
+
+func (c ChannelEndpoint) SrcToString() string { return "" }
+
+func (c ChannelEndpoint) DstToString() string { return fmt.Sprintf("127.0.0.1:%d", c) }
+
+func (c ChannelEndpoint) DstToBytes() []byte { return []byte{byte(c)} }
+
+func (c ChannelEndpoint) DstIP() netip.Addr { return netip.AddrFrom4([4]byte{127, 0, 0, 1}) }
+
+func (c ChannelEndpoint) SrcIP() netip.Addr { return netip.Addr{} }
+
+func (c *ChannelBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16, err error) {
+	c.closeSignal = make(chan bool)
+	fns = append(fns, c.makeReceiveFunc(*c.rx4))
+	fns = append(fns, c.makeReceiveFunc(*c.rx6))
+	if rand.Uint32()&1 == 0 {
+		return fns, uint16(c.source4), nil
+	} else {
+		return fns, uint16(c.source6), nil
+	}
+}
+
+func (c *ChannelBind) Close() error {
+	if c.closeSignal != nil {
+		select {
+		case <-c.closeSignal:
+		default:
+			close(c.closeSignal)
+		}
+	}
+	return nil
+}
+
+func (c *ChannelBind) SetMark(mark uint32) error { return nil }
+
+func (c *ChannelBind) makeReceiveFunc(ch chan []byte) conn.ReceiveFunc {
+	return func(b []byte) (n int, ep conn.Endpoint, err error) {
+		select {
+		case <-c.closeSignal:
+			return 0, nil, net.ErrClosed
+		case rx := <-ch:
+			return copy(b, rx), c.target6, nil
+		}
+	}
+}
+
+func (c *ChannelBind) Send(b []byte, ep conn.Endpoint) error {
+	select {
+	case <-c.closeSignal:
+		return net.ErrClosed
+	default:
+		bc := make([]byte, len(b))
+		copy(bc, b)
+		if ep.(ChannelEndpoint) == c.target4 {
+			*c.tx4 <- bc
+		} else if ep.(ChannelEndpoint) == c.target6 {
+			*c.tx6 <- bc
+		} else {
+			return os.ErrInvalid
+		}
+	}
+	return nil
+}
+
+func (c *ChannelBind) ParseEndpoint(s string) (conn.Endpoint, error) {
+	addr, err := netip.ParseAddrPort(s)
+	if err != nil {
+		return nil, err
+	}
+	return ChannelEndpoint(addr.Port()), nil
+}
--- a/conn/boundif_android.go
+++ b/conn/boundif_android.go
@@ -5,7 +5,7 @@

 package conn

-func (bind *nativeBind) PeekLookAtSocketFd4() (fd int, err error) {
+func (bind *StdNetBind) PeekLookAtSocketFd4() (fd int, err error) {
 	sysconn, err := bind.ipv4.SyscallConn()
 	if err != nil {
 		return -1, err
@@ -19,7 +19,7 @@ func (bind *nativeBind) PeekLookAtSocketFd4() (fd int, err error) {
 	return
 }

-func (bind *nativeBind) PeekLookAtSocketFd6() (fd int, err error) {
+func (bind *StdNetBind) PeekLookAtSocketFd6() (fd int, err error) {
 	sysconn, err := bind.ipv6.SyscallConn()
 	if err != nil {
 		return -1, err
--- a/conn/boundif_windows.go
+++ b/conn/boundif_windows.go
@@ -1,59 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package conn
-
-import (
-	"encoding/binary"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-const (
-	sockoptIP_UNICAST_IF   = 31
-	sockoptIPV6_UNICAST_IF = 31
-)
-
-func (bind *nativeBind) BindSocketToInterface4(interfaceIndex uint32, blackhole bool) error {
-	/* MSDN says for IPv4 this needs to be in net byte order, so that it's like an IP address with leading zeros. */
-	bytes := make([]byte, 4)
-	binary.BigEndian.PutUint32(bytes, interfaceIndex)
-	interfaceIndex = *(*uint32)(unsafe.Pointer(&bytes[0]))
-
-	sysconn, err := bind.ipv4.SyscallConn()
-	if err != nil {
-		return err
-	}
-	err2 := sysconn.Control(func(fd uintptr) {
-		err = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IP, sockoptIP_UNICAST_IF, int(interfaceIndex))
-	})
-	if err2 != nil {
-		return err2
-	}
-	if err != nil {
-		return err
-	}
-	bind.blackhole4 = blackhole
-	return nil
-}
-
-func (bind *nativeBind) BindSocketToInterface6(interfaceIndex uint32, blackhole bool) error {
-	sysconn, err := bind.ipv6.SyscallConn()
-	if err != nil {
-		return err
-	}
-	err2 := sysconn.Control(func(fd uintptr) {
-		err = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IPV6, sockoptIPV6_UNICAST_IF, int(interfaceIndex))
-	})
-	if err2 != nil {
-		return err2
-	}
-	if err != nil {
-		return err
-	}
-	bind.blackhole6 = blackhole
-	return nil
-}
--- a/conn/conn.go
+++ b/conn/conn.go
@@ -8,49 +8,41 @@ package conn

 import (
 	"errors"
-	"net"
+	"fmt"
+	"net/netip"
+	"reflect"
+	"runtime"
 	"strings"
 )

+// A ReceiveFunc receives a single inbound packet from the network.
+// It writes the data into b. n is the length of the packet.
+// ep is the remote endpoint.
+type ReceiveFunc func(b []byte) (n int, ep Endpoint, err error)
+
 // A Bind listens on a port for both IPv6 and IPv4 UDP traffic.
 //
 // A Bind interface may also be a PeekLookAtSocketFd or BindSocketToInterface,
 // depending on the platform-specific implementation.
 type Bind interface {
-	// LastMark reports the last mark set for this Bind.
-	LastMark() uint32
+	// Open puts the Bind into a listening state on a given port and reports the actual
+	// port that it bound to. Passing zero results in a random selection.
+	// fns is the set of functions that will be called to receive packets.
+	Open(port uint16) (fns []ReceiveFunc, actualPort uint16, err error)
+
+	// Close closes the Bind listener.
+	// All fns returned by Open must return net.ErrClosed after a call to Close.
+	Close() error

 	// SetMark sets the mark for each packet sent through this Bind.
 	// This mark is passed to the kernel as the socket option SO_MARK.
 	SetMark(mark uint32) error

-	// ReceiveIPv6 reads an IPv6 UDP packet into b.
-	//
-	// It reports the number of bytes read, n,
-	// the packet source address ep,
-	// and any error.
-	ReceiveIPv6(b []byte) (n int, ep Endpoint, err error)
-
-	// ReceiveIPv4 reads an IPv4 UDP packet into b.
-	//
-	// It reports the number of bytes read, n,
-	// the packet source address ep,
-	// and any error.
-	ReceiveIPv4(b []byte) (n int, ep Endpoint, err error)
-
 	// Send writes a packet b to address ep.
 	Send(b []byte, ep Endpoint) error

-	// Close closes the Bind connection.
-	Close() error
-}
-
-// CreateBind creates a Bind bound to a port.
-//
-// The value actualPort reports the actual port number the Bind
-// object gets bound to.
-func CreateBind(port uint16) (b Bind, actualPort uint16, err error) {
-	return createBind(port)
+	// ParseEndpoint creates a new endpoint from a string.
+	ParseEndpoint(s string) (Endpoint, error)
 }

 // BindSocketToInterface is implemented by Bind objects that support being
@@ -69,43 +61,61 @@ type PeekLookAtSocketFd interface {

 // An Endpoint maintains the source/destination caching for a peer.
 //
-//	dst : the remote address of a peer ("endpoint" in uapi terminology)
-//	src : the local address from which datagrams originate going to the peer
+//	dst: the remote address of a peer ("endpoint" in uapi terminology)
+//	src: the local address from which datagrams originate going to the peer
 type Endpoint interface {
 	ClearSrc()           // clears the source address
 	SrcToString() string // returns the local source address (ip:port)
 	DstToString() string // returns the destination address (ip:port)
 	DstToBytes() []byte  // used for mac2 cookie calculations
-	DstIP() net.IP
-	SrcIP() net.IP
+	DstIP() netip.Addr
+	SrcIP() netip.Addr
 }

-func parseEndpoint(s string) (*net.UDPAddr, error) {
-	// ensure that the host is an IP address
+var (
+	ErrBindAlreadyOpen   = errors.New("bind is already open")
+	ErrWrongEndpointType = errors.New("endpoint type does not correspond with bind type")
+)

-	host, _, err := net.SplitHostPort(s)
-	if err != nil {
-		return nil, err
+func (fn ReceiveFunc) PrettyName() string {
+	name := runtime.FuncForPC(reflect.ValueOf(fn).Pointer()).Name()
+	// 0. cheese/taco.beansIPv6.func12.func21218-fm
+	name = strings.TrimSuffix(name, "-fm")
+	// 1. cheese/taco.beansIPv6.func12.func21218
+	if idx := strings.LastIndexByte(name, '/'); idx != -1 {
+		name = name[idx+1:]
+		// 2. taco.beansIPv6.func12.func21218
 	}
-	if i := strings.LastIndexByte(host, '%'); i > 0 && strings.IndexByte(host, ':') >= 0 {
-		// Remove the scope, if any. ResolveUDPAddr below will use it, but here we're just
-		// trying to make sure with a small sanity test that this is a real IP address and
-		// not something that's likely to incur DNS lookups.
-		host = host[:i]
+	for {
+		var idx int
+		for idx = len(name) - 1; idx >= 0; idx-- {
+			if name[idx] < '0' || name[idx] > '9' {
+				break
+			}
+		}
+		if idx == len(name)-1 {
+			break
+		}
+		const dotFunc = ".func"
+		if !strings.HasSuffix(name[:idx+1], dotFunc) {
+			break
+		}
+		name = name[:idx+1-len(dotFunc)]
+		// 3. taco.beansIPv6.func12
+		// 4. taco.beansIPv6
 	}
-	if ip := net.ParseIP(host); ip == nil {
-		return nil, errors.New("Failed to parse IP address: " + host)
+	if idx := strings.LastIndexByte(name, '.'); idx != -1 {
+		name = name[idx+1:]
+		// 5. beansIPv6
 	}
-
-	// parse address and port
-
-	addr, err := net.ResolveUDPAddr("udp", s)
-	if err != nil {
-		return nil, err
+	if name == "" {
+		return fmt.Sprintf("%p", fn)
 	}
-	ip4 := addr.IP.To4()
-	if ip4 != nil {
-		addr.IP = ip4
+	if strings.HasSuffix(name, "IPv4") {
+		return "v4"
 	}
-	return addr, err
+	if strings.HasSuffix(name, "IPv6") {
+		return "v6"
+	}
+	return name
 }
--- a/conn/conn_default.go
+++ b/conn/conn_default.go
@@ -1,171 +0,0 @@
-// +build !linux android
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package conn
-
-import (
-	"errors"
-	"net"
-	"syscall"
-)
-
-/* This code is meant to be a temporary solution
- * on platforms for which the sticky socket / source caching behavior
- * has not yet been implemented.
- *
- * See conn_linux.go for an implementation on the linux platform.
- */
-
-type nativeBind struct {
-	ipv4       *net.UDPConn
-	ipv6       *net.UDPConn
-	blackhole4 bool
-	blackhole6 bool
-}
-
-type NativeEndpoint net.UDPAddr
-
-var _ Bind = (*nativeBind)(nil)
-var _ Endpoint = (*NativeEndpoint)(nil)
-
-func CreateEndpoint(s string) (Endpoint, error) {
-	addr, err := parseEndpoint(s)
-	return (*NativeEndpoint)(addr), err
-}
-
-func (*NativeEndpoint) ClearSrc() {}
-
-func (e *NativeEndpoint) DstIP() net.IP {
-	return (*net.UDPAddr)(e).IP
-}
-
-func (e *NativeEndpoint) SrcIP() net.IP {
-	return nil // not supported
-}
-
-func (e *NativeEndpoint) DstToBytes() []byte {
-	addr := (*net.UDPAddr)(e)
-	out := addr.IP.To4()
-	if out == nil {
-		out = addr.IP
-	}
-	out = append(out, byte(addr.Port&0xff))
-	out = append(out, byte((addr.Port>>8)&0xff))
-	return out
-}
-
-func (e *NativeEndpoint) DstToString() string {
-	return (*net.UDPAddr)(e).String()
-}
-
-func (e *NativeEndpoint) SrcToString() string {
-	return ""
-}
-
-func listenNet(network string, port int) (*net.UDPConn, int, error) {
-	conn, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
-	if err != nil {
-		return nil, 0, err
-	}
-
-	// Retrieve port.
-	laddr := conn.LocalAddr()
-	uaddr, err := net.ResolveUDPAddr(
-		laddr.Network(),
-		laddr.String(),
-	)
-	if err != nil {
-		return nil, 0, err
-	}
-	return conn, uaddr.Port, nil
-}
-
-func createBind(uport uint16) (Bind, uint16, error) {
-	var err error
-	var bind nativeBind
-	var tries int
-
-again:
-	port := int(uport)
-
-	bind.ipv4, port, err = listenNet("udp4", port)
-	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
-		return nil, 0, err
-	}
-
-	bind.ipv6, port, err = listenNet("udp6", port)
-	if uport == 0 && err != nil && errors.Is(err, syscall.EADDRINUSE) && tries < 100 {
-		bind.ipv4.Close()
-		tries++
-		goto again
-	}
-	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
-		bind.ipv4.Close()
-		bind.ipv4 = nil
-		return nil, 0, err
-	}
-
-	return &bind, uint16(port), nil
-}
-
-func (bind *nativeBind) Close() error {
-	var err1, err2 error
-	if bind.ipv4 != nil {
-		err1 = bind.ipv4.Close()
-	}
-	if bind.ipv6 != nil {
-		err2 = bind.ipv6.Close()
-	}
-	if err1 != nil {
-		return err1
-	}
-	return err2
-}
-
-func (bind *nativeBind) LastMark() uint32 { return 0 }
-
-func (bind *nativeBind) ReceiveIPv4(buff []byte) (int, Endpoint, error) {
-	if bind.ipv4 == nil {
-		return 0, nil, syscall.EAFNOSUPPORT
-	}
-	n, endpoint, err := bind.ipv4.ReadFromUDP(buff)
-	if endpoint != nil {
-		endpoint.IP = endpoint.IP.To4()
-	}
-	return n, (*NativeEndpoint)(endpoint), err
-}
-
-func (bind *nativeBind) ReceiveIPv6(buff []byte) (int, Endpoint, error) {
-	if bind.ipv6 == nil {
-		return 0, nil, syscall.EAFNOSUPPORT
-	}
-	n, endpoint, err := bind.ipv6.ReadFromUDP(buff)
-	return n, (*NativeEndpoint)(endpoint), err
-}
-
-func (bind *nativeBind) Send(buff []byte, endpoint Endpoint) error {
-	var err error
-	nend := endpoint.(*NativeEndpoint)
-	if nend.IP.To4() != nil {
-		if bind.ipv4 == nil {
-			return syscall.EAFNOSUPPORT
-		}
-		if bind.blackhole4 {
-			return nil
-		}
-		_, err = bind.ipv4.WriteToUDP(buff, (*net.UDPAddr)(nend))
-	} else {
-		if bind.ipv6 == nil {
-			return syscall.EAFNOSUPPORT
-		}
-		if bind.blackhole6 {
-			return nil
-		}
-		_, err = bind.ipv6.WriteToUDP(buff, (*net.UDPAddr)(nend))
-	}
-	return err
-}
--- a/conn/default.go
+++ b/conn/default.go
@@ -0,0 +1,10 @@
+//go:build !linux && !windows
+
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package conn
+
+func NewDefaultBind() Bind { return NewStdNetBind() }
--- a/conn/mark_default.go
+++ b/conn/mark_default.go
@@ -1,4 +1,4 @@
-// +build !linux,!openbsd,!freebsd
+//go:build !linux && !openbsd && !freebsd

 /* SPDX-License-Identifier: MIT
 *
@@ -7,6 +7,6 @@

 package conn

-func (bind *nativeBind) SetMark(mark uint32) error {
+func (bind *StdNetBind) SetMark(mark uint32) error {
 	return nil
 }
--- a/conn/mark_unix.go
+++ b/conn/mark_unix.go
@@ -1,4 +1,4 @@
-// +build android openbsd freebsd
+//go:build linux || openbsd || freebsd

 /* SPDX-License-Identifier: MIT
 *
@@ -26,7 +26,7 @@ func init() {
 	}
 }

-func (bind *nativeBind) SetMark(mark uint32) error {
+func (bind *StdNetBind) SetMark(mark uint32) error {
 	var operr error
 	if fwmarkIoctl == 0 {
 		return nil
--- a/conn/net_err_closed.go
+++ b/conn/net_err_closed.go
@@ -1,13 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package conn
-
-import _ "unsafe"
-
-//TODO: replace this with net.ErrClosed for Go 1.16
-
-//go:linkname NetErrClosed internal/poll.ErrNetClosing
-var NetErrClosed error
--- a/conn/winrio/rio_windows.go
+++ b/conn/winrio/rio_windows.go
@@ -0,0 +1,254 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package winrio
+
+import (
+	"log"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+const (
+	MsgDontNotify = 1
+	MsgDefer      = 2
+	MsgWaitAll    = 4
+	MsgCommitOnly = 8
+
+	MaxCqSize = 0x8000000
+
+	invalidBufferId = 0xFFFFFFFF
+	invalidCq       = 0
+	invalidRq       = 0
+	corruptCq       = 0xFFFFFFFF
+)
+
+var extensionFunctionTable struct {
+	cbSize                   uint32
+	rioReceive               uintptr
+	rioReceiveEx             uintptr
+	rioSend                  uintptr
+	rioSendEx                uintptr
+	rioCloseCompletionQueue  uintptr
+	rioCreateCompletionQueue uintptr
+	rioCreateRequestQueue    uintptr
+	rioDequeueCompletion     uintptr
+	rioDeregisterBuffer      uintptr
+	rioNotify                uintptr
+	rioRegisterBuffer        uintptr
+	rioResizeCompletionQueue uintptr
+	rioResizeRequestQueue    uintptr
+}
+
+type Cq uintptr
+
+type Rq uintptr
+
+type BufferId uintptr
+
+type Buffer struct {
+	Id     BufferId
+	Offset uint32
+	Length uint32
+}
+
+type Result struct {
+	Status           int32
+	BytesTransferred uint32
+	SocketContext    uint64
+	RequestContext   uint64
+}
+
+type notificationCompletionType uint32
+
+const (
+	eventCompletion notificationCompletionType = 1
+	iocpCompletion  notificationCompletionType = 2
+)
+
+type eventNotificationCompletion struct {
+	completionType notificationCompletionType
+	event          windows.Handle
+	notifyReset    uint32
+}
+
+type iocpNotificationCompletion struct {
+	completionType notificationCompletionType
+	iocp           windows.Handle
+	key            uintptr
+	overlapped     *windows.Overlapped
+}
+
+var (
+	initialized sync.Once
+	available   bool
+)
+
+func Initialize() bool {
+	initialized.Do(func() {
+		var (
+			err    error
+			socket windows.Handle
+			cq     Cq
+		)
+		defer func() {
+			if err == nil {
+				return
+			}
+			if maj, _, _ := windows.RtlGetNtVersionNumbers(); maj <= 7 {
+				return
+			}
+			log.Printf("Registered I/O is unavailable: %v", err)
+		}()
+		socket, err = Socket(windows.AF_INET, windows.SOCK_DGRAM, windows.IPPROTO_UDP)
+		if err != nil {
+			return
+		}
+		defer windows.CloseHandle(socket)
+		WSAID_MULTIPLE_RIO := &windows.GUID{0x8509e081, 0x96dd, 0x4005, [8]byte{0xb1, 0x65, 0x9e, 0x2e, 0xe8, 0xc7, 0x9e, 0x3f}}
+		const SIO_GET_MULTIPLE_EXTENSION_FUNCTION_POINTER = 0xc8000024
+		ob := uint32(0)
+		err = windows.WSAIoctl(socket, SIO_GET_MULTIPLE_EXTENSION_FUNCTION_POINTER,
+			(*byte)(unsafe.Pointer(WSAID_MULTIPLE_RIO)), uint32(unsafe.Sizeof(*WSAID_MULTIPLE_RIO)),
+			(*byte)(unsafe.Pointer(&extensionFunctionTable)), uint32(unsafe.Sizeof(extensionFunctionTable)),
+			&ob, nil, 0)
+		if err != nil {
+			return
+		}
+
+		// While we should be able to stop here, after getting the function pointers, some anti-virus actually causes
+		// failures in RIOCreateRequestQueue, so keep going to be certain this is supported.
+		var iocp windows.Handle
+		iocp, err = windows.CreateIoCompletionPort(windows.InvalidHandle, 0, 0, 0)
+		if err != nil {
+			return
+		}
+		defer windows.CloseHandle(iocp)
+		var overlapped windows.Overlapped
+		cq, err = CreateIOCPCompletionQueue(2, iocp, 0, &overlapped)
+		if err != nil {
+			return
+		}
+		defer CloseCompletionQueue(cq)
+		_, err = CreateRequestQueue(socket, 1, 1, 1, 1, cq, cq, 0)
+		if err != nil {
+			return
+		}
+		available = true
+	})
+	return available
+}
+
+func Socket(af, typ, proto int32) (windows.Handle, error) {
+	return windows.WSASocket(af, typ, proto, nil, 0, windows.WSA_FLAG_REGISTERED_IO)
+}
+
+func CloseCompletionQueue(cq Cq) {
+	_, _, _ = syscall.Syscall(extensionFunctionTable.rioCloseCompletionQueue, 1, uintptr(cq), 0, 0)
+}
+
+func CreateEventCompletionQueue(queueSize uint32, event windows.Handle, notifyReset bool) (Cq, error) {
+	notificationCompletion := &eventNotificationCompletion{
+		completionType: eventCompletion,
+		event:          event,
+	}
+	if notifyReset {
+		notificationCompletion.notifyReset = 1
+	}
+	ret, _, err := syscall.Syscall(extensionFunctionTable.rioCreateCompletionQueue, 2, uintptr(queueSize), uintptr(unsafe.Pointer(notificationCompletion)), 0)
+	if ret == invalidCq {
+		return 0, err
+	}
+	return Cq(ret), nil
+}
+
+func CreateIOCPCompletionQueue(queueSize uint32, iocp windows.Handle, key uintptr, overlapped *windows.Overlapped) (Cq, error) {
+	notificationCompletion := &iocpNotificationCompletion{
+		completionType: iocpCompletion,
+		iocp:           iocp,
+		key:            key,
+		overlapped:     overlapped,
+	}
+	ret, _, err := syscall.Syscall(extensionFunctionTable.rioCreateCompletionQueue, 2, uintptr(queueSize), uintptr(unsafe.Pointer(notificationCompletion)), 0)
+	if ret == invalidCq {
+		return 0, err
+	}
+	return Cq(ret), nil
+}
+
+func CreatePolledCompletionQueue(queueSize uint32) (Cq, error) {
+	ret, _, err := syscall.Syscall(extensionFunctionTable.rioCreateCompletionQueue, 2, uintptr(queueSize), 0, 0)
+	if ret == invalidCq {
+		return 0, err
+	}
+	return Cq(ret), nil
+}
+
+func CreateRequestQueue(socket windows.Handle, maxOutstandingReceive, maxReceiveDataBuffers, maxOutstandingSend, maxSendDataBuffers uint32, receiveCq, sendCq Cq, socketContext uintptr) (Rq, error) {
+	ret, _, err := syscall.Syscall9(extensionFunctionTable.rioCreateRequestQueue, 8, uintptr(socket), uintptr(maxOutstandingReceive), uintptr(maxReceiveDataBuffers), uintptr(maxOutstandingSend), uintptr(maxSendDataBuffers), uintptr(receiveCq), uintptr(sendCq), socketContext, 0)
+	if ret == invalidRq {
+		return 0, err
+	}
+	return Rq(ret), nil
+}
+
+func DequeueCompletion(cq Cq, results []Result) uint32 {
+	var array uintptr
+	if len(results) > 0 {
+		array = uintptr(unsafe.Pointer(&results[0]))
+	}
+	ret, _, _ := syscall.Syscall(extensionFunctionTable.rioDequeueCompletion, 3, uintptr(cq), array, uintptr(len(results)))
+	if ret == corruptCq {
+		panic("cq is corrupt")
+	}
+	return uint32(ret)
+}
+
+func DeregisterBuffer(id BufferId) {
+	_, _, _ = syscall.Syscall(extensionFunctionTable.rioDeregisterBuffer, 1, uintptr(id), 0, 0)
+}
+
+func RegisterBuffer(buffer []byte) (BufferId, error) {
+	var buf unsafe.Pointer
+	if len(buffer) > 0 {
+		buf = unsafe.Pointer(&buffer[0])
+	}
+	return RegisterPointer(buf, uint32(len(buffer)))
+}
+
+func RegisterPointer(ptr unsafe.Pointer, size uint32) (BufferId, error) {
+	ret, _, err := syscall.Syscall(extensionFunctionTable.rioRegisterBuffer, 2, uintptr(ptr), uintptr(size), 0)
+	if ret == invalidBufferId {
+		return 0, err
+	}
+	return BufferId(ret), nil
+}
+
+func SendEx(rq Rq, buf *Buffer, dataBufferCount uint32, localAddress, remoteAddress, controlContext, flags *Buffer, sflags uint32, requestContext uintptr) error {
+	ret, _, err := syscall.Syscall9(extensionFunctionTable.rioSendEx, 9, uintptr(rq), uintptr(unsafe.Pointer(buf)), uintptr(dataBufferCount), uintptr(unsafe.Pointer(localAddress)), uintptr(unsafe.Pointer(remoteAddress)), uintptr(unsafe.Pointer(controlContext)), uintptr(unsafe.Pointer(flags)), uintptr(sflags), requestContext)
+	if ret == 0 {
+		return err
+	}
+	return nil
+}
+
+func ReceiveEx(rq Rq, buf *Buffer, dataBufferCount uint32, localAddress, remoteAddress, controlContext, flags *Buffer, sflags uint32, requestContext uintptr) error {
+	ret, _, err := syscall.Syscall9(extensionFunctionTable.rioReceiveEx, 9, uintptr(rq), uintptr(unsafe.Pointer(buf)), uintptr(dataBufferCount), uintptr(unsafe.Pointer(localAddress)), uintptr(unsafe.Pointer(remoteAddress)), uintptr(unsafe.Pointer(controlContext)), uintptr(unsafe.Pointer(flags)), uintptr(sflags), requestContext)
+	if ret == 0 {
+		return err
+	}
+	return nil
+}
+
+func Notify(cq Cq) error {
+	ret, _, _ := syscall.Syscall(extensionFunctionTable.rioNotify, 1, uintptr(cq), 0, 0)
+	if ret != 0 {
+		return windows.Errno(ret)
+	}
+	return nil
+}
--- a/device/allowedips.go
+++ b/device/allowedips.go
@@ -7,62 +7,49 @@ package device

 import (
 	"container/list"
+	"encoding/binary"
 	"errors"
 	"math/bits"
 	"net"
+	"net/netip"
 	"sync"
 	"unsafe"
 )

+type parentIndirection struct {
+	parentBit     **trieEntry
+	parentBitType uint8
+}
+
 type trieEntry struct {
-	child        [2]*trieEntry
-	peer         *Peer
-	bits         net.IP
-	cidr         uint
-	bit_at_byte  uint
-	bit_at_shift uint
-	perPeerElem  *list.Element
+	peer        *Peer
+	child       [2]*trieEntry
+	parent      parentIndirection
+	cidr        uint8
+	bitAtByte   uint8
+	bitAtShift  uint8
+	bits        []byte
+	perPeerElem *list.Element
 }

-func isLittleEndian() bool {
-	one := uint32(1)
-	return *(*byte)(unsafe.Pointer(&one)) != 0
-}
-
-func swapU32(i uint32) uint32 {
-	if !isLittleEndian() {
-		return i
-	}
-
-	return bits.ReverseBytes32(i)
-}
-
-func swapU64(i uint64) uint64 {
-	if !isLittleEndian() {
-		return i
-	}
-
-	return bits.ReverseBytes64(i)
-}
-
-func commonBits(ip1 net.IP, ip2 net.IP) uint {
+func commonBits(ip1, ip2 []byte) uint8 {
 	size := len(ip1)
 	if size == net.IPv4len {
-		a := (*uint32)(unsafe.Pointer(&ip1[0]))
-		b := (*uint32)(unsafe.Pointer(&ip2[0]))
-		x := *a ^ *b
-		return uint(bits.LeadingZeros32(swapU32(x)))
+		a := binary.BigEndian.Uint32(ip1)
+		b := binary.BigEndian.Uint32(ip2)
+		x := a ^ b
+		return uint8(bits.LeadingZeros32(x))
 	} else if size == net.IPv6len {
-		a := (*uint64)(unsafe.Pointer(&ip1[0]))
-		b := (*uint64)(unsafe.Pointer(&ip2[0]))
-		x := *a ^ *b
+		a := binary.BigEndian.Uint64(ip1)
+		b := binary.BigEndian.Uint64(ip2)
+		x := a ^ b
 		if x != 0 {
-			return uint(bits.LeadingZeros64(swapU64(x)))
+			return uint8(bits.LeadingZeros64(x))
 		}
-		a = (*uint64)(unsafe.Pointer(&ip1[8]))
-		b = (*uint64)(unsafe.Pointer(&ip2[8]))
-		x = *a ^ *b
-		return 64 + uint(bits.LeadingZeros64(swapU64(x)))
+		a = binary.BigEndian.Uint64(ip1[8:])
+		b = binary.BigEndian.Uint64(ip2[8:])
+		x = a ^ b
+		return 64 + uint8(bits.LeadingZeros64(x))
 	} else {
 		panic("Wrong size bit string")
 	}
@@ -79,32 +66,8 @@ func (node *trieEntry) removeFromPeerEntries() {
 	}
 }

-func (node *trieEntry) removeByPeer(p *Peer) *trieEntry {
-	if node == nil {
-		return node
-	}
-
-	// walk recursively
-
-	node.child[0] = node.child[0].removeByPeer(p)
-	node.child[1] = node.child[1].removeByPeer(p)
-
-	if node.peer != p {
-		return node
-	}
-
-	// remove peer & merge
-
-	node.removeFromPeerEntries()
-	node.peer = nil
-	if node.child[0] == nil {
-		return node.child[1]
-	}
-	return node.child[0]
-}
-
-func (node *trieEntry) choose(ip net.IP) byte {
-	return (ip[node.bit_at_byte] >> node.bit_at_shift) & 1
+func (node *trieEntry) choose(ip []byte) byte {
+	return (ip[node.bitAtByte] >> node.bitAtShift) & 1
 }

 func (node *trieEntry) maskSelf() {
@@ -114,86 +77,125 @@ func (node *trieEntry) maskSelf() {
 	}
 }

-func (node *trieEntry) insert(ip net.IP, cidr uint, peer *Peer) *trieEntry {
+func (node *trieEntry) zeroizePointers() {
+	// Make the garbage collector's life slightly easier
+	node.peer = nil
+	node.child[0] = nil
+	node.child[1] = nil
+	node.parent.parentBit = nil
+}

-	// at leaf
+func (node *trieEntry) nodePlacement(ip []byte, cidr uint8) (parent *trieEntry, exact bool) {
+	for node != nil && node.cidr <= cidr && commonBits(node.bits, ip) >= node.cidr {
+		parent = node
+		if parent.cidr == cidr {
+			exact = true
+			return
+		}
+		bit := node.choose(ip)
+		node = node.child[bit]
+	}
+	return
+}

-	if node == nil {
+func (trie parentIndirection) insert(ip []byte, cidr uint8, peer *Peer) {
+	if *trie.parentBit == nil {
 		node := &trieEntry{
-			bits:         ip,
-			peer:         peer,
-			cidr:         cidr,
-			bit_at_byte:  cidr / 8,
-			bit_at_shift: 7 - (cidr % 8),
+			peer:       peer,
+			parent:     trie,
+			bits:       ip,
+			cidr:       cidr,
+			bitAtByte:  cidr / 8,
+			bitAtShift: 7 - (cidr % 8),
 		}
 		node.maskSelf()
 		node.addToPeerEntries()
-		return node
+		*trie.parentBit = node
+		return
 	}
-
-	// traverse deeper
-
-	common := commonBits(node.bits, ip)
-	if node.cidr <= cidr && common >= node.cidr {
-		if node.cidr == cidr {
-			node.removeFromPeerEntries()
-			node.peer = peer
-			node.addToPeerEntries()
-			return node
-		}
-		bit := node.choose(ip)
-		node.child[bit] = node.child[bit].insert(ip, cidr, peer)
-		return node
+	node, exact := (*trie.parentBit).nodePlacement(ip, cidr)
+	if exact {
+		node.removeFromPeerEntries()
+		node.peer = peer
+		node.addToPeerEntries()
+		return
 	}

-	// split node
-
 	newNode := &trieEntry{
-		bits:         ip,
-		peer:         peer,
-		cidr:         cidr,
-		bit_at_byte:  cidr / 8,
-		bit_at_shift: 7 - (cidr % 8),
+		peer:       peer,
+		bits:       ip,
+		cidr:       cidr,
+		bitAtByte:  cidr / 8,
+		bitAtShift: 7 - (cidr % 8),
 	}
 	newNode.maskSelf()
 	newNode.addToPeerEntries()

-	cidr = min(cidr, common)
-
-	// check for shorter prefix
+	var down *trieEntry
+	if node == nil {
+		down = *trie.parentBit
+	} else {
+		bit := node.choose(ip)
+		down = node.child[bit]
+		if down == nil {
+			newNode.parent = parentIndirection{&node.child[bit], bit}
+			node.child[bit] = newNode
+			return
+		}
+	}
+	common := commonBits(down.bits, ip)
+	if common < cidr {
+		cidr = common
+	}
+	parent := node

 	if newNode.cidr == cidr {
-		bit := newNode.choose(node.bits)
-		newNode.child[bit] = node
-		return newNode
+		bit := newNode.choose(down.bits)
+		down.parent = parentIndirection{&newNode.child[bit], bit}
+		newNode.child[bit] = down
+		if parent == nil {
+			newNode.parent = trie
+			*trie.parentBit = newNode
+		} else {
+			bit := parent.choose(newNode.bits)
+			newNode.parent = parentIndirection{&parent.child[bit], bit}
+			parent.child[bit] = newNode
+		}
+		return
 	}

-	// create new parent for node & newNode
-
-	parent := &trieEntry{
-		bits:         append([]byte{}, ip...),
-		peer:         nil,
-		cidr:         cidr,
-		bit_at_byte:  cidr / 8,
-		bit_at_shift: 7 - (cidr % 8),
+	node = &trieEntry{
+		bits:       append([]byte{}, newNode.bits...),
+		cidr:       cidr,
+		bitAtByte:  cidr / 8,
+		bitAtShift: 7 - (cidr % 8),
 	}
-	parent.maskSelf()
+	node.maskSelf()

-	bit := parent.choose(ip)
-	parent.child[bit] = newNode
-	parent.child[bit^1] = node
-
-	return parent
+	bit := node.choose(down.bits)
+	down.parent = parentIndirection{&node.child[bit], bit}
+	node.child[bit] = down
+	bit = node.choose(newNode.bits)
+	newNode.parent = parentIndirection{&node.child[bit], bit}
+	node.child[bit] = newNode
+	if parent == nil {
+		node.parent = trie
+		*trie.parentBit = node
+	} else {
+		bit := parent.choose(node.bits)
+		node.parent = parentIndirection{&parent.child[bit], bit}
+		parent.child[bit] = node
+	}
 }

-func (node *trieEntry) lookup(ip net.IP) *Peer {
+func (node *trieEntry) lookup(ip []byte) *Peer {
 	var found *Peer
-	size := uint(len(ip))
+	size := uint8(len(ip))
 	for node != nil && commonBits(node.bits, ip) >= node.cidr {
 		if node.peer != nil {
 			found = node.peer
 		}
-		if node.bit_at_byte == size {
+		if node.bitAtByte == size {
 			break
 		}
 		bit := node.choose(ip)
@@ -208,13 +210,14 @@ type AllowedIPs struct {
 	mutex sync.RWMutex
 }

-func (table *AllowedIPs) EntriesForPeer(peer *Peer, cb func(ip net.IP, cidr uint) bool) {
+func (table *AllowedIPs) EntriesForPeer(peer *Peer, cb func(prefix netip.Prefix) bool) {
 	table.mutex.RLock()
 	defer table.mutex.RUnlock()

 	for elem := peer.trieEntries.Front(); elem != nil; elem = elem.Next() {
 		node := elem.Value.(*trieEntry)
-		if !cb(node.bits, node.cidr) {
+		a, _ := netip.AddrFromSlice(node.bits)
+		if !cb(netip.PrefixFrom(a, int(node.cidr))) {
 			return
 		}
 	}
@@ -224,32 +227,68 @@ func (table *AllowedIPs) RemoveByPeer(peer *Peer) {
 	table.mutex.Lock()
 	defer table.mutex.Unlock()

-	table.IPv4 = table.IPv4.removeByPeer(peer)
-	table.IPv6 = table.IPv6.removeByPeer(peer)
+	var next *list.Element
+	for elem := peer.trieEntries.Front(); elem != nil; elem = next {
+		next = elem.Next()
+		node := elem.Value.(*trieEntry)
+
+		node.removeFromPeerEntries()
+		node.peer = nil
+		if node.child[0] != nil && node.child[1] != nil {
+			continue
+		}
+		bit := 0
+		if node.child[0] == nil {
+			bit = 1
+		}
+		child := node.child[bit]
+		if child != nil {
+			child.parent = node.parent
+		}
+		*node.parent.parentBit = child
+		if node.child[0] != nil || node.child[1] != nil || node.parent.parentBitType > 1 {
+			node.zeroizePointers()
+			continue
+		}
+		parent := (*trieEntry)(unsafe.Pointer(uintptr(unsafe.Pointer(node.parent.parentBit)) - unsafe.Offsetof(node.child) - unsafe.Sizeof(node.child[0])*uintptr(node.parent.parentBitType)))
+		if parent.peer != nil {
+			node.zeroizePointers()
+			continue
+		}
+		child = parent.child[node.parent.parentBitType^1]
+		if child != nil {
+			child.parent = parent.parent
+		}
+		*parent.parent.parentBit = child
+		node.zeroizePointers()
+		parent.zeroizePointers()
+	}
 }

-func (table *AllowedIPs) Insert(ip net.IP, cidr uint, peer *Peer) {
+func (table *AllowedIPs) Insert(prefix netip.Prefix, peer *Peer) {
 	table.mutex.Lock()
 	defer table.mutex.Unlock()

-	switch len(ip) {
-	case net.IPv6len:
-		table.IPv6 = table.IPv6.insert(ip, cidr, peer)
-	case net.IPv4len:
-		table.IPv4 = table.IPv4.insert(ip, cidr, peer)
-	default:
+	if prefix.Addr().Is6() {
+		ip := prefix.Addr().As16()
+		parentIndirection{&table.IPv6, 2}.insert(ip[:], uint8(prefix.Bits()), peer)
+	} else if prefix.Addr().Is4() {
+		ip := prefix.Addr().As4()
+		parentIndirection{&table.IPv4, 2}.insert(ip[:], uint8(prefix.Bits()), peer)
+	} else {
 		panic(errors.New("inserting unknown address type"))
 	}
 }

-func (table *AllowedIPs) LookupIPv4(address []byte) *Peer {
+func (table *AllowedIPs) Lookup(ip []byte) *Peer {
 	table.mutex.RLock()
 	defer table.mutex.RUnlock()
-	return table.IPv4.lookup(address)
-}
-
-func (table *AllowedIPs) LookupIPv6(address []byte) *Peer {
-	table.mutex.RLock()
-	defer table.mutex.RUnlock()
-	return table.IPv6.lookup(address)
+	switch len(ip) {
+	case net.IPv6len:
+		return table.IPv6.lookup(ip)
+	case net.IPv4len:
+		return table.IPv4.lookup(ip)
+	default:
+		panic(errors.New("looking up unknown address type"))
+	}
 }
--- a/device/allowedips_rand_test.go
+++ b/device/allowedips_rand_test.go
@@ -7,19 +7,22 @@ package device

 import (
 	"math/rand"
+	"net"
+	"net/netip"
 	"sort"
 	"testing"
 )

 const (
-	NumberOfPeers     = 100
-	NumberOfAddresses = 250
-	NumberOfTests     = 10000
+	NumberOfPeers        = 100
+	NumberOfPeerRemovals = 4
+	NumberOfAddresses    = 250
+	NumberOfTests        = 10000
 )

 type SlowNode struct {
 	peer *Peer
-	cidr uint
+	cidr uint8
 	bits []byte
 }

@@ -37,7 +40,7 @@ func (r SlowRouter) Swap(i, j int) {
 	r[i], r[j] = r[j], r[i]
 }

