Merge pull request #2449 from zerotier/dependabot/cargo/rustybits/openssl-0.10.72

Bump openssl from 0.10.70 to 0.10.72 in /rustybits
Merge branch 'dev' into dependabot/cargo/rustybits/openssl-0.10.72
2025-04-22 06:56:54 +02:00 · 2025-04-08 10:36:25 -07:00 · 2025-04-08 08:08:28 -07:00 · 2025-04-08 08:08:08 -07:00 · 2025-04-08 02:02:25 +00:00 · 2025-04-04 20:53:49 +00:00
1666 changed files with 352926 additions and 58733 deletions
--- a/.clang-format
+++ b/.clang-format
@ -0,0 +1,75 @@
 ---
 BasedOnStyle: LLVM
 BreakBeforeBraces: Stroustrup
 IndentWidth: 4
 TabWidth: 4
 AlignAfterOpenBracket: AlwaysBreak
 AlignConsecutiveMacros: 'true'
 AlignConsecutiveAssignments: 'false'
 AlignConsecutiveDeclarations: 'false'
 AlignEscapedNewlines: Right
 AlignOperands: 'true'
 AlignTrailingComments: 'true'
 AllowAllArgumentsOnNextLine: 'false'
 AllowAllConstructorInitializersOnNextLine: 'false'
 AllowAllParametersOfDeclarationOnNextLine: 'false'
 AllowShortBlocksOnASingleLine: 'true'
 AllowShortCaseLabelsOnASingleLine: 'false'
 AllowShortFunctionsOnASingleLine: None
 AllowShortIfStatementsOnASingleLine: Never
 AlwaysBreakAfterReturnType: None
 BinPackArguments: 'false'
 BinPackParameters: 'false'
 BreakBeforeBinaryOperators: NonAssignment
 BreakBeforeTernaryOperators: 'true'
 BreakConstructorInitializers: BeforeComma
 BreakInheritanceList: BeforeComma
 CompactNamespaces: 'false'
 ConstructorInitializerAllOnOneLineOrOnePerLine: 'true'
 ConstructorInitializerIndentWidth: '4'
 ContinuationIndentWidth: '4'
 Cpp11BracedListStyle: 'false'
 FixNamespaceComments: 'true'
 IncludeBlocks: Regroup
 IndentCaseLabels: 'true'
 IndentPPDirectives: None
 IndentWrappedFunctionNames: 'false'
 KeepEmptyLinesAtTheStartOfBlocks: 'false'
 MaxEmptyLinesToKeep: '1'
 NamespaceIndentation: None
 PointerAlignment: Left
 ReflowComments: 'true'
 SortIncludes: 'true'
 SortUsingDeclarations: 'true'
 SpaceAfterCStyleCast: 'false'
 SpaceAfterLogicalNot: 'true'
 SpaceAfterTemplateKeyword: 'true'
 SpaceBeforeAssignmentOperators: 'true'
 SpaceBeforeCpp11BracedList: 'true'
 SpaceBeforeCtorInitializerColon: 'true'
 SpaceBeforeInheritanceColon: 'true'
 SpaceBeforeParens: ControlStatements
 SpaceBeforeRangeBasedForLoopColon: 'true'
 SpaceInEmptyParentheses: 'false'
 SpacesBeforeTrailingComments: '3'
 SpacesInAngles: 'false'
 SpacesInCStyleCastParentheses: 'false'
 SpacesInContainerLiterals: 'true'
 SpacesInParentheses: 'false'
 SpacesInSquareBrackets: 'false'
 UseTab: 'Always'
 ---
 Language: Cpp
 Standard: Cpp03
 ColumnLimit: '240'
 ---
 Language: ObjC
 ColumnLimit: '240'
 ---
 Language: Java
 ColumnLimit: '240'
 ---
 Language: CSharp
 ColumnLimit: '240'
 ...
--- a/.clangd
+++ b/.clangd
@ -0,0 +1,6 @@
 CompileFlags:
  Add:
    - "-std=c++17"
    - "-I../ext"
    - "-I../ext/prometheus-cpp-lite-1.0/core/include"
    - "-I../ext/prometheus-cpp-lite-1.0/simpleapi/include"
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,2 @@
 .git/
 workspace/
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@ -0,0 +1,256 @@
 //
 // tweakables
 //
 local registry = "084037375216.dkr.ecr.us-east-2.amazonaws.com";
 local build_channel = "zerotier-builds";
 local release_channel = "zerotier-releases";
 local targets = [
    { "os": "linux", distro: "redhat", "name": "el9",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag", "custom" ] },
    { "os": "linux", distro: "redhat", "name": "el8",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
    { "os": "linux", distro: "redhat", "name": "el7",      "isas": [ "386",          "amd64",          "ppc64le"],                                  "events": [ "tag" ] },
    { "os": "linux", distro: "amazon", "name": "amzn2",    "isas": [                 "amd64", "arm64" ],                                            "events": [ "tag" ] },
    { "os": "linux", distro: "amazon", "name": "amzn2022", "isas": [                 "amd64", "arm64" ],                                            "events": [ "tag" ] },
    { "os": "linux", distro: "fedora", "name": "fc38",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
    { "os": "linux", distro: "fedora", "name": "fc37",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
    { "os": "linux", distro: "fedora", "name": "fc36",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
    { "os": "linux", distro: "ubuntu", "name": "jammy",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "tag" ] },
    { "os": "linux", distro: "ubuntu", "name": "focal",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "tag" ] },
    { "os": "linux", distro: "ubuntu", "name": "bionic",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
    { "os": "linux", distro: "ubuntu", "name": "xenial",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
    { "os": "linux", distro: "ubuntu", "name": "trusty",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "tag" ] },
    { "os": "linux", distro: "debian", "name": "bookworm", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "tag"] },
    { "os": "linux", distro: "debian", "name": "bullseye", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "push", "tag", "custom" ] },
    { "os": "linux", distro: "debian", "name": "buster",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "tag" ] },
    { "os": "linux", distro: "debian", "name": "stretch",  "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "tag" ] },
    { "os": "linux", distro: "debian", "name": "jessie",   "isas": [ "386", "armv7", "amd64" ],                                                     "events": [ "tag" ] },
 //   { "os": "windows", distro: "windows", "name": "windows",  "isas": [ "amd64" ], "events": [ "push", "tag", "custom" ] },
 //   { "os": "darwin", distro: "darwin", "name": "darwin",  "isas": [ "amd64" ], "events": [ "push", "tag", "custom" ] },
 ];
 local less_targets = [
      { "os": "linux", distro: "redhat", "name": "el9",      "isas": [                 "amd64", "arm64" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "redhat", "name": "el8",      "isas": [                 "amd64", "arm64" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "ubuntu", "name": "jammy",    "isas": [        "armv7", "amd64", "arm64" ],             "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "ubuntu", "name": "focal",    "isas": [        "armv7", "amd64", "arm64" ],             "events": [ "push", "tag", "custom" ] },
 ];
 local native_targets = [
      { "os": "linux", distro: "debian", "name": "bullseye", "isas": [ "386", "armv7", "amd64", "arm64" ],            "events": [ "push", "tag", "custom" ] },
 ];    
 local master_targets = [
      //
      // copypasta from here
      //
      { "os": "linux", distro: "redhat", "name": "el9",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "redhat", "name": "el8",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "redhat", "name": "el7",      "isas": [ "386", "amd64",          "ppc64le"],                                  "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "amazon", "name": "amzn2",    "isas": [                 "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "amazon", "name": "amzn2022", "isas": [                 "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "fedora", "name": "fc38",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "fedora", "name": "fc37",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "fedora", "name": "fc36",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "ubuntu", "name": "jammy",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "ubuntu", "name": "focal",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "ubuntu", "name": "bionic",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "ubuntu", "name": "xenial",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "ubuntu", "name": "trusty",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "debian", "name": "sid",      "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x", "riscv64" ], "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "debian", "name": "bookworm", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "debian", "name": "bullseye", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "debian", "name": "buster",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "debian", "name": "stretch",  "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
      { "os": "linux", distro: "debian", "name": "jessie",   "isas": [ "386", "armv7", "amd64" ],                                                     "events": [ "push", "tag", "custom" ] },
      { "os": "windows", distro: "windows", "name": "win2k22", "isas": [ "amd64" ],                                                                     "events": [ "push", "tag", "custom" ] }
 ];
 //
 // functions
 //
 local pipeline_type(os)  = if os == "darwin" then "exec" else "docker";
 local builder_image(os)  = if os == "linux" then registry + "/honda-builder" else registry + "/windows-builder";
 local tester_image(os)   = if os == "linux" then registry + "/honda-builder" else registry + "/windows-tester";
 local build_step_volumes(os) = if os == "linux" then [ { name: "zerotier-builds", path: "/zerotier-builds" } ] else [];
 local release_step_volumes(os) = if os == "linux" then [ { name: "zerotier-releases", path: "/zerotier-releases" } ] else [];
 local host_volumes(os)   = if os == "linux" then [
  { name: "zerotier-builds", host: { path: "/zerotier-builds" } },
  { name: "zerotier-releases", host: { path: "/zerotier-releases" } },
 ] else [];
 local index_image(distro) =
      if distro == "debian" || distro == "ubuntu" then
          registry + "/apt-builder"
      else if distro == "redhat" || distro == "fedora" || distro == "amazon" then
          registry + "/dnf-builder"
      else if distro == "windows" then
          registry + "/msi-builder"
 ;          
 local copy_commands(os, distro, name, isa, version) =
  if os == "linux" then [
      std.join(" ", [ "./ci/scripts/publish.sh", name, distro, isa, version, "${DRONE_BUILD_EVENT}" ])
    ]
    else if os == "windows" then [  
      "C:\\scripts\\fix-ec2-metadata.ps1",
      "Get-ChildItem windows",
      // "aws s3 cp windows\\bytey-SetupFiles\\bytey.msi s3://zerotier-builds/windows/" + version + "/bytey.msi",
    ] else if os == "darwin" then [
        "echo hello"
      ]
 ;
 local index_commands(os, channel, distro, name, isas) =
      if os == "linux" then
        [ "/usr/local/bin/index " + channel + " " + distro + " " + name  + " " + std.join(" ", isas) ]
      else if os == "windows" then
        [ "Get-ChildItem -Recurse windows" ]
 ;
 local build_commands(os, distro, name, isa, version) =
      if os == "linux" then
        [ std.join(" ", [ "./ci/scripts/build.sh", name, distro, isa, version, "${DRONE_BUILD_EVENT}" ]) ]
      else
        if os == "windows" then
           [ "windows/build.ps1", "windows/package.ps1" ]
      else
        if os == "darwin" then
           [ "whoami" ]
 ;
 local test_commands(os, distro, name, isa, version) =
  if os == "linux" then
    [ std.join(" ", [ "./ci/scripts/test.sh", name, distro, isa, version, "${DRONE_BUILD_EVENT}" ]) ]
  else
    if os == "windows" then
      [ "windows/testpackage.ps1 " + version ]
 ;
 //
 // render
 //
 local Build(os, distro, name, isa, events) = {
  "kind": "pipeline",
  "type": pipeline_type(os),
  "name": std.join(" ", [ name, isa, "build" ]),
  "pull": "always",
  "clone": { "depth": 1, [ if os == "darwin" then "disable" ]: true },
  "steps": [
    {
      "name": "build",
      "image": builder_image(os),
      "commands": build_commands(os, distro, name, isa, "100.0.0+${DRONE_COMMIT_SHA:0:8}"),
      "when": { "event": [ "push" ]},
    },
    {
      "name": "release",
      "image": builder_image(os),
      "commands": build_commands(os, distro, name, isa, "${DRONE_TAG}"),
      "when": { "event": [ "tag" ]},
    },    
    {
      "name": "copy build",
      "image": builder_image(os),
      "commands": copy_commands(os, distro, name, isa, "100.0.0+${DRONE_COMMIT_SHA:0:8}"),
      "volumes": build_step_volumes(os),
      "when": { "event": [ "push" ]},
    },
    {
      "name": "copy relase",
      "image": builder_image(os),
      "commands": copy_commands(os, distro, name, isa, "${DRONE_TAG}"),
      "volumes": release_step_volumes(os),
      "when": { "event": [ "tag" ]},      
    },    
  ],
  "volumes": host_volumes(os),
  "platform": { "os": os, [ if isa == "arm64" || isa == "armv7" then "arch" ]: "arm64" },
  "trigger": { "event": events }
 };
 local Test(os, distro, name, isa, events) = {
  "kind": "pipeline",
  "type": pipeline_type(os),
  "name": std.join(" ", [ name, isa, "test"]),
  "pull": "always",
  "clone": { "depth": 1 },
  "steps": [
    {
      "name": "test build",
      "image": tester_image(os),
      "volumes": build_step_volumes(os),
      "commands": test_commands(os, distro, name, isa, "100.0.0+${DRONE_COMMIT_SHA:0:8}"),
      "when": { "event": [ "push" ]},
    },
    {
      "name": "test release",
      "image": tester_image(os),
      "volumes": release_step_volumes(os),
      "commands": test_commands(os, distro, name, isa, "${DRONE_TAG}"),
      "when": { "event": [ "tag" ]},
    },    
  ],
  "volumes": host_volumes(os),
  "platform": { "os": os, [ if isa == "arm64" || isa == "armv7" then "arch" ]: "arm64" },
  "depends_on": [ std.join(" ", [ name, "index" ]) ],
  "trigger": { "event": events }
 };
 local Index(p) = {
  "kind": "pipeline",
  "type": pipeline_type(p.os),
  "name": std.join(" ", [ p.name, "index" ]),
  "pull": "always",
  "clone": { "depth": 1 },
  "steps": [
    {
      "name": "index build",
      "image": index_image(p.distro),
      "commands": index_commands(p.os, "zerotier-builds", p.distro, p.name, p.isas),
      "volumes": build_step_volumes(p.os),
      "environment":{ "GPG_PRIVATE_KEY": { from_secret: "gpg-private-key" }},
      "when": { "event": [ "push" ]},
    },
    {
      "name": "index release",
      "image": index_image(p.distro),
      "commands": index_commands(p.os, "zerotier-releases", p.distro, p.name, p.isas),
      "volumes": release_step_volumes(p.os),
      "environment":{ "GPG_PRIVATE_KEY": { from_secret: "gpg-private-key" }},
      "when": { "event": [ "tag" ]},  
    },    
  ],
  "volumes": host_volumes(p.os),
  "platform": { "os": p.os },
  depends_on: std.flattenArrays([ [ std.join(" ", [ p.name, isa, "build" ]) ] for isa in p.isas ]),
  "trigger": { "event": p.events }
 };
 //
 // print
 //
 std.flattenArrays([
    [
      Build(p.os, p.distro, p.name, isa, p.events)
        for isa in p.isas
    ] +
    [
      Index(p)
    ]
    for p in native_targets
 ]) +
 std.flattenArrays([
     [
        Test(p.os, p.distro, p.name, isa, p.events)
         for isa in p.isas
     ]
     for p in native_targets
 ])
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,465 @@
 ---
 clone:
  depth: 1
 kind: pipeline
 name: bullseye 386 build
 platform:
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/build.sh bullseye debian 386 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: build
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/build.sh bullseye debian 386 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: release
  when:
    event:
    - tag
 - commands:
  - ./ci/scripts/publish.sh bullseye debian 386 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/publish.sh bullseye debian 386 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy relase
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 kind: pipeline
 name: bullseye armv7 build
 platform:
  arch: arm64
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/build.sh bullseye debian armv7 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: build
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/build.sh bullseye debian armv7 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: release
  when:
    event:
    - tag
 - commands:
  - ./ci/scripts/publish.sh bullseye debian armv7 100.0.0+${DRONE_COMMIT_SHA:0:8}
    ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/publish.sh bullseye debian armv7 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy relase
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 kind: pipeline
 name: bullseye amd64 build
 platform:
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/build.sh bullseye debian amd64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: build
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/build.sh bullseye debian amd64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: release
  when:
    event:
    - tag
 - commands:
  - ./ci/scripts/publish.sh bullseye debian amd64 100.0.0+${DRONE_COMMIT_SHA:0:8}
    ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/publish.sh bullseye debian amd64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy relase
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 kind: pipeline
 name: bullseye arm64 build
 platform:
  arch: arm64
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/build.sh bullseye debian arm64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: build
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/build.sh bullseye debian arm64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: release
  when:
    event:
    - tag
 - commands:
  - ./ci/scripts/publish.sh bullseye debian arm64 100.0.0+${DRONE_COMMIT_SHA:0:8}
    ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/publish.sh bullseye debian arm64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: copy relase
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 depends_on:
 - bullseye 386 build
 - bullseye armv7 build
 - bullseye amd64 build
 - bullseye arm64 build
 kind: pipeline
 name: bullseye index
 platform:
  os: linux
 pull: always
 steps:
 - commands:
  - /usr/local/bin/index zerotier-builds debian bullseye 386 armv7 amd64 arm64
  environment:
    GPG_PRIVATE_KEY:
      from_secret: gpg-private-key
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/apt-builder
  name: index build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - /usr/local/bin/index zerotier-releases debian bullseye 386 armv7 amd64 arm64
  environment:
    GPG_PRIVATE_KEY:
      from_secret: gpg-private-key
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/apt-builder
  name: index release
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 depends_on:
 - bullseye index
 kind: pipeline
 name: bullseye 386 test
 platform:
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/test.sh bullseye debian 386 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/test.sh bullseye debian 386 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test release
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 depends_on:
 - bullseye index
 kind: pipeline
 name: bullseye armv7 test
 platform:
  arch: arm64
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/test.sh bullseye debian armv7 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/test.sh bullseye debian armv7 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test release
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 depends_on:
 - bullseye index
 kind: pipeline
 name: bullseye amd64 test
 platform:
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/test.sh bullseye debian amd64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/test.sh bullseye debian amd64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test release
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 clone:
  depth: 1
 depends_on:
 - bullseye index
 kind: pipeline
 name: bullseye arm64 test
 platform:
  arch: arm64
  os: linux
 pull: always
 steps:
 - commands:
  - ./ci/scripts/test.sh bullseye debian arm64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test build
  volumes:
  - name: zerotier-builds
    path: /zerotier-builds
  when:
    event:
    - push
 - commands:
  - ./ci/scripts/test.sh bullseye debian arm64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
  name: test release
  volumes:
  - name: zerotier-releases
    path: /zerotier-releases
  when:
    event:
    - tag
 trigger:
  event:
  - push
  - tag
  - custom
 type: docker
 volumes:
 - host:
    path: /zerotier-builds
  name: zerotier-builds
 - host:
    path: /zerotier-releases
  name: zerotier-releases
 ---
 kind: signature
 hmac: 887a3ef78d3fe8f0149911e1e4876401dd7dd313b36eb893e791fa42f45d7768
 ...
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,4 @@
 ext/bin/tap-windows-ndis6/x64/zttap300.inf eol=crlf
 ext/bin/tap-windows-ndis6/x64.old/zttap300.inf eol=crlf
 ext/bin/tap-windows-ndis6/x86/zttap300.inf eol=crlf
 windows/TapDriver6/zttap300.inf eol=crlf
--- a/.github/ISSUE_TEMPLATE/bugs-and-issues.md
+++ b/.github/ISSUE_TEMPLATE/bugs-and-issues.md
@ -0,0 +1,31 @@
 ---
 name: Bugs and Issues
 about: Create a report to help us improve
 title: ''
 labels: NEEDS TRIAGE
 assignees: ''
 ---
 # Before filing a Bug Report
 _Using these will ensure you get quicker support, and make this space available for code-related issues. Thank you!_
 - [Docs Site](https://docs.zerotier.com/zerotier/troubleshooting) => Troubleshooting, quickstarts, and more advanced topics.
 - [Discuss Forum](https://discuss.zerotier.com/) => Our discussion forum for users and support to mutually resolve issues & suggest ideas.
 - [Reddit](https://www.reddit.com/r/zerotier/) => Our subreddit, which we monitor regularly and is fairly active.
 - [Knowledge Base](https://zerotier.atlassian.net/wiki/spaces/SD/overview) => Older wiki.
 If you are having a connection issue, it's much easier to diagnose through the discussion forum or the ticket system. 
 # If you still want to file a Bug Report
 ## Please let us know
 - What you expect to be happening.
 - What is actually happening?
 - Any steps to reproduce the error.
 - Any relevant console output or screenshots.
 - What operating system and ZeroTier version. Please try the latest ZeroTier release. 
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,13 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: "[Feature Request] "
 labels: suggestion
 assignees: ''
 ---
 If there is something you'd like to have added to ZeroTier, to go to https://discuss.zerotier.com/c/feature-requests/ instead. Issues there can be voted on and discussed in-depth.
 Thank you!
--- a/.github/ISSUE_TEMPLATE/game-connection-issue.md
+++ b/.github/ISSUE_TEMPLATE/game-connection-issue.md
@ -0,0 +1,15 @@
 ---
 name: Game Connection Issue
 about: Game issues are better served by forum posts
 title: Please go to our Discuss or Reddit for game-related issues. Thanks!
 labels: wontfix
 assignees: ''
 ---
 Are you having trouble connecting to a game on your virtual network after installing ZeroTier?
 - [ ] Yes
 - [ ] No
 If you answered yes, then it is very likely that your question would be better answered on our [Community Forums](https://discuss.zerotier.com) or [Reddit](https://www.reddit.com/r/zerotier/) community; we monitor both regularly. We also have extensive documentation on our [Knowledge Base](https://zerotier.atlassian.net/wiki/spaces/SD/overview). Thank you!
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,126 @@
 on:
  pull_request:
  push:
  workflow_dispatch:
 jobs:
  build_ubuntu:
    runs-on: ubuntu-latest
    steps:
    - name: gitconfig
      run: |
        git config --global core.autocrlf input
      #        git config --global core.eol lf
    - name: checkout
      uses: actions/checkout@v4
    - name: Install Rust
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable
        targets: x86_64-unknown-linux-gnu
        components: rustfmt, clippy
    - name: Set up cargo cache
      uses: Swatinem/rust-cache@v2
      continue-on-error: false
      with:
        key: ${{ runner.os }}-cargo-${{ hashFiles('rustybits//Cargo.lock') }}
        shared-key: ${{ runner.os }}-cargo-
        workspaces: |
          rustybits/
    - name: make
      run: make
    - name: selftest
      run: |
        make selftest
        ./zerotier-selftest
    - name: 'Tar files' # keeps permissions (execute)
      run: tar -cvf zerotier-one.tar zerotier-one
    - name: Archive production artifacts
      uses: actions/upload-artifact@v4
      with:
        name: zerotier-one-ubuntu-x64
        path: zerotier-one.tar
        retention-days: 7
  build_macos:
    runs-on: macos-latest
    steps:
    - name: gitconfig
      run: |
        git config --global core.autocrlf input
      #        git config --global core.eol lf
    - name: checkout
      uses: actions/checkout@v4
    - name: Install Rust aarch64
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable
        target: aarch64-apple-darwin
        components: rustfmt, clippy
    - name: Install Rust x86_64
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable
        target: x86_64-apple-darwin
        components: rustfmt, clippy
    - name: Set up cargo cache
      uses: Swatinem/rust-cache@v2
      continue-on-error: false
      with:
        key: ${{ runner.os }}-cargo-${{ hashFiles('rustybits//Cargo.lock') }}
        shared-key: ${{ runner.os }}-cargo-
        workspaces: |
          rustybits/
    - name: make
      run: make
    - name: selftest
      run: |
        make selftest
        ./zerotier-selftest
    - name: 'Tar files' # keeps permissions (execute)
      run: tar -cvf zerotier-one.tar zerotier-one
    - name: Archive production artifacts
      uses: actions/upload-artifact@v4
      with:
        name: zerotier-one-mac
        path: zerotier-one.tar
        retention-days: 7
  build_windows:
    runs-on: windows-latest
    steps:
    - name: gitconfig
      run: |
        git config --global core.autocrlf true
      #        git config --global core.eol lf
    - name: checkout
      uses: actions/checkout@v4
    - name: Install Rust
      uses: dtolnay/rust-toolchain@stable
      with:
        toolchain: stable
        target: aarch64-apple-darwin
        components: rustfmt, clippy
    - name: Set up cargo cache
      uses: Swatinem/rust-cache@v2
      continue-on-error: false
      with:
        key: ${{ runner.os }}-cargo-${{ hashFiles('rustybits//Cargo.lock') }}
        shared-key: ${{ runner.os }}-cargo-
        workspaces: |
          rustybits/
    - name: setup msbuild
      uses: microsoft/setup-msbuild@v2
    - name: msbuild
      run: |
        msbuild windows\ZeroTierOne.sln /m /p:Configuration=Release  /property:Platform=x64 /t:ZeroTierOne
    - name: Archive production artifacts
      uses: actions/upload-artifact@v4
      with:
        name: zerotier-one-windows
        path: windows/Build
        retention-days: 7
--- a/.github/workflows/validate-linux.sh
+++ b/.github/workflows/validate-linux.sh
@ -0,0 +1,497 @@
 #!/bin/bash
 # This test script joins Earth and pokes some stuff
 TEST_NETWORK=8056c2e21c000001
 RUN_LENGTH=30
 TEST_FINISHED=false
 ZTO_VER=$(git describe --tags $(git rev-list --tags --max-count=1))
 ZTO_COMMIT=$(git rev-parse HEAD)
 ZTO_COMMIT_SHORT=$(git rev-parse --short HEAD)
 TEST_DIR_PREFIX="$ZTO_VER-$ZTO_COMMIT_SHORT-test-results"
 TEST_OK=0
 TEST_FAIL=1
 echo "Performing test on: $ZTO_VER-$ZTO_COMMIT_SHORT"
 TEST_FILEPATH_PREFIX="$TEST_DIR_PREFIX/$ZTO_COMMIT_SHORT"
 mkdir $TEST_DIR_PREFIX
 # How long we will wait for ZT to come online before considering it a failure
 MAX_WAIT_SECS=30
 ZT_PORT_NODE_1=9996
 ZT_PORT_NODE_2=9997
 ################################################################################
 # Multi-node connectivity and performance test                                 #
 ################################################################################
 test() {
 	echo -e "\nPerforming pre-flight checks"
 	check_exit_on_invalid_identity
 	echo -e "\nRunning test for $RUN_LENGTH seconds"
 	export NS1="ip netns exec ns1"
 	export NS2="ip netns exec ns2"
 	export ZT1="$NS1 ./zerotier-cli -p9996 -D$(pwd)/node1"
 	# Specify custom port on one node to ensure that feature works
 	export ZT2="$NS2 ./zerotier-cli -p9997 -D$(pwd)/node2"
 	echo -e "\nSetting up network namespaces..."
 	echo "Setting up ns1"
 	ip netns add ns1
 	$NS1 ip link set dev lo up
 	ip link add veth0 type veth peer name veth1
 	ip link set veth1 netns ns1
 	ip addr add 192.168.0.1/24 dev veth0
 	ip link set dev veth0 up
 	$NS1 ip addr add 192.168.0.2/24 dev veth1
 	$NS1 ip link set dev veth1 up
 	# Add default route
 	$NS1 ip route add default via 192.168.0.1
 	iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 \
 		-o eth0 -j MASQUERADE
 	iptables -A FORWARD -i eth0 -o veth0 -j ACCEPT
 	iptables -A FORWARD -o eth0 -i veth0 -j ACCEPT
 	echo "Setting up ns2"
 	ip netns add ns2
 	$NS2 ip link set dev lo up
 	ip link add veth2 type veth peer name veth3
 	ip link set veth3 netns ns2
 	ip addr add 192.168.1.1/24 dev veth2
 	ip link set dev veth2 up
 	$NS2 ip addr add 192.168.1.2/24 dev veth3
 	$NS2 ip link set dev veth3 up
 	$NS2 ip route add default via 192.168.1.1
 	iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 \
 		-o eth0 -j MASQUERADE
 	iptables -A FORWARD -i eth0 -o veth2 -j ACCEPT
 	iptables -A FORWARD -o eth0 -i veth2 -j ACCEPT
 	# Allow forwarding
 	sysctl -w net.ipv4.ip_forward=1
 	################################################################################
 	# Memory Leak Check                                                            #
 	################################################################################
 	export FILENAME_MEMORY_LOG="$TEST_FILEPATH_PREFIX-memory.log"
 	echo -e "\nStarting a ZeroTier instance in each namespace..."
 	export time_test_start=$(date +%s)
 	# Spam the CLI as ZeroTier is starting
 	spam_cli 100
 	echo "Starting memory leak check"
 	$NS1 sudo valgrind --demangle=yes --exit-on-first-error=yes \
 		--error-exitcode=1 \
 		--xml=yes \
 		--xml-file=$FILENAME_MEMORY_LOG \
 		--leak-check=full \
 		./zerotier-one node1 -p$ZT_PORT_NODE_1 -U >>node_1.log 2>&1 &
 	# Second instance, not run in memory profiler
 	# Don't set up internet access until _after_ zerotier is running
 	# This has been a source of stuckness in the past.
 	$NS2 ip addr del 192.168.1.2/24 dev veth3
 	$NS2 sudo ./zerotier-one node2 -U -p$ZT_PORT_NODE_2 >>node_2.log 2>&1 &
 	sleep 10; # New HTTP control plane is a bit sluggish, so we delay here
 	check_bind_to_correct_ports $ZT_PORT_NODE_1
 	check_bind_to_correct_ports $ZT_PORT_NODE_2
 	$NS2 ip addr add 192.168.1.2/24 dev veth3
 	$NS2 ip route add default via 192.168.1.1
 	echo -e "\nPing from host to namespaces"
 	ping -c 3 192.168.0.1
 	ping -c 3 192.168.1.1
 	echo -e "\nPing from namespace to host"
 	$NS1 ping -c 3 192.168.0.1
 	$NS1 ping -c 3 192.168.0.1
 	$NS2 ping -c 3 192.168.0.2
 	$NS2 ping -c 3 192.168.0.2
 	echo -e "\nPing from ns1 to ns2"
 	$NS1 ping -c 3 192.168.0.1
 	echo -e "\nPing from ns2 to ns1"
 	$NS2 ping -c 3 192.168.0.1
 	################################################################################
 	# Online Check                                                                 #
 	################################################################################
 	echo "Waiting for ZeroTier to come online before attempting test..."
 	node1_online=false
 	node2_online=false
 	both_instances_online=false
 	time_zt_node1_start=$(date +%s)
 	time_zt_node2_start=$(date +%s)
 	for ((s = 0; s <= $MAX_WAIT_SECS; s++)); do
 		node1_online="$($ZT1 -j info | jq '.online' 2>/dev/null)"
 		node2_online="$($ZT2 -j info | jq '.online' 2>/dev/null)"
 		echo "Checking for online status: try #$s, node1:$node1_online, node2:$node2_online"
 		if [[ "$node2_online" == "true" && "$node1_online" == "true" ]]; then
 			export both_instances_online=true
 			export time_to_both_nodes_online=$(date +%s)
 			break
 		fi
 		sleep 1
 	done
 	echo -e "\n\nContents of ZeroTier home paths:"
 	ls -lga node1
 	tree node1
 	ls -lga node2
 	tree node2
 	echo -e "\n\nRunning ZeroTier processes:"
 	echo -e "\nNode 1:\n"
 	$NS1 ps aux | grep zerotier-one
 	echo -e "\nNode 2:\n"
 	$NS2 ps aux | grep zerotier-one
 	echo -e "\n\nStatus of each instance:"
 	echo -e "\n\nNode 1:\n"
 	$ZT1 status
 	echo -e "\n\nNode 2:\n"
 	$ZT2 status
 	if [[ "$both_instances_online" != "true" ]]; then
 		exit_test_and_generate_report $TEST_FAIL "one or more nodes failed to come online"
 	fi
 	echo -e "\nJoining networks"
 	$ZT1 join $TEST_NETWORK
 	$ZT2 join $TEST_NETWORK
 	sleep 10
 	node1_ip4=$($ZT1 get $TEST_NETWORK ip4)
 	node2_ip4=$($ZT2 get $TEST_NETWORK ip4)
 	echo "node1_ip4=$node1_ip4"
 	echo "node2_ip4=$node2_ip4"
 	echo -e "\nPinging each node"
 	PING12_FILENAME="$TEST_FILEPATH_PREFIX-ping-1-to-2.txt"
 	PING21_FILENAME="$TEST_FILEPATH_PREFIX-ping-2-to-1.txt"
 	$NS1 ping -c 16 $node2_ip4 >$PING12_FILENAME
 	$NS2 ping -c 16 $node1_ip4 >$PING21_FILENAME
 	ping_loss_percent_1_to_2=$(cat $PING12_FILENAME |
 		grep "packet loss" | awk '{print $6}' | sed 's/%//')
 	ping_loss_percent_2_to_1=$(cat $PING21_FILENAME |
 		grep "packet loss" | awk '{print $6}' | sed 's/%//')
 	# Normalize loss value
 	export ping_loss_percent_1_to_2=$(echo "scale=2; $ping_loss_percent_1_to_2/100.0" | bc)
 	export ping_loss_percent_2_to_1=$(echo "scale=2; $ping_loss_percent_2_to_1/100.0" | bc)
 	################################################################################
 	# CLI Check                                                                    #
 	################################################################################
 	echo "Testing basic CLI functionality..."
 	spam_cli 10
 	$ZT1 join $TEST_NETWORK
 	$ZT1 -h
 	$ZT1 -v
 	$ZT1 status
 	$ZT1 info
 	$ZT1 listnetworks
 	$ZT1 peers
 	$ZT1 listpeers
 	$ZT1 -j status
 	$ZT1 -j info
 	$ZT1 -j listnetworks
 	$ZT1 -j peers
 	$ZT1 -j listpeers
 	$ZT1 dump
 	$ZT1 get $TEST_NETWORK allowDNS
 	$ZT1 get $TEST_NETWORK allowDefault
 	$ZT1 get $TEST_NETWORK allowGlobal
 	$ZT1 get $TEST_NETWORK allowManaged
 	$ZT1 get $TEST_NETWORK bridge
 	$ZT1 get $TEST_NETWORK broadcastEnabled
 	$ZT1 get $TEST_NETWORK dhcp
 	$ZT1 get $TEST_NETWORK id
 	$ZT1 get $TEST_NETWORK mac
 	$ZT1 get $TEST_NETWORK mtu
 	$ZT1 get $TEST_NETWORK name
 	$ZT1 get $TEST_NETWORK netconfRevision
 	$ZT1 get $TEST_NETWORK nwid
 	$ZT1 get $TEST_NETWORK portDeviceName
 	$ZT1 get $TEST_NETWORK portError
 	$ZT1 get $TEST_NETWORK status
 	$ZT1 get $TEST_NETWORK type
 	# Test an invalid command
 	$ZT1 get $TEST_NETWORK derpderp
 	# TODO: Validate JSON
 	# Performance Test
 	export FILENAME_PERF_JSON="$TEST_FILEPATH_PREFIX-iperf.json"
 	echo -e "\nBeginning performance test:"
 	echo -e "\nStarting server:"
 	echo "$NS1 iperf3 -s &"
 	sleep 1
 	echo -e "\nStarting client:"
 	sleep 1
 	echo "$NS2 iperf3 --json -c $node1_ip4 > $FILENAME_PERF_JSON"
 	cat $FILENAME_PERF_JSON
 	# Let ZeroTier idle long enough for various timers
 	echo -e "\nIdling ZeroTier for $RUN_LENGTH seconds..."
 	sleep $RUN_LENGTH
 	echo -e "\nLeaving networks"
 	$ZT1 leave $TEST_NETWORK
 	$ZT2 leave $TEST_NETWORK
 	sleep 5
 	exit_test_and_generate_report $TEST_OK "completed test"
 }
 ################################################################################
 # Generate report                                                              #
 ################################################################################
 exit_test_and_generate_report() {
 	echo -e "\nStopping memory check..."
 	sudo pkill -15 -f valgrind
 	sleep 10
 	time_test_end=$(date +%s)
 	echo "Exiting test with reason: $2 ($1)"
 	# Collect ZeroTier dump files
 	echo -e "\nCollecting ZeroTier dump files"
 	node1_id=$($ZT1 -j status | jq -r .address)
 	node2_id=$($ZT2 -j status | jq -r .address)
 	$ZT1 dump
 	mv zerotier_dump.txt "$TEST_FILEPATH_PREFIX-node-dump-$node1_id.txt"
 	$ZT2 dump
 	mv zerotier_dump.txt "$TEST_FILEPATH_PREFIX-node-dump-$node2_id.txt"
 	# Copy ZeroTier stdout/stderr logs
 	cp node_1.log "$TEST_FILEPATH_PREFIX-node-log-$node1_id.txt"
 	cp node_2.log "$TEST_FILEPATH_PREFIX-node-log-$node2_id.txt"
 	# Generate report
 	cat $FILENAME_MEMORY_LOG
 	DEFINITELY_LOST=$(xmlstarlet sel -t -v '/valgrindoutput/error/xwhat' \
 		$FILENAME_MEMORY_LOG | grep "definitely" | awk '{print $1;}')
 	POSSIBLY_LOST=$(xmlstarlet sel -t -v '/valgrindoutput/error/xwhat' \
 		$FILENAME_MEMORY_LOG | grep "possibly" | awk '{print $1;}')
 	# Generate coverage report artifact and summary
 	FILENAME_COVERAGE_JSON="$TEST_FILEPATH_PREFIX-coverage.json"
 	FILENAME_COVERAGE_HTML="$TEST_FILEPATH_PREFIX-coverage.html"
 	echo -e "\nGenerating coverage test report..."
 	gcovr -r . --exclude ext --json-summary $FILENAME_COVERAGE_JSON \
 		--html >$FILENAME_COVERAGE_HTML
 	cat $FILENAME_COVERAGE_JSON
 	COVERAGE_LINE_COVERED=$(cat $FILENAME_COVERAGE_JSON | jq .line_covered)
 	COVERAGE_LINE_TOTAL=$(cat $FILENAME_COVERAGE_JSON | jq .line_total)
 	COVERAGE_LINE_PERCENT=$(cat $FILENAME_COVERAGE_JSON | jq .line_percent)
 	COVERAGE_LINE_COVERED="${COVERAGE_LINE_COVERED:-0}"
 	COVERAGE_LINE_TOTAL="${COVERAGE_LINE_TOTAL:-0}"
 	COVERAGE_LINE_PERCENT="${COVERAGE_LINE_PERCENT:-0}"
 	# Default values
 	DEFINITELY_LOST="${DEFINITELY_LOST:-0}"
 	POSSIBLY_LOST="${POSSIBLY_LOST:-0}"
 	ping_loss_percent_1_to_2="${ping_loss_percent_1_to_2:-100.0}"
 	ping_loss_percent_2_to_1="${ping_loss_percent_2_to_1:-100.0}"
 	time_to_both_nodes_online="${time_to_both_nodes_online:--1}"
 	# Summarize and emit json for trend reporting
 	FILENAME_SUMMARY="$TEST_FILEPATH_PREFIX-summary.json"
 	time_length_test=$((time_test_end - time_test_start))
 	if [[ $time_to_both_nodes_online != -1 ]];
 	then
 		time_to_both_nodes_online=$((time_to_both_nodes_online - time_test_start))
 	fi
 	#time_length_zt_join=$((time_zt_join_end-time_zt_join_start))
 	#time_length_zt_leave=$((time_zt_leave_end-time_zt_leave_start))
 	#time_length_zt_can_still_ping=$((time_zt_can_still_ping-time_zt_leave_start))
 	summary=$(
 		cat <<EOF
 {
  "version":"$ZTO_VER",
  "commit":"$ZTO_COMMIT",
  "arch_m":"$(uname -m)",
  "arch_a":"$(uname -a)",
  "binary_size":"$(stat -c %s zerotier-one)",
  "time_length_test":$time_length_test,
  "time_to_both_nodes_online":$time_to_both_nodes_online,
  "num_possible_bytes_lost": $POSSIBLY_LOST,
  "num_definite_bytes_lost": $DEFINITELY_LOST,
  "num_bad_formattings": $POSSIBLY_LOST,
  "coverage_lines_covered": $COVERAGE_LINE_COVERED,
  "coverage_lines_total": $COVERAGE_LINE_TOTAL,
  "coverage_lines_percent": $COVERAGE_LINE_PERCENT,
  "ping_loss_percent_1_to_2": $ping_loss_percent_1_to_2,
  "ping_loss_percent_2_to_1": $ping_loss_percent_2_to_1,
  "test_exit_code": $1,
  "test_exit_reason":"$2"
 }
 EOF
 	)
 	echo $summary >$FILENAME_SUMMARY
 	cat $FILENAME_SUMMARY
 	exit 0
 }
 ################################################################################
 # CLI Check                                                                    #
 ################################################################################
 spam_cli() {
 	echo "Spamming CLI..."
