net/tstun,wgengine: split PreFilterOut into multiple hooks

A subsequent commit implements handling of magicDNS traffic via netstack. Implementing this requires a hook for traffic originating from the host and hitting the tun, so we make another hook to support this. Signed-off-by: Tom DNetto <tom@tailscale.com>
2 years ago · dc71d3559f
parent 9dee6adfab
commit dc71d3559f
2 changed files with 21 additions and 7 deletions
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@ -135,9 +135,16 @@ type Wrapper struct {
 	PreFilterIn FilterFunc
 	// PostFilterIn is the inbound filter function that runs after the main filter.
 	PostFilterIn FilterFunc
-	// PreFilterOut is the outbound filter function that runs before the main filter
-	// and therefore sees the packets that may be later dropped by it.
-	PreFilterOut FilterFunc
+	// PreFilterFromTunToNetstack is a filter function that runs before the main filter
+	// for packets from the local system. This filter is populated by netstack to hook
+	// packets that should be handled by netstack. If set, this filter runs before
+	// PreFilterFromTunToEngine.
+	PreFilterFromTunToNetstack FilterFunc
+	// PreFilterFromTunToEngine is a filter function that runs before the main filter
+	// for packets from the local system. This filter is populated by wgengine to hook
+	// packets which it handles internally. If both this and PreFilterFromTunToNetstack
+	// filter functions are non-nil, this filter runs second.
+	PreFilterFromTunToEngine FilterFunc
 	// PostFilterOut is the outbound filter function that runs after the main filter.
 	PostFilterOut FilterFunc

@ -451,9 +458,16 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
 		return filter.DropSilently
 	}

-	if t.PreFilterOut != nil {
-		if res := t.PreFilterOut(p, t); res.IsDrop() {
-			// Handled by userspaceEngine.handleLocalPackets (quad-100 DNS primarily).
+	if t.PreFilterFromTunToNetstack != nil {
+		if res := t.PreFilterFromTunToNetstack(p, t); res.IsDrop() {
+			// Handled by netstack.Impl.handleLocalPackets (quad-100 DNS primarily)
+			return res
+		}
+	}
+	if t.PreFilterFromTunToEngine != nil {
+		if res := t.PreFilterFromTunToEngine(p, t); res.IsDrop() {
+			// Handled by userspaceEngine.handleLocalPackets (primarily handles
+			// quad-100 if netstack is not installed).
 			return res
 		}
 	}
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@ -362,7 +362,7 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)
 	if conf.RespondToPing {
 		e.tundev.PostFilterIn = echoRespondToAll
 	}
-	e.tundev.PreFilterOut = e.handleLocalPackets
+	e.tundev.PreFilterFromTunToEngine = e.handleLocalPackets

 	if envknob.BoolDefaultTrue("TS_DEBUG_CONNECT_FAILURES") {
 		if e.tundev.PreFilterIn != nil {