-func (r SlowRouter) Insert(addr []byte, cidr uint, peer *Peer) SlowRouter {
+func (r SlowRouter) Insert(addr []byte, cidr uint8, peer *Peer) SlowRouter {
 	for _, t := range r {
 		if t.cidr == cidr && commonBits(t.bits, addr) >= cidr {
 			t.peer = peer
@@ -64,68 +67,75 @@ func (r SlowRouter) Lookup(addr []byte) *Peer {
 	return nil
 }

-func TestTrieRandomIPv4(t *testing.T) {
-	var trie *trieEntry
-	var slow SlowRouter
+func (r SlowRouter) RemoveByPeer(peer *Peer) SlowRouter {
+	n := 0
+	for _, x := range r {
+		if x.peer != peer {
+			r[n] = x
+			n++
+		}
+	}
+	return r[:n]
+}
+
+func TestTrieRandom(t *testing.T) {
+	var slow4, slow6 SlowRouter
 	var peers []*Peer
+	var allowedIPs AllowedIPs

 	rand.Seed(1)

-	const AddressLength = 4
-
 	for n := 0; n < NumberOfPeers; n++ {
 		peers = append(peers, &Peer{})
 	}

 	for n := 0; n < NumberOfAddresses; n++ {
-		var addr [AddressLength]byte
-		rand.Read(addr[:])
-		cidr := uint(rand.Uint32() % (AddressLength * 8))
-		index := rand.Int() % NumberOfPeers
-		trie = trie.insert(addr[:], cidr, peers[index])
-		slow = slow.Insert(addr[:], cidr, peers[index])
+		var addr4 [4]byte
+		rand.Read(addr4[:])
+		cidr := uint8(rand.Intn(32) + 1)
+		index := rand.Intn(NumberOfPeers)
+		allowedIPs.Insert(netip.PrefixFrom(netip.AddrFrom4(addr4), int(cidr)), peers[index])
+		slow4 = slow4.Insert(addr4[:], cidr, peers[index])
+
+		var addr6 [16]byte
+		rand.Read(addr6[:])
+		cidr = uint8(rand.Intn(128) + 1)
+		index = rand.Intn(NumberOfPeers)
+		allowedIPs.Insert(netip.PrefixFrom(netip.AddrFrom16(addr6), int(cidr)), peers[index])
+		slow6 = slow6.Insert(addr6[:], cidr, peers[index])
 	}

-	for n := 0; n < NumberOfTests; n++ {
-		var addr [AddressLength]byte
-		rand.Read(addr[:])
-		peer1 := slow.Lookup(addr[:])
-		peer2 := trie.lookup(addr[:])
-		if peer1 != peer2 {
-			t.Error("Trie did not match naive implementation, for:", addr)
-		}
-	}
-}
-
-func TestTrieRandomIPv6(t *testing.T) {
-	var trie *trieEntry
-	var slow SlowRouter
-	var peers []*Peer
-
-	rand.Seed(1)
-
-	const AddressLength = 16
-
-	for n := 0; n < NumberOfPeers; n++ {
-		peers = append(peers, &Peer{})
-	}
-
-	for n := 0; n < NumberOfAddresses; n++ {
-		var addr [AddressLength]byte
-		rand.Read(addr[:])
-		cidr := uint(rand.Uint32() % (AddressLength * 8))
-		index := rand.Int() % NumberOfPeers
-		trie = trie.insert(addr[:], cidr, peers[index])
-		slow = slow.Insert(addr[:], cidr, peers[index])
-	}
-
-	for n := 0; n < NumberOfTests; n++ {
-		var addr [AddressLength]byte
-		rand.Read(addr[:])
-		peer1 := slow.Lookup(addr[:])
-		peer2 := trie.lookup(addr[:])
-		if peer1 != peer2 {
-			t.Error("Trie did not match naive implementation, for:", addr)
+	var p int
+	for p = 0; ; p++ {
+		for n := 0; n < NumberOfTests; n++ {
+			var addr4 [4]byte
+			rand.Read(addr4[:])
+			peer1 := slow4.Lookup(addr4[:])
+			peer2 := allowedIPs.Lookup(addr4[:])
+			if peer1 != peer2 {
+				t.Errorf("Trie did not match naive implementation, for %v: want %p, got %p", net.IP(addr4[:]), peer1, peer2)
+			}
+
+			var addr6 [16]byte
+			rand.Read(addr6[:])
+			peer1 = slow6.Lookup(addr6[:])
+			peer2 = allowedIPs.Lookup(addr6[:])
+			if peer1 != peer2 {
+				t.Errorf("Trie did not match naive implementation, for %v: want %p, got %p", net.IP(addr6[:]), peer1, peer2)
+			}
 		}
+		if p >= len(peers) || p >= NumberOfPeerRemovals {
+			break
+		}
+		allowedIPs.RemoveByPeer(peers[p])
+		slow4 = slow4.RemoveByPeer(peers[p])
+		slow6 = slow6.RemoveByPeer(peers[p])
+	}
+	for ; p < len(peers); p++ {
+		allowedIPs.RemoveByPeer(peers[p])
+	}
+
+	if allowedIPs.IPv4 != nil || allowedIPs.IPv6 != nil {
+		t.Error("Failed to remove all nodes from trie by peer")
 	}
 }
--- a/device/allowedips_test.go
+++ b/device/allowedips_test.go
@@ -8,20 +8,17 @@ package device
 import (
 	"math/rand"
 	"net"
+	"net/netip"
 	"testing"
 )

-/* Todo: More comprehensive
- */
-
 type testPairCommonBits struct {
 	s1    []byte
 	s2    []byte
-	match uint
+	match uint8
 }

 func TestCommonBits(t *testing.T) {
-
 	tests := []testPairCommonBits{
 		{s1: []byte{1, 4, 53, 128}, s2: []byte{0, 0, 0, 0}, match: 7},
 		{s1: []byte{0, 4, 53, 128}, s2: []byte{0, 0, 0, 0}, match: 13},
@@ -42,9 +39,10 @@ func TestCommonBits(t *testing.T) {
 	}
 }

-func benchmarkTrie(peerNumber int, addressNumber int, addressLength int, b *testing.B) {
+func benchmarkTrie(peerNumber, addressNumber, addressLength int, b *testing.B) {
 	var trie *trieEntry
 	var peers []*Peer
+	root := parentIndirection{&trie, 2}

 	rand.Seed(1)

@@ -57,9 +55,9 @@ func benchmarkTrie(peerNumber int, addressNumber int, addressLength int, b *test
 	for n := 0; n < addressNumber; n++ {
 		var addr [AddressLength]byte
 		rand.Read(addr[:])
-		cidr := uint(rand.Uint32() % (AddressLength * 8))
+		cidr := uint8(rand.Uint32() % (AddressLength * 8))
 		index := rand.Int() % peerNumber
-		trie = trie.insert(addr[:], cidr, peers[index])
+		root.insert(addr[:], cidr, peers[index])
 	}

 	for n := 0; n < b.N; n++ {
@@ -97,21 +95,21 @@ func TestTrieIPv4(t *testing.T) {
 	g := &Peer{}
 	h := &Peer{}

-	var trie *trieEntry
+	var allowedIPs AllowedIPs

-	insert := func(peer *Peer, a, b, c, d byte, cidr uint) {
-		trie = trie.insert([]byte{a, b, c, d}, cidr, peer)
+	insert := func(peer *Peer, a, b, c, d byte, cidr uint8) {
+		allowedIPs.Insert(netip.PrefixFrom(netip.AddrFrom4([4]byte{a, b, c, d}), int(cidr)), peer)
 	}

 	assertEQ := func(peer *Peer, a, b, c, d byte) {
-		p := trie.lookup([]byte{a, b, c, d})
+		p := allowedIPs.Lookup([]byte{a, b, c, d})
 		if p != peer {
 			t.Error("Assert EQ failed")
 		}
 	}

 	assertNEQ := func(peer *Peer, a, b, c, d byte) {
-		p := trie.lookup([]byte{a, b, c, d})
+		p := allowedIPs.Lookup([]byte{a, b, c, d})
 		if p == peer {
 			t.Error("Assert NEQ failed")
 		}
@@ -153,7 +151,7 @@ func TestTrieIPv4(t *testing.T) {
 	assertEQ(a, 192, 0, 0, 0)
 	assertEQ(a, 255, 0, 0, 0)

-	trie = trie.removeByPeer(a)
+	allowedIPs.RemoveByPeer(a)

 	assertNEQ(a, 1, 0, 0, 0)
 	assertNEQ(a, 64, 0, 0, 0)
@@ -161,12 +159,21 @@ func TestTrieIPv4(t *testing.T) {
 	assertNEQ(a, 192, 0, 0, 0)
 	assertNEQ(a, 255, 0, 0, 0)

-	trie = nil
+	allowedIPs.RemoveByPeer(a)
+	allowedIPs.RemoveByPeer(b)
+	allowedIPs.RemoveByPeer(c)
+	allowedIPs.RemoveByPeer(d)
+	allowedIPs.RemoveByPeer(e)
+	allowedIPs.RemoveByPeer(g)
+	allowedIPs.RemoveByPeer(h)
+	if allowedIPs.IPv4 != nil || allowedIPs.IPv6 != nil {
+		t.Error("Expected removing all the peers to empty trie, but it did not")
+	}

 	insert(a, 192, 168, 0, 0, 16)
 	insert(a, 192, 168, 0, 0, 24)

-	trie = trie.removeByPeer(a)
+	allowedIPs.RemoveByPeer(a)

 	assertNEQ(a, 192, 168, 0, 1)
 }
@@ -184,7 +191,7 @@ func TestTrieIPv6(t *testing.T) {
 	g := &Peer{}
 	h := &Peer{}

-	var trie *trieEntry
+	var allowedIPs AllowedIPs

 	expand := func(a uint32) []byte {
 		var out [4]byte
@@ -195,13 +202,13 @@ func TestTrieIPv6(t *testing.T) {
 		return out[:]
 	}

-	insert := func(peer *Peer, a, b, c, d uint32, cidr uint) {
+	insert := func(peer *Peer, a, b, c, d uint32, cidr uint8) {
 		var addr []byte
 		addr = append(addr, expand(a)...)
 		addr = append(addr, expand(b)...)
 		addr = append(addr, expand(c)...)
 		addr = append(addr, expand(d)...)
-		trie = trie.insert(addr, cidr, peer)
+		allowedIPs.Insert(netip.PrefixFrom(netip.AddrFrom16(*(*[16]byte)(addr)), int(cidr)), peer)
 	}

 	assertEQ := func(peer *Peer, a, b, c, d uint32) {
@@ -210,7 +217,7 @@ func TestTrieIPv6(t *testing.T) {
 		addr = append(addr, expand(b)...)
 		addr = append(addr, expand(c)...)
 		addr = append(addr, expand(d)...)
-		p := trie.lookup(addr)
+		p := allowedIPs.Lookup(addr)
 		if p != peer {
 			t.Error("Assert EQ failed")
 		}
--- a/device/constants.go
+++ b/device/constants.go
@@ -35,7 +35,6 @@ const (
 /* Implementation constants */

 const (
-	UnderLoadQueueSize = QueueHandshakeSize / 8
 	UnderLoadAfterTime = time.Second // how long does the device remain under load after detected
 	MaxPeers           = 1 << 16     // maximum number of configured peers
 )
--- a/device/cookie.go
+++ b/device/cookie.go
@@ -83,7 +83,7 @@ func (st *CookieChecker) CheckMAC1(msg []byte) bool {
 	return hmac.Equal(mac1[:], msg[smac1:smac2])
 }

-func (st *CookieChecker) CheckMAC2(msg []byte, src []byte) bool {
+func (st *CookieChecker) CheckMAC2(msg, src []byte) bool {
 	st.RLock()
 	defer st.RUnlock()

@@ -119,7 +119,6 @@ func (st *CookieChecker) CreateReply(
 	recv uint32,
 	src []byte,
 ) (*MessageCookieReply, error) {
-
 	st.RLock()

 	// refresh cookie secret
@@ -204,7 +203,6 @@ func (st *CookieGenerator) ConsumeReply(msg *MessageCookieReply) bool {

 	xchapoly, _ := chacha20poly1305.NewX(st.mac2.encryptionKey[:])
 	_, err := xchapoly.Open(cookie[:0], msg.Nonce[:], msg.Cookie[:], st.mac2.lastMAC1[:])
-
 	if err != nil {
 		return false
 	}
@@ -215,7 +213,6 @@ func (st *CookieGenerator) ConsumeReply(msg *MessageCookieReply) bool {
 }

 func (st *CookieGenerator) AddMacs(msg []byte) {
-
 	size := len(msg)

 	smac2 := size - blake2s.Size128
--- a/device/cookie_test.go
+++ b/device/cookie_test.go
@@ -10,7 +10,6 @@ import (
 )

 func TestCookieMAC1(t *testing.T) {
-
 	// setup generator / checker

 	var (
@@ -132,12 +131,12 @@ func TestCookieMAC1(t *testing.T) {

 		msg[5] ^= 0x20

-		srcBad1 := []byte{192, 168, 13, 37, 40, 01}
+		srcBad1 := []byte{192, 168, 13, 37, 40, 1}
 		if checker.CheckMAC2(msg, srcBad1) {
 			t.Fatal("MAC2 generation/verification failed")
 		}

-		srcBad2 := []byte{192, 168, 13, 38, 40, 01}
+		srcBad2 := []byte{192, 168, 13, 38, 40, 1}
 		if checker.CheckMAC2(msg, srcBad2) {
 			t.Fatal("MAC2 generation/verification failed")
 		}
--- a/device/device.go
+++ b/device/device.go
@@ -11,9 +11,6 @@ import (
 	"sync/atomic"
 	"time"

-	"golang.org/x/net/ipv4"
-	"golang.org/x/net/ipv6"
-
 	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/ratelimiter"
 	"golang.zx2c4.com/wireguard/rwcancel"
@@ -47,6 +44,7 @@ type Device struct {
 		netlinkCancel *rwcancel.RWCancel
 		port          uint16 // listening port
 		fwmark        uint32 // mark value (0 = disabled)
+		brokenRoaming bool
 	}

 	staticIdentity struct {
@@ -56,20 +54,20 @@ type Device struct {
 	}

 	peers struct {
-		empty        AtomicBool // empty reports whether len(keyMap) == 0
-		sync.RWMutex            // protects keyMap
+		sync.RWMutex // protects keyMap
 		keyMap       map[NoisePublicKey]*Peer
 	}

+	// Keep this 8-byte aligned
+	rate struct {
+		underLoadUntil int64
+		limiter        ratelimiter.Ratelimiter
+	}
+
 	allowedips    AllowedIPs
 	indexTable    IndexTable
 	cookieChecker CookieChecker

-	rate struct {
-		underLoadUntil int64
-		limiter        ratelimiter.Ratelimiter
-	}
-
 	pool struct {
 		messageBuffers   *WaitPool
 		inboundElements  *WaitPool
@@ -135,7 +133,6 @@ func removePeerLocked(device *Device, peer *Peer, key NoisePublicKey) {

 	// remove from peer map
 	delete(device.peers.keyMap, key)
-	device.peers.empty.Set(len(device.peers.keyMap) == 0)
 }

 // changeState attempts to change the device state to match want.
@@ -177,6 +174,11 @@ func (device *Device) upLocked() error {
 		return err
 	}

+	// The IPC set operation waits for peers to be created before calling Start() on them,
+	// so if there's a concurrent IPC set request happening, we should wait for it to complete.
+	device.ipcMutex.Lock()
+	defer device.ipcMutex.Unlock()
+
 	device.peers.RLock()
 	for _, peer := range device.peers.keyMap {
 		peer.Start()
@@ -215,7 +217,7 @@ func (device *Device) Down() error {
 func (device *Device) IsUnderLoad() bool {
 	// check if currently under load
 	now := time.Now()
-	underLoad := len(device.queue.handshake.c) >= UnderLoadQueueSize
+	underLoad := len(device.queue.handshake.c) >= QueueHandshakeSize/8
 	if underLoad {
 		atomic.StoreInt64(&device.rate.underLoadUntil, now.Add(UnderLoadAfterTime).UnixNano())
 		return true
@@ -279,11 +281,12 @@ func (device *Device) SetPrivateKey(sk NoisePrivateKey) error {
 	return nil
 }

-func NewDevice(tunDevice tun.Device, logger *Logger) *Device {
+func NewDevice(tunDevice tun.Device, bind conn.Bind, logger *Logger) *Device {
 	device := new(Device)
 	device.state.state = uint32(deviceStateDown)
 	device.closed = make(chan struct{})
 	device.log = logger
+	device.net.bind = bind
 	device.tun.device = tunDevice
 	mtu, err := device.tun.device.MTU()
 	if err != nil {
@@ -302,20 +305,15 @@ func NewDevice(tunDevice tun.Device, logger *Logger) *Device {
 	device.queue.encryption = newOutboundQueue()
 	device.queue.decryption = newInboundQueue()

-	// prepare net
-
-	device.net.port = 0
-	device.net.bind = nil
-
 	// start workers

 	cpus := runtime.NumCPU()
 	device.state.stopping.Wait()
 	device.queue.encryption.wg.Add(cpus) // One for each RoutineHandshake
 	for i := 0; i < cpus; i++ {
-		go device.RoutineEncryption()
-		go device.RoutineDecryption()
-		go device.RoutineHandshake()
+		go device.RoutineEncryption(i + 1)
+		go device.RoutineDecryption(i + 1)
+		go device.RoutineHandshake(i + 1)
 	}

 	device.state.stopping.Add(1)      // RoutineReadFromTUN
@@ -406,7 +404,9 @@ func (device *Device) SendKeepalivesToPeersWithCurrentKeypair() {
 	device.peers.RUnlock()
 }

-func unsafeCloseBind(device *Device) error {
+// closeBindLocked closes the device's net.bind.
+// The caller must hold the net mutex.
+func closeBindLocked(device *Device) error {
 	var err error
 	netc := &device.net
 	if netc.netlinkCancel != nil {
@@ -414,7 +414,6 @@ func unsafeCloseBind(device *Device) error {
 	}
 	if netc.bind != nil {
 		err = netc.bind.Close()
-		netc.bind = nil
 	}
 	netc.stopping.Wait()
 	return err
@@ -462,7 +461,7 @@ func (device *Device) BindUpdate() error {
 	defer device.net.Unlock()

 	// close existing sockets
-	if err := unsafeCloseBind(device); err != nil {
+	if err := closeBindLocked(device); err != nil {
 		return err
 	}

@@ -473,17 +472,16 @@ func (device *Device) BindUpdate() error {

 	// bind to new port
 	var err error
+	var recvFns []conn.ReceiveFunc
 	netc := &device.net
-	netc.bind, netc.port, err = conn.CreateBind(netc.port)
+	recvFns, netc.port, err = netc.bind.Open(netc.port)
 	if err != nil {
-		netc.bind = nil
 		netc.port = 0
 		return err
 	}
 	netc.netlinkCancel, err = device.startRouteListener(netc.bind)
 	if err != nil {
 		netc.bind.Close()
-		netc.bind = nil
 		netc.port = 0
 		return err
 	}
@@ -508,11 +506,12 @@ func (device *Device) BindUpdate() error {
 	device.peers.RUnlock()

 	// start receiving routines
-	device.net.stopping.Add(2)
-	device.queue.decryption.wg.Add(2) // each RoutineReceiveIncoming goroutine writes to device.queue.decryption
-	device.queue.handshake.wg.Add(2)  // each RoutineReceiveIncoming goroutine writes to device.queue.handshake
-	go device.RoutineReceiveIncoming(ipv4.Version, netc.bind)
-	go device.RoutineReceiveIncoming(ipv6.Version, netc.bind)
+	device.net.stopping.Add(len(recvFns))
+	device.queue.decryption.wg.Add(len(recvFns)) // each RoutineReceiveIncoming goroutine writes to device.queue.decryption
+	device.queue.handshake.wg.Add(len(recvFns))  // each RoutineReceiveIncoming goroutine writes to device.queue.handshake
+	for _, fn := range recvFns {
+		go device.RoutineReceiveIncoming(fn)
+	}

 	device.log.Verbosef("UDP bind has been updated")
 	return nil
@@ -520,7 +519,7 @@ func (device *Device) BindUpdate() error {

 func (device *Device) BindClose() error {
 	device.net.Lock()
-	err := unsafeCloseBind(device)
+	err := closeBindLocked(device)
 	device.net.Unlock()
 	return err
 }
--- a/device/device_test.go
+++ b/device/device_test.go
@@ -8,19 +8,19 @@ package device
 import (
 	"bytes"
 	"encoding/hex"
-	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"math/rand"
-	"net"
+	"net/netip"
 	"runtime"
 	"runtime/pprof"
 	"sync"
 	"sync/atomic"
-	"syscall"
 	"testing"
 	"time"

+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/conn/bindtest"
 	"golang.zx2c4.com/wireguard/tun/tuntest"
 )

@@ -48,7 +48,7 @@ func uapiCfg(cfg ...string) string {

 // genConfigs generates a pair of configs that connect to each other.
 // The configs use distinct, probably-usable ports.
-func genConfigs(tb testing.TB) (cfgs [2]string, endpointCfgs [2]string) {
+func genConfigs(tb testing.TB) (cfgs, endpointCfgs [2]string) {
 	var key1, key2 NoisePrivateKey
 	_, err := rand.Read(key1[:])
 	if err != nil {
@@ -96,7 +96,7 @@ type testPair [2]testPeer
 type testPeer struct {
 	tun *tuntest.ChannelTUN
 	dev *Device
-	ip  net.IP
+	ip  netip.Addr
 }

 type SendDirection bool
@@ -147,18 +147,24 @@ func (pair *testPair) Send(tb testing.TB, ping SendDirection, done chan struct{}
 }

 // genTestPair creates a testPair.
-func genTestPair(tb testing.TB) (pair testPair) {
+func genTestPair(tb testing.TB, realSocket bool) (pair testPair) {
 	cfg, endpointCfg := genConfigs(tb)
+	var binds [2]conn.Bind
+	if realSocket {
+		binds[0], binds[1] = conn.NewDefaultBind(), conn.NewDefaultBind()
+	} else {
+		binds = bindtest.NewChannelBinds()
+	}
 	// Bring up a ChannelTun for each config.
 	for i := range pair {
 		p := &pair[i]
 		p.tun = tuntest.NewChannelTUN()
-		p.ip = net.IPv4(1, 0, 0, byte(i+1))
+		p.ip = netip.AddrFrom4([4]byte{1, 0, 0, byte(i + 1)})
 		level := LogLevelVerbose
 		if _, ok := tb.(*testing.B); ok && !testing.Verbose() {
 			level = LogLevelError
 		}
-		p.dev = NewDevice(p.tun.TUN(), NewLogger(level, fmt.Sprintf("dev%d: ", i)))
+		p.dev = NewDevice(p.tun.TUN(), binds[i], NewLogger(level, fmt.Sprintf("dev%d: ", i)))
 		if err := p.dev.IpcSet(cfg[i]); err != nil {
 			tb.Errorf("failed to configure device %d: %v", i, err)
 			p.dev.Close()
@@ -186,7 +192,7 @@ func genTestPair(tb testing.TB) (pair testPair) {

 func TestTwoDevicePing(t *testing.T) {
 	goroutineLeakCheck(t)
-	pair := genTestPair(t)
+	pair := genTestPair(t, true)
 	t.Run("ping 1.0.0.1", func(t *testing.T) {
 		pair.Send(t, Ping, nil)
 	})
@@ -197,11 +203,11 @@ func TestTwoDevicePing(t *testing.T) {

 func TestUpDown(t *testing.T) {
 	goroutineLeakCheck(t)
-	const itrials = 20
-	const otrials = 1
+	const itrials = 50
+	const otrials = 10

 	for n := 0; n < otrials; n++ {
-		pair := genTestPair(t)
+		pair := genTestPair(t, false)
 		for i := range pair {
 			for k := range pair[i].dev.peers.keyMap {
 				pair[i].dev.IpcSet(fmt.Sprintf("public_key=%s\npersistent_keepalive_interval=1\n", hex.EncodeToString(k[:])))
@@ -213,17 +219,8 @@ func TestUpDown(t *testing.T) {
 			go func(d *Device) {
 				defer wg.Done()
 				for i := 0; i < itrials; i++ {
-					start := time.Now()
-					for {
-						if err := d.Up(); err != nil {
-							if errors.Is(err, syscall.EADDRINUSE) && time.Now().Sub(start) < time.Second*4 {
-								// Some other test process is racing with us, so try again.
-								time.Sleep(time.Millisecond * 10)
-								continue
-							}
-							t.Errorf("failed up bring up device: %v", err)
-						}
-						break
+					if err := d.Up(); err != nil {
+						t.Errorf("failed up bring up device: %v", err)
 					}
 					time.Sleep(time.Duration(rand.Intn(int(time.Nanosecond * (0x10000 - 1)))))
 					if err := d.Down(); err != nil {
@@ -244,7 +241,7 @@ func TestUpDown(t *testing.T) {
 // TestConcurrencySafety does other things concurrently with tunnel use.
 // It is intended to be used with the race detector to catch data races.
 func TestConcurrencySafety(t *testing.T) {
-	pair := genTestPair(t)
+	pair := genTestPair(t, true)
 	done := make(chan struct{})

 	const warmupIters = 10
@@ -313,32 +310,8 @@ func TestConcurrencySafety(t *testing.T) {
 	close(done)
 }

-func assertNil(t *testing.T, err error) {
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-func assertEqual(t *testing.T, a, b []byte) {
-	if !bytes.Equal(a, b) {
-		t.Fatal(a, "!=", b)
-	}
-}
-
-func randDevice(t *testing.T) *Device {
-	sk, err := newPrivateKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-	tun := newDummyTUN("dummy")
-	logger := NewLogger(LogLevelError, "")
-	device := NewDevice(tun, logger)
-	device.SetPrivateKey(sk)
-	return device
-}
-
 func BenchmarkLatency(b *testing.B) {
-	pair := genTestPair(b)
+	pair := genTestPair(b, true)

 	// Establish a connection.
 	pair.Send(b, Ping, nil)
@@ -352,7 +325,7 @@ func BenchmarkLatency(b *testing.B) {
 }

 func BenchmarkThroughput(b *testing.B) {
-	pair := genTestPair(b)
+	pair := genTestPair(b, true)

 	// Establish a connection.
 	pair.Send(b, Ping, nil)
@@ -396,13 +369,13 @@ func BenchmarkThroughput(b *testing.B) {
 }

 func BenchmarkUAPIGet(b *testing.B) {
-	pair := genTestPair(b)
+	pair := genTestPair(b, true)
 	pair.Send(b, Ping, nil)
 	pair.Send(b, Pong, nil)
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		pair[0].dev.IpcGetOperation(ioutil.Discard)
+		pair[0].dev.IpcGetOperation(io.Discard)
 	}
 }

--- a/device/endpoint_test.go
+++ b/device/endpoint_test.go
@@ -7,47 +7,43 @@ package device

 import (
 	"math/rand"
-	"net"
+	"net/netip"
 )

 type DummyEndpoint struct {
-	src [16]byte
-	dst [16]byte
+	src, dst netip.Addr
 }

 func CreateDummyEndpoint() (*DummyEndpoint, error) {
-	var end DummyEndpoint
-	if _, err := rand.Read(end.src[:]); err != nil {
+	var src, dst [16]byte
+	if _, err := rand.Read(src[:]); err != nil {
 		return nil, err
 	}
-	_, err := rand.Read(end.dst[:])
-	return &end, err
+	_, err := rand.Read(dst[:])
+	return &DummyEndpoint{netip.AddrFrom16(src), netip.AddrFrom16(dst)}, err
 }

 func (e *DummyEndpoint) ClearSrc() {}

 func (e *DummyEndpoint) SrcToString() string {
-	var addr net.UDPAddr
-	addr.IP = e.SrcIP()
-	addr.Port = 1000
-	return addr.String()
+	return netip.AddrPortFrom(e.SrcIP(), 1000).String()
 }

 func (e *DummyEndpoint) DstToString() string {
-	var addr net.UDPAddr
-	addr.IP = e.DstIP()
-	addr.Port = 1000
-	return addr.String()
+	return netip.AddrPortFrom(e.DstIP(), 1000).String()
 }

-func (e *DummyEndpoint) SrcToBytes() []byte {
-	return e.src[:]
+func (e *DummyEndpoint) DstToBytes() []byte {
+	out := e.DstIP().AsSlice()
+	out = append(out, byte(1000&0xff))
+	out = append(out, byte((1000>>8)&0xff))
+	return out
 }

-func (e *DummyEndpoint) DstIP() net.IP {
-	return e.dst[:]
+func (e *DummyEndpoint) DstIP() netip.Addr {
+	return e.dst
 }

-func (e *DummyEndpoint) SrcIP() net.IP {
-	return e.src[:]
+func (e *DummyEndpoint) SrcIP() netip.Addr {
+	return e.src
 }
--- a/device/kdf_test.go
+++ b/device/kdf_test.go
@@ -20,7 +20,7 @@ type KDFTest struct {
 	t2    string
 }

-func assertEquals(t *testing.T, a string, b string) {
+func assertEquals(t *testing.T, a, b string) {
 	if a != b {
 		t.Fatal("expected", a, "=", b)
 	}
--- a/device/logger.go
+++ b/device/logger.go
@@ -16,8 +16,8 @@ import (
 // They do not require a trailing newline in the format.
 // If nil, that level of logging will be silent.
 type Logger struct {
-	Verbosef func(format string, args ...interface{})
-	Errorf   func(format string, args ...interface{})
+	Verbosef func(format string, args ...any)
+	Errorf   func(format string, args ...any)
 }

 // Log levels for use with NewLogger.
@@ -28,14 +28,14 @@ const (
 )

 // Function for use in Logger for discarding logged lines.
-func DiscardLogf(format string, args ...interface{}) {}
+func DiscardLogf(format string, args ...any) {}

 // NewLogger constructs a Logger that writes to stdout.
 // It logs at the specified log level and above.
 // It decorates log lines with the log level, date, time, and prepend.
 func NewLogger(level int, prepend string) *Logger {
 	logger := &Logger{DiscardLogf, DiscardLogf}
-	logf := func(prefix string) func(string, ...interface{}) {
+	logf := func(prefix string) func(string, ...any) {
 		return log.New(os.Stdout, prefix+": "+prepend, log.Ldate|log.Ltime).Printf
 	}
 	if level >= LogLevelVerbose {
--- a/device/misc.go
+++ b/device/misc.go
@@ -39,10 +39,3 @@ func (a *AtomicBool) Set(val bool) {
 	}
 	atomic.StoreInt32(&a.int32, flag)
 }
-
-func min(a, b uint) uint {
-	if a > b {
-		return b
-	}
-	return a
-}
--- a/device/mobilequirks.go
+++ b/device/mobilequirks.go
@@ -5,12 +5,15 @@

 package device

+// DisableSomeRoamingForBrokenMobileSemantics should ideally be called before peers are created,
+// though it will try to deal with it, and race maybe, if called after.
 func (device *Device) DisableSomeRoamingForBrokenMobileSemantics() {
+	device.net.brokenRoaming = true
 	device.peers.RLock()
 	for _, peer := range device.peers.keyMap {
 		peer.Lock()
-		defer peer.Unlock()
 		peer.disableRoaming = peer.endpoint != nil
+		peer.Unlock()
 	}
 	device.peers.RUnlock()
 }
--- a/device/noise-protocol.go
+++ b/device/noise-protocol.go
@@ -20,7 +20,6 @@ import (

 type handshakeState int

-// TODO(crawshaw): add commentary describing each state and the transitions
 const (
 	handshakeZeroed = handshakeState(iota)
 	handshakeInitiationCreated
@@ -139,11 +138,11 @@ var (
 	ZeroNonce       [chacha20poly1305.NonceSize]byte
 )

-func mixKey(dst *[blake2s.Size]byte, c *[blake2s.Size]byte, data []byte) {
+func mixKey(dst, c *[blake2s.Size]byte, data []byte) {
 	KDF1(dst, c[:], data)
 }

-func mixHash(dst *[blake2s.Size]byte, h *[blake2s.Size]byte, data []byte) {
+func mixHash(dst, h *[blake2s.Size]byte, data []byte) {
 	hash, _ := blake2s.New256(nil)
 	hash.Write(h[:])
 	hash.Write(data)
@@ -176,7 +175,7 @@ func init() {
 }

 func (device *Device) CreateMessageInitiation(peer *Peer) (*MessageInitiation, error) {
-	var errZeroECDHResult = errors.New("ECDH returned all zeros")
+	errZeroECDHResult := errors.New("ECDH returned all zeros")

 	device.staticIdentity.RLock()
 	defer device.staticIdentity.RUnlock()
@@ -283,7 +282,7 @@ func (device *Device) ConsumeMessageInitiation(msg *MessageInitiation) *Peer {
 	// lookup peer

 	peer := device.LookupPeer(peerPK)
-	if peer == nil {
+	if peer == nil || !peer.isRunning.Get() {
 		return nil
 	}

@@ -437,7 +436,6 @@ func (device *Device) ConsumeMessageResponse(msg *MessageResponse) *Peer {
 	)

 	ok := func() bool {
-
 		// lock handshake state

 		handshake.mutex.RLock()
--- a/device/noise_test.go
+++ b/device/noise_test.go
@@ -9,6 +9,9 @@ import (
 	"bytes"
 	"encoding/binary"
 	"testing"
+
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/tun/tuntest"
 )

 func TestCurveWrappers(t *testing.T) {
@@ -29,6 +32,30 @@ func TestCurveWrappers(t *testing.T) {
 	}
 }

+func randDevice(t *testing.T) *Device {
+	sk, err := newPrivateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	tun := tuntest.NewChannelTUN()
+	logger := NewLogger(LogLevelError, "")
+	device := NewDevice(tun.TUN(), conn.NewDefaultBind(), logger)
+	device.SetPrivateKey(sk)
+	return device
+}
+
+func assertNil(t *testing.T, err error) {
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func assertEqual(t *testing.T, a, b []byte) {
+	if !bytes.Equal(a, b) {
+		t.Fatal(a, "!=", b)
+	}
+}
+
 func TestNoiseHandshake(t *testing.T) {
 	dev1 := randDevice(t)
 	dev2 := randDevice(t)
@@ -44,6 +71,8 @@ func TestNoiseHandshake(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	peer1.Start()
+	peer2.Start()

 	assertEqual(
 		t,
--- a/device/peer.go
+++ b/device/peer.go
@@ -7,9 +7,7 @@ package device

 import (
 	"container/list"
-	"encoding/base64"
 	"errors"
-	"fmt"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -109,15 +107,11 @@ func (device *Device) NewPeer(pk NoisePublicKey) (*Peer, error) {
 	// reset endpoint
 	peer.endpoint = nil

+	// init timers
+	peer.timersInit()
+
 	// add
 	device.peers.keyMap[pk] = peer
-	device.peers.empty.Set(false)
-
-	// start peer
-	peer.timersInit()
-	if peer.device.isUp() {
-		peer.Start()
-	}

 	return peer, nil
 }
@@ -126,13 +120,8 @@ func (peer *Peer) SendBuffer(buffer []byte) error {
 	peer.device.net.RLock()
 	defer peer.device.net.RUnlock()

-	if peer.device.net.bind == nil {
-		// Packets can leak through to SendBuffer while the device is closing.
-		// When that happens, drop them silently to avoid spurious errors.
-		if peer.device.isClosed() {
-			return nil
-		}
-		return errors.New("no bind")
+	if peer.device.isClosed() {
+		return nil
 	}

 	peer.RLock()
@@ -150,12 +139,29 @@ func (peer *Peer) SendBuffer(buffer []byte) error {
 }

 func (peer *Peer) String() string {
-	base64Key := base64.StdEncoding.EncodeToString(peer.handshake.remoteStatic[:])
-	abbreviatedKey := "invalid"
-	if len(base64Key) == 44 {
-		abbreviatedKey = base64Key[0:4] + "…" + base64Key[39:43]
+	// The awful goo that follows is identical to:
+	//
+	//   base64Key := base64.StdEncoding.EncodeToString(peer.handshake.remoteStatic[:])
+	//   abbreviatedKey := base64Key[0:4] + "…" + base64Key[39:43]
+	//   return fmt.Sprintf("peer(%s)", abbreviatedKey)
+	//
+	// except that it is considerably more efficient.
+	src := peer.handshake.remoteStatic
+	b64 := func(input byte) byte {
+		return input + 'A' + byte(((25-int(input))>>8)&6) - byte(((51-int(input))>>8)&75) - byte(((61-int(input))>>8)&15) + byte(((62-int(input))>>8)&3)
 	}
-	return fmt.Sprintf("peer(%s)", abbreviatedKey)
+	b := []byte("peer(____…____)")
+	const first = len("peer(")
+	const second = len("peer(____…")
+	b[first+0] = b64((src[0] >> 2) & 63)
+	b[first+1] = b64(((src[0] << 4) | (src[1] >> 4)) & 63)
+	b[first+2] = b64(((src[1] << 2) | (src[2] >> 6)) & 63)
+	b[first+3] = b64(src[2] & 63)
+	b[second+0] = b64(src[29] & 63)
+	b[second+1] = b64((src[30] >> 2) & 63)
+	b[second+2] = b64(((src[30] << 4) | (src[31] >> 4)) & 63)
+	b[second+3] = b64((src[31] << 2) & 63)
+	return string(b)
 }

 func (peer *Peer) Start() {
@@ -173,7 +179,7 @@ func (peer *Peer) Start() {
 	}

 	device := peer.device
-	device.log.Verbosef("%v - Starting...", peer)
+	device.log.Verbosef("%v - Starting", peer)

 	// reset routine state
 	peer.stopping.Wait()
@@ -249,7 +255,7 @@ func (peer *Peer) Stop() {
 		return
 	}

-	peer.device.log.Verbosef("%v - Stopping...", peer)
+	peer.device.log.Verbosef("%v - Stopping", peer)

 	peer.timersStop()
 	// Signal that RoutineSequentialSender and RoutineSequentialReceiver should exit.
--- a/device/pools.go
+++ b/device/pools.go
@@ -18,13 +18,13 @@ type WaitPool struct {
 	max   uint32
 }

-func NewWaitPool(max uint32, new func() interface{}) *WaitPool {
+func NewWaitPool(max uint32, new func() any) *WaitPool {
 	p := &WaitPool{pool: sync.Pool{New: new}, max: max}
 	p.cond = sync.Cond{L: &p.lock}
 	return p
 }

-func (p *WaitPool) Get() interface{} {
+func (p *WaitPool) Get() any {
 	if p.max != 0 {
 		p.lock.Lock()
 		for atomic.LoadUint32(&p.count) >= p.max {
@@ -36,7 +36,7 @@ func (p *WaitPool) Get() interface{} {
 	return p.pool.Get()
 }

-func (p *WaitPool) Put(x interface{}) {
+func (p *WaitPool) Put(x any) {
 	p.pool.Put(x)
 	if p.max == 0 {
 		return
@@ -46,13 +46,13 @@ func (p *WaitPool) Put(x interface{}) {
 }

 func (device *Device) PopulatePools() {
-	device.pool.messageBuffers = NewWaitPool(PreallocatedBuffersPerPool, func() interface{} {
+	device.pool.messageBuffers = NewWaitPool(PreallocatedBuffersPerPool, func() any {
 		return new([MaxMessageSize]byte)
 	})
-	device.pool.inboundElements = NewWaitPool(PreallocatedBuffersPerPool, func() interface{} {
+	device.pool.inboundElements = NewWaitPool(PreallocatedBuffersPerPool, func() any {
 		return new(QueueInboundElement)
 	})
-	device.pool.outboundElements = NewWaitPool(PreallocatedBuffersPerPool, func() interface{} {
+	device.pool.outboundElements = NewWaitPool(PreallocatedBuffersPerPool, func() any {
 		return new(QueueOutboundElement)
 	})
 }
--- a/device/pools_test.go
+++ b/device/pools_test.go
@@ -15,6 +15,7 @@ import (
 )

 func TestWaitPool(t *testing.T) {
+	t.Skip("Currently disabled")
 	var wg sync.WaitGroup
 	trials := int32(100000)
 	if raceEnabled {
@@ -25,7 +26,7 @@ func TestWaitPool(t *testing.T) {
 	if workers-4 <= 0 {
 		t.Skip("Not enough cores")
 	}
-	p := NewWaitPool(uint32(workers-4), func() interface{} { return make([]byte, 16) })
+	p := NewWaitPool(uint32(workers-4), func() any { return make([]byte, 16) })
 	wg.Add(workers)
 	max := uint32(0)
 	updateMax := func() {
@@ -70,7 +71,7 @@ func BenchmarkWaitPool(b *testing.B) {
 	if workers-4 <= 0 {
 		b.Skip("Not enough cores")
 	}
-	p := NewWaitPool(uint32(workers-4), func() interface{} { return make([]byte, 16) })
+	p := NewWaitPool(uint32(workers-4), func() any { return make([]byte, 16) })
 	wg.Add(workers)
 	b.ResetTimer()
 	for i := 0; i < workers; i++ {
--- a/device/queueconstants_default.go
+++ b/device/queueconstants_default.go
@@ -1,4 +1,4 @@
-// +build !android,!ios
+//go:build !android && !ios && !windows