 	# Rapidly spam the CLI with joins/leaves
 	MAX_TRIES="${1:-10}"
 	for ((s = 0; s <= MAX_TRIES; s++)); do
 		$ZT1 status
 		$ZT2 status
 		sleep 0.1
 	done
 	SPAM_TRIES=128
 	for ((s = 0; s <= SPAM_TRIES; s++)); do
 		$ZT1 join $TEST_NETWORK
 	done
 	for ((s = 0; s <= SPAM_TRIES; s++)); do
 		$ZT1 leave $TEST_NETWORK
 	done
 	for ((s = 0; s <= SPAM_TRIES; s++)); do
 		$ZT1 leave $TEST_NETWORK
 		$ZT1 join $TEST_NETWORK
 	done
 }
 ################################################################################
 # Check for proper exit on load of invalid identity                            #
 ################################################################################
 check_exit_on_invalid_identity() {
 	echo "Checking ZeroTier exits on invalid identity..."
 	mkdir -p $(pwd)/exit_test
 	ZT1="sudo ./zerotier-one -p9999 $(pwd)/exit_test"
 	echo "asdfasdfasdfasdf" > $(pwd)/exit_test/identity.secret
 	echo "asdfasdfasdfasdf" > $(pwd)/exit_test/authtoken.secret
 	echo "Launch ZeroTier with an invalid identity"
 	$ZT1 &
 	my_pid=$!
 	echo "Waiting 5 seconds"
 	sleep 5
 	# check if process is running
 	kill -0 $my_pid
 	if [ $? -eq 0 ]; then
 		exit_test_and_generate_report $TEST_FAIL "Exit test FAILED: Process still running after being fed an invalid identity"
 	fi
 }
 ################################################################################
 # Check that we're binding to the primary port for TCP/TCP6/UDP                #
 ################################################################################
 check_bind_to_correct_ports() {
 	PORT_NUMBER=$1
 	echo "Checking bound ports:"
 	sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier"
 	if [[ $(sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier" | grep "tcp") ]];
 	then
 		:
 	else
 		exit_test_and_generate_report $TEST_FAIL "ZeroTier did not bind to tcp/$1"
 	fi
 	if [[ $(sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier" | grep "tcp6") ]];
 	then
 		:
 	else
 		exit_test_and_generate_report $TEST_FAIL "ZeroTier did not bind to tcp6/$1"
 	fi
 	if [[ $(sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier" | grep "udp") ]];
 	then
 		:
 	else
 		exit_test_and_generate_report $TEST_FAIL "ZeroTier did not bind to udp/$1"
 	fi
 }
 test "$@"
--- a/.github/workflows/validate-report.sh
+++ b/.github/workflows/validate-report.sh
@ -0,0 +1,24 @@
 #!/bin/bash
 ################################################################################
 # Set exit code depending on tool reports                                      #
 ################################################################################
 DEFINITELY_LOST=$(cat *test-results/*summary.json | jq .num_definite_bytes_lost)
 EXIT_CODE=$(cat *test-results/*summary.json | jq .exit_code)
 EXIT_REASON=$(cat *test-results/*summary.json | jq .exit_reason)
 cat *test-results/*summary.json
 echo -e "\nBytes of memory definitely lost: $DEFINITELY_LOST"
 if [[ "$DEFINITELY_LOST" -gt 0 ]]; then
      exit 1
 fi
 # Catch-all for other non-zero exit codes
 if [[ "$EXIT_CODE" -gt 0 ]]; then
      echo "Test failed: $EXIT_REASON"
      exit 1
 fi
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@ -0,0 +1,57 @@
 on:
  pull_request:
  push:
  workflow_dispatch:
 jobs:
  build_ubuntu:
    runs-on: ubuntu-latest
    steps:
    - name: gitconfig
      run: |
        git config --global core.autocrlf input
    - name: checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0
    - name: Install Rust
      uses: actions-rs/toolchain@v1
      with:
        toolchain: stable
        target: x86_64-unknown-linux-gnu
        override: true
        components: rustfmt, clippy
    - name: Set up cargo cache
      uses: Swatinem/rust-cache@v2
      continue-on-error: false
      with:
        key: ${{ runner.os }}-cargo-${{ hashFiles('zeroidc//Cargo.lock') }}
        shared-key: ${{ runner.os }}-cargo-
        workspaces: |
          zeroidc/
    - name: validate-1m-linux
      env:
        CC: 'gcc'
        CXX: 'g++'
        BRANCH: ${{  github.ref_name }}
      run: |
        sudo apt install -y valgrind xmlstarlet gcovr iperf3 tree
        make one ZT_COVERAGE=1 ZT_TRACE=1
        sudo chmod +x ./.github/workflows/validate-linux.sh
        sudo ./.github/workflows/validate-linux.sh
    - name: Archive test results
      uses: actions/upload-artifact@v4
      with:
        name: ${{github.sha}}-test-results
        path: "*test-results*"
    - name: final-report
      run: |
        sudo chmod +x ./.github/workflows/validate-report.sh
        sudo ./.github/workflows/validate-report.sh
--- a/.gitignore
+++ b/.gitignore
@ -4,6 +4,12 @@
 /zerotier-cli
 /zerotier-selftest
 /zerotier
 /nltest
 # IDE stuff
 /.idea
 /.nova
 /compile_commands.json
 # OS-created garbage files from various platforms
 .DS_Store
@ -29,10 +35,8 @@ Thumbs.db
 /windows/WebUIWrapper/obj
 /windows/lib
 /ext/installfiles/windows/ZeroTier One-SetupFiles
 /ext/installfiles/windows/Prerequisites
 /ext/installfiles/windows/*-cache
 /ZeroTier One.msi
 /windows/.vs
 *.vcxproj.backup
 /windows/TapDriver6/Win7Debug
 /windows/TapDriver6/win7Release
@ -41,6 +45,7 @@ Thumbs.db
 enc_temp_folder
 /windows/copyutil/bin
 /windows/copyutil/obj
 .vs/
 # *nix/Mac build droppings
 /build-*
@ -50,13 +55,13 @@ enc_temp_folder
 /world/mkworld
 /world/*.c25519
 zt1-src.tar.gz
 /MacEthernetTapAgent
 # Miscellaneous temporaries, build files, etc.
 *.log
 *.opensdf
 *.user
 *.cache
 *.obj
 *.tlog
 *.pid
 *.pkg
@ -101,7 +106,6 @@ windows/ZeroTierOne/Debug/
 *.swp
 *~.nib
 DerivedData/
 build/
 *.pbxuser
 *.mode1v3
 *.mode2v3
@ -112,7 +116,27 @@ build/
 !default.perspectivev3
 *.xccheckout
 xcuserdata/
 ext/librethinkdbxx/build
 .vscode
 __pycache__
 *~
 attic/world/*.c25519
 attic/world/mkworld
 workspace/
 workspace2/
 zeroidc/target/
 tcp-proxy/target
 #snapcraft specifics
 /parts/
 /stage/
 /prime/
 *.snap
 .snapcraft
 __pycache__
 *.pyc
 *_source.tar.bz2
 snap/.snapcraft
 tcp-proxy/tcp-proxy
 rustybits/target
--- a/.kick
+++ b/.kick
@ -0,0 +1,14 @@
 kick
 kick
 kick
 kick
 kick
 kick
 kick
 kick
 kick
 kick
 kick
 kick
 kick
 kick
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -1,7 +1,10 @@
 # Authors and Third Party Code Licensing Information
 ## Primary Authors
 * ZeroTier Core and ZeroTier One virtual networking service<br>
   Adam Ierymenko / adam.ierymenko@zerotier.com
   Joseph Henry / joseph.henry@zerotier.com (QoS and multipath)
 * Java JNI Interface to enable Android application development, and Android app itself (code for that is elsewhere)<br>
   Grant Limberg / glimberg@gmail.com
@ -25,7 +28,7 @@
 ## Third-Party Code
-ZeroTier includes the following third party code, either in ext/ or incorporated into the ZeroTier core.
+ZeroTier includes the following third party code, either in ext/ or incorporated into the ZeroTier core. This third party code remains licensed under its original license and is not subject to ZeroTier's BSL license.
 * LZ4 compression algorithm by Yann Collet
@ -45,13 +48,6 @@ ZeroTier includes the following third party code, either in ext/ or incorporated
   * Home page: https://github.com/nlohmann/json
   * License grant: MIT
 * TunTapOSX by Mattias Nissler
   * Files: ext/tap-mac/tuntap/*
   * Home page: http://tuntaposx.sourceforge.net/
   * License grant: BSD attribution no-endorsement
   * ZeroTier Modifications: change interface name to zt#, increase max MTU, increase max devices
 * tap-windows6 by the OpenVPN project
   * Files: windows/TapDriver6/*
@ -71,3 +67,9 @@ ZeroTier includes the following third party code, either in ext/ or incorporated
   * Files: ext/libnatpmp/* ext/miniupnpc/*
   * Home page: http://miniupnp.free.fr/
   * License grant: BSD attribution no-endorsement
 * cpp-httplib by yhirose
   * Files: ext/cpp-httplib/*
   * Home page: https://github.com/yhirose/cpp-httplib
   * License grant: MIT
--- a/11
+++ b/11
@ -1,13 +1,8 @@
 ZeroTier One, an endpoint server for the ZeroTier virtual network layer.
-Copyright © 2011–2018 ZeroTier, Inc.
+Copyright © 2011–2019 ZeroTier, Inc.
-ZeroTier One is free software: you can redistribute it and/or modify
+ZeroTier is released under the terms of the BSL version 1.1. See the
-it under the terms of the GNU General Public License as published by
+file LICENSE.txt for details.
 the Free Software Foundation; either version 3 of the License, or (at
 your option) any later version.
 See the file ‘LICENSE.GPL-3’ for the text of the GNU GPL version 3.
 If that file is not present, see <http://www.gnu.org/licenses/>.
 ..
    Local variables:
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@ -0,0 +1,28 @@
 # vim: ft=dockerfile
 FROM ubuntu:21.04 as stage
 RUN apt-get update -qq && apt-get -qq install make clang
 COPY . .
 RUN /usr/bin/make
 RUN echo $PWD
 RUN cp zerotier-one /usr/sbin
 FROM ubuntu:21.04
 COPY --from=stage /zerotier-one /usr/sbin
 RUN ln -sf /usr/sbin/zerotier-one /usr/sbin/zerotier-idtool
 RUN ln -sf /usr/sbin/zerotier-one /usr/sbin/zerotier-cli
 RUN echo "${VERSION}" > /etc/zerotier-version
 RUN rm -rf /var/lib/zerotier-one
 RUN apt-get -qq update
 RUN apt-get -qq install iproute2 net-tools fping 2ping iputils-ping iputils-arping
 COPY entrypoint.sh.release /entrypoint.sh
 RUN chmod 755 /entrypoint.sh
 CMD []
 ENTRYPOINT ["/entrypoint.sh"]
--- a/Dockerfile.release
+++ b/Dockerfile.release
@ -0,0 +1,23 @@
 # vim: ft=dockerfile
 FROM debian:bookworm
 ARG VERSION
 RUN apt-get update -qq && apt-get install curl gpg -y
 RUN mkdir -p /usr/share/zerotier && \
    curl -o /usr/share/zerotier/tmp.asc "https://download.zerotier.com/contact%40zerotier.com.gpg" && \
    gpg --no-default-keyring --keyring /usr/share/zerotier/zerotier.gpg --import /usr/share/zerotier/tmp.asc && \
    rm -f /usr/share/zerotier/tmp.asc && \
    echo "deb [signed-by=/usr/share/zerotier/zerotier.gpg] http://download.zerotier.com/debian/bookworm bookworm main" > /etc/apt/sources.list.d/zerotier.list
 RUN apt-get update -qq && apt-get install zerotier-one=${VERSION} curl iproute2 net-tools iputils-ping openssl libssl3 -y
 RUN rm -rf /var/lib/zerotier-one
 COPY entrypoint.sh.release /entrypoint.sh
 RUN chmod 755 /entrypoint.sh
 HEALTHCHECK --interval=1s CMD bash /healthcheck.sh
 CMD []
 ENTRYPOINT ["/entrypoint.sh"]
--- a/84
+++ b/84
@ -1,84 +0,0 @@
 #!/usr/bin/env groovy
 node('master') {
    checkout scm
    def changelog = getChangeLog currentBuild
    mattermostSend "Building ${env.JOB_NAME} #${env.BUILD_NUMBER} \n Change Log: \n ${changelog}"
 }
 parallel 'centos7': {
    node('centos7') {
        try {
            checkout scm
 	        stage('Build Centos 7') {
                sh 'make -f make-linux.mk'
            }
        }
        catch (err) {
            currentBuild.result = "FAILURE"
            mattermostSend color: '#ff0000', message: "${env.JOB_NAME} broken on Centos 7 (<${env.BUILD_URL}|Open>)"
            throw err
        }
    }
 }, 'android-ndk': {
    node('android-ndk') {
        try {
            checkout scm
            stage('Build Android NDK') { 
                sh "/android/android-ndk-r15b/ndk-build -C $WORKSPACE/java ZT1=${WORKSPACE}"
            }
        }
        catch (err) {
            currentBuild.result = "FAILURE"
            mattermostSend color: '#ff0000', message: "${env.JOB_NAME} broken on Android NDK (<${env.BUILD_URL}|Open>)"
            throw err
        }
    }
 }, 'macOS': {
    node('macOS') {
        try {
            checkout scm
            stage('Build macOS') {
                sh 'make -f make-mac.mk'
            }
            stage('Build macOS UI') {
                sh 'cd macui && xcodebuild -target "ZeroTier One" -configuration Debug'
            }
        }
        catch (err) {
            currentBuild.result = "FAILURE"
            mattermostSend color: '#ff0000', message: "${env.JOB_NAME} broken on macOS (<${env.BUILD_URL}|Open>)"
            throw err
        }
    }
 }, 'windows': {
    node('windows') {
        try {
            checkout scm
            stage('Build Windows') {
                bat '''CALL "C:\\Program Files (x86)\\Microsoft Visual Studio 14.0\\VC\\vcvarsall.bat" amd64
 git clean -dfx
 msbuild windows\\ZeroTierOne.sln
 '''
            }
        }
        catch (err) {
            currentBuild.result = "FAILURE"
            mattermostSend color: '#ff0000', message: "${env.JOB_NAME} broken on Windows (<${env.BUILD_URL}|Open>)"
            throw err
        }
    }
 }
 mattermostSend color: "#00ff00", message: "${env.JOB_NAME} #${env.BUILD_NUMBER} Complete (<${env.BUILD_URL}|Show More...>)"
--- a/LICENSE.GPL-2
+++ b/LICENSE.GPL-2
@ -1,339 +0,0 @@
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
                            Preamble
  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
 License is intended to guarantee your freedom to share and change free
 software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
 the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 this service if you wish), that you receive source code or can get it
 if you want it, that you can change the software or use pieces of it
 in new free programs; and that you know you can do these things.
  To protect your rights, we need to make restrictions that forbid
 anyone to deny you these rights or to ask you to surrender the rights.
 These restrictions translate to certain responsibilities for you if you
 distribute copies of the software, or if you modify it.
  For example, if you distribute copies of such a program, whether
 gratis or for a fee, you must give the recipients all the rights that
 you have.  You must make sure that they, too, receive or can get the
 source code.  And you must show them these terms so they know their
 rights.
  We protect your rights with two steps: (1) copyright the software, and
 (2) offer you this license which gives you legal permission to copy,
 distribute and/or modify the software.
  Also, for each author's protection and ours, we want to make certain
 that everyone understands that there is no warranty for this free
 software.  If the software is modified by someone else and passed on, we
 want its recipients to know that what they have is not the original, so
 that any problems introduced by others will not reflect on the original
 authors' reputations.
  Finally, any free program is threatened constantly by software
 patents.  We wish to avoid the danger that redistributors of a free
 program will individually obtain patent licenses, in effect making the
 program proprietary.  To prevent this, we have made it clear that any
 patent must be licensed for everyone's free use or not licensed at all.
  The precise terms and conditions for copying, distribution and
 modification follow.
                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  0. This License applies to any program or other work which contains
 a notice placed by the copyright holder saying it may be distributed
 under the terms of this General Public License.  The "Program", below,
 refers to any such program or work, and a "work based on the Program"
 means either the Program or any derivative work under copyright law:
 that is to say, a work containing the Program or a portion of it,
 either verbatim or with modifications and/or translated into another
 language.  (Hereinafter, translation is included without limitation in
 the term "modification".)  Each licensee is addressed as "you".
 Activities other than copying, distribution and modification are not
 covered by this License; they are outside its scope.  The act of
 running the Program is not restricted, and the output from the Program
 is covered only if its contents constitute a work based on the
 Program (independent of having been made by running the Program).
 Whether that is true depends on what the Program does.
  1. You may copy and distribute verbatim copies of the Program's
 source code as you receive it, in any medium, provided that you
 conspicuously and appropriately publish on each copy an appropriate
 copyright notice and disclaimer of warranty; keep intact all the
 notices that refer to this License and to the absence of any warranty;
 and give any other recipients of the Program a copy of this License
 along with the Program.
 You may charge a fee for the physical act of transferring a copy, and
 you may at your option offer warranty protection in exchange for a fee.
  2. You may modify your copy or copies of the Program or any portion
 of it, thus forming a work based on the Program, and copy and
 distribute such modifications or work under the terms of Section 1
 above, provided that you also meet all of these conditions:
    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.
    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.
    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
 themselves, then this License, and its terms, do not apply to those
 sections when you distribute them as separate works.  But when you
 distribute the same sections as part of a whole which is a work based
 on the Program, the distribution of the whole must be on the terms of
 this License, whose permissions for other licensees extend to the
 entire whole, and thus to each and every part regardless of who wrote it.
 Thus, it is not the intent of this section to claim rights or contest
 your rights to work written entirely by you; rather, the intent is to
 exercise the right to control the distribution of derivative or
 collective works based on the Program.
 In addition, mere aggregation of another work not based on the Program
 with the Program (or with a work based on the Program) on a volume of
 a storage or distribution medium does not bring the other work under
 the scope of this License.
  3. You may copy and distribute the Program (or a work based on it,
 under Section 2) in object code or executable form under the terms of
 Sections 1 and 2 above provided that you also do one of the following:
    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,
    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,
    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)
 The source code for a work means the preferred form of the work for
 making modifications to it.  For an executable work, complete source
 code means all the source code for all modules it contains, plus any
 associated interface definition files, plus the scripts used to
 control compilation and installation of the executable.  However, as a
 special exception, the source code distributed need not include
 anything that is normally distributed (in either source or binary
 form) with the major components (compiler, kernel, and so on) of the
 operating system on which the executable runs, unless that component
 itself accompanies the executable.
 If distribution of executable or object code is made by offering
 access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
 void, and will automatically terminate your rights under this License.
 However, parties who have received copies, or rights, from you under
 this License will not have their licenses terminated so long as such
 parties remain in full compliance.
  5. You are not required to accept this License, since you have not
 signed it.  However, nothing else grants you permission to modify or
 distribute the Program or its derivative works.  These actions are
 prohibited by law if you do not accept this License.  Therefore, by
 modifying or distributing the Program (or any work based on the
 Program), you indicate your acceptance of this License to do so, and
 all its terms and conditions for copying, distributing or modifying
 the Program or works based on it.
  6. Each time you redistribute the Program (or any work based on the
 Program), the recipient automatically receives a license from the
 original licensor to copy, distribute or modify the Program subject to
 these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties to
 this License.
  7. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot
 distribute so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you
 may not distribute the Program at all.  For example, if a patent
 license would not permit royalty-free redistribution of the Program by
 all those who receive copies directly or indirectly through you, then
 the only way you could satisfy both it and this License would be to
 refrain entirely from distribution of the Program.
 If any portion of this section is held invalid or unenforceable under
 any particular circumstance, the balance of the section is intended to
 apply and the section as a whole is intended to apply in other
 circumstances.
 It is not the purpose of this section to induce you to infringe any
 patents or other property right claims or to contest validity of any
 such claims; this section has the sole purpose of protecting the
 integrity of the free software distribution system, which is
 implemented by public license practices.  Many people have made
 generous contributions to the wide range of software distributed
 through that system in reliance on consistent application of that
 system; it is up to the author/donor to decide if he or she is willing
 to distribute software through any other system and a licensee cannot
 impose that choice.
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
 may add an explicit geographical distribution limitation excluding
 those countries, so that distribution is permitted only in or among
 countries not thus excluded.  In such case, this License incorporates
 the limitation as if written in the body of this License.
  9. The Free Software Foundation may publish revised and/or new versions
 of the General Public License from time to time.  Such new versions will
 be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
 Each version is given a distinguishing version number.  If the Program
 specifies a version number of this License which applies to it and "any
 later version", you have the option of following the terms and conditions
 either of that version or of any later version published by the Free
 Software Foundation.  If the Program does not specify a version number of
 this License, you may choose any version ever published by the Free Software
 Foundation.
  10. If you wish to incorporate parts of the Program into other free
 programs whose distribution conditions are different, write to the author
 to ask for permission.  For software which is copyrighted by the Free
 Software Foundation, write to the Free Software Foundation; we sometimes
 make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
                            NO WARRANTY
  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
 OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
 PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
 OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
 PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
 REPAIR OR CORRECTION.
  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
 REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
 OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
 TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
 YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 Also add information on how to contact you by electronic and paper mail.
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License.  Of course, the commands you use may
 be called something other than `show w' and `show c'; they could even be
 mouse-clicks or menu items--whatever suits your program.
 You should also get your employer (if you work as a programmer) or your
 school, if any, to sign a "copyright disclaimer" for the program, if
 necessary.  Here is a sample; alter the names:
  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.
  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
 library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.
--- a/LICENSE.GPL-3
+++ b/LICENSE.GPL-3
@ -1,674 +0,0 @@
                    GNU GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007
 Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
                            Preamble
  The GNU General Public License is a free, copyleft license for
 software and other kinds of works.
  The licenses for most software and other practical works are designed
 to take away your freedom to share and change the works.  By contrast,
 the GNU General Public License is intended to guarantee your freedom to
 share and change all versions of a program--to make sure it remains free
 software for all its users.  We, the Free Software Foundation, use the
 GNU General Public License for most of our software; it applies also to
 any other work released this way by its authors.  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.
  To protect your rights, we need to prevent others from denying you
 these rights or asking you to surrender the rights.  Therefore, you have
 certain responsibilities if you distribute copies of the software, or if
 you modify it: responsibilities to respect the freedom of others.
  For example, if you distribute copies of such a program, whether
 gratis or for a fee, you must pass on to the recipients the same
 freedoms that you received.  You must make sure that they, too, receive
 or can get the source code.  And you must show them these terms so they
 know their rights.
  Developers that use the GNU GPL protect your rights with two steps:
 (1) assert copyright on the software, and (2) offer you this License
 giving you legal permission to copy, distribute and/or modify it.
  For the developers' and authors' protection, the GPL clearly explains
 that there is no warranty for this free software.  For both users' and
 authors' sake, the GPL requires that modified versions be marked as
 changed, so that their problems will not be attributed erroneously to
 authors of previous versions.
  Some devices are designed to deny users access to install or run
 modified versions of the software inside them, although the manufacturer
 can do so.  This is fundamentally incompatible with the aim of
 protecting users' freedom to change the software.  The systematic
 pattern of such abuse occurs in the area of products for individuals to
 use, which is precisely where it is most unacceptable.  Therefore, we
 have designed this version of the GPL to prohibit the practice for those
 products.  If such problems arise substantially in other domains, we
 stand ready to extend this provision to those domains in future versions
 of the GPL, as needed to protect the freedom of users.
  Finally, every program is threatened constantly by software patents.
 States should not allow patents to restrict development and use of
 software on general-purpose computers, but in those that do, we wish to
 avoid the special danger that patents applied to a free program could
 make it effectively proprietary.  To prevent this, the GPL assures that
 patents cannot be used to render the program non-free.
  The precise terms and conditions for copying, distribution and
 modification follow.
                       TERMS AND CONDITIONS
  0. Definitions.
  "This License" refers to version 3 of the GNU General Public License.
  "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
  "The Program" refers to any copyrightable work licensed under this
 License.  Each licensee is addressed as "you".  "Licensees" and
 "recipients" may be individuals or organizations.
  To "modify" a work means to copy from or adapt all or part of the work
 in a fashion requiring copyright permission, other than the making of an
 exact copy.  The resulting work is called a "modified version" of the
 earlier work or a work "based on" the earlier work.
  A "covered work" means either the unmodified Program or a work based
 on the Program.
  To "propagate" a work means to do anything with it that, without
 permission, would make you directly or secondarily liable for
 infringement under applicable copyright law, except executing it on a
 computer or modifying a private copy.  Propagation includes copying,
 distribution (with or without modification), making available to the
 public, and in some countries other activities as well.
  To "convey" a work means any kind of propagation that enables other
 parties to make or receive copies.  Mere interaction with a user through
 a computer network, with no transfer of a copy, is not conveying.
  An interactive user interface displays "Appropriate Legal Notices"
 to the extent that it includes a convenient and prominently visible
 feature that (1) displays an appropriate copyright notice, and (2)
 tells the user that there is no warranty for the work (except to the
 extent that warranties are provided), that licensees may convey the
 work under this License, and how to view a copy of this License.  If
 the interface presents a list of user commands or options, such as a
 menu, a prominent item in the list meets this criterion.
  1. Source Code.
  The "source code" for a work means the preferred form of the work
 for making modifications to it.  "Object code" means any non-source
 form of a work.
  A "Standard Interface" means an interface that either is an official
 standard defined by a recognized standards body, or, in the case of
 interfaces specified for a particular programming language, one that
 is widely used among developers working in that language.
  The "System Libraries" of an executable work include anything, other
 than the work as a whole, that (a) is included in the normal form of
 packaging a Major Component, but which is not part of that Major
 Component, and (b) serves only to enable use of the work with that
 Major Component, or to implement a Standard Interface for which an
 implementation is available to the public in source code form.  A
 "Major Component", in this context, means a major essential component
 (kernel, window system, and so on) of the specific operating system
 (if any) on which the executable work runs, or a compiler used to
 produce the work, or an object code interpreter used to run it.
  The "Corresponding Source" for a work in object code form means all
 the source code needed to generate, install, and (for an executable
 work) run the object code and to modify the work, including scripts to
 control those activities.  However, it does not include the work's
 System Libraries, or general-purpose tools or generally available free
 programs which are used unmodified in performing those activities but
 which are not part of the work.  For example, Corresponding Source
 includes interface definition files associated with source files for
 the work, and the source code for shared libraries and dynamically
 linked subprograms that the work is specifically designed to require,
 such as by intimate data communication or control flow between those
 subprograms and other parts of the work.
  The Corresponding Source need not include anything that users
 can regenerate automatically from other parts of the Corresponding
 Source.
  The Corresponding Source for a work in source code form is that
 same work.
  2. Basic Permissions.
  All rights granted under this License are granted for the term of
 copyright on the Program, and are irrevocable provided the stated
 conditions are met.  This License explicitly affirms your unlimited
 permission to run the unmodified Program.  The output from running a
 covered work is covered by this License only if the output, given its
 content, constitutes a covered work.  This License acknowledges your
 rights of fair use or other equivalent, as provided by copyright law.
  You may make, run and propagate covered works that you do not
 convey, without conditions so long as your license otherwise remains
 in force.  You may convey covered works to others for the sole purpose
 of having them make modifications exclusively for you, or provide you
 with facilities for running those works, provided that you comply with
 the terms of this License in conveying all material for which you do
 not control copyright.  Those thus making or running the covered works
 for you must do so exclusively on your behalf, under your direction
 and control, on terms that prohibit them from making any copies of
 your copyrighted material outside their relationship with you.
  Conveying under any other circumstances is permitted solely under
 the conditions stated below.  Sublicensing is not allowed; section 10
 makes it unnecessary.
  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
  No covered work shall be deemed part of an effective technological
 measure under any applicable law fulfilling obligations under article
 11 of the WIPO copyright treaty adopted on 20 December 1996, or
 similar laws prohibiting or restricting circumvention of such
 measures.
  When you convey a covered work, you waive any legal power to forbid
 circumvention of technological measures to the extent such circumvention
 is effected by exercising rights under this License with respect to
 the covered work, and you disclaim any intention to limit operation or
 modification of the work as a means of enforcing, against the work's
 users, your or third parties' legal rights to forbid circumvention of
 technological measures.
  4. Conveying Verbatim Copies.
  You may convey verbatim copies of the Program's source code as you
 receive it, in any medium, provided that you conspicuously and
 appropriately publish on each copy an appropriate copyright notice;
 keep intact all notices stating that this License and any
 non-permissive terms added in accord with section 7 apply to the code;
 keep intact all notices of the absence of any warranty; and give all
 recipients a copy of this License along with the Program.
  You may charge any price or no price for each copy that you convey,
 and you may offer support or warranty protection for a fee.
  5. Conveying Modified Source Versions.
  You may convey a work based on the Program, or the modifications to
 produce it from the Program, in the form of source code under the
 terms of section 4, provided that you also meet all of these conditions:
    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.
    b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under section
    7.  This requirement modifies the requirement in section 4 to
    "keep intact all notices".
    c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy.  This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged.  This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.
    d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.
  A compilation of a covered work with other separate and independent
 works, which are not by their nature extensions of the covered work,
 and which are not combined with it such as to form a larger program,
 in or on a volume of a storage or distribution medium, is called an
 "aggregate" if the compilation and its resulting copyright are not
 used to limit the access or legal rights of the compilation's users
 beyond what the individual works permit.  Inclusion of a covered work
 in an aggregate does not cause this License to apply to the other
 parts of the aggregate.
  6. Conveying Non-Source Forms.
  You may convey a covered work in object code form under the terms
 of sections 4 and 5, provided that you also convey the
 machine-readable Corresponding Source under the terms of this License,
 in one of these ways:
    a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.
    b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the
    Corresponding Source from a network server at no charge.
    c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source.  This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.
    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge.  You need not require recipients to copy the
    Corresponding Source along with the object code.  If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source.  Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.
    e) Convey the object code using peer-to-peer transmission, provided
    you inform other peers where the object code and Corresponding
    Source of the work are being offered to the general public at no
    charge under subsection 6d.
  A separable portion of the object code, whose source code is excluded
 from the Corresponding Source as a System Library, need not be
 included in conveying the object code work.
  A "User Product" is either (1) a "consumer product", which means any
 tangible personal property which is normally used for personal, family,
 or household purposes, or (2) anything designed or sold for incorporation
 into a dwelling.  In determining whether a product is a consumer product,
 doubtful cases shall be resolved in favor of coverage.  For a particular
 product received by a particular user, "normally used" refers to a
 typical or common use of that class of product, regardless of the status
 of the particular user or of the way in which the particular user
 actually uses, or expects or is expected to use, the product.  A product
 is a consumer product regardless of whether the product has substantial
 commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
  "Installation Information" for a User Product means any methods,
 procedures, authorization keys, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object
 code is in no case prevented or interfered with solely because
 modification has been made.
  If you convey an object code work under this section in, or with, or
 specifically for use in, a User Product, and the conveying occurs as
 part of a transaction in which the right of possession and use of the
 User Product is transferred to the recipient in perpetuity or for a
 fixed term (regardless of how the transaction is characterized), the
 Corresponding Source conveyed under this section must be accompanied
 by the Installation Information.  But this requirement does not apply
 if neither you nor any third party retains the ability to install
 modified object code on the User Product (for example, the work has
 been installed in ROM).
  The requirement to provide Installation Information does not include a
 requirement to continue to provide support service, warranty, or updates
 for a work that has been modified or installed by the recipient, or for
 the User Product in which it has been modified or installed.  Access to a
 network may be denied when the modification itself materially and
 adversely affects the operation of the network or violates the rules and
 protocols for communication across the network.
  Corresponding Source conveyed, and Installation Information provided,
 in accord with this section must be in a format that is publicly
 documented (and with an implementation available to the public in
 source code form), and must require no special password or key for
 unpacking, reading or copying.
  7. Additional Terms.
  "Additional permissions" are terms that supplement the terms of this
 License by making exceptions from one or more of its conditions.
 Additional permissions that are applicable to the entire Program shall
 be treated as though they were included in this License, to the extent
 that they are valid under applicable law.  If additional permissions
 apply only to part of the Program, that part may be used separately
 under those permissions, but the entire Program remains governed by
 this License without regard to the additional permissions.
  When you convey a copy of a covered work, you may at your option
 remove any additional permissions from that copy, or from any part of
 it.  (Additional permissions may be written to require their own
 removal in certain cases when you modify the work.)  You may place
 additional permissions on material, added by you to a covered work,
 for which you have or can give appropriate copyright permission.
  Notwithstanding any other provision of this License, for material you
 add to a covered work, you may (if authorized by the copyright holders of
 that material) supplement the terms of this License with terms:
    a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or
    b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or
    c) Prohibiting misrepresentation of the origin of that material, or
    requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or
    d) Limiting the use for publicity purposes of names of licensors or
    authors of the material; or
    e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or
    f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions of
    it) with contractual assumptions of liability to the recipient, for
    any liability that these contractual assumptions directly impose on
    those licensors and authors.
  All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10.  If the Program as you
 received it, or any part of it, contains a notice stating that it is
 governed by this License along with a term that is a further
 restriction, you may remove that term.  If a license document contains
 a further restriction but permits relicensing or conveying under this
 License, you may add to a covered work material governed by the terms
 of that license document, provided that the further restriction does
 not survive such relicensing or conveying.
  If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
 additional terms that apply to those files, or a notice indicating
 where to find the applicable terms.
  Additional terms, permissive or non-permissive, may be stated in the
 form of a separately written license, or stated as exceptions;
 the above requirements apply either way.
  8. Termination.
  You may not propagate or modify a covered work except as expressly
 provided under this License.  Any attempt otherwise to propagate or
 modify it is void, and will automatically terminate your rights under
 this License (including any patent licenses granted under the third
 paragraph of section 11).
  However, if you cease all violation of this License, then your
 license from a particular copyright holder is reinstated (a)
 provisionally, unless and until the copyright holder explicitly and
 finally terminates your license, and (b) permanently, if the copyright
 holder fails to notify you of the violation by some reasonable means
 prior to 60 days after the cessation.
  Moreover, your license from a particular copyright holder is
 reinstated permanently if the copyright holder notifies you of the
 violation by some reasonable means, this is the first time you have
 received notice of violation of this License (for any work) from that
 copyright holder, and you cure the violation prior to 30 days after
 your receipt of the notice.
  Termination of your rights under this section does not terminate the
 licenses of parties who have received copies or rights from you under
 this License.  If your rights have been terminated and not permanently
 reinstated, you do not qualify to receive new licenses for the same
 material under section 10.
  9. Acceptance Not Required for Having Copies.
  You are not required to accept this License in order to receive or
 run a copy of the Program.  Ancillary propagation of a covered work
 occurring solely as a consequence of using peer-to-peer transmission
 to receive a copy likewise does not require acceptance.  However,
 nothing other than this License grants you permission to propagate or
 modify any covered work.  These actions infringe copyright if you do
 not accept this License.  Therefore, by modifying or propagating a
 covered work, you indicate your acceptance of this License to do so.
  10. Automatic Licensing of Downstream Recipients.
  Each time you convey a covered work, the recipient automatically
 receives a license from the original licensors, to run, modify and
 propagate that work, subject to this License.  You are not responsible
 for enforcing compliance by third parties with this License.
  An "entity transaction" is a transaction transferring control of an
 organization, or substantially all assets of one, or subdividing an
 organization, or merging organizations.  If propagation of a covered
 work results from an entity transaction, each party to that
 transaction who receives a copy of the work also receives whatever
 licenses to the work the party's predecessor in interest had or could
 give under the previous paragraph, plus a right to possession of the
 Corresponding Source of the work from the predecessor in interest, if
 the predecessor has it or can get it with reasonable efforts.
  You may not impose any further restrictions on the exercise of the
 rights granted or affirmed under this License.  For example, you may
 not impose a license fee, royalty, or other charge for exercise of
 rights granted under this License, and you may not initiate litigation
 (including a cross-claim or counterclaim in a lawsuit) alleging that
 any patent claim is infringed by making, using, selling, offering for
 sale, or importing the Program or any portion of it.
  11. Patents.
  A "contributor" is a copyright holder who authorizes use under this
 License of the Program or a work on which the Program is based.  The
 work thus licensed is called the contributor's "contributor version".
  A contributor's "essential patent claims" are all patent claims
 owned or controlled by the contributor, whether already acquired or
 hereafter acquired, that would be infringed by some manner, permitted
 by this License, of making, using, or selling its contributor version,
 but do not include claims that would be infringed only as a
 consequence of further modification of the contributor version.  For
 purposes of this definition, "control" includes the right to grant
 patent sublicenses in a manner consistent with the requirements of
 this License.
  Each contributor grants you a non-exclusive, worldwide, royalty-free
 patent license under the contributor's essential patent claims, to
 make, use, sell, offer for sale, import and otherwise run, modify and
 propagate the contents of its contributor version.
  In the following three paragraphs, a "patent license" is any express
 agreement or commitment, however denominated, not to enforce a patent
 (such as an express permission to practice a patent or covenant not to
 sue for patent infringement).  To "grant" such a patent license to a
 party means to make such an agreement or commitment not to enforce a
 patent against the party.
  If you convey a covered work, knowingly relying on a patent license,
 and the Corresponding Source of the work is not available for anyone
 to copy, free of charge and under the terms of this License, through a
 publicly available network server or other readily accessible means,
 then you must either (1) cause the Corresponding Source to be so
 available, or (2) arrange to deprive yourself of the benefit of the
 patent license for this particular work, or (3) arrange, in a manner
 consistent with the requirements of this License, to extend the patent
 license to downstream recipients.  "Knowingly relying" means you have
 actual knowledge that, but for the patent license, your conveying the
 covered work in a country, or your recipient's use of the covered work
 in a country, would infringe one or more identifiable patents in that
 country that you have reason to believe are valid.
  If, pursuant to or in connection with a single transaction or
 arrangement, you convey, or propagate by procuring conveyance of, a
 covered work, and grant a patent license to some of the parties
 receiving the covered work authorizing them to use, propagate, modify
 or convey a specific copy of the covered work, then the patent license
 you grant is automatically extended to all recipients of the covered
 work and works based on it.
  A patent license is "discriminatory" if it does not include within
 the scope of its coverage, prohibits the exercise of, or is
 conditioned on the non-exercise of one or more of the rights that are
 specifically granted under this License.  You may not convey a covered
 work if you are a party to an arrangement with a third party that is
 in the business of distributing software, under which you make payment
 to the third party based on the extent of your activity of conveying
 the work, and under which the third party grants, to any of the
 parties who would receive the covered work from you, a discriminatory
 patent license (a) in connection with copies of the covered work
 conveyed by you (or copies made from those copies), or (b) primarily
 for and in connection with specific products or compilations that
 contain the covered work, unless you entered into that arrangement,
 or that patent license was granted, prior to 28 March 2007.
  Nothing in this License shall be construed as excluding or limiting
 any implied license or other defenses to infringement that may
 otherwise be available to you under applicable patent law.
  12. No Surrender of Others' Freedom.
  If conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot convey a
 covered work so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you may
 not convey it at all.  For example, if you agree to terms that obligate you
 to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.
  13. Use with the GNU Affero General Public License.
  Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
 under version 3 of the GNU Affero General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
 but the special requirements of the GNU Affero General Public License,
 section 13, concerning interaction through a network will apply to the
 combination as such.
  14. Revised Versions of this License.
  The Free Software Foundation may publish revised and/or new versions of
 the GNU General Public License from time to time.  Such new versions will
 be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
  Each version is given a distinguishing version number.  If the
 Program specifies that a certain numbered version of the GNU General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
 GNU General Public License, you may choose any version ever published
 by the Free Software Foundation.
  If the Program specifies that a proxy can decide which future
 versions of the GNU General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.
  Later license versions may give you additional or different
 permissions.  However, no additional obligations are imposed on any
 author or copyright holder as a result of your choosing to follow a
 later version.
  15. Disclaimer of Warranty.
  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
 APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
 OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
 THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
 IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  16. Limitation of Liability.
  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
 THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
 GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
 USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
 DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
 EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGES.
  17. Interpretation of Sections 15 and 16.
  If the disclaimer of warranty and limitation of liability provided
 above cannot be given local legal effect according to their terms,
 reviewing courts shall apply local law that most closely approximates
 an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper mail.
  If the program does terminal interaction, make it output a short
 notice like this when it starts in an interactive mode:
    <program>  Copyright (C) <year>  <name of author>
    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License.  Of course, your program's commands
 might be different; for a GUI interface, you would use an "about box".
  You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU GPL, see
 <http://www.gnu.org/licenses/>.
  The GNU General Public License does not permit incorporating your program
 into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
 <http://www.gnu.org/philosophy/why-not-lgpl.html>.
--- a/LICENSE.txt
+++ b/LICENSE.txt
@ -1,37 +1,149 @@
-ZeroTier One - Network Virtualization Everywhere
+-----------------------------------------------------------------------------
 Copyright (C) 2011-2017  ZeroTier, Inc.  https://www.zerotier.com/
-This program is free software: you can redistribute it and/or modify
+Business Source License 1.1
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
-This program is distributed in the hope that it will be useful,
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
-but WITHOUT ANY WARRANTY; without even the implied warranty of
+"Business Source License" is a trademark of MariaDB Corporation Ab.
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
-You should have received a copy of the GNU General Public License
+-----------------------------------------------------------------------------
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
-See LICENSE.GPL-3 for the full GNU GPL v3 license.
+Parameters
--
+Licensor:             ZeroTier, Inc.
 Licensed Work:        ZeroTier Network Virtualization Engine 1.4.4
                      The Licensed Work is (c)2019 ZeroTier, Inc.
 Additional Use Grant: You may make use of the Licensed Work, provided you
                      do not use it in any of the following ways:
-You can be released from the requirements of the license by purchasing
+                      * Sell hosted ZeroTier services as a "SaaS" Product
 a commercial license. Buying such a license is mandatory as soon as you
 develop commercial closed-source software that incorporates or links
 directly against ZeroTier software without disclosing the source code
 of your own application.
--
+                      (1) Operate or sell access to ZeroTier root servers,
                      network controllers, or authorization key or certificate
                      generation components of the Licensed Work as a
                      for-profit service, regardless of whether the use of
                      these components is sold alone or is bundled with other
                      services. Note that this does not apply to the use of
                      ZeroTier behind the scenes to operate a service not
                      related to ZeroTier network administration.
-The above license does not apply to third party code included with or
+                      * Create Non-Open-Source Commercial Derivative Works
 linked against by ZeroTier software. See the third party code section
 of the AUTHORS.md for an index of third party software included in
 this software repository.
-Licenses for third party code are all relatively permissive: MIT,
+                      (2) Link or directly include the Licensed Work in a
-BSD, and public domain. The only exception is the tap-windows driver
+                      commercial or for-profit application or other product
-which is under the GPLv2, but this is only needed to produce the
+                      not distributed under an Open Source Initiative (OSI)
-binary tap device driver used by the ZeroTier service on Windows.
+                      compliant license. See: https://opensource.org/licenses
                      (3) Remove the name, logo, copyright, or other branding
                      material from the Licensed Work to create a "rebranded"
                      or "white labeled" version to distribute as part of
                      any commercial or for-profit product or service.
                      * Certain Government Uses
                      (4) Use or deploy the Licensed Work in a government
                      setting in support of any active government function
                      or operation with the exception of the following:
                      physical or mental health care, family and social
                      services, social welfare, senior care, child care, and
                      the care of persons with disabilities.
 Change Date:          2026-01-01
 Change License:       Apache License version 2.0 as published by the Apache
                      Software Foundation
 											https://www.apache.org/licenses/
 Alternative Licensing
 If you would like to use the Licensed Work in any way that conflicts with
 the stipulations of the Additional Use Grant, contact ZeroTier, Inc. to
 obtain an alternative commercial license.
 Visit us on the web at: https://www.zerotier.com/
 Notice
 The Business Source License (this document, or the "License") is not an Open
 Source license. However, the Licensed Work will eventually be made available
 under an Open Source License, as stated in this License.
 For more information on the use of the Business Source License for ZeroTier
 products, please visit our pricing page which contains license details and
 and license FAQ: https://zerotier.com/pricing
 For more information on the use of the Business Source License generally,
 please visit the Adopting and Developing Business Source License FAQ at
 https://mariadb.com/bsl-faq-adopting.
 -----------------------------------------------------------------------------
 Business Source License 1.1
 Terms
 The Licensor hereby grants you the right to copy, modify, create derivative
 works, redistribute, and make non-production use of the Licensed Work. The
 Licensor may make an Additional Use Grant, above, permitting limited
 production use.
 Effective on the Change Date, or the fourth anniversary of the first publicly
 available distribution of a specific version of the Licensed Work under this
 License, whichever comes first, the Licensor hereby grants you rights under
 the terms of the Change License, and the rights granted in the paragraph
 above terminate.
 If your use of the Licensed Work does not comply with the requirements
 currently in effect as described in this License, you must purchase a
 commercial license from the Licensor, its affiliated entities, or authorized
 resellers, or you must refrain from using the Licensed Work.
 All copies of the original and modified Licensed Work, and derivative works
 of the Licensed Work, are subject to this License. This License applies
 separately for each version of the Licensed Work and the Change Date may vary
 for each version of the Licensed Work released by Licensor.
 You must conspicuously display this License on each original or modified copy
 of the Licensed Work. If you receive the Licensed Work in original or
 modified form from a third party, the terms and conditions set forth in this
 License apply to your use of that work.
 Any use of the Licensed Work in violation of this License will automatically
 terminate your rights under this License for the current and all other
 versions of the Licensed Work.
 This License does not grant you any right in any trademark or logo of
 Licensor or its affiliates (provided that you may use a trademark or logo of
 Licensor as expressly required by this License).
 TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
 AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
 EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
 TITLE.
 -----------------------------------------------------------------------------
 MariaDB hereby grants you permission to use this License’s text to license
 your works, and to refer to it using the trademark "Business Source License",
 as long as you comply with the Covenants of Licensor below.
 Covenants of Licensor
 In consideration of the right to use this License’s text and the "Business
 Source License" name and trademark, Licensor covenants to MariaDB, and to all
 other recipients of the licensed work to be provided by Licensor:
 1. To specify as the Change License the GPL Version 2.0 or any later version,
   or a license that is compatible with GPL Version 2.0 or a later version,
   where "compatible" means that software provided under the Change License can
   be included in a program with software provided under GPL Version 2.0 or a
   later version. Licensor may specify additional Change Licenses without
   limitation.
 2. To either: (a) specify an additional grant of rights to use that does not
   impose any additional restriction on the right granted in this License, as
   the Additional Use Grant; or (b) insert the text "None".
 3. To specify a Change Date.
 4. Not to modify this License in any other way.
--- a/9
+++ b/9
@ -17,8 +17,8 @@ ifeq ($(OSTYPE),FreeBSD)
 	include make-bsd.mk
 endif
 ifeq ($(OSTYPE),OpenBSD)
-	CC=egcc
+	CC=clang
-	CXX=eg++
+	CXX=clang++
 	ZT_BUILD_PLATFORM=9
 	include make-bsd.mk
 endif
@ -26,3 +26,8 @@ endif
 ifeq ($(OSTYPE),NetBSD)
 	include make-netbsd.mk
 endif
 drone:
 	@echo "rendering .drone.yaml from .drone.jsonnet"
 	drone jsonnet --format --stream
 	drone sign zerotier/ZeroTierOne --save
--- a/OFFICIAL-RELEASE-STEPS.md
+++ b/OFFICIAL-RELEASE-STEPS.md
@ -13,9 +13,8 @@ The version must be incremented in all of the following files:
    /zerotier-one.spec
    /debian/changelog
    /ext/installfiles/mac/ZeroTier One.pkgproj
    /ext/installfiles/windows/chocolatey/zerotier-one.nuspec
    /ext/installfiles/windows/ZeroTier One.aip
-    /windows/WinUI/AboutView.xaml
+  ../DesktopUI/mac-app-template/ZeroTier.app/Contents/Info.plist
 The final .AIP file can only be edited on Windows with [Advanced Installer Enterprise](http://www.advancedinstaller.com/). In addition to incrementing the version be sure that a new product code is generated. (The "upgrade code" GUID on the other hand must never change.)
@ -29,21 +28,6 @@ Mac's easy. Just type:
 You will need [Packages](http://s.sudre.free.fr/Software/Packages/about.html) and our release signing key in the keychain.
 ## Linux
 See `LinuxBuild` environment on `linux-build` VM and use: `chroots/mount-build.sh`, `chroots/build.sh`, and the scripts in `build/` to make APT and RPM repositories.
 ## Windows
 First load the Visual Studio solution and rebuild the UI and ZeroTier One in both x64 and i386 `Release` mode. Then load [Advanced Installer Enterprise](http://www.advancedinstaller.com/), check that the version is correct, and build. The build will fail if any build artifacts are missing, and Windows must have our product singing key (from DigiCert) available to sign the resulting MSI file. The MSI must then be tested on at least a few different CLEAN Windows VMs to ensure that the installer is valid and properly signed.
 *After the MSI is published to download.zerotier.com in the proper RELEASE/#.#.#/dist subfolder for its version* the Chocolatey package must be rebuilt and published. Open a command prompt, change to `ext/installfiles/windows/chocolatey`, and type `choco pack`. Then use `choco push` to push it to Chocolatey (API key required).
    choco pack
    choco push zerotier-one.#.#.#.nupkg -s https://chocolatey.org/
 Note that this does not cover rebuilding the drivers or their containing MSI projects, as this is typically not necessary and they are shipped in binary form in the repository for convenience.
 ## iOS, Android
 ... no docs here yet since this is done entirely out of band with regular installs.
--- a/README.docker.md
+++ b/README.docker.md
@ -0,0 +1,73 @@
 # ZeroTier One in a container!
 **NOTE:** _Most of this information pertains to the docker image only. For more information about ZeroTier, check out the repository_: [here](https://github.com/zerotier/ZeroTierOne) or the [commercial website](https://www.zerotier.com).
 [ZeroTier](https://www.zerotier.com) is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region.
 This is accomplished by combining a cryptographically addressed and secure peer to peer network (termed VL1) with an Ethernet emulation layer somewhat similar to VXLAN (termed VL2). Our VL2 Ethernet virtualization layer includes advanced enterprise SDN features like fine grained access control rules for network micro-segmentation and security monitoring.
 All ZeroTier traffic is encrypted end-to-end using secret keys that only you control. Most traffic flows peer to peer, though we offer free (but slow) relaying for users who cannot establish peer to peer connections.
 The goals and design principles of ZeroTier are inspired by among other things the original [Google BeyondCorp](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf) paper and the [Jericho Forum](https://en.wikipedia.org/wiki/Jericho_Forum) with its notion of "deperimeterization."
 Visit [ZeroTier's site](https://www.zerotier.com/) for more information and [pre-built binary packages](https://www.zerotier.com/download/). Apps for Android and iOS are available for free in the Google Play and Apple app stores.
 ZeroTier is licensed under the [BSL version 1.1](https://mariadb.com/bsl11/). See [LICENSE.txt](https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt) and the [ZeroTier pricing page](https://www.zerotier.com/pricing) for details. ZeroTier is free to use internally in businesses and academic institutions and for non-commercial purposes. Certain types of commercial use such as building closed-source apps and devices based on ZeroTier or offering ZeroTier network controllers and network management as a SaaS service require a commercial license.
 A small amount of third party code is also included in ZeroTier and is not subject to our BSL license. See [AUTHORS.md](https://github.com/zerotier/ZeroTierOne/blob/master/AUTHORS.md) for a list of third party code, where it is included, and the licenses that apply to it. All of the third party code in ZeroTier is liberally licensed (MIT, BSD, Apache, public domain, etc.).
 ## Building the docker image
 Due to the network being a substrate for most applications and not an application unto itself, it makes sense that many people would want to build their own image based on our formula.
 The image is based on `debian:buster`.
 The `Dockerfile.release` file contains build instructions for building the described image in the rest of the README. The build is multi-arch and multi-release capable.
 These build arguments power the build:
 - `PACKAGE_BASEURL`: The base URL of the package repository to fetch from. (default: `https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/`)
 - `ARCH`: The architecture of the package, in debian format. Must match your image arch. (default: `amd64`)
 - `VERSION`: **REQUIRED** the version of ZeroTier to fetch.
 You can build this image like so:
 ```
 docker build -f Dockerfile.release -t mybuild --build-arg VERSION=1.6.5 .
 ```
 ## Using the docker image
 The `entrypoint.sh` in the docker image is a little different; zerotier will be spawned in the background and the "main process" is actually just a sleeping shell script. This allows `zerotier-one` to gracefully terminate in some situations largely unique to docker.
 The `zerotier/zerotier` image requires the `CAP_NET_ADMIN` capability and the `/dev/net/tun` device must be forwarded to it.
 To join a network, simply supply it on the command-line; you can supply multiple networks.
 ```
 docker run --name myzerotier --rm --cap-add NET_ADMIN --device /dev/net/tun zerotier/zerotier:latest abcdefdeadbeef00
 ```
 Once joining all the networks you have provided, it will sleep until terminated. Note that in ZeroTier, joining a network does not necessarily mean you have an IP or can do anything, really. You will want to probe the control socket:
 ```
 docker exec myzerotier zerotier-cli listnetworks
 ```
 To ensure you have a network available before trying to listen on it. Without pre-configuring the identity, this usually means going to the central admin panel and clicking the checkmark against your zerotier identity.
 ### Environment Variables
 You can control a few settings including the identity used and the authtoken used to interact with the control socket (which you can forward and access through `localhost:9993`).
 - `ZEROTIER_JOIN_NETWORKS`: additional way to set networks to join.
 - `ZEROTIER_API_SECRET`: replaces the `authtoken.secret` before booting and allows you to manage the control socket's authentication key.
 - `ZEROTIER_IDENTITY_PUBLIC`: the `identity.public` file for zerotier-one. Use `zerotier-idtool` to generate one of these for you.
 - `ZEROTIER_IDENTITY_SECRET`: the `identity.secret` file for zerotier-one. Use `zerotier-idtool` to generate one of these for you.
 - `ZEROTIER_LOCAL_CONF`: Sets the the `local.conf` file content for zerotier-one
 ### Tips
 - Forwarding port `<dockerip>:9993` to somewhere outside is probably a good idea for highly trafficked services.
 - Forwarding `localhost:9993` to a control network where you can drive it remotely might be a good idea, just be sure to set your authtoken properly through environment variables.
 - Pre-generating your identities could be much simpler to do via our [terraform plugin](https://github.com/zerotier/terraform-provider-zerotier)
--- a/README.md
+++ b/README.md
@ -1,22 +1,34 @@
-ZeroTier - A Planetary Ethernet Switch
+ZeroTier - Global Area Networking
 ======
-ZeroTier is a smart programmable Ethernet switch for planet Earth.
+*This document is written for a software developer audience. For information on using ZeroTier, see the: [Website](https://www.zerotier.com), [Documentation Site](https://docs.zerotier.com), and [Discussion Forum](https://discuss.zerotier.com).*
-It replaces the physical LAN/WAN boundary with a virtual one, allowing devices of any type at any location to be managed as if they all reside in the same cloud region or data center. All traffic is encrypted end-to-end and takes the most direct path available for minimum latency and maximum performance. The goals and design of ZeroTier are inspired by among other things the original [Google BeyondCorp](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf) paper and the [Jericho Forum](https://en.wikipedia.org/wiki/Jericho_Forum).
+ZeroTier is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region.
-Visit [ZeroTier's site](https://www.zerotier.com/?pk_campaign=github_ZeroTierOne) for more information and [pre-built binary packages](https://www.zerotier.com/download.shtml?pk_campaign=github_ZeroTierOne). Apps for Android and iOS are available for free in the Google Play and Apple app stores.
+This is accomplished by combining a cryptographically addressed and secure peer to peer network (termed VL1) with an Ethernet emulation layer somewhat similar to VXLAN (termed VL2). Our VL2 Ethernet virtualization layer includes advanced enterprise SDN features like fine grained access control rules for network micro-segmentation and security monitoring.
 All ZeroTier traffic is encrypted end-to-end using secret keys that only you control. Most traffic flows peer to peer, though we offer free (but slow) relaying for users who cannot establish peer to peer connections.
 The goals and design principles of ZeroTier are inspired by among other things the original [Google BeyondCorp](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf) paper and the [Jericho Forum](https://en.wikipedia.org/wiki/Jericho_Forum) with its notion of "deperimeterization."
 Visit [ZeroTier's site](https://www.zerotier.com/) for more information and [pre-built binary packages](https://www.zerotier.com/download/). Apps for Android and iOS are available for free in the Google Play and Apple app stores.
 ZeroTier is licensed under the [BSL version 1.1](https://mariadb.com/bsl11/). See [LICENSE.txt](LICENSE.txt) and the [ZeroTier pricing page](https://www.zerotier.com/pricing) for details. ZeroTier is free to use internally in businesses and academic institutions and for non-commercial purposes. Certain types of commercial use such as building closed-source apps and devices based on ZeroTier or offering ZeroTier network controllers and network management as a SaaS service require a commercial license.
 A small amount of third party code is also included in ZeroTier and is not subject to our BSL license. See [AUTHORS.md](AUTHORS.md) for a list of third party code, where it is included, and the licenses that apply to it. All of the third party code in ZeroTier is liberally licensed (MIT, BSD, Apache, public domain, etc.).
 ### Getting Started
-Everything in the ZeroTier world is controlled by two types of identifier: 40-bit/10-digit *ZeroTier addresses* and 64-bit/16-digit *network IDs*. A ZeroTier address identifies a node or "device" (laptop, phone, server, VM, app, etc.) while a network ID identifies a virtual Ethernet network that can be joined by devices.
+Everything in the ZeroTier world is controlled by two types of identifier: 40-bit/10-digit *ZeroTier addresses* and 64-bit/16-digit *network IDs*. These identifiers are easily distinguished by their length. A ZeroTier address identifies a node or "device" (laptop, phone, server, VM, app, etc.) while a network ID identifies a virtual Ethernet network that can be joined by devices.
-Another way of thinking about it is that ZeroTier addresses are port numbers on a giant planetary-sized smart switch while network IDs are VLANs to which these ports can be assigned. For more details read about VL1 and VL2 in [the ZeroTier manual](https://www.zerotier.com/manual.shtml).
+ZeroTier addresses can be thought of as port numbers on an enormous planet-wide enterprise Ethernet smart switch supporting VLANs. Network IDs are VLAN IDs to which these ports may be assigned. A single port can be assigned to more than one VLAN.
-*Network controllers* are ZeroTier nodes that act as access control certificate authorities and configuration managers for virtual networks. The first 40 bits (or 10 digits) of a network ID is the ZeroTier address of its controller. You can create networks with our [hosted controllers](https://my.zerotier.com/) and web UI/API or [host your own](controller/) if you don't mind posting some JSON configuration info or writing a script to do so.
+A ZeroTier address looks like `8056c2e21c` and a network ID looks like `8056c2e21c000001`. Network IDs are composed of the ZeroTier address of that network's primary controller and an arbitrary 24-bit ID that identifies the network on this controller. Network controllers are roughly analogous to SDN controllers in SDN protocols like [OpenFlow](https://en.wikipedia.org/wiki/OpenFlow), though as with the analogy between VXLAN and VL2 this should not be read to imply that the protocols or design are the same. You can use our convenient and inexpensive SaaS hosted controllers at [my.zerotier.com](https://my.zerotier.com/) or [run your own controller](controller/) if you don't mind messing around with JSON configuration files or writing scripts to do so.
 ### Project Layout
 The base path contains the ZeroTier One service main entry point (`one.cpp`), self test code, makefiles, etc.
 - `artwork/`: icons, logos, etc.
 - `attic/`: old stuff and experimental code that we want to keep around for reference.
 - `controller/`: the reference network controller implementation, which is built and included by default on desktop and server build targets.
@ -25,90 +37,161 @@ Another way of thinking about it is that ZeroTier addresses are port numbers on
 - `ext/`: third party libraries, binaries that we ship for convenience on some platforms (Mac and Windows), and installation support files.
 - `include/`: include files for the ZeroTier core.
 - `java/`: a JNI wrapper used with our Android mobile app. (The whole Android app is not open source but may be made so in the future.)
 - `macui/`: a Macintosh menu-bar app for controlling ZeroTier One, written in Objective C.
 - `node/`: the ZeroTier virtual Ethernet switch core, which is designed to be entirely separate from the rest of the code and able to be built as a stand-alone OS-independent library. Note to developers: do not use C++11 features in here, since we want this to build on old embedded platforms that lack C++11 support. C++11 can be used elsewhere.
 - `osdep/`: code to support and integrate with OSes, including platform-specific stuff only built for certain targets.
 - `rule-compiler/`: JavaScript rules language compiler for defining network-level rules.
 - `service/`: the ZeroTier One service, which wraps the ZeroTier core and provides VPN-like connectivity to virtual networks for desktops, laptops, servers, VMs, and containers.
- - `tcp-proxy/`: TCP proxy code run by ZeroTier, Inc. to provide TCP fallback (this will die soon!).
+ - `windows/`: Visual Studio solution files, Windows service code, and the Windows task bar app UI.
- - `windows/`: Visual Studio solution files, Windows service code for ZeroTier One, and the Windows task bar app UI.
+ - `zeroidc/`: OIDC implementation used by ZeroTier service to log into SSO-enabled networks. (This part is written in Rust, and more Rust will be appearing in this repository in the future.)
-The base path contains the ZeroTier One service main entry point (`one.cpp`), self test code, makefiles, etc.
+### Contributing
 Please do pull requests off of the `dev` branch.
 Releases are done by merging `dev` into `main` and then tagging and doing builds. 
 ### Build and Platform Notes
-To build on Mac and Linux just type `make`. On FreeBSD and OpenBSD `gmake` (GNU make) is required and can be installed from packages or ports. For Windows there is a Visual Studio solution in `windows/'.
+To build on Mac and Linux just type `make`. On FreeBSD and OpenBSD `gmake` (GNU make) is required and can be installed from packages or ports. For Windows there is a Visual Studio solution in `windows/`.
 - **Mac**
-   - Xcode command line tools for OSX 10.7 or newer are required.
+   - Xcode command line tools for macOS 10.13 or newer are required.
-   - Tap device driver kext source is in `ext/tap-mac` and a signed pre-built binary can be found in `ext/bin/tap-mac`. You should not need to build it yourself. It's a fork of [tuntaposx](http://tuntaposx.sourceforge.net) with device names changed to `zt#`, support for a larger MTU, and tun functionality removed.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
 - **Linux**
-   - The minimum compiler versions required are GCC/G++ 4.9.3 or CLANG/CLANG++ 3.4.2.
+   - The minimum compiler versions required are GCC/G++ 8.x or CLANG/CLANG++ 5.x.
   - Linux makefiles automatically detect and prefer clang/clang++ if present as it produces smaller and slightly faster binaries in most cases. You can override by supplying CC and CXX variables on the make command line.
-   - CentOS 7 ships with a version of GCC/G++ that is too old, but a new enough version of CLANG can be found in the *epel* repositories. Type `yum install epel-release` and then `yum install clang` to build there.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
 - **Windows**
-   - Windows 7 or newer is supported. This *may* work on Vista but isn't officially supported there. It will not work on Windows XP.
+   - Visual Studio 2022 on Windows 10 or newer.
-   - We build with Visual Studio 2015. Older versions may not work. Clang or MinGW will also probably work but may require some makefile hacking.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
   - Pre-built signed Windows drivers are included in `ext/bin/tap-windows-ndis6`. The MSI files found there will install them on 32-bit and 64-bit systems. We don't recommend trying to build Windows drivers from scratch unless you know what you're doing. One does not simply "build" a Windows driver.
 - **FreeBSD**
-   - Tested most recently on FreeBSD-11. Older versions may work but we're not sure.
+   - GNU make is required. Type `gmake` to build.
-   - GCC/G++ 4.9 and gmake are required. These can be installed from packages or ports. Type `gmake` to build.
+   - `binutils` is required.  Type `pkg install binutils` to install.
   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
 - **OpenBSD**
-   - There is a limit of four network memberships on OpenBSD as there are only four tap devices (`/dev/tap0` through `/dev/tap3`). We're not sure if this can be increased.
+   - There is a limit of four network memberships on OpenBSD as there are only four tap devices (`/dev/tap0` through `/dev/tap3`).
-   - OpenBSD lacks `getifmaddrs` (or any equivalent method) to get interface multicast memberships. As a result multicast will only work on OpenBSD for ARP and NDP (IP/MAC lookup) and not for other purposes.
+   - GNU make is required. Type `gmake` to build.
-   - Only tested on OpenBSD 6.0. Older versions may not work.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
   - GCC/G++ 4.9 and gmake are required and can be installed using `pkg_add` or from ports. They get installed in `/usr/local/bin` as `egcc` and `eg++` and our makefile is pre-configured to use them on OpenBSD.
 Typing `make selftest` will build a *zerotier-selftest* binary which unit tests various internals and reports on a few aspects of the build environment. It's a good idea to try this on novel platforms or architectures.
 ### Running
-Running *zerotier-one* with -h will show help.
+Running *zerotier-one* with `-h` option will show help.
-On Linux and BSD you can start the service with:
+On Linux and BSD, if you built from source, you can start the service with:
    sudo ./zerotier-one -d
 On most distributions, macOS, and Windows, the installer will start the service and set it up to start on boot.
 A home folder for your system will automatically be created.
-The service is controlled via the JSON API, which by default is available at 127.0.0.1 port 9993. We include a *zerotier-cli* command line utility to make API calls for standard things like joining and leaving networks. The *authtoken.secret* file in the home folder contains the secret token for accessing this API. See README.md in [service/](service/) for API documentation.
+The service is controlled via the JSON API, which by default is available at `127.0.0.1:9993`. It also listens on `0.0.0.0:9993` which is only usable if `allowManagementFrom` is properly configured in `local.conf`. We include a *zerotier-cli* command line utility to make API calls for standard things like joining and leaving networks. The *authtoken.secret* file in the home folder contains the secret token for accessing this API. See [service/README.md](service/README.md) for API documentation.
 Here's where home folders live (by default) on each OS:
 * **Linux**: `/var/lib/zerotier-one`
 * **FreeBSD** / **OpenBSD**: `/var/db/zerotier-one`
 * **Mac**: `/Library/Application Support/ZeroTier/One`
- * **Windows**: `\ProgramData\ZeroTier\One` (That's for Windows 7. The base 'shared app data' folder might be different on different Windows versions.)
+ * **Windows**: `\ProgramData\ZeroTier\One` (That's the default. The base 'shared app data' folder might be different if Windows is installed with a non-standard drive letter assignment or layout.)
-Running ZeroTier One on a Mac is the same, but OSX requires a kernel extension. We ship a signed binary build of the ZeroTier tap device driver, which can be installed on Mac with:
+### Basic Troubleshooting
    sudo make install-mac-tap
 This will create the home folder for Mac, place *tap.kext* there, and set its modes correctly to enable ZeroTier One to manage it with *kextload* and *kextunload*.
 ### Troubleshooting
 For most users, it just works.
-If you are running a local system firewall, we recommend adding a rule permitting UDP port 9993 inbound and outbound. If you installed binaries for Windows this should be done automatically. Other platforms might require manual editing of local firewall rules depending on your configuration.
+If you are running a local system firewall, we recommend adding a rules permitting zerotier. If you installed binaries for Windows this should be done automatically. Other platforms might require manual editing of local firewall rules depending on your configuration.
-The Mac firewall can be found under "Security" in System Preferences. Linux has a variety of firewall configuration systems and tools. If you're using Ubuntu's *ufw*, you can do this:
+See the [documentation site](https://docs.zerotier.com/zerotier/troubleshooting) for more information.
-    sudo ufw allow 9993/udp
+The Mac firewall can be found under "Security" in System Preferences. Linux has a variety of firewall configuration systems and tools.
 On CentOS check `/etc/sysconfig/iptables` for IPTables rules. For other distributions consult your distribution's documentation. You'll also have to check the UIs or documentation for commercial third party firewall applications like Little Snitch (Mac), McAfee Firewall Enterprise (Windows), etc. if you are running any of those. Some corporate environments might have centrally managed firewall software, so you might also have to contact IT.
 ZeroTier One peers will automatically locate each other and communicate directly over a local wired LAN *if UDP port 9993 inbound is open*. If that port is filtered, they won't be able to see each others' LAN announcement packets. If you're experiencing poor performance between devices on the same physical network, check their firewall settings. Without LAN auto-location peers must attempt "loopback" NAT traversal, which sometimes fails and in any case requires that every packet traverse your external router twice.
-Users behind certain types of firewalls and "symmetric" NAT devices may not able able to connect to external peers directly at all. ZeroTier has limited support for port prediction and will *attempt* to traverse symmetric NATs, but this doesn't always work. If P2P connectivity fails you'll be bouncing UDP packets off our relay servers resulting in slower performance. Some NAT router(s) have a configurable NAT mode, and setting this to "full cone" will eliminate this problem. If you do this you may also see a magical improvement for things like VoIP phones, Skype, BitTorrent, WebRTC, certain games, etc., since all of these use NAT traversal techniques similar to ours.
