From 88f2d234a4da1abdb31d720beae88c832a624cef Mon Sep 17 00:00:00 2001
From: Irbe Krumina
Date: Thu, 13 Jun 2024 17:31:45 +0100
Subject: [PATCH] wgengine/netstack: fix 4via6 subnet routes (#12454)

Fix a bug where, for a subnet router that advertizes 4via6 route, all packets with a source IP matching the 4via6 address were being sent to the host itself. Instead, only send to host packets whose destination address is host's local address.

Fixes tailscale/tailscale#12448

Signed-off-by: Irbe Krumina
Co-authored-by: Andrew Dunham
---
 wgengine/netstack/netstack.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/wgengine/netstack/netstack.go b/wgengine/netstack/netstack.go
index fbbcce3a9..a385b9593 100644
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -831,9 +831,18 @@ func (ns *Impl) inject() {
 // Only send to the host if this 4via6 route is
 // something this node handles.
 if ns.lb != nil && ns.lb.ShouldHandleViaIP(srcIP) {
- sendToHost = true
+ dstIP := netip.AddrFrom16(v.DestinationAddress().As16())
+ // Also, only forward to the host if
+ // the packet is destined for a local
+ // IP; otherwise, we'd send traffic
+ // that's intended for another peer
+ // from the local 4via6 address to the
+ // host instead of outbound to
+ // WireGuard. See:
+ // https://github.com/tailscale/tailscale/issues/12448
+ sendToHost = ns.isLocalIP(dstIP)
 if debugNetstack() {
- ns.logf("netstack: sending 4via6 packet to host: %v", srcIP)
+ ns.logf("netstack: sending 4via6 packet to host: src=%v dst=%v", srcIP, dstIP)
 }
 }
 }
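Review bot: The debug trace on the new `ns.logf` line still says "sending 4via6 packet to host" even when the line just above it, `sendToHost = ns.isLocalIP(dstIP)`, has evaluated to false, so on the non-local path the log claims the opposite of what the forwarding decision does, which makes the very case this fix targets hard to diagnose from logs. Record the decision in the message, e.g. `ns.logf("netstack: 4via6 packet src=%v dst=%v sendToHost=%v", srcIP, dstIP, sendToHost)`, or guard the log with `if sendToHost` if only the host-bound case is meant to be traced. A one-line comment above `dstIP :=` noting that `v` is presumed to be the IPv6 header from which srcIP was taken would also help, since that parse is not in the hunk. The enclosing inject() method starts and ends outside the hunk.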