path: root/control/controlhttp/controlhttpserver/controlhttpserver.go
author: Michael Ben-Ami <mzb@tailscale.com>, 2026-02-20 17:36:40 +0000
committer: mzbenami <mike.benami@gmail.com>, 2026-02-24 10:54:56 -0500
commit: 811fe7d18ed832a1b48880ab8d893c7909a900e1
tree: ab6eb21969972ccc0111623765a095abcaa352cc /control/controlhttp/controlhttpserver/controlhttpserver.go
parent: dc80fd6324eb1e2e183408451761ff38a5eeafd2
ipnext,ipnlocal,wgengine/filter: add extension hooks for custom filter matchers

Add PacketMatch hooks to the packet filter, allowing extensions to
customize filtering decisions:

- IngressAllowHooks: checked in RunIn after pre() but before the
  standard runIn4/runIn6 match rules. Hooks can accept packets to
  destinations outside the local IP set. First match wins; the
  returned why string is used for logging.

- LinkLocalAllowHooks: checked inside pre() for both ingress and
  egress, providing exceptions to the default policy of dropping
  link-local unicast packets. First match wins. The GCP DNS address
  (169.254.169.254) is always allowed regardless of hooks.

PacketMatch returns (match bool, why string) to provide a log reason
consistent with the existing filter functions.

Hooks are registered via the new FilterHooks struct in ipnext.Hooks
and wired through to filter.Filter in LocalBackend.updateFilterLocked.

Fixes tailscale/corp#35989
Fixes tailscale/corp#37207

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions