all: fix spelling mistakes

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

chirp/chirp_test.go

@@ -106,10 +106,10 @@ func TestChirp(t *testing.T) {
 		t.Fatal(err)
 	}
 	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeded", "rando")
+		t.Fatalf("enabling %q succeeded", "rando")
 	}
 	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeded", "rando")
+		t.Fatalf("disabling %q succeeded", "rando")
 	}
 }
 

client/tailscale/acl.go

@@ -459,7 +459,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
+		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
 	}
 
 	// The test ran without fail

client/tailscale/localclient.go

@@ -674,14 +674,14 @@ func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate
 	return &cert, nil
 }
 
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 //
 // Deprecated: use LocalClient.ExpandSNIName.
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return defaultLocalClient.ExpandSNIName(ctx, name)
 }
 
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
 func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	st, err := lc.StatusWithoutPeers(ctx)
 	if err != nil {

client/tailscale/tailscale.go

@@ -115,7 +115,7 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 	return c.httpClient().Do(req)
 }
 
-// sendRequest add the authenication key to the request and sends it. It
+// sendRequest add the authentication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
 	if !I_Acknowledge_This_API_Is_Unstable {

cmd/derper/websocket.go

@@ -23,7 +23,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		up := strings.ToLower(r.Header.Get("Upgrade"))
 
 		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
+		// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
 		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
 		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
 			base.ServeHTTP(w, r)

cmd/tailscale/cli/bugreport.go

@@ -36,7 +36,7 @@ func runBugReport(ctx context.Context, args []string) error {
 	case 1:
 		note = args[0]
 	default:
-		return errors.New("unknown argumets")
+		return errors.New("unknown arguments")
 	}
 	logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
 		Note:     note,

cmd/tailscale/cli/cli_test.go

@@ -410,7 +410,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
 		},
 		{
-			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
+			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Issue 3480
 			flags:         []string{"--hostname=foo"},
 			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
@@ -448,7 +448,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		},
 		{
 			// Issue 3176: on Synology, don't require --accept-routes=false because user
-			// migth've had old an install, and we don't support --accept-routes anyway.
+			// might've had an old install, and we don't support --accept-routes anyway.
 			name:  "synology_permit_omit_accept_routes",
 			flags: []string{"--hostname=foo"},
 			curPrefs: &ipn.Prefs{

cmd/tailscale/cli/ssh_exec_windows.go

@@ -13,7 +13,7 @@ import (
 
 func findSSH() (string, error) {
 	// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
-	// occured with ssh.exe provided by msys2/cygwin and other environments.
+	// occurred with ssh.exe provided by msys2/cygwin and other environments.
 	if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
 		exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
 		if st, err := os.Stat(exe); err == nil && !st.IsDir() {

cmd/tailscaled/tailscaled.go

@@ -88,7 +88,7 @@ func defaultTunName() string {
 			// see https://github.com/tailscale/tailscale/issues/391
 			//
 			// But Gokrazy does have the tun module built-in, so users
-			// can stil run --tun=tailscale0 if they wish, if they
+			// can still run --tun=tailscale0 if they wish, if they
 			// arrange for iptables to be present or run in "tailscale
 			// up --netfilter-mode=off" mode, perhaps. Untested.
 			return "userspace-networking"
@@ -158,7 +158,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
+	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an ephemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")

cmd/tailscaled/tailscaled_windows.go

@@ -193,7 +193,7 @@ func beWindowsSubprocess() bool {
 	}
 	logid := os.Args[2]
 
-	// Remove the date/time prefix; the logtail + file logggers add it.
+	// Remove the date/time prefix; the logtail + file loggers add it.
 	log.SetFlags(0)
 
 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)

cmd/tsconnect/build.go

@@ -57,7 +57,7 @@ func runBuild() {
 
 // fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
 // relative to the dist directory (it normally uses paths relative to the cwd,
-// which are akward if we're running with a different cwd at serving time).
+// which are awkward if we're running with a different cwd at serving time).
 func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	var metadata EsbuildMetadata
 	if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {

cmd/tsconnect/src/pkg/pkg.ts

@@ -15,12 +15,12 @@ import wasmURL from "./main.wasm"
  * needed for the package to function.
  */
 type IPNPackageConfig = IPNConfig & {
-  // Auth key used to intitialize the Tailscale client (required)
+  // Auth key used to initialize the Tailscale client (required)
   authKey: string
   // URL of the main.wasm file that is included in the page, if it is not
   // accessible via a relative URL.
   wasmURL?: string
-  // Funtion invoked if the Go process panics or unexpectedly exits.
+  // Function invoked if the Go process panics or unexpectedly exits.
   panicHandler: (err: string) => void
 }
 

cmd/viewer/viewer.go

@@ -388,7 +388,7 @@ func main() {
 		log.Fatal(err)
 	}
 	if runCloner {
-		// When a new pacakge is added or when existing generated files have
+		// When a new package is added or when existing generated files have
 		// been deleted, we might run into a case where tailscale.com/cmd/cloner
 		// has not run yet. We detect this by verifying that all the structs we
 		// interacted with have had Clone method already generated. If they

control/controlclient/direct.go

@@ -776,7 +776,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		// with useful results. The first POST just gets us the DERP map which we
 		// need to do the STUN queries to discover our endpoints.
 		// TODO(bradfitz): we skip this optimization in tests, though,
-		// because the e2e tests are currently hyperspecific about the
+		// because the e2e tests are currently hyper-specific about the
 		// ordering of things. The e2e tests need love.
 		ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
 	}

control/controlclient/map.go

@@ -35,7 +35,7 @@ type mapSession struct {
 	machinePubKey          key.MachinePublic
 	keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit
 
-	// Fields storing state over the the coards of multiple MapResponses.
+	// Fields storing state over the course of multiple MapResponses.
 	lastNode               *tailcfg.Node
 	lastDNSConfig          *tailcfg.DNSConfig
 	lastDERPMap            *tailcfg.DERPMap

control/controlclient/map_test.go

@@ -466,7 +466,7 @@ func TestNetmapForResponse(t *testing.T) {
 	})
 }
 
-// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResposnes
+// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResponses
 // entirely or have their opt.Bool values unspecified between MapResponses in a
 // session and that should mean no change. (as of capver 37). But two Debug
 // fields existed prior to capver 37 that weren't opt.Bool; we test that we both

derp/derp_test.go

@@ -232,7 +232,7 @@ func TestSendFreeze(t *testing.T) {
 	//	alice --> bob
 	//	alice --> cathy
 	//
-	// Then cathy stops processing messsages.
+	// Then cathy stops processing messages.
 	// That should not interfere with alice talking to bob.
 
 	newClient := func(ctx context.Context, name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
@@ -772,7 +772,7 @@ func TestForwarderRegistration(t *testing.T) {
 	})
 