 /* SPDX-License-Identifier: MIT
 *
--- a/device/queueconstants_ios.go
+++ b/device/queueconstants_ios.go
@@ -1,4 +1,4 @@
-// +build ios
+//go:build ios

 /* SPDX-License-Identifier: MIT
 *
@@ -7,13 +7,15 @@

 package device

-/* Fit within memory limits for iOS's Network Extension API, which has stricter requirements */
-
-const (
-	QueueStagedSize            = 128
-	QueueOutboundSize          = 1024
-	QueueInboundSize           = 1024
-	QueueHandshakeSize         = 1024
-	MaxSegmentSize             = 1700
-	PreallocatedBuffersPerPool = 1024
+// Fit within memory limits for iOS's Network Extension API, which has stricter requirements.
+// These are vars instead of consts, because heavier network extensions might want to reduce
+// them further.
+var (
+	QueueStagedSize                   = 128
+	QueueOutboundSize                 = 1024
+	QueueInboundSize                  = 1024
+	QueueHandshakeSize                = 1024
+	PreallocatedBuffersPerPool uint32 = 1024
 )
+
+const MaxSegmentSize = 1700
--- a/device/queueconstants_windows.go
+++ b/device/queueconstants_windows.go
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package device
+
+const (
+	QueueStagedSize            = 128
+	QueueOutboundSize          = 1024
+	QueueInboundSize           = 1024
+	QueueHandshakeSize         = 1024
+	MaxSegmentSize             = 2048 - 32 // largest possible UDP datagram
+	PreallocatedBuffersPerPool = 0         // Disable and allow for infinite memory growth
+)
--- a/device/race_disabled_test.go
+++ b/device/race_disabled_test.go
@@ -1,4 +1,4 @@
-//+build !race
+//go:build !race

 /* SPDX-License-Identifier: MIT
 *
--- a/device/race_enabled_test.go
+++ b/device/race_enabled_test.go
@@ -1,4 +1,4 @@
-//+build race
+//go:build race

 /* SPDX-License-Identifier: MIT
 *
--- a/device/receive.go
+++ b/device/receive.go
@@ -17,7 +17,6 @@ import (
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/net/ipv4"
 	"golang.org/x/net/ipv6"
-
 	"golang.zx2c4.com/wireguard/conn"
 )

@@ -68,15 +67,16 @@ func (peer *Peer) keepKeyFreshReceiving() {
 * Every time the bind is updated a new routine is started for
 * IPv4 and IPv6 (separately)
 */
-func (device *Device) RoutineReceiveIncoming(IP int, bind conn.Bind) {
+func (device *Device) RoutineReceiveIncoming(recv conn.ReceiveFunc) {
+	recvName := recv.PrettyName()
 	defer func() {
-		device.log.Verbosef("Routine: receive incoming IPv%d - stopped", IP)
+		device.log.Verbosef("Routine: receive incoming %s - stopped", recvName)
 		device.queue.decryption.wg.Done()
 		device.queue.handshake.wg.Done()
 		device.net.stopping.Done()
 	}()

-	device.log.Verbosef("Routine: receive incoming IPv%d - started", IP)
+	device.log.Verbosef("Routine: receive incoming %s - started", recvName)

 	// receive datagrams until conn is closed

@@ -90,24 +90,21 @@ func (device *Device) RoutineReceiveIncoming(IP int, bind conn.Bind) {
 	)

 	for {
-		switch IP {
-		case ipv4.Version:
-			size, endpoint, err = bind.ReceiveIPv4(buffer[:])
-		case ipv6.Version:
-			size, endpoint, err = bind.ReceiveIPv6(buffer[:])
-		default:
-			panic("invalid IP version")
-		}
+		size, endpoint, err = recv(buffer[:])

 		if err != nil {
 			device.PutMessageBuffer(buffer)
-			if errors.Is(err, conn.NetErrClosed) {
+			if errors.Is(err, net.ErrClosed) {
+				return
+			}
+			device.log.Verbosef("Failed to receive %s packet: %v", recvName, err)
+			if neterr, ok := err.(net.Error); ok && !neterr.Temporary() {
 				return
 			}
-			device.log.Errorf("Failed to receive packet: %v", err)
 			if deathSpiral < 10 {
 				deathSpiral++
 				time.Sleep(time.Second / 3)
+				buffer = device.GetMessageBuffer()
 				continue
 			}
 			return
@@ -205,11 +202,11 @@ func (device *Device) RoutineReceiveIncoming(IP int, bind conn.Bind) {
 	}
 }

-func (device *Device) RoutineDecryption() {
+func (device *Device) RoutineDecryption(id int) {
 	var nonce [chacha20poly1305.NonceSize]byte

-	defer device.log.Verbosef("Routine: decryption worker - stopped")
-	device.log.Verbosef("Routine: decryption worker - started")
+	defer device.log.Verbosef("Routine: decryption worker %d - stopped", id)
+	device.log.Verbosef("Routine: decryption worker %d - started", id)

 	for elem := range device.queue.decryption.c {
 		// split message into fields
@@ -236,12 +233,12 @@ func (device *Device) RoutineDecryption() {

 /* Handles incoming packets related to handshake
 */
-func (device *Device) RoutineHandshake() {
+func (device *Device) RoutineHandshake(id int) {
 	defer func() {
-		device.log.Verbosef("Routine: handshake worker - stopped")
+		device.log.Verbosef("Routine: handshake worker %d - stopped", id)
 		device.queue.encryption.wg.Done()
 	}()
-	device.log.Verbosef("Routine: handshake worker - started")
+	device.log.Verbosef("Routine: handshake worker %d - started", id)

 	for elem := range device.queue.handshake.c {

@@ -449,7 +446,7 @@ func (peer *Peer) RoutineSequentialReceiver() {
 			}
 			elem.packet = elem.packet[:length]
 			src := elem.packet[IPv4offsetSrc : IPv4offsetSrc+net.IPv4len]
-			if device.allowedips.LookupIPv4(src) != peer {
+			if device.allowedips.Lookup(src) != peer {
 				device.log.Verbosef("IPv4 packet with disallowed source address from %v", peer)
 				goto skip
 			}
@@ -466,7 +463,7 @@ func (peer *Peer) RoutineSequentialReceiver() {
 			}
 			elem.packet = elem.packet[:length]
 			src := elem.packet[IPv6offsetSrc : IPv6offsetSrc+net.IPv6len]
-			if device.allowedips.LookupIPv6(src) != peer {
+			if device.allowedips.Lookup(src) != peer {
 				device.log.Verbosef("IPv6 packet with disallowed source address from %v", peer)
 				goto skip
 			}
--- a/device/send.go
+++ b/device/send.go
@@ -8,7 +8,9 @@ package device
 import (
 	"bytes"
 	"encoding/binary"
+	"errors"
 	"net"
+	"os"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -224,11 +226,12 @@ func (device *Device) RoutineReadFromTUN() {

 		offset := MessageTransportHeaderSize
 		size, err := device.tun.device.Read(elem.buffer[:], offset)
-
 		if err != nil {
 			if !device.isClosed() {
-				device.log.Errorf("Failed to read packet from TUN device: %v", err)
-				device.Close()
+				if !errors.Is(err, os.ErrClosed) {
+					device.log.Errorf("Failed to read packet from TUN device: %v", err)
+				}
+				go device.Close()
 			}
 			device.PutMessageBuffer(elem.buffer)
 			device.PutOutboundElement(elem)
@@ -250,14 +253,14 @@ func (device *Device) RoutineReadFromTUN() {
 				continue
 			}
 			dst := elem.packet[IPv4offsetDst : IPv4offsetDst+net.IPv4len]
-			peer = device.allowedips.LookupIPv4(dst)
+			peer = device.allowedips.Lookup(dst)

 		case ipv6.Version:
 			if len(elem.packet) < ipv6.HeaderLen {
 				continue
 			}
 			dst := elem.packet[IPv6offsetDst : IPv6offsetDst+net.IPv6len]
-			peer = device.allowedips.LookupIPv6(dst)
+			peer = device.allowedips.Lookup(dst)

 		default:
 			device.log.Verbosef("Received packet with unknown IP version")
@@ -362,12 +365,12 @@ func calculatePaddingSize(packetSize, mtu int) int {
 *
 * Obs. One instance per core
 */
-func (device *Device) RoutineEncryption() {
+func (device *Device) RoutineEncryption(id int) {
 	var paddingZeros [PaddingMultiple]byte
 	var nonce [chacha20poly1305.NonceSize]byte

-	defer device.log.Verbosef("Routine: encryption worker - stopped")
-	device.log.Verbosef("Routine: encryption worker - started")
+	defer device.log.Verbosef("Routine: encryption worker %d - stopped", id)
+	device.log.Verbosef("Routine: encryption worker %d - started", id)

 	for elem := range device.queue.encryption.c {
 		// populate header fields
@@ -421,7 +424,7 @@ func (peer *Peer) RoutineSequentialSender() {
 			// This is an optimization only. It is possible for the peer to be stopped
 			// immediately after this check, in which case, elem will get processed.
 			// The timers and SendBuffer code are resilient to a few stragglers.
-			// TODO(josharian): rework peer shutdown order to ensure
+			// TODO: rework peer shutdown order to ensure
 			// that we never accidentally keep timers alive longer than necessary.
 			device.PutMessageBuffer(elem.buffer)
 			device.PutOutboundElement(elem)
--- a/device/sticky_default.go
+++ b/device/sticky_default.go
@@ -1,4 +1,4 @@
-// +build !linux android
+//go:build !linux

 package device

--- a/device/sticky_linux.go
+++ b/device/sticky_linux.go
@@ -1,5 +1,3 @@
-// +build !android
-
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
@@ -21,11 +19,16 @@ import (
 	"unsafe"

 	"golang.org/x/sys/unix"
+
 	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/rwcancel"
 )

 func (device *Device) startRouteListener(bind conn.Bind) (*rwcancel.RWCancel, error) {
+	if _, ok := bind.(*conn.LinuxSocketBind); !ok {
+		return nil, nil
+	}
+
 	netlinkSock, err := createNetlinkRouteSocket()
 	if err != nil {
 		return nil, err
@@ -109,11 +112,11 @@ func (device *Device) routineRouteListener(bind conn.Bind, netlinkSock int, netl
 									pePtr.peer.Unlock()
 									break
 								}
-								if uint32(pePtr.peer.endpoint.(*conn.NativeEndpoint).Src4().Ifindex) == ifidx {
+								if uint32(pePtr.peer.endpoint.(*conn.LinuxSocketEndpoint).Src4().Ifindex) == ifidx {
 									pePtr.peer.Unlock()
 									break
 								}
-								pePtr.peer.endpoint.(*conn.NativeEndpoint).ClearSrc()
+								pePtr.peer.endpoint.(*conn.LinuxSocketEndpoint).ClearSrc()
 								pePtr.peer.Unlock()
 							}
 							attr = attr[attrhdr.Len:]
@@ -133,7 +136,7 @@ func (device *Device) routineRouteListener(bind conn.Bind, netlinkSock int, netl
 							peer.RUnlock()
 							continue
 						}
-						nativeEP, _ := peer.endpoint.(*conn.NativeEndpoint)
+						nativeEP, _ := peer.endpoint.(*conn.LinuxSocketEndpoint)
 						if nativeEP == nil {
 							peer.RUnlock()
 							continue
@@ -176,7 +179,7 @@ func (device *Device) routineRouteListener(bind conn.Bind, netlinkSock int, netl
 								Len:  8,
 								Type: unix.RTA_MARK,
 							},
-							uint32(bind.LastMark()),
+							device.net.fwmark,
 						}
 						nlmsg.hdr.Len = uint32(unsafe.Sizeof(nlmsg))
 						reqPeerLock.Lock()
--- a/device/timers.go
+++ b/device/timers.go
@@ -8,12 +8,15 @@
 package device

 import (
-	"math/rand"
 	"sync"
 	"sync/atomic"
 	"time"
+	_ "unsafe"
 )

+//go:linkname fastrandn runtime.fastrandn
+func fastrandn(n uint32) uint32
+
 // A Timer manages time-based aspects of the WireGuard protocol.
 // Timer roughly copies the interface of the Linux kernel's struct timer_list.
 type Timer struct {
@@ -71,7 +74,7 @@ func (timer *Timer) IsPending() bool {
 }

 func (peer *Peer) timersActive() bool {
-	return peer.isRunning.Get() && peer.device != nil && peer.device.isUp() && !peer.device.peers.empty.Get()
+	return peer.isRunning.Get() && peer.device != nil && peer.device.isUp()
 }

 func expiredRetransmitHandshake(peer *Peer) {
@@ -127,7 +130,6 @@ func expiredNewHandshake(peer *Peer) {
 	}
 	peer.Unlock()
 	peer.SendHandshakeInitiation(false)
-
 }

 func expiredZeroKeyMaterial(peer *Peer) {
@@ -144,7 +146,7 @@ func expiredPersistentKeepalive(peer *Peer) {
 /* Should be called after an authenticated data packet is sent. */
 func (peer *Peer) timersDataSent() {
 	if peer.timersActive() && !peer.timers.newHandshake.IsPending() {
-		peer.timers.newHandshake.Mod(KeepaliveTimeout + RekeyTimeout + time.Millisecond*time.Duration(rand.Int31n(RekeyTimeoutJitterMaxMs)))
+		peer.timers.newHandshake.Mod(KeepaliveTimeout + RekeyTimeout + time.Millisecond*time.Duration(fastrandn(RekeyTimeoutJitterMaxMs)))
 	}
 }

@@ -176,7 +178,7 @@ func (peer *Peer) timersAnyAuthenticatedPacketReceived() {
 /* Should be called after a handshake initiation message is sent. */
 func (peer *Peer) timersHandshakeInitiated() {
 	if peer.timersActive() {
-		peer.timers.retransmitHandshake.Mod(RekeyTimeout + time.Millisecond*time.Duration(rand.Int31n(RekeyTimeoutJitterMaxMs)))
+		peer.timers.retransmitHandshake.Mod(RekeyTimeout + time.Millisecond*time.Duration(fastrandn(RekeyTimeoutJitterMaxMs)))
 	}
 }

--- a/device/tun_test.go
+++ b/device/tun_test.go
@@ -1,56 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package device
-
-import (
-	"errors"
-	"os"
-
-	"golang.zx2c4.com/wireguard/tun"
-)
-
-// newDummyTUN creates a dummy TUN device with the specified name.
-func newDummyTUN(name string) tun.Device {
-	return &dummyTUN{
-		name:    name,
-		packets: make(chan []byte, 100),
-		events:  make(chan tun.Event, 10),
-	}
-}
-
-// A dummyTUN is a tun.Device which is used in unit tests.
-type dummyTUN struct {
-	name    string
-	mtu     int
-	packets chan []byte
-	events  chan tun.Event
-}
-
-func (d *dummyTUN) Events() chan tun.Event { return d.events }
-func (*dummyTUN) File() *os.File           { return nil }
-func (*dummyTUN) Flush() error             { return nil }
-func (d *dummyTUN) MTU() (int, error)      { return d.mtu, nil }
-func (d *dummyTUN) Name() (string, error)  { return d.name, nil }
-
-func (d *dummyTUN) Close() error {
-	close(d.events)
-	close(d.packets)
-	return nil
-}
-
-func (d *dummyTUN) Read(b []byte, offset int) (int, error) {
-	buf, ok := <-d.packets
-	if !ok {
-		return 0, errors.New("device closed")
-	}
-	copy(b[offset:], buf)
-	return len(buf), nil
-}
-
-func (d *dummyTUN) Write(b []byte, offset int) (int, error) {
-	d.packets <- b[offset:]
-	return len(b), nil
-}
--- a/device/uapi.go
+++ b/device/uapi.go
@@ -12,13 +12,13 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"

-	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/ipc"
 )

@@ -39,12 +39,12 @@ func (s IPCError) ErrorCode() int64 {
 	return s.code
 }

-func ipcErrorf(code int64, msg string, args ...interface{}) *IPCError {
+func ipcErrorf(code int64, msg string, args ...any) *IPCError {
 	return &IPCError{code: code, err: fmt.Errorf(msg, args...)}
 }

 var byteBufferPool = &sync.Pool{
-	New: func() interface{} { return new(bytes.Buffer) },
+	New: func() any { return new(bytes.Buffer) },
 }

 // IpcGetOperation implements the WireGuard configuration protocol "get" operation.
@@ -56,7 +56,7 @@ func (device *Device) IpcGetOperation(w io.Writer) error {
 	buf := byteBufferPool.Get().(*bytes.Buffer)
 	buf.Reset()
 	defer byteBufferPool.Put(buf)
-	sendf := func(format string, args ...interface{}) {
+	sendf := func(format string, args ...any) {
 		fmt.Fprintf(buf, format, args...)
 		buf.WriteByte('\n')
 	}
@@ -73,7 +73,6 @@ func (device *Device) IpcGetOperation(w io.Writer) error {
 	}

 	func() {
-
 		// lock required resources

 		device.net.RLock()
@@ -99,33 +98,35 @@ func (device *Device) IpcGetOperation(w io.Writer) error {
 			sendf("fwmark=%d", device.net.fwmark)
 		}

-		// serialize each peer state
-
 		for _, peer := range device.peers.keyMap {
-			peer.RLock()
-			defer peer.RUnlock()
+			// Serialize peer state.
+			// Do the work in an anonymous function so that we can use defer.
+			func() {
+				peer.RLock()
+				defer peer.RUnlock()

-			keyf("public_key", (*[32]byte)(&peer.handshake.remoteStatic))
-			keyf("preshared_key", (*[32]byte)(&peer.handshake.presharedKey))
-			sendf("protocol_version=1")
-			if peer.endpoint != nil {
-				sendf("endpoint=%s", peer.endpoint.DstToString())
-			}
+				keyf("public_key", (*[32]byte)(&peer.handshake.remoteStatic))
+				keyf("preshared_key", (*[32]byte)(&peer.handshake.presharedKey))
+				sendf("protocol_version=1")
+				if peer.endpoint != nil {
+					sendf("endpoint=%s", peer.endpoint.DstToString())
+				}

-			nano := atomic.LoadInt64(&peer.stats.lastHandshakeNano)
-			secs := nano / time.Second.Nanoseconds()
-			nano %= time.Second.Nanoseconds()
+				nano := atomic.LoadInt64(&peer.stats.lastHandshakeNano)
+				secs := nano / time.Second.Nanoseconds()
+				nano %= time.Second.Nanoseconds()

-			sendf("last_handshake_time_sec=%d", secs)
-			sendf("last_handshake_time_nsec=%d", nano)
-			sendf("tx_bytes=%d", atomic.LoadUint64(&peer.stats.txBytes))
-			sendf("rx_bytes=%d", atomic.LoadUint64(&peer.stats.rxBytes))
-			sendf("persistent_keepalive_interval=%d", atomic.LoadUint32(&peer.persistentKeepaliveInterval))
+				sendf("last_handshake_time_sec=%d", secs)
+				sendf("last_handshake_time_nsec=%d", nano)
+				sendf("tx_bytes=%d", atomic.LoadUint64(&peer.stats.txBytes))
+				sendf("rx_bytes=%d", atomic.LoadUint64(&peer.stats.rxBytes))
+				sendf("persistent_keepalive_interval=%d", atomic.LoadUint32(&peer.persistentKeepaliveInterval))

-			device.allowedips.EntriesForPeer(peer, func(ip net.IP, cidr uint) bool {
-				sendf("allowed_ip=%s/%d", ip.String(), cidr)
-				return true
-			})
+				device.allowedips.EntriesForPeer(peer, func(prefix netip.Prefix) bool {
+					sendf("allowed_ip=%s", prefix.String())
+					return true
+				})
+			}()
 		}
 	}()

@@ -157,14 +158,13 @@ func (device *Device) IpcSetOperation(r io.Reader) (err error) {
 		line := scanner.Text()
 		if line == "" {
 			// Blank line means terminate operation.
+			peer.handlePostConfig()
 			return nil
 		}
-		parts := strings.Split(line, "=")
-		if len(parts) != 2 {
-			return ipcErrorf(ipc.IpcErrorProtocol, "failed to parse line %q, found %d =-separated parts, want 2", line, len(parts))
+		key, value, ok := strings.Cut(line, "=")
+		if !ok {
+			return ipcErrorf(ipc.IpcErrorProtocol, "failed to parse line %q", line)
 		}
-		key := parts[0]
-		value := parts[1]

 		if key == "public_key" {
 			if deviceConfig {
@@ -255,10 +255,21 @@ type ipcSetPeer struct {
 	*Peer        // Peer is the current peer being operated on
 	dummy   bool // dummy reports whether this peer is a temporary, placeholder peer
 	created bool // new reports whether this is a newly created peer
+	pkaOn   bool // pkaOn reports whether the peer had the persistent keepalive turn on
 }

 func (peer *ipcSetPeer) handlePostConfig() {
-	if peer.Peer != nil && !peer.dummy && peer.Peer.device.isUp() {
+	if peer.Peer == nil || peer.dummy {
+		return
+	}
+	if peer.created {
+		peer.disableRoaming = peer.device.net.brokenRoaming && peer.endpoint != nil
+	}
+	if peer.device.isUp() {
+		peer.Start()
+		if peer.pkaOn {
+			peer.SendKeepalive()
+		}
 		peer.SendStagedPackets()
 	}
 }
@@ -331,7 +342,7 @@ func (device *Device) handlePeerLine(peer *ipcSetPeer, key, value string) error

 	case "endpoint":
 		device.log.Verbosef("%v - UAPI: Updating endpoint", peer.Peer)
-		endpoint, err := conn.CreateEndpoint(value)
+		endpoint, err := device.net.bind.ParseEndpoint(value)
 		if err != nil {
 			return ipcErrorf(ipc.IpcErrorInvalid, "failed to set endpoint %v: %w", value, err)
 		}
@@ -350,14 +361,7 @@ func (device *Device) handlePeerLine(peer *ipcSetPeer, key, value string) error
 		old := atomic.SwapUint32(&peer.persistentKeepaliveInterval, uint32(secs))

 		// Send immediate keepalive if we're turning it on and before it wasn't on.
-		if old == 0 && secs != 0 {
-			if err != nil {
-				return ipcErrorf(ipc.IpcErrorIO, "failed to get tun device status: %w", err)
-			}
-			if device.isUp() && !peer.dummy {
-				peer.SendKeepalive()
-			}
-		}
+		peer.pkaOn = old == 0 && secs != 0

 	case "replace_allowed_ips":
 		device.log.Verbosef("%v - UAPI: Removing all allowedips", peer.Peer)
@@ -371,16 +375,14 @@ func (device *Device) handlePeerLine(peer *ipcSetPeer, key, value string) error

 	case "allowed_ip":
 		device.log.Verbosef("%v - UAPI: Adding allowedip", peer.Peer)
-
-		_, network, err := net.ParseCIDR(value)
+		prefix, err := netip.ParsePrefix(value)
 		if err != nil {
 			return ipcErrorf(ipc.IpcErrorInvalid, "failed to set allowed ip: %w", err)
 		}
 		if peer.dummy {
 			return nil
 		}
-		ones, _ := network.Mask.Size()
-		device.allowedips.Insert(network.IP, uint(ones), peer.Peer)
+		device.allowedips.Insert(prefix, peer.Peer)

 	case "protocol_version":
 		if value != "1" {
--- a/format_test.go
+++ b/format_test.go
@@ -0,0 +1,51 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2021 WireGuard LLC. All Rights Reserved.
+ */
+package main
+
+import (
+	"bytes"
+	"go/format"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sync"
+	"testing"
+)
+
+func TestFormatting(t *testing.T) {
+	var wg sync.WaitGroup
+	filepath.WalkDir(".", func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			t.Errorf("unable to walk %s: %v", path, err)
+			return nil
+		}
+		if d.IsDir() || filepath.Ext(path) != ".go" {
+			return nil
+		}
+		wg.Add(1)
+		go func(path string) {
+			defer wg.Done()
+			src, err := os.ReadFile(path)
+			if err != nil {
+				t.Errorf("unable to read %s: %v", path, err)
+				return
+			}
+			if runtime.GOOS == "windows" {
+				src = bytes.ReplaceAll(src, []byte{'\r', '\n'}, []byte{'\n'})
+			}
+			formatted, err := format.Source(src)
+			if err != nil {
+				t.Errorf("unable to format %s: %v", path, err)
+				return
+			}
+			if !bytes.Equal(src, formatted) {
+				t.Errorf("unformatted code: %s", path)
+			}
+		}(path)
+		return nil
+	})
+	wg.Wait()
+}
--- a/go.mod
+++ b/go.mod
@@ -1,9 +1,10 @@
 module golang.zx2c4.com/wireguard

-go 1.15
+go 1.18

 require (
-	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
-	golang.org/x/net v0.0.0-20201224014010-6772e930b67b
-	golang.org/x/sys v0.0.0-20210105210732-16f7687f5001
+	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
+	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
+	golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86
+	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224
 )
--- a/go.sum
+++ b/go.sum
@@ -1,17 +1,8 @@
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad h1:DN0cp81fZ3njFcrLCytUHRSUkqBjfTo4Tx9RJTWs0EY=
-golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b h1:iFwSg7t5GZmB/Q5TjiEAsdoLDrdJRC1RiF2WhuV29Qw=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210105210732-16f7687f5001 h1:/dSxr6gT0FNI1MO5WLJo8mTmItROeOKTkDn+7OwWBos=
-golang.org/x/sys v0.0.0-20210105210732-16f7687f5001/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e h1:FDhOuMEY4JVRztM/gsbk+IKUQ8kj74bxZrgw87eMMVc=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86 h1:A9i04dxx7Cribqbs8jf3FQLogkL/CV2YN7hj9KWJCkc=
+golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
+golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
--- a/ipc/namedpipe/file.go
+++ b/ipc/namedpipe/file.go
@@ -1,62 +1,31 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Copyright 2015 Microsoft
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
 // +build windows

-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2005 Microsoft
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-package winpipe
+package namedpipe

 import (
-	"errors"
 	"io"
+	"os"
 	"runtime"
 	"sync"
 	"sync/atomic"
 	"time"
+	"unsafe"

 	"golang.org/x/sys/windows"
 )

-//sys cancelIoEx(file windows.Handle, o *windows.Overlapped) (err error) = CancelIoEx
-//sys createIoCompletionPort(file windows.Handle, port windows.Handle, key uintptr, threadCount uint32) (newport windows.Handle, err error) = CreateIoCompletionPort
-//sys getQueuedCompletionStatus(port windows.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) = GetQueuedCompletionStatus
-//sys setFileCompletionNotificationModes(h windows.Handle, flags uint8) (err error) = SetFileCompletionNotificationModes
-//sys wsaGetOverlappedResult(h windows.Handle, o *windows.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) = ws2_32.WSAGetOverlappedResult
-
-type atomicBool int32
-
-func (b *atomicBool) isSet() bool { return atomic.LoadInt32((*int32)(b)) != 0 }
-func (b *atomicBool) setFalse()   { atomic.StoreInt32((*int32)(b), 0) }
-func (b *atomicBool) setTrue()    { atomic.StoreInt32((*int32)(b), 1) }
-func (b *atomicBool) swap(new bool) bool {
-	var newInt int32
-	if new {
-		newInt = 1
-	}
-	return atomic.SwapInt32((*int32)(b), newInt) == 1
-}
-
-const (
-	cFILE_SKIP_COMPLETION_PORT_ON_SUCCESS = 1
-	cFILE_SKIP_SET_EVENT_ON_HANDLE        = 2
-)
-
-var (
-	ErrFileClosed = errors.New("file has already been closed")
-	ErrTimeout    = &timeoutError{}
-)
-
-type timeoutError struct{}
-
-func (e *timeoutError) Error() string   { return "i/o timeout" }
-func (e *timeoutError) Timeout() bool   { return true }
-func (e *timeoutError) Temporary() bool { return true }
-
 type timeoutChan chan struct{}

-var ioInitOnce sync.Once
-var ioCompletionPort windows.Handle
+var (
+	ioInitOnce       sync.Once
+	ioCompletionPort windows.Handle
+)

 // ioResult contains the result of an asynchronous IO operation
 type ioResult struct {
@@ -71,7 +40,7 @@ type ioOperation struct {
 }

 func initIo() {
-	h, err := createIoCompletionPort(windows.InvalidHandle, 0, 0, 0xffffffff)
+	h, err := windows.CreateIoCompletionPort(windows.InvalidHandle, 0, 0, 0)
 	if err != nil {
 		panic(err)
 	}
@@ -79,13 +48,13 @@ func initIo() {
 	go ioCompletionProcessor(h)
 }

-// win32File implements Reader, Writer, and Closer on a Win32 handle without blocking in a syscall.
+// file implements Reader, Writer, and Closer on a Win32 handle without blocking in a syscall.
 // It takes ownership of this handle and will close it if it is garbage collected.
-type win32File struct {
+type file struct {
 	handle        windows.Handle
 	wg            sync.WaitGroup
 	wgLock        sync.RWMutex
-	closing       atomicBool
+	closing       uint32 // used as atomic boolean
 	socket        bool
 	readDeadline  deadlineHandler
 	writeDeadline deadlineHandler
@@ -96,18 +65,18 @@ type deadlineHandler struct {
 	channel     timeoutChan
 	channelLock sync.RWMutex
 	timer       *time.Timer
-	timedout    atomicBool
+	timedout    uint32 // used as atomic boolean
 }

-// makeWin32File makes a new win32File from an existing file handle
-func makeWin32File(h windows.Handle) (*win32File, error) {
-	f := &win32File{handle: h}
+// makeFile makes a new file from an existing file handle
+func makeFile(h windows.Handle) (*file, error) {
+	f := &file{handle: h}
 	ioInitOnce.Do(initIo)
-	_, err := createIoCompletionPort(h, ioCompletionPort, 0, 0xffffffff)
+	_, err := windows.CreateIoCompletionPort(h, ioCompletionPort, 0, 0)
 	if err != nil {
 		return nil, err
 	}
-	err = setFileCompletionNotificationModes(h, cFILE_SKIP_COMPLETION_PORT_ON_SUCCESS|cFILE_SKIP_SET_EVENT_ON_HANDLE)
+	err = windows.SetFileCompletionNotificationModes(h, windows.FILE_SKIP_COMPLETION_PORT_ON_SUCCESS|windows.FILE_SKIP_SET_EVENT_ON_HANDLE)
 	if err != nil {
 		return nil, err
 	}
@@ -116,18 +85,14 @@ func makeWin32File(h windows.Handle) (*win32File, error) {
 	return f, nil
 }

-func MakeOpenFile(h windows.Handle) (io.ReadWriteCloser, error) {
-	return makeWin32File(h)
-}
-
 // closeHandle closes the resources associated with a Win32 handle
-func (f *win32File) closeHandle() {
+func (f *file) closeHandle() {
 	f.wgLock.Lock()
 	// Atomically set that we are closing, releasing the resources only once.
-	if !f.closing.swap(true) {
+	if atomic.SwapUint32(&f.closing, 1) == 0 {
 		f.wgLock.Unlock()
 		// cancel all IO and wait for it to complete
-		cancelIoEx(f.handle, nil)
+		windows.CancelIoEx(f.handle, nil)
 		f.wg.Wait()
 		// at this point, no new IO can start
 		windows.Close(f.handle)
@@ -137,19 +102,19 @@ func (f *win32File) closeHandle() {
 	}
 }

-// Close closes a win32File.
-func (f *win32File) Close() error {
+// Close closes a file.
+func (f *file) Close() error {
 	f.closeHandle()
 	return nil
 }

 // prepareIo prepares for a new IO operation.
 // The caller must call f.wg.Done() when the IO is finished, prior to Close() returning.
-func (f *win32File) prepareIo() (*ioOperation, error) {
+func (f *file) prepareIo() (*ioOperation, error) {
 	f.wgLock.RLock()
-	if f.closing.isSet() {
+	if atomic.LoadUint32(&f.closing) == 1 {
 		f.wgLock.RUnlock()
-		return nil, ErrFileClosed
+		return nil, os.ErrClosed
 	}
 	f.wg.Add(1)
 	f.wgLock.RUnlock()
@@ -164,7 +129,7 @@ func ioCompletionProcessor(h windows.Handle) {
 		var bytes uint32
 		var key uintptr
 		var op *ioOperation
-		err := getQueuedCompletionStatus(h, &bytes, &key, &op, windows.INFINITE)
+		err := windows.GetQueuedCompletionStatus(h, &bytes, &key, (**windows.Overlapped)(unsafe.Pointer(&op)), windows.INFINITE)
 		if op == nil {
 			panic(err)
 		}
@@ -174,13 +139,13 @@ func ioCompletionProcessor(h windows.Handle) {

 // asyncIo processes the return value from ReadFile or WriteFile, blocking until
 // the operation has actually completed.
-func (f *win32File) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, err error) (int, error) {
+func (f *file) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, err error) (int, error) {
 	if err != windows.ERROR_IO_PENDING {
 		return int(bytes), err
 	}

-	if f.closing.isSet() {
-		cancelIoEx(f.handle, &c.o)
+	if atomic.LoadUint32(&f.closing) == 1 {
+		windows.CancelIoEx(f.handle, &c.o)
 	}

 	var timeout timeoutChan
@@ -195,20 +160,20 @@ func (f *win32File) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, er
 	case r = <-c.ch:
 		err = r.err
 		if err == windows.ERROR_OPERATION_ABORTED {
-			if f.closing.isSet() {
-				err = ErrFileClosed
+			if atomic.LoadUint32(&f.closing) == 1 {
+				err = os.ErrClosed
 			}
 		} else if err != nil && f.socket {
 			// err is from Win32. Query the overlapped structure to get the winsock error.
 			var bytes, flags uint32
-			err = wsaGetOverlappedResult(f.handle, &c.o, &bytes, false, &flags)
+			err = windows.WSAGetOverlappedResult(f.handle, &c.o, &bytes, false, &flags)
 		}
 	case <-timeout:
-		cancelIoEx(f.handle, &c.o)
+		windows.CancelIoEx(f.handle, &c.o)
 		r = <-c.ch
 		err = r.err
 		if err == windows.ERROR_OPERATION_ABORTED {
-			err = ErrTimeout
+			err = os.ErrDeadlineExceeded
 		}
 	}

@@ -220,15 +185,15 @@ func (f *win32File) asyncIo(c *ioOperation, d *deadlineHandler, bytes uint32, er
 }

 // Read reads from a file handle.
-func (f *win32File) Read(b []byte) (int, error) {
+func (f *file) Read(b []byte) (int, error) {
 	c, err := f.prepareIo()
 	if err != nil {
 		return 0, err
 	}
 	defer f.wg.Done()

-	if f.readDeadline.timedout.isSet() {
-		return 0, ErrTimeout
+	if atomic.LoadUint32(&f.readDeadline.timedout) == 1 {
+		return 0, os.ErrDeadlineExceeded
 	}

 	var bytes uint32
@@ -247,15 +212,15 @@ func (f *win32File) Read(b []byte) (int, error) {
 }

 // Write writes to a file handle.
-func (f *win32File) Write(b []byte) (int, error) {
+func (f *file) Write(b []byte) (int, error) {
 	c, err := f.prepareIo()
 	if err != nil {
 		return 0, err
 	}
 	defer f.wg.Done()

-	if f.writeDeadline.timedout.isSet() {
-		return 0, ErrTimeout
+	if atomic.LoadUint32(&f.writeDeadline.timedout) == 1 {
+		return 0, os.ErrDeadlineExceeded
 	}

 	var bytes uint32
@@ -265,19 +230,19 @@ func (f *win32File) Write(b []byte) (int, error) {
 	return n, err
 }

-func (f *win32File) SetReadDeadline(deadline time.Time) error {
+func (f *file) SetReadDeadline(deadline time.Time) error {
 	return f.readDeadline.set(deadline)
 }

-func (f *win32File) SetWriteDeadline(deadline time.Time) error {
+func (f *file) SetWriteDeadline(deadline time.Time) error {
 	return f.writeDeadline.set(deadline)
 }

-func (f *win32File) Flush() error {
+func (f *file) Flush() error {
 	return windows.FlushFileBuffers(f.handle)
 }

-func (f *win32File) Fd() uintptr {
+func (f *file) Fd() uintptr {
 	return uintptr(f.handle)
 }

@@ -291,7 +256,7 @@ func (d *deadlineHandler) set(deadline time.Time) error {
 		}
 		d.timer = nil
 	}
-	d.timedout.setFalse()
+	atomic.StoreUint32(&d.timedout, 0)

 	select {
 	case <-d.channel:
@@ -306,7 +271,7 @@ func (d *deadlineHandler) set(deadline time.Time) error {
 	}

 	timeoutIO := func() {
-		d.timedout.setTrue()
+		atomic.StoreUint32(&d.timedout, 1)
 		close(d.channel)
 	}