+Users behind certain types of firewalls and "symmetric" NAT devices may not be able to connect to external peers directly at all. ZeroTier has limited support for port prediction and will *attempt* to traverse symmetric NATs, but this doesn't always work. If P2P connectivity fails you'll be bouncing UDP packets off our relay servers resulting in slower performance. Some NAT router(s) have a configurable NAT mode, and setting this to "full cone" will eliminate this problem. If you do this you may also see a magical improvement for things like VoIP phones, Skype, BitTorrent, WebRTC, certain games, etc., since all of these use NAT traversal techniques similar to ours.
 If you're interested, there's a [technical deep dive about NAT traversal on our blog](https://www.zerotier.com/blog/?p=226?pk_campaign=github_ZeroTierOne). A troubleshooting tool to help you diagnose NAT issues is planned for the future as are uPnP/IGD/NAT-PMP and IPv6 transport.
 If a firewall between you and the Internet blocks ZeroTier's UDP traffic, you will fall back to last-resort TCP tunneling to rootservers over port 443 (https impersonation). This will work almost anywhere but is *very slow* compared to UDP or direct peer to peer connectivity.
-### Contributing
+Additional help can be found in our [knowledge base](https://zerotier.atlassian.net/wiki/spaces/SD/overview).
-Please make pull requests against the `dev` branch. The `master` branch is release, and `edge` is for unstable and work in progress changes and is not likely to work.
+### Prometheus Metrics
-### License
+Prometheus Metrics are available at the `/metrics` API endpoint.  This endpoint is protected by an API key stored in `metricstoken.secret` to prevent unwanted information leakage.  Information that could be gleaned from the metrics include joined networks and peers your instance is talking to. 
-The ZeroTier source code is open source and is licensed under the GNU GPL v3 (not LGPL). If you'd like to embed it in a closed-source commercial product or appliance, please e-mail [contact@zerotier.com](mailto:contact@zerotier.com) to discuss commercial licensing. Otherwise it can be used for free.
+Access control is via the ZeroTier control interface itself and `metricstoken.secret`. This can be sent as a bearer auth token, via the `X-ZT1-Auth` HTTP header field, or appended to the URL as `?auth=<token>`. You can see the current metrics via `cURL` with the following command:
    // Linux
    curl -H "X-ZT1-Auth: $(sudo cat /var/lib/zerotier-one/metricstoken.secret)" http://localhost:9993/metrics
    // macOS
    curl -H "X-ZT1-Auth: $(sudo cat /Library/Application\ Support/ZeroTier/One/metricstoken.secret)" http://localhost:9993/metrics
    // Windows PowerShell (Admin)
    Invoke-RestMethod -Headers @{'X-ZT1-Auth' = "$(Get-Content C:\ProgramData\ZeroTier\One\metricstoken.secret)"; } -Uri http://localhost:9993/metrics
 To configure a scrape job in Prometheus on the machine ZeroTier is running on, add this to your Prometheus `scrape_config`:
    - job_name: zerotier-one
      honor_labels: true
      scrape_interval: 15s
      metrics_path: /metrics
      static_configs:
      - targets:
        - 127.0.0.1:9993
        labels:
          group: zerotier-one
          node_id: $YOUR_10_CHARACTER_NODE_ID
      authorization:
        credentials: $YOUR_METRICS_TOKEN_SECRET
 If neither of these methods are desirable, it is probably possible to distribute metrics via [Prometheus Proxy](https://github.com/pambrose/prometheus-proxy) or some other tool.  Note: We have not tested this internally, but will probably work with the correct configuration.
 Metrics are also available on disk in ZeroTier's working directory:
   // Linux
   /var/lib/zerotier-one/metrics.prom
   // macOS
   /Library/Application\ Support/ZeroTier/One/metrics.prom
   //Windows
   C:\ProgramData\ZeroTier\One\metrics.prom
 #### Available Metrics
 | Metric Name | Labels | Metric Type | Description |
 | ---         | ---    | ---         | ---         |
 | zt_packet | packet_type, direction | Counter | ZeroTier packet type counts |
 | zt_packet_error | error_type, direction | Counter | ZeroTier packet errors|
 | zt_data | protocol, direction | Counter | number of bytes ZeroTier has transmitted or received |
 | zt_num_networks | | Gauge | number of networks this instance is joined to |
 | zt_network_multicast_groups_subscribed | network_id | Gauge | number of multicast groups networks are subscribed to |
 | zt_network_packets | network_id, direction | Counter | number of incoming/outgoing packets per network |
 | zt_peer_latency | node_id | Histogram | peer latency (ms) |
 | zt_peer_path_count | node_id, status | Gauge | number of paths to peer |
 | zt_peer_packets | node_id, direction | Counter | number of packets to/from a peer |
 | zt_peer_packet_errors | node_id | Counter | number of incoming packet errors from a peer |
 If there are other metrics you'd like to see tracked, ask us in an Issue or send us a Pull Request!
 ### HTTP / App server
 There is a static http file server suitable for hosting Single Page Apps at http://localhost:9993/app/<app-path>
 Use `zerotier-cli info -j` to find your zerotier-one service's homeDir
 ``` sh
 cd $ZT_HOME
 sudo mkdir -p app/app1
 sudo mkdir -p app/appB
 echo '<html><meta charset=utf-8><title>appA</title><body><h1>hello world A' | sudo tee app/appA/index.html 
 echo '<html><meta charset=utf-8><title>app2</title><body><h1>hello world 2' | sudo tee app/app2/index.html 
 curl -sL http://localhost:9993/app/appA http://localhost:9993/app/app2 
 ```
 Then visit [http://localhost:9993/app/app1/](http://localhost:9993/app/app1/) and [http://localhost:9993/app/appB/](http://localhost:9993/app/appB/)
 Requests to paths don't exist return the app root index.html, as is customary for SPAs. 
 If you want, you can write some javascript that talks to the service or controller [api](https://docs.zerotier.com/service/v1).
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@ -1,6 +1,325 @@
 ZeroTier Release Notes
 ======
 # 2024-10-23 -- Version 1.14.2
  * Fix for missing entitlement on macOS Sequoia.
  * Fix for a problem correctly parsing local.conf to enable low bandwidth mode.
  * Increment versions of some dependent libraries.
  * Other fixes.
 # 2024-09-12 -- Version 1.14.1
  * Multithreaded packet I/O support! Currently this is just for Linux and must
    be enabled in local.conf. It will likely make the largest difference on small
    multi-core devices where CPU is a bottleneck and high throughput is desired.
    It may be enabled by default in the future but we want it to be thoroughly
    tested. It's a little harder than it seems at first glance due to the need
    to keep packets in sequence and balance load.
  * Several multipath bug fixes.
  * Updated the versions on a number of libraries related to OIDC support and HTTP.
  * MacOS .app now shows the correct version in its Info.plist manifest.
  * Sanitize MAC addresses in JSON format rules parser.
  * Some basic information about the platform (OS, CPU architecture) is now reported
    to network controllers when networks are joined so it can be displayed to
    network admins and in the future used in policy checking and inventory operations.
 # 2024-05-02 -- Version 1.14.0
  * Linux I/O performance improvements under heavy load
  * Improvements to multipath
  * Fix for port rebinding "coma" bug after periods offline (some laptop users)
  * Fixed a rules engine quirk/ambiguity (GitHub Issue #2200)
  * Controller API enhancements: node names and other node meta-data
  * Other bug fixes
 # 2023-09-12 -- Version 1.12.2
  * More improvements to macOS full tunnel mode.
  * Faster recovery after changes to physical network settings.
 # 2023-08-25 -- Version 1.12.1
  * Minor release to fix a port binding issue in Linux.
  * Update Debian dependencies.
  * No changes for other platforms.
 # 2023-08-23 -- Version 1.12.0
  * Experimental Windows ARM64 support
  * Fix numerous sleep/wake issues on macOS and other platforms
  * Faster recovery after changes to physical network settings
  * Prometheus compatible metrics support!
  * Fix full tunnel mode on recent macOS versions
  * Numerous macOS DNS fixes
  * 10-30% speed improvement on Linux
 # 2023-03-23 -- Version 1.10.6
  * Prevent binding temporary ipv6 addresses on macos (#1910)
  * Prevent path-learning loops (#1914)
  * Prevent infinite loop of UAC prompts in tray app
 # 2023-03-10 -- Version 1.10.5
 * Fix for high CPU usage bug on Windows
 # 2023-03-07 -- Version 1.10.4
 * SECURITY FIX (Windows): this version fixes a file permission problem on
   Windows that could allow non-privileged users on a Windows system to read
   privileged files in the ZeroTier service's working directory. This could
   allow an unprivileged local Windows user to administrate the local ZeroTier
   instance without appropriate local permissions. This issue is not remotely
   exploitable unless a remote user can read arbitrary local files, and does
   not impact other operating systems.
 * Fix a bug in the handling of multiple IP address assignments to virtual
   interfaces on macOS.
 # 2023-02-15 -- Version 1.10.3
 * Fix for duplicate paths in client. Could cause connectivity issues. Affects all platforms.
 * Fix for Ethernet Tap MTU setting, would not properly apply on Linux.
 * Fix default route bugs (macOS.)
 * Enable Ping automatically for ZeroTier Adapters (Windows.)
 * SSO updates and minor bugfixes.
 * Add low-bandwidth mode.
 * Add forceTcpRelay mode (optionally enabled.)
 * Fix bug that prevented setting of custom TCP relay address.
 * Build script improvements and bug fixes.
 # 2022-11-01 -- Version 1.10.2
 * Fix another SSO "stuck client" issue in zeroidc.
 * Expose root-reported external IP/port information via the local JSON API for better diagnostics.
 * Multipath: CLI output improvement for inspecting bonds
 * Multipath: balance-aware mode
 * Multipath: Custom policies
 * Multipath: Link quality measurement improvements
 Note that releases are coming few and far between because most of our dev effort is going into version 2.
 # 2022-06-27 -- Version 1.10.1
 * Fix an issue that could cause SSO clients to get "stuck" on stale auth URLs.
 * A few other SSO related bug fixes.
 # 2022-06-07 -- Version 1.10.0
 * Fix formatting problem in `zerotier-cli` when using SSO networks.
 * Fix a few other minor bugs in SSO signin to prepare for general availability.
 * Remove requirement for webview in desktop UI and instead just make everything available via the tray pulldown/menu. Use [libui-ng](https://github.com/libui-ng/libui-ng) for minor prompt dialogs. Saves space and eliminates installation headaches on Windows.
 * Fix SSO "spam" bug in desktop UI.
 * Use system default browser for SSO login so all your plugins, MFA devices, password managers, etc. will work as you have them configured.
 * Minor fix for bonding/multipath.
 # 2022-05-10 -- Version 1.8.10
 * Fixed a bug preventing SSO sign-on on Windows.
 # 2022-04-25 -- Version 1.8.9
 * Fixed a long-standing and strange bug that was causing sporadic "phantom" packet authentication failures. Not a security problem but could be behind sporadic reports of link failures under some conditions.
 * Fixed a memory leak in SSO/OIDC support.
 * Fixed SSO/OIDC display error on CLI.
 * Fixed a bug causing nodes to sometimes fail to push certs to each other (primarily affects SSO/OIDC use cases).
 * Fixed a deadlock bug on leaving SSO/OIDC managed networks.
 * Added some new Linux distributions to the build subsystem.
 # 2022-04-11 -- Version 1.8.8
 * Fix a local privilege escalation bug in the Windows installer.
 * Dependency fix for some Ubuntu versions.
 * No changes for other platforms. Windows upgrade recommended, everyone else optional.
 # 2022-03-30 -- Version 1.8.7
 * Fix for dependency installations in Windows MSI package.
 * Fix for desktop UI setup when run by a non-super-user.
 * Bug fix in local OIDC / SSO support for auth0 and other providers.
 * Other minor fixes for e.g. old Linux distributions.
 # 2022-03-04 -- Version 1.8.6
 * Fixed an issue that could cause the UI to be non-responsive if not joined to any networks.
 * Fix dependency issues in Debian and RedHat packages for some distributions (Fedora, Mint).
 * Bumped the peer cache serialization version to prevent "coma" issues on upgrade due to changes in path logic behaving badly with old values.
 # 2022-02-22 -- Version 1.8.5
 * Plumbing under the hood for endpoint device SSO support.
 * Fix in LinuxEthernetTap to tap device support on very old (2.6) Linux kernels.
 * Fix an issue that could cause self-hosted roots ("moons") to fail to assist peers in making direct links. (GitHub issue #1512)
 * Merge a series of changes by Joseph Henry (of ZeroTier) that should fix some edge cases where ZeroTier would "forget" valid paths.
 * Minor multipath improvements for automatic path negotiation.
 # 2021-11-30 -- Version 1.8.4
 * Fixed an ugly font problem on some older macOS versions.
 * Fixed a bug that could cause the desktop tray app control panel to stop opening after a while on Windows.
 * Fixed a possible double "release" in macOS tray app code that crashed on older macOS versions.
 * Fixed installation on 32-bit Windows 10.
 * Fixed a build flags issue that could cause ZeroTier to crash on older ARM32 CPUs.
 # 2021-11-15 -- Version 1.8.3
 * Remove problematic spinlock, which was only used on x86_64 anyway. Just use pthread always.
 * Fix fd leak on MacOS that caused non-responsiveness after some time.
 * Fix Debian install scripts to set /usr/sbin/nologin as shell on service user.
 * Fix regression that could prevent managed routes from being deleted.
 * DesktopUI: Remove NSDate:now() call, now works on MacOS 10.13 or newer!
 # 2021-11-08 -- Version 1.8.2
 * Fix multicast on linux.
 * Fix a bug that could cause the tap adapter to have the wrong MAC on Linux.
 * Update build flags to possibly support MacOS older than 10.14, but more work needs to be done. It may not work yet.
 * Fix path variable setting on Windows.
 # 2021-10-28 -- Version 1.8.1
 * Fix numerous UI issues from 1.8.0 (never fully released).
 * Remove support for REALLY ancient 1.1.6 or earlier network controllers.
 * MacOS IPv6 no longer binds to temporary addresses as these can cause interruptions if they expire.
 * Added additional hardening against address impersonation on networks (also in 1.6.6).
 * Fix an issue that could cause clobbering of MacOS IP route settings on restart.
 * NOTE: Windows 7 is no longer supported! Windows 7 users will have to use version 1.6.5 or earlier.
 # 2021-09-15 -- Version 1.8.0 (preview release only)
 * A *completely* rewritten desktop UI for Mac and Windows!
 * Implement a workaround for one potential source of a "coma" bug, which can occur if buggy NATs/routers stop allowing the service to communicate on a given port. ZeroTier now reassigns a new secondary port if it's offline for a while unless a secondary port is manually specified in local.conf. Working around crummy buggy routers is an ongoing effort.
 * Fix for MacOS MTU capping issue on feth devices
 * Fix for mistakenly using v6 source addresses for v4 routes on some platforms
 * Stop binding to temporary IPv6 addresses
 * Set MAC address before bringing up Linux TAP link
 * Check if DNS servers need to be applied on macOS
 * Upgrade json.hpp dependency to version 3.10.2
 # 2021-09-21 -- Version 1.6.6
 * Backport COM hash check mitigation against network member impersonation.
 # 2021-04-13 -- Version 1.6.5
 * Fix a bug in potential network path filtering that could in some circumstances lead to "software laser" effects.
 * Fix a printf overflow in zerotier-cli (not exploitable or a security risk)
 * Windows now looks up the name of ZeroTier devices instead of relying on them having "ZeroTier" in them.
 # 2021-02-15 -- Version 1.6.4
 * The groundhog saw his shadow, which meant that the "connection coma" bug still wasn't gone. We think we found it this time.
 # 2021-02-02 -- Version 1.6.3
 * Likely fix for GitHub issue #1334, an issue that could cause ZeroTier to
   go into a "coma" on some networks.
 * Also groundhog day
 # 2020-11-30 -- Version 1.6.2
 * Fix an ARM hardware AES crypto issue (not an exploitable vulnerability).
 * Fix a Linux network leave hang due to a mutex deadlock.
 # 2020-11-24 -- Version 1.6.1
 This release fixes some minor bugs and other issues in 1.6.0.
 * Fixed a bug that caused IP addresses in the 203.0.0.0/8 block to be miscategorized as not being in global scope.
 * Changed Linux builds to (hopefully) fix LXC and SELinux issues.
 * Fixed unaligned memory access that caused crash on FreeBSD systems on the ARM architecture.
 * Merged CLI options for controlling bonded devices into the beta multipath code.
 * Updated Windows driver with Microsoft cross-signing to fix issues on some Windows systems.
 # 2020-11-19 -- Version 1.6.0
 Version 1.6.0 is a major release that incorporates back-ported features from the 2.0 branch, which is still under development. It also fixes a number of issues.
 New features and improvements (including those listed under 1.5.0):
 * **Apple Silicon** (MacOS ARM64) native support via universal binary. ZeroTier now requires the very latest Xcode to build.
 * **Linux performance improvements** for up to 25% faster tun/tap I/O performance on multi-core systems.
 * **Multipath support** with modes modeled after the Linux kernel's bonding driver. This includes active-passive and active-active modes with fast failover and load balancing. See section 2.1.5 of the manual.
 * **DNS configuration** push from network controllers to end nodes, with locally configurable permissions for whether or not push is allowed.
 * **AES-GMAC-SIV** encryption mode, which is both somewhat more secure and significantly faster than the old Salsa20/12-Poly1305 mode on hardware that supports AES acceleration. This includes virtually all X86-64 chips and most ARM64. This mode is based on AES-SIV and has been audited by Trail of Bits to ensure that it is equivalent security-wise.
 Bug fixes:
 * **Managed route assignment fixes** to eliminate missing routes on Linux and what we believe to be the source of sporadic high CPU usage on MacOS.
 * **Hang on shutdown** issues should be fixed.
 * **Sporadic multicast outages** should be fixed.
 Known remaining issues:
 * AES hardware acceleration is not yet supported on 32-bit ARM, PowerPC (32 or 64), or MIPS (32 or 64) systems. Currently supported are X86-64 and ARM64/AARCH64 with crypto extensions.
 # 2020-10-05 -- Version 1.5.0 (actually 1.6.0-beta1)
 Version 1.6.0 (1.5.0 is a beta!) is a significant release that incorporates a number of back-ported fixes and features from the ZeroTier 2.0 tree.
 Major new features are:
 * **Multipath support** with modes modeled after the Linux kernel's bonding driver. This includes active-passive and active-active modes with fast failover and load balancing. See section 2.1.5 of the manual.
 * **DNS configuration** push from network controllers to end nodes, with locally configurable permissions for whether or not push is allowed.
 * **AES-GMAC-SIV** encryption mode, which is both somewhat more secure and significantly faster than the old Salsa20/12-Poly1305 mode on hardware that supports AES acceleration. This includes virtually all X86-64 chips and most ARM64. This mode is based on AES-SIV and has been audited by Trail of Bits to ensure that it is equivalent security-wise.
 Known issues that are not yet fixed in this beta:
 * Some Mac users have reported periods of 100% CPU in kernel_task and connection instability after leaving networks that have been joined for a period of time, or needing to kill ZeroTier and restart it to finish leaving a network. This doesn't appear to affect all users and we haven't diagnosed the root cause yet.
 * The service sometimes hangs on shutdown requiring a kill -9. This also does not affect all systems or users.
 * AES hardware acceleration is not yet supported on 32-bit ARM, PowerPC (32 or 64), or MIPS (32 or 64) systems. Currently supported are X86-64 and ARM64/AARCH64 with crypto extensions.
 * Some users have reported multicast/broadcast outages on networks lasting up to 30 seconds. Still investigating.
 We're trying to fix all these issues before the 1.6.0 release. Stay tuned.
 # 2019-08-30 -- Version 1.4.6
 * Update default root list to latest
 * ARM32 platform build and flag fixes
 * Add a clarification line to LICENSE.txt
 * Fix license message in CLI
 * Windows service now looks for service command line arguments
 * Fixed a bug that could cause excessive queued multicasts
 # 2019-08-23 -- Version 1.4.4
 * Change license from GPL3 to BSL 1.1, see LICENSE.txt
 * Fix an issue with the "ipauth" rule and auto-generated unforgeable IPv6 addresses
 * Fix socket/bind errors setting IPs and routes on Linux
 # 2019-08-12 -- Version 1.4.2
 * Fix high CPU use bug on some platforms
 * Fix issues with PostgreSQL controller DB (only affects Central)
 * Restore backward compatibility with MacOS versions prior to 10.13
 # 2019-07-29 -- Version 1.4.0
 ### Major Changes
 * Mac version no longer requires a kernel extension, instead making use of the [feth interfaces](https://apple.stackexchange.com/questions/337715/fake-ethernet-interfaces-feth-if-fake-anyone-ever-seen-this).
 * Added support for concurrent multipath (multiple paths at once) with traffic weighting by link quality and faster recovery from lost links.
 * Added under-the-hood support for QoS (not yet exposed) that will eventually be configurable via our rules engine.
 ### Minor Changes and Bug Fixes
 * Experimental controller DB driver for [LF](https://github.com/zerotier/lf) to store network controller data (LFDB.cpp / LFDB.hpp).
 * Modified credential push and direct path push timings and algorithms to somewhat reduce "chattiness" of the protocol when idle. More radical background overhead reductions will have to wait for the 2.x line.
 * Removed our beta/half-baked integration of Central with the Windows UI. We're going to do a whole new UI of some kind in the future at least for Windows and Mac.
 * Fixed stack overflow issues on Linux versions using musl libc.
 * Fixed some alignment problems reported on ARM and ARM64, but some reports we could not reproduce so please report any issues with exact chip, OS/distro, and ZeroTier version in use.
 * Fixed numerous other small issues and bugs such as ARM alignment issues causing crashes on some devices.
 * Windows now sets the adapter name such that it is consistent in both the Windows UI and command line utilities.
 # 2018-07-27 -- Version 1.2.12
 * Fixed a bug that caused exits to take a long time on Mac due to huge numbers of redundant attempts to delete managed routes.
 * Fixed a socket limit problem on Windows that caused the ZeroTier service to run out of sockets, causing the UI and CLI to be unable to access the API.
 * Fixed a threading bug in the ZeroTier Core, albeit one that never manifested on the regular ZeroTier One service/client.
 * Fixed a bug that could cause the service to crash if an authorized local client accessed an invalid URL via the control API. (Not exploitable since you needed admin access anyway.)
 # 2018-05-08 -- Version 1.2.10
 * Fix bug loading `moons.d/` files for federated root operation.
@ -36,7 +355,7 @@ ZeroTier Release Notes
    * Fixed two very rare multithreading issues that were only observed on certain systems
 * Platform-Specific Changes
    * MacOS
-        * Installer now loads the kernel extension right away so that High Sierra users will see the prompt to authorize it. This is done in the "Security & Privacy" preference pane and must be done driectly on the console (not via remote desktop). On High Sierra and newer kexts must be authorized at the console via security settings system preferences pane.
+        * Installer now loads the kernel extension right away so that High Sierra users will see the prompt to authorize it. This is done in the "Security & Privacy" preference pane and must be done directly on the console (not via remote desktop). On High Sierra and newer kexts must be authorized at the console via security settings system preferences pane.
    * Windows
        * The Windows installer should now install the driver without requiring a special prompt in most cases. This should make it easier for our packages to be accepted into and updated in the Chocolatey repository and should make it easier to perform remote installs across groups of machines using IT management and provisioning tools.
        * The Windows official packages are now signed with an EV certificate (with hardware key).
@ -53,7 +372,7 @@ ZeroTier Release Notes
 # 2017-04-20 -- Version 1.2.4
 * Managed routes are now only bifurcated for the default route. This is a change in behavior, though few people will probably notice. Bifurcating all managed routes was causing more trouble than it was worth for most users.
- * Up to 2X crypto speedup on x86-64 (except Windows, which will take some porting) and 32-bit ARM platforms due to integration of fast assembly language implementations of Salsa20/12 from the [supercop](http://bench.cr.yp.to/supercop.html) code base. These were written by Daniel J. Bernstein and are in the public domain. My Macbook Pro (Core i5 2.8ghz) now does almost 1.5GiB/sec Salsa20/12 per core and a Raspberry Pi got a 2X boost. 64-bit ARM support and Windows support will take some work but should not be too hard.
+ * Up to 2X crypto speedup on x86-64 (except Windows, which will take some porting) and 32-bit ARM platforms due to integration of fast assembly language implementations of Salsa20/12 from the [supercop](http://bench.cr.yp.to/supercop.html) code base. These were written by Daniel J. Bernstein and are in the public domain. My MacBook Pro (Core i5 2.8ghz) now does almost 1.5GiB/sec Salsa20/12 per core and a Raspberry Pi got a 2X boost. 64-bit ARM support and Windows support will take some work but should not be too hard.
 * Refactored code that manages credentials to greatly reduce memory use in most cases. This may also result in a small performance improvement.
 * Reworked and simplified path selection and priority logic to fix path instability and dead path persistence edge cases. There have been some sporadic reports of persistent path instabilities and dead paths hanging around that take minutes to resolve. These have proven difficult to reproduce in house, but hopefully this will fix them. In any case it seems to speed up path establishment in our tests and it makes the code simpler and more readable.
 * Eliminated some unused cruft from the code around path management and in the peer class.
@ -78,7 +397,7 @@ The largest new feature in 1.2.0, and the product of many months of work, is our
 Rules allow you to filter packets on your network and vector traffic to security observers. Security observation can be performed in-band using REDIRECT or out of band using TEE.
-Tags and capabilites provide advanced methods for implementing fine grained permission structures and micro-segmentation schemes without bloating the size and complexity of your rules table.
+Tags and capabilities provide advanced methods for implementing fine grained permission structures and micro-segmentation schemes without bloating the size and complexity of your rules table.
 See the [rules engine announcement blog post](https://www.zerotier.com/blog/?p=927) for an in-depth discussion of theory and implementation. The [manual](https://www.zerotier.com/manual.shtml) contains detailed information on rule, tag, and capability use, and the `rule-compiler/` subfolder of the ZeroTier source tree contains a JavaScript function to compile rules in our human-readable rule definition language into rules suitable for import into a network controller. (ZeroTier Central uses this same script to compile rules on [my.zerotier.com](https://my.zerotier.com/).)
@ -161,7 +480,7 @@ A special kind of public network called an ad-hoc network may be accessed by joi
    | Start of port range (hex)
    Reserved ZeroTier address prefix indicating a controller-less network
-Ad-hoc networks are public (no access control) networks that have no network controller. Instead their configuration and other credentials are generated locally. Ad-hoc networks permit only IPv6 UDP and TCP unicast traffic (no multicast or broadcast) using 6plane format NDP-emulated IPv6 addresses. In addition an ad-hoc network ID encodes an IP port range. UDP packets and TCP SYN (connection open) packets are only allowed to desintation ports within the encoded range.
+Ad-hoc networks are public (no access control) networks that have no network controller. Instead their configuration and other credentials are generated locally. Ad-hoc networks permit only IPv6 UDP and TCP unicast traffic (no multicast or broadcast) using 6plane format NDP-emulated IPv6 addresses. In addition an ad-hoc network ID encodes an IP port range. UDP packets and TCP SYN (connection open) packets are only allowed to destination ports within the encoded range.
 For example `ff00160016000000` is an ad-hoc network allowing only SSH, while `ff0000ffff000000` is an ad-hoc network allowing any UDP or TCP port.
@ -176,7 +495,7 @@ If you have data in an old SQLite3 controller we've included a NodeJS script in
 ## Major Bug Fixes in 1.2.0
 * **The Windows HyperV 100% CPU bug is FINALLY DEAD**: This long-running problem turns out to have been an issue with Windows itself, but one we were triggering by placing invalid data into the Windows registry. Microsoft is aware of the issue but we've also fixed the triggering problem on our side. ZeroTier should now co-exist quite well with HyperV and should now be able to be bridged with a HyperV virtual switch.
- * **Segmenation faults on musl-libc based Linux systems**: Alpine Linux and some embedded Linux systems that use musl libc (a minimal libc) experienced segmentation faults. These were due to a smaller default stack size. A work-around that sets the stack size for new threads has been added.
+ * **Segmentation faults on musl-libc based Linux systems**: Alpine Linux and some embedded Linux systems that use musl libc (a minimal libc) experienced segmentation faults. These were due to a smaller default stack size. A work-around that sets the stack size for new threads has been added.
 * **Windows firewall blocks local JSON API**: On some Windows systems the firewall likes to block 127.0.0.1:9993 for mysterious reasons. This is now fixed in the installer via the addition of another firewall exemption rule.
 * **UI crash on embedded Windows due to missing fonts**: The MSI installer now ships fonts and will install them if they are not present, so this should be fixed.
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,93 @@
 # Security
 ZeroTier takes the security of our software products and services seriously, which 
 includes all source code repositories managed through our GitHub organization.
 ## Supported Versions
 The following versions of ZeroTier One receive security updates
 | Version  | Supported          |
 | -------- | ------------------ |
 | 1.14.x   | :white_check_mark: |
 | 1.12.x   | :white_check_mark: |
 | < 1.12.0 | :x:                |
 ## Reporting a Vulnerability
 **Please do not report security issues through public GitHub issues**
 Instead, please report vulnerabilities via email to security@zerotier.com. If possible,
 please encrypt with our PGP key (see below).
 Please include the following information, or as much as you can provide to help us 
 understand the nature and scope of the issue:
  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
  * Full paths of source file(s) related to the manifestation of the issue
  * The location of the affected source code (tag/branch/commit or direct URL)
  * Any special configuration required to reproduce the issue
  * Step-by-step instructions to reproduce the issue
  * Proof-of-concept or exploit code (if possible)
  * Impact of the issue, including how an attacker might exploit the issue
 ## Preferred Languages
 We prefer all communications to be in English.
 ## security@zerotier.com PGP key
 ```
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGQGOVIBEACalXTnNqaiSOVLFEiqHpDMg8N/OI5D5850Xy1ZEvx3B3rz7cbn
 k30ozHtJKbh+vqpyItE7DjyQAuF19gP5Q64Yh0Y+MmLHq60q/GwOwAYz7cI+UzA3
 5x8YqcmTp32LAM1xJn+iMlMLBuAmJl4kULKmOXPlpqPiyTFs5saizvm7fgRmfgJJ
 HpsnIrTkaDFJhAR+jvMJohVYwmhuydeI0DsHu7KGpG1ddcHDrUjOPNqXnnAPSPwx
 llw4yfKlQb8GYErsv/G5QVyzd5+SxEuiI4MARRnrk8LlMQ33CR6pzIQ/Bk5AAmye
 mHqfEAknkiOf++urYhRs9BL3Kz3MdV0cg92zr9EFOg0u56jxf5OnAiTOhGUUA0hn
 dS7peVGl46R9Oy2JYIazNDGi+4NIsYDFXsnsss9xOQVygPyeQd71zFHfix0jct9w
 j3o/kj7Egsnm9nc13354bYT6bbalqXiRWwGH1eAFpjueNWiVFwZS6NZUP3WeNDiY
 BlPo1LodvolbXiJcTILTCyEkERJPCK2zoE2nTdVfvTLWsuehw1M6Yd2/q74TVYy/
 RY+KjHkrChEBQ9PqXsXRHj6opKbT8JLfZkvU5k+3IiqqxOpB+QXFI/whj493CxWW
 so7QAmzOCyJq8GDVPxzkwUac22YIkXdiOmb8i/HWq+kLY/HjQE259Gx6KwARAQAB
 tClaZXJvVGllciBTZWN1cml0eSA8c2VjdXJpdHlAemVyb3RpZXIuY29tPokCTAQT
 AQoANhYhBH1HQGb+4jzl6mnFqf09m6uqADkABQJkBjlSAhsDBAsJCAcEFQoJCAUW
 AgMBAAIeAQIXgAAKCRD9PZurqgA5ACqPD/sFt6SG6Tu0HwTY2ofJtYsa2GBLL0pf
 dYlX4cWSs1PVB5+m5Oj18y+GB2umA9GnsVtmvaSfp3XEngt2zNWX27uUsVfL35b2
 /5TVVe8RjzOedqMN+lQWMvO+f/C1zmWYXjjpC+iGjgMMaRRrofkkn+7uL4N9y6gY
 rcXtpACT1rYFC+i1AKnZfUO8Vr5ji7odq0f7bDkN/N38rB0kRRwEmO8wqdpQK6gK
 nxf9vgJl5ggimDk5Xtz1sfd3y28bf5N4hdOCkXUbd10nUFY3wDNTM4VxozxTGJeG
 imdcc19Wuw/1fGUZ5SIjgPanCdPLGYwSTr+M6Fuern9uTtlC1GOby3BUtmVGP6EU
 1pSAJSRpmoBPHKKOYtSMwV8PCboXru9P1ab8y8STKM3SKyghUJrl17gdc0LaksZa
 E54pJudGPIQMFRqZjMdV6jgMuaLTozjZ4mW8EThf4mkX4xDkO8l7cOn0225ZYJZC
 lZKpdnwzk9owkJA80u4KBNJxTtB4ZAPzjBsD5hFzCZQTLNQp/psU3EjZsau28eXT
 E/C1QjEQHgy4ohkgQlCm1H1+clKssCWcdmsVGXuS1u8gh4K6X9b0Z6LeCGRaQvH2
 +DB8oTAdqp9nUZv9rP4pbo+sR4fF67CFLriVuxjedAiFkbM4uHMFcL4tc/X9+DRo
 YN5X7oEkZvO507kCDQRkBjlSARAAz58UMF7K1qKyQjzKTcutaYZ5SaIGky9lCLZn
 /2vjpFCoBogkxS/6IKQcwZk8b4S9QstaaQZDFEkxqNeKC0GiFTAMAb6SmYcK495h
 EZnHl0NA5Nc2dBlZk5E/ENzTCz2bXaxCcVESc2z+xCzu07brbhGrqvliKiwOUzt9
 JzqEsar6I95OutBcZvkFCs44/Uf9bS1qf1w4klE8w3vdMtGH23umrET4tFZ+sh6o
 ZFtQx0u2eKjsRdn/RMtsxLNaJlcE1DdIAqBpQrcmuwMC8v5wUGfCGZjhClzmyQlq
 akUkayir7UtbHbFT/mgO+YI77YGXWk5QrwPscqqT2l8KB/YMujNDmaWa/0KV1lIY
 zr5s4dzVeiwqFLR9ANFIhzFwzf3JLi6XSx123Qix0TxZoYPZCHl7yoi9qi6qybz5
 0Od2LSz3jbApeKYymZ+zjE+YV5y9DI6Wzy1j2M1FogNvTO9fMk+6dLt4HhTdSNvH
 cKya462YCcy+tnZTkhmh+FTebbJlV6D4wG7skE5KCdBhjm53xLwp6XW9L6n2CrkL
 W1IDBcCz0oPd1sMkXbO3wnxdXprV2XurCfsg/R2nszSNzvdJ8/xj3cr9hpoJ714R
 qqyoEDRZ1Ss9kGL166o5MpN5qb/EewdkqGgWP7YFXbhsdHQiW7Z7dAqzjoaybD4O
 nakkwyUAEQEAAYkCNgQYAQoAIBYhBH1HQGb+4jzl6mnFqf09m6uqADkABQJkBjlS
 AhsMAAoJEP09m6uqADkAax0P/Rh8EZYRqW6dPYTl1YQusAK10rAcRNq3ekjofXGk
 oXK1S7HWGoFgl5++5nfSfNgFJ5VLcgIM56wtIf49zFjWe5oC6fw8k+ghh4d2chMP
 hdDILx6e0c30Iq1+EvovGR9hWa0wJ4cKTdzlwhY9ZC09q0ia+bl2mwpie1JQDR0c
 zXCjt+PldLeeK9z1/XT0Q7KowYC+U18oR+KFm+EaRV4QT85JVequnIeGkmaHJrHB
 lH4T5A5ib7y8edon1c0Zx3GsaxJUojkEJ0SX7ffVDu6ztUZfkHfCVpMW4VzUeGA/
 m+CtFO9ciLRGZEkRa+zhIGoBvwEXU0GiwiF4nZ0F2C8UioeW0YIEV9zl3nXJctYE
 ZKc2whSENQRTGgaYHVoVZhznt71LKWgFLshwBo81UCXVkzwAjMW1ActDnmPw5M7q
 xR5Qp5G49Z1GmfSozazha0HVFPKNV5i3RlTzs4yLUnZyH0yC9IvtOefMHcLjG96L
 N5miEV97gvJJjrn8rhRvpUwAWgmT/9IuYjBNQTtNN40arto5HxezR76WCjdKYxdL
 p3dM1iiBDShHNm7LdyZlLFhTOMU0tNBxJJ7B09ar5gakeZjD+2aB1ODX9VuFtozL
 onBjI2gIkry0UIkuznHfFw05lZAZAiqHEVgVi/WTk4C/bklDZNgE0lx+IWzEz2iS
 L455
 =lheL
 -----END PGP PUBLIC KEY BLOCK-----
 ```
--- a/artwork/AppIcon_90x90.png
+++ b/artwork/AppIcon_90x90.png
--- a/attic/Cluster.cpp
+++ b/attic/Cluster.cpp
--- a/attic/Cluster.hpp
+++ b/attic/Cluster.hpp
@ -1,463 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2017  ZeroTier, Inc.  https://www.zerotier.com/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * You can be released from the requirements of the license by purchasing
 * a commercial license. Buying such a license is mandatory as soon as you
 * develop commercial closed-source software that incorporates or links
 * directly against ZeroTier software without disclosing the source code
 * of your own application.
