wgengine/netstack: deliver self-addressed packets via loopback - tailscale - The easiest, most secure way to use WireGuard and 2FA

diff options

author	James Tucker <james@tailscale.com>	2026-02-27 13:49:05 -0800
committer	James Tucker <jftucker@gmail.com>	2026-02-27 14:30:41 -0800
commit	0fb207c3d045b888523914dce0b6c9e9a1abdd69 (patch)
tree	d6787a3f30b1ab140581c3a5460561ef81021407 /control/controlhttp/controlhttpserver/controlhttpserver.go
parent	30e12310f19fa85a9e35fe5800b067d7b033bd33 (diff)
download	tailscale-0fb207c3d045b888523914dce0b6c9e9a1abdd69.tar.xz tailscale-0fb207c3d045b888523914dce0b6c9e9a1abdd69.zip

wgengine/netstack: deliver self-addressed packets via loopback

When a tsnet.Server dials its own Tailscale IP, TCP SYN packets are silently dropped. In inject(), outbound packets with dst=self fail the shouldSendToHost check and fall through to WireGuard, which has no peer for the node's own address. Fix this by detecting self-addressed packets in inject() using isLocalIP and delivering them back into gVisor's network stack as inbound packets via a new DeliverLoopback method on linkEndpoint. The outbound packet must be re-serialized into a new PacketBuffer because outbound packets have their headers parsed into separate views, but DeliverNetworkPacket expects raw unparsed data. Updates #18829 Signed-off-by: James Tucker <james@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: