tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	2531065d10	clientupdate, ipn/localapi: don't use google/uuid, thin iOS deps We were using google/uuid in two places and that brought in database/sql/driver. We didn't need it in either place. Updates #13760 Updates tailscale/corp#20099 Change-Id: Ieed32f1bebe35d35f47ec5a2a429268f24f11f1f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 weeks ago
Irbe Krumina	89ee6bbdae	cmd/k8s-operator,k8s-operator/apis: set a readiness condition on egress Services for ProxyGroup (#13746 ) cmd/k8s-operator,k8s-operator/apis: set a readiness condition on egress Services Set a readiness condition on ExternalName Services that define a tailnet target to route cluster traffic to via a ProxyGroup's proxies. The condition is set to true if at least one proxy is currently set up to route. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 weeks ago
Irbe Krumina	f6d4d03355	cmd/k8s-operator: don't error out if ProxyClass for ProxyGroup not found. (#13736 ) We don't need to error out and continuously reconcile if ProxyClass has not (yet) been created, once it gets created the ProxyGroup reconciler will get triggered. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 weeks ago
Irbe Krumina	60011e73b8	cmd/k8s-operator: fix Pod IP selection (#13743 ) Ensure that .status.podIPs is used to select Pod's IP in all reconcilers. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 weeks ago
Nick Khyl	da40609abd	util/syspolicy, ipn: add "tailscale debug component-logs" support Fixes #13313 Fixes #12687 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 weeks ago
Tom Proctor	07c157ee9f	cmd/k8s-operator: base ProxyGroup StatefulSet on common proxy.yaml definition (#13714 ) As discussed in #13684, base the ProxyGroup's proxy definitions on the same scaffolding as the existing proxies, as defined in proxy.yaml Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 weeks ago
Irbe Krumina	861dc3631c	cmd/{k8s-operator,containerboot},kube/egressservices: fix Pod IP check for dual stack clusters (#13721 ) Currently egress Services for ProxyGroup only work for Pods and Services with IPv4 addresses. Ensure that it works on dual stack clusters by reading proxy Pod's IP from the .status.podIPs list that always contains both IPv4 and IPv6 address (if the Pod has them) rather than .status.podIP that could contain IPv6 only for a dual stack cluster. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 weeks ago
Tom Proctor	36cb2e4e5f	cmd/k8s-operator,k8s-operator: use default ProxyClass if set for ProxyGroup (#13720 ) The default ProxyClass can be set via helm chart or env var, and applies to all proxies that do not otherwise have an explicit ProxyClass set. This ensures proxies created by the new ProxyGroup CRD are consistent with the behaviour of existing proxies Nearby but unrelated changes: * Fix up double error logs (controller runtime logs returned errors) * Fix a couple of variable names Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 weeks ago
Tom Proctor	cba2e76568	cmd/containerboot: simplify k8s setup logic (#13627 ) Rearrange conditionals to reduce indentation and make it a bit easier to read the logic. Also makes some error message updates for better consistency with the recent decision around capitalising resource names and the upcoming addition of config secrets. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 weeks ago
Irbe Krumina	7f016baa87	cmd/k8s-operator,k8s-operator: create ConfigMap for egress services + small fixes for egress services (#13715 ) cmd/k8s-operator, k8s-operator: create ConfigMap for egress services + small reconciler fixes Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 weeks ago
Erisa A	c588c36233	types/key: use tlpub: in error message (#13707 ) Fixes tailscale/corp#19442 Signed-off-by: Erisa A <erisa@tailscale.com>	2 weeks ago
Tom Proctor	e48cddfbb3	cmd/{containerboot,k8s-operator},k8s-operator,kube: add ProxyGroup controller (#13684 ) Implements the controller for the new ProxyGroup CRD, designed for running proxies in a high availability configuration. Each proxy gets its own config and state Secret, and its own tailscale node ID. We are currently mounting all of the config secrets into the container, but will stop mounting them and instead read them directly from the kube API once #13578 is implemented. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	2 weeks ago