--- a/ipc/namedpipe/namedpipe.go
+++ b/ipc/namedpipe/namedpipe.go
@@ -0,0 +1,486 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Copyright 2015 Microsoft
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+// +build windows
+
+// Package namedpipe implements a net.Conn and net.Listener around Windows named pipes.
+package namedpipe
+
+import (
+	"context"
+	"io"
+	"net"
+	"os"
+	"runtime"
+	"sync/atomic"
+	"time"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+type pipe struct {
+	*file
+	path string
+}
+
+type messageBytePipe struct {
+	pipe
+	writeClosed int32
+	readEOF     bool
+}
+
+type pipeAddress string
+
+func (f *pipe) LocalAddr() net.Addr {
+	return pipeAddress(f.path)
+}
+
+func (f *pipe) RemoteAddr() net.Addr {
+	return pipeAddress(f.path)
+}
+
+func (f *pipe) SetDeadline(t time.Time) error {
+	f.SetReadDeadline(t)
+	f.SetWriteDeadline(t)
+	return nil
+}
+
+// CloseWrite closes the write side of a message pipe in byte mode.
+func (f *messageBytePipe) CloseWrite() error {
+	if !atomic.CompareAndSwapInt32(&f.writeClosed, 0, 1) {
+		return io.ErrClosedPipe
+	}
+	err := f.file.Flush()
+	if err != nil {
+		atomic.StoreInt32(&f.writeClosed, 0)
+		return err
+	}
+	_, err = f.file.Write(nil)
+	if err != nil {
+		atomic.StoreInt32(&f.writeClosed, 0)
+		return err
+	}
+	return nil
+}
+
+// Write writes bytes to a message pipe in byte mode. Zero-byte writes are ignored, since
+// they are used to implement CloseWrite.
+func (f *messageBytePipe) Write(b []byte) (int, error) {
+	if atomic.LoadInt32(&f.writeClosed) != 0 {
+		return 0, io.ErrClosedPipe
+	}
+	if len(b) == 0 {
+		return 0, nil
+	}
+	return f.file.Write(b)
+}
+
+// Read reads bytes from a message pipe in byte mode. A read of a zero-byte message on a message
+// mode pipe will return io.EOF, as will all subsequent reads.
+func (f *messageBytePipe) Read(b []byte) (int, error) {
+	if f.readEOF {
+		return 0, io.EOF
+	}
+	n, err := f.file.Read(b)
+	if err == io.EOF {
+		// If this was the result of a zero-byte read, then
+		// it is possible that the read was due to a zero-size
+		// message. Since we are simulating CloseWrite with a
+		// zero-byte message, ensure that all future Read calls
+		// also return EOF.
+		f.readEOF = true
+	} else if err == windows.ERROR_MORE_DATA {
+		// ERROR_MORE_DATA indicates that the pipe's read mode is message mode
+		// and the message still has more bytes. Treat this as a success, since
+		// this package presents all named pipes as byte streams.
+		err = nil
+	}
+	return n, err
+}
+
+func (f *pipe) Handle() windows.Handle {
+	return f.handle
+}
+
+func (s pipeAddress) Network() string {
+	return "pipe"
+}
+
+func (s pipeAddress) String() string {
+	return string(s)
+}
+
+// tryDialPipe attempts to dial the specified pipe until cancellation or timeout.
+func tryDialPipe(ctx context.Context, path *string) (windows.Handle, error) {
+	for {
+		select {
+		case <-ctx.Done():
+			return 0, ctx.Err()
+		default:
+			path16, err := windows.UTF16PtrFromString(*path)
+			if err != nil {
+				return 0, err
+			}
+			h, err := windows.CreateFile(path16, windows.GENERIC_READ|windows.GENERIC_WRITE, 0, nil, windows.OPEN_EXISTING, windows.FILE_FLAG_OVERLAPPED|windows.SECURITY_SQOS_PRESENT|windows.SECURITY_ANONYMOUS, 0)
+			if err == nil {
+				return h, nil
+			}
+			if err != windows.ERROR_PIPE_BUSY {
+				return h, &os.PathError{Err: err, Op: "open", Path: *path}
+			}
+			// Wait 10 msec and try again. This is a rather simplistic
+			// view, as we always try each 10 milliseconds.
+			time.Sleep(10 * time.Millisecond)
+		}
+	}
+}
+
+// DialConfig exposes various options for use in Dial and DialContext.
+type DialConfig struct {
+	ExpectedOwner *windows.SID // If non-nil, the pipe is verified to be owned by this SID.
+}
+
+// DialTimeout connects to the specified named pipe by path, timing out if the
+// connection  takes longer than the specified duration. If timeout is zero, then
+// we use a default timeout of 2 seconds.
+func (config *DialConfig) DialTimeout(path string, timeout time.Duration) (net.Conn, error) {
+	if timeout == 0 {
+		timeout = time.Second * 2
+	}
+	absTimeout := time.Now().Add(timeout)
+	ctx, _ := context.WithDeadline(context.Background(), absTimeout)
+	conn, err := config.DialContext(ctx, path)
+	if err == context.DeadlineExceeded {
+		return nil, os.ErrDeadlineExceeded
+	}
+	return conn, err
+}
+
+// DialContext attempts to connect to the specified named pipe by path.
+func (config *DialConfig) DialContext(ctx context.Context, path string) (net.Conn, error) {
+	var err error
+	var h windows.Handle
+	h, err = tryDialPipe(ctx, &path)
+	if err != nil {
+		return nil, err
+	}
+
+	if config.ExpectedOwner != nil {
+		sd, err := windows.GetSecurityInfo(h, windows.SE_FILE_OBJECT, windows.OWNER_SECURITY_INFORMATION)
+		if err != nil {
+			windows.Close(h)
+			return nil, err
+		}
+		realOwner, _, err := sd.Owner()
+		if err != nil {
+			windows.Close(h)
+			return nil, err
+		}
+		if !realOwner.Equals(config.ExpectedOwner) {
+			windows.Close(h)
+			return nil, windows.ERROR_ACCESS_DENIED
+		}
+	}
+
+	var flags uint32
+	err = windows.GetNamedPipeInfo(h, &flags, nil, nil, nil)
+	if err != nil {
+		windows.Close(h)
+		return nil, err
+	}
+
+	f, err := makeFile(h)
+	if err != nil {
+		windows.Close(h)
+		return nil, err
+	}
+
+	// If the pipe is in message mode, return a message byte pipe, which
+	// supports CloseWrite.
+	if flags&windows.PIPE_TYPE_MESSAGE != 0 {
+		return &messageBytePipe{
+			pipe: pipe{file: f, path: path},
+		}, nil
+	}
+	return &pipe{file: f, path: path}, nil
+}
+
+var defaultDialer DialConfig
+
+// DialTimeout calls DialConfig.DialTimeout using an empty configuration.
+func DialTimeout(path string, timeout time.Duration) (net.Conn, error) {
+	return defaultDialer.DialTimeout(path, timeout)
+}
+
+// DialContext calls DialConfig.DialContext using an empty configuration.
+func DialContext(ctx context.Context, path string) (net.Conn, error) {
+	return defaultDialer.DialContext(ctx, path)
+}
+
+type acceptResponse struct {
+	f   *file
+	err error
+}
+
+type pipeListener struct {
+	firstHandle windows.Handle
+	path        string
+	config      ListenConfig
+	acceptCh    chan chan acceptResponse
+	closeCh     chan int
+	doneCh      chan int
+}
+
+func makeServerPipeHandle(path string, sd *windows.SECURITY_DESCRIPTOR, c *ListenConfig, isFirstPipe bool) (windows.Handle, error) {
+	path16, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return 0, &os.PathError{Op: "open", Path: path, Err: err}
+	}
+
+	var oa windows.OBJECT_ATTRIBUTES
+	oa.Length = uint32(unsafe.Sizeof(oa))
+
+	var ntPath windows.NTUnicodeString
+	if err := windows.RtlDosPathNameToNtPathName(path16, &ntPath, nil, nil); err != nil {
+		if ntstatus, ok := err.(windows.NTStatus); ok {
+			err = ntstatus.Errno()
+		}
+		return 0, &os.PathError{Op: "open", Path: path, Err: err}
+	}
+	defer windows.LocalFree(windows.Handle(unsafe.Pointer(ntPath.Buffer)))
+	oa.ObjectName = &ntPath
+
+	// The security descriptor is only needed for the first pipe.
+	if isFirstPipe {
+		if sd != nil {
+			oa.SecurityDescriptor = sd
+		} else {
+			// Construct the default named pipe security descriptor.
+			var acl *windows.ACL
+			if err := windows.RtlDefaultNpAcl(&acl); err != nil {
+				return 0, err
+			}
+			defer windows.LocalFree(windows.Handle(unsafe.Pointer(acl)))
+			sd, err = windows.NewSecurityDescriptor()
+			if err != nil {
+				return 0, err
+			}
+			if err = sd.SetDACL(acl, true, false); err != nil {
+				return 0, err
+			}
+			oa.SecurityDescriptor = sd
+		}
+	}
+
+	typ := uint32(windows.FILE_PIPE_REJECT_REMOTE_CLIENTS)
+	if c.MessageMode {
+		typ |= windows.FILE_PIPE_MESSAGE_TYPE
+	}
+
+	disposition := uint32(windows.FILE_OPEN)
+	access := uint32(windows.GENERIC_READ | windows.GENERIC_WRITE | windows.SYNCHRONIZE)
+	if isFirstPipe {
+		disposition = windows.FILE_CREATE
+		// By not asking for read or write access, the named pipe file system
+		// will put this pipe into an initially disconnected state, blocking
+		// client connections until the next call with isFirstPipe == false.
+		access = windows.SYNCHRONIZE
+	}
+
+	timeout := int64(-50 * 10000) // 50ms
+
+	var (
+		h    windows.Handle
+		iosb windows.IO_STATUS_BLOCK
+	)
+	err = windows.NtCreateNamedPipeFile(&h, access, &oa, &iosb, windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE, disposition, 0, typ, 0, 0, 0xffffffff, uint32(c.InputBufferSize), uint32(c.OutputBufferSize), &timeout)
+	if err != nil {
+		if ntstatus, ok := err.(windows.NTStatus); ok {
+			err = ntstatus.Errno()
+		}
+		return 0, &os.PathError{Op: "open", Path: path, Err: err}
+	}
+
+	runtime.KeepAlive(ntPath)
+	return h, nil
+}
+
+func (l *pipeListener) makeServerPipe() (*file, error) {
+	h, err := makeServerPipeHandle(l.path, nil, &l.config, false)
+	if err != nil {
+		return nil, err
+	}
+	f, err := makeFile(h)
+	if err != nil {
+		windows.Close(h)
+		return nil, err
+	}
+	return f, nil
+}
+
+func (l *pipeListener) makeConnectedServerPipe() (*file, error) {
+	p, err := l.makeServerPipe()
+	if err != nil {
+		return nil, err
+	}
+
+	// Wait for the client to connect.
+	ch := make(chan error)
+	go func(p *file) {
+		ch <- connectPipe(p)
+	}(p)
+
+	select {
+	case err = <-ch:
+		if err != nil {
+			p.Close()
+			p = nil
+		}
+	case <-l.closeCh:
+		// Abort the connect request by closing the handle.
+		p.Close()
+		p = nil
+		err = <-ch
+		if err == nil || err == os.ErrClosed {
+			err = net.ErrClosed
+		}
+	}
+	return p, err
+}
+
+func (l *pipeListener) listenerRoutine() {
+	closed := false
+	for !closed {
+		select {
+		case <-l.closeCh:
+			closed = true
+		case responseCh := <-l.acceptCh:
+			var (
+				p   *file
+				err error
+			)
+			for {
+				p, err = l.makeConnectedServerPipe()
+				// If the connection was immediately closed by the client, try
+				// again.
+				if err != windows.ERROR_NO_DATA {
+					break
+				}
+			}
+			responseCh <- acceptResponse{p, err}
+			closed = err == net.ErrClosed
+		}
+	}
+	windows.Close(l.firstHandle)
+	l.firstHandle = 0
+	// Notify Close and Accept callers that the handle has been closed.
+	close(l.doneCh)
+}
+
+// ListenConfig contains configuration for the pipe listener.
+type ListenConfig struct {
+	// SecurityDescriptor contains a Windows security descriptor. If nil, the default from RtlDefaultNpAcl is used.
+	SecurityDescriptor *windows.SECURITY_DESCRIPTOR
+
+	// MessageMode determines whether the pipe is in byte or message mode. In either
+	// case the pipe is read in byte mode by default. The only practical difference in
+	// this implementation is that CloseWrite is only supported for message mode pipes;
+	// CloseWrite is implemented as a zero-byte write, but zero-byte writes are only
+	// transferred to the reader (and returned as io.EOF in this implementation)
+	// when the pipe is in message mode.
+	MessageMode bool
+
+	// InputBufferSize specifies the initial size of the input buffer, in bytes, which the OS will grow as needed.
+	InputBufferSize int32
+
+	// OutputBufferSize specifies the initial size of the output buffer, in bytes, which the OS will grow as needed.
+	OutputBufferSize int32
+}
+
+// Listen creates a listener on a Windows named pipe path,such as \\.\pipe\mypipe.
+// The pipe must not already exist.
+func (c *ListenConfig) Listen(path string) (net.Listener, error) {
+	h, err := makeServerPipeHandle(path, c.SecurityDescriptor, c, true)
+	if err != nil {
+		return nil, err
+	}
+	l := &pipeListener{
+		firstHandle: h,
+		path:        path,
+		config:      *c,
+		acceptCh:    make(chan chan acceptResponse),
+		closeCh:     make(chan int),
+		doneCh:      make(chan int),
+	}
+	// The first connection is swallowed on Windows 7 & 8, so synthesize it.
+	if maj, min, _ := windows.RtlGetNtVersionNumbers(); maj < 6 || (maj == 6 && min < 4) {
+		path16, err := windows.UTF16PtrFromString(path)
+		if err == nil {
+			h, err = windows.CreateFile(path16, 0, 0, nil, windows.OPEN_EXISTING, windows.SECURITY_SQOS_PRESENT|windows.SECURITY_ANONYMOUS, 0)
+			if err == nil {
+				windows.CloseHandle(h)
+			}
+		}
+	}
+	go l.listenerRoutine()
+	return l, nil
+}
+
+var defaultListener ListenConfig
+
+// Listen calls ListenConfig.Listen using an empty configuration.
+func Listen(path string) (net.Listener, error) {
+	return defaultListener.Listen(path)
+}
+
+func connectPipe(p *file) error {
+	c, err := p.prepareIo()
+	if err != nil {
+		return err
+	}
+	defer p.wg.Done()
+
+	err = windows.ConnectNamedPipe(p.handle, &c.o)
+	_, err = p.asyncIo(c, nil, 0, err)
+	if err != nil && err != windows.ERROR_PIPE_CONNECTED {
+		return err
+	}
+	return nil
+}
+
+func (l *pipeListener) Accept() (net.Conn, error) {
+	ch := make(chan acceptResponse)
+	select {
+	case l.acceptCh <- ch:
+		response := <-ch
+		err := response.err
+		if err != nil {
+			return nil, err
+		}
+		if l.config.MessageMode {
+			return &messageBytePipe{
+				pipe: pipe{file: response.f, path: l.path},
+			}, nil
+		}
+		return &pipe{file: response.f, path: l.path}, nil
+	case <-l.doneCh:
+		return nil, net.ErrClosed
+	}
+}
+
+func (l *pipeListener) Close() error {
+	select {
+	case l.closeCh <- 1:
+		<-l.doneCh
+	case <-l.doneCh:
+	}
+	return nil
+}
+
+func (l *pipeListener) Addr() net.Addr {
+	return pipeAddress(l.path)
+}
--- a/ipc/namedpipe/namedpipe_test.go
+++ b/ipc/namedpipe/namedpipe_test.go
@@ -0,0 +1,675 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Copyright 2015 Microsoft
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+// +build windows
+
+package namedpipe_test
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/ipc/namedpipe"
+)
+
+func randomPipePath() string {
+	guid, err := windows.GenerateGUID()
+	if err != nil {
+		panic(err)
+	}
+	return `\\.\PIPE\go-namedpipe-test-` + guid.String()
+}
+
+func TestPingPong(t *testing.T) {
+	const (
+		ping = 42
+		pong = 24
+	)
+	pipePath := randomPipePath()
+	listener, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatalf("unable to listen on pipe: %v", err)
+	}
+	defer listener.Close()
+	go func() {
+		incoming, err := listener.Accept()
+		if err != nil {
+			t.Fatalf("unable to accept pipe connection: %v", err)
+		}
+		defer incoming.Close()
+		var data [1]byte
+		_, err = incoming.Read(data[:])
+		if err != nil {
+			t.Fatalf("unable to read ping from pipe: %v", err)
+		}
+		if data[0] != ping {
+			t.Fatalf("expected ping, got %d", data[0])
+		}
+		data[0] = pong
+		_, err = incoming.Write(data[:])
+		if err != nil {
+			t.Fatalf("unable to write pong to pipe: %v", err)
+		}
+	}()
+	client, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+	if err != nil {
+		t.Fatalf("unable to dial pipe: %v", err)
+	}
+	defer client.Close()
+	client.SetDeadline(time.Now().Add(time.Second * 5))
+	var data [1]byte
+	data[0] = ping
+	_, err = client.Write(data[:])
+	if err != nil {
+		t.Fatalf("unable to write ping to pipe: %v", err)
+	}
+	_, err = client.Read(data[:])
+	if err != nil {
+		t.Fatalf("unable to read pong from pipe: %v", err)
+	}
+	if data[0] != pong {
+		t.Fatalf("expected pong, got %d", data[0])
+	}
+}
+
+func TestDialUnknownFailsImmediately(t *testing.T) {
+	_, err := namedpipe.DialTimeout(randomPipePath(), time.Duration(0))
+	if !errors.Is(err, syscall.ENOENT) {
+		t.Fatalf("expected ENOENT got %v", err)
+	}
+}
+
+func TestDialListenerTimesOut(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	pipe, err := namedpipe.DialTimeout(pipePath, 10*time.Millisecond)
+	if err == nil {
+		pipe.Close()
+	}
+	if err != os.ErrDeadlineExceeded {
+		t.Fatalf("expected os.ErrDeadlineExceeded, got %v", err)
+	}
+}
+
+func TestDialContextListenerTimesOut(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	d := 10 * time.Millisecond
+	ctx, _ := context.WithTimeout(context.Background(), d)
+	pipe, err := namedpipe.DialContext(ctx, pipePath)
+	if err == nil {
+		pipe.Close()
+	}
+	if err != context.DeadlineExceeded {
+		t.Fatalf("expected context.DeadlineExceeded, got %v", err)
+	}
+}
+
+func TestDialListenerGetsCancelled(t *testing.T) {
+	pipePath := randomPipePath()
+	ctx, cancel := context.WithCancel(context.Background())
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	ch := make(chan error)
+	go func(ctx context.Context, ch chan error) {
+		_, err := namedpipe.DialContext(ctx, pipePath)
+		ch <- err
+	}(ctx, ch)
+	time.Sleep(time.Millisecond * 30)
+	cancel()
+	err = <-ch
+	if err != context.Canceled {
+		t.Fatalf("expected context.Canceled, got %v", err)
+	}
+}
+
+func TestDialAccessDeniedWithRestrictedSD(t *testing.T) {
+	if windows.NewLazySystemDLL("ntdll.dll").NewProc("wine_get_version").Find() == nil {
+		t.Skip("dacls on named pipes are broken on wine")
+	}
+	pipePath := randomPipePath()
+	sd, _ := windows.SecurityDescriptorFromString("D:")
+	l, err := (&namedpipe.ListenConfig{
+		SecurityDescriptor: sd,
+	}).Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	pipe, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+	if err == nil {
+		pipe.Close()
+	}
+	if !errors.Is(err, windows.ERROR_ACCESS_DENIED) {
+		t.Fatalf("expected ERROR_ACCESS_DENIED, got %v", err)
+	}
+}
+
+func getConnection(cfg *namedpipe.ListenConfig) (client, server net.Conn, err error) {
+	pipePath := randomPipePath()
+	if cfg == nil {
+		cfg = &namedpipe.ListenConfig{}
+	}
+	l, err := cfg.Listen(pipePath)
+	if err != nil {
+		return
+	}
+	defer l.Close()
+
+	type response struct {
+		c   net.Conn
+		err error
+	}
+	ch := make(chan response)
+	go func() {
+		c, err := l.Accept()
+		ch <- response{c, err}
+	}()
+
+	c, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+	if err != nil {
+		return
+	}
+
+	r := <-ch
+	if err = r.err; err != nil {
+		c.Close()
+		return
+	}
+
+	client = c
+	server = r.c
+	return
+}
+
+func TestReadTimeout(t *testing.T) {
+	c, s, err := getConnection(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer c.Close()
+	defer s.Close()
+
+	c.SetReadDeadline(time.Now().Add(10 * time.Millisecond))
+
+	buf := make([]byte, 10)
+	_, err = c.Read(buf)
+	if err != os.ErrDeadlineExceeded {
+		t.Fatalf("expected os.ErrDeadlineExceeded, got %v", err)
+	}
+}
+
+func server(l net.Listener, ch chan int) {
+	c, err := l.Accept()
+	if err != nil {
+		panic(err)
+	}
+	rw := bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c))
+	s, err := rw.ReadString('\n')
+	if err != nil {
+		panic(err)
+	}
+	_, err = rw.WriteString("got " + s)
+	if err != nil {
+		panic(err)
+	}
+	err = rw.Flush()
+	if err != nil {
+		panic(err)
+	}
+	c.Close()
+	ch <- 1
+}
+
+func TestFullListenDialReadWrite(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	ch := make(chan int)
+	go server(l, ch)
+
+	c, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer c.Close()
+
+	rw := bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c))
+	_, err = rw.WriteString("hello world\n")
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = rw.Flush()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	s, err := rw.ReadString('\n')
+	if err != nil {
+		t.Fatal(err)
+	}
+	ms := "got hello world\n"
+	if s != ms {
+		t.Errorf("expected '%s', got '%s'", ms, s)
+	}
+
+	<-ch
+}
+
+func TestCloseAbortsListen(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ch := make(chan error)
+	go func() {
+		_, err := l.Accept()
+		ch <- err
+	}()
+
+	time.Sleep(30 * time.Millisecond)
+	l.Close()
+
+	err = <-ch
+	if err != net.ErrClosed {
+		t.Fatalf("expected net.ErrClosed, got %v", err)
+	}
+}
+
+func ensureEOFOnClose(t *testing.T, r io.Reader, w io.Closer) {
+	b := make([]byte, 10)
+	w.Close()
+	n, err := r.Read(b)
+	if n > 0 {
+		t.Errorf("unexpected byte count %d", n)
+	}
+	if err != io.EOF {
+		t.Errorf("expected EOF: %v", err)
+	}
+}
+
+func TestCloseClientEOFServer(t *testing.T) {
+	c, s, err := getConnection(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer c.Close()
+	defer s.Close()
+	ensureEOFOnClose(t, c, s)
+}
+
+func TestCloseServerEOFClient(t *testing.T) {
+	c, s, err := getConnection(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer c.Close()
+	defer s.Close()
+	ensureEOFOnClose(t, s, c)
+}
+
+func TestCloseWriteEOF(t *testing.T) {
+	cfg := &namedpipe.ListenConfig{
+		MessageMode: true,
+	}
+	c, s, err := getConnection(cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer c.Close()
+	defer s.Close()
+
+	type closeWriter interface {
+		CloseWrite() error
+	}
+
+	err = c.(closeWriter).CloseWrite()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	b := make([]byte, 10)
+	_, err = s.Read(b)
+	if err != io.EOF {
+		t.Fatal(err)
+	}
+}
+
+func TestAcceptAfterCloseFails(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	l.Close()
+	_, err = l.Accept()
+	if err != net.ErrClosed {
+		t.Fatalf("expected net.ErrClosed, got %v", err)
+	}
+}
+
+func TestDialTimesOutByDefault(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	pipe, err := namedpipe.DialTimeout(pipePath, time.Duration(0)) // Should timeout after 2 seconds.
+	if err == nil {
+		pipe.Close()
+	}
+	if err != os.ErrDeadlineExceeded {
+		t.Fatalf("expected os.ErrDeadlineExceeded, got %v", err)
+	}
+}
+
+func TestTimeoutPendingRead(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	serverDone := make(chan struct{})
+
+	go func() {
+		s, err := l.Accept()
+		if err != nil {
+			t.Fatal(err)
+		}
+		time.Sleep(1 * time.Second)
+		s.Close()
+		close(serverDone)
+	}()
+
+	client, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer client.Close()
+
+	clientErr := make(chan error)
+	go func() {
+		buf := make([]byte, 10)
+		_, err = client.Read(buf)
+		clientErr <- err
+	}()
+
+	time.Sleep(100 * time.Millisecond) // make *sure* the pipe is reading before we set the deadline
+	client.SetReadDeadline(time.Unix(1, 0))
+
+	select {
+	case err = <-clientErr:
+		if err != os.ErrDeadlineExceeded {
+			t.Fatalf("expected os.ErrDeadlineExceeded, got %v", err)
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Fatalf("timed out while waiting for read to cancel")
+		<-clientErr
+	}
+	<-serverDone
+}
+
+func TestTimeoutPendingWrite(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	serverDone := make(chan struct{})
+
+	go func() {
+		s, err := l.Accept()
+		if err != nil {
+			t.Fatal(err)
+		}
+		time.Sleep(1 * time.Second)
+		s.Close()
+		close(serverDone)
+	}()
+
+	client, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer client.Close()
+
+	clientErr := make(chan error)
+	go func() {
+		_, err = client.Write([]byte("this should timeout"))
+		clientErr <- err
+	}()
+
+	time.Sleep(100 * time.Millisecond) // make *sure* the pipe is writing before we set the deadline
+	client.SetWriteDeadline(time.Unix(1, 0))
+
+	select {
+	case err = <-clientErr:
+		if err != os.ErrDeadlineExceeded {
+			t.Fatalf("expected os.ErrDeadlineExceeded, got %v", err)
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Fatalf("timed out while waiting for write to cancel")
+		<-clientErr
+	}
+	<-serverDone
+}
+
+type CloseWriter interface {
+	CloseWrite() error
+}
+
+func TestEchoWithMessaging(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := (&namedpipe.ListenConfig{
+		MessageMode:      true,  // Use message mode so that CloseWrite() is supported
+		InputBufferSize:  65536, // Use 64KB buffers to improve performance
+		OutputBufferSize: 65536,
+	}).Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	listenerDone := make(chan bool)
+	clientDone := make(chan bool)
+	go func() {
+		// server echo
+		conn, err := l.Accept()
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer conn.Close()
+
+		time.Sleep(500 * time.Millisecond) // make *sure* we don't begin to read before eof signal is sent
+		_, err = io.Copy(conn, conn)
+		if err != nil {
+			t.Fatal(err)
+		}
+		conn.(CloseWriter).CloseWrite()
+		close(listenerDone)
+	}()
+	client, err := namedpipe.DialTimeout(pipePath, time.Second)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer client.Close()
+
+	go func() {
+		// client read back
+		bytes := make([]byte, 2)
+		n, e := client.Read(bytes)
+		if e != nil {
+			t.Fatal(e)
+		}
+		if n != 2 || bytes[0] != 0 || bytes[1] != 1 {
+			t.Fatalf("expected 2 bytes, got %v", n)
+		}
+		close(clientDone)
+	}()
+
+	payload := make([]byte, 2)
+	payload[0] = 0
+	payload[1] = 1
+
+	n, err := client.Write(payload)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if n != 2 {
+		t.Fatalf("expected 2 bytes, got %v", n)
+	}
+	client.(CloseWriter).CloseWrite()
+	<-listenerDone
+	<-clientDone
+}
+
+func TestConnectRace(t *testing.T) {
+	pipePath := randomPipePath()
+	l, err := namedpipe.Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	go func() {
+		for {
+			s, err := l.Accept()
+			if err == net.ErrClosed {
+				return
+			}
+
+			if err != nil {
+				t.Fatal(err)
+			}
+			s.Close()
+		}
+	}()
+
+	for i := 0; i < 1000; i++ {
+		c, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+		if err != nil {
+			t.Fatal(err)
+		}
+		c.Close()
+	}
+}
+
+func TestMessageReadMode(t *testing.T) {
+	if maj, _, _ := windows.RtlGetNtVersionNumbers(); maj <= 8 {
+		t.Skipf("Skipping on Windows %d", maj)
+	}
+	var wg sync.WaitGroup
+	defer wg.Wait()
+	pipePath := randomPipePath()
+	l, err := (&namedpipe.ListenConfig{MessageMode: true}).Listen(pipePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	msg := ([]byte)("hello world")
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		s, err := l.Accept()
+		if err != nil {
+			t.Fatal(err)
+		}
+		_, err = s.Write(msg)
+		if err != nil {
+			t.Fatal(err)
+		}
+		s.Close()
+	}()
+
+	c, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer c.Close()
+
+	mode := uint32(windows.PIPE_READMODE_MESSAGE)
+	err = windows.SetNamedPipeHandleState(c.(interface{ Handle() windows.Handle }).Handle(), &mode, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ch := make([]byte, 1)
+	var vmsg []byte
+	for {
+		n, err := c.Read(ch)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+		if n != 1 {
+			t.Fatalf("expected 1, got %d", n)
+		}
+		vmsg = append(vmsg, ch[0])
+	}
+	if !bytes.Equal(msg, vmsg) {
+		t.Fatalf("expected %s, got %s", msg, vmsg)
+	}
+}
+
+func TestListenConnectRace(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping long race test")
+	}
+	pipePath := randomPipePath()
+	for i := 0; i < 50 && !t.Failed(); i++ {
+		var wg sync.WaitGroup
+		wg.Add(1)
+		go func() {
+			c, err := namedpipe.DialTimeout(pipePath, time.Duration(0))
+			if err == nil {
+				c.Close()
+			}
+			wg.Done()
+		}()
+		s, err := namedpipe.Listen(pipePath)
+		if err != nil {
+			t.Error(i, err)
+		} else {
+			s.Close()
+		}
+		wg.Wait()
+	}
+}
--- a/ipc/uapi_bsd.go
+++ b/ipc/uapi_bsd.go
@@ -1,4 +1,4 @@
-// +build darwin freebsd openbsd
+//go:build darwin || freebsd || openbsd

 /* SPDX-License-Identifier: MIT
 *
@@ -54,7 +54,6 @@ func (l *UAPIListener) Addr() net.Addr {
 }

 func UAPIListen(name string, file *os.File) (net.Listener, error) {
-
 	// wrap file in listener

 	listener, err := net.FileListener(file)
@@ -104,7 +103,7 @@ func UAPIListen(name string, file *os.File) (net.Listener, error) {
 				l.connErr <- err
 				return
 			}
-			if kerr != nil || n != 1 {
+			if (kerr != nil || n != 1) && kerr != unix.EINTR {
 				if kerr != nil {
 					l.connErr <- kerr
 				} else {
--- a/ipc/uapi_js.go
+++ b/ipc/uapi_js.go
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package ipc
+
+// Made up sentinel error codes for the js/wasm platform.
+const (
+	IpcErrorIO        = 1
+	IpcErrorInvalid   = 2
+	IpcErrorPortInUse = 3
+	IpcErrorUnknown   = 4
+	IpcErrorProtocol  = 5
+)
--- a/ipc/uapi_linux.go
+++ b/ipc/uapi_linux.go
@@ -51,7 +51,6 @@ func (l *UAPIListener) Addr() net.Addr {
 }

 func UAPIListen(name string, file *os.File) (net.Listener, error) {
-
 	// wrap file in listener

 	listener, err := net.FileListener(file)
--- a/ipc/uapi_unix.go
+++ b/ipc/uapi_unix.go
@@ -1,4 +1,4 @@
-// +build linux darwin freebsd openbsd
+//go:build linux || darwin || freebsd || openbsd

 /* SPDX-License-Identifier: MIT
 *
@@ -33,7 +33,7 @@ func sockPath(iface string) string {
 }

 func UAPIOpen(name string) (*os.File, error) {
-	if err := os.MkdirAll(socketDirectory, 0755); err != nil {
+	if err := os.MkdirAll(socketDirectory, 0o755); err != nil {
 		return nil, err
 	}

@@ -43,7 +43,7 @@ func UAPIOpen(name string) (*os.File, error) {
 		return nil, err
 	}

-	oldUmask := unix.Umask(0077)
+	oldUmask := unix.Umask(0o077)
 	defer unix.Umask(oldUmask)

 	listener, err := net.ListenUnix("unix", addr)
--- a/ipc/uapi_windows.go
+++ b/ipc/uapi_windows.go
@@ -9,8 +9,7 @@ import (
 	"net"

 	"golang.org/x/sys/windows"
-
-	"golang.zx2c4.com/wireguard/ipc/winpipe"
+	"golang.zx2c4.com/wireguard/ipc/namedpipe"
 )

 // TODO: replace these with actual standard windows error numbers from the win package
@@ -54,18 +53,16 @@ var UAPISecurityDescriptor *windows.SECURITY_DESCRIPTOR

 func init() {
 	var err error
-	/* SDDL_DEVOBJ_SYS_ALL from the WDK */
-	UAPISecurityDescriptor, err = windows.SecurityDescriptorFromString("O:SYD:P(A;;GA;;;SY)")
+	UAPISecurityDescriptor, err = windows.SecurityDescriptorFromString("O:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)S:(ML;;NWNRNX;;;HI)")
 	if err != nil {
 		panic(err)
 	}
 }

