authorIrbe Krumina <irbe@tailscale.com>2024-06-13 17:01:59 +0100
committerIrbe Krumina <irbe@tailscale.com>2024-06-13 17:02:02 +0100
commitb68b914a646348c64a7f3e8416b78ae2c0240e0e (patch)
tree089a8f246b42823ad92b07f5b98e13eff25ae3f7
parent52ddf0d0163276fc2f35ea06974594fac580a6b6 (diff)
wgengine/netstack: fix 4via6 subnet routesirbekrm/fixsubnets
Fix a bug where, for a subnet router that advertises a 4via6 route, all packets with a source IP matching the 4via6 address were being sent to the host itself. Instead, send to the host only those packets whose destination address is the host's local address. Fixes tailscale/tailscale#12448 Co-authored-by: Andrew Dunham <andrew@du.nham.ca> Signed-off-by: Irbe Krumina <irbe@tailscale.com>
-rw-r--r--wgengine/netstack/netstack.go15
1 files changed, 11 insertions, 4 deletions
diff --git a/wgengine/netstack/netstack.go b/wgengine/netstack/netstack.go
index fbbcce3a9..ef3a97f00 100644
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -831,10 +831,17 @@ func (ns *Impl) inject() {
// Only send to the host if this 4via6 route is
// something this node handles.
if ns.lb != nil && ns.lb.ShouldHandleViaIP(srcIP) {
- sendToHost = true
- if debugNetstack() {
- ns.logf("netstack: sending 4via6 packet to host: %v", srcIP)
- }
+ dstIP := netip.AddrFrom16(v.DestinationAddress().As16())
+ // Also, only forward to the host if
+ // the packet is destined for a local
+ // IP; otherwise, we'd send traffic
+ // that's intended for another peer
+ // from the local 4via6 address to the
+ // host instead of outbound to
+ // WireGuard. See:
+ // https://github.com/tailscale/tailscale/issues/12448
+ sendToHost = ns.isLocalIP(dstIP)
+ ns.logf("netstack: sending 4via6 packet to host: src=%v dst=%v", srcIP, dstIP)
}
}
default:
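Review bot: The `ns.logf` call added after `sendToHost = ns.isLocalIP(dstIP)` is no longer behind `debugNetstack()`, so it runs for every 4via6 packet this node handles. Its text still says "sending 4via6 packet to host" even when `isLocalIP` returned false and, per the new comment, the packet is meant to go outbound to WireGuard. On a busy subnet router that means a log line per packet carrying source and destination addresses, and a message that will mislead anyone reading the logs during triage. I would restore the guard and log the decision itself: `if debugNetstack() { ns.logf("netstack: 4via6 packet: src=%v dst=%v sendToHost=%v", srcIP, dstIP, sendToHost) }`. The body of `inject` starts and ends outside this hunk, so any later use of `sendToHost` is not visible here.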