shouldProcessInbound reports whether an inbound packet (a packet from a WireGuard peer) should be handled by netstack.
(p *packet.Parsed, t *tstun.Wrapper)
| 1207 | // shouldProcessInbound reports whether an inbound packet (a packet from a |
| 1208 | // WireGuard peer) should be handled by netstack. |
| 1209 | func (ns *Impl) shouldProcessInbound(p *packet.Parsed, t *tstun.Wrapper) bool { |
| 1210 | // Handle incoming peerapi connections in netstack. |
| 1211 | dstIP := p.Dst.Addr() |
| 1212 | isLocal := ns.isLocalIP(dstIP) |
| 1213 | isService := ns.isVIPServiceIP(dstIP) |
| 1214 | |
| 1215 | // Handle TCP connection to the Tailscale IP(s) in some cases: |
| 1216 | if ns.lb != nil && p.IPProto == ipproto.TCP && isLocal { |
| 1217 | var peerAPIPort uint16 |
| 1218 | |
| 1219 | if p.TCPFlags&packet.TCPSynAck == packet.TCPSyn { |
| 1220 | if port, ok := ns.lb.GetPeerAPIPort(dstIP); ok { |
| 1221 | peerAPIPort = port |
| 1222 | ns.peerAPIPortAtomic(dstIP).Store(uint32(port)) |
| 1223 | } |
| 1224 | } else { |
| 1225 | peerAPIPort = uint16(ns.peerAPIPortAtomic(dstIP).Load()) |
| 1226 | } |
| 1227 | dport := p.Dst.Port() |
| 1228 | if dport == peerAPIPort { |
| 1229 | return true |
| 1230 | } |
| 1231 | // Also handle SSH connections, webserver, etc, if enabled: |
| 1232 | if ns.lb.ShouldInterceptTCPPort(dport) { |
| 1233 | return true |
| 1234 | } |
| 1235 | } |
| 1236 | if buildfeatures.HasServe && isService { |
| 1237 | if p.IsEchoRequest() { |
| 1238 | return true |
| 1239 | } |
| 1240 | if ns.lb != nil && p.IPProto == ipproto.TCP { |
| 1241 | // An assumption holds for this to work: when tun mode is on for a service, |
| 1242 | // its tcp and web are not set. This is enforced in b.setServeConfigLocked. |
| 1243 | if ns.lb.ShouldInterceptVIPServiceTCPPort(p.Dst) { |
| 1244 | return true |
| 1245 | } |
| 1246 | } |
| 1247 | // check if there's a registered UDP endpoint for this service VIP |
| 1248 | // This allows userspace UDP listeners (e.g., via tsnet.ListenPacket) to |
| 1249 | // receive traffic on service VIP addresses. |
| 1250 | if p.IPProto == ipproto.UDP { |
| 1251 | var netProto tcpip.NetworkProtocolNumber |
| 1252 | var id stack.TransportEndpointID |
| 1253 | if p.Dst.Addr().Is4() { |
| 1254 | netProto = ipv4.ProtocolNumber |
| 1255 | id = stack.TransportEndpointID{ |
| 1256 | LocalAddress: tcpip.AddrFrom4(p.Dst.Addr().As4()), |
| 1257 | LocalPort: p.Dst.Port(), |
| 1258 | RemoteAddress: tcpip.AddrFrom4(p.Src.Addr().As4()), |
| 1259 | RemotePort: p.Src.Port(), |
| 1260 | } |
| 1261 | } else { |
| 1262 | netProto = ipv6.ProtocolNumber |
| 1263 | id = stack.TransportEndpointID{ |
| 1264 | LocalAddress: tcpip.AddrFrom16(p.Dst.Addr().As16()), |
| 1265 | LocalPort: p.Dst.Port(), |
| 1266 | RemoteAddress: tcpip.AddrFrom16(p.Src.Addr().As16()), |