 func UAPIListen(name string) (net.Listener, error) {
-	config := winpipe.PipeConfig{
+	listener, err := (&namedpipe.ListenConfig{
 		SecurityDescriptor: UAPISecurityDescriptor,
-	}
-	listener, err := winpipe.ListenPipe(`\\.\pipe\ProtectedPrefix\Administrators\WireGuard\`+name, &config)
+	}).Listen(`\\.\pipe\ProtectedPrefix\Administrators\WireGuard\` + name)
 	if err != nil {
 		return nil, err
 	}
--- a/ipc/winpipe/mksyscall.go
+++ b/ipc/winpipe/mksyscall.go
@@ -1,9 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2005 Microsoft
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package winpipe
-
-//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go pipe.go file.go
--- a/ipc/winpipe/pipe.go
+++ b/ipc/winpipe/pipe.go
@@ -1,509 +0,0 @@
-// +build windows
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2005 Microsoft
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package winpipe
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"os"
-	"runtime"
-	"time"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-//sys connectNamedPipe(pipe windows.Handle, o *windows.Overlapped) (err error) = ConnectNamedPipe
-//sys createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *windows.SecurityAttributes) (handle windows.Handle, err error)  [failretval==windows.InvalidHandle] = CreateNamedPipeW
-//sys createFile(name string, access uint32, mode uint32, sa *windows.SecurityAttributes, createmode uint32, attrs uint32, templatefile windows.Handle) (handle windows.Handle, err error) [failretval==windows.InvalidHandle] = CreateFileW
-//sys getNamedPipeInfo(pipe windows.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) = GetNamedPipeInfo
-//sys getNamedPipeHandleState(pipe windows.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW
-//sys localAlloc(uFlags uint32, length uint32) (ptr uintptr) = LocalAlloc
-//sys ntCreateNamedPipeFile(pipe *windows.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) = ntdll.NtCreateNamedPipeFile
-//sys rtlNtStatusToDosError(status ntstatus) (winerr error) = ntdll.RtlNtStatusToDosErrorNoTeb
-//sys rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) = ntdll.RtlDosPathNameToNtPathName_U
-//sys rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) = ntdll.RtlDefaultNpAcl
-
-type ioStatusBlock struct {
-	Status, Information uintptr
-}
-
-type objectAttributes struct {
-	Length             uintptr
-	RootDirectory      uintptr
-	ObjectName         *unicodeString
-	Attributes         uintptr
-	SecurityDescriptor *windows.SECURITY_DESCRIPTOR
-	SecurityQoS        uintptr
-}
-
-type unicodeString struct {
-	Length        uint16
-	MaximumLength uint16
-	Buffer        uintptr
-}
-
-type ntstatus int32
-
-func (status ntstatus) Err() error {
-	if status >= 0 {
-		return nil
-	}
-	return rtlNtStatusToDosError(status)
-}
-
-const (
-	cSECURITY_SQOS_PRESENT = 0x100000
-	cSECURITY_ANONYMOUS    = 0
-
-	cPIPE_TYPE_MESSAGE = 4
-
-	cPIPE_READMODE_MESSAGE = 2
-
-	cFILE_OPEN   = 1
-	cFILE_CREATE = 2
-
-	cFILE_PIPE_MESSAGE_TYPE          = 1
-	cFILE_PIPE_REJECT_REMOTE_CLIENTS = 2
-)
-
-var (
-	// ErrPipeListenerClosed is returned for pipe operations on listeners that have been closed.
-	// This error should match net.errClosing since docker takes a dependency on its text.
-	ErrPipeListenerClosed = errors.New("use of closed network connection")
-
-	errPipeWriteClosed = errors.New("pipe has been closed for write")
-)
-
-type win32Pipe struct {
-	*win32File
-	path string
-}
-
-type win32MessageBytePipe struct {
-	win32Pipe
-	writeClosed bool
-	readEOF     bool
-}
-
-type pipeAddress string
-
-func (f *win32Pipe) LocalAddr() net.Addr {
-	return pipeAddress(f.path)
-}
-
-func (f *win32Pipe) RemoteAddr() net.Addr {
-	return pipeAddress(f.path)
-}
-
-func (f *win32Pipe) SetDeadline(t time.Time) error {
-	f.SetReadDeadline(t)
-	f.SetWriteDeadline(t)
-	return nil
-}
-
-// CloseWrite closes the write side of a message pipe in byte mode.
-func (f *win32MessageBytePipe) CloseWrite() error {
-	if f.writeClosed {
-		return errPipeWriteClosed
-	}
-	err := f.win32File.Flush()
-	if err != nil {
-		return err
-	}
-	_, err = f.win32File.Write(nil)
-	if err != nil {
-		return err
-	}
-	f.writeClosed = true
-	return nil
-}
-
-// Write writes bytes to a message pipe in byte mode. Zero-byte writes are ignored, since
-// they are used to implement CloseWrite().
-func (f *win32MessageBytePipe) Write(b []byte) (int, error) {
-	if f.writeClosed {
-		return 0, errPipeWriteClosed
-	}
-	if len(b) == 0 {
-		return 0, nil
-	}
-	return f.win32File.Write(b)
-}
-
-// Read reads bytes from a message pipe in byte mode. A read of a zero-byte message on a message
-// mode pipe will return io.EOF, as will all subsequent reads.
-func (f *win32MessageBytePipe) Read(b []byte) (int, error) {
-	if f.readEOF {
-		return 0, io.EOF
-	}
-	n, err := f.win32File.Read(b)
-	if err == io.EOF {
-		// If this was the result of a zero-byte read, then
-		// it is possible that the read was due to a zero-size
-		// message. Since we are simulating CloseWrite with a
-		// zero-byte message, ensure that all future Read() calls
-		// also return EOF.
-		f.readEOF = true
-	} else if err == windows.ERROR_MORE_DATA {
-		// ERROR_MORE_DATA indicates that the pipe's read mode is message mode
-		// and the message still has more bytes. Treat this as a success, since
-		// this package presents all named pipes as byte streams.
-		err = nil
-	}
-	return n, err
-}
-
-func (s pipeAddress) Network() string {
-	return "pipe"
-}
-
-func (s pipeAddress) String() string {
-	return string(s)
-}
-
-// tryDialPipe attempts to dial the pipe at `path` until `ctx` cancellation or timeout.
-func tryDialPipe(ctx context.Context, path *string) (windows.Handle, error) {
-	for {
-		select {
-		case <-ctx.Done():
-			return windows.Handle(0), ctx.Err()
-		default:
-			h, err := createFile(*path, windows.GENERIC_READ|windows.GENERIC_WRITE, 0, nil, windows.OPEN_EXISTING, windows.FILE_FLAG_OVERLAPPED|cSECURITY_SQOS_PRESENT|cSECURITY_ANONYMOUS, 0)
-			if err == nil {
-				return h, nil
-			}
-			if err != windows.ERROR_PIPE_BUSY {
-				return h, &os.PathError{Err: err, Op: "open", Path: *path}
-			}
-			// Wait 10 msec and try again. This is a rather simplistic
-			// view, as we always try each 10 milliseconds.
-			time.Sleep(time.Millisecond * 10)
-		}
-	}
-}
-
-// DialPipe connects to a named pipe by path, timing out if the connection
-// takes longer than the specified duration. If timeout is nil, then we use
-// a default timeout of 2 seconds.  (We do not use WaitNamedPipe.)
-func DialPipe(path string, timeout *time.Duration, expectedOwner *windows.SID) (net.Conn, error) {
-	var absTimeout time.Time
-	if timeout != nil {
-		absTimeout = time.Now().Add(*timeout)
-	} else {
-		absTimeout = time.Now().Add(time.Second * 2)
-	}
-	ctx, _ := context.WithDeadline(context.Background(), absTimeout)
-	conn, err := DialPipeContext(ctx, path, expectedOwner)
-	if err == context.DeadlineExceeded {
-		return nil, ErrTimeout
-	}
-	return conn, err
-}
-
-// DialPipeContext attempts to connect to a named pipe by `path` until `ctx`
-// cancellation or timeout.
-func DialPipeContext(ctx context.Context, path string, expectedOwner *windows.SID) (net.Conn, error) {
-	var err error
-	var h windows.Handle
-	h, err = tryDialPipe(ctx, &path)
-	if err != nil {
-		return nil, err
-	}
-
-	if expectedOwner != nil {
-		sd, err := windows.GetSecurityInfo(h, windows.SE_FILE_OBJECT, windows.OWNER_SECURITY_INFORMATION)
-		if err != nil {
-			windows.Close(h)
-			return nil, err
-		}
-		realOwner, _, err := sd.Owner()
-		if err != nil {
-			windows.Close(h)
-			return nil, err
-		}
-		if !realOwner.Equals(expectedOwner) {
-			windows.Close(h)
-			return nil, windows.ERROR_ACCESS_DENIED
-		}
-	}
-
-	var flags uint32
-	err = getNamedPipeInfo(h, &flags, nil, nil, nil)
-	if err != nil {
-		windows.Close(h)
-		return nil, err
-	}
-
-	f, err := makeWin32File(h)
-	if err != nil {
-		windows.Close(h)
-		return nil, err
-	}
-
-	// If the pipe is in message mode, return a message byte pipe, which
-	// supports CloseWrite().
-	if flags&cPIPE_TYPE_MESSAGE != 0 {
-		return &win32MessageBytePipe{
-			win32Pipe: win32Pipe{win32File: f, path: path},
-		}, nil
-	}
-	return &win32Pipe{win32File: f, path: path}, nil
-}
-
-type acceptResponse struct {
-	f   *win32File
-	err error
-}
-
-type win32PipeListener struct {
-	firstHandle windows.Handle
-	path        string
-	config      PipeConfig
-	acceptCh    chan (chan acceptResponse)
-	closeCh     chan int
-	doneCh      chan int
-}
-
-func makeServerPipeHandle(path string, sd *windows.SECURITY_DESCRIPTOR, c *PipeConfig, first bool) (windows.Handle, error) {
-	path16, err := windows.UTF16FromString(path)
-	if err != nil {
-		return 0, &os.PathError{Op: "open", Path: path, Err: err}
-	}
-
-	var oa objectAttributes
-	oa.Length = unsafe.Sizeof(oa)
-
-	var ntPath unicodeString
-	if err := rtlDosPathNameToNtPathName(&path16[0], &ntPath, 0, 0).Err(); err != nil {
-		return 0, &os.PathError{Op: "open", Path: path, Err: err}
-	}
-	defer windows.LocalFree(windows.Handle(ntPath.Buffer))
-	oa.ObjectName = &ntPath
-
-	// The security descriptor is only needed for the first pipe.
-	if first {
-		if sd != nil {
-			oa.SecurityDescriptor = sd
-		} else {
-			// Construct the default named pipe security descriptor.
-			var dacl uintptr
-			if err := rtlDefaultNpAcl(&dacl).Err(); err != nil {
-				return 0, fmt.Errorf("getting default named pipe ACL: %s", err)
-			}
-			defer windows.LocalFree(windows.Handle(dacl))
-			sd, err := windows.NewSecurityDescriptor()
-			if err != nil {
-				return 0, fmt.Errorf("creating new security descriptor: %s", err)
-			}
-			if err = sd.SetDACL((*windows.ACL)(unsafe.Pointer(dacl)), true, false); err != nil {
-				return 0, fmt.Errorf("assigning dacl: %s", err)
-			}
-			sd, err = sd.ToSelfRelative()
-			if err != nil {
-				return 0, fmt.Errorf("converting to self-relative: %s", err)
-			}
-			oa.SecurityDescriptor = sd
-		}
-	}
-
-	typ := uint32(cFILE_PIPE_REJECT_REMOTE_CLIENTS)
-	if c.MessageMode {
-		typ |= cFILE_PIPE_MESSAGE_TYPE
-	}
-
-	disposition := uint32(cFILE_OPEN)
-	access := uint32(windows.GENERIC_READ | windows.GENERIC_WRITE | windows.SYNCHRONIZE)
-	if first {
-		disposition = cFILE_CREATE
-		// By not asking for read or write access, the named pipe file system
-		// will put this pipe into an initially disconnected state, blocking
-		// client connections until the next call with first == false.
-		access = windows.SYNCHRONIZE
-	}
-
-	timeout := int64(-50 * 10000) // 50ms
-
-	var (
-		h    windows.Handle
-		iosb ioStatusBlock
-	)
-	err = ntCreateNamedPipeFile(&h, access, &oa, &iosb, windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE, disposition, 0, typ, 0, 0, 0xffffffff, uint32(c.InputBufferSize), uint32(c.OutputBufferSize), &timeout).Err()
-	if err != nil {
-		return 0, &os.PathError{Op: "open", Path: path, Err: err}
-	}
-
-	runtime.KeepAlive(ntPath)
-	return h, nil
-}
-
-func (l *win32PipeListener) makeServerPipe() (*win32File, error) {
-	h, err := makeServerPipeHandle(l.path, nil, &l.config, false)
-	if err != nil {
-		return nil, err
-	}
-	f, err := makeWin32File(h)
-	if err != nil {
-		windows.Close(h)
-		return nil, err
-	}
-	return f, nil
-}
-
-func (l *win32PipeListener) makeConnectedServerPipe() (*win32File, error) {
-	p, err := l.makeServerPipe()
-	if err != nil {
-		return nil, err
-	}
-
-	// Wait for the client to connect.
-	ch := make(chan error)
-	go func(p *win32File) {
-		ch <- connectPipe(p)
-	}(p)
-
-	select {
-	case err = <-ch:
-		if err != nil {
-			p.Close()
-			p = nil
-		}
-	case <-l.closeCh:
-		// Abort the connect request by closing the handle.
-		p.Close()
-		p = nil
-		err = <-ch
-		if err == nil || err == ErrFileClosed {
-			err = ErrPipeListenerClosed
-		}
-	}
-	return p, err
-}
-
-func (l *win32PipeListener) listenerRoutine() {
-	closed := false
-	for !closed {
-		select {
-		case <-l.closeCh:
-			closed = true
-		case responseCh := <-l.acceptCh:
-			var (
-				p   *win32File
-				err error
-			)
-			for {
-				p, err = l.makeConnectedServerPipe()
-				// If the connection was immediately closed by the client, try
-				// again.
-				if err != windows.ERROR_NO_DATA {
-					break
-				}
-			}
-			responseCh <- acceptResponse{p, err}
-			closed = err == ErrPipeListenerClosed
-		}
-	}
-	windows.Close(l.firstHandle)
-	l.firstHandle = 0
-	// Notify Close() and Accept() callers that the handle has been closed.
-	close(l.doneCh)
-}
-
-// PipeConfig contain configuration for the pipe listener.
-type PipeConfig struct {
-	// SecurityDescriptor contains a Windows security descriptor.
-	SecurityDescriptor *windows.SECURITY_DESCRIPTOR
-
-	// MessageMode determines whether the pipe is in byte or message mode. In either
-	// case the pipe is read in byte mode by default. The only practical difference in
-	// this implementation is that CloseWrite() is only supported for message mode pipes;
-	// CloseWrite() is implemented as a zero-byte write, but zero-byte writes are only
-	// transferred to the reader (and returned as io.EOF in this implementation)
-	// when the pipe is in message mode.
-	MessageMode bool
-
-	// InputBufferSize specifies the size the input buffer, in bytes.
-	InputBufferSize int32
-
-	// OutputBufferSize specifies the size the input buffer, in bytes.
-	OutputBufferSize int32
-}
-
-// ListenPipe creates a listener on a Windows named pipe path, e.g. \\.\pipe\mypipe.
-// The pipe must not already exist.
-func ListenPipe(path string, c *PipeConfig) (net.Listener, error) {
-	if c == nil {
-		c = &PipeConfig{}
-	}
-	h, err := makeServerPipeHandle(path, c.SecurityDescriptor, c, true)
-	if err != nil {
-		return nil, err
-	}
-	l := &win32PipeListener{
-		firstHandle: h,
-		path:        path,
-		config:      *c,
-		acceptCh:    make(chan (chan acceptResponse)),
-		closeCh:     make(chan int),
-		doneCh:      make(chan int),
-	}
-	go l.listenerRoutine()
-	return l, nil
-}
-
-func connectPipe(p *win32File) error {
-	c, err := p.prepareIo()
-	if err != nil {
-		return err
-	}
-	defer p.wg.Done()
-
-	err = connectNamedPipe(p.handle, &c.o)
-	_, err = p.asyncIo(c, nil, 0, err)
-	if err != nil && err != windows.ERROR_PIPE_CONNECTED {
-		return err
-	}
-	return nil
-}
-
-func (l *win32PipeListener) Accept() (net.Conn, error) {
-	ch := make(chan acceptResponse)
-	select {
-	case l.acceptCh <- ch:
-		response := <-ch
-		err := response.err
-		if err != nil {
-			return nil, err
-		}
-		if l.config.MessageMode {
-			return &win32MessageBytePipe{
-				win32Pipe: win32Pipe{win32File: response.f, path: l.path},
-			}, nil
-		}
-		return &win32Pipe{win32File: response.f, path: l.path}, nil
-	case <-l.doneCh:
-		return nil, ErrPipeListenerClosed
-	}
-}
-
-func (l *win32PipeListener) Close() error {
-	select {
-	case l.closeCh <- 1:
-		<-l.doneCh
-	case <-l.doneCh:
-	}
-	return nil
-}
-
-func (l *win32PipeListener) Addr() net.Addr {
-	return pipeAddress(l.path)
-}
--- a/ipc/winpipe/zsyscall_windows.go
+++ b/ipc/winpipe/zsyscall_windows.go
@@ -1,238 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package winpipe
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return nil
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
-	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
-	modws2_32   = windows.NewLazySystemDLL("ws2_32.dll")
-
-	procConnectNamedPipe                   = modkernel32.NewProc("ConnectNamedPipe")
-	procCreateNamedPipeW                   = modkernel32.NewProc("CreateNamedPipeW")
-	procCreateFileW                        = modkernel32.NewProc("CreateFileW")
-	procGetNamedPipeInfo                   = modkernel32.NewProc("GetNamedPipeInfo")
-	procGetNamedPipeHandleStateW           = modkernel32.NewProc("GetNamedPipeHandleStateW")
-	procLocalAlloc                         = modkernel32.NewProc("LocalAlloc")
-	procNtCreateNamedPipeFile              = modntdll.NewProc("NtCreateNamedPipeFile")
-	procRtlNtStatusToDosErrorNoTeb         = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
-	procRtlDosPathNameToNtPathName_U       = modntdll.NewProc("RtlDosPathNameToNtPathName_U")
-	procRtlDefaultNpAcl                    = modntdll.NewProc("RtlDefaultNpAcl")
-	procCancelIoEx                         = modkernel32.NewProc("CancelIoEx")
-	procCreateIoCompletionPort             = modkernel32.NewProc("CreateIoCompletionPort")
-	procGetQueuedCompletionStatus          = modkernel32.NewProc("GetQueuedCompletionStatus")
-	procSetFileCompletionNotificationModes = modkernel32.NewProc("SetFileCompletionNotificationModes")
-	procWSAGetOverlappedResult             = modws2_32.NewProc("WSAGetOverlappedResult")
-)
-
-func connectNamedPipe(pipe windows.Handle, o *windows.Overlapped) (err error) {
-	r1, _, e1 := syscall.Syscall(procConnectNamedPipe.Addr(), 2, uintptr(pipe), uintptr(unsafe.Pointer(o)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *windows.SecurityAttributes) (handle windows.Handle, err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(name)
-	if err != nil {
-		return
-	}
-	return _createNamedPipe(_p0, flags, pipeMode, maxInstances, outSize, inSize, defaultTimeout, sa)
-}
-
-func _createNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *windows.SecurityAttributes) (handle windows.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(flags), uintptr(pipeMode), uintptr(maxInstances), uintptr(outSize), uintptr(inSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0)
-	handle = windows.Handle(r0)
-	if handle == windows.InvalidHandle {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func createFile(name string, access uint32, mode uint32, sa *windows.SecurityAttributes, createmode uint32, attrs uint32, templatefile windows.Handle) (handle windows.Handle, err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(name)
-	if err != nil {
-		return
-	}
-	return _createFile(_p0, access, mode, sa, createmode, attrs, templatefile)
-}
-
-func _createFile(name *uint16, access uint32, mode uint32, sa *windows.SecurityAttributes, createmode uint32, attrs uint32, templatefile windows.Handle) (handle windows.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
-	handle = windows.Handle(r0)
-	if handle == windows.InvalidHandle {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func getNamedPipeInfo(pipe windows.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procGetNamedPipeInfo.Addr(), 5, uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), uintptr(unsafe.Pointer(maxInstances)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func getNamedPipeHandleState(pipe windows.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) {
-	r1, _, e1 := syscall.Syscall9(procGetNamedPipeHandleStateW.Addr(), 7, uintptr(pipe), uintptr(unsafe.Pointer(state)), uintptr(unsafe.Pointer(curInstances)), uintptr(unsafe.Pointer(maxCollectionCount)), uintptr(unsafe.Pointer(collectDataTimeout)), uintptr(unsafe.Pointer(userName)), uintptr(maxUserNameSize), 0, 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func localAlloc(uFlags uint32, length uint32) (ptr uintptr) {
-	r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(uFlags), uintptr(length), 0)
-	ptr = uintptr(r0)
-	return
-}
-
-func ntCreateNamedPipeFile(pipe *windows.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) {
-	r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0)
-	status = ntstatus(r0)
-	return
-}
-
-func rtlNtStatusToDosError(status ntstatus) (winerr error) {
-	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
-	if r0 != 0 {
-		winerr = syscall.Errno(r0)
-	}
-	return
-}
-
-func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) {
-	r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0)
-	status = ntstatus(r0)
-	return
-}
-
-func rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) {
-	r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0)
-	status = ntstatus(r0)
-	return
-}
-
-func cancelIoEx(file windows.Handle, o *windows.Overlapped) (err error) {
-	r1, _, e1 := syscall.Syscall(procCancelIoEx.Addr(), 2, uintptr(file), uintptr(unsafe.Pointer(o)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func createIoCompletionPort(file windows.Handle, port windows.Handle, key uintptr, threadCount uint32) (newport windows.Handle, err error) {
-	r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0)
-	newport = windows.Handle(r0)
-	if newport == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func getQueuedCompletionStatus(port windows.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procGetQueuedCompletionStatus.Addr(), 5, uintptr(port), uintptr(unsafe.Pointer(bytes)), uintptr(unsafe.Pointer(key)), uintptr(unsafe.Pointer(o)), uintptr(timeout), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func setFileCompletionNotificationModes(h windows.Handle, flags uint8) (err error) {
-	r1, _, e1 := syscall.Syscall(procSetFileCompletionNotificationModes.Addr(), 2, uintptr(h), uintptr(flags), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func wsaGetOverlappedResult(h windows.Handle, o *windows.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) {
-	var _p0 uint32
-	if wait {
-		_p0 = 1
-	} else {
-		_p0 = 0
-	}
-	r1, _, e1 := syscall.Syscall6(procWSAGetOverlappedResult.Addr(), 5, uintptr(h), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(bytes)), uintptr(_p0), uintptr(unsafe.Pointer(flags)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
--- a/main.go
+++ b/main.go
@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows

 /* SPDX-License-Identifier: MIT
 *
@@ -15,6 +15,7 @@ import (
 	"strconv"
 	"syscall"

+	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
@@ -32,25 +33,28 @@ const (
 )

 func printUsage() {
-	fmt.Printf("usage:\n")
-	fmt.Printf("%s [-f/--foreground] INTERFACE-NAME\n", os.Args[0])
+	fmt.Printf("Usage: %s [-f/--foreground] INTERFACE-NAME\n", os.Args[0])
 }

 func warning() {
-	if runtime.GOOS != "linux" || os.Getenv(ENV_WG_PROCESS_FOREGROUND) == "1" {
+	switch runtime.GOOS {
+	case "linux", "freebsd", "openbsd":
+		if os.Getenv(ENV_WG_PROCESS_FOREGROUND) == "1" {
+			return
+		}
+	default:
 		return
 	}

-	fmt.Fprintln(os.Stderr, "┌───────────────────────────────────────────────────┐")
-	fmt.Fprintln(os.Stderr, "│                                                   │")
-	fmt.Fprintln(os.Stderr, "│   Running this software on Linux is unnecessary,  │")
-	fmt.Fprintln(os.Stderr, "│   because the Linux kernel has built-in first     │")
-	fmt.Fprintln(os.Stderr, "│   class support for WireGuard, which will be      │")
-	fmt.Fprintln(os.Stderr, "│   faster, slicker, and better integrated. For     │")
-	fmt.Fprintln(os.Stderr, "│   information on installing the kernel module,    │")
-	fmt.Fprintln(os.Stderr, "│   please visit: <https://wireguard.com/install>.  │")
-	fmt.Fprintln(os.Stderr, "│                                                   │")
-	fmt.Fprintln(os.Stderr, "└───────────────────────────────────────────────────┘")
+	fmt.Fprintln(os.Stderr, "┌──────────────────────────────────────────────────────┐")
+	fmt.Fprintln(os.Stderr, "│                                                      │")
+	fmt.Fprintln(os.Stderr, "│   Running wireguard-go is not required because this  │")
+	fmt.Fprintln(os.Stderr, "│   kernel has first class support for WireGuard. For  │")
+	fmt.Fprintln(os.Stderr, "│   information on installing the kernel module,       │")
+	fmt.Fprintln(os.Stderr, "│   please visit:                                      │")
+	fmt.Fprintln(os.Stderr, "│         https://www.wireguard.com/install/           │")
+	fmt.Fprintln(os.Stderr, "│                                                      │")
+	fmt.Fprintln(os.Stderr, "└──────────────────────────────────────────────────────┘")
 }

 func main() {
@@ -165,7 +169,6 @@ func main() {

 		return os.NewFile(uintptr(fd), ""), nil
 	}()
-
 	if err != nil {
 		logger.Errorf("UAPI listen error: %v", err)
 		os.Exit(ExitSetupFailed)
@@ -219,7 +222,7 @@ func main() {
 		return
 	}

-	device := device.NewDevice(tun, logger)
+	device := device.NewDevice(tun, conn.NewDefaultBind(), logger)

 	logger.Verbosef("Device started")

--- a/main_windows.go
+++ b/main_windows.go
@@ -11,6 +11,7 @@ import (
 	"os/signal"
 	"syscall"

+	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"

@@ -47,7 +48,7 @@ func main() {
 		os.Exit(ExitSetupFailed)
 	}

-	device := device.NewDevice(tun, logger)
+	device := device.NewDevice(tun, conn.NewDefaultBind(), logger)
 	err = device.Up()
 	if err != nil {
 		logger.Errorf("Failed to bring up device: %v", err)
--- a/ratelimiter/ratelimiter.go
+++ b/ratelimiter/ratelimiter.go
@@ -6,7 +6,7 @@
 package ratelimiter

 import (
-	"net"
+	"net/netip"
 	"sync"
 	"time"
 )
@@ -30,8 +30,7 @@ type Ratelimiter struct {
 	timeNow func() time.Time

 	stopReset chan struct{} // send to reset, close to stop
-	tableIPv4 map[[net.IPv4len]byte]*RatelimiterEntry
-	tableIPv6 map[[net.IPv6len]byte]*RatelimiterEntry
+	table     map[netip.Addr]*RatelimiterEntry
 }

 func (rate *Ratelimiter) Close() {
@@ -57,8 +56,7 @@ func (rate *Ratelimiter) Init() {
 	}

 	rate.stopReset = make(chan struct{})
-	rate.tableIPv4 = make(map[[net.IPv4len]byte]*RatelimiterEntry)
-	rate.tableIPv6 = make(map[[net.IPv6len]byte]*RatelimiterEntry)
+	rate.table = make(map[netip.Addr]*RatelimiterEntry)

 	stopReset := rate.stopReset // store in case Init is called again.

@@ -87,71 +85,39 @@ func (rate *Ratelimiter) cleanup() (empty bool) {
 	rate.mu.Lock()
 	defer rate.mu.Unlock()

-	for key, entry := range rate.tableIPv4 {
+	for key, entry := range rate.table {
 		entry.mu.Lock()
 		if rate.timeNow().Sub(entry.lastTime) > garbageCollectTime {
-			delete(rate.tableIPv4, key)
+			delete(rate.table, key)
 		}
 		entry.mu.Unlock()
 	}

-	for key, entry := range rate.tableIPv6 {
-		entry.mu.Lock()
-		if rate.timeNow().Sub(entry.lastTime) > garbageCollectTime {
-			delete(rate.tableIPv6, key)
-		}
-		entry.mu.Unlock()
-	}
-
-	return len(rate.tableIPv4) == 0 && len(rate.tableIPv6) == 0
+	return len(rate.table) == 0
 }

-func (rate *Ratelimiter) Allow(ip net.IP) bool {
+func (rate *Ratelimiter) Allow(ip netip.Addr) bool {
 	var entry *RatelimiterEntry
-	var keyIPv4 [net.IPv4len]byte
-	var keyIPv6 [net.IPv6len]byte
-
 	// lookup entry
-
-	IPv4 := ip.To4()
-	IPv6 := ip.To16()
-
 	rate.mu.RLock()
-
-	if IPv4 != nil {
-		copy(keyIPv4[:], IPv4)
-		entry = rate.tableIPv4[keyIPv4]
-	} else {
-		copy(keyIPv6[:], IPv6)
-		entry = rate.tableIPv6[keyIPv6]
-	}
-
+	entry = rate.table[ip]
 	rate.mu.RUnlock()

 	// make new entry if not found
-
 	if entry == nil {
 		entry = new(RatelimiterEntry)
 		entry.tokens = maxTokens - packetCost
 		entry.lastTime = rate.timeNow()
 		rate.mu.Lock()
-		if IPv4 != nil {
-			rate.tableIPv4[keyIPv4] = entry
-			if len(rate.tableIPv4) == 1 && len(rate.tableIPv6) == 0 {
-				rate.stopReset <- struct{}{}
-			}
-		} else {
-			rate.tableIPv6[keyIPv6] = entry
-			if len(rate.tableIPv6) == 1 && len(rate.tableIPv4) == 0 {
-				rate.stopReset <- struct{}{}
-			}
+		rate.table[ip] = entry
+		if len(rate.table) == 1 {
+			rate.stopReset <- struct{}{}
 		}
 		rate.mu.Unlock()
 		return true
 	}

 	// add tokens to entry
-
 	entry.mu.Lock()
 	now := rate.timeNow()
 	entry.tokens += now.Sub(entry.lastTime).Nanoseconds()
@@ -161,7 +127,6 @@ func (rate *Ratelimiter) Allow(ip net.IP) bool {
 	}

 	// subtract cost of packet
-
 	if entry.tokens > packetCost {
 		entry.tokens -= packetCost
 		entry.mu.Unlock()
--- a/ratelimiter/ratelimiter_test.go
+++ b/ratelimiter/ratelimiter_test.go
@@ -6,7 +6,7 @@
 package ratelimiter

 import (
-	"net"
+	"net/netip"
 	"testing"
 	"time"
 )
@@ -71,21 +71,21 @@ func TestRatelimiter(t *testing.T) {
 		text:    "packet following 2 packet burst",
 	})

-	ips := []net.IP{
-		net.ParseIP("127.0.0.1"),
-		net.ParseIP("192.168.1.1"),
-		net.ParseIP("172.167.2.3"),
-		net.ParseIP("97.231.252.215"),
-		net.ParseIP("248.97.91.167"),
-		net.ParseIP("188.208.233.47"),
-		net.ParseIP("104.2.183.179"),
-		net.ParseIP("72.129.46.120"),
-		net.ParseIP("2001:0db8:0a0b:12f0:0000:0000:0000:0001"),
-		net.ParseIP("f5c2:818f:c052:655a:9860:b136:6894:25f0"),
-		net.ParseIP("b2d7:15ab:48a7:b07c:a541:f144:a9fe:54fc"),
-		net.ParseIP("a47b:786e:1671:a22b:d6f9:4ab0:abc7:c918"),
-		net.ParseIP("ea1e:d155:7f7a:98fb:2bf5:9483:80f6:5445"),
-		net.ParseIP("3f0e:54a2:f5b4:cd19:a21d:58e1:3746:84c4"),
+	ips := []netip.Addr{
+		netip.MustParseAddr("127.0.0.1"),
+		netip.MustParseAddr("192.168.1.1"),
+		netip.MustParseAddr("172.167.2.3"),
+		netip.MustParseAddr("97.231.252.215"),
+		netip.MustParseAddr("248.97.91.167"),
+		netip.MustParseAddr("188.208.233.47"),
+		netip.MustParseAddr("104.2.183.179"),
+		netip.MustParseAddr("72.129.46.120"),
+		netip.MustParseAddr("2001:0db8:0a0b:12f0:0000:0000:0000:0001"),
+		netip.MustParseAddr("f5c2:818f:c052:655a:9860:b136:6894:25f0"),
+		netip.MustParseAddr("b2d7:15ab:48a7:b07c:a541:f144:a9fe:54fc"),
+		netip.MustParseAddr("a47b:786e:1671:a22b:d6f9:4ab0:abc7:c918"),
+		netip.MustParseAddr("ea1e:d155:7f7a:98fb:2bf5:9483:80f6:5445"),
+		netip.MustParseAddr("3f0e:54a2:f5b4:cd19:a21d:58e1:3746:84c4"),
 	}

 	now := time.Now()
--- a/replay/replay.go
+++ b/replay/replay.go
@@ -34,7 +34,7 @@ func (f *Filter) Reset() {

 // ValidateCounter checks if the counter should be accepted.
 // Overlimit counters (>= limit) are always rejected.
-func (f *Filter) ValidateCounter(counter uint64, limit uint64) bool {
+func (f *Filter) ValidateCounter(counter, limit uint64) bool {
 	if counter >= limit {
 		return false
 	}
--- a/rwcancel/fdset.go
+++ b/rwcancel/fdset.go
@@ -1,24 +0,0 @@
-// +build !windows
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package rwcancel
-
-import "golang.org/x/sys/unix"
-
-type fdSet struct {
-	unix.FdSet
-}
-
-func (fdset *fdSet) set(i int) {
-	bits := 32 << (^uint(0) >> 63)
-	fdset.Bits[i/bits] |= 1 << uint(i%bits)
-}
-
-func (fdset *fdSet) check(i int) bool {
-	bits := 32 << (^uint(0) >> 63)
-	return (fdset.Bits[i/bits] & (1 << uint(i%bits))) != 0
-}
--- a/rwcancel/rwcancel.go
+++ b/rwcancel/rwcancel.go
@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows && !js

 /* SPDX-License-Identifier: MIT
 *
@@ -17,13 +17,6 @@ import (
 	"golang.org/x/sys/unix"
 )

-func max(a, b int) int {
-	if a > b {
-		return a
-	}
-	return b
-}
-
 type RWCancel struct {
 	fd            int
 	closingReader *os.File
@@ -50,13 +43,12 @@ func RetryAfterError(err error) bool {
 }

 func (rw *RWCancel) ReadyRead() bool {
-	closeFd := int(rw.closingReader.Fd())
-	fdset := fdSet{}
-	fdset.set(rw.fd)
-	fdset.set(closeFd)
+	closeFd := int32(rw.closingReader.Fd())
+
+	pollFds := []unix.PollFd{{Fd: int32(rw.fd), Events: unix.POLLIN}, {Fd: closeFd, Events: unix.POLLIN}}
 	var err error
 	for {
-		err = unixSelect(max(rw.fd, closeFd)+1, &fdset.FdSet, nil, nil, nil)
+		_, err = unix.Poll(pollFds, -1)
 		if err == nil || !RetryAfterError(err) {
 			break
 		}
@@ -64,20 +56,18 @@ func (rw *RWCancel) ReadyRead() bool {
 	if err != nil {
 		return false
 	}
-	if fdset.check(closeFd) {
+	if pollFds[1].Revents != 0 {
 		return false
 	}
-	return fdset.check(rw.fd)
+	return pollFds[0].Revents != 0
 }

 func (rw *RWCancel) ReadyWrite() bool {
-	closeFd := int(rw.closingReader.Fd())
-	fdset := fdSet{}
-	fdset.set(rw.fd)
-	fdset.set(closeFd)
+	closeFd := int32(rw.closingReader.Fd())
+	pollFds := []unix.PollFd{{Fd: int32(rw.fd), Events: unix.POLLOUT}, {Fd: closeFd, Events: unix.POLLOUT}}
 	var err error
 	for {
-		err = unixSelect(max(rw.fd, closeFd)+1, nil, &fdset.FdSet, nil, nil)
+		_, err = unix.Poll(pollFds, -1)
 		if err == nil || !RetryAfterError(err) {
 			break
 		}
@@ -85,10 +75,11 @@ func (rw *RWCancel) ReadyWrite() bool {
 	if err != nil {
 		return false
 	}
-	if fdset.check(closeFd) {
+
+	if pollFds[1].Revents != 0 {
 		return false
 	}
-	return fdset.check(rw.fd)
+	return pollFds[0].Revents != 0
 }

 func (rw *RWCancel) Read(p []byte) (n int, err error) {
@@ -98,7 +89,7 @@ func (rw *RWCancel) Read(p []byte) (n int, err error) {
 			return n, err
 		}
 		if !rw.ReadyRead() {
-			return 0, errors.New("fd closed")
+			return 0, os.ErrClosed
 		}
 	}
 }
@@ -110,7 +101,7 @@ func (rw *RWCancel) Write(p []byte) (n int, err error) {
 			return n, err
 		}
 		if !rw.ReadyWrite() {
-			return 0, errors.New("fd closed")
+			return 0, os.ErrClosed
 		}
 	}
 }
--- a/rwcancel/rwcancel_windows.go
+++ b/rwcancel/rwcancel_windows.go
@@ -1,8 +1,9 @@
+//go:build windows || js
+
 // SPDX-License-Identifier: MIT

 package rwcancel

-type RWCancel struct {
-}
+type RWCancel struct{}

 func (*RWCancel) Cancel() {}
--- a/rwcancel/select_default.go
+++ b/rwcancel/select_default.go
@@ -1,15 +0,0 @@
-// +build !linux,!windows
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package rwcancel
-
-import "golang.org/x/sys/unix"
-
-func unixSelect(nfd int, r *unix.FdSet, w *unix.FdSet, e *unix.FdSet, timeout *unix.Timeval) error {
-	_, err := unix.Select(nfd, r, w, e, timeout)
-	return err
-}
--- a/rwcancel/select_linux.go
+++ b/rwcancel/select_linux.go
@@ -1,13 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package rwcancel
-
-import "golang.org/x/sys/unix"
-
-func unixSelect(nfd int, r *unix.FdSet, w *unix.FdSet, e *unix.FdSet, timeout *unix.Timeval) (err error) {
-	_, err = unix.Select(nfd, r, w, e, timeout)
-	return
-}
--- a/tai64n/tai64n.go
+++ b/tai64n/tai64n.go
@@ -11,9 +11,11 @@ import (
 	"time"
 )

-const TimestampSize = 12
-const base = uint64(0x400000000000000a)
-const whitenerMask = uint32(0x1000000 - 1)
+const (
+	TimestampSize = 12
+	base          = uint64(0x400000000000000a)
+	whitenerMask  = uint32(0x1000000 - 1)
+)

 type Timestamp [TimestampSize]byte

--- a/tun/alignment_windows_test.go
+++ b/tun/alignment_windows_test.go
@@ -0,0 +1,67 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package tun
+
+import (
+	"reflect"
+	"testing"
+	"unsafe"
+)
+
+func checkAlignment(t *testing.T, name string, offset uintptr) {
+	t.Helper()
+	if offset%8 != 0 {
+		t.Errorf("offset of %q within struct is %d bytes, which does not align to 64-bit word boundaries (missing %d bytes). Atomic operations will crash on 32-bit systems.", name, offset, 8-(offset%8))
+	}
+}
+
+// TestRateJugglerAlignment checks that atomically-accessed fields are
+// aligned to 64-bit boundaries, as required by the atomic package.
+//
+// Unfortunately, violating this rule on 32-bit platforms results in a
+// hard segfault at runtime.
+func TestRateJugglerAlignment(t *testing.T) {
+	var r rateJuggler
+
+	typ := reflect.TypeOf(&r).Elem()
+	t.Logf("Peer type size: %d, with fields:", typ.Size())
+	for i := 0; i < typ.NumField(); i++ {
+		field := typ.Field(i)
+		t.Logf("\t%30s\toffset=%3v\t(type size=%3d, align=%d)",
+			field.Name,
+			field.Offset,
+			field.Type.Size(),
+			field.Type.Align(),
+		)
+	}
+
+	checkAlignment(t, "rateJuggler.current", unsafe.Offsetof(r.current))
+	checkAlignment(t, "rateJuggler.nextByteCount", unsafe.Offsetof(r.nextByteCount))
+	checkAlignment(t, "rateJuggler.nextStartTime", unsafe.Offsetof(r.nextStartTime))
+}
+
+// TestNativeTunAlignment checks that atomically-accessed fields are
+// aligned to 64-bit boundaries, as required by the atomic package.
+//
+// Unfortunately, violating this rule on 32-bit platforms results in a
+// hard segfault at runtime.
+func TestNativeTunAlignment(t *testing.T) {
+	var tun NativeTun
+
+	typ := reflect.TypeOf(&tun).Elem()
+	t.Logf("Peer type size: %d, with fields:", typ.Size())
+	for i := 0; i < typ.NumField(); i++ {
+		field := typ.Field(i)
+		t.Logf("\t%30s\toffset=%3v\t(type size=%3d, align=%d)",
+			field.Name,
+			field.Offset,
+			field.Type.Size(),
+			field.Type.Align(),
+		)
+	}
+
+	checkAlignment(t, "NativeTun.rate", unsafe.Offsetof(tun.rate))
+}
--- a/tun/netstack/examples/http_client.go
+++ b/tun/netstack/examples/http_client.go
@@ -1,3 +1,4 @@
+//go:build ignore
 // +build ignore

 /* SPDX-License-Identifier: MIT
@@ -10,22 +11,23 @@ package main
 import (
 	"io"
 	"log"
-	"net"
 	"net/http"
+	"net/netip"

+	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 )

 func main() {
 	tun, tnet, err := netstack.CreateNetTUN(
-		[]net.IP{net.ParseIP("192.168.4.29")},
-		[]net.IP{net.ParseIP("8.8.8.8")},
+		[]netip.Addr{netip.MustParseAddr("192.168.4.29")},
+		[]netip.Addr{netip.MustParseAddr("8.8.8.8")},
 		1420)
 	if err != nil {
 		log.Panic(err)
 	}
-	dev := device.NewDevice(tun, &device.Logger{log.Default(), log.Default(), log.Default()})
+	dev := device.NewDevice(tun, conn.NewDefaultBind(), device.NewLogger(device.LogLevelVerbose, ""))
 	dev.IpcSet(`private_key=a8dac1d8a70a751f0f699fb14ba1cff7b79cf4fbd8f09f44c6e6a90d0369604f
 public_key=25123c5dcd3328ff645e4f2a3fce0d754400d3887a0cb7c56f0267e20fbf3c5b
 endpoint=163.172.161.0:12912
--- a/tun/netstack/examples/http_server.go
+++ b/tun/netstack/examples/http_server.go
@@ -1,3 +1,4 @@
+//go:build ignore
 // +build ignore

 /* SPDX-License-Identifier: MIT
@@ -8,30 +9,33 @@
 package main

 import (
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun/netstack"
 	"io"
 	"log"
 	"net"
 	"net/http"
+	"net/netip"
+
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 )

 func main() {
 	tun, tnet, err := netstack.CreateNetTUN(
-		[]net.IP{net.ParseIP("192.168.4.29")},
-		[]net.IP{net.ParseIP("8.8.8.8"), net.ParseIP("8.8.4.4")},
+		[]netip.Addr{netip.MustParseAddr("192.168.4.29")},
+		[]netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("8.8.4.4")},
 		1420,
 	)
 	if err != nil {
 		log.Panic(err)
 	}
-	dev := device.NewDevice(tun, &device.Logger{log.Default(), log.Default(), log.Default()})
+	dev := device.NewDevice(tun, conn.NewDefaultBind(), device.NewLogger(device.LogLevelVerbose, ""))
 	dev.IpcSet(`private_key=a8dac1d8a70a751f0f699fb14ba1cff7b79cf4fbd8f09f44c6e6a90d0369604f
 public_key=25123c5dcd3328ff645e4f2a3fce0d754400d3887a0cb7c56f0267e20fbf3c5b
 endpoint=163.172.161.0:12912
 allowed_ip=0.0.0.0/0
 persistent_keepalive_interval=25
-    `)
+`)
 	dev.Up()
 	listener, err := tnet.ListenTCP(&net.TCPAddr{Port: 80})
 	if err != nil {
--- a/tun/netstack/examples/ping_client.go
+++ b/tun/netstack/examples/ping_client.go
@@ -0,0 +1,76 @@
+//go:build ignore
+// +build ignore
+
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package main
+
+import (
+	"bytes"
+	"log"
+	"math/rand"
+	"net/netip"
+	"time"
+
+	"golang.org/x/net/icmp"
+	"golang.org/x/net/ipv4"
+
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+)
+
+func main() {
+	tun, tnet, err := netstack.CreateNetTUN(
+		[]netip.Addr{netip.MustParseAddr("192.168.4.29")},
+		[]netip.Addr{netip.MustParseAddr("8.8.8.8")},
+		1420)
+	if err != nil {
+		log.Panic(err)
+	}
+	dev := device.NewDevice(tun, conn.NewDefaultBind(), device.NewLogger(device.LogLevelVerbose, ""))
+	dev.IpcSet(`private_key=a8dac1d8a70a751f0f699fb14ba1cff7b79cf4fbd8f09f44c6e6a90d0369604f
+public_key=25123c5dcd3328ff645e4f2a3fce0d754400d3887a0cb7c56f0267e20fbf3c5b
+endpoint=163.172.161.0:12912
+allowed_ip=0.0.0.0/0
+`)
+	err = dev.Up()
+	if err != nil {
+		log.Panic(err)
+	}
+
+	socket, err := tnet.Dial("ping4", "zx2c4.com")
+	if err != nil {
+		log.Panic(err)
+	}
+	requestPing := icmp.Echo{
+		Seq:  rand.Intn(1 << 16),
+		Data: []byte("gopher burrow"),
+	}
+	icmpBytes, _ := (&icmp.Message{Type: ipv4.ICMPTypeEcho, Code: 0, Body: &requestPing}).Marshal(nil)
+	socket.SetReadDeadline(time.Now().Add(time.Second * 10))
+	start := time.Now()
+	_, err = socket.Write(icmpBytes)
+	if err != nil {
+		log.Panic(err)
+	}
+	n, err := socket.Read(icmpBytes[:])
+	if err != nil {
+		log.Panic(err)
+	}
+	replyPacket, err := icmp.ParseMessage(1, icmpBytes[:n])
+	if err != nil {
+		log.Panic(err)
+	}
+	replyPing, ok := replyPacket.Body.(*icmp.Echo)
+	if !ok {
+		log.Panicf("invalid reply type: %v", replyPacket)
+	}
+	if !bytes.Equal(replyPing.Data, requestPing.Data) || replyPing.Seq != requestPing.Seq {
+		log.Panicf("invalid ping reply: %v", replyPing)
+	}
+	log.Printf("Ping latency: %v", time.Since(start))
+}
--- a/tun/netstack/go.mod
+++ b/tun/netstack/go.mod
@@ -1,9 +1,17 @@
 module golang.zx2c4.com/wireguard/tun/netstack

-go 1.15
+go 1.18

 require (
-	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
-	golang.zx2c4.com/wireguard v0.0.20201118
-	gvisor.dev/gvisor v0.0.0-20210109011639-2fb7a49fea98
+	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
+	golang.zx2c4.com/wireguard v0.0.0-20220316235147-5aff28b14c24
+	gvisor.dev/gvisor v0.0.0-20211020211948-f76a604701b6
+)
+
+require (
+	github.com/google/btree v1.0.1 // indirect
+	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
+	golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86 // indirect
+	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
+	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 )
--- a/tun/netstack/go.sum
+++ b/tun/netstack/go.sum
@@ -6,217 +6,572 @@ cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6A
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.52.1-0.20200122224058-0482b626c726/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
+cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
+cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
+cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
+cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
+cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
+cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
 github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
+github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
 github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
 github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
 github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
+github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Microsoft/go-winio v0.4.15-0.20200908182639-5b44b70ab3ab/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
+github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
+github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
+github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
+github.com/bazelbuild/rules_go v0.27.0/go.mod h1:MC23Dc/wkXEyk3Wpq6lCqz0ZAYOZDw2DR5y3N1q2i7M=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
+github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
+github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
+github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
+github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
+github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
+github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422/go.mod h1:b6Nc7NRH5C4aCISLry0tLnTjcuTEvoiqcWDdsU0sOGM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
+github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
+github.com/containerd/btrfs v1.0.0/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss=
+github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI=
+github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM=
 github.com/containerd/cgroups v0.0.0-20201119153540-4cbc285b3327/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE=
+github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
+github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
 github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
+github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
+github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.3.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/continuity v0.0.0-20200928162600-f2cc35102c2a/go.mod h1:W0qIOTD7mp2He++YVq+kgfXezRYqzP1uDuMVH1bITDY=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM=
+github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
+github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
 github.com/containerd/fifo v0.0.0-20191213151349-ff969a566b00/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
+github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk=
+github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
+github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
 github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g=
-github.com/containerd/ttrpc v0.0.0-20200121165050-0be804eadb15/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/imgcrypt v1.0.3/go.mod h1:v4X3p/H0lzcvVE0r7whbRYjYuK9Y2KEJnL08tXT63Is=
+github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
+github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
+github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
 github.com/containerd/typeurl v0.0.0-20200205145503-b45ef1f1f737/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containernetworking/plugins v0.8.7/go.mod h1:R7lXeZaBzpfqapcAbHRW8/CYwm0dHzbz0XEjofx0uB0=
+github.com/containers/ocicrypt v1.0.3/go.mod h1:CUBa+8MRNL/VkpxYIpaMtgn1WgXGyvPQj8jcy0EVG6g=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
 github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
+github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
+github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
+github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
+github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v1.4.2-0.20191028175130-9e7d5ac5ea55/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/dpjacques/clockwork v0.1.1-0.20200827220843-c1f524b839be/go.mod h1:D8mP2A8vVT2GkXqPorSBmhnshhkFBYgzhA90KmJt25Y=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
+github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/spec v0.19.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
+github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/flock v0.6.1-0.20180915234121-886344bea079/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
-github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
+github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
+github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
+github.com/gogo/googleapis v1.4.1/go.mod h1:2lpHqI5OcWCtVElxXnPt+s8oJvMpySlOyM6xDCrzib4=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3-0.20201020212313-ab46b8bd0abd/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-github/v28 v28.1.2-0.20191108005307-e555eab49ce8/go.mod h1:g82e6OHbJ0WYrYeOrid1MMfHAtqjxBz+N74tfAt9KrQ=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-github/v32 v32.1.0/go.mod h1:rIEpZD9CTDQwDK9GDrtMTycQNA4JU3qBsCizh3q2WCI=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210423192551-a2663126120b/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/subcommands v1.0.2-0.20190508160503-636abe8753b8/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/googleapis/gnostic v0.4.0/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
 github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
+github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
+github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho=
 github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a/go.mod h1:M1qoD/MqPgTZIk0EWKB38wE28ACRfVcn+cU08jyArI0=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
+github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
+github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
+github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
+github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
+github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
+github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
+github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
+github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
+github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc90/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.0.2-0.20181111125026-1722abf79c2f/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
+github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
+github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
+github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
+github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
+github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
+github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
+github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
+github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
 github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
-github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
+github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
+github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
+github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
+go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
+go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -225,45 +580,96 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -272,32 +678,74 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201117222635-ba5294a509c7 h1:s330+6z/Ko3J0o6rvOcwXe5nzs7UT9tLKHoOXYn6uE0=
-golang.org/x/sys v0.0.0-20201117222635-ba5294a509c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210314195730-07df6a141424/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86 h1:A9i04dxx7Cribqbs8jf3FQLogkL/CV2YN7hj9KWJCkc=
+golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -306,35 +754,87 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20201021000207-d49c4edd7d96/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wireguard v0.0.20201118 h1:QL8y2C7uO8T6z1GY+UX/hSeWiYEBurQkXjOTRFtCvXU=
-golang.zx2c4.com/wireguard v0.0.20201118/go.mod h1:Dz+cq5bnrai9EpgYj4GDof/+qaGzbRWbeaAOs1bUYa0=
+golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
+golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
+golang.zx2c4.com/wireguard v0.0.0-20220316235147-5aff28b14c24 h1:KwsvzlnmErwMd3BXoBSEuL8qU72QxFM/uOUAgZmavRc=
+golang.zx2c4.com/wireguard v0.0.0-20220316235147-5aff28b14c24/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
+google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
+google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
+google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
+google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
+google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
+google.golang.org/api v0.42.0/go.mod h1:+Oj4s6ch2SEGtPjGqfUfZonBH0GjQH89gTeKKAEGZKI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -343,49 +843,131 @@ google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
+google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210312152112-fc591d9ea70f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
+google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.39.0-dev.0.20210518002758-2713b77e8526/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.1-0.20201020201750-d3470999428b/go.mod h1:hFxJC2f0epmp1elRCiEGJTKAWbwxZ2nvqZdHl3FQXCY=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-gvisor.dev/gvisor v0.0.0-20210109011639-2fb7a49fea98 h1:qDiV0V69AVoFfU6AiE1UgpLUorGJrIxSM/P4tgkF8oc=
-gvisor.dev/gvisor v0.0.0-20210109011639-2fb7a49fea98/go.mod h1:5DEMKRjYDiM24fvDUWPjBpABm9ROMcv/kEcox3fHtm0=
+gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
+gvisor.dev/gvisor v0.0.0-20211020211948-f76a604701b6 h1:lgV5mAyX6S2EZAkZcvFkAs18WZ7yJbRzEv/PCH8iSlw=
+gvisor.dev/gvisor v0.0.0-20211020211948-f76a604701b6/go.mod h1:m1RK/gef4nU1CWOFscQWVk7iUgGH2Hz9Ee+lgeCzOBo=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.1.1/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
 k8s.io/api v0.16.13/go.mod h1:QWu8UWSTiuQZMMeYjwLs6ILu5O74qKSJ0c+4vrchDxs=
 k8s.io/apimachinery v0.16.13/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
 k8s.io/apimachinery v0.16.14-rc.0/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
 k8s.io/client-go v0.16.13/go.mod h1:UKvVT4cajC2iN7DCjLgT0KVY/cbY6DGdUCyRiIfws5M=
+k8s.io/component-base v0.16.13/go.mod h1:cNe9ZU2A6tqBG0gPQ4/T/KolI9Cv2NA1+7uvmkA7Cyc=
+k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/kube-openapi v0.0.0-20200410163147-594e756bea31/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/tun/netstack/tun.go
+++ b/tun/netstack/tun.go
@@ -13,7 +13,9 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -28,8 +30,10 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
+	"gvisor.dev/gvisor/pkg/tcpip/transport/icmp"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
+	"gvisor.dev/gvisor/pkg/waiter"
 )

 type netTun struct {
@@ -38,11 +42,14 @@ type netTun struct {
 	events         chan tun.Event
 	incomingPacket chan buffer.VectorisedView
 	mtu            int
-	dnsServers     []net.IP
+	dnsServers     []netip.Addr
 	hasV4, hasV6   bool
 }
-type endpoint netTun
-type Net netTun
+
+type (
+	endpoint netTun
+	Net      netTun
+)

 func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
 	e.dispatcher = dispatcher
@@ -74,12 +81,16 @@ func (*endpoint) LinkAddress() tcpip.LinkAddress {

 func (*endpoint) Wait() {}

-func (e *endpoint) WritePacket(_ *stack.Route, _ *stack.GSO, protocol tcpip.NetworkProtocolNumber, pkt *stack.PacketBuffer) *tcpip.Error {
+func (e *endpoint) WritePacket(_ stack.RouteInfo, _ tcpip.NetworkProtocolNumber, pkt *stack.PacketBuffer) tcpip.Error {
 	e.incomingPacket <- buffer.NewVectorisedView(pkt.Size(), pkt.Views())
 	return nil
 }