 	// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
-	// that they're also connected to a peer of ours. That sholdn't transition the forwarder
+	// that they're also connected to a peer of ours. That shouldn't transition the forwarder
 	// from nil to the new one, not a multiForwarder.
 	s.clients[u1] = singleClient{u1c}
 	s.clientsMesh[u1] = nil

derp/derphttp/derphttp_client.go

@@ -199,7 +199,7 @@ func (c *Client) urlString(node *tailcfg.DERPNode) string {
 	return fmt.Sprintf("https://%s/derp", node.HostName)
 }
 
-// AddressFamilySelector decides whethers IPv6 is preferred for
+// AddressFamilySelector decides whether IPv6 is preferred for
 // outbound dials.
 type AddressFamilySelector interface {
 	// PreferIPv6 reports whether IPv4 dials should be slightly

disco/disco.go

@@ -15,9 +15,9 @@
 // The recipient then decrypts the bytes following (the nacl secretbox)
 // and then the inner payload structure is:
 //
-//	messageType    byte  (the MessageType constants below)
-//	messageVersion byte  (0 for now; but always ignore bytes at the end)
-//	message-paylod [...]byte
+//	messageType     byte  (the MessageType constants below)
+//	messageVersion  byte  (0 for now; but always ignore bytes at the end)
+//	message-payload [...]byte
 package disco
 
 import (

ipn/backend.go

@@ -69,7 +69,7 @@ type Notify struct {
 	State         *State             // if non-nil, the new or current IPN state
 	Prefs         *Prefs             // if non-nil, the new or current preferences
 	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
-	Engine        *EngineStatus      // if non-nil, the new or urrent wireguard stats
+	Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
 	BrowseToURL   *string            // if non-nil, UI should open a browser right now
 	BackendLogID  *string            // if non-nil, the public logtail ID used by backend
 

ipn/ipnlocal/local.go

@@ -2173,7 +2173,7 @@ func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
 // ServePeerAPIConnection serves an already-accepted connection c.
 //
 // The remote parameter is the remote address.
-// The local paramater is the local address (either a Tailscale IPv4
+// The local parameter is the local address (either a Tailscale IPv4
 // or IPv6 IP and the peerapi port for that address).
 //
 // The connection will be closed by ServePeerAPIConnection.
@@ -3027,7 +3027,7 @@ func (b *LocalBackend) RequestEngineStatus() {
 // that have happened. It is invoked from the various callbacks that
 // feed events into LocalBackend.
 //
-// TODO(apenwarr): use a channel or something to prevent re-entrancy?
+// TODO(apenwarr): use a channel or something to prevent reentrancy?
 // Or maybe just call the state machine from fewer places.
 func (b *LocalBackend) stateMachine() {
 	b.enterState(b.nextState())
@@ -3087,7 +3087,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {
 
 func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }
 
-// ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
+// ShouldHandleViaIP reports whether ip is an IPv6 address in the
 // Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
 // by Tailscale.
 func (b *LocalBackend) ShouldHandleViaIP(ip netip.Addr) bool {
@@ -3605,7 +3605,7 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	return mc, nil
 }
 
-// DoNoiseRequest sends a request to URL over the the control plane
+// DoNoiseRequest sends a request to URL over the control plane
 // Noise connection.
 func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	b.mu.Lock()

ipn/ipnlocal/network-lock.go

@@ -44,10 +44,10 @@ type tkaState struct {
 //
 // There are 4 scenarios handled here:
 //   - Enablement: nm.TKAEnabled but b.tka == nil
-//     ∴ reach out to /machine/tka/boostrap to get the genesis AUM, then
+//     ∴ reach out to /machine/tka/bootstrap to get the genesis AUM, then
 //     initialize TKA.
 //   - Disablement: !nm.TKAEnabled but b.tka != nil
-//     ∴ reach out to /machine/tka/boostrap to read the disablement secret,
+//     ∴ reach out to /machine/tka/bootstrap to read the disablement secret,
 //     then verify and clear tka local state.
 //   - Sync needed: b.tka.Head != nm.TKAHead
 //     ∴ complete multi-step synchronization flow.

ipn/ipnlocal/peerapi.go

@@ -79,7 +79,7 @@ type peerAPIServer struct {
 }
 
 const (
-	// partialSuffix is the suffix appened to files while they're
+	// partialSuffix is the suffix appended to files while they're
 	// still in the process of being transferred.
 	partialSuffix = ".partial"
 
@@ -1184,7 +1184,7 @@ func newFakePeerAPIListener(ip netip.Addr) net.Listener {
 // even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
 // or we lack permission to listen on a port. It's okay to not actually listen via
 // the kernel because on almost all platforms (except iOS as of 2022-04-20) we
-// also intercept netstack TCP requests in to our peerapi port and hand it over
+// also intercept incoming netstack TCP requests to our peerapi port and hand them over
 // directly to peerapi, without involving the kernel. So this doesn't need to be
 // real. But the port number we return (1, in this case) is the port number we advertise
 // to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's

ipn/ipnlocal/peerapi_test.go

@@ -109,7 +109,7 @@ func TestHandlePeerAPI(t *testing.T) {
 	tests := []struct {
 		name       string
 		isSelf     bool // the peer sending the request is owned by us
-		capSharing bool // self node has file sharing capabilty
+		capSharing bool // self node has file sharing capability
 		omitRoot   bool // don't configure
 		req        *http.Request
 		checks     []check

ipn/ipnserver/server.go

@@ -57,7 +57,7 @@ import (
 
 // Options is the configuration of the Tailscale node agent.
 type Options struct {
-	// VarRoot is the the Tailscale daemon's private writable
+	// VarRoot is the Tailscale daemon's private writable
 	// directory (usually "/var/lib/tailscale" on Linux) that
 	// contains the "tailscaled.state" file, the "certs" directory
 	// for TLS certs, and the "files" directory for incoming

ipn/prefs_test.go

@@ -470,7 +470,7 @@ func TestLoadPrefsNotExist(t *testing.T) {
 	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
 }
 
-// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
+// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs handles corrupted input files.
 // See issue #954 for details.
 func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
 	f, err := os.CreateTemp("", "TestLoadPrefsFileWithZeroInIt")

logpolicy/logpolicy.go

@@ -609,7 +609,7 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 		}
 	}
 
-	log.SetFlags(0) // other logflags are set on console, not here
+	log.SetFlags(0) // other log flags are set on console, not here
 	log.SetOutput(logOutput)
 
 	log.Printf("Program starting: v%v, Go %v: %#v",

logtail/id.go

@@ -34,7 +34,7 @@ func NewPrivateID() (id PrivateID, err error) {
 func (id PrivateID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PrivateID.MarhsalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PrivateID.MarshalText: i=%d", i)
 	}
 	return b, nil
 }
@@ -122,7 +122,7 @@ func MustParsePublicID(s string) PublicID {
 func (id PublicID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PublicID.MarhsalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PublicID.MarshalText: i=%d", i)
 	}
 	return b, nil
 }

logtail/logtail.go

@@ -49,7 +49,7 @@ type Config struct {
 	HTTPC          *http.Client     // if empty defaults to http.DefaultClient
 	SkipClientTime bool             // if true, client_time is not written to logs
 	LowMemory      bool             // if true, logtail minimizes memory use
-	TimeNow        func() time.Time // if set, subsitutes uses of time.Now
+	TimeNow        func() time.Time // if set, substitutes uses of time.Now
 	Stderr         io.Writer        // if set, logs are sent here instead of os.Stderr
 	StderrLevel    int              // max verbosity level to write to stderr; 0 means the non-verbose messages only
 	Buffer         Buffer           // temp storage, if nil a MemoryBuffer
@@ -73,7 +73,7 @@ type Config struct {
 