Erisa A	f30d85310c	cmd/tailscale/cli: don't print disablement secrets if init fails (#13673 ) * cmd/tailscale/cli: don't print disablement secrets if init fails Fixes tailscale/corp#11355 Signed-off-by: Erisa A <erisa@tailscale.com> * cmd/tailscale/cli: changes from code review Signed-off-by: Erisa A <erisa@tailscale.com> * cmd/tailscale/cli: small grammar change Signed-off-by: Erisa A <erisa@tailscale.com> --------- Signed-off-by: Erisa A <erisa@tailscale.com>	3 weeks ago
Irbe Krumina	e8bb5d1be5	cmd/{k8s-operator,containerboot},k8s-operator,kube: reconcile ExternalName Services for ProxyGroup (#13635 ) Adds a new reconciler that reconciles ExternalName Services that define a tailnet target that should be exposed to cluster workloads on a ProxyGroup's proxies. The reconciler ensures that for each such service, the config mounted to the proxies is updated with the tailnet target definition and that and EndpointSlice and ClusterIP Service are created for the service. Adds a new reconciler that ensures that as proxy Pods become ready to route traffic to a tailnet target, the EndpointSlice for the target is updated with the Pods' endpoints. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Irbe Krumina	9bd158cc09	cmd/containerboot,util/linuxfw: create a SNAT rule for dst/src only once, clean up if needed (#13658 ) The AddSNATRuleForDst rule was adding a new rule each time it was called including: - if a rule already existed - if a rule matching the destination, but with different desired source already existed This was causing issues especially for the in-progress egress HA proxies work, where the rules are now refreshed more frequently, so more redundant rules were being created. This change: - only creates the rule if it doesn't already exist - if a rule for the same dst, but different source is found, delete it - also ensures that egress proxies refresh firewall rules if the node's tailnet IP changes Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 weeks ago
Brad Fitzpatrick	d3f302d8e2	cmd/tailscale/cli: make 'tailscale debug ts2021' try twice In prep for a future port 80 MITM fix, make the 'debug ts2021' command retry once after a failure to give it a chance to pick a new strategy. Updates #13597 Change-Id: Icb7bad60cbf0dbec78097df4a00e9795757bc8e4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 weeks ago
Maisem Ali	fb0f8fc0ae	cmd/tsidp: add --dir flag To better control where the tsnet state is being stored. Updates #10263 Signed-off-by: Maisem Ali <maisem@tailscale.com>	4 weeks ago
Irbe Krumina	096b090caf	cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets (#13531 ) * cmd/containerboot,kube,util/linuxfw: configure kube egress proxies to route to 1+ tailnet targets This commit is first part of the work to allow running multiple replicas of the Kubernetes operator egress proxies per tailnet service + to allow exposing multiple tailnet services via each proxy replica. This expands the existing iptables/nftables-based proxy configuration mechanism. A proxy can now be configured to route to one or more tailnet targets via a (mounted) config file that, for each tailnet target, specifies: - the target's tailnet IP or FQDN - mappings of container ports to which cluster workloads will send traffic to tailnet target ports where the traffic should be forwarded. Example configfile contents: { "some-svc": {"tailnetTarget":{"fqdn":"foo.tailnetxyz.ts.net","ports"{"tcp:4006:80":{"protocol":"tcp","matchPort":4006,"targetPort":80},"tcp:4007:443":{"protocol":"tcp","matchPort":4007,"targetPort":443}}}} } A proxy that is configured with this config file will configure firewall rules to route cluster traffic to the tailnet targets. It will then watch the config file for updates as well as monitor relevant netmap updates and reconfigure firewall as needed. This adds a bunch of new iptables/nftables functionality to make it easier to dynamically update the firewall rules without needing to restart the proxy Pod as well as to make it easier to debug/understand the rules: - for iptables, each portmapping is a DNAT rule with a comment pointing at the 'service',i.e: -A PREROUTING ! -i tailscale0 -p tcp -m tcp --dport 4006 -m comment --comment "some-svc:tcp:4006 -> tcp:80" -j DNAT --to-destination 100.64.1.18:80 Additionally there is a SNAT rule for each tailnet target, to mask the source address. - for nftables, a separate prerouting chain is created for each tailnet target and all the portmapping rules are placed in that chain. This makes it easier to look up rules and delete services when no longer needed. (nftables