-func (e *endpoint) WritePackets(*stack.Route, *stack.GSO, stack.PacketBufferList, tcpip.NetworkProtocolNumber) (int, *tcpip.Error) {
+func (e *endpoint) WritePackets(stack.RouteInfo, stack.PacketBufferList, tcpip.NetworkProtocolNumber) (int, tcpip.Error) {
+	panic("not implemented")
+}
+
+func (e *endpoint) WriteRawPacket(*stack.PacketBuffer) tcpip.Error {
 	panic("not implemented")
 }

@@ -87,13 +98,13 @@ func (*endpoint) ARPHardwareType() header.ARPHardwareType {
 	return header.ARPHardwareNone
 }

-func (e *endpoint) AddHeader(local, remote tcpip.LinkAddress, protocol tcpip.NetworkProtocolNumber, pkt *stack.PacketBuffer) {
+func (e *endpoint) AddHeader(tcpip.LinkAddress, tcpip.LinkAddress, tcpip.NetworkProtocolNumber, *stack.PacketBuffer) {
 }

-func CreateNetTUN(localAddresses []net.IP, dnsServers []net.IP, mtu int) (tun.Device, *Net, error) {
+func CreateNetTUN(localAddresses, dnsServers []netip.Addr, mtu int) (tun.Device, *Net, error) {
 	opts := stack.Options{
 		NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol},
-		TransportProtocols: []stack.TransportProtocolFactory{tcp.NewProtocol, udp.NewProtocol},
+		TransportProtocols: []stack.TransportProtocolFactory{tcp.NewProtocol, udp.NewProtocol, icmp.NewProtocol6, icmp.NewProtocol4},
 		HandleLocal:        true,
 	}
 	dev := &netTun{
@@ -108,17 +119,23 @@ func CreateNetTUN(localAddresses []net.IP, dnsServers []net.IP, mtu int) (tun.De
 		return nil, nil, fmt.Errorf("CreateNIC: %v", tcpipErr)
 	}
 	for _, ip := range localAddresses {
-		if ip4 := ip.To4(); ip4 != nil {
-			tcpipErr = dev.stack.AddAddress(1, ipv4.ProtocolNumber, tcpip.Address(ip4))
-			if tcpipErr != nil {
-				return nil, nil, fmt.Errorf("AddAddress(%v): %v", ip4, tcpipErr)
-			}
+		var protoNumber tcpip.NetworkProtocolNumber
+		if ip.Is4() {
+			protoNumber = ipv4.ProtocolNumber
+		} else if ip.Is6() {
+			protoNumber = ipv6.ProtocolNumber
+		}
+		protoAddr := tcpip.ProtocolAddress{
+			Protocol:          protoNumber,
+			AddressWithPrefix: tcpip.Address(ip.AsSlice()).WithPrefix(),
+		}
+		tcpipErr := dev.stack.AddProtocolAddress(1, protoAddr, stack.AddressProperties{})
+		if tcpipErr != nil {
+			return nil, nil, fmt.Errorf("AddProtocolAddress(%v): %v", ip, tcpipErr)
+		}
+		if ip.Is4() {
 			dev.hasV4 = true
-		} else {
-			tcpipErr = dev.stack.AddAddress(1, ipv6.ProtocolNumber, tcpip.Address(ip))
-			if tcpipErr != nil {
-				return nil, nil, fmt.Errorf("AddAddress(%v): %v", ip4, tcpipErr)
-			}
+		} else if ip.Is6() {
 			dev.hasV6 = true
 		}
 	}
@@ -190,62 +207,291 @@ func (tun *netTun) MTU() (int, error) {
 	return tun.mtu, nil
 }

-func convertToFullAddr(ip net.IP, port int) (tcpip.FullAddress, tcpip.NetworkProtocolNumber) {
-	if ip4 := ip.To4(); ip4 != nil {
-		return tcpip.FullAddress{
-			NIC:  1,
-			Addr: tcpip.Address(ip4),
-			Port: uint16(port),
-		}, ipv4.ProtocolNumber
+func convertToFullAddr(endpoint netip.AddrPort) (tcpip.FullAddress, tcpip.NetworkProtocolNumber) {
+	var protoNumber tcpip.NetworkProtocolNumber
+	if endpoint.Addr().Is4() {
+		protoNumber = ipv4.ProtocolNumber
 	} else {
-		return tcpip.FullAddress{
-			NIC:  1,
-			Addr: tcpip.Address(ip),
-			Port: uint16(port),
-		}, ipv6.ProtocolNumber
+		protoNumber = ipv6.ProtocolNumber
 	}
+	return tcpip.FullAddress{
+		NIC:  1,
+		Addr: tcpip.Address(endpoint.Addr().AsSlice()),
+		Port: endpoint.Port(),
+	}, protoNumber
+}
+
+func (net *Net) DialContextTCPAddrPort(ctx context.Context, addr netip.AddrPort) (*gonet.TCPConn, error) {
+	fa, pn := convertToFullAddr(addr)
+	return gonet.DialContextTCP(ctx, net.stack, fa, pn)
 }

 func (net *Net) DialContextTCP(ctx context.Context, addr *net.TCPAddr) (*gonet.TCPConn, error) {
 	if addr == nil {
-		panic("todo: deal with auto addr semantics for nil addr")
+		return net.DialContextTCPAddrPort(ctx, netip.AddrPort{})
 	}
-	fa, pn := convertToFullAddr(addr.IP, addr.Port)
-	return gonet.DialContextTCP(ctx, net.stack, fa, pn)
+	ip, _ := netip.AddrFromSlice(addr.IP)
+	return net.DialContextTCPAddrPort(ctx, netip.AddrPortFrom(ip, uint16(addr.Port)))
+}
+
+func (net *Net) DialTCPAddrPort(addr netip.AddrPort) (*gonet.TCPConn, error) {
+	fa, pn := convertToFullAddr(addr)
+	return gonet.DialTCP(net.stack, fa, pn)
 }

 func (net *Net) DialTCP(addr *net.TCPAddr) (*gonet.TCPConn, error) {
 	if addr == nil {
-		panic("todo: deal with auto addr semantics for nil addr")
+		return net.DialTCPAddrPort(netip.AddrPort{})
 	}
-	fa, pn := convertToFullAddr(addr.IP, addr.Port)
-	return gonet.DialTCP(net.stack, fa, pn)
+	ip, _ := netip.AddrFromSlice(addr.IP)
+	return net.DialTCPAddrPort(netip.AddrPortFrom(ip, uint16(addr.Port)))
+}
+
+func (net *Net) ListenTCPAddrPort(addr netip.AddrPort) (*gonet.TCPListener, error) {
+	fa, pn := convertToFullAddr(addr)
+	return gonet.ListenTCP(net.stack, fa, pn)
 }

 func (net *Net) ListenTCP(addr *net.TCPAddr) (*gonet.TCPListener, error) {
 	if addr == nil {
-		panic("todo: deal with auto addr semantics for nil addr")
+		return net.ListenTCPAddrPort(netip.AddrPort{})
 	}
-	fa, pn := convertToFullAddr(addr.IP, addr.Port)
-	return gonet.ListenTCP(net.stack, fa, pn)
+	ip, _ := netip.AddrFromSlice(addr.IP)
+	return net.ListenTCPAddrPort(netip.AddrPortFrom(ip, uint16(addr.Port)))
 }

-func (net *Net) DialUDP(laddr, raddr *net.UDPAddr) (*gonet.UDPConn, error) {
+func (net *Net) DialUDPAddrPort(laddr, raddr netip.AddrPort) (*gonet.UDPConn, error) {
 	var lfa, rfa *tcpip.FullAddress
 	var pn tcpip.NetworkProtocolNumber
-	if laddr != nil {
+	if laddr.IsValid() || laddr.Port() > 0 {
 		var addr tcpip.FullAddress
-		addr, pn = convertToFullAddr(laddr.IP, laddr.Port)
+		addr, pn = convertToFullAddr(laddr)
 		lfa = &addr
 	}
-	if raddr != nil {
+	if raddr.IsValid() || raddr.Port() > 0 {
 		var addr tcpip.FullAddress
-		addr, pn = convertToFullAddr(raddr.IP, raddr.Port)
+		addr, pn = convertToFullAddr(raddr)
 		rfa = &addr
 	}
 	return gonet.DialUDP(net.stack, lfa, rfa, pn)
 }

+func (net *Net) ListenUDPAddrPort(laddr netip.AddrPort) (*gonet.UDPConn, error) {
+	return net.DialUDPAddrPort(laddr, netip.AddrPort{})
+}
+
+func (net *Net) DialUDP(laddr, raddr *net.UDPAddr) (*gonet.UDPConn, error) {
+	var la, ra netip.AddrPort
+	if laddr != nil {
+		ip, _ := netip.AddrFromSlice(laddr.IP)
+		la = netip.AddrPortFrom(ip, uint16(laddr.Port))
+	}
+	if raddr != nil {
+		ip, _ := netip.AddrFromSlice(raddr.IP)
+		ra = netip.AddrPortFrom(ip, uint16(raddr.Port))
+	}
+	return net.DialUDPAddrPort(la, ra)
+}
+
+func (net *Net) ListenUDP(laddr *net.UDPAddr) (*gonet.UDPConn, error) {
+	return net.DialUDP(laddr, nil)
+}
+
+type PingConn struct {
+	laddr    PingAddr
+	raddr    PingAddr
+	wq       waiter.Queue
+	ep       tcpip.Endpoint
+	deadline *time.Timer
+}
+
+type PingAddr struct{ addr netip.Addr }
+
+func (ia PingAddr) String() string {
+	return ia.addr.String()
+}
+
+func (ia PingAddr) Network() string {
+	if ia.addr.Is4() {
+		return "ping4"
+	} else if ia.addr.Is6() {
+		return "ping6"
+	}
+	return "ping"
+}
+
+func (ia PingAddr) Addr() netip.Addr {
+	return ia.addr
+}
+
+func PingAddrFromAddr(addr netip.Addr) *PingAddr {
+	return &PingAddr{addr}
+}
+
+func (net *Net) DialPingAddr(laddr, raddr netip.Addr) (*PingConn, error) {
+	if !laddr.IsValid() && !raddr.IsValid() {
+		return nil, errors.New("ping dial: invalid address")
+	}
+	v6 := laddr.Is6() || raddr.Is6()
+	bind := laddr.IsValid()
+	if !bind {
+		if v6 {
+			laddr = netip.IPv6Unspecified()
+		} else {
+			laddr = netip.IPv4Unspecified()
+		}
+	}
+
+	tn := icmp.ProtocolNumber4
+	pn := ipv4.ProtocolNumber
+	if v6 {
+		tn = icmp.ProtocolNumber6
+		pn = ipv6.ProtocolNumber
+	}
+
+	pc := &PingConn{
+		laddr:    PingAddr{laddr},
+		deadline: time.NewTimer(time.Hour << 10),
+	}
+	pc.deadline.Stop()
+
+	ep, tcpipErr := net.stack.NewEndpoint(tn, pn, &pc.wq)
+	if tcpipErr != nil {
+		return nil, fmt.Errorf("ping socket: endpoint: %s", tcpipErr)
+	}
+	pc.ep = ep
+
+	if bind {
+		fa, _ := convertToFullAddr(netip.AddrPortFrom(laddr, 0))
+		if tcpipErr = pc.ep.Bind(fa); tcpipErr != nil {
+			return nil, fmt.Errorf("ping bind: %s", tcpipErr)
+		}
+	}
+
+	if raddr.IsValid() {
+		pc.raddr = PingAddr{raddr}
+		fa, _ := convertToFullAddr(netip.AddrPortFrom(raddr, 0))
+		if tcpipErr = pc.ep.Connect(fa); tcpipErr != nil {
+			return nil, fmt.Errorf("ping connect: %s", tcpipErr)
+		}
+	}
+
+	return pc, nil
+}
+
+func (net *Net) ListenPingAddr(laddr netip.Addr) (*PingConn, error) {
+	return net.DialPingAddr(laddr, netip.Addr{})
+}
+
+func (net *Net) DialPing(laddr, raddr *PingAddr) (*PingConn, error) {
+	var la, ra netip.Addr
+	if laddr != nil {
+		la = laddr.addr
+	}
+	if raddr != nil {
+		ra = raddr.addr
+	}
+	return net.DialPingAddr(la, ra)
+}
+
+func (net *Net) ListenPing(laddr *PingAddr) (*PingConn, error) {
+	var la netip.Addr
+	if laddr != nil {
+		la = laddr.addr
+	}
+	return net.ListenPingAddr(la)
+}
+
+func (pc *PingConn) LocalAddr() net.Addr {
+	return pc.laddr
+}
+
+func (pc *PingConn) RemoteAddr() net.Addr {
+	return pc.raddr
+}
+
+func (pc *PingConn) Close() error {
+	pc.deadline.Reset(0)
+	pc.ep.Close()
+	return nil
+}
+
+func (pc *PingConn) SetWriteDeadline(t time.Time) error {
+	return errors.New("not implemented")
+}
+
+func (pc *PingConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	var na netip.Addr
+	switch v := addr.(type) {
+	case *PingAddr:
+		na = v.addr
+	case *net.IPAddr:
+		na, _ = netip.AddrFromSlice(v.IP)
+	default:
+		return 0, fmt.Errorf("ping write: wrong net.Addr type")
+	}
+	if !((na.Is4() && pc.laddr.addr.Is4()) || (na.Is6() && pc.laddr.addr.Is6())) {
+		return 0, fmt.Errorf("ping write: mismatched protocols")
+	}
+
+	buf := buffer.NewViewFromBytes(p)
+	rdr := buf.Reader()
+	rfa, _ := convertToFullAddr(netip.AddrPortFrom(na, 0))
+	// won't block, no deadlines
+	n64, tcpipErr := pc.ep.Write(&rdr, tcpip.WriteOptions{
+		To: &rfa,
+	})
+	if tcpipErr != nil {
+		return int(n64), fmt.Errorf("ping write: %s", tcpipErr)
+	}
+
+	return int(n64), nil
+}
+
+func (pc *PingConn) Write(p []byte) (n int, err error) {
+	return pc.WriteTo(p, &pc.raddr)
+}
+
+func (pc *PingConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	e, notifyCh := waiter.NewChannelEntry(nil)
+	pc.wq.EventRegister(&e, waiter.EventIn)
+	defer pc.wq.EventUnregister(&e)
+
+	select {
+	case <-pc.deadline.C:
+		return 0, nil, os.ErrDeadlineExceeded
+	case <-notifyCh:
+	}
+
+	w := tcpip.SliceWriter(p)
+
+	res, tcpipErr := pc.ep.Read(&w, tcpip.ReadOptions{
+		NeedRemoteAddr: true,
+	})
+	if tcpipErr != nil {
+		return 0, nil, fmt.Errorf("ping read: %s", tcpipErr)
+	}
+
+	remoteAddr, _ := netip.AddrFromSlice([]byte(res.RemoteAddr.Addr))
+	return res.Count, &PingAddr{remoteAddr}, nil
+}
+
+func (pc *PingConn) Read(p []byte) (n int, err error) {
+	n, _, err = pc.ReadFrom(p)
+	return
+}
+
+func (pc *PingConn) SetDeadline(t time.Time) error {
+	// pc.SetWriteDeadline is unimplemented
+
+	return pc.SetReadDeadline(t)
+}
+
+func (pc *PingConn) SetReadDeadline(t time.Time) error {
+	pc.deadline.Reset(t.Sub(time.Now()))
+	return nil
+}
+
 var (
 	errNoSuchHost                   = errors.New("no such host")
 	errLameReferral                 = errors.New("lame referral")
@@ -421,7 +667,7 @@ func dnsStreamRoundTrip(c net.Conn, id uint16, query dnsmessage.Question, b []by
 	return p, h, nil
 }

-func (tnet *Net) exchange(ctx context.Context, server net.IP, q dnsmessage.Question, timeout time.Duration) (dnsmessage.Parser, dnsmessage.Header, error) {
+func (tnet *Net) exchange(ctx context.Context, server netip.Addr, q dnsmessage.Question, timeout time.Duration) (dnsmessage.Parser, dnsmessage.Header, error) {
 	q.Class = dnsmessage.ClassINET
 	id, udpReq, tcpReq, err := newRequest(q)
 	if err != nil {
@@ -435,16 +681,19 @@ func (tnet *Net) exchange(ctx context.Context, server net.IP, q dnsmessage.Quest
 		var c net.Conn
 		var err error
 		if useUDP {
-			c, err = tnet.DialUDP(nil, &net.UDPAddr{IP: server, Port: 53})
+			c, err = tnet.DialUDPAddrPort(netip.AddrPort{}, netip.AddrPortFrom(server, 53))
 		} else {
-			c, err = tnet.DialContextTCP(ctx, &net.TCPAddr{IP: server, Port: 53})
+			c, err = tnet.DialContextTCPAddrPort(ctx, netip.AddrPortFrom(server, 53))
 		}

 		if err != nil {
 			return dnsmessage.Parser{}, dnsmessage.Header{}, err
 		}
 		if d, ok := ctx.Deadline(); ok && !d.IsZero() {
-			c.SetDeadline(d)
+			err := c.SetDeadline(d)
+			if err != nil {
+				return dnsmessage.Parser{}, dnsmessage.Header{}, err
+			}
 		}
 		var p dnsmessage.Parser
 		var h dnsmessage.Header
@@ -588,8 +837,8 @@ func (tnet *Net) LookupContextHost(ctx context.Context, host string) ([]string,
 			zlen = zidx
 		}
 	}
-	if ip := net.ParseIP(host[:zlen]); ip != nil {
-		return []string{host[:zlen]}, nil
+	if ip, err := netip.ParseAddr(host[:zlen]); err == nil {
+		return []string{ip.String()}, nil
 	}

 	if !isDomainName(host) {
@@ -600,7 +849,7 @@ func (tnet *Net) LookupContextHost(ctx context.Context, host string) ([]string,
 		server string
 		error
 	}
-	var addrsV4, addrsV6 []net.IP
+	var addrsV4, addrsV6 []netip.Addr
 	lanes := 0
 	if tnet.hasV4 {
 		lanes++
@@ -655,7 +904,7 @@ func (tnet *Net) LookupContextHost(ctx context.Context, host string) ([]string,
 					}
 					break loop
 				}
-				addrsV4 = append(addrsV4, net.IP(a.A[:]))
+				addrsV4 = append(addrsV4, netip.AddrFrom4(a.A))

 			case dnsmessage.TypeAAAA:
 				aaaa, err := result.p.AAAAResource()
@@ -667,7 +916,7 @@ func (tnet *Net) LookupContextHost(ctx context.Context, host string) ([]string,
 					}
 					break loop
 				}
-				addrsV6 = append(addrsV6, net.IP(aaaa.AAAA[:]))
+				addrsV6 = append(addrsV6, netip.AddrFrom16(aaaa.AAAA))

 			default:
 				if err := result.p.SkipAnswer(); err != nil {
@@ -683,7 +932,7 @@ func (tnet *Net) LookupContextHost(ctx context.Context, host string) ([]string,
 		}
 	}
 	// We don't do RFC6724. Instead just put V6 addresess first if an IPv6 address is enabled
-	var addrs []net.IP
+	var addrs []netip.Addr
 	if tnet.hasV6 {
 		addrs = append(addrsV6, addrsV4...)
 	} else {
@@ -720,44 +969,48 @@ func partialDeadline(now, deadline time.Time, addrsRemaining int) (time.Time, er
 	return now.Add(timeout), nil
 }

+var protoSplitter = regexp.MustCompile(`^(tcp|udp|ping)(4|6)?$`)
+
 func (tnet *Net) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
 	if ctx == nil {
 		panic("nil context")
 	}
-	var acceptV4, acceptV6, useUDP bool
-	if len(network) == 3 {
+	var acceptV4, acceptV6 bool
+	matches := protoSplitter.FindStringSubmatch(network)
+	if matches == nil {
+		return nil, &net.OpError{Op: "dial", Err: net.UnknownNetworkError(network)}
+	} else if len(matches[2]) == 0 {
 		acceptV4 = true
 		acceptV6 = true
-	} else if len(network) == 4 {
-		acceptV4 = network[3] == '4'
-		acceptV6 = network[3] == '6'
+	} else {
+		acceptV4 = matches[2][0] == '4'
+		acceptV6 = !acceptV4
 	}
-	if !acceptV4 && !acceptV6 {
-		return nil, &net.OpError{Op: "dial", Err: net.UnknownNetworkError(network)}
-	}
-	if network[:3] == "udp" {
-		useUDP = true
-	} else if network[:3] != "tcp" {
-		return nil, &net.OpError{Op: "dial", Err: net.UnknownNetworkError(network)}
-	}
-	host, sport, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, &net.OpError{Op: "dial", Err: err}
-	}
-	port, err := strconv.Atoi(sport)
-	if err != nil || port < 0 || port > 65535 {
-		return nil, &net.OpError{Op: "dial", Err: errNumericPort}
+	var host string
+	var port int
+	if matches[1] == "ping" {
+		host = address
+	} else {
+		var sport string
+		var err error
+		host, sport, err = net.SplitHostPort(address)
+		if err != nil {
+			return nil, &net.OpError{Op: "dial", Err: err}
+		}
+		port, err = strconv.Atoi(sport)
+		if err != nil || port < 0 || port > 65535 {
+			return nil, &net.OpError{Op: "dial", Err: errNumericPort}
+		}
 	}
 	allAddr, err := tnet.LookupContextHost(ctx, host)
 	if err != nil {
 		return nil, &net.OpError{Op: "dial", Err: err}
 	}
-	var addrs []net.IP
+	var addrs []netip.AddrPort
 	for _, addr := range allAddr {
-		if strings.IndexByte(addr, ':') != -1 && acceptV6 {
-			addrs = append(addrs, net.ParseIP(addr))
-		} else if strings.IndexByte(addr, '.') != -1 && acceptV4 {
-			addrs = append(addrs, net.ParseIP(addr))
+		ip, err := netip.ParseAddr(addr)
+		if err == nil && ((ip.Is4() && acceptV4) || (ip.Is6() && acceptV6)) {
+			addrs = append(addrs, netip.AddrPortFrom(ip, uint16(port)))
 		}
 	}
 	if len(addrs) == 0 && len(allAddr) != 0 {
@@ -795,10 +1048,13 @@ func (tnet *Net) DialContext(ctx context.Context, network, address string) (net.
 		}

 		var c net.Conn
-		if useUDP {
-			c, err = tnet.DialUDP(nil, &net.UDPAddr{IP: addr, Port: port})
-		} else {
-			c, err = tnet.DialContextTCP(dialCtx, &net.TCPAddr{IP: addr, Port: port})
+		switch matches[1] {
+		case "tcp":
+			c, err = tnet.DialContextTCPAddrPort(dialCtx, addr)
+		case "udp":
+			c, err = tnet.DialUDPAddrPort(netip.AddrPort{}, addr)
+		case "ping":
+			c, err = tnet.DialPingAddr(netip.Addr{}, addr.Addr())
 		}
 		if err == nil {
 			return c, nil
--- a/tun/operateonfd.go
+++ b/tun/operateonfd.go
@@ -1,4 +1,4 @@
-// +build !windows
+//go:build darwin || freebsd

 /* SPDX-License-Identifier: MIT
 *
--- a/tun/tun_darwin.go
+++ b/tun/tun_darwin.go
@@ -8,9 +8,9 @@ package tun
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
+	"sync"
 	"syscall"
 	"time"
 	"unsafe"
@@ -27,6 +27,7 @@ type NativeTun struct {
 	events      chan Event
 	errors      chan error
 	routeSocket int
+	closeOnce   sync.Once
 }

 func retryInterfaceByIndex(index int) (iface *net.Interface, err error) {
@@ -107,7 +108,6 @@ func CreateTUN(name string, mtu int) (Device, error) {
 	}

 	fd, err := unix.Socket(unix.AF_SYSTEM, unix.SOCK_DGRAM, 2)
-
 	if err != nil {
 		return nil, err
 	}
@@ -116,6 +116,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
 	copy(ctlInfo.Name[:], []byte(utunControlName))
 	err = unix.IoctlCtlInfo(fd, ctlInfo)
 	if err != nil {
+		unix.Close(fd)
 		return nil, fmt.Errorf("IoctlGetCtlInfo: %w", err)
 	}

@@ -126,11 +127,13 @@ func CreateTUN(name string, mtu int) (Device, error) {

 	err = unix.Connect(fd, sc)
 	if err != nil {
+		unix.Close(fd)
 		return nil, err
 	}

-	err = syscall.SetNonblock(fd, true)
+	err = unix.SetNonblock(fd, true)
 	if err != nil {
+		unix.Close(fd)
 		return nil, err
 	}
 	tun, err := CreateTUNFromFile(os.NewFile(uintptr(fd), ""), mtu)
@@ -138,7 +141,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
 	if err == nil && name == "utun" {
 		fname := os.Getenv("WG_TUN_NAME_FILE")
 		if fname != "" {
-			ioutil.WriteFile(fname, []byte(tun.(*NativeTun).name+"\n"), 0400)
+			os.WriteFile(fname, []byte(tun.(*NativeTun).name+"\n"), 0o400)
 		}
 	}

@@ -229,7 +232,6 @@ func (tun *NativeTun) Read(buff []byte, offset int) (int, error) {
 }

 func (tun *NativeTun) Write(buff []byte, offset int) (int, error) {
-
 	// reserve space for header

 	buff = buff[offset-4:]
@@ -257,14 +259,16 @@ func (tun *NativeTun) Flush() error {
 }

 func (tun *NativeTun) Close() error {
-	var err2 error
-	err1 := tun.tunFile.Close()
-	if tun.routeSocket != -1 {
-		unix.Shutdown(tun.routeSocket, unix.SHUT_RDWR)
-		err2 = unix.Close(tun.routeSocket)
-	} else if tun.events != nil {
-		close(tun.events)
-	}
+	var err1, err2 error
+	tun.closeOnce.Do(func() {
+		err1 = tun.tunFile.Close()
+		if tun.routeSocket != -1 {
+			unix.Shutdown(tun.routeSocket, unix.SHUT_RDWR)
+			err2 = unix.Close(tun.routeSocket)
+		} else if tun.events != nil {
+			close(tun.events)
+		}
+	})
 	if err1 != nil {
 		return err1
 	}
@@ -277,7 +281,6 @@ func (tun *NativeTun) setMTU(n int) error {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return err
 	}
@@ -301,7 +304,6 @@ func (tun *NativeTun) MTU() (int, error) {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return 0, err
 	}
--- a/tun/tun_freebsd.go
+++ b/tun/tun_freebsd.go
@@ -6,61 +6,52 @@
 package tun

 import (
-	"bytes"
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"os"
+	"sync"
 	"syscall"
 	"unsafe"

-	"golang.org/x/net/ipv6"
 	"golang.org/x/sys/unix"
 )

-// _TUNSIFHEAD, value derived from sys/net/{if_tun,ioccom}.h
-// const _TUNSIFHEAD = ((0x80000000) | (((4) & ((1 << 13) - 1) ) << 16) | (uint32(byte('t')) << 8) | (96))
 const (
 	_TUNSIFHEAD = 0x80047460
 	_TUNSIFMODE = 0x8004745e
+	_TUNGIFNAME = 0x4020745d
 	_TUNSIFPID  = 0x2000745f
+
+	_SIOCGIFINFO_IN6        = 0xc048696c
+	_SIOCSIFINFO_IN6        = 0xc048696d
+	_ND6_IFF_AUTO_LINKLOCAL = 0x20
+	_ND6_IFF_NO_DAD         = 0x100
 )

-// TODO: move into x/sys/unix
-const (
-	SIOCGIFINFO_IN6        = 0xc048696c
-	SIOCSIFINFO_IN6        = 0xc048696d
-	ND6_IFF_AUTO_LINKLOCAL = 0x20
-	ND6_IFF_NO_DAD         = 0x100
-)
+// Iface requests with just the name
+type ifreqName struct {
+	Name [unix.IFNAMSIZ]byte
+	_    [16]byte
+}

-// Iface status string max len
-const _IFSTATMAX = 800
-
-const SIZEOF_UINTPTR = 4 << (^uintptr(0) >> 32 & 1)
-
-// structure for iface requests with a pointer
-type ifreq_ptr struct {
+// Iface requests with a pointer
+type ifreqPtr struct {
 	Name [unix.IFNAMSIZ]byte
 	Data uintptr
-	Pad0 [16 - SIZEOF_UINTPTR]byte
+	_    [16 - unsafe.Sizeof(uintptr(0))]byte
 }

-// Structure for iface mtu get/set ioctls
-type ifreq_mtu struct {
+// Iface requests with MTU
+type ifreqMtu struct {
 	Name [unix.IFNAMSIZ]byte
 	MTU  uint32
-	Pad0 [12]byte
+	_    [12]byte
 }

-// Structure for interface status request ioctl
-type ifstat struct {
-	IfsName [unix.IFNAMSIZ]byte
-	Ascii   [_IFSTATMAX]byte
-}
-
-// Structures for nd6 flag manipulation
-type in6_ndireq struct {
+// ND6 flag manipulation
+type nd6Req struct {
 	Name          [unix.IFNAMSIZ]byte
 	Linkmtu       uint32
 	Maxmtu        uint32
@@ -82,6 +73,7 @@ type NativeTun struct {
 	events      chan Event
 	errors      chan error
 	routeSocket int
+	closeOnce   sync.Once
 }

 func (tun *NativeTun) routineRouteListener(tunIfindex int) {
@@ -97,7 +89,7 @@ func (tun *NativeTun) routineRouteListener(tunIfindex int) {
 	retry:
 		n, err := unix.Read(tun.routeSocket, data)
 		if err != nil {
-			if errno, ok := err.(syscall.Errno); ok && errno == syscall.EINTR {
+			if errors.Is(err, syscall.EINTR) {
 				goto retry
 			}
 			tun.errors <- err
@@ -141,91 +133,17 @@ func (tun *NativeTun) routineRouteListener(tunIfindex int) {
 }

 func tunName(fd uintptr) (string, error) {
-	//Terrible hack to make up for freebsd not having a TUNGIFNAME
-
-	//First, make sure the tun pid matches this proc's pid
-	_, _, errno := unix.Syscall(
-		unix.SYS_IOCTL,
-		uintptr(fd),
-		uintptr(_TUNSIFPID),
-		uintptr(0),
-	)
-
-	if errno != 0 {
-		return "", fmt.Errorf("failed to set tun device PID: %s", errno.Error())
-	}
-
-	// Open iface control socket
-
-	confd, err := unix.Socket(
-		unix.AF_INET,
-		unix.SOCK_DGRAM,
-		0,
-	)
-
-	if err != nil {
+	var ifreq ifreqName
+	_, _, err := unix.Syscall(unix.SYS_IOCTL, fd, _TUNGIFNAME, uintptr(unsafe.Pointer(&ifreq)))
+	if err != 0 {
 		return "", err
 	}
-
-	defer unix.Close(confd)
-
-	procPid := os.Getpid()
-
-	//Try to find interface with matching PID
-	for i := 1; ; i++ {
-		iface, _ := net.InterfaceByIndex(i)
-		if err != nil || iface == nil {
-			break
-		}
-
-		// Structs for getting data in and out of SIOCGIFSTATUS ioctl
-		var ifstatus ifstat
-		copy(ifstatus.IfsName[:], iface.Name)
-
-		// Make the syscall to get the status string
-		_, _, errno := unix.Syscall(
-			unix.SYS_IOCTL,
-			uintptr(confd),
-			uintptr(unix.SIOCGIFSTATUS),
-			uintptr(unsafe.Pointer(&ifstatus)),
-		)
-
-		if errno != 0 {
-			continue
-		}
-
-		nullStr := ifstatus.Ascii[:]
-		i := bytes.IndexByte(nullStr, 0)
-		if i < 1 {
-			continue
-		}
-		statStr := string(nullStr[:i])
-		var pidNum int = 0
-
-		// Finally get the owning PID
-		// Format string taken from sys/net/if_tun.c
-		_, err := fmt.Sscanf(statStr, "\tOpened by PID %d\n", &pidNum)
-		if err != nil {
-			continue
-		}
-
-		if pidNum == procPid {
-			return iface.Name, nil
-		}
-	}
-
-	return "", nil
+	return unix.ByteSliceToString(ifreq.Name[:]), nil
 }

 // Destroy a named system interface
 func tunDestroy(name string) error {
-	// Open control socket.
-	var fd int
-	fd, err := unix.Socket(
-		unix.AF_INET,
-		unix.SOCK_DGRAM,
-		0,
-	)
+	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
 	if err != nil {
 		return err
 	}
@@ -233,14 +151,9 @@ func tunDestroy(name string) error {

 	var ifr [32]byte
 	copy(ifr[:], name)
-	_, _, errno := unix.Syscall(
-		unix.SYS_IOCTL,
-		uintptr(fd),
-		uintptr(unix.SIOCIFDESTROY),
-		uintptr(unsafe.Pointer(&ifr[0])),
-	)
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.SIOCIFDESTROY), uintptr(unsafe.Pointer(&ifr[0])))
 	if errno != 0 {
-		return fmt.Errorf("failed to destroy interface %s: %s", name, errno.Error())
+		return fmt.Errorf("failed to destroy interface %s: %w", name, errno)
 	}

 	return nil
@@ -276,103 +189,94 @@ func CreateTUN(name string, mtu int) (Device, error) {
 	ifheadmode := 1
 	var errno syscall.Errno
 	tun.operateOnFd(func(fd uintptr) {
-		_, _, errno = unix.Syscall(
-			unix.SYS_IOCTL,
-			fd,
-			uintptr(_TUNSIFHEAD),
-			uintptr(unsafe.Pointer(&ifheadmode)),
-		)
+		_, _, errno = unix.Syscall(unix.SYS_IOCTL, fd, _TUNSIFHEAD, uintptr(unsafe.Pointer(&ifheadmode)))
 	})

 	if errno != 0 {
 		tunFile.Close()
 		tunDestroy(assignedName)
-		return nil, fmt.Errorf("Unable to put into IFHEAD mode: %w", errno)
+		return nil, fmt.Errorf("unable to put into IFHEAD mode: %w", errno)
 	}

-	// Open control sockets
-	confd, err := unix.Socket(
-		unix.AF_INET,
-		unix.SOCK_DGRAM,
-		0,
-	)
-	if err != nil {
+	// Get out of PTP mode.
+	ifflags := syscall.IFF_BROADCAST | syscall.IFF_MULTICAST
+	tun.operateOnFd(func(fd uintptr) {
+		_, _, errno = unix.Syscall(unix.SYS_IOCTL, fd, uintptr(_TUNSIFMODE), uintptr(unsafe.Pointer(&ifflags)))
+	})
+
+	if errno != 0 {
 		tunFile.Close()
 		tunDestroy(assignedName)
-		return nil, err
+		return nil, fmt.Errorf("unable to put into IFF_BROADCAST mode: %w", errno)
 	}
-	defer unix.Close(confd)
-	confd6, err := unix.Socket(
-		unix.AF_INET6,
-		unix.SOCK_DGRAM,
-		0,
-	)
+
+	// Disable link-local v6, not just because WireGuard doesn't do that anyway, but
+	// also because there are serious races with attaching and detaching LLv6 addresses
+	// in relation to interface lifetime within the FreeBSD kernel.
+	confd6, err := unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM, 0)
 	if err != nil {
 		tunFile.Close()
 		tunDestroy(assignedName)
 		return nil, err
 	}
 	defer unix.Close(confd6)
-
-	// Disable link-local v6, not just because WireGuard doesn't do that anyway, but
-	// also because there are serious races with attaching and detaching LLv6 addresses
-	// in relation to interface lifetime within the FreeBSD kernel.
-	var ndireq in6_ndireq
+	var ndireq nd6Req
 	copy(ndireq.Name[:], assignedName)
-	_, _, errno = unix.Syscall(
-		unix.SYS_IOCTL,
-		uintptr(confd6),
-		uintptr(SIOCGIFINFO_IN6),
-		uintptr(unsafe.Pointer(&ndireq)),
-	)
+	_, _, errno = unix.Syscall(unix.SYS_IOCTL, uintptr(confd6), uintptr(_SIOCGIFINFO_IN6), uintptr(unsafe.Pointer(&ndireq)))
 	if errno != 0 {
 		tunFile.Close()
 		tunDestroy(assignedName)
-		return nil, fmt.Errorf("Unable to get nd6 flags for %s: %w", assignedName, errno)
+		return nil, fmt.Errorf("unable to get nd6 flags for %s: %w", assignedName, errno)
 	}
-	ndireq.Flags = ndireq.Flags &^ ND6_IFF_AUTO_LINKLOCAL
-	ndireq.Flags = ndireq.Flags | ND6_IFF_NO_DAD
-	_, _, errno = unix.Syscall(
-		unix.SYS_IOCTL,
-		uintptr(confd6),
-		uintptr(SIOCSIFINFO_IN6),
-		uintptr(unsafe.Pointer(&ndireq)),
-	)
+	ndireq.Flags = ndireq.Flags &^ _ND6_IFF_AUTO_LINKLOCAL
+	ndireq.Flags = ndireq.Flags | _ND6_IFF_NO_DAD
+	_, _, errno = unix.Syscall(unix.SYS_IOCTL, uintptr(confd6), uintptr(_SIOCSIFINFO_IN6), uintptr(unsafe.Pointer(&ndireq)))
 	if errno != 0 {
 		tunFile.Close()
 		tunDestroy(assignedName)
-		return nil, fmt.Errorf("Unable to set nd6 flags for %s: %w", assignedName, errno)
+		return nil, fmt.Errorf("unable to set nd6 flags for %s: %w", assignedName, errno)
 	}