 */
 #ifndef ZT_CLUSTER_HPP
 #define ZT_CLUSTER_HPP
 #ifdef ZT_ENABLE_CLUSTER
 #include <map>
 #include "Constants.hpp"
 #include "../include/ZeroTierOne.h"
 #include "Address.hpp"
 #include "InetAddress.hpp"
 #include "SHA512.hpp"
 #include "Utils.hpp"
 #include "Buffer.hpp"
 #include "Mutex.hpp"
 #include "SharedPtr.hpp"
 #include "Hashtable.hpp"
 #include "Packet.hpp"
 #include "SharedPtr.hpp"
 /**
 * Timeout for cluster members being considered "alive"
 *
 * A cluster member is considered dead and will no longer have peers
 * redirected to it if we have not heard a heartbeat in this long.
 */
 #define ZT_CLUSTER_TIMEOUT 5000
 /**
 * Desired period between doPeriodicTasks() in milliseconds
 */
 #define ZT_CLUSTER_PERIODIC_TASK_PERIOD 20
 /**
 * How often to flush outgoing message queues (maximum interval)
 */
 #define ZT_CLUSTER_FLUSH_PERIOD ZT_CLUSTER_PERIODIC_TASK_PERIOD
 /**
 * Maximum number of queued outgoing packets per sender address
 */
 #define ZT_CLUSTER_MAX_QUEUE_PER_SENDER 16
 /**
 * Expiration time for send queue entries
 */
 #define ZT_CLUSTER_QUEUE_EXPIRATION 3000
 /**
 * Chunk size for allocating queue entries
 *
 * Queue entries are allocated in chunks of this many and are added to a pool.
 * ZT_CLUSTER_MAX_QUEUE_GLOBAL must be evenly divisible by this.
 */
 #define ZT_CLUSTER_QUEUE_CHUNK_SIZE 32
 /**
 * Maximum number of chunks to ever allocate
 *
 * This is a global sanity limit to prevent resource exhaustion attacks. It
 * works out to about 600mb of RAM. You'll never see this on a normal edge
 * node. We're unlikely to see this on a root server unless someone is DOSing
 * us. In that case cluster relaying will be affected but other functions
 * should continue to operate normally.
 */
 #define ZT_CLUSTER_MAX_QUEUE_CHUNKS 8194
 /**
 * Max data per queue entry
 */
 #define ZT_CLUSTER_SEND_QUEUE_DATA_MAX 1500
 /**
 * We won't send WANT_PEER to other members more than every (ms) per recipient
 */
 #define ZT_CLUSTER_WANT_PEER_EVERY 1000
 namespace ZeroTier {
 class RuntimeEnvironment;
 class MulticastGroup;
 class Peer;
 class Identity;
 // Internal class implemented inside Cluster.cpp
 class _ClusterSendQueue;
 /**
 * Multi-homing cluster state replication and packet relaying
 *
 * Multi-homing means more than one node sharing the same ZeroTier identity.
 * There is nothing in the protocol to prevent this, but to make it work well
 * requires the devices sharing an identity to cooperate and share some
 * information.
 *
 * There are three use cases we want to fulfill:
 *
 * (1) Multi-homing of root servers with handoff for efficient routing,
 *     HA, and load balancing across many commodity nodes.
 * (2) Multi-homing of network controllers for the same reason.
 * (3) Multi-homing of nodes on virtual networks, such as domain servers
 *     and other important endpoints.
 *
 * These use cases are in order of escalating difficulty. The initial
 * version of Cluster is aimed at satisfying the first, though you are
 * free to try #2 and #3.
 */
 class Cluster
 {
 public:
 	/**
 	 * State message types
 	 */
 	enum StateMessageType
 	{
 		CLUSTER_MESSAGE_NOP = 0,
 		/**
 		 * This cluster member is alive:
 		 *   <[2] version minor>
 		 *   <[2] version major>
 		 *   <[2] version revision>
 		 *   <[1] protocol version>
 		 *   <[4] X location (signed 32-bit)>
 		 *   <[4] Y location (signed 32-bit)>
 		 *   <[4] Z location (signed 32-bit)>
 		 *   <[8] local clock at this member>
 		 *   <[8] load average>
 		 *   <[8] number of peers>
 		 *   <[8] flags (currently unused, must be zero)>
 		 *   <[1] number of preferred ZeroTier endpoints>
 		 *   <[...] InetAddress(es) of preferred ZeroTier endpoint(s)>
 		 *
 		 * Cluster members constantly broadcast an alive heartbeat and will only
 		 * receive peer redirects if they've done so within the timeout.
 		 */
 		CLUSTER_MESSAGE_ALIVE = 1,
 		/**
 		 * Cluster member has this peer:
 		 *   <[...] serialized identity of peer>
 		 *
 		 * This is typically sent in response to WANT_PEER but can also be pushed
 		 * to prepopulate if this makes sense.
 		 */
 		CLUSTER_MESSAGE_HAVE_PEER = 2,
 		/**
 		 * Cluster member wants this peer:
 		 *   <[5] ZeroTier address of peer>
 		 *
 		 * Members that have a direct link to this peer will respond with
 		 * HAVE_PEER.
 		 */
 		CLUSTER_MESSAGE_WANT_PEER = 3,
 		/**
 		 * A remote packet that we should also possibly respond to:
 		 *   <[2] 16-bit length of remote packet>
 		 *   <[...] remote packet payload>
 		 *
 		 * Cluster members may relay requests by relaying the request packet.
 		 * These may include requests such as WHOIS and MULTICAST_GATHER. The
 		 * packet must be already decrypted, decompressed, and authenticated.
 		 *
 		 * This can only be used for small request packets as per the cluster
 		 * message size limit, but since these are the only ones in question
 		 * this is fine.
 		 *
 		 * If a response is generated it is sent via PROXY_SEND.
 		 */
 		CLUSTER_MESSAGE_REMOTE_PACKET = 4,
 		/**
 		 * Request that VERB_RENDEZVOUS be sent to a peer that we have:
 		 *   <[5] ZeroTier address of peer on recipient's side>
 		 *   <[5] ZeroTier address of peer on sender's side>
 		 *   <[1] 8-bit number of sender's peer's active path addresses>
 		 *   <[...] series of serialized InetAddresses of sender's peer's paths>
 		 *
 		 * This requests that we perform NAT-t introduction between a peer that
 		 * we have and one on the sender's side. The sender furnishes contact
 		 * info for its peer, and we send VERB_RENDEZVOUS to both sides: to ours
 		 * directly and with PROXY_SEND to theirs.
 		 */
 		CLUSTER_MESSAGE_PROXY_UNITE = 5,
 		/**
 		 * Request that a cluster member send a packet to a locally-known peer:
 		 *   <[5] ZeroTier address of recipient>
 		 *   <[1] packet verb>
 		 *   <[2] length of packet payload>
 		 *   <[...] packet payload>
 		 *
 		 * This differs from RELAY in that it requests the receiving cluster
 		 * member to actually compose a ZeroTier Packet from itself to the
 		 * provided recipient. RELAY simply says "please forward this blob."
 		 * RELAY is used to implement peer-to-peer relaying with RENDEZVOUS,
 		 * while PROXY_SEND is used to implement proxy sending (which right
 		 * now is only used to send RENDEZVOUS).
 		 */
 		CLUSTER_MESSAGE_PROXY_SEND = 6,
 		/**
 		 * Replicate a network config for a network we belong to:
 		 *   <[...] network config chunk>
 		 *
 		 * This is used by clusters to avoid every member having to query
 		 * for the same netconf for networks all members belong to.
 		 *
 		 * The first field of a network config chunk is the network ID,
 		 * so this can be checked to look up the network on receipt.
 		 */
 		CLUSTER_MESSAGE_NETWORK_CONFIG = 7
 	};
 	/**
 	 * Construct a new cluster
 	 */
 	Cluster(
 		const RuntimeEnvironment *renv,
 		uint16_t id,
 		const std::vector<InetAddress> &zeroTierPhysicalEndpoints,
 		int32_t x,
 		int32_t y,
 		int32_t z,
 		void (*sendFunction)(void *,unsigned int,const void *,unsigned int),
 		void *sendFunctionArg,
 		int (*addressToLocationFunction)(void *,const struct sockaddr_storage *,int *,int *,int *),
 		void *addressToLocationFunctionArg);
 	~Cluster();
 	/**
 	 * @return This cluster member's ID
 	 */
 	inline uint16_t id() const throw() { return _id; }
 	/**
 	 * Handle an incoming intra-cluster message
 	 *
 	 * @param data Message data
 	 * @param len Message length (max: ZT_CLUSTER_MAX_MESSAGE_LENGTH)
 	 */
 	void handleIncomingStateMessage(const void *msg,unsigned int len);
 	/**
 	 * Broadcast that we have a given peer
 	 *
 	 * This should be done when new peers are first contacted.
 	 *
 	 * @param id Identity of peer
 	 */
 	void broadcastHavePeer(const Identity &id);
 	/**
 	 * Broadcast a network config chunk to other members of cluster
 	 *
 	 * @param chunk Chunk data
 	 * @param len Length of chunk
 	 */
 	void broadcastNetworkConfigChunk(const void *chunk,unsigned int len);
 	/**
 	 * If the cluster has this peer, prepare the packet to send via cluster
 	 *
 	 * Note that outp is only armored (or modified at all) if the return value is a member ID.
 	 *
 	 * @param toPeerAddress Value of outp.destination(), simply to save additional lookup
 	 * @param ts Result: set to time of last HAVE_PEER from the cluster
 	 * @param peerSecret Result: Buffer to fill with peer secret on valid return value, must be at least ZT_PEER_SECRET_KEY_LENGTH bytes
 	 * @return -1 if cluster does not know this peer, or a member ID to pass to sendViaCluster()
 	 */
 	int checkSendViaCluster(const Address &toPeerAddress,uint64_t &mostRecentTs,void *peerSecret);
 	/**
 	 * Send data via cluster front plane (packet head or fragment)
 	 *
 	 * @param haveMemberId Member ID that has this peer as returned by prepSendviaCluster()
 	 * @param toPeerAddress Destination peer address
 	 * @param data Packet or packet fragment data
 	 * @param len Length of packet or fragment
 	 * @return True if packet was sent (and outp was modified via armoring)
 	 */
 	bool sendViaCluster(int haveMemberId,const Address &toPeerAddress,const void *data,unsigned int len);
 	/**
 	 * Relay a packet via the cluster
 	 *
 	 * This is used in the outgoing packet and relaying logic in Switch to
 	 * relay packets to other cluster members. It isn't PROXY_SEND-- that is
 	 * used internally in Cluster to send responses to peer queries.
 	 *
 	 * @param fromPeerAddress Source peer address (if known, should be NULL for fragments)
 	 * @param toPeerAddress Destination peer address
 	 * @param data Packet or packet fragment data
 	 * @param len Length of packet or fragment
 	 * @param unite If true, also request proxy unite across cluster
 	 */
 	void relayViaCluster(const Address &fromPeerAddress,const Address &toPeerAddress,const void *data,unsigned int len,bool unite);
 	/**
 	 * Send a distributed query to other cluster members
 	 *
 	 * Some queries such as WHOIS or MULTICAST_GATHER need a response from other
 	 * cluster members. Replies (if any) will be sent back to the peer via
 	 * PROXY_SEND across the cluster.
 	 *
 	 * @param pkt Packet to distribute
 	 */
 	void sendDistributedQuery(const Packet &pkt);
 	/**
 	 * Call every ~ZT_CLUSTER_PERIODIC_TASK_PERIOD milliseconds.
 	 */
 	void doPeriodicTasks();
 	/**
 	 * Add a member ID to this cluster
 	 *
 	 * @param memberId Member ID
 	 */
 	void addMember(uint16_t memberId);
 	/**
 	 * Remove a member ID from this cluster
 	 *
 	 * @param memberId Member ID to remove
 	 */
 	void removeMember(uint16_t memberId);
 	/**
 	 * Find a better cluster endpoint for this peer (if any)
 	 *
 	 * @param redirectTo InetAddress to be set to a better endpoint (if there is one)
 	 * @param peerAddress Address of peer to (possibly) redirect
 	 * @param peerPhysicalAddress Physical address of peer's current best path (where packet was most recently received or getBestPath()->address())
 	 * @param offload Always redirect if possible -- can be used to offload peers during shutdown
 	 * @return True if redirectTo was set to a new address, false if redirectTo was not modified
 	 */
 	bool findBetterEndpoint(InetAddress &redirectTo,const Address &peerAddress,const InetAddress &peerPhysicalAddress,bool offload);
 	/**
 	 * @param ip Address to check
 	 * @return True if this is a cluster frontplane address (excluding our addresses)
 	 */
 	bool isClusterPeerFrontplane(const InetAddress &ip) const;
 	/**
 	 * Fill out ZT_ClusterStatus structure (from core API)
 	 *
 	 * @param status Reference to structure to hold result (anything there is replaced)
 	 */
 	void status(ZT_ClusterStatus &status) const;
 private:
 	void _send(uint16_t memberId,StateMessageType type,const void *msg,unsigned int len);
 	void _flush(uint16_t memberId);
 	void _doREMOTE_WHOIS(uint64_t fromMemberId,const Packet &remotep);
 	void _doREMOTE_MULTICAST_GATHER(uint64_t fromMemberId,const Packet &remotep);
 	// These are initialized in the constructor and remain immutable ------------
 	uint16_t _masterSecret[ZT_SHA512_DIGEST_LEN / sizeof(uint16_t)];
 	unsigned char _key[ZT_PEER_SECRET_KEY_LENGTH];
 	const RuntimeEnvironment *RR;
 	_ClusterSendQueue *const _sendQueue;
 	void (*_sendFunction)(void *,unsigned int,const void *,unsigned int);
 	void *_sendFunctionArg;
 	int (*_addressToLocationFunction)(void *,const struct sockaddr_storage *,int *,int *,int *);
 	void *_addressToLocationFunctionArg;
 	const int32_t _x;
 	const int32_t _y;
 	const int32_t _z;
 	const uint16_t _id;
 	const std::vector<InetAddress> _zeroTierPhysicalEndpoints;
 	// end immutable fields -----------------------------------------------------
 	struct _Member
 	{
 		unsigned char key[ZT_PEER_SECRET_KEY_LENGTH];
 		uint64_t lastReceivedAliveAnnouncement;
 		uint64_t lastAnnouncedAliveTo;
 		uint64_t load;
 		uint64_t peers;
 		int32_t x,y,z;
 		std::vector<InetAddress> zeroTierPhysicalEndpoints;
 		Buffer<ZT_CLUSTER_MAX_MESSAGE_LENGTH> q;
 		Mutex lock;
 		inline void clear()
 		{
 			lastReceivedAliveAnnouncement = 0;
 			lastAnnouncedAliveTo = 0;
 			load = 0;
 			peers = 0;
 			x = 0;
 			y = 0;
 			z = 0;
 			zeroTierPhysicalEndpoints.clear();
 			q.clear();
 		}
 		_Member() { this->clear(); }
 		~_Member() { Utils::burn(key,sizeof(key)); }
 	};
 	_Member *const _members;
 	std::vector<uint16_t> _memberIds;
 	Mutex _memberIds_m;
 	struct _RemotePeer
 	{
 		_RemotePeer() : lastHavePeerReceived(0),lastSentWantPeer(0) {}
 		~_RemotePeer() { Utils::burn(key,ZT_PEER_SECRET_KEY_LENGTH); }
 		uint64_t lastHavePeerReceived;
 		uint64_t lastSentWantPeer;
 		uint8_t key[ZT_PEER_SECRET_KEY_LENGTH]; // secret key from identity agreement
 	};
 	std::map< std::pair<Address,unsigned int>,_RemotePeer > _remotePeers; // we need ordered behavior and lower_bound here
 	Mutex _remotePeers_m;
 	uint64_t _lastFlushed;
 	uint64_t _lastCleanedRemotePeers;
 	uint64_t _lastCleanedQueue;
 };
 } // namespace ZeroTier
 #endif // ZT_ENABLE_CLUSTER
 #endif
--- a/attic/ClusterDefinition.hpp
+++ b/attic/ClusterDefinition.hpp
@ -1,168 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2017  ZeroTier, Inc.  https://www.zerotier.com/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * You can be released from the requirements of the license by purchasing
 * a commercial license. Buying such a license is mandatory as soon as you
 * develop commercial closed-source software that incorporates or links
 * directly against ZeroTier software without disclosing the source code
 * of your own application.
 */
 #ifndef ZT_CLUSTERDEFINITION_HPP
 #define ZT_CLUSTERDEFINITION_HPP
 #ifdef ZT_ENABLE_CLUSTER
 #include <vector>
 #include <algorithm>
 #include "../node/Constants.hpp"
 #include "../node/Utils.hpp"
 #include "../node/NonCopyable.hpp"
 #include "../osdep/OSUtils.hpp"
 #include "ClusterGeoIpService.hpp"
 namespace ZeroTier {
 /**
 * Parser for cluster definition file
 */
 class ClusterDefinition : NonCopyable
 {
 public:
 	struct MemberDefinition
 	{
 		MemberDefinition() : id(0),x(0),y(0),z(0) { name[0] = (char)0; }
 		unsigned int id;
 		int x,y,z;
 		char name[256];
 		InetAddress clusterEndpoint;
 		std::vector<InetAddress> zeroTierEndpoints;
 	};
 	/**
 	 * Load and initialize cluster definition and GeoIP data if any
 	 *
 	 * @param myAddress My ZeroTier address
 	 * @param pathToClusterFile Path to cluster definition file
 	 * @throws std::runtime_error Invalid cluster definition or unable to load data
 	 */
 	ClusterDefinition(uint64_t myAddress,const char *pathToClusterFile)
 	{
 		std::string cf;
 		if (!OSUtils::readFile(pathToClusterFile,cf))
 			return;
 		char myAddressStr[64];
 		Utils::ztsnprintf(myAddressStr,sizeof(myAddressStr),"%.10llx",myAddress);
 		std::vector<std::string> lines(OSUtils::split(cf.c_str(),"\r\n","",""));
 		for(std::vector<std::string>::iterator l(lines.begin());l!=lines.end();++l) {
 			std::vector<std::string> fields(OSUtils::split(l->c_str()," \t","",""));
 			if ((fields.size() < 5)||(fields[0][0] == '#')||(fields[0] != myAddressStr))
 				continue;
 			// <address> geo <CSV path> <ip start column> <ip end column> <latitutde column> <longitude column>
 			if (fields[1] == "geo") {
 				if ((fields.size() >= 7)&&(OSUtils::fileExists(fields[2].c_str()))) {
 					int ipStartColumn = Utils::strToInt(fields[3].c_str());
 					int ipEndColumn = Utils::strToInt(fields[4].c_str());
 					int latitudeColumn = Utils::strToInt(fields[5].c_str());
 					int longitudeColumn = Utils::strToInt(fields[6].c_str());
 					if (_geo.load(fields[2].c_str(),ipStartColumn,ipEndColumn,latitudeColumn,longitudeColumn) <= 0)
 						throw std::runtime_error(std::string("failed to load geo-ip data from ")+fields[2]);
 				}
 				continue;
 			}
 			// <address> <ID> <name> <backplane IP/port(s)> <ZT frontplane IP/port(s)> <x,y,z>
 			int id = Utils::strToUInt(fields[1].c_str());
 			if ((id < 0)||(id > ZT_CLUSTER_MAX_MEMBERS))
 				throw std::runtime_error(std::string("invalid cluster member ID: ")+fields[1]);
 			MemberDefinition &md = _md[id];
 			md.id = (unsigned int)id;
 			if (fields.size() >= 6) {
 				std::vector<std::string> xyz(OSUtils::split(fields[5].c_str(),",","",""));
 				md.x = (xyz.size() > 0) ? Utils::strToInt(xyz[0].c_str()) : 0;
 				md.y = (xyz.size() > 1) ? Utils::strToInt(xyz[1].c_str()) : 0;
 				md.z = (xyz.size() > 2) ? Utils::strToInt(xyz[2].c_str()) : 0;
 			}
 			Utils::scopy(md.name,sizeof(md.name),fields[2].c_str());
 			md.clusterEndpoint.fromString(fields[3]);
 			if (!md.clusterEndpoint)
 				continue;
 			std::vector<std::string> zips(OSUtils::split(fields[4].c_str(),",","",""));
 			for(std::vector<std::string>::iterator zip(zips.begin());zip!=zips.end();++zip) {
 				InetAddress i;
 				i.fromString(*zip);
 				if (i)
 					md.zeroTierEndpoints.push_back(i);
 			}
 			_ids.push_back((unsigned int)id);
 		}
 		std::sort(_ids.begin(),_ids.end());
 	}
 	/**
 	 * @return All member definitions in this cluster by ID (ID is array index)
 	 */
 	inline const MemberDefinition &operator[](unsigned int id) const throw() { return _md[id]; }
 	/**
 	 * @return Number of members in this cluster
 	 */
 	inline unsigned int size() const throw() { return (unsigned int)_ids.size(); }
 	/**
 	 * @return IDs of members in this cluster sorted by ID
 	 */
 	inline const std::vector<unsigned int> &ids() const throw() { return _ids; }
 	/**
 	 * @return GeoIP service for this cluster
 	 */
 	inline ClusterGeoIpService &geo() throw() { return _geo; }
 	/**
 	 * @return A vector (new copy) containing all cluster members
 	 */
 	inline std::vector<MemberDefinition> members() const
 	{
 		std::vector<MemberDefinition> m;
 		for(std::vector<unsigned int>::const_iterator i(_ids.begin());i!=_ids.end();++i)
 			m.push_back(_md[*i]);
 		return m;
 	}
 private:
 	MemberDefinition _md[ZT_CLUSTER_MAX_MEMBERS];
 	std::vector<unsigned int> _ids;
 	ClusterGeoIpService _geo;
 };
 } // namespace ZeroTier
 #endif // ZT_ENABLE_CLUSTER
 #endif
--- a/attic/ClusterGeoIpService.cpp
+++ b/attic/ClusterGeoIpService.cpp
@ -1,243 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2017  ZeroTier, Inc.  https://www.zerotier.com/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * You can be released from the requirements of the license by purchasing
 * a commercial license. Buying such a license is mandatory as soon as you
 * develop commercial closed-source software that incorporates or links
 * directly against ZeroTier software without disclosing the source code
 * of your own application.
 */
 #ifdef ZT_ENABLE_CLUSTER
 #include <math.h>
 #include <cmath>
 #include "ClusterGeoIpService.hpp"
 #include "../node/Utils.hpp"
 #include "../osdep/OSUtils.hpp"
 #define ZT_CLUSTERGEOIPSERVICE_FILE_MODIFICATION_CHECK_EVERY 10000
 namespace ZeroTier {
 ClusterGeoIpService::ClusterGeoIpService() :
 	_pathToCsv(),
 	_ipStartColumn(-1),
 	_ipEndColumn(-1),
 	_latitudeColumn(-1),
 	_longitudeColumn(-1),
 	_lastFileCheckTime(0),
 	_csvModificationTime(0),
 	_csvFileSize(0)
 {
 }
 ClusterGeoIpService::~ClusterGeoIpService()
 {
 }
 bool ClusterGeoIpService::locate(const InetAddress &ip,int &x,int &y,int &z)
 {
 	Mutex::Lock _l(_lock);
 	if ((_pathToCsv.length() > 0)&&((OSUtils::now() - _lastFileCheckTime) > ZT_CLUSTERGEOIPSERVICE_FILE_MODIFICATION_CHECK_EVERY)) {
 		_lastFileCheckTime = OSUtils::now();
 		if ((_csvFileSize != OSUtils::getFileSize(_pathToCsv.c_str()))||(_csvModificationTime != OSUtils::getLastModified(_pathToCsv.c_str())))
 			_load(_pathToCsv.c_str(),_ipStartColumn,_ipEndColumn,_latitudeColumn,_longitudeColumn);
 	}
 	/* We search by looking up the upper bound of the sorted vXdb vectors
 	 * and then iterating down for a matching IP range. We stop when we hit
 	 * the beginning or an entry whose start and end are before the IP we
 	 * are searching. */
 	if ((ip.ss_family == AF_INET)&&(_v4db.size() > 0)) {
 		_V4E key;
 		key.start = Utils::ntoh((uint32_t)(reinterpret_cast<const struct sockaddr_in *>(&ip)->sin_addr.s_addr));
 		std::vector<_V4E>::const_iterator i(std::upper_bound(_v4db.begin(),_v4db.end(),key));
 		while (i != _v4db.begin()) {
 			--i;
 			if ((key.start >= i->start)&&(key.start <= i->end)) {
 				x = i->x;
 				y = i->y;
 				z = i->z;
 				//printf("%s : %f,%f %d,%d,%d\n",ip.toIpString().c_str(),i->lat,i->lon,x,y,z);
 				return true;
 			} else if ((key.start > i->start)&&(key.start > i->end))
 				break;
 		}
 	} else if ((ip.ss_family == AF_INET6)&&(_v6db.size() > 0)) {
 		_V6E key;
 		memcpy(key.start,reinterpret_cast<const struct sockaddr_in6 *>(&ip)->sin6_addr.s6_addr,16);
 		std::vector<_V6E>::const_iterator i(std::upper_bound(_v6db.begin(),_v6db.end(),key));
 		while (i != _v6db.begin()) {
 			--i;
 			const int s_vs_s = memcmp(key.start,i->start,16);
 			const int s_vs_e = memcmp(key.start,i->end,16);
 			if ((s_vs_s >= 0)&&(s_vs_e <= 0)) {
 				x = i->x;
 				y = i->y;
 				z = i->z;
 				//printf("%s : %f,%f %d,%d,%d\n",ip.toIpString().c_str(),i->lat,i->lon,x,y,z);
 				return true;
 			} else if ((s_vs_s > 0)&&(s_vs_e > 0))
 				break;
 		}
 	}
 	return false;
 }
 void ClusterGeoIpService::_parseLine(const char *line,std::vector<_V4E> &v4db,std::vector<_V6E> &v6db,int ipStartColumn,int ipEndColumn,int latitudeColumn,int longitudeColumn)
 {
 	std::vector<std::string> ls(OSUtils::split(line,",\t","\\","\"'"));
 	if ( ((ipStartColumn >= 0)&&(ipStartColumn < (int)ls.size()))&&
 	     ((ipEndColumn >= 0)&&(ipEndColumn < (int)ls.size()))&&
 	     ((latitudeColumn >= 0)&&(latitudeColumn < (int)ls.size()))&&
 	     ((longitudeColumn >= 0)&&(longitudeColumn < (int)ls.size())) ) {
 		InetAddress ipStart(ls[ipStartColumn].c_str(),0);
 		InetAddress ipEnd(ls[ipEndColumn].c_str(),0);
 		const double lat = strtod(ls[latitudeColumn].c_str(),(char **)0);
 		const double lon = strtod(ls[longitudeColumn].c_str(),(char **)0);
 		if ((ipStart.ss_family == ipEnd.ss_family)&&(ipStart)&&(ipEnd)&&(std::isfinite(lat))&&(std::isfinite(lon))) {
 			const double latRadians = lat * 0.01745329251994; // PI / 180
 			const double lonRadians = lon * 0.01745329251994; // PI / 180
 			const double cosLat = cos(latRadians);
 			const int x = (int)round((-6371.0) * cosLat * cos(lonRadians)); // 6371 == Earth's approximate radius in kilometers
 			const int y = (int)round(6371.0 * sin(latRadians));
 			const int z = (int)round(6371.0 * cosLat * sin(lonRadians));
 			if (ipStart.ss_family == AF_INET) {
 				v4db.push_back(_V4E());
 				v4db.back().start = Utils::ntoh((uint32_t)(reinterpret_cast<const struct sockaddr_in *>(&ipStart)->sin_addr.s_addr));
 				v4db.back().end = Utils::ntoh((uint32_t)(reinterpret_cast<const struct sockaddr_in *>(&ipEnd)->sin_addr.s_addr));
 				v4db.back().lat = (float)lat;
 				v4db.back().lon = (float)lon;
 				v4db.back().x = x;
 				v4db.back().y = y;
 				v4db.back().z = z;
 				//printf("%s - %s : %d,%d,%d\n",ipStart.toIpString().c_str(),ipEnd.toIpString().c_str(),x,y,z);
 			} else if (ipStart.ss_family == AF_INET6) {
 				v6db.push_back(_V6E());
 				memcpy(v6db.back().start,reinterpret_cast<const struct sockaddr_in6 *>(&ipStart)->sin6_addr.s6_addr,16);
 				memcpy(v6db.back().end,reinterpret_cast<const struct sockaddr_in6 *>(&ipEnd)->sin6_addr.s6_addr,16);
 				v6db.back().lat = (float)lat;
 				v6db.back().lon = (float)lon;
 				v6db.back().x = x;
 				v6db.back().y = y;
 				v6db.back().z = z;
 				//printf("%s - %s : %d,%d,%d\n",ipStart.toIpString().c_str(),ipEnd.toIpString().c_str(),x,y,z);
 			}
 		}
 	}
 }
 long ClusterGeoIpService::_load(const char *pathToCsv,int ipStartColumn,int ipEndColumn,int latitudeColumn,int longitudeColumn)
 {
 	// assumes _lock is locked
 	FILE *f = fopen(pathToCsv,"rb");
 	if (!f)
 		return -1;
 	std::vector<_V4E> v4db;
 	std::vector<_V6E> v6db;
 	v4db.reserve(16777216);
 	v6db.reserve(16777216);
 	char buf[4096];
 	char linebuf[1024];
 	unsigned int lineptr = 0;
 	for(;;) {
 		int n = (int)fread(buf,1,sizeof(buf),f);
 		if (n <= 0)
 			break;
 		for(int i=0;i<n;++i) {
 			if ((buf[i] == '\r')||(buf[i] == '\n')||(buf[i] == (char)0)) {
 				if (lineptr) {
 					linebuf[lineptr] = (char)0;
 					_parseLine(linebuf,v4db,v6db,ipStartColumn,ipEndColumn,latitudeColumn,longitudeColumn);
 				}
 				lineptr = 0;
 			} else if (lineptr < (unsigned int)sizeof(linebuf))
 				linebuf[lineptr++] = buf[i];
 		}
 	}
 	if (lineptr) {
 		linebuf[lineptr] = (char)0;
 		_parseLine(linebuf,v4db,v6db,ipStartColumn,ipEndColumn,latitudeColumn,longitudeColumn);
 	}
 	fclose(f);
 	if ((v4db.size() > 0)||(v6db.size() > 0)) {
 		std::sort(v4db.begin(),v4db.end());
 		std::sort(v6db.begin(),v6db.end());
 		_pathToCsv = pathToCsv;
 		_ipStartColumn = ipStartColumn;
 		_ipEndColumn = ipEndColumn;
 		_latitudeColumn = latitudeColumn;
 		_longitudeColumn = longitudeColumn;
 		_lastFileCheckTime = OSUtils::now();
 		_csvModificationTime = OSUtils::getLastModified(pathToCsv);
 		_csvFileSize = OSUtils::getFileSize(pathToCsv);
 		_v4db.swap(v4db);
 		_v6db.swap(v6db);
 		return (long)(_v4db.size() + _v6db.size());
 	} else {
 		return 0;
 	}
 }
 } // namespace ZeroTier
 #endif // ZT_ENABLE_CLUSTER
 /*
 int main(int argc,char **argv)
 {
 	char buf[1024];
 	ZeroTier::ClusterGeoIpService gip;
 	printf("loading...\n");
 	gip.load("/Users/api/Code/ZeroTier/Infrastructure/root-servers/zerotier-one/cluster-geoip.csv",0,1,5,6);
 	printf("... done!\n"); fflush(stdout);
 	while (gets(buf)) { // unsafe, testing only
 		ZeroTier::InetAddress addr(buf,0);
 		printf("looking up: %s\n",addr.toString().c_str()); fflush(stdout);
 		int x = 0,y = 0,z = 0;
 		if (gip.locate(addr,x,y,z)) {
 			//printf("%s: %d,%d,%d\n",addr.toString().c_str(),x,y,z); fflush(stdout);
 		} else {
 			printf("%s: not found!\n",addr.toString().c_str()); fflush(stdout);
 		}
 	}
 	return 0;
 }
 */
--- a/attic/ClusterGeoIpService.hpp
+++ b/attic/ClusterGeoIpService.hpp
@ -1,151 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2017  ZeroTier, Inc.  https://www.zerotier.com/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * You can be released from the requirements of the license by purchasing
 * a commercial license. Buying such a license is mandatory as soon as you
 * develop commercial closed-source software that incorporates or links
 * directly against ZeroTier software without disclosing the source code
 * of your own application.
 */
 #ifndef ZT_CLUSTERGEOIPSERVICE_HPP
 #define ZT_CLUSTERGEOIPSERVICE_HPP
 #ifdef ZT_ENABLE_CLUSTER
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 #include <vector>
 #include <string>
 #include <algorithm>
 #include "../node/Constants.hpp"
 #include "../node/Mutex.hpp"
 #include "../node/NonCopyable.hpp"
 #include "../node/InetAddress.hpp"
 namespace ZeroTier {
 /**
 * Loads a GeoIP CSV into memory for fast lookup, reloading as needed
 *
 * This was designed around the CSV from https://db-ip.com but can be used
 * with any similar GeoIP CSV database that is presented in the form of an
 * IP range and lat/long coordinates.
 *
 * It loads the whole database into memory, which can be kind of large. If
 * the CSV file changes, the changes are loaded automatically.
 */
 class ClusterGeoIpService : NonCopyable
 {
 public:
 	ClusterGeoIpService();
 	~ClusterGeoIpService();
 	/**
 	 * Load or reload CSV file
 	 *
 	 * CSV column indexes start at zero. CSVs can be quoted with single or
 	 * double quotes. Whitespace before or after commas is ignored. Backslash
 	 * may be used for escaping whitespace as well.
 	 *
 	 * @param pathToCsv Path to (uncompressed) CSV file
 	 * @param ipStartColumn Column with IP range start
 	 * @param ipEndColumn Column with IP range end (inclusive)
 	 * @param latitudeColumn Column with latitude
 	 * @param longitudeColumn Column with longitude
 	 * @return Number of valid records loaded or -1 on error (invalid file, not found, etc.)
 	 */
 	inline long load(const char *pathToCsv,int ipStartColumn,int ipEndColumn,int latitudeColumn,int longitudeColumn)
 	{
 		Mutex::Lock _l(_lock);
 		return _load(pathToCsv,ipStartColumn,ipEndColumn,latitudeColumn,longitudeColumn);
 	}
 	/**
 	 * Attempt to locate an IP
 	 *
 	 * This returns true if x, y, and z are set. If the return value is false
 	 * the values of x, y, and z are undefined.
 	 *
 	 * @param ip IPv4 or IPv6 address
 	 * @param x Reference to variable to receive X
 	 * @param y Reference to variable to receive Y
 	 * @param z Reference to variable to receive Z
 	 * @return True if coordinates were set
 	 */
 	bool locate(const InetAddress &ip,int &x,int &y,int &z);
 	/**
 	 * @return True if IP database/service is available for queries (otherwise locate() will always be false)
 	 */
 	inline bool available() const
 	{
 		Mutex::Lock _l(_lock);
 		return ((_v4db.size() + _v6db.size()) > 0);
 	}
 private:
 	struct _V4E
 	{
 		uint32_t start;
 		uint32_t end;
 		float lat,lon;
 		int16_t x,y,z;
 		inline bool operator<(const _V4E &e) const { return (start < e.start); }
 	};
 	struct _V6E
 	{
 		uint8_t start[16];
 		uint8_t end[16];
 		float lat,lon;
 		int16_t x,y,z;
 		inline bool operator<(const _V6E &e) const { return (memcmp(start,e.start,16) < 0); }
 	};
 	static void _parseLine(const char *line,std::vector<_V4E> &v4db,std::vector<_V6E> &v6db,int ipStartColumn,int ipEndColumn,int latitudeColumn,int longitudeColumn);
 	long _load(const char *pathToCsv,int ipStartColumn,int ipEndColumn,int latitudeColumn,int longitudeColumn);
 	std::string _pathToCsv;
 	int _ipStartColumn;
 	int _ipEndColumn;
 	int _latitudeColumn;
 	int _longitudeColumn;
 	uint64_t _lastFileCheckTime;
 	uint64_t _csvModificationTime;
 	int64_t _csvFileSize;
 	std::vector<_V4E> _v4db;
 	std::vector<_V6E> _v6db;
 	Mutex _lock;
 };
 } // namespace ZeroTier
 #endif // ZT_ENABLE_CLUSTER
 #endif
--- a/attic/FCV.hpp
+++ b/attic/FCV.hpp
@ -1,101 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2018  ZeroTier, Inc.  https://www.zerotier.com/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * You can be released from the requirements of the license by purchasing
 * a commercial license. Buying such a license is mandatory as soon as you
 * develop commercial closed-source software that incorporates or links
 * directly against ZeroTier software without disclosing the source code
 * of your own application.
