(r *tcp.ForwarderRequest)
| 1510 | ) |
| 1511 | |
| 1512 | func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) { |
| 1513 | reqDetails := r.ID() |
| 1514 | if debugNetstack() { |
| 1515 | ns.logf("[v2] TCP ForwarderRequest: %s", stringifyTEI(reqDetails)) |
| 1516 | } |
| 1517 | clientRemoteIP := netaddrIPFromNetstackIP(reqDetails.RemoteAddress) |
| 1518 | if !clientRemoteIP.IsValid() { |
| 1519 | ns.logf("invalid RemoteAddress in TCP ForwarderRequest: %s", stringifyTEI(reqDetails)) |
| 1520 | r.Complete(true) // sends a RST |
| 1521 | return |
| 1522 | } |
| 1523 | |
| 1524 | // After we've returned from this function or have otherwise reached a |
| 1525 | // non-pending state, decrement the per-client in-flight count and |
| 1526 | // remove this endpoint from our packet tracking map so future TCP |
| 1527 | // connections aren't dropped. |
| 1528 | inFlightCompleted := false |
| 1529 | tei := r.ID() |
| 1530 | defer func() { |
| 1531 | if !inFlightCompleted { |
| 1532 | ns.decrementInFlightTCPForward(tei, clientRemoteIP) |
| 1533 | } |
| 1534 | }() |
| 1535 | |
| 1536 | clientRemotePort := reqDetails.RemotePort |
| 1537 | clientRemoteAddrPort := netip.AddrPortFrom(clientRemoteIP, clientRemotePort) |
| 1538 | |
| 1539 | dialIP := netaddrIPFromNetstackIP(reqDetails.LocalAddress) |
| 1540 | isTailscaleIP := tsaddr.IsTailscaleIP(dialIP) |
| 1541 | isLocal := ns.isLocalIP(dialIP) // i.e. not a subnet routed or 4via6 target |
| 1542 | |
| 1543 | dstAddrPort := netip.AddrPortFrom(dialIP, reqDetails.LocalPort) |
| 1544 | |
| 1545 | if viaRange.Contains(dialIP) { |
| 1546 | isTailscaleIP = false |
| 1547 | dialIP = tsaddr.UnmapVia(dialIP) |
| 1548 | } |
| 1549 | |
| 1550 | defer func() { |
| 1551 | if !isTailscaleIP { |
| 1552 | // if this is a subnet IP, we added this in before the TCP handshake |
| 1553 | // so netstack is happy TCP-handshaking as a subnet IP |
| 1554 | ns.removeSubnetAddress(dialIP) |
| 1555 | } |
| 1556 | }() |
| 1557 | |
| 1558 | var wq waiter.Queue |
| 1559 | |
| 1560 | // We can't actually create the endpoint or complete the inbound |
| 1561 | // request until we're sure that the connection can be handled by this |
| 1562 | // endpoint. This function sets up the TCP connection and should be |
| 1563 | // called immediately before a connection is handled. |
| 1564 | getConnOrReset := func(opts ...tcpip.SettableSocketOption) *gonet.TCPConn { |
| 1565 | ep, err := r.CreateEndpoint(&wq) |
| 1566 | if err != nil { |
| 1567 | ns.logf("CreateEndpoint error for %s: %v", stringifyTEI(reqDetails), err) |
| 1568 | r.Complete(true) // sends a RST |
| 1569 | return nil |