-	// Rename the interface
-	var newnp [unix.IFNAMSIZ]byte
-	copy(newnp[:], name)
-	var ifr ifreq_ptr
-	copy(ifr.Name[:], assignedName)
-	ifr.Data = uintptr(unsafe.Pointer(&newnp[0]))
-	_, _, errno = unix.Syscall(
-		unix.SYS_IOCTL,
-		uintptr(confd),
-		uintptr(unix.SIOCSIFNAME),
-		uintptr(unsafe.Pointer(&ifr)),
-	)
-	if errno != 0 {
-		tunFile.Close()
-		tunDestroy(assignedName)
-		return nil, fmt.Errorf("Failed to rename %s to %s: %w", assignedName, name, errno)
+	if name != "" {
+		confd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
+		if err != nil {
+			tunFile.Close()
+			tunDestroy(assignedName)
+			return nil, err
+		}
+		defer unix.Close(confd)
+		var newnp [unix.IFNAMSIZ]byte
+		copy(newnp[:], name)
+		var ifr ifreqPtr
+		copy(ifr.Name[:], assignedName)
+		ifr.Data = uintptr(unsafe.Pointer(&newnp[0]))
+		_, _, errno = unix.Syscall(unix.SYS_IOCTL, uintptr(confd), uintptr(unix.SIOCSIFNAME), uintptr(unsafe.Pointer(&ifr)))
+		if errno != 0 {
+			tunFile.Close()
+			tunDestroy(assignedName)
+			return nil, fmt.Errorf("Failed to rename %s to %s: %w", assignedName, name, errno)
+		}
 	}

 	return CreateTUNFromFile(tunFile, mtu)
 }

 func CreateTUNFromFile(file *os.File, mtu int) (Device, error) {
-
 	tun := &NativeTun{
 		tunFile: file,
 		events:  make(chan Event, 10),
 		errors:  make(chan error, 1),
 	}

+	var errno syscall.Errno
+	tun.operateOnFd(func(fd uintptr) {
+		_, _, errno = unix.Syscall(unix.SYS_IOCTL, fd, _TUNSIFPID, uintptr(0))
+	})
+	if errno != 0 {
+		tun.tunFile.Close()
+		return nil, fmt.Errorf("unable to become controlling TUN process: %w", errno)
+	}
+
 	name, err := tun.Name()
 	if err != nil {
 		tun.tunFile.Close()
@@ -443,27 +347,26 @@ func (tun *NativeTun) Read(buff []byte, offset int) (int, error) {
 	}
 }

-func (tun *NativeTun) Write(buff []byte, offset int) (int, error) {
-
-	// reserve space for header
-
-	buff = buff[offset-4:]
-
-	// add packet information header
-
-	buff[0] = 0x00
-	buff[1] = 0x00
-	buff[2] = 0x00
-
-	if buff[4]>>4 == ipv6.Version {
-		buff[3] = unix.AF_INET6
-	} else {
-		buff[3] = unix.AF_INET
+func (tun *NativeTun) Write(buf []byte, offset int) (int, error) {
+	if offset < 4 {
+		return 0, io.ErrShortBuffer
 	}
-
-	// write
-
-	return tun.tunFile.Write(buff)
+	buf = buf[offset-4:]
+	if len(buf) < 5 {
+		return 0, io.ErrShortBuffer
+	}
+	buf[0] = 0x00
+	buf[1] = 0x00
+	buf[2] = 0x00
+	switch buf[4] >> 4 {
+	case 4:
+		buf[3] = unix.AF_INET
+	case 6:
+		buf[3] = unix.AF_INET6
+	default:
+		return 0, unix.EAFNOSUPPORT
+	}
+	return tun.tunFile.Write(buf)
 }

 func (tun *NativeTun) Flush() error {
@@ -472,16 +375,18 @@ func (tun *NativeTun) Flush() error {
 }

 func (tun *NativeTun) Close() error {
-	var err3 error
-	err1 := tun.tunFile.Close()
-	err2 := tunDestroy(tun.name)
-	if tun.routeSocket != -1 {
-		unix.Shutdown(tun.routeSocket, unix.SHUT_RDWR)
-		err3 = unix.Close(tun.routeSocket)
-		tun.routeSocket = -1
-	} else if tun.events != nil {
-		close(tun.events)
-	}
+	var err1, err2, err3 error
+	tun.closeOnce.Do(func() {
+		err1 = tun.tunFile.Close()
+		err2 = tunDestroy(tun.name)
+		if tun.routeSocket != -1 {
+			unix.Shutdown(tun.routeSocket, unix.SHUT_RDWR)
+			err3 = unix.Close(tun.routeSocket)
+			tun.routeSocket = -1
+		} else if tun.events != nil {
+			close(tun.events)
+		}
+	})
 	if err1 != nil {
 		return err1
 	}
@@ -492,70 +397,34 @@ func (tun *NativeTun) Close() error {
 }

 func (tun *NativeTun) setMTU(n int) error {
-	// open datagram socket
-
-	var fd int
-
-	fd, err := unix.Socket(
-		unix.AF_INET,
-		unix.SOCK_DGRAM,
-		0,
-	)
-
+	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
 	if err != nil {
 		return err
 	}
-
 	defer unix.Close(fd)

-	// do ioctl call
-
-	var ifr ifreq_mtu
+	var ifr ifreqMtu
 	copy(ifr.Name[:], tun.name)
 	ifr.MTU = uint32(n)
-
-	_, _, errno := unix.Syscall(
-		unix.SYS_IOCTL,
-		uintptr(fd),
-		uintptr(unix.SIOCSIFMTU),
-		uintptr(unsafe.Pointer(&ifr)),
-	)
-
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.SIOCSIFMTU), uintptr(unsafe.Pointer(&ifr)))
 	if errno != 0 {
-		return fmt.Errorf("failed to set MTU on %s", tun.name)
+		return fmt.Errorf("failed to set MTU on %s: %w", tun.name, errno)
 	}
-
 	return nil
 }

 func (tun *NativeTun) MTU() (int, error) {
-	// open datagram socket
-
-	fd, err := unix.Socket(
-		unix.AF_INET,
-		unix.SOCK_DGRAM,
-		0,
-	)
-
+	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
 	if err != nil {
 		return 0, err
 	}
-
 	defer unix.Close(fd)

-	// do ioctl call
-	var ifr ifreq_mtu
+	var ifr ifreqMtu
 	copy(ifr.Name[:], tun.name)
-
-	_, _, errno := unix.Syscall(
-		unix.SYS_IOCTL,
-		uintptr(fd),
-		uintptr(unix.SIOCGIFMTU),
-		uintptr(unsafe.Pointer(&ifr)),
-	)
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.SIOCGIFMTU), uintptr(unsafe.Pointer(&ifr)))
 	if errno != 0 {
-		return 0, fmt.Errorf("failed to get MTU on %s", tun.name)
+		return 0, fmt.Errorf("failed to get MTU on %s: %w", tun.name, errno)
 	}
-
 	return int(*(*int32)(unsafe.Pointer(&ifr.MTU))), nil
 }
--- a/tun/tun_linux.go
+++ b/tun/tun_linux.go
@@ -10,6 +10,7 @@ package tun

 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"os"
 	"sync"
@@ -39,6 +40,8 @@ type NativeTun struct {
 	hackListenerClosed      sync.Mutex
 	statusListenersShutdown chan struct{}

+	closeOnce sync.Once
+
 	nameOnce  sync.Once // guards calling initNameCache, which sets following fields
 	nameCache string    // name of interface
 	nameErr   error
@@ -53,6 +56,11 @@ func (tun *NativeTun) routineHackListener() {
 	/* This is needed for the detection to work across network namespaces
 	 * If you are reading this and know a better method, please get in touch.
 	 */
+	last := 0
+	const (
+		up   = 1
+		down = 2
+	)
 	for {
 		sysconn, err := tun.tunFile.SyscallConn()
 		if err != nil {
@@ -66,13 +74,19 @@ func (tun *NativeTun) routineHackListener() {
 		}
 		switch err {
 		case unix.EINVAL:
-			// If the tunnel is up, it reports that write() is
-			// allowed but we provided invalid data.
-			tun.events <- EventUp
+			if last != up {
+				// If the tunnel is up, it reports that write() is
+				// allowed but we provided invalid data.
+				tun.events <- EventUp
+				last = up
+			}
 		case unix.EIO:
-			// If the tunnel is down, it reports that no I/O
-			// is possible, without checking our provided data.
-			tun.events <- EventDown
+			if last != down {
+				// If the tunnel is down, it reports that no I/O
+				// is possible, without checking our provided data.
+				tun.events <- EventDown
+				last = down
+			}
 		default:
 			return
 		}
@@ -218,7 +232,6 @@ func (tun *NativeTun) setMTU(n int) error {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return err
 	}
@@ -255,7 +268,6 @@ func (tun *NativeTun) MTU() (int, error) {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return 0, err
 	}
@@ -316,32 +328,30 @@ func (tun *NativeTun) nameSlow() (string, error) {
 	return string(name), nil
 }

-func (tun *NativeTun) Write(buff []byte, offset int) (int, error) {
-
+func (tun *NativeTun) Write(buf []byte, offset int) (int, error) {
 	if tun.nopi {
-		buff = buff[offset:]
+		buf = buf[offset:]
 	} else {
 		// reserve space for header
-
-		buff = buff[offset-4:]
+		buf = buf[offset-4:]

 		// add packet information header
-
-		buff[0] = 0x00
-		buff[1] = 0x00
-
-		if buff[4]>>4 == ipv6.Version {
-			buff[2] = 0x86
-			buff[3] = 0xdd
+		buf[0] = 0x00
+		buf[1] = 0x00
+		if buf[4]>>4 == ipv6.Version {
+			buf[2] = 0x86
+			buf[3] = 0xdd
 		} else {
-			buff[2] = 0x08
-			buff[3] = 0x00
+			buf[2] = 0x08
+			buf[3] = 0x00
 		}
 	}

-	// write
-
-	return tun.tunFile.Write(buff)
+	n, err := tun.tunFile.Write(buf)
+	if errors.Is(err, syscall.EBADFD) {
+		err = os.ErrClosed
+	}
+	return n, err
 }

 func (tun *NativeTun) Flush() error {
@@ -349,22 +359,26 @@ func (tun *NativeTun) Flush() error {
 	return nil
 }

-func (tun *NativeTun) Read(buff []byte, offset int) (int, error) {
+func (tun *NativeTun) Read(buf []byte, offset int) (n int, err error) {
 	select {
-	case err := <-tun.errors:
-		return 0, err
+	case err = <-tun.errors:
 	default:
 		if tun.nopi {
-			return tun.tunFile.Read(buff[offset:])
+			n, err = tun.tunFile.Read(buf[offset:])
 		} else {
-			buff := buff[offset-4:]
-			n, err := tun.tunFile.Read(buff[:])
-			if n < 4 {
-				return 0, err
+			buff := buf[offset-4:]
+			n, err = tun.tunFile.Read(buff[:])
+			if errors.Is(err, syscall.EBADFD) {
+				err = os.ErrClosed
+			}
+			if n < 4 {
+				n = 0
+			} else {
+				n -= 4
 			}
-			return n - 4, err
 		}
 	}
+	return
 }

 func (tun *NativeTun) Events() chan Event {
@@ -372,17 +386,18 @@ func (tun *NativeTun) Events() chan Event {
 }

 func (tun *NativeTun) Close() error {
-	var err1 error
-	if tun.statusListenersShutdown != nil {
-		close(tun.statusListenersShutdown)
-		if tun.netlinkCancel != nil {
-			err1 = tun.netlinkCancel.Cancel()
+	var err1, err2 error
+	tun.closeOnce.Do(func() {
+		if tun.statusListenersShutdown != nil {
+			close(tun.statusListenersShutdown)
+			if tun.netlinkCancel != nil {
+				err1 = tun.netlinkCancel.Cancel()
+			}
+		} else if tun.events != nil {
+			close(tun.events)
 		}
-	} else if tun.events != nil {
-		close(tun.events)
-	}
-	err2 := tun.tunFile.Close()
-
+		err2 = tun.tunFile.Close()
+	})
 	if err1 != nil {
 		return err1
 	}
@@ -402,6 +417,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
 	var flags uint16 = unix.IFF_TUN // | unix.IFF_NO_PI (disabled for TUN status hack)
 	nameBytes := []byte(name)
 	if len(nameBytes) >= unix.IFNAMSIZ {
+		unix.Close(nfd)
 		return nil, fmt.Errorf("interface name too long: %w", unix.ENAMETOOLONG)
 	}
 	copy(ifr[:], nameBytes)
@@ -414,17 +430,19 @@ func CreateTUN(name string, mtu int) (Device, error) {
 		uintptr(unsafe.Pointer(&ifr[0])),
 	)
 	if errno != 0 {
+		unix.Close(nfd)
 		return nil, errno
 	}
+
 	err = unix.SetNonblock(nfd, true)
+	if err != nil {
+		unix.Close(nfd)
+		return nil, err
+	}

 	// Note that the above -- open,ioctl,nonblock -- must happen prior to handing it to netpoll as below this line.

 	fd := os.NewFile(uintptr(nfd), cloneDevicePath)
-	if err != nil {
-		return nil, err
-	}
-
 	return CreateTUNFromFile(fd, mtu)
 }

--- a/tun/tun_openbsd.go
+++ b/tun/tun_openbsd.go
@@ -8,9 +8,9 @@ package tun
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
+	"sync"
 	"syscall"
 	"unsafe"

@@ -33,6 +33,7 @@ type NativeTun struct {
 	events      chan Event
 	errors      chan error
 	routeSocket int
+	closeOnce   sync.Once
 }

 func (tun *NativeTun) routineRouteListener(tunIfindex int) {
@@ -132,7 +133,7 @@ func CreateTUN(name string, mtu int) (Device, error) {
 	if err == nil && name == "tun" {
 		fname := os.Getenv("WG_TUN_NAME_FILE")
 		if fname != "" {
-			ioutil.WriteFile(fname, []byte(tun.(*NativeTun).name+"\n"), 0400)
+			os.WriteFile(fname, []byte(tun.(*NativeTun).name+"\n"), 0o400)
 		}
 	}

@@ -218,7 +219,6 @@ func (tun *NativeTun) Read(buff []byte, offset int) (int, error) {
 }

 func (tun *NativeTun) Write(buff []byte, offset int) (int, error) {
-
 	// reserve space for header

 	buff = buff[offset-4:]
@@ -246,15 +246,17 @@ func (tun *NativeTun) Flush() error {
 }

 func (tun *NativeTun) Close() error {
-	var err2 error
-	err1 := tun.tunFile.Close()
-	if tun.routeSocket != -1 {
-		unix.Shutdown(tun.routeSocket, unix.SHUT_RDWR)
-		err2 = unix.Close(tun.routeSocket)
-		tun.routeSocket = -1
-	} else if tun.events != nil {
-		close(tun.events)
-	}
+	var err1, err2 error
+	tun.closeOnce.Do(func() {
+		err1 = tun.tunFile.Close()
+		if tun.routeSocket != -1 {
+			unix.Shutdown(tun.routeSocket, unix.SHUT_RDWR)
+			err2 = unix.Close(tun.routeSocket)
+			tun.routeSocket = -1
+		} else if tun.events != nil {
+			close(tun.events)
+		}
+	})
 	if err1 != nil {
 		return err1
 	}
@@ -271,7 +273,6 @@ func (tun *NativeTun) setMTU(n int) error {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return err
 	}
@@ -306,7 +307,6 @@ func (tun *NativeTun) MTU() (int, error) {
 		unix.SOCK_DGRAM,
 		0,
 	)
-
 	if err != nil {
 		return 0, err
 	}
--- a/tun/tun_windows.go
+++ b/tun/tun_windows.go
@@ -8,15 +8,15 @@ package tun
 import (
 	"errors"
 	"fmt"
-	"log"
 	"os"
+	"sync"
 	"sync/atomic"
 	"time"
 	_ "unsafe"

 	"golang.org/x/sys/windows"

-	"golang.zx2c4.com/wireguard/tun/wintun"
+	"golang.zx2c4.com/wintun"
 )

 const (
@@ -34,18 +34,22 @@ type rateJuggler struct {

 type NativeTun struct {
 	wt        *wintun.Adapter
+	name      string
 	handle    windows.Handle
-	close     bool
-	events    chan Event
-	errors    chan error
-	forcedMTU int
 	rate      rateJuggler
 	session   wintun.Session
 	readWait  windows.Handle
+	events    chan Event
+	running   sync.WaitGroup
+	closeOnce sync.Once
+	close     int32
+	forcedMTU int
 }

-var WintunPool, _ = wintun.MakePool("WireGuard")
-var WintunStaticRequestedGUID *windows.GUID
+var (
+	WintunTunnelType          = "WireGuard"
+	WintunStaticRequestedGUID *windows.GUID
+)

 //go:linkname procyield runtime.procyield
 func procyield(cycles uint32)
@@ -66,25 +70,10 @@ func CreateTUN(ifname string, mtu int) (Device, error) {
 // a requested GUID. Should a Wintun interface with the same name exist, it is reused.
 //
 func CreateTUNWithRequestedGUID(ifname string, requestedGUID *windows.GUID, mtu int) (Device, error) {
-	var err error
-	var wt *wintun.Adapter
-
-	// Does an interface with this name already exist?
-	wt, err = WintunPool.OpenAdapter(ifname)
-	if err == nil {
-		// If so, we delete it, in case it has weird residual configuration.
-		_, err = wt.Delete(true)
-		if err != nil {
-			return nil, fmt.Errorf("Error deleting already existing interface: %w", err)
-		}
-	}
-	wt, rebootRequired, err := WintunPool.CreateAdapter(ifname, requestedGUID)
+	wt, err := wintun.CreateAdapter(ifname, WintunTunnelType, requestedGUID)
 	if err != nil {
 		return nil, fmt.Errorf("Error creating interface: %w", err)
 	}
-	if rebootRequired {
-		log.Println("Windows indicated a reboot is required.")
-	}

 	forcedMTU := 1420
 	if mtu > 0 {
@@ -93,15 +82,15 @@ func CreateTUNWithRequestedGUID(ifname string, requestedGUID *windows.GUID, mtu

 	tun := &NativeTun{
 		wt:        wt,
+		name:      ifname,
 		handle:    windows.InvalidHandle,
 		events:    make(chan Event, 10),
-		errors:    make(chan error, 1),
 		forcedMTU: forcedMTU,
 	}

 	tun.session, err = wt.StartSession(0x800000) // Ring capacity, 8 MiB
 	if err != nil {
-		tun.wt.Delete(false)
+		tun.wt.Close()
 		close(tun.events)
 		return nil, fmt.Errorf("Error starting session: %w", err)
 	}
@@ -110,7 +99,7 @@ func CreateTUNWithRequestedGUID(ifname string, requestedGUID *windows.GUID, mtu
 }

 func (tun *NativeTun) Name() (string, error) {
-	return tun.wt.Name()
+	return tun.name, nil
 }

 func (tun *NativeTun) File() *os.File {
@@ -122,13 +111,17 @@ func (tun *NativeTun) Events() chan Event {
 }

 func (tun *NativeTun) Close() error {
-	tun.close = true
-	tun.session.End()
 	var err error
-	if tun.wt != nil {
-		_, err = tun.wt.Delete(false)
-	}
-	close(tun.events)
+	tun.closeOnce.Do(func() {
+		atomic.StoreInt32(&tun.close, 1)
+		windows.SetEvent(tun.readWait)
+		tun.running.Wait()
+		tun.session.End()
+		if tun.wt != nil {
+			tun.wt.Close()
+		}
+		close(tun.events)
+	})
 	return err
 }

@@ -138,22 +131,26 @@ func (tun *NativeTun) MTU() (int, error) {

 // TODO: This is a temporary hack. We really need to be monitoring the interface in real time and adapting to MTU changes.
 func (tun *NativeTun) ForceMTU(mtu int) {
+	update := tun.forcedMTU != mtu
 	tun.forcedMTU = mtu
+	if update {
+		tun.events <- EventMTUUpdate
+	}
 }

 // Note: Read() and Write() assume the caller comes only from a single thread; there's no locking.

 func (tun *NativeTun) Read(buff []byte, offset int) (int, error) {
+	tun.running.Add(1)
+	defer tun.running.Done()
 retry:
-	select {
-	case err := <-tun.errors:
-		return 0, err
-	default:
+	if atomic.LoadInt32(&tun.close) == 1 {
+		return 0, os.ErrClosed
 	}
 	start := nanotime()
 	shouldSpin := atomic.LoadUint64(&tun.rate.current) >= spinloopRateThreshold && uint64(start-atomic.LoadInt64(&tun.rate.nextStartTime)) <= rateMeasurementGranularity*2
 	for {
-		if tun.close {
+		if atomic.LoadInt32(&tun.close) == 1 {
 			return 0, os.ErrClosed
 		}
 		packet, err := tun.session.ReceivePacket()
@@ -185,7 +182,9 @@ func (tun *NativeTun) Flush() error {
 }

 func (tun *NativeTun) Write(buff []byte, offset int) (int, error) {
-	if tun.close {
+	tun.running.Add(1)
+	defer tun.running.Done()
+	if atomic.LoadInt32(&tun.close) == 1 {
 		return 0, os.ErrClosed
 	}

@@ -209,6 +208,11 @@ func (tun *NativeTun) Write(buff []byte, offset int) (int, error) {

 // LUID returns Windows interface instance ID.
 func (tun *NativeTun) LUID() uint64 {
+	tun.running.Add(1)
+	defer tun.running.Done()
+	if atomic.LoadInt32(&tun.close) == 1 {
+		return 0
+	}
 	return tun.wt.LUID()
 }

--- a/tun/tuntest/tuntest.go
+++ b/tun/tuntest/tuntest.go
@@ -8,13 +8,13 @@ package tuntest
 import (
 	"encoding/binary"
 	"io"
-	"net"
+	"net/netip"
 	"os"

 	"golang.zx2c4.com/wireguard/tun"
 )

-func Ping(dst, src net.IP) []byte {
+func Ping(dst, src netip.Addr) []byte {
 	localPort := uint16(1337)
 	seq := uint16(0)

@@ -40,7 +40,7 @@ func checksum(buf []byte, initial uint16) uint16 {
 	return ^uint16(v)
 }

-func genICMPv4(payload []byte, dst, src net.IP) []byte {
+func genICMPv4(payload []byte, dst, src netip.Addr) []byte {
 	const (
 		icmpv4ProtocolNumber = 1
 		icmpv4Echo           = 8
@@ -70,8 +70,8 @@ func genICMPv4(payload []byte, dst, src net.IP) []byte {
 	binary.BigEndian.PutUint16(ip[ipv4TotalLenOffset:], length)
 	ip[8] = ttl
 	ip[9] = icmpv4ProtocolNumber
-	copy(ip[12:], src.To4())
-	copy(ip[16:], dst.To4())
+	copy(ip[12:], src.AsSlice())
+	copy(ip[16:], dst.AsSlice())
 	chksum = ^checksum(ip[:], 0)
 	binary.BigEndian.PutUint16(ip[ipv4ChecksumOffset:], chksum)

@@ -79,7 +79,6 @@ func genICMPv4(payload []byte, dst, src net.IP) []byte {
 	return pkt
 }