 	// IncludeProcSequence, if true, results in an ephemeral sequence number
 	// being included in the logs. The sequence number is incremented for each
-	// log message sent, but is not peristed across process restarts.
+	// log message sent, but is not persisted across process restarts.
 	IncludeProcSequence bool
 }
 

net/dns/manager.go

@@ -381,7 +381,7 @@ func (m *Manager) NextPacket() ([]byte, error) {
 	return buf, nil
 }
 
-// Query executes a DNS query recieved from the given address. The query is
+// Query executes a DNS query received from the given address. The query is
 // provided in bs as a wire-encoded DNS query without any transport header.
 // This method is called for requests arriving over UDP and TCP.
 func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {

net/dns/manager_windows_test.go

@@ -274,7 +274,7 @@ func runTest(t *testing.T, isLocal bool) {
 	runCase := func(n int) {
 		t.Logf("Test case: %d domains\n", n)
 		if !isLocal {
-			// When !isLocal, we want to check that a GP notification occured for
+			// When !isLocal, we want to check that a GP notification occurred for
 			// every single test case.
 			trk, err = newGPNotificationTracker()
 			if err != nil {

net/dns/nm.go

@@ -302,7 +302,7 @@ func (m *nmManager) GetBaseConfig() (OSConfig, error) {
 	for _, cfg := range cfgs {
 		if name, ok := cfg["interface"]; ok {
 			if s, ok := name.Value().(string); ok && s == m.interfaceName {
-				// Config for the taislcale interface, skip.
+				// Config for the tailscale interface, skip.
 				continue
 			}
 		}

net/dns/nrpt_windows.go

@@ -58,7 +58,7 @@ var (
 
 const _RP_FORCE = 1 // Flag for RefreshPolicyEx
 
-// nrptRuleDatabase ensapsulates access to the Windows Name Resolution Policy
+// nrptRuleDatabase encapsulates access to the Windows Name Resolution Policy
 // Table (NRPT).
 type nrptRuleDatabase struct {
 	logf               logger.Logf

net/dns/resolver/forwarder.go

@@ -180,7 +180,7 @@ type resolverAndDelay struct {
 type forwarder struct {
 	logf    logger.Logf
 	linkMon *monitor.Mon
-	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absords it
+	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absorbs it
 	dialer  *tsdial.Dialer
 	dohSem  chan struct{}
 
@@ -502,7 +502,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		// Only known DoH providers are supported currently. Specifically, we
 		// only support DoH providers where we can TCP connect to them on port
 		// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
-		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custon DoH providers
+		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custom DoH providers
 		// aren't currently supported. There's no backup DNS resolution path for
 		// them.
 		urlBase := rr.name.Addr

net/dns/resolver/tsdns.go

@@ -609,7 +609,7 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netip.Addr,
 		metricDNSResolveLocalOKAll.Add(1)
 		return addrs[0], dns.RCodeSuccess
 
-	// Leave some some record types explicitly unimplemented.
+	// Leave some record types explicitly unimplemented.
 	// These types relate to recursive resolution or special
 	// DNS semantics and might be implemented in the future.
 	case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:

net/dnscache/messagecache.go

@@ -99,7 +99,7 @@ type msgResource struct {
 }
 
 // ErrCacheMiss is a sentinel error returned by MessageCache.ReplyFromCache
-// when the request can not be satisified from cache.
+// when the request can not be satisfied from cache.
 var ErrCacheMiss = errors.New("cache miss")
 
 var parserPool = &sync.Pool{
@@ -264,7 +264,7 @@ func asciiLowerName(n dnsmessage.Name) dnsmessage.Name {
 }
 
 // packDNSResponse builds a DNS response for the given question and
-// transaction ID. The response resource records will have have the
+// transaction ID. The response resource records will have the
 // same provided TTL.
 func packDNSResponse(q msgQ, txID uint16, ttl uint32, answers []msgResource) ([]byte, error) {
 	var baseMem []byte // TODO: guess a max size based on looping over answers?

net/interfaces/interfaces.go

@@ -441,13 +441,13 @@ func prefixesEqual(a, b []netip.Prefix) bool {
 
 // UseInterestingInterfaces is an InterfaceFilter that reports whether i is an interesting interface.
 // An interesting interface if it is (a) not owned by Tailscale and (b) routes interesting IP addresses.
-// See UseInterestingIPs for the defition of an interesting IP address.
+// See UseInterestingIPs for the definition of an interesting IP address.
 func UseInterestingInterfaces(i Interface, ips []netip.Prefix) bool {
 	return !isTailscaleInterface(i.Name, ips) && anyInterestingIP(ips)
 }
 
 // UseInterestingIPs is an IPFilter that reports whether ip is an interesting IP address.
-// An IP address is interesting if it is neither a lopback not a link local unicast IP address.
+// An IP address is interesting if it is neither a loopback nor a link local unicast IP address.
 func UseInterestingIPs(ip netip.Addr) bool {
 	return isInterestingIP(ip)
 }
@@ -455,7 +455,7 @@ func UseInterestingIPs(ip netip.Addr) bool {
 // UseAllInterfaces is an InterfaceFilter that includes all interfaces.
 func UseAllInterfaces(i Interface, ips []netip.Prefix) bool { return true }
 
-// UseAllIPs is an IPFilter that includes all all IPs.
+// UseAllIPs is an IPFilter that includes all IPs.
 func UseAllIPs(ips netip.Addr) bool { return true }
 
 func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }

net/netcheck/netcheck.go

@@ -161,7 +161,7 @@ type Client struct {
 
 	// GetSTUNConn4 optionally provides a func to return the
 	// connection to use for sending & receiving IPv4 packets. If
-	// nil, an emphemeral one is created as needed.
+	// nil, an ephemeral one is created as needed.
 	GetSTUNConn4 func() STUNConn
 
 	// GetSTUNConn6 is like GetSTUNConn4, but for IPv6.

net/nettest/listener.go

@@ -15,7 +15,7 @@ const (
 	bufferSize = 256 * 1024
 )
 