 */
 #include "Constants.hpp"
 namespace ZeroTier {
 /**
 * A really simple fixed capacity vector
 *
 * This class does no bounds checking, so the user must ensure that
 * no more than C elements are ever added and that accesses are in
 * bounds.
 *
 * @tparam T Type to contain
 * @tparam C Capacity of vector
 */
 template<typename T,unsigned long C>
 class FCV
 {
 public:
 	FCV() : _s(0) {}
 	~FCV() { clear(); }
 	FCV(const FCV &v) :
 		_s(v._s)
 	{
 		for(unsigned long i=0;i<_s;++i) {
 			new (reinterpret_cast<T *>(_mem + (sizeof(T) * i))) T(reinterpret_cast<const T *>(v._mem)[i]);
 		}
 	}
 	inline FCV &operator=(const FCV &v)
 	{
 		clear();
 		_s = v._s;
 		for(unsigned long i=0;i<_s;++i) {
 			new (reinterpret_cast<T *>(_mem + (sizeof(T) * i))) T(reinterpret_cast<const T *>(v._mem)[i]);
 		}
 		return *this;
 	}
 	typedef T * iterator;
 	typedef const T * const_iterator;
 	typedef unsigned long size_type;
 	inline iterator begin() { return (T *)_mem; }
 	inline iterator end() { return (T *)(_mem + (sizeof(T) * _s)); }
 	inline iterator begin() const { return (const T *)_mem; }
 	inline iterator end() const { return (const T *)(_mem + (sizeof(T) * _s)); }
 	inline T &operator[](const size_type i) { return reinterpret_cast<T *>(_mem)[i]; }
 	inline const T &operator[](const size_type i) const { return reinterpret_cast<const T *>(_mem)[i]; }
 	inline T &front() { return reinterpret_cast<T *>(_mem)[0]; }
 	inline const T &front() const { return reinterpret_cast<const T *>(_mem)[0]; }
 	inline T &back() { return reinterpret_cast<T *>(_mem)[_s - 1]; }
 	inline const T &back() const { return reinterpret_cast<const T *>(_mem)[_s - 1]; }
 	inline void push_back(const T &v) { new (reinterpret_cast<T *>(_mem + (sizeof(T) * _s++))) T(v); }
 	inline void pop_back() { reinterpret_cast<T *>(_mem + (sizeof(T) * --_s))->~T(); }
 	inline size_type size() const { return _s; }
 	inline size_type capacity() const { return C; }
 	inline void clear()
 	{
 		for(unsigned long i=0;i<_s;++i)
 			reinterpret_cast<T *>(_mem + (sizeof(T) * i))->~T();
 		_s = 0;
 	}
 private:
 	char _mem[sizeof(T) * C];
 	unsigned long _s;
 };
 } // namespace ZeroTier
--- a/attic/OSXEthernetTap.cpp.pcap-with-bridge-test
+++ b/attic/OSXEthernetTap.cpp.pcap-with-bridge-test
@ -1,650 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2015  ZeroTier, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * ZeroTier may be used and distributed under the terms of the GPLv3, which
 * are available at: http://www.gnu.org/licenses/gpl-3.0.html
 *
 * If you would like to embed ZeroTier into a commercial application or
 * redistribute it in a modified binary form, please contact ZeroTier Networks
 * LLC. Start here: http://www.zerotier.com/
 */
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <unistd.h>
 #include <signal.h>
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/ioctl.h>
 #include <sys/wait.h>
 #include <sys/select.h>
 #include <sys/cdefs.h>
 #include <sys/uio.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <net/route.h>
 #include <net/if.h>
 #include <net/if_arp.h>
 #include <net/if_dl.h>
 #include <net/if_media.h>
 #include <netinet6/in6_var.h>
 #include <netinet/in_var.h>
 #include <netinet/icmp6.h>
 #include <pcap/pcap.h>
 // OSX compile fix... in6_var defines this in a struct which namespaces it for C++ ... why?!?
 struct prf_ra {
 	u_char onlink : 1;
 	u_char autonomous : 1;
 	u_char reserved : 6;
 } prf_ra;
 #include <netinet6/nd6.h>
 #include <ifaddrs.h>
 // These are KERNEL_PRIVATE... why?
 #ifndef SIOCAUTOCONF_START
 #define SIOCAUTOCONF_START _IOWR('i', 132, struct in6_ifreq)    /* accept rtadvd on this interface */
 #endif
 #ifndef SIOCAUTOCONF_STOP
 #define SIOCAUTOCONF_STOP _IOWR('i', 133, struct in6_ifreq)    /* stop accepting rtadv for this interface */
 #endif
 #ifndef ETH_ALEN
 #define ETH_ALEN 6
 #endif
 // --------------------------------------------------------------------------
 // --------------------------------------------------------------------------
 // This source is from:
 // http://www.opensource.apple.com/source/Libinfo/Libinfo-406.17/gen.subproj/getifmaddrs.c?txt
 // It's here because OSX 10.6 does not have this convenience function.
 #define	SALIGN	(sizeof(uint32_t) - 1)
 #define	SA_RLEN(sa)	((sa)->sa_len ? (((sa)->sa_len + SALIGN) & ~SALIGN) : \
 (SALIGN + 1))
 #define	MAX_SYSCTL_TRY	5
 #define	RTA_MASKS	(RTA_GATEWAY | RTA_IFP | RTA_IFA)
 /* FreeBSD uses NET_RT_IFMALIST and RTM_NEWMADDR from <sys/socket.h> */
 /* We can use NET_RT_IFLIST2 and RTM_NEWMADDR2 on Darwin */
 //#define DARWIN_COMPAT
 //#ifdef DARWIN_COMPAT
 #define GIM_SYSCTL_MIB NET_RT_IFLIST2
 #define GIM_RTM_ADDR RTM_NEWMADDR2
 //#else
 //#define GIM_SYSCTL_MIB NET_RT_IFMALIST
 //#define GIM_RTM_ADDR RTM_NEWMADDR
 //#endif
 // Not in 10.6 includes so use our own
 struct _intl_ifmaddrs {
 	struct _intl_ifmaddrs *ifma_next;
 	struct sockaddr *ifma_name;
 	struct sockaddr *ifma_addr;
 	struct sockaddr *ifma_lladdr;
 };
 static inline int _intl_getifmaddrs(struct _intl_ifmaddrs **pif)
 {
 	int icnt = 1;
 	int dcnt = 0;
 	int ntry = 0;
 	size_t len;
 	size_t needed;
 	int mib[6];
 	int i;
 	char *buf;
 	char *data;
 	char *next;
 	char *p;
 	struct ifma_msghdr2 *ifmam;
 	struct _intl_ifmaddrs *ifa, *ift;
 	struct rt_msghdr *rtm;
 	struct sockaddr *sa;
 	mib[0] = CTL_NET;
 	mib[1] = PF_ROUTE;
 	mib[2] = 0;             /* protocol */
 	mib[3] = 0;             /* wildcard address family */
 	mib[4] = GIM_SYSCTL_MIB;
 	mib[5] = 0;             /* no flags */
 	do {
 		if (sysctl(mib, 6, NULL, &needed, NULL, 0) < 0)
 			return (-1);
 		if ((buf = (char *)malloc(needed)) == NULL)
 			return (-1);
 		if (sysctl(mib, 6, buf, &needed, NULL, 0) < 0) {
 			if (errno != ENOMEM || ++ntry >= MAX_SYSCTL_TRY) {
 				free(buf);
 				return (-1);
 			}
 			free(buf);
 			buf = NULL;
 		}
 	} while (buf == NULL);
 	for (next = buf; next < buf + needed; next += rtm->rtm_msglen) {
 		rtm = (struct rt_msghdr *)(void *)next;
 		if (rtm->rtm_version != RTM_VERSION)
 			continue;
 		switch (rtm->rtm_type) {
 			case GIM_RTM_ADDR:
 				ifmam = (struct ifma_msghdr2 *)(void *)rtm;
 				if ((ifmam->ifmam_addrs & RTA_IFA) == 0)
 					break;
 				icnt++;
 				p = (char *)(ifmam + 1);
 				for (i = 0; i < RTAX_MAX; i++) {
 					if ((RTA_MASKS & ifmam->ifmam_addrs &
 						 (1 << i)) == 0)
 						continue;
 					sa = (struct sockaddr *)(void *)p;
 					len = SA_RLEN(sa);
 					dcnt += len;
 					p += len;
 				}
 				break;
 		}
 	}
 	data = (char *)malloc(sizeof(struct _intl_ifmaddrs) * icnt + dcnt);
 	if (data == NULL) {
 		free(buf);
 		return (-1);
 	}
 	ifa = (struct _intl_ifmaddrs *)(void *)data;
 	data += sizeof(struct _intl_ifmaddrs) * icnt;
 	memset(ifa, 0, sizeof(struct _intl_ifmaddrs) * icnt);
 	ift = ifa;
 	for (next = buf; next < buf + needed; next += rtm->rtm_msglen) {
 		rtm = (struct rt_msghdr *)(void *)next;
 		if (rtm->rtm_version != RTM_VERSION)
 			continue;
 		switch (rtm->rtm_type) {
 			case GIM_RTM_ADDR:
 				ifmam = (struct ifma_msghdr2 *)(void *)rtm;
 				if ((ifmam->ifmam_addrs & RTA_IFA) == 0)
 					break;
 				p = (char *)(ifmam + 1);
 				for (i = 0; i < RTAX_MAX; i++) {
 					if ((RTA_MASKS & ifmam->ifmam_addrs &
 						 (1 << i)) == 0)
 						continue;
 					sa = (struct sockaddr *)(void *)p;
 					len = SA_RLEN(sa);
 					switch (i) {
 						case RTAX_GATEWAY:
 							ift->ifma_lladdr =
 							(struct sockaddr *)(void *)data;
 							memcpy(data, p, len);
 							data += len;
 							break;
 						case RTAX_IFP:
 							ift->ifma_name =
 							(struct sockaddr *)(void *)data;
 							memcpy(data, p, len);
 							data += len;
 							break;
 						case RTAX_IFA:
 							ift->ifma_addr =
 							(struct sockaddr *)(void *)data;
 							memcpy(data, p, len);
 							data += len;
 							break;
 						default:
 							data += len;
 							break;
 					}
 					p += len;
 				}
 				ift->ifma_next = ift + 1;
 				ift = ift->ifma_next;
 				break;
 		}
 	}
 	free(buf);
 	if (ift > ifa) {
 		ift--;
 		ift->ifma_next = NULL;
 		*pif = ifa;
 	} else {
 		*pif = NULL;
 		free(ifa);
 	}
 	return (0);
 }
 static inline void _intl_freeifmaddrs(struct _intl_ifmaddrs *ifmp)
 {
 	free(ifmp);
 }
 // --------------------------------------------------------------------------
 // --------------------------------------------------------------------------
 #include <string>
 #include <map>
 #include <set>
 #include <algorithm>
 #include "../node/Constants.hpp"
 #include "../node/Utils.hpp"
 #include "../node/Mutex.hpp"
 #include "../node/Dictionary.hpp"
 #include "OSUtils.hpp"
 #include "OSXEthernetTap.hpp"
 // ff:ff:ff:ff:ff:ff with no ADI
 static const ZeroTier::MulticastGroup _blindWildcardMulticastGroup(ZeroTier::MAC(0xff),0);
 static inline bool _setIpv6Stuff(const char *ifname,bool performNUD,bool acceptRouterAdverts)
 {
 	struct in6_ndireq nd;
 	struct in6_ifreq ifr;
 	int s = socket(AF_INET6,SOCK_DGRAM,0);
 	if (s <= 0)
 		return false;
 	memset(&nd,0,sizeof(nd));
 	strncpy(nd.ifname,ifname,sizeof(nd.ifname));
 	if (ioctl(s,SIOCGIFINFO_IN6,&nd)) {
 		close(s);
 		return false;
 	}
 	unsigned long oldFlags = (unsigned long)nd.ndi.flags;
 	if (performNUD)
 		nd.ndi.flags |= ND6_IFF_PERFORMNUD;
 	else nd.ndi.flags &= ~ND6_IFF_PERFORMNUD;
 	if (oldFlags != (unsigned long)nd.ndi.flags) {
 		if (ioctl(s,SIOCSIFINFO_FLAGS,&nd)) {
 			close(s);
 			return false;
 		}
 	}
 	memset(&ifr,0,sizeof(ifr));
 	strncpy(ifr.ifr_name,ifname,sizeof(ifr.ifr_name));
 	if (ioctl(s,acceptRouterAdverts ? SIOCAUTOCONF_START : SIOCAUTOCONF_STOP,&ifr)) {
 		close(s);
 		return false;
 	}
 	close(s);
 	return true;
 }
 namespace ZeroTier {
 static std::set<std::string> globalDeviceNames;
 static Mutex globalTapCreateLock;
 OSXEthernetTap::OSXEthernetTap(
 	const char *homePath,
 	const MAC &mac,
 	unsigned int mtu,
 	unsigned int metric,
 	uint64_t nwid,
 	const char *friendlyName,
 	void (*handler)(void *,uint64_t,const MAC &,const MAC &,unsigned int,unsigned int,const void *data,unsigned int len),
 	void *arg) :
 	_handler(handler),
 	_arg(arg),
 	_pcap((void *)0),
 	_nwid(nwid),
 	_mac(mac),
 	_homePath(homePath),
 	_mtu(mtu),
 	_metric(metric),
 	_enabled(true)
 {
 	char errbuf[PCAP_ERRBUF_SIZE];
 	char devname[64],ethaddr[64],mtustr[32],metstr[32],nwids[32];
 	Utils::snprintf(nwids,sizeof(nwids),"%.16llx",nwid);
 	if (mtu > 2800)
 		throw std::runtime_error("max tap MTU is 2800");
 	Mutex::Lock _gl(globalTapCreateLock);
 	std::string desiredDevice;
 	Dictionary devmap;
 	{
 		std::string devmapbuf;
 		if (OSUtils::readFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmapbuf)) {
 			devmap.fromString(devmapbuf);
 			desiredDevice = devmap.get(nwids,"");
 		}
 	}
 	if ((desiredDevice.length() >= 9)&&(desiredDevice.substr(0,6) == "bridge")) {
 		// length() >= 9 matches bridge### or bridge####
 		_dev = desiredDevice;
 	} else {
 		if (globalDeviceNames.size() >= (10000 - 128)) // sanity check... this would be nuts
 			throw std::runtime_error("too many devices!");
 		unsigned int pseudoBridgeNo = (unsigned int)((nwid ^ (nwid >> 32)) % (10000 - 128)) + 128; // range: bridge128 to bridge9999
 		sprintf(devname,"bridge%u",pseudoBridgeNo);
 		while (globalDeviceNames.count(std::string(devname)) > 0) {
 			++pseudoBridgeNo;
 			if (pseudoBridgeNo > 9999)
 				pseudoBridgeNo = 64;
 			sprintf(devname,"bridge%u",pseudoBridgeNo);
 		}
 		_dev = devname;
 	}
 	// Configure MAC address and MTU, bring interface up
 	long cpid = (long)vfork();
 	if (cpid == 0) {
 		::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"create",(const char *)0);
 		::_exit(-1);
 	} else if (cpid > 0) {
 		int exitcode = -1;
 		::waitpid(cpid,&exitcode,0);
 		if (exitcode != 0)
 			throw std::runtime_error("ifconfig failure setting link-layer address and activating tap interface");
 	} else throw std::runtime_error("unable to fork()");
 	Utils::snprintf(ethaddr,sizeof(ethaddr),"%.2x:%.2x:%.2x:%.2x:%.2x:%.2x",(int)mac[0],(int)mac[1],(int)mac[2],(int)mac[3],(int)mac[4],(int)mac[5]);
 	Utils::snprintf(mtustr,sizeof(mtustr),"%u",_mtu);
 	Utils::snprintf(metstr,sizeof(metstr),"%u",_metric);
 	cpid = (long)vfork();
 	if (cpid == 0) {
 		::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"lladdr",ethaddr,"mtu",mtustr,"metric",metstr,"up",(const char *)0);
 		::_exit(-1);
 	} else if (cpid > 0) {
 		int exitcode = -1;
 		::waitpid(cpid,&exitcode,0);
 		if (exitcode != 0)
 			throw std::runtime_error("ifconfig failure setting link-layer address and activating tap interface");
 	} else throw std::runtime_error("unable to fork()");
 	_setIpv6Stuff(_dev.c_str(),true,false);
 	_pcap = (void *)pcap_create(_dev.c_str(),errbuf);
 	if (!_pcap) {
 		cpid = (long)vfork();
 		if (cpid == 0) {
 			::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"destroy",(const char *)0);
 			::_exit(-1);
 		} else if (cpid > 0) {
 			int exitcode = -1;
 			::waitpid(cpid,&exitcode,0);
 		}
 		throw std::runtime_error((std::string("pcap_create() on new bridge device failed: ") + errbuf).c_str());
 	}
 	pcap_set_promisc(reinterpret_cast<pcap_t *>(_pcap),1);
 	pcap_set_timeout(reinterpret_cast<pcap_t *>(_pcap),120000);
 	pcap_set_immediate_mode(reinterpret_cast<pcap_t *>(_pcap),1);
 	if (pcap_set_buffer_size(reinterpret_cast<pcap_t *>(_pcap),1024 * 1024 * 16) != 0) // 16MB
 		fprintf(stderr,"WARNING: pcap_set_buffer_size() failed!\n");
 	if (pcap_set_snaplen(reinterpret_cast<pcap_t *>(_pcap),4096) != 0)
 		fprintf(stderr,"WARNING: pcap_set_snaplen() failed!\n");
 	if (pcap_activate(reinterpret_cast<pcap_t *>(_pcap)) != 0) {
 		pcap_close(reinterpret_cast<pcap_t *>(_pcap));
 		cpid = (long)vfork();
 		if (cpid == 0) {
 			::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"destroy",(const char *)0);
 			::_exit(-1);
 		} else if (cpid > 0) {
 			int exitcode = -1;
 			::waitpid(cpid,&exitcode,0);
 		}
 		throw std::runtime_error("pcap_activate() on new bridge device failed.");
 	}
 	globalDeviceNames.insert(_dev);
 	devmap[nwids] = _dev;
 	OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmap.toString());
 	_thread = Thread::start(this);
 }
 OSXEthernetTap::~OSXEthernetTap()
 {
 	_enabled = false;
 	Mutex::Lock _gl(globalTapCreateLock);
 	globalDeviceNames.erase(_dev);
 	long cpid = (long)vfork();
 	if (cpid == 0) {
 		::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"destroy",(const char *)0);
 		::_exit(-1);
 	} else if (cpid > 0) {
 		int exitcode = -1;
 		::waitpid(cpid,&exitcode,0);
 		if (exitcode == 0) {
 			// Destroying the interface nukes pcap and terminates the thread.
 			Thread::join(_thread);
 		}
 	}
 	pcap_close(reinterpret_cast<pcap_t *>(_pcap));
 }
 static bool ___removeIp(const std::string &_dev,const InetAddress &ip)
 {
 	long cpid = (long)vfork();
 	if (cpid == 0) {
 		execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"inet",ip.toIpString().c_str(),"-alias",(const char *)0);
 		_exit(-1);
 	} else if (cpid > 0) {
 		int exitcode = -1;
 		waitpid(cpid,&exitcode,0);
 		return (exitcode == 0);
 	}
 	return false; // never reached, make compiler shut up about return value
 }
 bool OSXEthernetTap::addIp(const InetAddress &ip)
 {
 	if (!ip)
 		return false;
 	std::vector<InetAddress> allIps(ips());
 	if (std::binary_search(allIps.begin(),allIps.end(),ip))
 		return true;
 	// Remove and reconfigure if address is the same but netmask is different
 	for(std::vector<InetAddress>::iterator i(allIps.begin());i!=allIps.end();++i) {
 		if ((i->ipsEqual(ip))&&(i->netmaskBits() != ip.netmaskBits())) {
 			if (___removeIp(_dev,*i))
 				break;
 		}
 	}
 	long cpid = (long)vfork();
 	if (cpid == 0) {
 		::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),ip.isV4() ? "inet" : "inet6",ip.toString().c_str(),"alias",(const char *)0);
 		::_exit(-1);
 	} else if (cpid > 0) {
 		int exitcode = -1;
 		::waitpid(cpid,&exitcode,0);
 		return (exitcode == 0);
 	} // else return false...
 	return false;
 }
 bool OSXEthernetTap::removeIp(const InetAddress &ip)
 {
 	if (!ip)
 		return true;
 	std::vector<InetAddress> allIps(ips());
 	if (!std::binary_search(allIps.begin(),allIps.end(),ip)) {
 		if (___removeIp(_dev,ip))
 			return true;
 	}
 	return false;
 }
 std::vector<InetAddress> OSXEthernetTap::ips() const
 {
 	struct ifaddrs *ifa = (struct ifaddrs *)0;
 	if (getifaddrs(&ifa))
 		return std::vector<InetAddress>();
 	std::vector<InetAddress> r;
 	struct ifaddrs *p = ifa;
 	while (p) {
 		if ((!strcmp(p->ifa_name,_dev.c_str()))&&(p->ifa_addr)&&(p->ifa_netmask)&&(p->ifa_addr->sa_family == p->ifa_netmask->sa_family)) {
 			switch(p->ifa_addr->sa_family) {
 				case AF_INET: {
 					struct sockaddr_in *sin = (struct sockaddr_in *)p->ifa_addr;
 					struct sockaddr_in *nm = (struct sockaddr_in *)p->ifa_netmask;
 					r.push_back(InetAddress(&(sin->sin_addr.s_addr),4,Utils::countBits((uint32_t)nm->sin_addr.s_addr)));
 				}	break;
 				case AF_INET6: {
 					struct sockaddr_in6 *sin = (struct sockaddr_in6 *)p->ifa_addr;
 					struct sockaddr_in6 *nm = (struct sockaddr_in6 *)p->ifa_netmask;
 					uint32_t b[4];
 					memcpy(b,nm->sin6_addr.s6_addr,sizeof(b));
 					r.push_back(InetAddress(sin->sin6_addr.s6_addr,16,Utils::countBits(b[0]) + Utils::countBits(b[1]) + Utils::countBits(b[2]) + Utils::countBits(b[3])));
 				}	break;
 			}
 		}
 		p = p->ifa_next;
 	}
 	if (ifa)
 		freeifaddrs(ifa);
 	std::sort(r.begin(),r.end());
 	std::unique(r.begin(),r.end());
 	return r;
 }
 void OSXEthernetTap::put(const MAC &from,const MAC &to,unsigned int etherType,const void *data,unsigned int len)
 {
 	char putBuf[4096];
 	if ((len <= _mtu)&&(_enabled)) {
 		to.copyTo(putBuf,6);
 		from.copyTo(putBuf + 6,6);
 		*((uint16_t *)(putBuf + 12)) = htons((uint16_t)etherType);
 		memcpy(putBuf + 14,data,len);
 		len += 14;
 		int r = pcap_inject(reinterpret_cast<pcap_t *>(_pcap),putBuf,len);
 		if (r <= 0) {
 			printf("%s: pcap_inject() failed\n",_dev.c_str());
 			return;
 		}
 		printf("%s: inject %s -> %s etherType==%u len=%u r==%d\n",_dev.c_str(),from.toString().c_str(),to.toString().c_str(),etherType,len,r);
 	}
 }
 std::string OSXEthernetTap::deviceName() const
 {
 	return _dev;
 }
 void OSXEthernetTap::setFriendlyName(const char *friendlyName)
 {
 }
 void OSXEthernetTap::scanMulticastGroups(std::vector<MulticastGroup> &added,std::vector<MulticastGroup> &removed)
 {
 	std::vector<MulticastGroup> newGroups;
 	struct _intl_ifmaddrs *ifmap = (struct _intl_ifmaddrs *)0;
 	if (!_intl_getifmaddrs(&ifmap)) {
 		struct _intl_ifmaddrs *p = ifmap;
 		while (p) {
 			if (p->ifma_addr->sa_family == AF_LINK) {
 				struct sockaddr_dl *in = (struct sockaddr_dl *)p->ifma_name;
 				struct sockaddr_dl *la = (struct sockaddr_dl *)p->ifma_addr;
 				if ((la->sdl_alen == 6)&&(in->sdl_nlen <= _dev.length())&&(!memcmp(_dev.data(),in->sdl_data,in->sdl_nlen)))
 					newGroups.push_back(MulticastGroup(MAC(la->sdl_data + la->sdl_nlen,6),0));
 			}
 			p = p->ifma_next;
 		}
 		_intl_freeifmaddrs(ifmap);
 	}
 	std::vector<InetAddress> allIps(ips());
 	for(std::vector<InetAddress>::iterator ip(allIps.begin());ip!=allIps.end();++ip)
 		newGroups.push_back(MulticastGroup::deriveMulticastGroupForAddressResolution(*ip));
 	std::sort(newGroups.begin(),newGroups.end());
 	std::unique(newGroups.begin(),newGroups.end());
 	for(std::vector<MulticastGroup>::iterator m(newGroups.begin());m!=newGroups.end();++m) {
 		if (!std::binary_search(_multicastGroups.begin(),_multicastGroups.end(),*m))
 			added.push_back(*m);
 	}
 	for(std::vector<MulticastGroup>::iterator m(_multicastGroups.begin());m!=_multicastGroups.end();++m) {
 		if (!std::binary_search(newGroups.begin(),newGroups.end(),*m))
 			removed.push_back(*m);
 	}
 	_multicastGroups.swap(newGroups);
 }
 static void _pcapHandler(u_char *ptr,const struct pcap_pkthdr *hdr,const u_char *data)
 {
 	OSXEthernetTap *tap = reinterpret_cast<OSXEthernetTap *>(ptr);
 	if (hdr->caplen > 14) {
 		MAC to(data,6);
 		MAC from(data + 6,6);
 		if (from == tap->_mac) {
 			unsigned int etherType = ntohs(((const uint16_t *)data)[6]);
 			printf("%s: %s -> %s etherType==%u len==%u\n",tap->_dev.c_str(),from.toString().c_str(),to.toString().c_str(),etherType,(unsigned int)hdr->caplen);
 			// TODO: VLAN support
 			tap->_handler(tap->_arg,tap->_nwid,from,to,etherType,0,(const void *)(data + 14),hdr->len - 14);
 		}
 	}
 }
 void OSXEthernetTap::threadMain()
 	throw()
 {
 	pcap_loop(reinterpret_cast<pcap_t *>(_pcap),-1,&_pcapHandler,reinterpret_cast<u_char *>(this));
 }
 } // namespace ZeroTier
--- a/attic/OSXEthernetTap.cpp.utun-work-in-progress
+++ b/attic/OSXEthernetTap.cpp.utun-work-in-progress
@ -1,831 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2015  ZeroTier, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * ZeroTier may be used and distributed under the terms of the GPLv3, which
 * are available at: http://www.gnu.org/licenses/gpl-3.0.html
 *
 * If you would like to embed ZeroTier into a commercial application or
 * redistribute it in a modified binary form, please contact ZeroTier Networks
 * LLC. Start here: http://www.zerotier.com/
 */
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <unistd.h>
 #include <signal.h>
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/ioctl.h>
 #include <sys/wait.h>
 #include <sys/select.h>
 #include <sys/cdefs.h>
 #include <sys/uio.h>
 #include <sys/param.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <sys/sys_domain.h>
 #include <sys/kern_control.h>
 #include <net/if_utun.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <net/route.h>
 #include <net/if.h>
 #include <net/if_arp.h>
 #include <net/if_dl.h>
 #include <net/if_media.h>
 #include <netinet6/in6_var.h>
 #include <netinet/in_var.h>
 #include <netinet/icmp6.h>
 // OSX compile fix... in6_var defines this in a struct which namespaces it for C++ ... why?!?
 struct prf_ra {
 	u_char onlink : 1;
 	u_char autonomous : 1;
 	u_char reserved : 6;
 } prf_ra;
 #include <netinet6/nd6.h>
 #include <ifaddrs.h>
 // These are KERNEL_PRIVATE... why?
 #ifndef SIOCAUTOCONF_START
 #define SIOCAUTOCONF_START _IOWR('i', 132, struct in6_ifreq)    /* accept rtadvd on this interface */
 #endif
 #ifndef SIOCAUTOCONF_STOP
 #define SIOCAUTOCONF_STOP _IOWR('i', 133, struct in6_ifreq)    /* stop accepting rtadv for this interface */
 #endif
 // --------------------------------------------------------------------------
 // --------------------------------------------------------------------------
 // This source is from:
 // http://www.opensource.apple.com/source/Libinfo/Libinfo-406.17/gen.subproj/getifmaddrs.c?txt
 // It's here because OSX 10.6 does not have this convenience function.
 #define	SALIGN	(sizeof(uint32_t) - 1)
 #define	SA_RLEN(sa)	((sa)->sa_len ? (((sa)->sa_len + SALIGN) & ~SALIGN) : \
 (SALIGN + 1))
 #define	MAX_SYSCTL_TRY	5
 #define	RTA_MASKS	(RTA_GATEWAY | RTA_IFP | RTA_IFA)
 /* FreeBSD uses NET_RT_IFMALIST and RTM_NEWMADDR from <sys/socket.h> */
 /* We can use NET_RT_IFLIST2 and RTM_NEWMADDR2 on Darwin */
 //#define DARWIN_COMPAT
 //#ifdef DARWIN_COMPAT
 #define GIM_SYSCTL_MIB NET_RT_IFLIST2
 #define GIM_RTM_ADDR RTM_NEWMADDR2
 //#else
 //#define GIM_SYSCTL_MIB NET_RT_IFMALIST
 //#define GIM_RTM_ADDR RTM_NEWMADDR
 //#endif
 // Not in 10.6 includes so use our own
 struct _intl_ifmaddrs {
 	struct _intl_ifmaddrs *ifma_next;
 	struct sockaddr *ifma_name;
 	struct sockaddr *ifma_addr;
 	struct sockaddr *ifma_lladdr;
 };
 static inline int _intl_getifmaddrs(struct _intl_ifmaddrs **pif)
 {
 	int icnt = 1;
 	int dcnt = 0;
 	int ntry = 0;
 	size_t len;
 	size_t needed;
 	int mib[6];
 	int i;
 	char *buf;
 	char *data;
 	char *next;
 	char *p;
 	struct ifma_msghdr2 *ifmam;
 	struct _intl_ifmaddrs *ifa, *ift;
 	struct rt_msghdr *rtm;
 	struct sockaddr *sa;
 	mib[0] = CTL_NET;
 	mib[1] = PF_ROUTE;
 	mib[2] = 0;             /* protocol */
 	mib[3] = 0;             /* wildcard address family */
 	mib[4] = GIM_SYSCTL_MIB;
 	mib[5] = 0;             /* no flags */
 	do {
 		if (sysctl(mib, 6, NULL, &needed, NULL, 0) < 0)
 			return (-1);
 		if ((buf = (char *)malloc(needed)) == NULL)
 			return (-1);
 		if (sysctl(mib, 6, buf, &needed, NULL, 0) < 0) {
 			if (errno != ENOMEM || ++ntry >= MAX_SYSCTL_TRY) {
 				free(buf);
 				return (-1);
 			}
 			free(buf);
 			buf = NULL;
 		}
 	} while (buf == NULL);
 	for (next = buf; next < buf + needed; next += rtm->rtm_msglen) {
 		rtm = (struct rt_msghdr *)(void *)next;
 		if (rtm->rtm_version != RTM_VERSION)
 			continue;
 		switch (rtm->rtm_type) {
 			case GIM_RTM_ADDR:
 				ifmam = (struct ifma_msghdr2 *)(void *)rtm;
 				if ((ifmam->ifmam_addrs & RTA_IFA) == 0)
 					break;
 				icnt++;
 				p = (char *)(ifmam + 1);
 				for (i = 0; i < RTAX_MAX; i++) {
 					if ((RTA_MASKS & ifmam->ifmam_addrs &
 						 (1 << i)) == 0)
 						continue;
 					sa = (struct sockaddr *)(void *)p;
 					len = SA_RLEN(sa);
 					dcnt += len;
 					p += len;
 				}
 				break;
 		}
 	}
 	data = (char *)malloc(sizeof(struct _intl_ifmaddrs) * icnt + dcnt);
 	if (data == NULL) {
 		free(buf);
 		return (-1);
 	}
 	ifa = (struct _intl_ifmaddrs *)(void *)data;
 	data += sizeof(struct _intl_ifmaddrs) * icnt;
 	memset(ifa, 0, sizeof(struct _intl_ifmaddrs) * icnt);
 	ift = ifa;
 	for (next = buf; next < buf + needed; next += rtm->rtm_msglen) {
 		rtm = (struct rt_msghdr *)(void *)next;
 		if (rtm->rtm_version != RTM_VERSION)
 			continue;
 		switch (rtm->rtm_type) {
 			case GIM_RTM_ADDR:
 				ifmam = (struct ifma_msghdr2 *)(void *)rtm;
 				if ((ifmam->ifmam_addrs & RTA_IFA) == 0)
 					break;
 				p = (char *)(ifmam + 1);
 				for (i = 0; i < RTAX_MAX; i++) {
 					if ((RTA_MASKS & ifmam->ifmam_addrs &
 						 (1 << i)) == 0)
 						continue;
 					sa = (struct sockaddr *)(void *)p;
 					len = SA_RLEN(sa);
 					switch (i) {
 						case RTAX_GATEWAY:
 							ift->ifma_lladdr =
 							(struct sockaddr *)(void *)data;
 							memcpy(data, p, len);
 							data += len;
 							break;
 						case RTAX_IFP:
 							ift->ifma_name =
 							(struct sockaddr *)(void *)data;
 							memcpy(data, p, len);
 							data += len;
 							break;
 						case RTAX_IFA:
 							ift->ifma_addr =
 							(struct sockaddr *)(void *)data;
 							memcpy(data, p, len);
 							data += len;
 							break;
 						default:
 							data += len;
 							break;
 					}
 					p += len;
 				}
 				ift->ifma_next = ift + 1;
 				ift = ift->ifma_next;
 				break;
 		}
 	}
 	free(buf);
 	if (ift > ifa) {
 		ift--;
 		ift->ifma_next = NULL;
 		*pif = ifa;
 	} else {
 		*pif = NULL;
 		free(ifa);
 	}
 	return (0);
 }
 static inline void _intl_freeifmaddrs(struct _intl_ifmaddrs *ifmp)
 {
 	free(ifmp);
 }
 // --------------------------------------------------------------------------
 // --------------------------------------------------------------------------
 #include <string>
 #include <map>
 #include <set>
 #include <algorithm>
 #include "../node/Constants.hpp"
 #include "../node/Utils.hpp"
 #include "../node/Mutex.hpp"
 #include "../node/Dictionary.hpp"
 #include "Arp.hpp"
 #include "OSUtils.hpp"
 #include "OSXEthernetTap.hpp"
 // ff:ff:ff:ff:ff:ff with no ADI
 static const ZeroTier::MulticastGroup _blindWildcardMulticastGroup(ZeroTier::MAC(0xff),0);
 static inline bool _setIpv6Stuff(const char *ifname,bool performNUD,bool acceptRouterAdverts)
 {
 	struct in6_ndireq nd;
 	struct in6_ifreq ifr;
 	int s = socket(AF_INET6,SOCK_DGRAM,0);
 	if (s <= 0)
 		return false;
 	memset(&nd,0,sizeof(nd));
 	strncpy(nd.ifname,ifname,sizeof(nd.ifname));
 	if (ioctl(s,SIOCGIFINFO_IN6,&nd)) {
 		close(s);
 		return false;
 	}
 	unsigned long oldFlags = (unsigned long)nd.ndi.flags;
 	if (performNUD)
 		nd.ndi.flags |= ND6_IFF_PERFORMNUD;
 	else nd.ndi.flags &= ~ND6_IFF_PERFORMNUD;
 	if (oldFlags != (unsigned long)nd.ndi.flags) {
 		if (ioctl(s,SIOCSIFINFO_FLAGS,&nd)) {
 			close(s);
 			return false;
 		}
 	}
 	memset(&ifr,0,sizeof(ifr));
 	strncpy(ifr.ifr_name,ifname,sizeof(ifr.ifr_name));
 	if (ioctl(s,acceptRouterAdverts ? SIOCAUTOCONF_START : SIOCAUTOCONF_STOP,&ifr)) {
 		close(s);
 		return false;
 	}
 	close(s);
 	return true;
 }
 // Create an OSX-native utun device (utun# where # is desiredNumber)
 // Adapted from public domain utun example code by Jonathan Levin
 static int _make_utun(int desiredNumber)
 {
 	struct sockaddr_ctl sc;
 	struct ctl_info ctlInfo;
 	struct ifreq ifr;
 	memset(&ctlInfo, 0, sizeof(ctlInfo));
 	if (strlcpy(ctlInfo.ctl_name, UTUN_CONTROL_NAME, sizeof(ctlInfo.ctl_name)) >= sizeof(ctlInfo.ctl_name)) {
 		return -1;
 	}
 	int fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
 	if (fd == -1)
 		return -1;
 	if (ioctl(fd, CTLIOCGINFO, &ctlInfo) == -1) {
 		close(fd);
 		return -1;
 	}
 	sc.sc_id = ctlInfo.ctl_id;
 	sc.sc_len = sizeof(sc);
 	sc.sc_family = AF_SYSTEM;
 	sc.ss_sysaddr = AF_SYS_CONTROL;
 	sc.sc_unit = desiredNumber + 1;
 	if (connect(fd, (struct sockaddr *)&sc, sizeof(sc)) == -1) {
 		close(fd);
 		return -1;
 	}
 	memset(&ifr,0,sizeof(ifr));
 	sprintf(ifr.ifr_name,"utun%d",desiredNumber);
 	if (ioctl(fd,SIOCGIFFLAGS,(void *)&ifr) < 0) {
 		printf("SIOCGIFFLAGS failed\n");
 	}
 	ifr.ifr_flags &= ~IFF_POINTOPOINT;
 	if (ioctl(fd,SIOCSIFFLAGS,(void *)&ifr) < 0) {
 		printf("clear IFF_POINTOPOINT failed\n");
 	}
 	return fd;
 }
 namespace ZeroTier {
 static long globalTapsRunning = 0;
 static Mutex globalTapCreateLock;
 OSXEthernetTap::OSXEthernetTap(
 	const char *homePath,
 	const MAC &mac,
 	unsigned int mtu,
 	unsigned int metric,
 	uint64_t nwid,
 	const char *friendlyName,
 	void (*handler)(void *,uint64_t,const MAC &,const MAC &,unsigned int,unsigned int,const void *data,unsigned int len),
 	void *arg) :
 	_handler(handler),
 	_arg(arg),
 	_arp((Arp *)0),
 	_nwid(nwid),
 	_homePath(homePath),
 	_mtu(mtu),
 	_metric(metric),
 	_fd(0),
 	_utun(false),
 	_enabled(true)
 {
 	char devpath[64],ethaddr[64],mtustr[32],metstr[32],nwids[32];
 	struct stat stattmp;
 	Utils::snprintf(nwids,sizeof(nwids),"%.16llx",nwid);
 	if (mtu > 2800)
 		throw std::runtime_error("max tap MTU is 2800");
 	Mutex::Lock _gl(globalTapCreateLock);
 	// Read remembered previous device name, if any -- we'll try to reuse
 	Dictionary devmap;
 	std::string desiredDevice;
 	{
 		std::string devmapbuf;
 		if (OSUtils::readFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmapbuf)) {
 			devmap.fromString(devmapbuf);
 			desiredDevice = devmap.get(nwids,"");
 		}
 	}
 	if (::stat((_homePath + ZT_PATH_SEPARATOR_S + "tap.kext").c_str(),&stattmp) == 0) {
 		// Try to init kext if it's there, otherwise revert to utun mode
 		if (::stat("/dev/zt0",&stattmp)) {
 			long kextpid = (long)vfork();
 			if (kextpid == 0) {
 				::chdir(homePath);
 				OSUtils::redirectUnixOutputs("/dev/null",(const char *)0);
 				::execl("/sbin/kextload","/sbin/kextload","-q","-repository",homePath,"tap.kext",(const char *)0);
 				::_exit(-1);
 			} else if (kextpid > 0) {
 				int exitcode = -1;
 				::waitpid(kextpid,&exitcode,0);
 			}
 			::usleep(500); // give tap device driver time to start up and try again
 			if (::stat("/dev/zt0",&stattmp))
 				_utun = true;
 		}
 		if (!_utun) {
 			// See if we can re-use the last device we had.
