| field | value | date |
|---|---|---|
| author | Michael Ben-Ami <mzb@tailscale.com> | 2026-02-20 17:36:40 +0000 |
| committer | mzbenami <mike.benami@gmail.com> | 2026-02-24 10:54:56 -0500 |
| commit | 811fe7d18ed832a1b48880ab8d893c7909a900e1 (patch) | |
| tree | ab6eb21969972ccc0111623765a095abcaa352cc /control/controlhttp/controlhttpserver/controlhttpserver.go | |
| parent | dc80fd6324eb1e2e183408451761ff38a5eeafd2 (diff) | |
| download | tailscale-811fe7d18ed832a1b48880ab8d893c7909a900e1.tar.xz tailscale-811fe7d18ed832a1b48880ab8d893c7909a900e1.zip | |
ipnext,ipnlocal,wgengine/filter: add extension hooks for custom filter matchers
Add PacketMatch hooks to the packet filter, allowing extensions to
customize filtering decisions:
- IngressAllowHooks: checked in RunIn after pre() but before the
  standard runIn4/runIn6 match rules. Hooks can accept packets to
  destinations outside the local IP set. First match wins; the
  returned why string is used for logging.
- LinkLocalAllowHooks: checked inside pre() for both ingress and
  egress, providing exceptions to the default policy of dropping
  link-local unicast packets. First match wins. The GCP DNS address
  (169.254.169.254) is always allowed regardless of hooks.
PacketMatch returns (match bool, why string) to provide a log reason
consistent with the existing filter functions.
Hooks are registered via the new FilterHooks struct in ipnext.Hooks
and wired through to filter.Filter in LocalBackend.updateFilterLocked.
Fixes tailscale/corp#35989
Fixes tailscale/corp#37207
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>
Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions
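As an added illustration of the first-match-wins hook semantics described in the commit message above (example code written here, not tailscale's own): `Packet`, `linkLocalVerdict` and `ingressVerdict` are constructed stand-ins for the real `packet.Parsed`, `pre()` and `RunIn`, and the standard per-rule matching that follows the local-IP check is omitted.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is a constructed stand-in for the parsed packet the filter inspects
// (hypothetical; not tailscale's packet.Parsed).
type Packet struct {
	Src, Dst netip.Addr
}

// PacketMatch has the (match bool, why string) shape named in the commit message.
type PacketMatch func(p Packet) (match bool, why string)

// gcpDNS is the link-local address the commit message says is always allowed.
var gcpDNS = netip.MustParseAddr("169.254.169.254")

// linkLocalVerdict models pre(): link-local unicast destinations are dropped by
// default, the GCP DNS address is always allowed, and otherwise the first
// LinkLocalAllowHook that matches wins and supplies the log reason.
func linkLocalVerdict(p Packet, hooks []PacketMatch) (allowed bool, why string) {
	if !p.Dst.IsLinkLocalUnicast() {
		return true, "not link-local"
	}
	if p.Dst == gcpDNS {
		return true, "gcp dns always allowed"
	}
	for i, h := range hooks {
		if ok, reason := h(p); ok {
			return true, fmt.Sprintf("link-local hook %d: %s", i, reason)
		}
	}
	return false, "link-local unicast dropped by default"
}

// ingressVerdict models RunIn: IngressAllowHooks run before the standard rules,
// so a hook may accept a destination outside the local IP set; if none matches,
// the usual requirement that dst be a local IP applies (rule matching omitted).
func ingressVerdict(p Packet, localIPs []netip.Prefix, hooks []PacketMatch) (allowed bool, why string) {
	for i, h := range hooks {
		if ok, reason := h(p); ok {
			return true, fmt.Sprintf("ingress hook %d: %s", i, reason)
		}
	}
	for _, pfx := range localIPs {
		if pfx.Contains(p.Dst) {
			return true, "dst in local IP set"
		}
	}
	return false, "dst not local"
}
```

Hook order matters: the first hook that returns true ends evaluation, so a permissive hook registered early masks anything after it, and the returned reason is what shows up in the filter log.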