allows hooking a custom chain to a prerouting hook, so no extra work is needed to ensure that the rules in the service chains are evaluated). The next steps will be to get the Kubernetes Operator to generate the configfile and ensure it is mounted to the relevant proxy nodes. Updates tailscale/tailscale#13406 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Irbe Krumina	c62b0732d2	cmd/k8s-operator: remove auth key once proxy has logged in (#13612 ) The operator creates a non-reusable auth key for each of the cluster proxies that it creates and puts in the tailscaled configfile mounted to the proxies. The proxies are always tagged, and their state is persisted in a Kubernetes Secret, so their node keys are expected to never be regenerated, so that they don't need to re-auth. Some tailnet configurations however have seen issues where the auth keys being left in the tailscaled configfile cause the proxies to end up in unauthorized state after a restart at a later point in time. Currently, we have not found a way to reproduce this issue, however this commit removes the auth key from the config once the proxy can be assumed to have logged in. If an existing, logged-in proxy is upgraded to this version, its redundant auth key will be removed from the conffile. If an existing, logged-in proxy is downgraded from this version to a previous version, it will work as before without re-issuing key as the previous code did not enforce that a key must be present. Updates tailscale/tailscale#13451 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Tom Proctor	cab2e6ea67	cmd/k8s-operator,k8s-operator: add ProxyGroup CRD (#13591 ) The ProxyGroup CRD specifies a set of N pods which will each be a tailnet device, and will have M different ingress or egress services mapped onto them. It is the mechanism for specifying how highly available proxies need to be. This commit only adds the definition, no controller loop, and so it is not currently functional. This commit also splits out TailnetDevice and RecorderTailnetDevice into separate structs because the URL field is specific to recorders, but we want a more generic struct for use in the ProxyGroup status field. Updates #13406 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	4 weeks ago
Kristoffer Dalby	0909431660	cmd/tailscale: use tsaddr helpers Updates #cleanup Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Cameron Stokes	65c26357b1	cmd/k8s-operator, k8s-operator: fix outdated kb links (#13585 ) updates #13583 Signed-off-by: Cameron Stokes <cameron@tailscale.com>	4 weeks ago
Kristoffer Dalby	0e0e53d3b3	util/usermetrics: make usermetrics non-global this commit changes usermetrics to be non-global, this is a building block for correct metrics if a go process runs multiple tsnets or in tests. Updates #13420 Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	4 weeks ago
Andrea Gottardo	8a6f48b455	cli: add `tailscale dns query` (#13368 ) Updates tailscale/tailscale#13326 Adds a CLI subcommand to perform DNS queries using the internal DNS forwarder and observe its internals (namely, which upstream resolvers are being used). Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	4 weeks ago
Tom Proctor	d0a56a8870	cmd/containerboot: split main.go (#13517 ) containerboot's main.go had grown to well over 1000 lines with lots of disparate bits of functionality. This commit is pure copy- paste to group related functionality outside of the main function into its own set of files. Everything is still in the main package to keep the diff incremental and reviewable. Updates #cleanup Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 month ago
Fran Bull	8b962f23d1	cmd/natc: fix nil pointer Fixes #13495 Signed-off-by: Fran Bull <fran@tailscale.com>	1 month ago
Tom Proctor	98f4dd9857	cmd/k8s-operator,k8s-operator,kube: Add TSRecorder CRD + controller (#13299 ) cmd/k8s-operator,k8s-operator,kube: Add TSRecorder CRD + controller Deploys tsrecorder images to the operator's cluster. S3 storage is configured via environment variables from a k8s Secret. Currently only supports a single tsrecorder replica, but I've tried to take early steps towards supporting multiple replicas by e.g. having a separate secret for auth and state storage. Example CR: ```yaml apiVersion: tailscale.com/v1alpha1 kind: Recorder metadata: name: rec spec: enableUI: true ``` Updates #13298 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>	1 month ago
Fran Bull	7d16af8d95	cmd/natc: fix nil pointer Fixes #13432 Signed-off-by: Fran Bull <fran@tailscale.com>	1 month ago
