
Method shouldProcessInbound

wgengine/netstack/netstack.go:1209–1326  ·  view source on GitHub ↗

shouldProcessInbound reports whether an inbound packet (a packet from a WireGuard peer) should be handled by netstack.

(p *packet.Parsed, t *tstun.Wrapper)

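Source from the content-addressed store, hash-verified. The listing below is truncated: it stops at line 1266, inside the UDP branch for service VIPs, while the method runs to line 1326, so the remaining return paths are not shown here.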

1207// shouldProcessInbound reports whether an inbound packet (a packet from a
1208// WireGuard peer) should be handled by netstack.
1209func (ns *Impl) shouldProcessInbound(p *packet.Parsed, t *tstun.Wrapper) bool {
1210 // Handle incoming peerapi connections in netstack.
1211 dstIP := p.Dst.Addr()
1212 isLocal := ns.isLocalIP(dstIP)
1213 isService := ns.isVIPServiceIP(dstIP)
1214
1215 // Handle TCP connection to the Tailscale IP(s) in some cases:
1216 if ns.lb != nil && p.IPProto == ipproto.TCP && isLocal {
1217 var peerAPIPort uint16
1218
1219 if p.TCPFlags&packet.TCPSynAck == packet.TCPSyn {
1220 if port, ok := ns.lb.GetPeerAPIPort(dstIP); ok {
1221 peerAPIPort = port
1222 ns.peerAPIPortAtomic(dstIP).Store(uint32(port))
1223 }
1224 } else {
1225 peerAPIPort = uint16(ns.peerAPIPortAtomic(dstIP).Load())
1226 }
1227 dport := p.Dst.Port()
1228 if dport == peerAPIPort {
1229 return true
1230 }
1231 // Also handle SSH connections, webserver, etc, if enabled:
1232 if ns.lb.ShouldInterceptTCPPort(dport) {
1233 return true
1234 }
1235 }
1236 if buildfeatures.HasServe && isService {
1237 if p.IsEchoRequest() {
1238 return true
1239 }
1240 if ns.lb != nil && p.IPProto == ipproto.TCP {
1241 // An assumption holds for this to work: when tun mode is on for a service,
1242 // its tcp and web are not set. This is enforced in b.setServeConfigLocked.
1243 if ns.lb.ShouldInterceptVIPServiceTCPPort(p.Dst) {
1244 return true
1245 }
1246 }
1247 // check if there's a registered UDP endpoint for this service VIP
1248 // This allows userspace UDP listeners (e.g., via tsnet.ListenPacket) to
1249 // receive traffic on service VIP addresses.
1250 if p.IPProto == ipproto.UDP {
1251 var netProto tcpip.NetworkProtocolNumber
1252 var id stack.TransportEndpointID
1253 if p.Dst.Addr().Is4() {
1254 netProto = ipv4.ProtocolNumber
1255 id = stack.TransportEndpointID{
1256 LocalAddress: tcpip.AddrFrom4(p.Dst.Addr().As4()),
1257 LocalPort: p.Dst.Port(),
1258 RemoteAddress: tcpip.AddrFrom4(p.Src.Addr().As4()),
1259 RemotePort: p.Src.Port(),
1260 }
1261 } else {
1262 netProto = ipv6.ProtocolNumber
1263 id = stack.TransportEndpointID{
1264 LocalAddress: tcpip.AddrFrom16(p.Dst.Addr().As16()),
1265 LocalPort: p.Dst.Port(),
1266 RemoteAddress: tcpip.AddrFrom16(p.Src.Addr().As16()),

Callers 2

injectInboundMethod · 0.95
TestShouldProcessInboundFunction · 0.80

Calls 14

isLocalIPMethod · 0.95
isVIPServiceIPMethod · 0.95
peerAPIPortAtomicMethod · 0.95
GetPeerAPIPortMethod · 0.80
IsEchoRequestMethod · 0.80
ShouldHandleViaIPMethod · 0.80
StoreMethod · 0.65
LoadMethod · 0.65
AddrMethod · 0.45
PortMethod · 0.45

Tested by 1

TestShouldProcessInboundFunction · 0.64