-// Listener is a net.Listener using using NewConn to create pairs of network
+// Listener is a net.Listener using NewConn to create pairs of network
 // connections connected in memory using a buffered pipe. It also provides a
 // Dial method to establish new connections.
 type Listener struct {

net/netutil/ip_forward.go

@@ -195,7 +195,7 @@ const (
 // given interface.
 // The iface param determines which interface to check against, "" means to check
 // global config.
-// It tries to lookup the value directly from `/proc/sys`, and fallsback to
+// It tries to lookup the value directly from `/proc/sys`, and falls back to
 // using `sysctl` on failure.
 func ipForwardingEnabledLinux(p protocol, iface string) (bool, error) {
 	k := ipForwardSysctlKey(slashFormat, p, iface)

net/packet/header.go

@@ -40,7 +40,7 @@ type Header interface {
 }
 
 // HeaderChecksummer is implemented by Header implementations that
-// need to do a checksum over their paylods.
+// need to do a checksum over their payloads.
 type HeaderChecksummer interface {
 	Header
 

net/ping/ping_test.go

@@ -202,7 +202,7 @@ func TestPingerMismatch(t *testing.T) {
 
 func mockPinger(t *testing.T, clock *tstest.Clock) (*Pinger, func()) {
 	// In tests, we use UDP so that we can test without being root; this
-	// doesn't matter becuase we mock out the ICMP reply below to be a real
+	// doesn't matter because we mock out the ICMP reply below to be a real
 	// ICMP echo reply packet.
 	conn, err := net.ListenPacket("udp4", "127.0.0.1:0")
 	if err != nil {

net/portmapper/igd_test.go

@@ -19,7 +19,7 @@ import (
 	"tailscale.com/types/logger"
 )
 
-// TestIGD is an IGD (Intenet Gateway Device) for testing. It supports fake
+// TestIGD is an IGD (Internet Gateway Device) for testing. It supports fake
 // implementations of NAT-PMP, PCP, and/or UPnP to test clients against.
 type TestIGD struct {
 	upnpConn net.PacketConn // for UPnP discovery

net/tsdial/tsdial.go

@@ -58,7 +58,7 @@ type Dialer struct {
 	linkMon           *monitor.Mon
 	linkMonUnregister func()
 	exitDNSDoHBase    string                 // non-empty if DoH-proxying exit node in use; base URL+path (without '?')
-	dnsCache          *dnscache.MessageCache // nil until first first non-empty SetExitDNSDoH
+	dnsCache          *dnscache.MessageCache // nil until first non-empty SetExitDNSDoH
 	nextSysConnID     int
 	activeSysConns    map[int]net.Conn // active connections not yet closed
 }
@@ -210,7 +210,7 @@ func (d *Dialer) userDialResolve(ctx context.Context, network, addr string) (net
 	exitDNSDoH := d.exitDNSDoHBase
 	d.mu.Unlock()
 
-	// MagicDNS or otherwise baked in to the NetworkMap? Try that first.
+	// MagicDNS or otherwise baked into the NetworkMap? Try that first.
 	ipp, err := dns.resolveMemory(ctx, network, addr)
 	if err != errUnresolved {
 		return ipp, err

net/tshttpproxy/tshttpproxy.go

@@ -89,7 +89,7 @@ func GetAuthHeader(u *url.URL) (string, error) {
 
 var condSetTransportGetProxyConnectHeader func(*http.Transport)
 
-// SetTarnsportGetProxyConnectHeader sets the provided Transport's
+// SetTransportGetProxyConnectHeader sets the provided Transport's
 // GetProxyConnectHeader field, if the current build of Go supports
 // it.
 //

net/tshttpproxy/tshttpproxy_synology_test.go

@@ -204,7 +204,7 @@ http_port=80
 
 	})
 
-	t.Run("non-existent config", func(t *testing.T) {
+	t.Run("nonexistent config", func(t *testing.T) {
 		openReader = nil
 		openErr = os.ErrNotExist
 

net/tstun/wrap.go

@@ -173,7 +173,7 @@ type Wrapper struct {
 // See the comment in the middle of Wrap.Read.
 type tunReadResult struct {
 	// Only one of err, packet or data should be set, and are read in that order
-	// of precendence.
+	// of precedence.
 	err    error
 	packet *stack.PacketBuffer
 	data   []byte

paths/paths.go

@@ -63,7 +63,7 @@ func DefaultTailscaledStateFile() string {
 	return ""
 }
 
-// MkStateDir ensures that dirPath, the daemon's configurtaion directory
+// MkStateDir ensures that dirPath, the daemon's configuration directory
 // containing machine keys etc, both exists and has the correct permissions.
 // We want it to only be accessible to the user the daemon is running under.
 func MkStateDir(dirPath string) error {

prober/prober.go

@@ -236,7 +236,7 @@ func (v varExporter) String() string {
 	return string(bs)
 }
 
-// WritePrometheus writes the the state of all probes to w.
+// WritePrometheus writes the state of all probes to w.
 //
 // For each probe, WritePrometheus exports 5 variables:
 //   - <prefix>_interval_secs, how frequently the probe runs.

ssh/tailssh/ctxreader.go

@@ -29,7 +29,7 @@ type contextReader struct {
 	// consumed.
 	buffered []byte
 	// readErr is a previous read error that was seen while filling buffered. It
-	// should be returned to the caller after bufffered is consumed.
+	// should be returned to the caller after buffered is consumed.
 	readErr error
 
 	mu sync.Mutex // guards ch only
@@ -40,7 +40,7 @@ type contextReader struct {
 	ch chan readResult
 }
 
-// HasOutstandingRead reports whether there's an oustanding Read call that's
+// HasOutstandingRead reports whether there's an outstanding Read call that's
 // either currently blocked in a Read or whose result hasn't been consumed.
 func (w *contextReader) HasOutstandingRead() bool {
 	w.mu.Lock()
@@ -97,14 +97,14 @@ func (w *contextReader) ReadContext(ctx context.Context, p []byte) (n int, err e
 	}
 }
 
-// contextReaderSesssion implements ssh.Session, wrapping another
+// contextReaderSession implements ssh.Session, wrapping another
 // ssh.Session but changing its Read method to use contextReader.
-type contextReaderSesssion struct {
+type contextReaderSession struct {
 	ssh.Session
 	cr *contextReader
 }
 
-func (a contextReaderSesssion) Read(p []byte) (n int, err error) {
+func (a contextReaderSession) Read(p []byte) (n int, err error) {
 	if a.cr.HasOutstandingRead() {
 		return a.cr.ReadContext(context.Background(), p)
 	}

ssh/tailssh/incubator.go

@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// This file contains the code for the incubator process.  Taiscaled
+// This file contains the code for the incubator process.  Tailscaled
 // launches the incubator as the same user as it was launched as.  The
 // incubator then registers a new session with the OS, sets its UID
 // and groups to the specified `--uid`, `--gid` and `--groups`, and
-// then lauches the requested `--cmd`.
+// then launches the requested `--cmd`.
 
 //go:build linux || (darwin && !ios)
 // +build linux darwin,!ios

ssh/tailssh/tailssh.go

@@ -181,7 +181,7 @@ func (c *conn) logf(format string, args ...any) {
 	c.srv.logf(format, args...)
 }
 
-// PublicKeyHandler implements ssh.PublicKeyHandler is called by the the
+// PublicKeyHandler implements ssh.PublicKeyHandler is called by the
 // ssh.Server when the client presents a public key.
 func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
 	c.mu.Lock()
@@ -205,7 +205,7 @@ func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
 var errPubKeyRequired = errors.New("ssh publickey required")
 
 // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by
-// the the ssh.Server when the client first connects with the "none"
+// the ssh.Server when the client first connects with the "none"
 // authentication method.
 func (c *conn) NoClientAuthCallback(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
 	if c.insecureSkipTailscaleAuth {
@@ -595,7 +595,7 @@ func (c *conn) handleSessionPostSSHAuth(s ssh.Session) {
 	if cr.HasOutstandingRead() {
 		// There was some buffered input while we were waiting for the policy
 		// decision.
-		s = contextReaderSesssion{s, cr}
+		s = contextReaderSession{s, cr}
 	}
 
 	// Do this check after auth, but before starting the session.
@@ -1326,7 +1326,7 @@ func (ss *sshSession) startNewRecording() (*recording, error) {
 		Timestamp: now.Unix(),
 		Env: map[string]string{
 			"TERM": term,
-			// TODO(bradiftz): anything else important?
+			// TODO(bradfitz): anything else important?
 			// including all seems noisey, but maybe we should
 			// for auditing. But first need to break
 			// launchProcess's startWithStdPipes and

tailcfg/tailcfg.go

@@ -117,7 +117,7 @@ func (u StableNodeID) IsZero() bool {
 // A user can have multiple logins associated with it (e.g. gmail and github oauth).
 // (Note: none of our UIs support this yet.)
 //
-// Some properties are inhereted from the logins and can be overridden, such as
+// Some properties are inherited from the logins and can be overridden, such as
 // display name and profile picture.
 //
 // Other properties must be the same for all logins associated with a user.
@@ -249,7 +249,7 @@ type Node struct {
 // the owner of the node. When forOwner is false, the hostname is
 // never included in the return value.
 //
-// Return value is either either "Name" or "Name (Hostname)", where
+// Return value is either "Name" or "Name (Hostname)", where
 // Name is the node's MagicDNS base name (for normal non-shared-in
 // nodes), FQDN (without trailing dot, for shared-in nodes), or
 // Hostname (if no MagicDNS). Hostname is only included in the
@@ -864,7 +864,7 @@ type RegisterResponse struct {
 	MachineAuthorized bool   // TODO(crawshaw): move to using MachineStatus
 	AuthURL           string // if set, authorization pending
 
-	// Error indiciates that authorization failed. If this is non-empty,
+	// Error indicates that authorization failed. If this is non-empty,
 	// other status fields should be ignored.
 	Error string
 }
@@ -992,7 +992,7 @@ type NetPortRange struct {
 
 // CapGrant grants capabilities in a FilterRule.
 type CapGrant struct {
-	// Dsts are the destination IP ranges that this capabilty
+	// Dsts are the destination IP ranges that this capability
 	// grant matches.
 	Dsts []netip.Prefix
 
@@ -1006,7 +1006,7 @@ type CapGrant struct {
 //
 // A rule is logically a set of source CIDRs to match (described by
 // SrcIPs and SrcBits), and a set of destination targets that are then
-// allowed if a source IP is mathces of those CIDRs.
+// allowed if a source IP is matches of those CIDRs.
 type FilterRule struct {
 	// SrcIPs are the source IPs/networks to match.
 	//
@@ -1124,7 +1124,7 @@ type DNSConfig struct {
 	// MagicDNS config.
 	ExtraRecords []DNSRecord `json:",omitempty"`
 
-	// ExitNodeFilteredSuffixes are the the DNS suffixes that the
+	// ExitNodeFilteredSuffixes are the DNS suffixes that the
 	// node, when being an exit node DNS proxy, should not answer.
 	//
 	// The entries do not contain trailing periods and are always
@@ -1828,7 +1828,7 @@ type SSHAction struct {
 //
 // The "OverTLS" prefix is to loudly declare that this exchange
 // doesn't happen over Noise and can be intercepted/MITM'ed by
-// enterprise/corp proxies where the orgnanization can put TLS roots
+// enterprise/corp proxies where the organization can put TLS roots
 // on devices.
 type OverTLSPublicKeyResponse struct {
 	// LegacyPublic specifies the control plane server's original

tailcfg/tka.go

@@ -98,7 +98,7 @@ type TKAInfo struct {
 	// This field exists to disambiguate a nil TKAInfo in a delta mapresponse
 	// from a nil TKAInfo indicating TKA should be disabled.
 	//
-	// TODO(tom): Implement /machine/tka/boostrap as a noise endpoint, to
+	// TODO(tom): Implement /machine/tka/bootstrap as a noise endpoint, to
 	// communicate the genesis AUM & any disablement secrets.
 	Disabled bool `json:",omitempty"`
 }

tka/aum.go

@@ -60,7 +60,7 @@ const (
 	//
 	// Only the Key optional field may be set.
 	AUMAddKey
-	// A RemoveKey AUM describes hte removal of a key trusted by TKA.
+	// A RemoveKey AUM describes the removal of a key trusted by TKA.
 	//
 	// Only the KeyID optional field may be set.
 	AUMRemoveKey

tka/scenario_test.go

@@ -67,7 +67,7 @@ func (s *scenarioTest) mkNodeWithForks(name string, signWithDefault bool, chains
 	for parentName, chain := range chains {
 		parent, exists := n.AUMs[parentName]
 		if !exists {
-			panic("cannot use non-existent parent: " + parentName)
+			panic("cannot use nonexistent parent: " + parentName)
 		}
 		parentHash := parent.Hash()
 		chain.Nodes[chain.FirstIdent].ParentHash = &parentHash
@@ -216,7 +216,7 @@ func TestScenarioHelpers(t *testing.T) {
 	s.checkHaveConsensus(control, n)
 }
 
-func TestNormalPropergation(t *testing.T) {
+func TestNormalPropagation(t *testing.T) {
 	s := testScenario(t, `
         G -> L1 -> L2
         G.template = genesis
@@ -242,7 +242,7 @@ func TestNormalPropergation(t *testing.T) {
 	s.checkHaveConsensus(n1, n2)
 }
 
-func TestForkingPropergation(t *testing.T) {
+func TestForkingPropagation(t *testing.T) {
 	pub, priv := testingKey25519(t, 2)
 	key := Key{Kind: Key25519, Public: pub, Votes: 2}
 
@@ -278,7 +278,7 @@ func TestForkingPropergation(t *testing.T) {
 	s.testSyncsBetween(control, n2)
 	s.checkHaveConsensus(control, n2)
 
-	// No wozzles propergating from n2->CTRL, what about CTRL->n1?
+	// No wozzles propagating from n2->CTRL, what about CTRL->n1?
 	s.testSyncsBetween(control, n1)
 	s.checkHaveConsensus(n1, n2)
 
@@ -290,7 +290,7 @@ func TestForkingPropergation(t *testing.T) {
 	}
 }
 
-func TestInvalidAUMPropergationRejected(t *testing.T) {
+func TestInvalidAUMPropagationRejected(t *testing.T) {
 	s := testScenario(t, `
         G -> L1 -> L2
         G.template = genesis
@@ -324,7 +324,7 @@ func TestInvalidAUMPropergationRejected(t *testing.T) {
 	}
 }
 