Jordan Whited	a228d77f86	cmd/stunstamp: add protocol context to timeout logs (#13422 ) We started out with a single protocol & port, now it's many. Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	1 month ago
Irbe Krumina	209567e7a0	kube,cmd/{k8s-operator,containerboot},envknob,ipn/store/kubestore,*/depaware.txt: rename packages (#13418 ) Rename kube/{types,client,api} -> kube/{kubetypes,kubeclient,kubeapi} so that we don't need to rename the package on each import to convey that it's kubernetes specific. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	d6dfb7f242	kube,cmd/{k8s-operator,containerboot},envknob,ipn/store/kubestore,*/depaware.txt: split out kube types (#13417 ) Further split kube package into kube/{client,api,types}. This is so that consumers who only need constants/static types don't have to import the client and api bits. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Irbe Krumina	ecd64f6ed9	cmd/k8s-operator,kube: set app name for Kubernetes Operator proxies (#13410 ) Updates tailscale/corp#22920 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Jordan Whited	95f0094310	cmd/stunstamp: cleanup timeout and interval constants (#13393 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Andrew Lytvynov	e7a6e7930f	cmd/systray: handle reconnects to IPN bus (#13386 ) When tailscaled restarts and our watch connection goes down, we get stuck in an infinite loop printing `ipnbus error: EOF` (which ended up consuming all the disk space on my laptop via the log file). Instead, handle errors in `watchIPNBus` and reconnect after a short delay. Updates #1708 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Brad Fitzpatrick	bcc47d91ca	cmd/tailscale/cli: use new Go 1.23 slices.Sorted And a grammatical nit. Updates #12912 Change-Id: I9feae53beb4d28dfe98b583373e2e0a43c801fc4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Andrea Gottardo	d060b3fa02	cli: implement `tailscale dns status` (#13353 ) Updates tailscale/tailscale#13326 This PR begins implementing a `tailscale dns` command group in the Tailscale CLI. It provides an initial implementation of `tailscale dns status` which dumps the state of the internal DNS forwarder. Two new endpoints were added in LocalAPI to support the CLI functionality: - `/netmap`: dumps a copy of the last received network map (because the CLI shouldn't have to listen to the ipn bus for a copy) - `/dns-osconfig`: dumps the OS DNS configuration (this will be very handy for the UI clients as well, as they currently do not display this information) My plan is to implement other subcommands mentioned in tailscale/tailscale#13326, such as `query`, in later PRs. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>	2 months ago
Jordan Whited	1fc4268aea	cmd/stunstamp: increase probe jitter (#13362 ) We've added more probe targets recently which has resulted in more timeouts behind restrictive NATs in localized testing that don't like how many flows we are creating at once. Not so much an issue for datacenter or cloud-hosted deployments. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	1dd1798bfa	cmd/stunstamp: use measureFn more consistently in naming/signatures (#13360 ) Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Jordan Whited	6d6b1773ea	cmd/stunstamp: implement ICMP{v6} probing (#13354 ) This adds both userspace and kernel timestamping. Updates tailscale/corp#22114 Signed-off-by: Jordan Whited <jordan@tailscale.com>	2 months ago
Brad Fitzpatrick	e865a0e2b0	cmd/tailscale/cli: add 'debug go-buildinfo' subcommand To dump runtime/debug.BuildInfo. Updates #1866 Change-Id: I8810390858a03b7649f9b22ef3ab910d423388da Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Irbe Krumina	8e1c00f841	cmd/k8s-operator,k8s-operator/sessionrecording: ensure recording header contains terminal size for terminal sessions (#12965 ) * cmd/k8s-operator,k8s-operator/sessonrecording: ensure CastHeader contains terminal size For tsrecorder to be able to play session recordings, the recording's CastHeader must have '.Width' and '.Height' fields set to non-zero. Kubectl (or whoever is the client that initiates the 'kubectl exec' session recording) sends the terminal dimensions in a resize message that the API server proxy can intercept, however that races with the first server message that we need to record. This PR ensures we wait for the terminal dimensions to be processed from the first resize message before any other data is sent, so that for all sessions with terminal attached, the header of the session recording contains the terminal dimensions and the recording can be played by tsrecorder. Updates tailscale/tailscale#19821 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2 months ago
Andrew Dunham	1c972bc7cb	wgengine/magicsock: actually use AF_PACKET socket for raw disco Previously, despite what the commit said, we were using a raw IP socket that was not an AF_PACKET socket, and thus was subject to the host firewall rules. Switch to using a real AF_PACKET socket to actually get the functionality we want. Updates #13140 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: If657daeeda9ab8d967e75a4f049c66e2bca54b78	2 months ago
Nick Khyl	961ee321e8	ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client. These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config) requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues. We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other platforms when switching between profiles that have different OperatorUser values in ipn.Prefs. We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device (e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation. The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device and against the current (and/or the target) profile. This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next PRs and removing the deprecated methods and the Permit* flags at the end of the transition. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Kristoffer Dalby	a2c42d3cd4	usermetric: add initial user-facing metrics This commit adds a new usermetric package and wires up metrics across the tailscale client. Updates tailscale/corp#22075 Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2 months ago
Kristoffer Dalby	06c31f4e91	tsweb/varz: remove pprof Updates tailscale/corp#22075 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2 months ago
Brad Fitzpatrick	2636a83d0e	cmd/tta: pull out test driver dialing into a type, fix bugs There were a few places it could get wedged (notably the dial without a timeout). And add a knob for verbose debug logs. And keep two idle connections always. Updates #13038 Change-Id: I952ad182d7111481d97a83c12aa2ff4bfdc55fe8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b78df4d48a	tstest/natlab/vnet: add start of IPv6 support Updates #13038 Change-Id: Ic3d095f167daf6c7129463e881b18f2e0d5693f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	475ab1fb67	cmd/vnet: omit log spam when backend status hasn't changed Updates #13038 Change-Id: I9cc67cf18ba44ff66ba03cda486d5e111e395ce7	2 months ago
Nick Khyl	03acab2639	cmd/cloner, cmd/viewer, util/codegen: add support for aliases of cloneable types We have several checked type assertions to types.Named in both cmd/cloner and cmd/viewer. As Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, these type assertions no longer work as expected unless the new behavior is disabled with gotypesalias=0. In this PR, we add codegen.NamedTypeOf(t types.Type), which functions like t.(types.Named) but also unrolls type aliases. We then use it in place of type assertions in the cmd/cloner and cmd/viewer packages where appropriate. We also update type switches to include types.Alias alongside types.Named in relevant cases, remove *types.Struct cases when switching on types.Type.Underlying and update the tests with more cases where type aliases can be used. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Nick Khyl	a9dc6e07ad	util/codegen, cmd/cloner, cmd/viewer: update codegen.LookupMethod to support alias type nodes Go 1.23 updates the go/types package to produce Alias type nodes for type aliases, unless disabled with gotypesalias=0. This new default behavior breaks codegen.LookupMethod, which uses checked type assertions to types.Named and types.Interface, as only named types and interfaces have methods. In this PR, we update codegen.LookupMethod to perform method lookup on the right-hand side of the alias declaration and clearly switch on the supported type nodes types. We also improve support for various edge cases, such as when an alias is used as a type parameter constraint, and add tests for the LookupMethod function. Additionally, we update cmd/viewer/tests to include types with aliases used in type fields and generic type constraints. Updates #13224 Updates #12912 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago

1 2 3 4 5 ...

1978 Commits (db1519cc9f2acc17f4345e7c1f037c87a4baa9d2)