-// TODO(crawshaw): find a reusable home for this. package devicetest?
 type ChannelTUN struct {
 	Inbound  chan []byte // incoming packets, closed on TUN close
 	Outbound chan []byte // outbound packets, blocks forever on TUN close
@@ -114,7 +113,7 @@ func (t *chTun) File() *os.File { return nil }
 func (t *chTun) Read(data []byte, offset int) (int, error) {
 	select {
 	case <-t.c.closed:
-		return 0, io.EOF // TODO(crawshaw): what is the correct error value?
+		return 0, os.ErrClosed
 	case msg := <-t.c.Outbound:
 		return copy(data[offset:], msg), nil
 	}
@@ -131,7 +130,7 @@ func (t *chTun) Write(data []byte, offset int) (int, error) {
 	copy(msg, data[offset:])
 	select {
 	case <-t.c.closed:
-		return 0, io.EOF // TODO(crawshaw): what is the correct error value?
+		return 0, os.ErrClosed
 	case t.c.Inbound <- msg:
 		return len(data) - offset, nil
 	}
--- a/tun/wintun/dll_fromfile_windows.go
+++ b/tun/wintun/dll_fromfile_windows.go
@@ -1,54 +0,0 @@
-// +build !load_wintun_from_rsrc
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
- */
-
-package wintun
-
-import (
-	"fmt"
-	"sync"
-	"sync/atomic"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-type lazyDLL struct {
-	Name   string
-	mu     sync.Mutex
-	module windows.Handle
-	onLoad func(d *lazyDLL)
-}
-
-func (d *lazyDLL) Load() error {
-	if atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&d.module))) != nil {
-		return nil
-	}
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	if d.module != 0 {
-		return nil
-	}
-
-	const (
-		LOAD_LIBRARY_SEARCH_APPLICATION_DIR = 0x00000200
-		LOAD_LIBRARY_SEARCH_SYSTEM32        = 0x00000800
-	)
-	module, err := windows.LoadLibraryEx(d.Name, 0, LOAD_LIBRARY_SEARCH_APPLICATION_DIR|LOAD_LIBRARY_SEARCH_SYSTEM32)
-	if err != nil {
-		return fmt.Errorf("Unable to load library: %w", err)
-	}
-
-	atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&d.module)), unsafe.Pointer(module))
-	if d.onLoad != nil {
-		d.onLoad(d)
-	}
-	return nil
-}
-
-func (p *lazyProc) nameToAddr() (uintptr, error) {
-	return windows.GetProcAddress(p.dll.module, p.Name)
-}
--- a/tun/wintun/dll_fromrsrc_windows.go
+++ b/tun/wintun/dll_fromrsrc_windows.go
@@ -1,62 +0,0 @@
-// +build load_wintun_from_rsrc
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
- */
-
-package wintun
-
-import (
-	"fmt"
-	"sync"
-	"sync/atomic"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-
-	"golang.zx2c4.com/wireguard/tun/wintun/memmod"
-	"golang.zx2c4.com/wireguard/tun/wintun/resource"
-)
-
-type lazyDLL struct {
-	Name   string
-	mu     sync.Mutex
-	module *memmod.Module
-	onLoad func(d *lazyDLL)
-}
-
-func (d *lazyDLL) Load() error {
-	if atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&d.module))) != nil {
-		return nil
-	}
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	if d.module != nil {
-		return nil
-	}
-
-	const ourModule windows.Handle = 0
-	resInfo, err := resource.FindByName(ourModule, d.Name, resource.RT_RCDATA)
-	if err != nil {
-		return fmt.Errorf("Unable to find \"%v\" RCDATA resource: %w", d.Name, err)
-	}
-	data, err := resource.Load(ourModule, resInfo)
-	if err != nil {
-		return fmt.Errorf("Unable to load resource: %w", err)
-	}
-	module, err := memmod.LoadLibrary(data)
-	if err != nil {
-		return fmt.Errorf("Unable to load library: %w", err)
-	}
-
-	atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&d.module)), unsafe.Pointer(module))
-	if d.onLoad != nil {
-		d.onLoad(d)
-	}
-	return nil
-}
-
-func (p *lazyProc) nameToAddr() (uintptr, error) {
-	return p.dll.module.ProcAddressByName(p.Name)
-}
--- a/tun/wintun/dll_windows.go
+++ b/tun/wintun/dll_windows.go
@@ -1,59 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package wintun
-
-import (
-	"fmt"
-	"sync"
-	"sync/atomic"
-	"unsafe"
-)
-
-func newLazyDLL(name string, onLoad func(d *lazyDLL)) *lazyDLL {
-	return &lazyDLL{Name: name, onLoad: onLoad}
-}
-
-func (d *lazyDLL) NewProc(name string) *lazyProc {
-	return &lazyProc{dll: d, Name: name}
-}
-
-type lazyProc struct {
-	Name string
-	mu   sync.Mutex
-	dll  *lazyDLL
-	addr uintptr
-}
-
-func (p *lazyProc) Find() error {
-	if atomic.LoadPointer((*unsafe.Pointer)(unsafe.Pointer(&p.addr))) != nil {
-		return nil
-	}
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	if p.addr != 0 {
-		return nil
-	}
-
-	err := p.dll.Load()
-	if err != nil {
-		return fmt.Errorf("Error loading %v DLL: %w", p.dll.Name, err)
-	}
-	addr, err := p.nameToAddr()
-	if err != nil {
-		return fmt.Errorf("Error getting %v address: %w", p.Name, err)
-	}
-
-	atomic.StorePointer((*unsafe.Pointer)(unsafe.Pointer(&p.addr)), unsafe.Pointer(addr))
-	return nil
-}
-
-func (p *lazyProc) Addr() uintptr {
-	err := p.Find()
-	if err != nil {
-		panic(err)
-	}
-	return p.addr
-}
--- a/tun/wintun/memmod/memmod_windows.go
+++ b/tun/wintun/memmod/memmod_windows.go
@@ -1,620 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-import (
-	"errors"
-	"fmt"
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-type addressList struct {
-	next    *addressList
-	address uintptr
-}
-
-func (head *addressList) free() {
-	for node := head; node != nil; node = node.next {
-		windows.VirtualFree(node.address, 0, windows.MEM_RELEASE)
-	}
-}
-
-type Module struct {
-	headers       *IMAGE_NT_HEADERS
-	codeBase      uintptr
-	modules       []windows.Handle
-	initialized   bool
-	isDLL         bool
-	isRelocated   bool
-	nameExports   map[string]uint16
-	entry         uintptr
-	blockedMemory *addressList
-}
-
-func (module *Module) headerDirectory(idx int) *IMAGE_DATA_DIRECTORY {
-	return &module.headers.OptionalHeader.DataDirectory[idx]
-}
-
-func (module *Module) copySections(address uintptr, size uintptr, old_headers *IMAGE_NT_HEADERS) error {
-	sections := module.headers.Sections()
-	for i := range sections {
-		if sections[i].SizeOfRawData == 0 {
-			// Section doesn't contain data in the dll itself, but may define uninitialized data.
-			sectionSize := old_headers.OptionalHeader.SectionAlignment
-			if sectionSize == 0 {
-				continue
-			}
-			dest, err := windows.VirtualAlloc(module.codeBase+uintptr(sections[i].VirtualAddress),
-				uintptr(sectionSize),
-				windows.MEM_COMMIT,
-				windows.PAGE_READWRITE)
-			if err != nil {
-				return fmt.Errorf("Error allocating section: %w", err)
-			}
-
-			// Always use position from file to support alignments smaller than page size (allocation above will align to page size).
-			dest = module.codeBase + uintptr(sections[i].VirtualAddress)
-			// NOTE: On 64bit systems we truncate to 32bit here but expand again later when "PhysicalAddress" is used.
-			sections[i].SetPhysicalAddress((uint32)(dest & 0xffffffff))
-			var dst []byte
-			unsafeSlice(unsafe.Pointer(&dst), a2p(dest), int(sectionSize))
-			for j := range dst {
-				dst[j] = 0
-			}
-			continue
-		}
-
-		if size < uintptr(sections[i].PointerToRawData+sections[i].SizeOfRawData) {
-			return errors.New("Incomplete section")
-		}
-
-		// Commit memory block and copy data from dll.
-		dest, err := windows.VirtualAlloc(module.codeBase+uintptr(sections[i].VirtualAddress),
-			uintptr(sections[i].SizeOfRawData),
-			windows.MEM_COMMIT,
-			windows.PAGE_READWRITE)
-		if err != nil {
-			return fmt.Errorf("Error allocating memory block: %w", err)
-		}
-
-		// Always use position from file to support alignments smaller than page size (allocation above will align to page size).
-		memcpy(
-			module.codeBase+uintptr(sections[i].VirtualAddress),
-			address+uintptr(sections[i].PointerToRawData),
-			uintptr(sections[i].SizeOfRawData))
-		// NOTE: On 64bit systems we truncate to 32bit here but expand again later when "PhysicalAddress" is used.
-		sections[i].SetPhysicalAddress((uint32)(dest & 0xffffffff))
-	}
-
-	return nil
-}
-
-func (module *Module) realSectionSize(section *IMAGE_SECTION_HEADER) uintptr {
-	size := section.SizeOfRawData
-	if size != 0 {
-		return uintptr(size)
-	}
-	if (section.Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) != 0 {
-		return uintptr(module.headers.OptionalHeader.SizeOfInitializedData)
-	}
-	if (section.Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) != 0 {
-		return uintptr(module.headers.OptionalHeader.SizeOfUninitializedData)
-	}
-	return 0
-}
-
-type sectionFinalizeData struct {
-	address         uintptr
-	alignedAddress  uintptr
-	size            uintptr
-	characteristics uint32
-	last            bool
-}
-
-func (module *Module) finalizeSection(sectionData *sectionFinalizeData) error {
-	if sectionData.size == 0 {
-		return nil
-	}
-
-	if (sectionData.characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0 {
-		// Section is not needed any more and can safely be freed.
-		if sectionData.address == sectionData.alignedAddress &&
-			(sectionData.last ||
-				(sectionData.size%uintptr(module.headers.OptionalHeader.SectionAlignment)) == 0) {
-			// Only allowed to decommit whole pages.
-			windows.VirtualFree(sectionData.address, sectionData.size, windows.MEM_DECOMMIT)
-		}
-		return nil
-	}
-
-	// determine protection flags based on characteristics
-	var ProtectionFlags = [8]uint32{
-		windows.PAGE_NOACCESS,          // not writeable, not readable, not executable
-		windows.PAGE_EXECUTE,           // not writeable, not readable, executable
-		windows.PAGE_READONLY,          // not writeable, readable, not executable
-		windows.PAGE_EXECUTE_READ,      // not writeable, readable, executable
-		windows.PAGE_WRITECOPY,         // writeable, not readable, not executable
-		windows.PAGE_EXECUTE_WRITECOPY, // writeable, not readable, executable
-		windows.PAGE_READWRITE,         // writeable, readable, not executable
-		windows.PAGE_EXECUTE_READWRITE, // writeable, readable, executable
-	}
-	protect := ProtectionFlags[sectionData.characteristics>>29]
-	if (sectionData.characteristics & IMAGE_SCN_MEM_NOT_CACHED) != 0 {
-		protect |= windows.PAGE_NOCACHE
-	}
-
-	// Change memory access flags.
-	var oldProtect uint32
-	err := windows.VirtualProtect(sectionData.address, sectionData.size, protect, &oldProtect)
-	if err != nil {
-		return fmt.Errorf("Error protecting memory page: %w", err)
-	}
-
-	return nil
-}
-
-func (module *Module) finalizeSections() error {
-	sections := module.headers.Sections()
-	imageOffset := module.headers.OptionalHeader.imageOffset()
-	sectionData := sectionFinalizeData{}
-	sectionData.address = uintptr(sections[0].PhysicalAddress()) | imageOffset
-	sectionData.alignedAddress = alignDown(sectionData.address, uintptr(module.headers.OptionalHeader.SectionAlignment))
-	sectionData.size = module.realSectionSize(&sections[0])
-	sectionData.characteristics = sections[0].Characteristics
-
-	// Loop through all sections and change access flags.
-	for i := uint16(1); i < module.headers.FileHeader.NumberOfSections; i++ {
-		sectionAddress := uintptr(sections[i].PhysicalAddress()) | imageOffset
-		alignedAddress := alignDown(sectionAddress, uintptr(module.headers.OptionalHeader.SectionAlignment))
-		sectionSize := module.realSectionSize(&sections[i])
-		// Combine access flags of all sections that share a page.
-		// TODO: We currently share flags of a trailing large section with the page of a first small section. This should be optimized.
-		if sectionData.alignedAddress == alignedAddress || sectionData.address+sectionData.size > alignedAddress {
-			// Section shares page with previous.
-			if (sections[i].Characteristics&IMAGE_SCN_MEM_DISCARDABLE) == 0 || (sectionData.characteristics&IMAGE_SCN_MEM_DISCARDABLE) == 0 {
-				sectionData.characteristics = (sectionData.characteristics | sections[i].Characteristics) &^ IMAGE_SCN_MEM_DISCARDABLE
-			} else {
-				sectionData.characteristics |= sections[i].Characteristics
-			}
-			sectionData.size = sectionAddress + sectionSize - sectionData.address
-			continue
-		}
-
-		err := module.finalizeSection(&sectionData)
-		if err != nil {
-			return fmt.Errorf("Error finalizing section: %w", err)
-		}
-		sectionData.address = sectionAddress
-		sectionData.alignedAddress = alignedAddress
-		sectionData.size = sectionSize
-		sectionData.characteristics = sections[i].Characteristics
-	}
-	sectionData.last = true
-	err := module.finalizeSection(&sectionData)
-	if err != nil {
-		return fmt.Errorf("Error finalizing section: %w", err)
-	}
-	return nil
-}
-
-func (module *Module) executeTLS() {
-	directory := module.headerDirectory(IMAGE_DIRECTORY_ENTRY_TLS)
-	if directory.VirtualAddress == 0 {
-		return
-	}
-
-	tls := (*IMAGE_TLS_DIRECTORY)(a2p(module.codeBase + uintptr(directory.VirtualAddress)))
-	callback := tls.AddressOfCallbacks
-	if callback != 0 {
-		for {
-			f := *(*uintptr)(a2p(callback))
-			if f == 0 {
-				break
-			}
-			syscall.Syscall(f, 3, module.codeBase, uintptr(DLL_PROCESS_ATTACH), uintptr(0))
-			callback += unsafe.Sizeof(f)
-		}
-	}
-}
-
-func (module *Module) performBaseRelocation(delta uintptr) (relocated bool, err error) {
-	directory := module.headerDirectory(IMAGE_DIRECTORY_ENTRY_BASERELOC)
-	if directory.Size == 0 {
-		return delta == 0, nil
-	}
-
-	relocationHdr := (*IMAGE_BASE_RELOCATION)(a2p(module.codeBase + uintptr(directory.VirtualAddress)))
-	for relocationHdr.VirtualAddress > 0 {
-		dest := module.codeBase + uintptr(relocationHdr.VirtualAddress)
-
-		var relInfos []uint16
-		unsafeSlice(
-			unsafe.Pointer(&relInfos),
-			a2p(uintptr(unsafe.Pointer(relocationHdr))+unsafe.Sizeof(*relocationHdr)),
-			int((uintptr(relocationHdr.SizeOfBlock)-unsafe.Sizeof(*relocationHdr))/unsafe.Sizeof(relInfos[0])))
-		for _, relInfo := range relInfos {
-			// The upper 4 bits define the type of relocation.
-			relType := relInfo >> 12
-			// The lower 12 bits define the offset.
-			relOffset := uintptr(relInfo & 0xfff)
-
-			switch relType {
-			case IMAGE_REL_BASED_ABSOLUTE:
-				// Skip relocation.
-
-			case IMAGE_REL_BASED_LOW:
-				*(*uint16)(a2p(dest + relOffset)) += uint16(delta & 0xffff)
-				break
-
-			case IMAGE_REL_BASED_HIGH:
-				*(*uint16)(a2p(dest + relOffset)) += uint16(uint32(delta) >> 16)
-				break
-
-			case IMAGE_REL_BASED_HIGHLOW:
-				*(*uint32)(a2p(dest + relOffset)) += uint32(delta)
-
-			case IMAGE_REL_BASED_DIR64:
-				*(*uint64)(a2p(dest + relOffset)) += uint64(delta)
-
-			case IMAGE_REL_BASED_THUMB_MOV32:
-				inst := *(*uint32)(a2p(dest + relOffset))
-				imm16 := ((inst << 1) & 0x0800) + ((inst << 12) & 0xf000) +
-					((inst >> 20) & 0x0700) + ((inst >> 16) & 0x00ff)
-				if (inst & 0x8000fbf0) != 0x0000f240 {
-					return false, fmt.Errorf("Wrong Thumb2 instruction %08x, expected MOVW", inst)
-				}
-				imm16 += uint32(delta) & 0xffff
-				hiDelta := (uint32(delta&0xffff0000) >> 16) + ((imm16 & 0xffff0000) >> 16)
-				*(*uint32)(a2p(dest + relOffset)) = (inst & 0x8f00fbf0) + ((imm16 >> 1) & 0x0400) +
-					((imm16 >> 12) & 0x000f) +
-					((imm16 << 20) & 0x70000000) +
-					((imm16 << 16) & 0xff0000)
-				if hiDelta != 0 {
-					inst = *(*uint32)(a2p(dest + relOffset + 4))
-					imm16 = ((inst << 1) & 0x0800) + ((inst << 12) & 0xf000) +
-						((inst >> 20) & 0x0700) + ((inst >> 16) & 0x00ff)
-					if (inst & 0x8000fbf0) != 0x0000f2c0 {
-						return false, fmt.Errorf("Wrong Thumb2 instruction %08x, expected MOVT", inst)
-					}
-					imm16 += hiDelta
-					if imm16 > 0xffff {
-						return false, fmt.Errorf("Resulting immediate value won't fit: %08x", imm16)
-					}
-					*(*uint32)(a2p(dest + relOffset + 4)) = (inst & 0x8f00fbf0) +
-						((imm16 >> 1) & 0x0400) +
-						((imm16 >> 12) & 0x000f) +
-						((imm16 << 20) & 0x70000000) +
-						((imm16 << 16) & 0xff0000)
-				}
-
-			default:
-				return false, fmt.Errorf("Unsupported relocation: %v", relType)
-			}
-		}
-
-		// Advance to next relocation block.
-		relocationHdr = (*IMAGE_BASE_RELOCATION)(a2p(uintptr(unsafe.Pointer(relocationHdr)) + uintptr(relocationHdr.SizeOfBlock)))
-	}
-	return true, nil
-}
-
-func (module *Module) buildImportTable() error {
-	directory := module.headerDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT)
-	if directory.Size == 0 {
-		return nil
-	}
-
-	module.modules = make([]windows.Handle, 0, 16)
-	importDesc := (*IMAGE_IMPORT_DESCRIPTOR)(a2p(module.codeBase + uintptr(directory.VirtualAddress)))
-	for !isBadReadPtr(uintptr(unsafe.Pointer(importDesc)), unsafe.Sizeof(*importDesc)) && importDesc.Name != 0 {
-		handle, err := windows.LoadLibraryEx(windows.BytePtrToString((*byte)(a2p(module.codeBase+uintptr(importDesc.Name)))), 0, windows.LOAD_LIBRARY_SEARCH_SYSTEM32)
-		if err != nil {
-			return fmt.Errorf("Error loading module: %w", err)
-		}
-		var thunkRef, funcRef *uintptr
-		if importDesc.OriginalFirstThunk() != 0 {
-			thunkRef = (*uintptr)(a2p(module.codeBase + uintptr(importDesc.OriginalFirstThunk())))
-			funcRef = (*uintptr)(a2p(module.codeBase + uintptr(importDesc.FirstThunk)))
-		} else {
-			// No hint table.
-			thunkRef = (*uintptr)(a2p(module.codeBase + uintptr(importDesc.FirstThunk)))
-			funcRef = (*uintptr)(a2p(module.codeBase + uintptr(importDesc.FirstThunk)))
-		}
-		for *thunkRef != 0 {
-			if IMAGE_SNAP_BY_ORDINAL(*thunkRef) {
-				*funcRef, err = windows.GetProcAddressByOrdinal(handle, IMAGE_ORDINAL(*thunkRef))
-			} else {
-				thunkData := (*IMAGE_IMPORT_BY_NAME)(a2p(module.codeBase + *thunkRef))
-				*funcRef, err = windows.GetProcAddress(handle, windows.BytePtrToString(&thunkData.Name[0]))
-			}
-			if err != nil {
-				windows.FreeLibrary(handle)
-				return fmt.Errorf("Error getting function address: %w", err)
-			}
-			thunkRef = (*uintptr)(a2p(uintptr(unsafe.Pointer(thunkRef)) + unsafe.Sizeof(*thunkRef)))
-			funcRef = (*uintptr)(a2p(uintptr(unsafe.Pointer(funcRef)) + unsafe.Sizeof(*funcRef)))
-		}
-		module.modules = append(module.modules, handle)
-		importDesc = (*IMAGE_IMPORT_DESCRIPTOR)(a2p(uintptr(unsafe.Pointer(importDesc)) + unsafe.Sizeof(*importDesc)))
-	}
-	return nil
-}
-
-func (module *Module) buildNameExports() error {
-	directory := module.headerDirectory(IMAGE_DIRECTORY_ENTRY_EXPORT)
-	if directory.Size == 0 {
-		return errors.New("No export table found")
-	}
-	exports := (*IMAGE_EXPORT_DIRECTORY)(a2p(module.codeBase + uintptr(directory.VirtualAddress)))
-	if exports.NumberOfNames == 0 || exports.NumberOfFunctions == 0 {
-		return errors.New("No functions exported")
-	}
-	if exports.NumberOfNames == 0 {
-		return errors.New("No functions exported by name")
-	}
-	var nameRefs []uint32
-	unsafeSlice(unsafe.Pointer(&nameRefs), a2p(module.codeBase+uintptr(exports.AddressOfNames)), int(exports.NumberOfNames))
-	var ordinals []uint16
-	unsafeSlice(unsafe.Pointer(&ordinals), a2p(module.codeBase+uintptr(exports.AddressOfNameOrdinals)), int(exports.NumberOfNames))
-	module.nameExports = make(map[string]uint16)
-	for i := range nameRefs {
-		nameArray := windows.BytePtrToString((*byte)(a2p(module.codeBase + uintptr(nameRefs[i]))))
-		module.nameExports[nameArray] = ordinals[i]
-	}
-	return nil
-}
-
-// LoadLibrary loads module image to memory.
-func LoadLibrary(data []byte) (module *Module, err error) {
-	addr := uintptr(unsafe.Pointer(&data[0]))
-	size := uintptr(len(data))
-	if size < unsafe.Sizeof(IMAGE_DOS_HEADER{}) {
-		return nil, errors.New("Incomplete IMAGE_DOS_HEADER")
-	}
-	dosHeader := (*IMAGE_DOS_HEADER)(a2p(addr))
-	if dosHeader.E_magic != IMAGE_DOS_SIGNATURE {
-		return nil, fmt.Errorf("Not an MS-DOS binary (provided: %x, expected: %x)", dosHeader.E_magic, IMAGE_DOS_SIGNATURE)
-	}
-	if (size < uintptr(dosHeader.E_lfanew)+unsafe.Sizeof(IMAGE_NT_HEADERS{})) {
-		return nil, errors.New("Incomplete IMAGE_NT_HEADERS")
-	}
-	oldHeader := (*IMAGE_NT_HEADERS)(a2p(addr + uintptr(dosHeader.E_lfanew)))
-	if oldHeader.Signature != IMAGE_NT_SIGNATURE {
-		return nil, fmt.Errorf("Not an NT binary (provided: %x, expected: %x)", oldHeader.Signature, IMAGE_NT_SIGNATURE)
-	}
-	if oldHeader.FileHeader.Machine != imageFileProcess {
-		return nil, fmt.Errorf("Foreign platform (provided: %x, expected: %x)", oldHeader.FileHeader.Machine, imageFileProcess)
-	}
-	if (oldHeader.OptionalHeader.SectionAlignment & 1) != 0 {
-		return nil, errors.New("Unaligned section")
-	}
-	lastSectionEnd := uintptr(0)
-	sections := oldHeader.Sections()
-	optionalSectionSize := oldHeader.OptionalHeader.SectionAlignment
-	for i := range sections {
-		var endOfSection uintptr
-		if sections[i].SizeOfRawData == 0 {
-			// Section without data in the DLL
-			endOfSection = uintptr(sections[i].VirtualAddress) + uintptr(optionalSectionSize)
-		} else {
-			endOfSection = uintptr(sections[i].VirtualAddress) + uintptr(sections[i].SizeOfRawData)
-		}
-		if endOfSection > lastSectionEnd {
-			lastSectionEnd = endOfSection
-		}
-	}
-	alignedImageSize := alignUp(uintptr(oldHeader.OptionalHeader.SizeOfImage), uintptr(oldHeader.OptionalHeader.SectionAlignment))
-	if alignedImageSize != alignUp(lastSectionEnd, uintptr(oldHeader.OptionalHeader.SectionAlignment)) {
-		return nil, errors.New("Section is not page-aligned")
-	}
-
-	module = &Module{isDLL: (oldHeader.FileHeader.Characteristics & IMAGE_FILE_DLL) != 0}
-	defer func() {
-		if err != nil {
-			module.Free()
-			module = nil
-		}
-	}()
-
-	// Reserve memory for image of library.
-	// TODO: Is it correct to commit the complete memory region at once? Calling DllEntry raises an exception if we don't.
-	module.codeBase, err = windows.VirtualAlloc(oldHeader.OptionalHeader.ImageBase,
-		alignedImageSize,
-		windows.MEM_RESERVE|windows.MEM_COMMIT,
-		windows.PAGE_READWRITE)
-	if err != nil {
-		// Try to allocate memory at arbitrary position.
-		module.codeBase, err = windows.VirtualAlloc(0,
-			alignedImageSize,
-			windows.MEM_RESERVE|windows.MEM_COMMIT,
-			windows.PAGE_READWRITE)
-		if err != nil {
-			err = fmt.Errorf("Error allocating code: %w", err)
-			return
-		}
-	}
-	err = module.check4GBBoundaries(alignedImageSize)
-	if err != nil {
-		err = fmt.Errorf("Error reallocating code: %w", err)
-		return
-	}
-
-	if size < uintptr(oldHeader.OptionalHeader.SizeOfHeaders) {
-		err = errors.New("Incomplete headers")
-		return
-	}
-	// Commit memory for headers.
-	headers, err := windows.VirtualAlloc(module.codeBase,
-		uintptr(oldHeader.OptionalHeader.SizeOfHeaders),
-		windows.MEM_COMMIT,
-		windows.PAGE_READWRITE)
-	if err != nil {
-		err = fmt.Errorf("Error allocating headers: %w", err)
-		return
-	}
-	// Copy PE header to code.
-	memcpy(headers, addr, uintptr(oldHeader.OptionalHeader.SizeOfHeaders))
-	module.headers = (*IMAGE_NT_HEADERS)(a2p(headers + uintptr(dosHeader.E_lfanew)))
-
-	// Update position.
-	module.headers.OptionalHeader.ImageBase = module.codeBase
-
-	// Copy sections from DLL file block to new memory location.
-	err = module.copySections(addr, size, oldHeader)
-	if err != nil {
-		err = fmt.Errorf("Error copying sections: %w", err)
-		return
-	}
-
-	// Adjust base address of imported data.
-	locationDelta := module.headers.OptionalHeader.ImageBase - oldHeader.OptionalHeader.ImageBase
-	if locationDelta != 0 {
-		module.isRelocated, err = module.performBaseRelocation(locationDelta)
-		if err != nil {
-			err = fmt.Errorf("Error relocating module: %w", err)
-			return
-		}
-	} else {
-		module.isRelocated = true
-	}
-
-	// Load required dlls and adjust function table of imports.
-	err = module.buildImportTable()
-	if err != nil {
-		err = fmt.Errorf("Error building import table: %w", err)
-		return
-	}
-
-	// Mark memory pages depending on section headers and release sections that are marked as "discardable".
-	err = module.finalizeSections()
-	if err != nil {
-		err = fmt.Errorf("Error finalizing sections: %w", err)
-		return
-	}
-
-	// TLS callbacks are executed BEFORE the main loading.
-	module.executeTLS()
-
-	// Get entry point of loaded module.
-	if module.headers.OptionalHeader.AddressOfEntryPoint != 0 {
-		module.entry = module.codeBase + uintptr(module.headers.OptionalHeader.AddressOfEntryPoint)
-		if module.isDLL {
-			// Notify library about attaching to process.
-			r0, _, _ := syscall.Syscall(module.entry, 3, module.codeBase, uintptr(DLL_PROCESS_ATTACH), 0)
-			successful := r0 != 0
-			if !successful {
-				err = windows.ERROR_DLL_INIT_FAILED
-				return
-			}
-			module.initialized = true
-		}
-	}
-
-	module.buildNameExports()
-	return
-}
-
-// Free releases module resources and unloads it.
-func (module *Module) Free() {
-	if module.initialized {
-		// Notify library about detaching from process.
-		syscall.Syscall(module.entry, 3, module.codeBase, uintptr(DLL_PROCESS_DETACH), 0)
-		module.initialized = false
-	}
-	if module.modules != nil {
-		// Free previously opened libraries.
-		for _, handle := range module.modules {
-			windows.FreeLibrary(handle)
-		}
-		module.modules = nil
-	}
-	if module.codeBase != 0 {
-		windows.VirtualFree(module.codeBase, 0, windows.MEM_RELEASE)
-		module.codeBase = 0
-	}
-	if module.blockedMemory != nil {
-		module.blockedMemory.free()
-		module.blockedMemory = nil
-	}
-}
-
-// ProcAddressByName returns function address by exported name.
-func (module *Module) ProcAddressByName(name string) (uintptr, error) {
-	directory := module.headerDirectory(IMAGE_DIRECTORY_ENTRY_EXPORT)
-	if directory.Size == 0 {
-		return 0, errors.New("No export table found")
-	}
-	exports := (*IMAGE_EXPORT_DIRECTORY)(a2p(module.codeBase + uintptr(directory.VirtualAddress)))
-	if module.nameExports == nil {
-		return 0, errors.New("No functions exported by name")
-	}
-	if idx, ok := module.nameExports[name]; ok {
-		if uint32(idx) > exports.NumberOfFunctions {
-			return 0, errors.New("Ordinal number too high")
-		}
-		// AddressOfFunctions contains the RVAs to the "real" functions.
-		return module.codeBase + uintptr(*(*uint32)(a2p(module.codeBase + uintptr(exports.AddressOfFunctions) + uintptr(idx)*4))), nil
-	}
-	return 0, errors.New("Function not found by name")
-}
-
-// ProcAddressByOrdinal returns function address by exported ordinal.
-func (module *Module) ProcAddressByOrdinal(ordinal uint16) (uintptr, error) {
-	directory := module.headerDirectory(IMAGE_DIRECTORY_ENTRY_EXPORT)
-	if directory.Size == 0 {
-		return 0, errors.New("No export table found")
-	}
-	exports := (*IMAGE_EXPORT_DIRECTORY)(a2p(module.codeBase + uintptr(directory.VirtualAddress)))
-	if uint32(ordinal) < exports.Base {
-		return 0, errors.New("Ordinal number too low")
-	}
-	idx := ordinal - uint16(exports.Base)
-	if uint32(idx) > exports.NumberOfFunctions {
-		return 0, errors.New("Ordinal number too high")
-	}
-	// AddressOfFunctions contains the RVAs to the "real" functions.
-	return module.codeBase + uintptr(*(*uint32)(a2p(module.codeBase + uintptr(exports.AddressOfFunctions) + uintptr(idx)*4))), nil
-}
-
-func alignDown(value, alignment uintptr) uintptr {
-	return value & ^(alignment - 1)
-}
-
-func alignUp(value, alignment uintptr) uintptr {
-	return (value + alignment - 1) & ^(alignment - 1)
-}
-
-func a2p(addr uintptr) unsafe.Pointer {
-	return unsafe.Pointer(addr)
-}
-
-func memcpy(dst, src, size uintptr) {
-	var d, s []byte
-	unsafeSlice(unsafe.Pointer(&d), a2p(dst), int(size))
-	unsafeSlice(unsafe.Pointer(&s), a2p(src), int(size))
-	copy(d, s)
-}
-
-// unsafeSlice updates the slice slicePtr to be a slice
-// referencing the provided data with its length & capacity set to
-// lenCap.
-//
-// TODO: when Go 1.16 or Go 1.17 is the minimum supported version,
-// update callers to use unsafe.Slice instead of this.
-func unsafeSlice(slicePtr, data unsafe.Pointer, lenCap int) {
-	type sliceHeader struct {
-		Data unsafe.Pointer
-		Len  int
-		Cap  int
-	}
-	h := (*sliceHeader)(slicePtr)
-	h.Data = data
-	h.Len = lenCap
-	h.Cap = lenCap
-}
--- a/tun/wintun/memmod/memmod_windows_32.go
+++ b/tun/wintun/memmod/memmod_windows_32.go
@@ -1,16 +0,0 @@
-// +build windows,386 windows,arm
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-func (opthdr *IMAGE_OPTIONAL_HEADER) imageOffset() uintptr {
-	return 0
-}
-
-func (module *Module) check4GBBoundaries(alignedImageSize uintptr) (err error) {
-	return
-}
--- a/tun/wintun/memmod/memmod_windows_386.go
+++ b/tun/wintun/memmod/memmod_windows_386.go
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-const imageFileProcess = IMAGE_FILE_MACHINE_I386
--- a/tun/wintun/memmod/memmod_windows_64.go
+++ b/tun/wintun/memmod/memmod_windows_64.go
@@ -1,36 +0,0 @@
-// +build windows,amd64 windows,arm64
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-import (
-	"fmt"
-
-	"golang.org/x/sys/windows"
-)
-
-func (opthdr *IMAGE_OPTIONAL_HEADER) imageOffset() uintptr {
-	return uintptr(opthdr.ImageBase & 0xffffffff00000000)
-}
-
-func (module *Module) check4GBBoundaries(alignedImageSize uintptr) (err error) {
-	for (module.codeBase >> 32) < ((module.codeBase + alignedImageSize) >> 32) {
-		node := &addressList{
-			next:    module.blockedMemory,
-			address: module.codeBase,
-		}
-		module.blockedMemory = node
-		module.codeBase, err = windows.VirtualAlloc(0,
-			alignedImageSize,
-			windows.MEM_RESERVE|windows.MEM_COMMIT,
-			windows.PAGE_READWRITE)
-		if err != nil {
-			return fmt.Errorf("Error allocating memory block: %w", err)
-		}
-	}
-	return
-}
--- a/tun/wintun/memmod/memmod_windows_amd64.go
+++ b/tun/wintun/memmod/memmod_windows_amd64.go
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-const imageFileProcess = IMAGE_FILE_MACHINE_AMD64
--- a/tun/wintun/memmod/memmod_windows_arm.go
+++ b/tun/wintun/memmod/memmod_windows_arm.go
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-const imageFileProcess = IMAGE_FILE_MACHINE_ARMNT
--- a/tun/wintun/memmod/memmod_windows_arm64.go
+++ b/tun/wintun/memmod/memmod_windows_arm64.go
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-const imageFileProcess = IMAGE_FILE_MACHINE_ARM64
--- a/tun/wintun/memmod/mksyscall.go
+++ b/tun/wintun/memmod/mksyscall.go
@@ -1,8 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go syscall_windows.go
--- a/tun/wintun/memmod/syscall_windows.go
+++ b/tun/wintun/memmod/syscall_windows.go
@@ -1,341 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-import "unsafe"
-
-const (
-	IMAGE_DOS_SIGNATURE    = 0x5A4D     // MZ
-	IMAGE_OS2_SIGNATURE    = 0x454E     // NE
-	IMAGE_OS2_SIGNATURE_LE = 0x454C     // LE
-	IMAGE_VXD_SIGNATURE    = 0x454C     // LE
-	IMAGE_NT_SIGNATURE     = 0x00004550 // PE00
-)
-
-// DOS .EXE header
-type IMAGE_DOS_HEADER struct {
-	E_magic    uint16     // Magic number
-	E_cblp     uint16     // Bytes on last page of file
-	E_cp       uint16     // Pages in file
-	E_crlc     uint16     // Relocations
-	E_cparhdr  uint16     // Size of header in paragraphs
-	E_minalloc uint16     // Minimum extra paragraphs needed
-	E_maxalloc uint16     // Maximum extra paragraphs needed
-	E_ss       uint16     // Initial (relative) SS value
-	E_sp       uint16     // Initial SP value
-	E_csum     uint16     // Checksum
-	E_ip       uint16     // Initial IP value
-	E_cs       uint16     // Initial (relative) CS value
-	E_lfarlc   uint16     // File address of relocation table
-	E_ovno     uint16     // Overlay number
-	E_res      [4]uint16  // Reserved words
-	E_oemid    uint16     // OEM identifier (for e_oeminfo)
-	E_oeminfo  uint16     // OEM information; e_oemid specific
-	E_res2     [10]uint16 // Reserved words
-	E_lfanew   int32      // File address of new exe header
-}
-
-// File header format
-type IMAGE_FILE_HEADER struct {
-	Machine              uint16
-	NumberOfSections     uint16
-	TimeDateStamp        uint32
-	PointerToSymbolTable uint32
-	NumberOfSymbols      uint32
-	SizeOfOptionalHeader uint16
-	Characteristics      uint16
-}
-
-const (
-	IMAGE_SIZEOF_FILE_HEADER = 20
-
-	IMAGE_FILE_RELOCS_STRIPPED         = 0x0001 // Relocation info stripped from file.
-	IMAGE_FILE_EXECUTABLE_IMAGE        = 0x0002 // File is executable  (i.e. no unresolved external references).
-	IMAGE_FILE_LINE_NUMS_STRIPPED      = 0x0004 // Line nunbers stripped from file.
-	IMAGE_FILE_LOCAL_SYMS_STRIPPED     = 0x0008 // Local symbols stripped from file.
-	IMAGE_FILE_AGGRESIVE_WS_TRIM       = 0x0010 // Aggressively trim working set
-	IMAGE_FILE_LARGE_ADDRESS_AWARE     = 0x0020 // App can handle >2gb addresses
-	IMAGE_FILE_BYTES_REVERSED_LO       = 0x0080 // Bytes of machine word are reversed.
-	IMAGE_FILE_32BIT_MACHINE           = 0x0100 // 32 bit word machine.
-	IMAGE_FILE_DEBUG_STRIPPED          = 0x0200 // Debugging info stripped from file in .DBG file
-	IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP = 0x0400 // If Image is on removable media, copy and run from the swap file.
-	IMAGE_FILE_NET_RUN_FROM_SWAP       = 0x0800 // If Image is on Net, copy and run from the swap file.
-	IMAGE_FILE_SYSTEM                  = 0x1000 // System File.
-	IMAGE_FILE_DLL                     = 0x2000 // File is a DLL.
-	IMAGE_FILE_UP_SYSTEM_ONLY          = 0x4000 // File should only be run on a UP machine
-	IMAGE_FILE_BYTES_REVERSED_HI       = 0x8000 // Bytes of machine word are reversed.
-
-	IMAGE_FILE_MACHINE_UNKNOWN     = 0
-	IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001 // Useful for indicating we want to interact with the host and not a WoW guest.
-	IMAGE_FILE_MACHINE_I386        = 0x014c // Intel 386.
-	IMAGE_FILE_MACHINE_R3000       = 0x0162 // MIPS little-endian, 0x160 big-endian
-	IMAGE_FILE_MACHINE_R4000       = 0x0166 // MIPS little-endian
-	IMAGE_FILE_MACHINE_R10000      = 0x0168 // MIPS little-endian
-	IMAGE_FILE_MACHINE_WCEMIPSV2   = 0x0169 // MIPS little-endian WCE v2
-	IMAGE_FILE_MACHINE_ALPHA       = 0x0184 // Alpha_AXP
-	IMAGE_FILE_MACHINE_SH3         = 0x01a2 // SH3 little-endian
-	IMAGE_FILE_MACHINE_SH3DSP      = 0x01a3
-	IMAGE_FILE_MACHINE_SH3E        = 0x01a4 // SH3E little-endian
-	IMAGE_FILE_MACHINE_SH4         = 0x01a6 // SH4 little-endian
-	IMAGE_FILE_MACHINE_SH5         = 0x01a8 // SH5
-	IMAGE_FILE_MACHINE_ARM         = 0x01c0 // ARM Little-Endian
-	IMAGE_FILE_MACHINE_THUMB       = 0x01c2 // ARM Thumb/Thumb-2 Little-Endian
-	IMAGE_FILE_MACHINE_ARMNT       = 0x01c4 // ARM Thumb-2 Little-Endian
-	IMAGE_FILE_MACHINE_AM33        = 0x01d3
-	IMAGE_FILE_MACHINE_POWERPC     = 0x01F0 // IBM PowerPC Little-Endian
-	IMAGE_FILE_MACHINE_POWERPCFP   = 0x01f1
-	IMAGE_FILE_MACHINE_IA64        = 0x0200 // Intel 64
-	IMAGE_FILE_MACHINE_MIPS16      = 0x0266 // MIPS
-	IMAGE_FILE_MACHINE_ALPHA64     = 0x0284 // ALPHA64
-	IMAGE_FILE_MACHINE_MIPSFPU     = 0x0366 // MIPS
-	IMAGE_FILE_MACHINE_MIPSFPU16   = 0x0466 // MIPS
-	IMAGE_FILE_MACHINE_AXP64       = IMAGE_FILE_MACHINE_ALPHA64
-	IMAGE_FILE_MACHINE_TRICORE     = 0x0520 // Infineon
-	IMAGE_FILE_MACHINE_CEF         = 0x0CEF
-	IMAGE_FILE_MACHINE_EBC         = 0x0EBC // EFI Byte Code
-	IMAGE_FILE_MACHINE_AMD64       = 0x8664 // AMD64 (K8)
-	IMAGE_FILE_MACHINE_M32R        = 0x9041 // M32R little-endian
-	IMAGE_FILE_MACHINE_ARM64       = 0xAA64 // ARM64 Little-Endian
-	IMAGE_FILE_MACHINE_CEE         = 0xC0EE
-)
-
-// Directory format
-type IMAGE_DATA_DIRECTORY struct {
-	VirtualAddress uint32
-	Size           uint32
-}
-
-const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
-
-type IMAGE_NT_HEADERS struct {
-	Signature      uint32
-	FileHeader     IMAGE_FILE_HEADER
-	OptionalHeader IMAGE_OPTIONAL_HEADER
-}
-
-func (ntheader *IMAGE_NT_HEADERS) Sections() []IMAGE_SECTION_HEADER {
-	return (*[0xffff]IMAGE_SECTION_HEADER)(unsafe.Pointer(
-		(uintptr)(unsafe.Pointer(ntheader)) +
-			unsafe.Offsetof(ntheader.OptionalHeader) +
-			uintptr(ntheader.FileHeader.SizeOfOptionalHeader)))[:ntheader.FileHeader.NumberOfSections]
-}
-
-const (
-	IMAGE_DIRECTORY_ENTRY_EXPORT         = 0  // Export Directory
-	IMAGE_DIRECTORY_ENTRY_IMPORT         = 1  // Import Directory
-	IMAGE_DIRECTORY_ENTRY_RESOURCE       = 2  // Resource Directory
-	IMAGE_DIRECTORY_ENTRY_EXCEPTION      = 3  // Exception Directory
-	IMAGE_DIRECTORY_ENTRY_SECURITY       = 4  // Security Directory
-	IMAGE_DIRECTORY_ENTRY_BASERELOC      = 5  // Base Relocation Table
-	IMAGE_DIRECTORY_ENTRY_DEBUG          = 6  // Debug Directory
-	IMAGE_DIRECTORY_ENTRY_COPYRIGHT      = 7  // (X86 usage)
-	IMAGE_DIRECTORY_ENTRY_ARCHITECTURE   = 7  // Architecture Specific Data
-	IMAGE_DIRECTORY_ENTRY_GLOBALPTR      = 8  // RVA of GP
-	IMAGE_DIRECTORY_ENTRY_TLS            = 9  // TLS Directory
-	IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    = 10 // Load Configuration Directory
-	IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   = 11 // Bound Import Directory in headers
-	IMAGE_DIRECTORY_ENTRY_IAT            = 12 // Import Address Table
-	IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   = 13 // Delay Load Import Descriptors
-	IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14 // COM Runtime descriptor
-)
-
-const IMAGE_SIZEOF_SHORT_NAME = 8
-
-// Section header format
-type IMAGE_SECTION_HEADER struct {
-	Name                         [IMAGE_SIZEOF_SHORT_NAME]byte
-	physicalAddressOrVirtualSize uint32
-	VirtualAddress               uint32
-	SizeOfRawData                uint32
-	PointerToRawData             uint32
-	PointerToRelocations         uint32
-	PointerToLinenumbers         uint32
-	NumberOfRelocations          uint16
-	NumberOfLinenumbers          uint16
-	Characteristics              uint32
-}
-
-func (ishdr *IMAGE_SECTION_HEADER) PhysicalAddress() uint32 {
-	return ishdr.physicalAddressOrVirtualSize
-}
-
-func (ishdr *IMAGE_SECTION_HEADER) SetPhysicalAddress(addr uint32) {
-	ishdr.physicalAddressOrVirtualSize = addr
-}
-
-func (ishdr *IMAGE_SECTION_HEADER) VirtualSize() uint32 {
-	return ishdr.physicalAddressOrVirtualSize
-}
-
-func (ishdr *IMAGE_SECTION_HEADER) SetVirtualSize(addr uint32) {
-	ishdr.physicalAddressOrVirtualSize = addr
-}
-
-const (
-	// Section characteristics.
-	IMAGE_SCN_TYPE_REG    = 0x00000000 // Reserved.
-	IMAGE_SCN_TYPE_DSECT  = 0x00000001 // Reserved.
-	IMAGE_SCN_TYPE_NOLOAD = 0x00000002 // Reserved.
-	IMAGE_SCN_TYPE_GROUP  = 0x00000004 // Reserved.
-	IMAGE_SCN_TYPE_NO_PAD = 0x00000008 // Reserved.
-	IMAGE_SCN_TYPE_COPY   = 0x00000010 // Reserved.
-
-	IMAGE_SCN_CNT_CODE               = 0x00000020 // Section contains code.
-	IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040 // Section contains initialized data.
-	IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080 // Section contains uninitialized data.
-
-	IMAGE_SCN_LNK_OTHER         = 0x00000100 // Reserved.
-	IMAGE_SCN_LNK_INFO          = 0x00000200 // Section contains comments or some other type of information.
-	IMAGE_SCN_TYPE_OVER         = 0x00000400 // Reserved.
-	IMAGE_SCN_LNK_REMOVE        = 0x00000800 // Section contents will not become part of image.
-	IMAGE_SCN_LNK_COMDAT        = 0x00001000 // Section contents comdat.
-	IMAGE_SCN_MEM_PROTECTED     = 0x00004000 // Obsolete.
-	IMAGE_SCN_NO_DEFER_SPEC_EXC = 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
-	IMAGE_SCN_GPREL             = 0x00008000 // Section content can be accessed relative to GP
-	IMAGE_SCN_MEM_FARDATA       = 0x00008000
-	IMAGE_SCN_MEM_SYSHEAP       = 0x00010000 // Obsolete.
-	IMAGE_SCN_MEM_PURGEABLE     = 0x00020000
-	IMAGE_SCN_MEM_16BIT         = 0x00020000
-	IMAGE_SCN_MEM_LOCKED        = 0x00040000
-	IMAGE_SCN_MEM_PRELOAD       = 0x00080000
-
-	IMAGE_SCN_ALIGN_1BYTES    = 0x00100000 //
-	IMAGE_SCN_ALIGN_2BYTES    = 0x00200000 //
-	IMAGE_SCN_ALIGN_4BYTES    = 0x00300000 //
-	IMAGE_SCN_ALIGN_8BYTES    = 0x00400000 //
-	IMAGE_SCN_ALIGN_16BYTES   = 0x00500000 // Default alignment if no others are specified.
-	IMAGE_SCN_ALIGN_32BYTES   = 0x00600000 //
-	IMAGE_SCN_ALIGN_64BYTES   = 0x00700000 //
-	IMAGE_SCN_ALIGN_128BYTES  = 0x00800000 //
-	IMAGE_SCN_ALIGN_256BYTES  = 0x00900000 //
-	IMAGE_SCN_ALIGN_512BYTES  = 0x00A00000 //
-	IMAGE_SCN_ALIGN_1024BYTES = 0x00B00000 //
-	IMAGE_SCN_ALIGN_2048BYTES = 0x00C00000 //
-	IMAGE_SCN_ALIGN_4096BYTES = 0x00D00000 //
-	IMAGE_SCN_ALIGN_8192BYTES = 0x00E00000 //
-	IMAGE_SCN_ALIGN_MASK      = 0x00F00000
-
-	IMAGE_SCN_LNK_NRELOC_OVFL = 0x01000000 // Section contains extended relocations.
-	IMAGE_SCN_MEM_DISCARDABLE = 0x02000000 // Section can be discarded.
-	IMAGE_SCN_MEM_NOT_CACHED  = 0x04000000 // Section is not cachable.
-	IMAGE_SCN_MEM_NOT_PAGED   = 0x08000000 // Section is not pageable.
-	IMAGE_SCN_MEM_SHARED      = 0x10000000 // Section is shareable.
-	IMAGE_SCN_MEM_EXECUTE     = 0x20000000 // Section is executable.
-	IMAGE_SCN_MEM_READ        = 0x40000000 // Section is readable.
-	IMAGE_SCN_MEM_WRITE       = 0x80000000 // Section is writeable.
-
-	// TLS Characteristic Flags
-	IMAGE_SCN_SCALE_INDEX = 0x00000001 // Tls index is scaled.
-)
-
-// Based relocation format
-type IMAGE_BASE_RELOCATION struct {
-	VirtualAddress uint32
-	SizeOfBlock    uint32
-}
-
-const (
-	IMAGE_REL_BASED_ABSOLUTE           = 0
-	IMAGE_REL_BASED_HIGH               = 1
-	IMAGE_REL_BASED_LOW                = 2
-	IMAGE_REL_BASED_HIGHLOW            = 3
-	IMAGE_REL_BASED_HIGHADJ            = 4
-	IMAGE_REL_BASED_MACHINE_SPECIFIC_5 = 5
-	IMAGE_REL_BASED_RESERVED           = 6
-	IMAGE_REL_BASED_MACHINE_SPECIFIC_7 = 7
-	IMAGE_REL_BASED_MACHINE_SPECIFIC_8 = 8
-	IMAGE_REL_BASED_MACHINE_SPECIFIC_9 = 9
-	IMAGE_REL_BASED_DIR64              = 10
-
-	IMAGE_REL_BASED_IA64_IMM64 = 9
-
-	IMAGE_REL_BASED_MIPS_JMPADDR   = 5
-	IMAGE_REL_BASED_MIPS_JMPADDR16 = 9
-
-	IMAGE_REL_BASED_ARM_MOV32   = 5
-	IMAGE_REL_BASED_THUMB_MOV32 = 7
-)
-
-// Export Format
-type IMAGE_EXPORT_DIRECTORY struct {
-	Characteristics       uint32
-	TimeDateStamp         uint32
-	MajorVersion          uint16
-	MinorVersion          uint16
-	Name                  uint32
-	Base                  uint32
-	NumberOfFunctions     uint32
-	NumberOfNames         uint32
-	AddressOfFunctions    uint32 // RVA from base of image
-	AddressOfNames        uint32 // RVA from base of image
-	AddressOfNameOrdinals uint32 // RVA from base of image
-}
-
-type IMAGE_IMPORT_BY_NAME struct {
-	Hint uint16
-	Name [1]byte
-}
-
-func IMAGE_ORDINAL(ordinal uintptr) uintptr {
-	return ordinal & 0xffff
-}
-
-func IMAGE_SNAP_BY_ORDINAL(ordinal uintptr) bool {
-	return (ordinal & IMAGE_ORDINAL_FLAG) != 0
-}
-
-// Thread Local Storage
-type IMAGE_TLS_DIRECTORY struct {
-	StartAddressOfRawData uintptr
-	EndAddressOfRawData   uintptr
-	AddressOfIndex        uintptr // PDWORD
-	AddressOfCallbacks    uintptr // PIMAGE_TLS_CALLBACK *;
-	SizeOfZeroFill        uint32
-	Characteristics       uint32
-}
-
-type IMAGE_IMPORT_DESCRIPTOR struct {
-	characteristicsOrOriginalFirstThunk uint32 // 0 for terminating null import descriptor
-	// RVA to original unbound IAT (PIMAGE_THUNK_DATA)
-	TimeDateStamp uint32 // 0 if not bound,
-	// -1 if bound, and real date\time stamp
-	//     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
-	// O.W. date/time stamp of DLL bound to (Old BIND)
-	ForwarderChain uint32 // -1 if no forwarders
-	Name           uint32
-	FirstThunk     uint32 // RVA to IAT (if bound this IAT has actual addresses)
-}
-
-func (imgimpdesc *IMAGE_IMPORT_DESCRIPTOR) Characteristics() uint32 {
-	return imgimpdesc.characteristicsOrOriginalFirstThunk
-}
-
-func (imgimpdesc *IMAGE_IMPORT_DESCRIPTOR) OriginalFirstThunk() uint32 {
-	return imgimpdesc.characteristicsOrOriginalFirstThunk
-}
-
-const (
-	DLL_PROCESS_ATTACH = 1
-	DLL_THREAD_ATTACH  = 2
-	DLL_THREAD_DETACH  = 3
-	DLL_PROCESS_DETACH = 0
-)
-
-//sys	isBadReadPtr(addr uintptr, ucb uintptr) (ret bool) = kernel32.IsBadReadPtr
-
-type SYSTEM_INFO struct {
-	ProcessorArchitecture     uint16
-	Reserved                  uint16
-	PageSize                  uint32
-	MinimumApplicationAddress uintptr
-	MaximumApplicationAddress uintptr
-	ActiveProcessorMask       uintptr
-	NumberOfProcessors        uint32
-	ProcessorType             uint32
-	AllocationGranularity     uint32
-	ProcessorLevel            uint16
-	ProcessorRevision         uint16
-}
--- a/tun/wintun/memmod/syscall_windows_32.go
+++ b/tun/wintun/memmod/syscall_windows_32.go
@@ -1,45 +0,0 @@
-// +build windows,386 windows,arm
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-// Optional header format
-type IMAGE_OPTIONAL_HEADER struct {
-	Magic                       uint16
-	MajorLinkerVersion          uint8
-	MinorLinkerVersion          uint8
-	SizeOfCode                  uint32
-	SizeOfInitializedData       uint32
-	SizeOfUninitializedData     uint32
-	AddressOfEntryPoint         uint32
-	BaseOfCode                  uint32
-	BaseOfData                  uint32
-	ImageBase                   uintptr
-	SectionAlignment            uint32
-	FileAlignment               uint32
-	MajorOperatingSystemVersion uint16
-	MinorOperatingSystemVersion uint16
-	MajorImageVersion           uint16
-	MinorImageVersion           uint16
-	MajorSubsystemVersion       uint16
-	MinorSubsystemVersion       uint16
-	Win32VersionValue           uint32
-	SizeOfImage                 uint32
-	SizeOfHeaders               uint32
-	CheckSum                    uint32
-	Subsystem                   uint16
-	DllCharacteristics          uint16
-	SizeOfStackReserve          uintptr
-	SizeOfStackCommit           uintptr
-	SizeOfHeapReserve           uintptr
-	SizeOfHeapCommit            uintptr
-	LoaderFlags                 uint32
-	NumberOfRvaAndSizes         uint32
-	DataDirectory               [IMAGE_NUMBEROF_DIRECTORY_ENTRIES]IMAGE_DATA_DIRECTORY
-}
-
-const IMAGE_ORDINAL_FLAG uintptr = 0x80000000
--- a/tun/wintun/memmod/syscall_windows_64.go
+++ b/tun/wintun/memmod/syscall_windows_64.go
@@ -1,44 +0,0 @@
-// +build windows,amd64 windows,arm64
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
- */
-
-package memmod
-
-// Optional header format
-type IMAGE_OPTIONAL_HEADER struct {
-	Magic                       uint16
-	MajorLinkerVersion          uint8
-	MinorLinkerVersion          uint8
-	SizeOfCode                  uint32
-	SizeOfInitializedData       uint32
-	SizeOfUninitializedData     uint32
-	AddressOfEntryPoint         uint32
-	BaseOfCode                  uint32
-	ImageBase                   uintptr
-	SectionAlignment            uint32
-	FileAlignment               uint32
-	MajorOperatingSystemVersion uint16
-	MinorOperatingSystemVersion uint16
-	MajorImageVersion           uint16
-	MinorImageVersion           uint16
-	MajorSubsystemVersion       uint16
-	MinorSubsystemVersion       uint16
-	Win32VersionValue           uint32
-	SizeOfImage                 uint32
-	SizeOfHeaders               uint32
-	CheckSum                    uint32
-	Subsystem                   uint16
-	DllCharacteristics          uint16
-	SizeOfStackReserve          uintptr
-	SizeOfStackCommit           uintptr
-	SizeOfHeapReserve           uintptr
-	SizeOfHeapCommit            uintptr
-	LoaderFlags                 uint32
-	NumberOfRvaAndSizes         uint32
-	DataDirectory               [IMAGE_NUMBEROF_DIRECTORY_ENTRIES]IMAGE_DATA_DIRECTORY
-}
-
-const IMAGE_ORDINAL_FLAG uintptr = 0x8000000000000000
--- a/tun/wintun/memmod/zsyscall_windows.go
+++ b/tun/wintun/memmod/zsyscall_windows.go
@@ -1,50 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package memmod
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-	errERROR_EINVAL     error = syscall.EINVAL
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return errERROR_EINVAL
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
-
-	procIsBadReadPtr = modkernel32.NewProc("IsBadReadPtr")
-)
-
-func isBadReadPtr(addr uintptr, ucb uintptr) (ret bool) {
-	r0, _, _ := syscall.Syscall(procIsBadReadPtr.Addr(), 2, uintptr(addr), uintptr(ucb), 0)
-	ret = r0 != 0
-	return
-}
--- a/Show More
+++ b/Show More