ipn,wgengine: only intercept TailFS traffic on quad 100

This fixes a regression introduced with 993acf4 and released in v1.60.0. The regression caused us to intercept all userspace traffic to port 8080 which prevented users from exposing their own services to their tailnet at port 8080. Now, we only intercept traffic to port 8080 if it's bound for 100.100.100.100 or fd7a:115c:a1e0::53. Fixes #11283 Signed-off-by: Percy Wegmann <percy@tailscale.com> (cherry picked from commit 17cd0626f3)
2025-08-11 13:18:53 +00:00 · 2024-02-28 11:44:42 -06:00
parent e83e2e881b
commit 2d5d6f5403
4 changed files with 97 additions and 31 deletions
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -1131,25 +1131,13 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 	// Local Services (DNS and WebDAV)
 	hittingServiceIP := dialIP == serviceIP || dialIP == serviceIPv6
 	hittingDNS := hittingServiceIP && reqDetails.LocalPort == 53
-	hittingTailFS := hittingServiceIP && ns.tailFSForLocal != nil && reqDetails.LocalPort == ipnlocal.TailFSLocalPort
-	if hittingDNS || hittingTailFS {
+	if hittingDNS {
 		c := getConnOrReset()
 		if c == nil {
 			return
 		}
 		addrPort := netip.AddrPortFrom(clientRemoteIP, reqDetails.RemotePort)
-		if hittingDNS {
-			go ns.dns.HandleTCPConn(c, addrPort)
-		} else if hittingTailFS {
-			if !ns.lb.TailFSAccessEnabled() {
-				c.Close()
-				return
-			}
-			err := ns.tailFSForLocal.HandleConn(c, net.TCPAddrFromAddrPort(addrPort))
-			if err != nil {
-				ns.logf("netstack: tailfs.HandleConn: %v", err)
-			}
-		}
+		go ns.dns.HandleTCPConn(c, addrPort)
 		return
 	}