diff --git a/net/tstun/wrap.go b/net/tstun/wrap.go
index 6725c7c81..24decbe29 100644
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -136,23 +136,23 @@ type Wrapper struct {
 	// filterFlags control the verbosity of logging packet drops/accepts.
 	filterFlags filter.RunFlags
 
-	// PreFilterIn is the inbound filter function that runs before the main filter
+	// PreFilterPacketInboundFromWireGuard is the inbound filter function that runs before the main filter
 	// and therefore sees the packets that may be later dropped by it.
-	PreFilterIn FilterFunc
-	// PostFilterIn is the inbound filter function that runs after the main filter.
-	PostFilterIn FilterFunc
-	// PreFilterFromTunToNetstack is a filter function that runs before the main filter
+	PreFilterPacketInboundFromWireGuard FilterFunc
+	// PostFilterPacketInboundFromWireGaurd is the inbound filter function that runs after the main filter.
+	PostFilterPacketInboundFromWireGaurd FilterFunc
+	// PreFilterPacketOutboundToWireGuardNetstackIntercept is a filter function that runs before the main filter
 	// for packets from the local system. This filter is populated by netstack to hook
 	// packets that should be handled by netstack. If set, this filter runs before
 	// PreFilterFromTunToEngine.
-	PreFilterFromTunToNetstack FilterFunc
-	// PreFilterFromTunToEngine is a filter function that runs before the main filter
+	PreFilterPacketOutboundToWireGuardNetstackIntercept FilterFunc
+	// PreFilterPacketOutboundToWireGuardEngineIntercept is a filter function that runs before the main filter
 	// for packets from the local system. This filter is populated by wgengine to hook
 	// packets which it handles internally. If both this and PreFilterFromTunToNetstack
 	// filter functions are non-nil, this filter runs second.
-	PreFilterFromTunToEngine FilterFunc
-	// PostFilterOut is the outbound filter function that runs after the main filter.
-	PostFilterOut FilterFunc
+	PreFilterPacketOutboundToWireGuardEngineIntercept FilterFunc
+	// PostFilterPacketOutboundToWireGuard is the outbound filter function that runs after the main filter.
+	PostFilterPacketOutboundToWireGuard FilterFunc
 
 	// OnTSMPPongReceived, if non-nil, is called whenever a TSMP pong arrives.
 	OnTSMPPongReceived func(packet.TSMPPongReply)
 
@@ -464,7 +464,7 @@ var (
 	magicDNSIPPortv6 = netip.AddrPortFrom(tsaddr.TailscaleServiceIPv6(), 0)
 )
 
-func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
+func (t *Wrapper) filterPacketOutboundToWireGuard(p *packet.Parsed) filter.Response {
 	// Fake ICMP echo responses to MagicDNS (100.100.100.100).
 	if p.IsEchoRequest() {
 		switch p.Dst {
@@ -494,14 +494,14 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
 		return filter.DropSilently
 	}
 
-	if t.PreFilterFromTunToNetstack != nil {
-		if res := t.PreFilterFromTunToNetstack(p, t); res.IsDrop() {
+	if t.PreFilterPacketOutboundToWireGuardNetstackIntercept != nil {
+		if res := t.PreFilterPacketOutboundToWireGuardNetstackIntercept(p, t); res.IsDrop() {
 			// Handled by netstack.Impl.handleLocalPackets (quad-100 DNS primarily)
 			return res
 		}
 	}
-	if t.PreFilterFromTunToEngine != nil {
-		if res := t.PreFilterFromTunToEngine(p, t); res.IsDrop() {
+	if t.PreFilterPacketOutboundToWireGuardEngineIntercept != nil {
+		if res := t.PreFilterPacketOutboundToWireGuardEngineIntercept(p, t); res.IsDrop() {
 			// Handled by userspaceEngine.handleLocalPackets (primarily handles
 			// quad-100 if netstack is not installed).
 			return res
@@ -518,8 +518,8 @@ func (t *Wrapper) filterOut(p *packet.Parsed) filter.Response {
 		return filter.Drop
 	}
 
-	if t.PostFilterOut != nil {
-		if res := t.PostFilterOut(p, t); res.IsDrop() {
+	if t.PostFilterPacketOutboundToWireGuard != nil {
+		if res := t.PostFilterPacketOutboundToWireGuard(p, t); res.IsDrop() {
 			return res
 		}
 	}
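Review bot: The new field `PostFilterPacketInboundFromWireGaurd` in the Wrapper struct hunk (both its doc comment and the field line) misspells WireGuard, and the typo is then carried into every use site: the `@@ -724` hunk of filterPacketInboundFromWireGuard, the netstack.go Start hunk and the userspace.go NewUserspaceEngine hunk. Because the field is exported, the misspelling becomes API that other packages would have to carry until a second rename, so it should land as `PostFilterPacketInboundFromWireGuard FilterFunc` with the call sites adjusted to match. The unchanged context lines of the same hunk also still reference the old names, `// PreFilterFromTunToEngine.` and `// ... If both this and PreFilterFromTunToNetstack`, which should read `PreFilterPacketOutboundToWireGuardEngineIntercept` and `PreFilterPacketOutboundToWireGuardNetstackIntercept` respectively, since ordering between these two hooks is the security-relevant part of the contract and a reader will look for those names. The Wrapper struct continues beyond the hunk.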
@@ -575,7 +575,7 @@ func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
 			capt(capture.FromLocal, time.Now(), data[res.dataOffset:])
 		}
 		if !t.disableFilter {
-			response := t.filterOut(p)
+			response := t.filterPacketOutboundToWireGuard(p)
 			if response != filter.Accept {
 				metricPacketOutDrop.Add(1)
 				continue
@@ -636,7 +636,7 @@ func (t *Wrapper) injectedRead(res tunInjectedRead, buf []byte, offset int) (int
 	return n, nil
 }
 
-func (t *Wrapper) filterIn(p *packet.Parsed) filter.Response {
+func (t *Wrapper) filterPacketInboundFromWireGuard(p *packet.Parsed) filter.Response {
 	if capt := t.captureHook.Load(); capt != nil {
 		capt(capture.FromPeer, time.Now(), p.Buffer())
 	}
@@ -672,8 +672,8 @@ func (t *Wrapper) filterIn(p *packet.Parsed) filter.Response {
 		return filter.DropSilently
 	}
 
-	if t.PreFilterIn != nil {
-		if res := t.PreFilterIn(p, t); res.IsDrop() {
+	if t.PreFilterPacketInboundFromWireGuard != nil {
+		if res := t.PreFilterPacketInboundFromWireGuard(p, t); res.IsDrop() {
 			return res
 		}
 	}
@@ -724,8 +724,8 @@ func (t *Wrapper) filterIn(p *packet.Parsed) filter.Response {
 		return filter.Drop
 	}
 
-	if t.PostFilterIn != nil {
-		if res := t.PostFilterIn(p, t); res.IsDrop() {
+	if t.PostFilterPacketInboundFromWireGaurd != nil {
+		if res := t.PostFilterPacketInboundFromWireGaurd(p, t); res.IsDrop() {
 			return res
 		}
 	}
@@ -743,7 +743,7 @@ func (t *Wrapper) Write(buffs [][]byte, offset int) (int, error) {
 	defer parsedPacketPool.Put(p)
 	for _, buff := range buffs {
 		p.Decode(buff[offset:])
-		if t.filterIn(p) != filter.Accept {
+		if t.filterPacketInboundFromWireGuard(p) != filter.Accept {
 			metricPacketInDrop.Add(1)
 		} else {
 			buffs[i] = buff
diff --git a/net/tstun/wrap_test.go b/net/tstun/wrap_test.go
index 6faccf169..c9c621ddf 100644
--- a/net/tstun/wrap_test.go
+++ b/net/tstun/wrap_test.go
@@ -544,7 +544,7 @@ func TestPeerAPIBypass(t *testing.T) {
 			tt.w.SetFilter(tt.filter)
 			tt.w.disableTSMPRejected = true
 			tt.w.logf = t.Logf
-			if got := tt.w.filterIn(p); got != tt.want {
+			if got := tt.w.filterPacketInboundFromWireGuard(p); got != tt.want {
 				t.Errorf("got = %v; want %v", got, tt.want)
 			}
 		})
@@ -574,7 +574,7 @@ func TestFilterDiscoLoop(t *testing.T) {
 	p := new(packet.Parsed)
 	p.Decode(pkt)
 
-	got := tw.filterIn(p)
+	got := tw.filterPacketInboundFromWireGuard(p)
 	if got != filter.DropSilently {
 		t.Errorf("got %v; want DropSilently", got)
 	}
@@ -585,7 +585,7 @@ func TestFilterDiscoLoop(t *testing.T) {
 	memLog.Reset()
 	pp := new(packet.Parsed)
 	pp.Decode(pkt)
-	got = tw.filterOut(pp)
+	got = tw.filterPacketOutboundToWireGuard(pp)
 	if got != filter.DropSilently {
 		t.Errorf("got %v; want DropSilently", got)
 	}
diff --git a/wgengine/netstack/netstack.go b/wgengine/netstack/netstack.go
index 54a039dd6..8fc9d6cca 100644
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -260,8 +260,8 @@ func (ns *Impl) Start(lb *ipnlocal.LocalBackend) error {
 	ns.ipstack.SetTransportProtocolHandler(tcp.ProtocolNumber, ns.wrapProtoHandler(tcpFwd.HandlePacket))
 	ns.ipstack.SetTransportProtocolHandler(udp.ProtocolNumber, ns.wrapProtoHandler(udpFwd.HandlePacket))
 	go ns.inject()
-	ns.tundev.PostFilterIn = ns.injectInbound
-	ns.tundev.PreFilterFromTunToNetstack = ns.handleLocalPackets
+	ns.tundev.PostFilterPacketInboundFromWireGaurd = ns.injectInbound
+	ns.tundev.PreFilterPacketOutboundToWireGuardNetstackIntercept = ns.handleLocalPackets
 	return nil
 }
 
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index 7def6c971..8f0c2d226 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -373,19 +373,19 @@ func NewUserspaceEngine(logf logger.Logf, conf Config) (_ Engine, reterr error)
 	tsTUNDev.SetDiscoKey(e.magicConn.DiscoPublicKey())
 
 	if conf.RespondToPing {
-		e.tundev.PostFilterIn = echoRespondToAll
+		e.tundev.PostFilterPacketInboundFromWireGaurd = echoRespondToAll
 	}
-	e.tundev.PreFilterFromTunToEngine = e.handleLocalPackets
+	e.tundev.PreFilterPacketOutboundToWireGuardEngineIntercept = e.handleLocalPackets
 
 	if envknob.BoolDefaultTrue("TS_DEBUG_CONNECT_FAILURES") {
-		if e.tundev.PreFilterIn != nil {
+		if e.tundev.PreFilterPacketInboundFromWireGuard != nil {
 			return nil, errors.New("unexpected PreFilterIn already set")
 		}
-		e.tundev.PreFilterIn = e.trackOpenPreFilterIn
-		if e.tundev.PostFilterOut != nil {
+		e.tundev.PreFilterPacketInboundFromWireGuard = e.trackOpenPreFilterIn
+		if e.tundev.PostFilterPacketOutboundToWireGuard != nil {
 			return nil, errors.New("unexpected PostFilterOut already set")
 		}
-		e.tundev.PostFilterOut = e.trackOpenPostFilterOut
+		e.tundev.PostFilterPacketOutboundToWireGuard = e.trackOpenPostFilterOut
 	}
 
 	e.wgLogger = wglog.NewLogger(logf)
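Review bot: The two error strings on the unchanged lines of this hunk, `return nil, errors.New("unexpected PreFilterIn already set")` and `return nil, errors.New("unexpected PostFilterOut already set")`, still name the old fields, so a hook-collision failure under TS_DEBUG_CONNECT_FAILURES would point an operator at identifiers that no longer exist in the Wrapper struct. They should be updated alongside the rename to `errors.New("unexpected PreFilterPacketInboundFromWireGuard already set")` and `errors.New("unexpected PostFilterPacketOutboundToWireGuard already set")`. Note that the `conf.RespondToPing` assignment a few lines above sets the post-inbound hook without a corresponding nil check, while the pre-inbound and post-outbound hooks below do guard against being silently overwritten; whether that asymmetry is intentional is not visible from this hunk. The enclosing NewUserspaceEngine body starts and ends outside the hunk.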