-func TestUnsignedAUMPropergationRejected(t *testing.T) {
+func TestUnsignedAUMPropagationRejected(t *testing.T) {
 	s := testScenario(t, `
         G -> L1 -> L2
         G.template = genesis
@@ -357,7 +357,7 @@ func TestUnsignedAUMPropergationRejected(t *testing.T) {
 	}
 }
 
-func TestBadSigAUMPropergationRejected(t *testing.T) {
+func TestBadSigAUMPropagationRejected(t *testing.T) {
 	s := testScenario(t, `
         G -> L1 -> L2
         G.template = genesis

tka/sig.go

@@ -33,7 +33,7 @@ const (
 	// SigRotation signature and sign it again with their rotation key. That
 	// way, SigRotation nesting should only be 2 deep in the common case.
 	SigRotation
-	// SigCredential describes a signature over a specifi public key, signed
+	// SigCredential describes a signature over a specific public key, signed
 	// by a key in the tailnet key authority referenced by the specified keyID.
 	// In effect, SigCredential delegates the ability to make a signature to
 	// a different public/private key pair.

tstest/clock.go

@@ -25,7 +25,7 @@ type Clock struct {
 	sync.Mutex
 }
 
-// Now returns the virtual clock's current time, and avances it
+// Now returns the virtual clock's current time, and advances it
 // according to its step configuration.
 func (c *Clock) Now() time.Time {
 	c.Lock()

tstest/integration/gen_deps.go

@@ -53,7 +53,7 @@ import (
 `)
 	for _, dep := range x.Imports {
 		if !strings.Contains(dep, ".") {
-			// Omit stanard library deps.
+			// Omit standard library deps.
 			continue
 		}
 		fmt.Fprintf(&out, "\t_ %q\n", dep)

tstest/integration/testcontrol/testcontrol.go

@@ -463,7 +463,7 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey key.
 		case <-doneCh:
 		}
 		// TODO(bradfitz): support a side test API to mark an
-		// auth as failued so we can send an error response in
+		// auth as failed so we can send an error response in
 		// some follow-ups? For now all are successes.
 	}
 

tstest/integration/vms/nixos_test.go

@@ -73,7 +73,7 @@ let
 
     # The path on disk to the "source code" of the package, in this case it is
     # the path to the binaries that are built. This needs to be the raw
-    # unquoted slash-separated path, not a string contaning the path because Nix
+    # unquoted slash-separated path, not a string containing the path because Nix
     # has a special path type.
     src = {{.BinPath}};
 

tstest/integration/vms/top_level_test.go

@@ -78,7 +78,7 @@ func TestMITMProxy(t *testing.T) {
 	// - The first thing we do is append the nsslcrtd_program stanza to the config.
 	//   This must be an absolute path and is based on the nix path of the squid derivation,
 	//   so we compute and write it out here.
-	// - Squid expects a pre-initalized directory layout, so we create that in /tmp/squid then
+	// - Squid expects a pre-initialized directory layout, so we create that in /tmp/squid then
 	//   invoke squid with -z to have it fill in the rest.
 	// - Doing a meddler-in-the-middle attack requires using some fake keys, so we create
 	//   them using openssl and then use the security_file_certgen tool to setup squids' ssl_db.

tstest/natlab/natlab.go

@@ -92,7 +92,7 @@ func mustPrefix(s string) netip.Prefix {
 func NewInternet() *Network {
 	return &Network{
 		Name: "internet",
-		// easily recognizable internett-y addresses
+		// easily recognizable internetty addresses
 		Prefix4: mustPrefix("1.0.0.0/24"),
 		Prefix6: mustPrefix("1111::/64"),
 	}
@@ -243,7 +243,7 @@ func (f *Interface) String() string {
 	if f.name != "" {
 		return f.name
 	}
-	return fmt.Sprintf("unamed-interface-on-network-%p", f.net)
+	return fmt.Sprintf("unnamed-interface-on-network-%p", f.net)
 }
 
 // Contains reports whether f contains ip as an IP.

tsweb/tsweb.go

@@ -412,7 +412,7 @@ func (l loggingResponseWriter) Flush() {
 //
 // It is the error type to be (optionally) used by Handler.ServeHTTPReturn.
 type HTTPError struct {
-	Code   int         // HTTP response code to send to client; 0 means means 500
+	Code   int         // HTTP response code to send to client; 0 means 500
 	Msg    string      // Response body to send to client
 	Err    error       // Detailed error to log on the server
 	Header http.Header // Optional set of HTTP headers to set in the response

types/key/disco.go

@@ -63,7 +63,7 @@ func (k DiscoPrivate) Public() DiscoPublic {
 	return ret
 }
 
-// Shared returns the DiscoShared for communication betweek k and p.
+// Shared returns the DiscoShared for communication between k and p.
 func (k DiscoPrivate) Shared(p DiscoPublic) DiscoShared {
 	if k.IsZero() || p.IsZero() {
 		panic("can't compute shared secret with zero keys")

types/logger/tokenbucket.go

@@ -21,7 +21,7 @@ import (
 // be enough to disqualify it on its own.
 //
 // Unlike rate.Limiter, this token bucket does not attempt to
-// do any locking of its own. Don't try to access it re-entrantly.
+// do any locking of its own. Don't try to access it reentrantly.
 // That's fine inside this types/logger package because we already have
 // locking at a higher level.
 type tokenBucket struct {

types/opt/bool.go

@@ -11,7 +11,7 @@ import (
 )
 
 // Bool represents an optional boolean to be JSON-encoded.  The string
-// is either "true", "false", or the enmpty string to mean unset.
+// is either "true", "false", or the empty string to mean unset.
 //
 // As a special case, the underlying string may also be the string
 // "unset" as as a synonym for the empty string. This lets the

util/clientmetric/clientmetric.go

@@ -197,7 +197,7 @@ func WritePrometheusExpositionFormat(w io.Writer) {
 const (
 	// metricLogNameFrequency is how often a metric's name=>id
 	// mapping is redundantly put in the logs. In other words,
-	// this is how how far in the logs you need to fetch from a
+	// this is how far in the logs you need to fetch from a
 	// given point in time to recompute the metrics at that point
 	// in time.
 	metricLogNameFrequency = 4 * time.Hour

util/deephash/deephash.go

@@ -434,7 +434,7 @@ func makeMapHasher(t reflect.Type) typeHasherFunc {
 		mh := mapHasherPool.Get().(*mapHasher)
 		defer mapHasherPool.Put(mh)
 
-		// Hash a map in a sort-free mannar.
+		// Hash a map in a sort-free manner.
 		// It relies on a map being a an unordered set of KV entries.
 		// So long as we hash each KV entry together, we can XOR all the
 		// individual hashes to produce a unique hash for the entire map.

