injectInbound is installed as a packet hook on the 'inbound' (from a WireGuard peer) path. Returning filter.Accept releases the packet to continue normally (typically being delivered to the host networking stack), whereas returning filter.DropSilently is done when netstack intercepts the packet and
(p *packet.Parsed, t *tstun.Wrapper, gro *gro.GRO)
| 1398 | // packet and no further processing towards the host should be done. |
| 1399 | // Caution: can be called before Start |
func (ns *Impl) injectInbound(p *packet.Parsed, t *tstun.Wrapper, gro *gro.GRO) (filter.Response, *gro.GRO) {
	// The hook may run before Start, so nothing is handed to netstack until
	// it is flagged ready; peer packets arriving earlier are dropped quietly.
	if !ns.ready.Load() {
		return filter.DropSilently, gro
	}
	// Same outcome once the netstack context has been cancelled.
	if ns.ctx.Err() != nil {
		return filter.DropSilently, gro
	}

	// Packets netstack does not claim are released with Accept, leaving them
	// to the host network stack (if there is one).
	if claimed := ns.shouldProcessInbound(p, t); !claimed {
		return filter.Accept, gro
	}

	dst := p.Dst.Addr()

	// An echo request aimed at an address shouldHandlePing selects is answered
	// from here rather than being forwarded on.
	target, answerLocally := ns.shouldHandlePing(p)
	if answerLocally {
		// reply is the echo response sent back if the relayed ping succeeds.
		// It stays nil when dst is neither IPv4 nor IPv6.
		var reply []byte
		switch {
		case dst.Is4():
			hdr := p.ICMP4Header()
			hdr.ToResponse()
			reply = packet.Generate(&hdr, p.Payload())
		case dst.Is6():
			hdr := p.ICMP6Header()
			hdr.ToResponse()
			reply = packet.Generate(&hdr, p.Payload())
		}
		// NOTE(review): every intercepted echo request from a peer starts its
		// own goroutine here; whether anything bounds how many run at once is
		// not visible in this function - confirm in userPing/shouldHandlePing.
		go ns.userPing(target, reply, userPingDirectionOutbound)
		return filter.DropSilently, gro
	}

	if debugPackets {
		// The format string hex-dumps p.Buffer(), so with debugPackets enabled
		// the log receives packet bytes sent by the peer, not just addresses.
		ns.logf("[v2] packet in (from %v): % x", p.Src, p.Buffer())
	}
	gro = ns.linkEP.gro(p, gro)

	// The packet now belongs to netstack. Accept could also hand it to the
	// host OS and Drop would log it as rejected traffic, so DropSilently is
	// returned to make the tstun TUN wrapper stop processing it without noise.
	return filter.DropSilently, gro
}
| 1443 | |
| 1444 | // shouldHandlePing returns whether or not netstack should handle an incoming |
| 1445 | // ICMP echo request packet, and the IP address that should be pinged from this |