hub / github.com/tailscale/tailscale / injectInbound

Method injectInbound

wgengine/netstack/netstack.go:1400–1442

injectInbound is installed as a packet hook on the 'inbound' (from a WireGuard peer) path. Returning filter.Accept releases the packet to continue normally (typically being delivered to the host networking stack), whereas returning filter.DropSilently is done when netstack intercepts the packet and

(p *packet.Parsed, t *tstun.Wrapper, gro *gro.GRO)

Source from the content-addressed store, hash-verified

// packet and no further processing towards the host should be done.
// Caution: can be called before Start
func (ns *Impl) injectInbound(p *packet.Parsed, t *tstun.Wrapper, gro *gro.GRO) (filter.Response, *gro.GRO) {
	if !ns.ready.Load() || ns.ctx.Err() != nil {
		return filter.DropSilently, gro
	}

	if !ns.shouldProcessInbound(p, t) {
		// Let the host network stack (if any) deal with it.
		return filter.Accept, gro
	}

	destIP := p.Dst.Addr()

	// If this is an echo request and we're a subnet router, handle pings
	// ourselves instead of forwarding the packet on.
	pingIP, handlePing := ns.shouldHandlePing(p)
	if handlePing {
		var pong []byte // the reply to the ping, if our relayed ping works
		if destIP.Is4() {
			h := p.ICMP4Header()
			h.ToResponse()
			pong = packet.Generate(&h, p.Payload())
		} else if destIP.Is6() {
			h := p.ICMP6Header()
			h.ToResponse()
			pong = packet.Generate(&h, p.Payload())
		}
		go ns.userPing(pingIP, pong, userPingDirectionOutbound)
		return filter.DropSilently, gro
	}

	if debugPackets {
		ns.logf("[v2] packet in (from %v): % x", p.Src, p.Buffer())
	}
	gro = ns.linkEP.gro(p, gro)

	// We've now delivered this to netstack, so we're done.
	// Instead of returning a filter.Accept here (which would also
	// potentially deliver it to the host OS), and instead of
	// filter.Drop (which would log about rejected traffic),
	// instead return filter.DropSilently which just quietly stops
	// processing it in the tstun TUN wrapper.
	return filter.DropSilently, gro
}

// shouldHandlePing returns whether or not netstack should handle an incoming
// ICMP echo request packet, and the IP address that should be pinged from this

Callers 3

TestInjectInboundLeak · Function · 0.45
TestTCPForwardLimits · Function · 0.45

Calls 14

shouldProcessInbound · Method · 0.95
shouldHandlePing · Method · 0.95
userPing · Method · 0.95
Generate · Function · 0.92
ICMP4Header · Method · 0.80
ICMP6Header · Method · 0.80
Buffer · Method · 0.80
gro · Method · 0.80
Load · Method · 0.65
ToResponse · Method · 0.65
Err · Method · 0.45
Addr · Method · 0.45

Tested by 3

TestInjectInboundLeak · Function · 0.36
TestTCPForwardLimits · Function · 0.36