util/deephash/deephash_test.go

@@ -552,7 +552,7 @@ func TestGetTypeHasher(t *testing.T) {
 			out:  "\x01\x00\x00\x00\x02\x00\x00\x00\x03\x04\x00\x00\x00",
 		},
 		{
-			name: "IntIntByteInt-canddr",
+			name: "IntIntByteInt-canaddr",
 			val:  &IntIntByteInt{1, 2, 3, 4},
 			out:  "\x01\x01\x00\x00\x00\x02\x00\x00\x00\x03\x04\x00\x00\x00",
 		},
@@ -604,9 +604,9 @@ func TestSliceCycle(t *testing.T) {
 	type S []S
 	c := qt.New(t)
 
-	a := make(S, 1) // cylic graph of 1 node
+	a := make(S, 1) // cyclic graph of 1 node
 	a[0] = a
-	b := make(S, 1) // cylic graph of 1 node
+	b := make(S, 1) // cyclic graph of 1 node
 	b[0] = b
 	ha := Hash(&a)
 	hb := Hash(&b)
@@ -642,9 +642,9 @@ func TestMapCycle(t *testing.T) {
 	type M map[string]M
 	c := qt.New(t)
 
-	a := make(M) // cylic graph of 1 node
+	a := make(M) // cyclic graph of 1 node
 	a["self"] = a
-	b := make(M) // cylic graph of 1 node
+	b := make(M) // cyclic graph of 1 node
 	b["self"] = b
 	ha := Hash(&a)
 	hb := Hash(&b)
@@ -897,7 +897,7 @@ func TestArrayAllocs(t *testing.T) {
 
 	// In theory, there should be no allocations. However, escape analysis on
 	// certain architectures fails to detect that certain cases do not escape.
-	// This discrepency currently affects sha256.digest.Sum.
+	// This discrepancy currently affects sha256.digest.Sum.
 	// Measure the number of allocations in sha256 to ensure that Hash does
 	// not allocate on top of its usage of sha256.
 	// See https://golang.org/issue/48055.

util/deephash/pointer.go

@@ -27,7 +27,7 @@ import (
 // rely on pointer.asValue to convert the pointer back to a reflect.Value.
 // Conversion of an unsafe.Pointer to reflect.Value guarantees that the
 // read-only flag in the reflect.Value is unpopulated, avoiding panics that may
-// othewise have occurred since the value was obtained from an unexported field.
+// otherwise have occurred since the value was obtained from an unexported field.
 type unsafePointer struct{ p unsafe.Pointer }
 
 func unsafePointerOf(v reflect.Value) unsafePointer {

util/dnsname/dnsname_test.go

@@ -104,7 +104,7 @@ func TestSanitizeLabel(t *testing.T) {
 		{"mixed", "Avery's iPhone 4(SE)", "averys-iphone-4se"},
 		{"dotted", "mon.ipn.dev", "mon-ipn-dev"},
 		{"email", "admin@example.com", "admin-example-com"},
-		{"boudary", ".bound.ary.", "bound-ary"},
+		{"boundary", ".bound.ary.", "bound-ary"},
 		{"bad_trailing", "a-", "a"},
 		{"bad_leading", "-a", "a"},
 		{"bad_both", "-a-", "a"},

util/mak/mak.go

@@ -52,7 +52,7 @@ func NonNil(ptr interface{}) {
 
 // NonNilSliceForJSON makes sure that *slicePtr is non-nil so it will
 // won't be omitted from JSON serialization and possibly confuse JavaScript
-// clients expecting it to be preesnt.
+// clients expecting it to be present.
 func NonNilSliceForJSON[T any, S ~[]T](slicePtr *S) {
 	if *slicePtr != nil {
 		return
@@ -62,7 +62,7 @@ func NonNilSliceForJSON[T any, S ~[]T](slicePtr *S) {
 
 // NonNilMapForJSON makes sure that *slicePtr is non-nil so it will
 // won't be omitted from JSON serialization and possibly confuse JavaScript
-// clients expecting it to be preesnt.
+// clients expecting it to be present.
 func NonNilMapForJSON[K comparable, V any, M ~map[K]V](mapPtr *M) {
 	if *mapPtr != nil {
 		return

wf/firewall.go

@@ -88,7 +88,7 @@ type Firewall struct {
 	permittedRoutes map[netip.Prefix][]*wf.Rule
 }
 
-// New returns a new Firewall for the provdied interface ID.
+// New returns a new Firewall for the provided interface ID.
 func New(luid uint64) (*Firewall, error) {
 	session, err := wf.New(&wf.Options{
 		Name:    "Tailscale firewall",

wgengine/filter/filter.go

@@ -305,7 +305,7 @@ func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
 	pkt.Decode(dummyPacket) // initialize private fields
 	switch {
 	case (srcIP.Is4() && dstIP.Is6()) || (srcIP.Is6() && srcIP.Is4()):
-		// Mistmatched address families, no filters will
+		// Mismatched address families, no filters will
 		// match.
 		return Drop
 	case srcIP.Is4():
@@ -523,7 +523,7 @@ func (f *Filter) runOut(q *packet.Parsed) (r Response, why string) {
 	return Accept, "ok out"
 }
 
-// direction is whether a packet was flowing in to this machine, or
+// direction is whether a packet was flowing into this machine, or
 // flowing out.
 type direction int
 

wgengine/filter/filter_test.go

@@ -166,7 +166,7 @@ func TestUDPState(t *testing.T) {
 	a4 := parsed(ipproto.UDP, "119.119.119.119", "102.102.102.102", 4242, 4343)
 	b4 := parsed(ipproto.UDP, "102.102.102.102", "119.119.119.119", 4343, 4242)
 
-	// Unsollicited UDP traffic gets dropped
+	// Unsolicited UDP traffic gets dropped
 	if got := acl.RunIn(&a4, flags); got != Drop {
 		t.Fatalf("incoming initial packet not dropped, got=%v: %v", got, a4)
 	}
@@ -182,7 +182,7 @@ func TestUDPState(t *testing.T) {
 	a6 := parsed(ipproto.UDP, "2001::2", "2001::1", 4242, 4343)
 	b6 := parsed(ipproto.UDP, "2001::1", "2001::2", 4343, 4242)
 
-	// Unsollicited UDP traffic gets dropped
+	// Unsolicited UDP traffic gets dropped
 	if got := acl.RunIn(&a6, flags); got != Drop {
 		t.Fatalf("incoming initial packet not dropped: %v", a4)
 	}

wgengine/magicsock/magicsock.go

@@ -2460,11 +2460,11 @@ func (c *Conn) maybeCloseDERPsOnRebind(okayLocalIPs []netip.Prefix) {
 	for regionID, ad := range c.activeDerp {
 		la, err := ad.c.LocalAddr()
 		if err != nil {
-			c.closeOrReconectDERPLocked(regionID, "rebind-no-localaddr")
+			c.closeOrReconnectDERPLocked(regionID, "rebind-no-localaddr")
 			continue
 		}
 		if !tsaddr.PrefixesContainsIP(okayLocalIPs, la.Addr()) {
-			c.closeOrReconectDERPLocked(regionID, "rebind-default-route-change")
+			c.closeOrReconnectDERPLocked(regionID, "rebind-default-route-change")
 			continue
 		}
 		regionID := regionID
@@ -2475,7 +2475,7 @@ func (c *Conn) maybeCloseDERPsOnRebind(okayLocalIPs []netip.Prefix) {
 			if err := dc.Ping(ctx); err != nil {
 				c.mu.Lock()
 				defer c.mu.Unlock()
-				c.closeOrReconectDERPLocked(regionID, "rebind-ping-fail")
+				c.closeOrReconnectDERPLocked(regionID, "rebind-ping-fail")
 				return
 			}
 			c.logf("post-rebind ping of DERP region %d okay", regionID)
@@ -2484,14 +2484,14 @@ func (c *Conn) maybeCloseDERPsOnRebind(okayLocalIPs []netip.Prefix) {
 	c.logActiveDerpLocked()
 }
 
