ipn/ipnlocal: handle masquerade addresses in PeerAPI

Without this, the peer fails to do anything over the PeerAPI if it
has a masquerade address.

```
Apr 19 13:58:15 hydrogen tailscaled[6696]: peerapi: invalid request from <ip>:58334: 100.64.0.1/32 not found in self addresses
```

Updates #8020

Signed-off-by: Maisem Ali <maisem@tailscale.com>

ipn/ipnlocal/peerapi.go

@@ -605,6 +605,16 @@ func (h *peerAPIHandler) logf(format string, a ...any) {
 	h.ps.b.logf("peerapi: "+format, a...)
 }
 
+// isAddressValid reports whether addr is a valid destination address for this
+// node originating from the peer.
+func (h *peerAPIHandler) isAddressValid(addr netip.Addr) bool {
+	if h.peerNode.SelfNodeV4MasqAddrForThisPeer != nil {
+		return *h.peerNode.SelfNodeV4MasqAddrForThisPeer == addr
+	}
+	pfx := netip.PrefixFrom(addr, addr.BitLen())
+	return slices.Contains(h.selfNode.Addresses, pfx)
+}
+
 func (h *peerAPIHandler) validateHost(r *http.Request) error {
 	if r.Host == "peer" {
 		return nil
@@ -613,9 +623,8 @@ func (h *peerAPIHandler) validateHost(r *http.Request) error {
 	if err != nil {
 		return err
 	}
-	hostIPPfx := netip.PrefixFrom(ap.Addr(), ap.Addr().BitLen())
+	if !h.isAddressValid(ap.Addr()) {
-	if !slices.Contains(h.selfNode.Addresses, hostIPPfx) {
+		return fmt.Errorf("%v not found in self addresses", ap.Addr())
-		return fmt.Errorf("%v not found in self addresses", hostIPPfx)
 	}
 	return nil
 }

tstest/integration/integration_test.go

@@ -601,9 +601,17 @@ func TestNATPing(t *testing.T) {
 				t.Fatal(err)
 			}
 
+			if err := n1.Tailscale("ping", "-peerapi", tc.n1SeesN2IP.String()).Run(); err != nil {
+				t.Fatal(err)
+			}
+
 			if err := n2.Tailscale("ping", tc.n2SeesN1IP.String()).Run(); err != nil {
 				t.Fatal(err)
 			}
+
+			if err := n2.Tailscale("ping", "-peerapi", tc.n2SeesN1IP.String()).Run(); err != nil {
+				t.Fatal(err)
+			}
 		})
 	}
 }