 			bool recalledDevice = false;
 			if (desiredDevice.length() > 2) {
 				Utils::snprintf(devpath,sizeof(devpath),"/dev/%s",desiredDevice.c_str());
 				if (stat(devpath,&stattmp) == 0) {
 					_fd = ::open(devpath,O_RDWR);
 					if (_fd > 0) {
 						_dev = desiredDevice;
 						recalledDevice = true;
 					}
 				}
 			}
 			// Open the first unused tap device if we didn't recall a previous one.
 			if (!recalledDevice) {
 				for(int i=0;i<64;++i) {
 					Utils::snprintf(devpath,sizeof(devpath),"/dev/zt%d",i);
 					if (stat(devpath,&stattmp)) {
 						_utun = true;
 						break;
 					}
 					_fd = ::open(devpath,O_RDWR);
 					if (_fd > 0) {
 						char foo[16];
 						Utils::snprintf(foo,sizeof(foo),"zt%d",i);
 						_dev = foo;
 						break;
 					}
 				}
 			}
 			if (_fd <= 0)
 				_utun = true;
 		}
 	} else {
 		_utun = true;
 	}
 	if (_utun) {
 		// Use OSX built-in utun device if kext is not available or doesn't work
 		int utunNo = 0;
 		if ((desiredDevice.length() > 4)&&(desiredDevice.substr(0,4) == "utun")) {
 			utunNo = Utils::strToInt(desiredDevice.substr(4).c_str());
 			if (utunNo >= 0)
 				_fd = _make_utun(utunNo);
 		}
 		if (_fd <= 0) {
 			// Start at utun8 to leave lower utuns unused since other stuff might
 			// want them -- OpenVPN, cjdns, etc. I'm not sure if those are smart
 			// enough to scan upward like this.
 			for(utunNo=8;utunNo<=256;++utunNo) {
 				if ((_fd = _make_utun(utunNo)) > 0)
 					break;
 			}
 		}
 		if (_fd <= 0)
 			throw std::runtime_error("unable to find/load ZeroTier tap driver OR use built-in utun driver in OSX; permission or system problem or too many open devices?");
 		Utils::snprintf(devpath,sizeof(devpath),"utun%d",utunNo);
 		_dev = devpath;
 		// Configure address and bring it up
 		Utils::snprintf(mtustr,sizeof(mtustr),"%u",_mtu);
 		Utils::snprintf(metstr,sizeof(metstr),"%u",_metric);
 		long cpid = (long)vfork();
 		if (cpid == 0) {
 			::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"mtu",mtustr,"metric",metstr,"up",(const char *)0);
 			::_exit(-1);
 		} else if (cpid > 0) {
 			int exitcode = -1;
 			::waitpid(cpid,&exitcode,0);
 			if (exitcode) {
 				::close(_fd);
 				throw std::runtime_error("ifconfig failure activating utun interface");
 			}
 		}
 	} else {
 		// Use our ZeroTier OSX tun/tap driver for zt# Ethernet tap device
 		if (fcntl(_fd,F_SETFL,fcntl(_fd,F_GETFL) & ~O_NONBLOCK) == -1) {
 			::close(_fd);
 			throw std::runtime_error("unable to set flags on file descriptor for TAP device");
 		}
 		// Configure MAC address and MTU, bring interface up
 		Utils::snprintf(ethaddr,sizeof(ethaddr),"%.2x:%.2x:%.2x:%.2x:%.2x:%.2x",(int)mac[0],(int)mac[1],(int)mac[2],(int)mac[3],(int)mac[4],(int)mac[5]);
 		Utils::snprintf(mtustr,sizeof(mtustr),"%u",_mtu);
 		Utils::snprintf(metstr,sizeof(metstr),"%u",_metric);
 		long cpid = (long)vfork();
 		if (cpid == 0) {
 			::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"lladdr",ethaddr,"mtu",mtustr,"metric",metstr,"up",(const char *)0);
 			::_exit(-1);
 		} else if (cpid > 0) {
 			int exitcode = -1;
 			::waitpid(cpid,&exitcode,0);
 			if (exitcode) {
 				::close(_fd);
 				throw std::runtime_error("ifconfig failure setting link-layer address and activating tap interface");
 			}
 		}
 		_setIpv6Stuff(_dev.c_str(),true,false);
 	}
 	// Set close-on-exec so that devices cannot persist if we fork/exec for update
 	fcntl(_fd,F_SETFD,fcntl(_fd,F_GETFD) | FD_CLOEXEC);
 	::pipe(_shutdownSignalPipe);
 	++globalTapsRunning;
 	devmap[nwids] = _dev;
 	OSUtils::writeFile((_homePath + ZT_PATH_SEPARATOR_S + "devicemap").c_str(),devmap.toString());
 	_thread = Thread::start(this);
 }
 OSXEthernetTap::~OSXEthernetTap()
 {
 	Mutex::Lock _gl(globalTapCreateLock);
 	::write(_shutdownSignalPipe[1],(const void *)this,1); // writing a byte causes thread to exit
 	Thread::join(_thread);
 	::close(_fd);
 	::close(_shutdownSignalPipe[0]);
 	::close(_shutdownSignalPipe[1]);
 	if (_utun) {
 		delete _arp;
 	} else {
 		if (--globalTapsRunning <= 0) {
 			globalTapsRunning = 0; // sanity check -- should not be possible
 			char tmp[16384];
 			sprintf(tmp,"%s/%s",_homePath.c_str(),"tap.kext");
 			long kextpid = (long)vfork();
 			if (kextpid == 0) {
 				OSUtils::redirectUnixOutputs("/dev/null",(const char *)0);
 				::execl("/sbin/kextunload","/sbin/kextunload",tmp,(const char *)0);
 				::_exit(-1);
 			} else if (kextpid > 0) {
 				int exitcode = -1;
 				::waitpid(kextpid,&exitcode,0);
 			}
 		}
 	}
 }
 void OSXEthernetTap::setEnabled(bool en)
 {
 	_enabled = en;
 	// TODO: interface status change
 }
 bool OSXEthernetTap::enabled() const
 {
 	return _enabled;
 }
 static bool ___removeIp(const std::string &_dev,const InetAddress &ip)
 {
 	long cpid = (long)vfork();
 	if (cpid == 0) {
 		execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"inet",ip.toIpString().c_str(),"-alias",(const char *)0);
 		_exit(-1);
 	} else if (cpid > 0) {
 		int exitcode = -1;
 		waitpid(cpid,&exitcode,0);
 		return (exitcode == 0);
 	}
 	return false; // never reached, make compiler shut up about return value
 }
 bool OSXEthernetTap::addIp(const InetAddress &ip)
 {
 	if (!ip)
 		return false;
 	std::vector<InetAddress> allIps(ips());
 	if (std::binary_search(allIps.begin(),allIps.end(),ip))
 		return true;
 	// Remove and reconfigure if address is the same but netmask is different
 	for(std::vector<InetAddress>::iterator i(allIps.begin());i!=allIps.end();++i) {
 		if ((i->ipsEqual(ip))&&(i->netmaskBits() != ip.netmaskBits())) {
 			if (___removeIp(_dev,*i))
 				break;
 		}
 	}
 	if (_utun) {
 		long cpid = (long)vfork();
 		if (cpid == 0) {
 			if (ip.ss_family == AF_INET6) {
 				::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),"inet6",ip.toString().c_str(),"alias",(const char *)0);
 			} else {
 				::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),ip.toString().c_str(),ip.toIpString().c_str(),"alias",(const char *)0);
 			}
 			::_exit(-1);
 		} else if (cpid > 0) {
 			int exitcode = -1;
 			::waitpid(cpid,&exitcode,0);
 			if (exitcode == 0) {
 				if (ip.ss_family == AF_INET) {
 					// Add route to network over tun for IPv4 -- otherwise it behaves
 					// as a simple point to point tunnel instead of a true route.
 					cpid = (long)vfork();
 					if (cpid == 0) {
 						::close(STDERR_FILENO);
 						::close(STDOUT_FILENO);
 						::execl("/sbin/route","/sbin/route","add",ip.network().toString().c_str(),ip.toIpString().c_str(),(const char *)0);
 						::exit(-1);
 					} else if (cpid > 0) {
 						int exitcode = -1;
 						::waitpid(cpid,&exitcode,0);
 						return (exitcode == 0);
 					}
 				} else return true;
 			}
 		}
 	} else {
 		long cpid = (long)vfork();
 		if (cpid == 0) {
 			::execl("/sbin/ifconfig","/sbin/ifconfig",_dev.c_str(),ip.isV4() ? "inet" : "inet6",ip.toString().c_str(),"alias",(const char *)0);
 			::_exit(-1);
 		} else if (cpid > 0) {
 			int exitcode = -1;
 			::waitpid(cpid,&exitcode,0);
 			return (exitcode == 0);
 		}
 	}
 	return false;
 }
 bool OSXEthernetTap::removeIp(const InetAddress &ip)
 {
 	if (!ip)
 		return true;
 	std::vector<InetAddress> allIps(ips());
 	if (!std::binary_search(allIps.begin(),allIps.end(),ip)) {
 		if (___removeIp(_dev,ip))
 			return true;
 	}
 	return false;
 }
 std::vector<InetAddress> OSXEthernetTap::ips() const
 {
 	struct ifaddrs *ifa = (struct ifaddrs *)0;
 	if (getifaddrs(&ifa))
 		return std::vector<InetAddress>();
 	std::vector<InetAddress> r;
 	struct ifaddrs *p = ifa;
 	while (p) {
 		if ((!strcmp(p->ifa_name,_dev.c_str()))&&(p->ifa_addr)&&(p->ifa_netmask)&&(p->ifa_addr->sa_family == p->ifa_netmask->sa_family)) {
 			switch(p->ifa_addr->sa_family) {
 				case AF_INET: {
 					struct sockaddr_in *sin = (struct sockaddr_in *)p->ifa_addr;
 					struct sockaddr_in *nm = (struct sockaddr_in *)p->ifa_netmask;
 					r.push_back(InetAddress(&(sin->sin_addr.s_addr),4,Utils::countBits((uint32_t)nm->sin_addr.s_addr)));
 				}	break;
 				case AF_INET6: {
 					struct sockaddr_in6 *sin = (struct sockaddr_in6 *)p->ifa_addr;
 					struct sockaddr_in6 *nm = (struct sockaddr_in6 *)p->ifa_netmask;
 					uint32_t b[4];
 					memcpy(b,nm->sin6_addr.s6_addr,sizeof(b));
 					r.push_back(InetAddress(sin->sin6_addr.s6_addr,16,Utils::countBits(b[0]) + Utils::countBits(b[1]) + Utils::countBits(b[2]) + Utils::countBits(b[3])));
 				}	break;
 			}
 		}
 		p = p->ifa_next;
 	}
 	if (ifa)
 		freeifaddrs(ifa);
 	std::sort(r.begin(),r.end());
 	std::unique(r.begin(),r.end());
 	return r;
 }
 void OSXEthernetTap::put(const MAC &from,const MAC &to,unsigned int etherType,const void *data,unsigned int len)
 {
 	char putBuf[4096];
 	if ((_fd > 0)&&(len <= _mtu)&&(_enabled)) {
 		to.copyTo(putBuf,6);
 		from.copyTo(putBuf + 6,6);
 		*((uint16_t *)(putBuf + 12)) = htons((uint16_t)etherType);
 		memcpy(putBuf + 14,data,len);
 		len += 14;
 		::write(_fd,putBuf,len);
 	}
 }
 std::string OSXEthernetTap::deviceName() const
 {
 	return _dev;
 }
 void OSXEthernetTap::setFriendlyName(const char *friendlyName)
 {
 }
 void OSXEthernetTap::scanMulticastGroups(std::vector<MulticastGroup> &added,std::vector<MulticastGroup> &removed)
 {
 	std::vector<MulticastGroup> newGroups;
 	struct _intl_ifmaddrs *ifmap = (struct _intl_ifmaddrs *)0;
 	if (!_intl_getifmaddrs(&ifmap)) {
 		struct _intl_ifmaddrs *p = ifmap;
 		while (p) {
 			if (p->ifma_addr->sa_family == AF_LINK) {
 				struct sockaddr_dl *in = (struct sockaddr_dl *)p->ifma_name;
 				struct sockaddr_dl *la = (struct sockaddr_dl *)p->ifma_addr;
 				if ((la->sdl_alen == 6)&&(in->sdl_nlen <= _dev.length())&&(!memcmp(_dev.data(),in->sdl_data,in->sdl_nlen)))
 					newGroups.push_back(MulticastGroup(MAC(la->sdl_data + la->sdl_nlen,6),0));
 			}
 			p = p->ifma_next;
 		}
 		_intl_freeifmaddrs(ifmap);
 	}
 	std::vector<InetAddress> allIps(ips());
 	for(std::vector<InetAddress>::iterator ip(allIps.begin());ip!=allIps.end();++ip)
 		newGroups.push_back(MulticastGroup::deriveMulticastGroupForAddressResolution(*ip));
 	std::sort(newGroups.begin(),newGroups.end());
 	std::unique(newGroups.begin(),newGroups.end());
 	for(std::vector<MulticastGroup>::iterator m(newGroups.begin());m!=newGroups.end();++m) {
 		if (!std::binary_search(_multicastGroups.begin(),_multicastGroups.end(),*m))
 			added.push_back(*m);
 	}
 	for(std::vector<MulticastGroup>::iterator m(_multicastGroups.begin());m!=_multicastGroups.end();++m) {
 		if (!std::binary_search(newGroups.begin(),newGroups.end(),*m))
 			removed.push_back(*m);
 	}
 	_multicastGroups.swap(newGroups);
 }
 void OSXEthernetTap::threadMain()
 	throw()
 {
 	fd_set readfds,nullfds;
 	MAC to,from;
 	int n,nfds,r;
 	char getBuf[8194];
 	Thread::sleep(500);
 	FD_ZERO(&readfds);
 	FD_ZERO(&nullfds);
 	nfds = (int)std::max(_shutdownSignalPipe[0],_fd) + 1;
 	r = 0;
 	for(;;) {
 		FD_SET(_shutdownSignalPipe[0],&readfds);
 		FD_SET(_fd,&readfds);
 		select(nfds,&readfds,&nullfds,&nullfds,(struct timeval *)0);
 		if (FD_ISSET(_shutdownSignalPipe[0],&readfds)) // writes to shutdown pipe terminate thread
 			break;
 		if (FD_ISSET(_fd,&readfds)) {
 			n = (int)::read(_fd,getBuf + r,sizeof(getBuf) - r);
 			if (n < 0) {
 				if ((errno != EINTR)&&(errno != ETIMEDOUT))
 					break;
 			} else {
 				// Some tap drivers like to send the ethernet frame and the
 				// payload in two chunks, so handle that by accumulating
 				// data until we have at least a frame.
 				r += n;
 				if (r > 14) {
 					if (r > ((int)_mtu + 14)) // sanity check for weird TAP behavior on some platforms
 						r = _mtu + 14;
 					if (_enabled) {
 						to.setTo(getBuf,6);
 						from.setTo(getBuf + 6,6);
 						unsigned int etherType = ntohs(((const uint16_t *)getBuf)[6]);
 						// TODO: VLAN support
 						_handler(_arg,_nwid,from,to,etherType,0,(const void *)(getBuf + 14),r - 14);
 					}
 					r = 0;
 				}
 			}
 		}
 	}
 }
 } // namespace ZeroTier
--- a/attic/OSXEthernetTap.hpp.pcap-with-bridge-test
+++ b/attic/OSXEthernetTap.hpp.pcap-with-bridge-test
@ -1,96 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2015  ZeroTier, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * ZeroTier may be used and distributed under the terms of the GPLv3, which
 * are available at: http://www.gnu.org/licenses/gpl-3.0.html
 *
 * If you would like to embed ZeroTier into a commercial application or
 * redistribute it in a modified binary form, please contact ZeroTier Networks
 * LLC. Start here: http://www.zerotier.com/
 */
 #ifndef ZT_OSXETHERNETTAP_HPP
 #define ZT_OSXETHERNETTAP_HPP
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdexcept>
 #include <string>
 #include <vector>
 #include "../node/Constants.hpp"
 #include "../node/MAC.hpp"
 #include "../node/InetAddress.hpp"
 #include "../node/MulticastGroup.hpp"
 #include "Thread.hpp"
 namespace ZeroTier {
 /**
 * OSX Ethernet tap using ZeroTier kernel extension zt# devices
 */
 class OSXEthernetTap
 {
 public:
 	OSXEthernetTap(
 		const char *homePath,
 		const MAC &mac,
 		unsigned int mtu,
 		unsigned int metric,
 		uint64_t nwid,
 		const char *friendlyName,
 		void (*handler)(void *,uint64_t,const MAC &,const MAC &,unsigned int,unsigned int,const void *,unsigned int),
 		void *arg);
 	~OSXEthernetTap();
 	inline void setEnabled(bool en) { _enabled = en; }
 	inline bool enabled() const { return _enabled; }
 	bool addIp(const InetAddress &ip);
 	bool removeIp(const InetAddress &ip);
 	std::vector<InetAddress> ips() const;
 	void put(const MAC &from,const MAC &to,unsigned int etherType,const void *data,unsigned int len);
 	std::string deviceName() const;
 	void setFriendlyName(const char *friendlyName);
 	void scanMulticastGroups(std::vector<MulticastGroup> &added,std::vector<MulticastGroup> &removed);
 	void threadMain()
 		throw();
 	// Private members of OSXEthernetTap have public visibility to be accessable
 	// from an internal bounce function; don't modify directly.
 	void (*_handler)(void *,uint64_t,const MAC &,const MAC &,unsigned int,unsigned int,const void *,unsigned int);
 	void *_arg;
 	void *_pcap; // pcap_t *
 	uint64_t _nwid;
 	MAC _mac;
 	Thread _thread;
 	std::string _homePath;
 	std::string _dev;
 	std::vector<MulticastGroup> _multicastGroups;
 	unsigned int _mtu;
 	unsigned int _metric;
 	volatile bool _enabled;
 };
 } // namespace ZeroTier
 #endif
--- a/attic/OSXEthernetTap.hpp.utun-work-in-progress
+++ b/attic/OSXEthernetTap.hpp.utun-work-in-progress
@ -1,101 +0,0 @@
 /*
 * ZeroTier One - Network Virtualization Everywhere
 * Copyright (C) 2011-2015  ZeroTier, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * --
 *
 * ZeroTier may be used and distributed under the terms of the GPLv3, which
 * are available at: http://www.gnu.org/licenses/gpl-3.0.html
 *
 * If you would like to embed ZeroTier into a commercial application or
 * redistribute it in a modified binary form, please contact ZeroTier Networks
 * LLC. Start here: http://www.zerotier.com/
 */
 #ifndef ZT_OSXETHERNETTAP_HPP
 #define ZT_OSXETHERNETTAP_HPP
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdexcept>
 #include <string>
 #include <vector>
 #include "../node/Constants.hpp"
 #include "../node/MAC.hpp"
 #include "../node/InetAddress.hpp"
 #include "../node/MulticastGroup.hpp"
 #include "Thread.hpp"
 namespace ZeroTier {
 class Arp;
 /**
 * OSX Ethernet tap supporting either ZeroTier tun/tap kext or OSX-native utun
 */
 class OSXEthernetTap
 {
 public:
 	OSXEthernetTap(
 		const char *homePath,
 		const MAC &mac,
 		unsigned int mtu,
 		unsigned int metric,
 		uint64_t nwid,
 		const char *friendlyName,
 		void (*handler)(void *,uint64_t,const MAC &,const MAC &,unsigned int,unsigned int,const void *,unsigned int),
 		void *arg);
 	~OSXEthernetTap();
 	void setEnabled(bool en);
 	bool enabled() const;
 	bool addIp(const InetAddress &ip);
 	bool removeIp(const InetAddress &ip);
 	std::vector<InetAddress> ips() const;
 	void put(const MAC &from,const MAC &to,unsigned int etherType,const void *data,unsigned int len);
 	std::string deviceName() const;
 	void setFriendlyName(const char *friendlyName);
 	void scanMulticastGroups(std::vector<MulticastGroup> &added,std::vector<MulticastGroup> &removed);
 	inline bool isNativeUtun() const { return _utun; }
 	void threadMain()
 		throw();
 private:
 	void (*_handler)(void *,uint64_t,const MAC &,const MAC &,unsigned int,unsigned int,const void *,unsigned int);
 	void *_arg;
 	Arp *_arp; // created and used if utun is enabled
 	uint64_t _nwid;
 	Thread _thread;
 	std::string _homePath;
 	std::string _dev;
 	std::vector<MulticastGroup> _multicastGroups;
 	unsigned int _mtu;
 	unsigned int _metric;
 	int _fd;
 	int _shutdownSignalPipe[2];
 	bool _utun;
 	volatile bool _enabled;
 };
 } // namespace ZeroTier
 #endif
--- a/attic/README.md
+++ b/attic/README.md
@ -1,4 +0,0 @@
 Retired Code and Miscellaneous Junk
 ======
 This directory is for old code that isn't used but we don't want to lose track of, and for anything else random like debug scripts.
--- a/attic/WinUI/APIHandler.cs
+++ b/attic/WinUI/APIHandler.cs
@ -0,0 +1,459 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
 using System.Net;
 using System.IO;
 using System.Windows;
 using Newtonsoft.Json;
 using System.Diagnostics;
 using System.Windows.Threading;
 namespace WinUI
 {
    public class APIHandler
    {
        private string authtoken;
        private string url = null;
        private static volatile APIHandler instance;
        private static object syncRoot = new Object();
        public delegate void NetworkListCallback(List<ZeroTierNetwork> networks);
        public delegate void StatusCallback(ZeroTierStatus status);
        private string ZeroTierAddress = "";
        public static APIHandler Instance
        {
            get
            {
                if (instance == null)
                {
                    lock (syncRoot)
                    {
                        if (instance == null)
                        {
                            if (!initHandler())
                            {
                                return null;
                            }
                        }
                    }
                }
                return instance;
            }
        }
        private static bool initHandler(bool resetToken = false)
        {
            String localZtDir = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\ZeroTier\\One";
            String globalZtDir = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\ZeroTier\\One";
            String authToken = "";
            Int32 port = 9993;
            if (resetToken)
            {
                instance = null;
                if (File.Exists(localZtDir + "\\authtoken.secret"))
                {
                    File.Delete(localZtDir + "\\authtoken.secret");
                }
                if (File.Exists(localZtDir + "\\zerotier-one.port"))
                {
                    File.Delete(localZtDir + "\\zerotier-one.port");
                }
            }
            if (!File.Exists(localZtDir + "\\authtoken.secret") || !File.Exists(localZtDir + "\\zerotier-one.port"))
            {
                // launch external process to copy file into place
                String curPath = System.Reflection.Assembly.GetEntryAssembly().Location;
                int index = curPath.LastIndexOf("\\");
                curPath = curPath.Substring(0, index);
                ProcessStartInfo startInfo = new ProcessStartInfo(curPath + "\\copyutil.exe", "\"" + globalZtDir + "\"" + " " + "\"" + localZtDir + "\"");
                startInfo.Verb = "runas";
                var process = Process.Start(startInfo);
                process.WaitForExit();
            }
            authToken = readAuthToken(localZtDir + "\\authtoken.secret");
            if ((authToken == null) || (authToken.Length <= 0))
            {
                MessageBox.Show("Unable to read ZeroTier One authtoken", "ZeroTier One");
                return false;
            }
            port = readPort(localZtDir + "\\zerotier-one.port");
            instance = new APIHandler(port, authToken);
            return true;
        }
        private static String readAuthToken(String path)
        {
            String authToken = "";
            if (File.Exists(path))
            {
                try
                {
                    byte[] tmp = File.ReadAllBytes(path);
                    authToken = System.Text.Encoding.UTF8.GetString(tmp).Trim();
                }
                catch
                {
                    MessageBox.Show("Unable to read ZeroTier One Auth Token from:\r\n" + path, "ZeroTier One");
                }
            }
            return authToken;
        }
        private static Int32 readPort(String path)
        {
            Int32 port = 9993;
            try
            {
                byte[] tmp = File.ReadAllBytes(path);
                port = Int32.Parse(System.Text.Encoding.ASCII.GetString(tmp).Trim());
                if ((port <= 0) || (port > 65535))
                    port = 9993;
            }
            catch
            {
            }
            return port;
        }
        private APIHandler()
        {
            url = "http://127.0.0.1:9993";
        }
        public APIHandler(int port, string authtoken)
        {
            url = "http://127.0.0.1:" + port;
            this.authtoken = authtoken;
        }
        public void GetStatus(StatusCallback cb)
        {
            var request = WebRequest.Create(url + "/status" + "?auth=" + authtoken) as HttpWebRequest;
            if (request != null)
            {
                request.Method = "GET";
                request.ContentType = "application/json";
            }
            try
            {
                var httpResponse = (HttpWebResponse)request.GetResponse();
                if (httpResponse.StatusCode == HttpStatusCode.OK)
                {
                    using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))
                    {
                        var responseText = streamReader.ReadToEnd();
                        ZeroTierStatus status = null;
                        try
                        {
                            status = JsonConvert.DeserializeObject<ZeroTierStatus>(responseText);
                            if (ZeroTierAddress != status.Address)
                            {
                                ZeroTierAddress = status.Address;
                            }
                        }
                        catch (JsonReaderException e)
                        {
                            Console.WriteLine(e.ToString());
                        }
                        cb(status);
                    }
                }
                else if (httpResponse.StatusCode == HttpStatusCode.Unauthorized)
                {
                    APIHandler.initHandler(true);
                }
            }
            catch (System.Net.Sockets.SocketException)
            {
                cb(null);
            }
            catch (System.Net.WebException e)
            {
                HttpWebResponse res = (HttpWebResponse)e.Response;
                if (res != null && res.StatusCode == HttpStatusCode.Unauthorized)
                {
                    APIHandler.initHandler(true);
                }
                else
                {
                    cb(null);
                }
            }
        }
        public void GetNetworks(NetworkListCallback cb)
        {
            var request = WebRequest.Create(url + "/network" + "?auth=" + authtoken) as HttpWebRequest;
            if (request == null)
            {
                cb(null);
            }
            request.Method = "GET";
            request.ContentType = "application/json";
            request.Timeout = 10000;
            try
            {
                var httpResponse = (HttpWebResponse)request.GetResponse();
                if (httpResponse.StatusCode == HttpStatusCode.OK)
                {
                    using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))
                    {
                        var responseText = streamReader.ReadToEnd();
                        List<ZeroTierNetwork> networkList = null;
                        try
                        {
                            networkList = JsonConvert.DeserializeObject<List<ZeroTierNetwork>>(responseText);
                            foreach (ZeroTierNetwork n in networkList)
                            {
                                // all networks received via JSON are connected by definition
                                n.IsConnected = true;
                            }
                        }
                        catch (JsonReaderException e)
                        {
                            Console.WriteLine(e.ToString());
                        }
                        cb(networkList);
                    }
                }
                else if (httpResponse.StatusCode == HttpStatusCode.Unauthorized)
                {
                    APIHandler.initHandler(true);
                }
            }
            catch (System.Net.Sockets.SocketException)
            {
                cb(null);
            }
            catch (System.Net.WebException e)
            {
                HttpWebResponse res = (HttpWebResponse)e.Response;
                if (res != null && res.StatusCode == HttpStatusCode.Unauthorized)
                {
                    APIHandler.initHandler(true);
                }
                else
                {
                    cb(null);
                }
            }
        }
        public void JoinNetwork(Dispatcher d, string nwid, bool allowManaged = true, bool allowGlobal = false, bool allowDefault = false, bool allowDNS = false)
        {
            Task.Factory.StartNew(() =>
            {
                var request = WebRequest.Create(url + "/network/" + nwid + "?auth=" + authtoken) as HttpWebRequest;
                if (request == null)
                {
                    return;
                }
                request.Method = "POST";
                request.ContentType = "applicaiton/json";
                request.Timeout = 30000;
                try
                {
                    using (var streamWriter = new StreamWriter(((HttpWebRequest)request).GetRequestStream()))
                    {
                        string json = "{\"allowManaged\":" + (allowManaged ? "true" : "false") + "," +
                                "\"allowGlobal\":" + (allowGlobal ? "true" : "false") + "," +
                                "\"allowDefault\":" + (allowDefault ? "true" : "false") + "," +
                                "\"allowDNS\":" + (allowDNS ? "true" : "false") + "}";
                        streamWriter.Write(json);
                        streamWriter.Flush();
                        streamWriter.Close();
                    }
                }
                catch (System.Net.WebException)
                {
                    d.BeginInvoke(DispatcherPriority.Normal, new Action(() =>
                    {
                        MessageBox.Show("Error Joining Network: Cannot connect to ZeroTier service.");
                    }));
                    return;
                }
                try
                {
                    var httpResponse = (HttpWebResponse)request.GetResponse();
                    if (httpResponse.StatusCode == HttpStatusCode.Unauthorized)
                    {
                        APIHandler.initHandler(true);
                    }
                    else if (httpResponse.StatusCode != HttpStatusCode.OK)
                    {
                        Console.WriteLine("Error sending join network message");
                    }
                }
                catch (System.Net.Sockets.SocketException)
                {
                    d.BeginInvoke(DispatcherPriority.Normal, new Action(() =>
                    {
                        MessageBox.Show("Error Joining Network: Cannot connect to ZeroTier service.");
                    }));
                }
                catch (System.Net.WebException e)
                {
                    HttpWebResponse res = (HttpWebResponse)e.Response;
                    if (res != null && res.StatusCode == HttpStatusCode.Unauthorized)
                    {
                        APIHandler.initHandler(true);
                    }
                    d.BeginInvoke(DispatcherPriority.Normal, new Action(() =>
                    {
                        MessageBox.Show("Error Joining Network: Cannot connect to ZeroTier service.");
                    }));
                }
            });
        }
        public void LeaveNetwork(Dispatcher d, string nwid)
        {
            Task.Factory.StartNew(() =>
            {
                var request = WebRequest.Create(url + "/network/" + nwid + "?auth=" + authtoken) as HttpWebRequest;
                if (request == null)
                {
                    return;
                }
                request.Method = "DELETE";
                request.Timeout = 30000;
                try
                {
                    var httpResponse = (HttpWebResponse)request.GetResponse();
                    if (httpResponse.StatusCode == HttpStatusCode.Unauthorized)
                    {
                        APIHandler.initHandler(true);
                    }
                    else if (httpResponse.StatusCode != HttpStatusCode.OK)
                    {
                        Console.WriteLine("Error sending leave network message");
                    }
                }
                catch (System.Net.Sockets.SocketException)
                {
                    d.BeginInvoke(DispatcherPriority.Normal, new Action(() =>
                    {
                        MessageBox.Show("Error Leaving Network: Cannot connect to ZeroTier service.");
                    }));
                }
                catch (System.Net.WebException e)
                {
                    HttpWebResponse res = (HttpWebResponse)e.Response;
                    if (res != null && res.StatusCode == HttpStatusCode.Unauthorized)
                    {
                        APIHandler.initHandler(true);
                    }
                    d.BeginInvoke(DispatcherPriority.Normal, new Action(() =>
                    {
                        MessageBox.Show("Error Leaving Network: Cannot connect to ZeroTier service.");
                    }));
                }
                catch
                {
                    Console.WriteLine("Error leaving network: Unknown error");
                }
            });
        }
        public delegate void PeersCallback(List<ZeroTierPeer> peers);
        public void GetPeers(PeersCallback cb)
        {
            var request = WebRequest.Create(url + "/peer" + "?auth=" + authtoken) as HttpWebRequest;
            if (request == null)
            {
                cb(null);
            }
            request.Method = "GET";
            request.ContentType = "application/json";
            try
            {
                var httpResponse = (HttpWebResponse)request.GetResponse();
                if (httpResponse.StatusCode == HttpStatusCode.OK)
                {
                    using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))
                    {
                        var responseText = streamReader.ReadToEnd();
                        //Console.WriteLine(responseText);
                        List<ZeroTierPeer> peerList = null;
                        try
                        {
                            peerList = JsonConvert.DeserializeObject<List<ZeroTierPeer>>(responseText);
                        }
                        catch (JsonReaderException e)
                        {
                            Console.WriteLine(e.ToString());
                        }
                        cb(peerList);
                    }
                }
                else if (httpResponse.StatusCode == HttpStatusCode.Unauthorized)
                {
                    APIHandler.initHandler(true);
                }
            }
            catch (System.Net.Sockets.SocketException)
            {
                cb(null);
            }
            catch (System.Net.WebException e)
            {
                HttpWebResponse res = (HttpWebResponse)e.Response;
                if (res != null && res.StatusCode == HttpStatusCode.Unauthorized)
                {
