RunIn determines whether this node is allowed to receive q from a Tailscale peer.
(q *packet.Parsed, rf RunFlags)
// RunIn determines whether this node is allowed to receive q from a
// Tailscale peer.
//
// The verdict is reached in stages:
//
//  1. f.pre runs first. If it returns Accept or Drop, that verdict is final
//     and is returned as-is.
//  2. Otherwise the packet is dispatched on q.IPVersion to runIn4 or runIn6.
//     Any other IP version is dropped with the reason "not-ip".
//  3. Only when the per-version filter returns noVerdict are the
//     f.IngressAllowHooks consulted, in slice order. The first hook that
//     matches accepts the packet.
//  4. If no hook matches, the packet is dropped (default deny).
//
// Because the hooks run only on noVerdict, a hook cannot turn an explicit
// Drop from runIn4/runIn6 into an Accept. Conversely, every hook registered
// in IngressAllowHooks widens what this node accepts from peers, so the hook
// list is part of the node's inbound policy and should be reviewed as such.
func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response {
	inbound := in

	verdict, _ := f.pre(q, rf, inbound)
	if verdict == Accept || verdict == Drop {
		// No logRateLimit call here: pre is expected to have logged
		// the decision already.
		return verdict
	}

	var reason string
	switch q.IPVersion {
	case 4:
		verdict, reason = f.runIn4(q)
	case 6:
		verdict, reason = f.runIn6(q)
	default:
		// Anything that is not IPv4 or IPv6 is never delivered.
		verdict, reason = Drop, "not-ip"
	}

	if verdict != noVerdict {
		f.logRateLimit(rf, q, inbound, verdict, reason)
		return verdict
	}

	// The per-version filter left the decision open; give each ingress
	// allow hook a chance. Hooks are called with *q, i.e. the Parsed value
	// rather than the pointer.
	for _, allow := range f.IngressAllowHooks {
		matched, hookReason := allow(*q)
		if matched {
			f.logRateLimit(rf, q, inbound, Accept, hookReason)
			return Accept
		}
	}

	// Default deny. The logged reason is the one the per-version filter
	// returned alongside noVerdict, not anything produced by the hooks.
	f.logRateLimit(rf, q, inbound, Drop, reason)
	return Drop
}
| 473 | |
| 474 | // RunOut determines whether this node is allowed to send q to a |
| 475 | // Tailscale peer. |