-// closeOrReconectDERPLocked closes the DERP connection to the
+// closeOrReconnectDERPLocked closes the DERP connection to the
 // provided regionID and starts reconnecting it if it's our current
 // home DERP.
 //
 // why is a reason for logging.
 //
 // c.mu must be held.
-func (c *Conn) closeOrReconectDERPLocked(regionID int, why string) {
+func (c *Conn) closeOrReconnectDERPLocked(regionID int, why string) {
 	c.closeDerpLocked(regionID, why)
 	if !c.privateKey.IsZero() && c.myDerp == regionID {
 		c.startDerpHomeConnectLocked()
@@ -2788,7 +2788,7 @@ func (c *Conn) ReSTUN(why string) {
 	// reconfigures the engine with a zero private key.)
 	//
 	// This used to just check c.privateKey.IsZero, but that broke
-	// some end-to-end tests tests that didn't ever set a private
+	// some end-to-end tests that didn't ever set a private
 	// key somehow. So for now, only stop doing work if we ever
 	// had a key, which helps real users, but appeases tests for
 	// now. TODO: rewrite those tests to be less brittle or more
@@ -4022,7 +4022,7 @@ func (de *endpoint) handleCallMeMaybe(m *disco.CallMeMaybe) {
 			}))
 	}
 
-	// Delete any prior CalllMeMaybe endpoints that weren't included
+	// Delete any prior CallMeMaybe endpoints that weren't included
 	// in this message.
 	for ep, want := range de.isCallMeMaybeEP {
 		if !want {
@@ -4119,17 +4119,17 @@ type ippEndpointCache struct {
 type discoInfo struct {
 	// discoKey is the same as the Conn.discoInfo map key,
 	// just so you can pass around a *discoInfo alone.
-	// Not modifed once initiazed.
+	// Not modified once initialized.
 	discoKey key.DiscoPublic
 
 	// discoShort is discoKey.ShortString().
-	// Not modifed once initiazed;
+	// Not modified once initialized;
 	discoShort string
 
 	// sharedKey is the precomputed key for communication with the
 	// peer that has the DiscoKey used to look up this *discoInfo in
 	// Conn.discoInfo.
-	// Not modifed once initialized.
+	// Not modified once initialized.
 	sharedKey key.DiscoShared
 
 	// Mutable fields follow, owned by Conn.mu:

wgengine/router/ifconfig_windows.go

@@ -570,7 +570,7 @@ func unicastIPNets(ifc *winipcfg.IPAdapterAddresses) []netip.Prefix {
 //
 // Any IPv6 link-local addresses are not deleted out of caution as some
 // configurations may repeatedly re-add them. Link-local addresses are adjusted
-// to set SkipAsSource. SkipAsSource prevents the addresses from being addded to
+// to set SkipAsSource. SkipAsSource prevents the addresses from being added to
 // DNS locally or remotely and from being picked as a source address for
 // outgoing packets with unspecified sources. See #4647 and
 // https://web.archive.org/web/20200912120956/https://devblogs.microsoft.com/scripting/use-powershell-to-change-ip-behavior-with-skipassource/

wgengine/router/router_linux.go

@@ -214,7 +214,7 @@ func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, linkMon *monit
 	//
 	// As such, if we are running on openWRT, detect a mwan3 config, AND detect a rule
 	// with a preference 2001 (corresponding to the first interface wman3 manages), we
-	// shift the priority of our policies to 13xx. This effectively puts us betwen mwan3's
+	// shift the priority of our policies to 13xx. This effectively puts us between mwan3's
 	// permit-by-src-ip rules and mwan3 lookup of its own routing table which would drop
 	// the packet.
 	isMWAN3, err := checkOpenWRTUsingMWAN3()

wgengine/router/router_userspace_bsd.go

@@ -148,7 +148,7 @@ func (r *userspaceBSDRouter) Set(cfg *Config) (reterr error) {
 		}
 		newRoutes[route] = struct{}{}
 	}
-	// Delete any pre-existing routes.
+	// Delete any preexisting routes.
 	for route := range r.routes {
 		if _, keep := newRoutes[route]; !keep {
 			net := netipx.PrefixIPNet(route)

wgengine/router/router_windows.go

@@ -120,7 +120,7 @@ func cleanup(logf logger.Logf, interfaceName string) {
 // but it can be REALLY SLOW to change the Windows firewall for reasons not understood.
 // Like 4 minutes slow. But usually it's tens of milliseconds.
 // See https://github.com/tailscale/tailscale/issues/785.
-// So this tracks the desired state and runs the actual adjusting code asynchrounsly.
+// So this tracks the desired state and runs the actual adjusting code asynchronously.
 type firewallTweaker struct {
 	logf    logger.Logf
 	tunGUID windows.GUID

wgengine/userspace.go

@@ -549,7 +549,7 @@ var debugTrimWireguard = envknob.RegisterOptBool("TS_DEBUG_TRIM_WIREGUARD")
 // stable!) but I'm worried that a future regression would be easier to debug
 // with these knobs in place.
 func forceFullWireguardConfig(numPeers int) bool {
-	// Did the user explicitly enable trimmming via the environment variable knob?
+	// Did the user explicitly enable trimming via the environment variable knob?
 	if b, ok := debugTrimWireguard().Get(); ok {
 		return !b
 	}
@@ -562,7 +562,7 @@ func forceFullWireguardConfig(numPeers int) bool {
 // isTrimmablePeer reports whether p is a peer that we can trim out of the
 // network map.
 //
-// For implementation simplificy, we can only trim peers that have
+// For implementation simplicity, we can only trim peers that have
 // only non-subnet AllowedIPs (an IPv4 /32 or IPv6 /128), which is the
 // common case for most peers. Subnet router nodes will just always be
 // created in the wireguard-go config.
@@ -664,8 +664,8 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Node
 	activeCutoff := e.timeNow().Add(-lazyPeerIdleThreshold)
 
 	// Not all peers can be trimmed from the network map (see
-	// isTrimmablePeer).  For those are are trimmable, keep track of
-	// their NodeKey and Tailscale IPs.  These are the ones we'll need
+	// isTrimmablePeer). For those that are trimmable, keep track of
+	// their NodeKey and Tailscale IPs. These are the ones we'll need
 	// to install tracking hooks for to watch their send/receive
 	// activity.
 	trackNodes := make([]key.NodePublic, 0, len(full.Peers))