                    APIHandler.initHandler(true);
                }
                else
                {
                    cb(null);
                }
            }
        }
        public string NodeAddress()
        {
            return ZeroTierAddress;
        }
    }
 }
--- a/windows/WinUI/AboutView.xaml
+++ b/windows/WinUI/AboutView.xaml
@ -19,9 +19,9 @@
                    <Run Text="ZeroTier One"/>
                </Paragraph>
                <Paragraph TextAlignment="Center">
-                    <Run FontSize="14" Text="Version 1.2.10"/>
+                    <Run FontSize="14" Text="Version 1.6.6"/>
                    <LineBreak/>
-                    <Run FontSize="14" Text="(c) 2011-2017 ZeroTier, Inc."/>
+                    <Run FontSize="14" Text="(c) 2011-2021 ZeroTier, Inc."/>
                    <LineBreak/>
                    <Run FontSize="14" Text="www.zerotier.com"/>
                </Paragraph>
--- a/windows/WinUI/AboutView.xaml.cs
+++ b/windows/WinUI/AboutView.xaml.cs
--- a/windows/WinUI/App.config
+++ b/windows/WinUI/App.config
--- a/windows/WinUI/App.xaml
+++ b/windows/WinUI/App.xaml
--- a/windows/WinUI/App.xaml.cs
+++ b/windows/WinUI/App.xaml.cs
--- a/windows/WinUI/CentralAPI.cs
+++ b/windows/WinUI/CentralAPI.cs
@ -67,7 +67,7 @@ namespace WinUI
                UseCookies = true,
                CookieContainer = cookieContainer
            };
-            
+
            client = new HttpClient(clientHandler);
            string centralConfigPath = CentralConfigFile();
@ -75,7 +75,15 @@ namespace WinUI
            {
                byte[] tmp = File.ReadAllBytes(centralConfigPath);
                string json = Encoding.UTF8.GetString(tmp).Trim();
-                Central = JsonConvert.DeserializeObject<CentralServer>(json);
+                CentralServer ctmp = JsonConvert.DeserializeObject<CentralServer>(json);
                if (ctmp != null)
                {
                    Central = ctmp;
                } 
                else
                {
                    Central = new CentralServer();
                }
            }
            else
            {
@ -105,7 +113,10 @@ namespace WinUI
        {
            string json = JsonConvert.SerializeObject(Central);
            byte[] tmp = Encoding.UTF8.GetBytes(json);
-            File.WriteAllBytes(CentralConfigFile(), tmp);
+            if (tmp != null)
            {
                File.WriteAllBytes(CentralConfigFile(), tmp);
            }
        }
        private void UpdateRequestHeaders()
@ -207,7 +218,7 @@ namespace WinUI
        public async Task<CentralNetwork> CreateNewNetwork()
        {
-            string networkURL = Central.ServerURL + "/api/network/";
+            string networkURL = Central.ServerURL + "/api/network?easy=1";
            CentralNetwork network = new CentralNetwork();
            network.Config = new CentralNetwork.CentralNetworkConfig();
            network.Config.Name = NetworkNameGenerator.GenerateName();
--- a/windows/WinUI/CentralLogin.cs
+++ b/windows/WinUI/CentralLogin.cs
--- a/windows/WinUI/CentralNetwork.cs
+++ b/windows/WinUI/CentralNetwork.cs
--- a/windows/WinUI/CentralServer.cs
+++ b/windows/WinUI/CentralServer.cs
--- a/windows/WinUI/CentralToken.cs
+++ b/windows/WinUI/CentralToken.cs
--- a/windows/WinUI/CentralUser.cs
+++ b/windows/WinUI/CentralUser.cs
--- a/windows/WinUI/Fonts/segoeui.ttf
+++ b/windows/WinUI/Fonts/segoeui.ttf
--- a/windows/WinUI/Fonts/segoeuib.ttf
+++ b/windows/WinUI/Fonts/segoeuib.ttf
--- a/windows/WinUI/Fonts/segoeuii.ttf
+++ b/windows/WinUI/Fonts/segoeuii.ttf
--- a/windows/WinUI/Fonts/segoeuiz.ttf
+++ b/windows/WinUI/Fonts/segoeuiz.ttf
--- a/windows/WinUI/ISwitchable.cs
+++ b/windows/WinUI/ISwitchable.cs
--- a/windows/WinUI/JoinNetworkView.xaml
+++ b/windows/WinUI/JoinNetworkView.xaml
@ -10,7 +10,8 @@
        <TextBox x:Name="joinNetworkBox" HorizontalAlignment="Left" Height="23" Margin="10,10,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="291" PreviewTextInput="joinNetworkBox_OnTextEntered" PreviewKeyDown="joinNetworkBox_OnKeyDown"/>
        <CheckBox x:Name="allowManagedCheckbox" Content="Allow Managed" HorizontalAlignment="Left" Margin="10,38,0,0" VerticalAlignment="Top" IsChecked="True"/>
        <CheckBox x:Name="allowGlobalCheckbox" Content="Allow Global" HorizontalAlignment="Left" Margin="118,38,0,0" VerticalAlignment="Top"/>
-        <CheckBox x:Name="allowDefaultCheckbox" Content="Allow Default" HorizontalAlignment="Left" Margin="210,38,-6,0" VerticalAlignment="Top"/>
+        <CheckBox x:Name="allowDefaultCheckbox" Content="Allow Default" HorizontalAlignment="Left" Margin="10,58,0,0" VerticalAlignment="Top"/>
        <CheckBox x:Name="allowDNSCheckbox" Content="Allow DNS" HorizontalAlignment="Left" VerticalAlignment="Top" Margin="118,58,0,0"/>
        <Button x:Name="joinButton" Content="Join" HorizontalAlignment="Left" Margin="226,58,0,10" Background="#FFFFB354" VerticalAlignment="Top" Width="75" Click="joinButton_Click" IsEnabled="False"/>
    </Grid>
 </Window>
--- a/windows/WinUI/JoinNetworkView.xaml.cs
+++ b/windows/WinUI/JoinNetworkView.xaml.cs
@ -117,8 +117,9 @@ namespace WinUI
            bool allowDefault = allowDefaultCheckbox.IsChecked.Value;
            bool allowGlobal = allowGlobalCheckbox.IsChecked.Value;
            bool allowManaged = allowManagedCheckbox.IsChecked.Value;
            bool allowDNS = allowDNSCheckbox.IsChecked.Value;
-            APIHandler.Instance.JoinNetwork(this.Dispatcher, joinNetworkBox.Text, allowManaged, allowGlobal, allowDefault);
+            APIHandler.Instance.JoinNetwork(this.Dispatcher, joinNetworkBox.Text, allowManaged, allowGlobal, allowDefault, allowDNS);
            Close();
        }
--- a/windows/WinUI/MainWindow.xaml.cs
+++ b/windows/WinUI/MainWindow.xaml.cs
--- a/windows/WinUI/NetworkInfoView.xaml
+++ b/windows/WinUI/NetworkInfoView.xaml
@ -29,6 +29,7 @@
                <RowDefinition Height="auto"/>
                <RowDefinition Height="auto"/>
                <RowDefinition Height="auto"/>
                <RowDefinition Height="auto"/>
            </Grid.RowDefinitions>
            <Grid Grid.Column="0" Grid.Row="0" Grid.ColumnSpan="3">
@ -54,8 +55,9 @@
            <TextBlock TextWrapping="Wrap" Text="Allow Global IP" HorizontalAlignment="Right" Grid.Column="0" Grid.Row="10" Foreground="#FF000000"/>
            <TextBlock TextWrapping="Wrap" Text="Allow Managed IP" HorizontalAlignment="Right" Grid.Column="0" Grid.Row="11" Foreground="#FF000000"/>
            <TextBlock TextWrapping="Wrap" Text="Allow Default Route" HorizontalAlignment="Right" Grid.Column="0" Grid.Row="12" Foreground="#FF000000"/>
-            
+            <TextBlock TextWrapping="Wrap" Text="Allow DNS" HorizontalAlignment="Right" Grid.Column="0" Grid.Row="13" Foreground="#FF000000"/>
-            <Rectangle Grid.Column="2" Grid.Row="2" Grid.RowSpan="11" Fill="#FFEEEEEE"/>
+
            <Rectangle Grid.Column="2" Grid.Row="2" Grid.RowSpan="12" Fill="#FFEEEEEE"/>
            <TextBlock x:Name="networkStatus" FontFamily="Lucida Console" TextWrapping="Wrap" HorizontalAlignment="Right" Text="OK" TextAlignment="Right"  Grid.Column="2" Grid.Row="2" Foreground="#FF000000"/>
            <TextBlock x:Name="networkType" FontFamily="Lucida Console" TextWrapping="Wrap" Text="PUBLIC" HorizontalAlignment="Right"  Grid.Column="2" Grid.Row="3" Foreground="#FF000000"/>
@ -68,10 +70,11 @@
            <CheckBox x:Name="allowGlobal" HorizontalAlignment="Right" Grid.Column="2" Grid.Row="10" />
            <CheckBox x:Name="allowManaged" HorizontalAlignment="Right" Grid.Column="2" Grid.Row="11" />
            <CheckBox x:Name="allowDefault" HorizontalAlignment="Right" Grid.Column="2" Grid.Row="12" />
            <CheckBox x:Name="allowDNS" HorizontalAlignment="Right" Grid.Column="2" Grid.Row="13"/>
            <Separator Grid.Column="0" Grid.Row="14" Grid.ColumnSpan="3"/>
-            <Separator Grid.Column="0" Grid.Row="13" Grid.ColumnSpan="3"/>
+            <Grid Grid.Column="0" Grid.Row="15" Grid.ColumnSpan="3" Background="GhostWhite">
            <Grid Grid.Column="0" Grid.Row="14" Grid.ColumnSpan="3" Background="GhostWhite">
                <Grid.ColumnDefinitions>
                    <ColumnDefinition Width="auto"/>
                    <ColumnDefinition Width="*"/>
--- a/windows/WinUI/NetworkInfoView.xaml.cs
+++ b/windows/WinUI/NetworkInfoView.xaml.cs
@ -36,6 +36,8 @@ namespace WinUI
            allowGlobal.Unchecked += AllowGlobal_CheckStateChanged;
            allowManaged.Checked += AllowManaged_CheckStateChanged;
            allowManaged.Unchecked += AllowManaged_CheckStateChanged;
            allowDNS.Checked += AllowDNS_CheckStateChanged;
            allowDNS.Unchecked += AllowDNS_CheckStateChanged;
        }
        private void UpdateNetworkData()
@ -79,6 +81,7 @@ namespace WinUI
            this.allowDefault.IsChecked = network.AllowDefault;
            this.allowGlobal.IsChecked = network.AllowGlobal;
            this.allowManaged.IsChecked = network.AllowManaged;
            this.allowDNS.IsChecked = network.AllowDNS;
 						this.connectedCheckBox.Checked -= connectedCheckBox_Checked;
 						this.connectedCheckBox.Unchecked -= connectedCheckbox_Unchecked;
@ -116,7 +119,8 @@ namespace WinUI
            APIHandler.Instance.JoinNetwork(this.Dispatcher, network.NetworkId,
                allowManaged.IsChecked ?? false,
                allowGlobal.IsChecked ?? false,
-                allowDefault.IsChecked ?? false);
+                allowDefault.IsChecked ?? false,
                allowDNS.IsChecked ?? false);
        }
        private void AllowGlobal_CheckStateChanged(object sender, RoutedEventArgs e)
@ -125,7 +129,8 @@ namespace WinUI
            APIHandler.Instance.JoinNetwork(this.Dispatcher, network.NetworkId,
                allowManaged.IsChecked ?? false,
                allowGlobal.IsChecked ?? false,
-                allowDefault.IsChecked ?? false);
+                allowDefault.IsChecked ?? false,
                allowDNS.IsChecked ?? false);
        }
        private void AllowDefault_CheckStateChanged(object sender, RoutedEventArgs e)
@ -134,7 +139,18 @@ namespace WinUI
            APIHandler.Instance.JoinNetwork(this.Dispatcher, network.NetworkId,
                allowManaged.IsChecked ?? false,
                allowGlobal.IsChecked ?? false,
-                allowDefault.IsChecked ?? false);
+                allowDefault.IsChecked ?? false,
                allowDNS.IsChecked ?? false);
        }
        private void AllowDNS_CheckStateChanged(object sender, RoutedEventArgs e)
        {
            CheckBox cb = sender as CheckBox;
            APIHandler.Instance.JoinNetwork(this.Dispatcher, network.NetworkId,
                allowManaged.IsChecked ?? false,
                allowGlobal.IsChecked ?? false,
                allowDefault.IsChecked ?? false,
                allowDNS.IsChecked ?? false);
        }
        private void connectedCheckBox_Checked(object sender, RoutedEventArgs e)
@ -154,8 +170,9 @@ namespace WinUI
                bool global = allowGlobal.IsChecked.Value;
                bool managed = allowManaged.IsChecked.Value;
                bool defRoute = allowDefault.IsChecked.Value;
                bool dns = allowDNS.IsChecked.Value;
-                APIHandler.Instance.JoinNetwork(this.Dispatcher, networkId.Text, managed, global, defRoute);
+                APIHandler.Instance.JoinNetwork(this.Dispatcher, networkId.Text, managed, global, defRoute, dns);
            }
            else
            {
--- a/windows/WinUI/NetworkListView.xaml
+++ b/windows/WinUI/NetworkListView.xaml
--- a/windows/WinUI/NetworkListView.xaml.cs
+++ b/windows/WinUI/NetworkListView.xaml.cs
--- a/windows/WinUI/NetworkMonitor.cs
+++ b/windows/WinUI/NetworkMonitor.cs
@ -156,7 +156,7 @@ namespace WinUI
            {
                Console.WriteLine("Monitor Thread Exception: " + "\n" + e.StackTrace);
            }
-						Console.WriteLine("Monitor Thread Ended");
+			Console.WriteLine("Monitor Thread Ended");
        }
        public void SubscribeStatusUpdates(StatusCallback cb)
--- a/windows/WinUI/NetworkNameGenerator.cs
+++ b/windows/WinUI/NetworkNameGenerator.cs
--- a/windows/WinUI/NetworkRoute.cs
+++ b/windows/WinUI/NetworkRoute.cs
--- a/windows/WinUI/NetworksPage.xaml
+++ b/windows/WinUI/NetworksPage.xaml
--- a/windows/WinUI/NetworksPage.xaml.cs
+++ b/windows/WinUI/NetworksPage.xaml.cs
--- a/windows/WinUI/PeersPage.xaml
+++ b/windows/WinUI/PeersPage.xaml
--- a/windows/WinUI/PeersPage.xaml.cs
+++ b/windows/WinUI/PeersPage.xaml.cs
--- a/windows/WinUI/PreferencesView.xaml
+++ b/windows/WinUI/PreferencesView.xaml
--- a/windows/WinUI/PreferencesView.xaml.cs
+++ b/windows/WinUI/PreferencesView.xaml.cs
--- a/windows/WinUI/Properties/AssemblyInfo.cs
+++ b/windows/WinUI/Properties/AssemblyInfo.cs
--- a/windows/WinUI/Properties/Resources.Designer.cs
+++ b/windows/WinUI/Properties/Resources.Designer.cs
--- a/windows/WinUI/Properties/Resources.resx
+++ b/windows/WinUI/Properties/Resources.resx
--- a/windows/WinUI/Properties/Settings.Designer.cs
+++ b/windows/WinUI/Properties/Settings.Designer.cs
--- a/windows/WinUI/Properties/Settings.settings
+++ b/windows/WinUI/Properties/Settings.settings
--- a/windows/WinUI/Resources/ZeroTierIcon.ico
+++ b/windows/WinUI/Resources/ZeroTierIcon.ico
--- a/windows/WinUI/Simple
+++ b/windows/WinUI/Simple
--- a/windows/WinUI/Themes/Generic.xaml
+++ b/windows/WinUI/Themes/Generic.xaml
--- a/windows/WinUI/ToolbarItem.xaml
+++ b/windows/WinUI/ToolbarItem.xaml
@ -43,7 +43,10 @@
 							<Separator/>
 							<MenuItem Header="ZeroTier Central"
 												Click="ToolbarItem_CentralClicked"/>
-								
+							<MenuItem Header="Create and Join Network"
 												Click="ToolbarItem_NewNetwork"
 												x:Name="newNetworkItem"/>
 							<Separator/>
 							<MenuItem Header="About..."
                                      Click="ToolbarItem_AboutClicked"/>
 							<MenuItem Header="Preferences..."
--- a/windows/WinUI/ToolbarItem.xaml.cs
+++ b/windows/WinUI/ToolbarItem.xaml.cs
@ -45,10 +45,6 @@ namespace WinUI
        private ObservableCollection<MenuItem> _networkCollection = new ObservableCollection<MenuItem>();
        private static Boolean shouldShowOnboardProcess = true;
 #if DEBUG
        private static bool isFirstRun = true;
 #endif
        public ObservableCollection<MenuItem> NetworkCollection
        {
@ -85,23 +81,6 @@ namespace WinUI
        {
            if (networks != null)
            {
                if (networks.Count > 0)
                {
 #if DEBUG
                    if (isFirstRun)
                    {
                        shouldShowOnboardProcess = true;
                        isFirstRun = false;
                    }
                    else
                    {
                        shouldShowOnboardProcess = false;
                    } 
 #else
                    shouldShowOnboardProcess = false;
 #endif
                }
                Dispatcher.BeginInvoke(DispatcherPriority.Normal, new Action(() =>
                {
                    NetworkCollection.Clear();
@ -116,18 +95,6 @@ namespace WinUI
                        NetworkCollection.Add(item);
                    }
                }));
                if (shouldShowOnboardProcess)
                {
                    // TODO: Show onboarding process window (on main thread
                    Dispatcher.BeginInvoke(DispatcherPriority.Normal, new Action(() =>
                    {
                        PageSwitcher ps = new PageSwitcher();
                        ps.Show();
                    }));
                    shouldShowOnboardProcess = false;
                }
            }
        }
@ -140,6 +107,15 @@ namespace WinUI
                    nodeIdMenuItem.Header = "Node ID: " + status.Address;
                    nodeIdMenuItem.IsEnabled = true;
                    nodeId = status.Address;
                    if (CentralAPI.Instance.HasAccessToken())
                    {
                        newNetworkItem.IsEnabled = true;
                    }
                    else
                    {
                        newNetworkItem.IsEnabled = false;
                    }
                }));
            }
        }
@ -331,6 +307,21 @@ namespace WinUI
            }
        }
        private async void ToolbarItem_NewNetwork(object sender, System.Windows.RoutedEventArgs e)
        {
            if (CentralAPI.Instance.HasAccessToken())
            {
                CentralAPI api = CentralAPI.Instance;
                CentralNetwork newNetwork = await api.CreateNewNetwork();
                APIHandler handler = APIHandler.Instance;
                handler.JoinNetwork(this.Dispatcher, newNetwork.Id);
                string nodeId = APIHandler.Instance.NodeAddress();
                bool authorized = await CentralAPI.Instance.AuthorizeNode(nodeId, newNetwork.Id);
            }
        }
        private void setWindowPosition(Window w)
        {
            double width = w.ActualWidth;
--- a/windows/WinUI/WinUI.csproj
+++ b/windows/WinUI/WinUI.csproj
@ -121,34 +121,12 @@
    <Compile Include="NetworksPage.xaml.cs">
      <DependentUpon>NetworksPage.xaml</DependentUpon>
    </Compile>
    <Compile Include="OnboardProcess\CreateAccount.xaml.cs">
      <DependentUpon>CreateAccount.xaml</DependentUpon>
    </Compile>
    <Compile Include="OnboardProcess\CreateOrJoin.xaml.cs">
      <DependentUpon>CreateOrJoin.xaml</DependentUpon>
    </Compile>
    <Compile Include="OnboardProcess\EnterToken.xaml.cs">
      <DependentUpon>EnterToken.xaml</DependentUpon>
    </Compile>
    <Compile Include="OnboardProcess\Finished.xaml.cs">
      <DependentUpon>Finished.xaml</DependentUpon>
    </Compile>
    <Compile Include="OnboardProcess\LogIn.xaml.cs">
      <DependentUpon>LogIn.xaml</DependentUpon>
    </Compile>
    <Compile Include="OnboardProcess\RegisterOrLogIn.xaml.cs">
      <DependentUpon>RegisterOrLogIn.xaml</DependentUpon>
    </Compile>
    <Compile Include="PageSwitcher.xaml.cs">
      <DependentUpon>PageSwitcher.xaml</DependentUpon>
    </Compile>
    <Compile Include="PeersPage.xaml.cs">
      <DependentUpon>PeersPage.xaml</DependentUpon>
    </Compile>
    <Compile Include="PreferencesView.xaml.cs">
      <DependentUpon>PreferencesView.xaml</DependentUpon>
    </Compile>
    <Compile Include="Switcher.cs" />
    <Compile Include="ToolbarItem.xaml.cs">
      <DependentUpon>ToolbarItem.xaml</DependentUpon>
    </Compile>
@ -185,34 +163,6 @@
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="OnboardProcess\CreateAccount.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="OnboardProcess\CreateOrJoin.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="OnboardProcess\EnterToken.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="OnboardProcess\Finished.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="OnboardProcess\LogIn.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="OnboardProcess\RegisterOrLogIn.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="PageSwitcher.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
    </Page>
    <Page Include="PeersPage.xaml">
      <SubType>Designer</SubType>
      <Generator>MSBuild:Compile</Generator>
@ -310,7 +260,6 @@
    <None Include="Resources\ZeroTierIcon.ico" />
  </ItemGroup>
  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
  <Import Project="$(MSBuildExtensionsPath)\Microsoft\Expression\Blend\.NETFramework\v4.5\Microsoft.Expression.Blend.WPF.targets" />
  <PropertyGroup>
    <PostBuildEvent>copy "$(SolutionDir)\copyutil\bin\$(ConfigurationName)\copyutil.exe" "$(ProjectDir)\$(OutDir)\copyutil.exe"</PostBuildEvent>
  </PropertyGroup>
--- a/windows/WinUI/ZeroTierIcon.ico
+++ b/windows/WinUI/ZeroTierIcon.ico
--- a/windows/WinUI/ZeroTierNetwork.cs
+++ b/windows/WinUI/ZeroTierNetwork.cs
@ -30,6 +30,7 @@ namespace WinUI
        private bool allowManaged;
        private bool allowGlobal;
        private bool allowDefault;
        private bool allowDNS;
        private bool isConnected;
        protected ZeroTierNetwork(SerializationInfo info, StreamingContext ctx)
@ -53,6 +54,7 @@ namespace WinUI
                AllowManaged = info.GetBoolean("allowManaged");
                AllowGlobal = info.GetBoolean("allowGlobal");
                AllowDefault = info.GetBoolean("allowDefault");
                AllowDNS = info.GetBoolean("allowDNS");
            }
            catch { }
            IsConnected = false;
@ -79,6 +81,7 @@ namespace WinUI
            info.AddValue("allowManaged", AllowManaged);
            info.AddValue("allowGlobal", AllowGlobal);
            info.AddValue("allowDefault", AllowDefault);
            info.AddValue("allowDNS", AllowDNS);
        }
        public void UpdateNetwork(ZeroTierNetwork network)
@ -165,6 +168,11 @@ namespace WinUI
                AllowDefault = network.AllowDefault;
            }
            if (AllowDNS != network.AllowDNS)
            {
                AllowDNS = network.AllowDNS;
            }
            if (IsConnected != network.IsConnected)
            {
                IsConnected = network.IsConnected;
@ -413,6 +421,20 @@ namespace WinUI
                NotifyPropertyChanged();
            }
        }
        [JsonProperty("allowDNS")]
        public bool AllowDNS
        {
            get
            {
                return allowDNS;
            }
            set
            {
                allowDNS = value;
                NotifyPropertyChanged();
            }
        }
        public bool IsConnected
        {
--- a/windows/WinUI/ZeroTierPeer.cs
+++ b/windows/WinUI/ZeroTierPeer.cs
--- a/windows/WinUI/ZeroTierPeerPhysicalPath.cs
+++ b/windows/WinUI/ZeroTierPeerPhysicalPath.cs
--- a/windows/WinUI/ZeroTierStatus.cs
+++ b/windows/WinUI/ZeroTierStatus.cs
--- a/windows/WinUI/app.manifest
+++ b/windows/WinUI/app.manifest
--- a/windows/WinUI/packages.config
+++ b/windows/WinUI/packages.config
--- a/attic/kubernetes_docs/.zerotierCliSettings
+++ b/attic/kubernetes_docs/.zerotierCliSettings
@ -1,18 +0,0 @@
 {
  "configVersion": 1,
  "defaultCentral": "@my.zerotier.com",
  "defaultController": "@my.zerotier.com",
  "defaultOne": "@local",
  "things": {
    "local": {
      "auth": "local_service_auth_token_replaced_automatically",
      "type": "one",
      "url": "http://127.0.0.1:9993/"
    },
    "my.zerotier.com": {
      "auth": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "type": "central",
      "url": "https://my.zerotier.com/"
    }
  }
 }
--- a/attic/kubernetes_docs/Dockerfile
+++ b/attic/kubernetes_docs/Dockerfile
@ -1,19 +0,0 @@
 FROM node:4.4
 EXPOSE 8080/tcp 9993/udp
 # Install ZT network conf files
 RUN mkdir -p /var/lib/zerotier-one/networks.d
 ADD *.conf /var/lib/zerotier-one/networks.d/
 ADD *.conf /
 ADD zerotier-one /
 ADD zerotier-cli /
 ADD .zerotierCliSettings /
 # Install App
 ADD server.js /
 # script which will start/auth VM on ZT network
 ADD entrypoint.sh /
 RUN chmod -v +x /entrypoint.sh 
 CMD ["./entrypoint.sh"]
--- a/attic/kubernetes_docs/README.md
+++ b/attic/kubernetes_docs/README.md
@ -1,150 +0,0 @@
 Kubernetes + ZeroTier
 ====
 A self-authorizing Kubernetes cluster deployment over a private ZeroTier network.
 This is a quick tutorial for setting up a Kubernetes deployment which can self-authorize each new replica onto your private ZeroTier network with no additional configuration needed when you scale. The Kubernetes-specific instructions and content is based on the [hellonode](http://kubernetes.io/docs/hellonode/) tutorial. All of the files discussed below can be found [here]();
 ## Preliminary tasks
 **Step 1: Go to [my.zerotier.com](https://my.zerotier.com) and generate a network controller API key. This key will be used by ZeroTier to automatically authorize new instances of your VMs to join your secure deployment network during replication.**
 **Step 2: Create a new `private` network. Take note of the network ID, henceforth: `nwid`**
 **Step 3: Follow the instructions from the [hellonode](ttp://kubernetes.io/docs/hellonode/) tutorial to set up your development system.**
 ***
 ## Construct docker image
 **Step 4: Create necessary files for inclusion into image, your resultant directory should contain:**
 - `ztkube/<nwid>.conf`
 - `ztkube/Dockerfile`
 - `ztkube/entrypoint.sh`
 - `ztkube/server.js`
 - `ztkube/zerotier-cli`
 - `ztkube/zerotier-one`
 Start by creating a build directory to copy all required files into `mkdir ztkube`. Then build the following:
 - `make one`
 - `make cli`
 Add the following files to the `ztkube` directory. These files will be compiled into the Docker image.
 - Create an empty `<nwid>.conf` file to specify the private deployment network you created in *Step 2*:
 - Create a CLI tool config file `.zerotierCliSettings` which should only contain your network controller API key to authorize new devices on your network (the local service API key will be filled in automatically). In this example the default controller is hosted by us at [my.zerotier.com](https://my.zerotier.com). Alternatively, you can host your own network controller but you'll need to modify the CLI config file accordingly.
 ```
 {
  "configVersion": 1,
  "defaultCentral": "@my.zerotier.com",
  "defaultController": "@my.zerotier.com",
  "defaultOne": "@local",
  "things": {
    "local": {
      "auth": "local_service_auth_token_replaced_automatically",
      "type": "one",
      "url": "http://127.0.0.1:9993/"
    },
    "my.zerotier.com": {
      "auth": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "type": "central",
      "url": "https://my.zerotier.com/"
    }
  }
 }
 ```
 - Create a `Dockerfile` which will copy the ZeroTier service as well as the ZeroTier CLI to the image: 
 ```
 FROM node:4.4
 EXPOSE 8080/tcp 9993/udp
 # Install ZT network conf files
 RUN mkdir -p /var/lib/zerotier-one/networks.d
 ADD *.conf /var/lib/zerotier-one/networks.d/
 ADD *.conf /
 ADD zerotier-one /
 ADD zerotier-cli /
 ADD .zerotierCliSettings /
 # Install App
 ADD server.js /
 # script which will start/auth VM on ZT network
 ADD entrypoint.sh /
 RUN chmod -v +x /entrypoint.sh 
 CMD ["./entrypoint.sh"]
 ```
 - Create the `entrypoint.sh` script which will start the ZeroTier service in the VM, attempt to join your deployment network and automatically authorize the new VM if your network is set to private:
 ```
 #!/bin/bash
 echo '*** ZeroTier-Kubernetes self-auth test script'
 chown -R daemon /var/lib/zerotier-one
 chgrp -R daemon /var/lib/zerotier-one
 su daemon -s /bin/bash -c '/zerotier-one -d -U -p9993 >>/tmp/zerotier-one.out 2>&1'
 dev=""
 nwconf=$(ls *.conf)
 nwid="${nwconf%.*}"
 sleep 10
 dev=$(cat /var/lib/zerotier-one/identity.public| cut -d ':' -f 1)
 echo '*** Joining'
 ./zerotier-cli join "$nwid".conf
 # Fill out local service auth token
 AUTHTOKEN=$(cat /var/lib/zerotier-one/authtoken.secret)
 sed "s|\local_service_auth_token_replaced_automatically|${AUTHTOKEN}|" .zerotierCliSettings > /root/.zerotierCliSettings
 echo '*** Authorizing'
 ./zerotier-cli net-auth @my.zerotier.com "$nwid" "$dev"
 echo '*** Cleaning up' # Remove controller auth token
 rm -rf .zerotierCliSettings /root/.zerotierCliSettings
 node server.js
 ```
 **Step 5: Build the image:**
 - `docker build -t gcr.io/$PROJECT_ID/hello-node .`
 **Step 6: Push the docker image to your *Container Registry***
 - `gcloud docker push gcr.io/$PROJECT_ID/hello-node:v1`
 ***
 ## Deploy!
 **Step 7: Create Kubernetes Cluster**
 - `gcloud config set compute/zone us-central1-a`
 - `gcloud container clusters create hello-world`
 - `gcloud container clusters get-credentials hello-world`
 **Step 8: Create your pod**
 - `kubectl run hello-node --image=gcr.io/$PROJECT_ID/hello-node:v1 --port=8080`
 **Step 9: Scale**
 - `kubectl scale deployment hello-node --replicas=4`
 ***
 ## Verify
 Now, after a minute or so you can use `zerotier-cli net-members <nwid>` to show all of your VM instances on your ZeroTier deployment network. If you haven't [configured your local CLI](https://github.com/zerotier/ZeroTierOne/tree/dev/cli), you can simply log into [my.zerotier.com](https://my.zerotier.com), go to *Networks -> nwid* to check that your VMs are indeed members of your private network. You should also note that the `entrypoint.sh` script will automatically delete your network controller API key once it has authorized your VM. This is merely a security measure and can be removed if needed.
--- a/attic/kubernetes_docs/entrypoint.sh
+++ b/attic/kubernetes_docs/entrypoint.sh
@ -1,23 +0,0 @@
 #!/bin/bash
 echo '*** ZeroTier-Kubernetes self-auth test script'
 chown -R daemon /var/lib/zerotier-one
 chgrp -R daemon /var/lib/zerotier-one
 su daemon -s /bin/bash -c '/zerotier-one -d -U -p9993 >>/tmp/zerotier-one.out 2>&1'
 dev=""
 nwconf=$(ls *.conf)
 nwid="${nwconf%.*}"
 sleep 10
 dev=$(cat /var/lib/zerotier-one/identity.public| cut -d ':' -f 1)
 echo '*** Joining'
 ./zerotier-cli join "$nwid".conf
 # Fill out local service auth token
 AUTHTOKEN=$(cat /var/lib/zerotier-one/authtoken.secret)
 sed "s|\local_service_auth_token_replaced_automatically|${AUTHTOKEN}|" .zerotierCliSettings > /root/.zerotierCliSettings
 echo '*** Authorizing'
 ./zerotier-cli net-auth @my.zerotier.com "$nwid" "$dev"
 echo '*** Cleaning up' # Remove controller auth token
 rm -rf .zerotierCliSettings /root/.zerotierCliSettings
 node server.js
--- a/attic/kubernetes_docs/server.js
+++ b/attic/kubernetes_docs/server.js
@ -1,8 +0,0 @@
 var http = require('http');
 var handleRequest = function(request, response) {
  console.log('Received request for URL: ' + request.url);
  response.writeHead(200);
  response.end('Hello World!');
 };
 var www = http.createServer(handleRequest);
 www.listen(8080);
--- a/attic/lat_lon_to_xyz.js
+++ b/attic/lat_lon_to_xyz.js
@ -1,25 +0,0 @@
 'use strict'
 /* This is a utility to convert latitude/longitude into X,Y,Z coordinates as used by clustering. */
 if (process.argv.length !== 4) {
  console.log('Usage: node lat_lon_to_xyz.js <latitude> <longitude');
  process.exit(1);
 }
 var lat = parseFloat(process.argv[2])||0.0;
 var lon = parseFloat(process.argv[3])||0.0;
 var latRadians = lat * 0.01745329251994; // PI / 180
 var lonRadians = lon * 0.01745329251994; // PI / 180
 var cosLat = Math.cos(latRadians);
 console.log({
  lat: lat,
  lon: lon,
  x: Math.round((-6371.0) * cosLat * Math.cos(lonRadians)),
  y: Math.round(6371.0 * Math.sin(latRadians)),
  z: Math.round(6371.0 * cosLat * Math.sin(lonRadians))
 });
 process.exit(0);
--- a/One.xcodeproj/project.pbxproj
+++ b/One.xcodeproj/project.pbxproj
@ -65,6 +65,7 @@
 		93DAFB261D3F0BEE004D5417 /* about.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = about.html; sourceTree = "<group>"; };
 		93DAFE4A1CFE53CA00547CC4 /* AuthtokenCopy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AuthtokenCopy.m; sourceTree = "<group>"; };
 		93DAFE4C1CFE53DA00547CC4 /* AuthtokenCopy.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AuthtokenCopy.h; sourceTree = "<group>"; };
 		C13C72B12527E1B20094F8B4 /* ZeroTier One.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "ZeroTier One.entitlements"; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 /* Begin PBXFrameworksBuildPhase section */
@ -99,6 +100,7 @@
 		93326BDA1CE7C816005CA2AC /* ZeroTier One */ = {
 			isa = PBXGroup;
 			children = (
 				C13C72B12527E1B20094F8B4 /* ZeroTier One.entitlements */,
 				932D472E1D1CD499004BCFE2 /* ZeroTierIcon.icns */,
 				93326BDD1CE7C816005CA2AC /* Assets.xcassets */,
 				93326BDF1CE7C816005CA2AC /* MainMenu.xib */,
@ -175,6 +177,7 @@
 			developmentRegion = English;
 			hasScannedForEncodings = 0;
 			knownRegions = (
 				English,
 				en,
 				Base,
 			);
@ -330,7 +333,10 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = "ZeroTier One/ZeroTier One.entitlements";
 				CODE_SIGN_IDENTITY = "-";
 				COMBINE_HIDPI_IMAGES = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "ZeroTier One/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks";
 				MACOSX_DEPLOYMENT_TARGET = 10.10;
@ -345,7 +351,10 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = "ZeroTier One/ZeroTier One.entitlements";
 				CODE_SIGN_IDENTITY = "-";
 				COMBINE_HIDPI_IMAGES = YES;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = "ZeroTier One/Info.plist";
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks";
 				MACOSX_DEPLOYMENT_TARGET = 10.10;
--- a/One.xcodeproj/project.xcworkspace/contents.xcworkspacedata
+++ b/One.xcodeproj/project.xcworkspace/contents.xcworkspacedata
--- a/Show more
+++ b/Show more