From f3011fce04fec182b3028a57c784dd4ff9b71440 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Mon, 3 Mar 2025 16:07:31 -0800
Subject: [PATCH] more misc plan9 work; it works now

Change-Id: Iafc4ee41dd4d7ba9b9907c8e13bb1e161c8f78e3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 Makefile                          | 11 ++++++---
 cmd/tailscaled/tailscaled.go      |  4 +++-
 go.mod                            |  4 +---
 go.sum                            | 12 ++--------
 ipn/ipnlocal/local.go             |  5 +++++
 net/tstun/tstun_stub.go           |  2 +-
 net/tstun/tun.go                  | 37 ++++++++++++++++++++++++++++++-
 net/tstun/wrap.go                 |  3 +++
 ssh/tailssh/incubator.go          | 10 ++++++++-
 ssh/tailssh/tailssh.go            |  3 +--
 types/logger/logger.go            |  5 +++++
 util/osuser/group_ids.go          |  4 ++++
 util/osuser/user.go               | 23 +++++++++++++++++--
 wgengine/router/router_default.go |  2 +-
 wgengine/userspace.go             | 12 ++++++++++
 15 files changed, 112 insertions(+), 25 deletions(-)

diff --git a/Makefile b/Makefile
index d718a00b4..a7bb84dcf 100644
--- a/Makefile
+++ b/Makefile
@@ -110,9 +110,14 @@ publishdevnameserver: ## Build and publish k8s-nameserver image to location spec
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-nameserver" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-nameserver" && exit 1)
 	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-nameserver ./build_docker.sh
 
-plan9:
-	GOOS=plan9 GOARCH=386 go build -o ${HOME}/hack/rsc-plan9/td ./cmd/tailscaled
-	GOOS=plan9 GOARCH=386 go build -o ${HOME}/hack/rsc-plan9/ts ./cmd/tailscale
+plan93:
+	GOOS=plan9 GOARCH=386 ${HOME}/hack/go/bin/go build -o ${HOME}/hack/rsc-plan9/td3 ./cmd/tailscaled
+	GOOS=plan9 GOARCH=386 ${HOME}/hack/go/bin/go build -o ${HOME}/hack/rsc-plan9/ts3 ./cmd/tailscale
+
+plan9a:
+	GOOS=plan9 GOARCH=amd64 ${HOME}/hack/go/bin/go build -o ${HOME}/hack/rsc-plan9/tda ./cmd/tailscaled
+	GOOS=plan9 GOARCH=amd64 ${HOME}/hack/go/bin/go build -o ${HOME}/hack/rsc-plan9/tsa ./cmd/tailscale
+
 
 .PHONY: sshintegrationtest
 sshintegrationtest: ## Run the SSH integration tests in various Docker containers
diff --git a/cmd/tailscaled/tailscaled.go b/cmd/tailscaled/tailscaled.go
index 897f72cb7..7cc9aff35 100644
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -82,7 +82,9 @@ func defaultTunName() string {
 		// "utun" is recognized by wireguard-go/tun/tun_darwin.go
 		// as a magic value that uses/creates any free number.
 		return "utun"
-	case "plan9", "aix", "solaris", "illumos":
+	case "plan9":
+		return "auto"
+	case "aix", "solaris", "illumos":
 		return "userspace-networking"
 	case "linux":
 		switch distro.Get() {
diff --git a/go.mod b/go.mod
index a566c941f..79a86a496 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,6 @@ require (
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/creachadair/taskgroup v0.13.2
-	github.com/creack/pty v1.1.23
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa
 	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e
 	github.com/distribution/reference v0.6.0
@@ -84,12 +83,11 @@ require (
 	github.com/tailscale/setec v0.0.0-20250205144240-8898a29c3fbb
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976
 	github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6
-	github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19
+	github.com/tailscale/wireguard-go v0.0.0-20250304000100-91a0587fb251
 	github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e
 	github.com/tc-hib/winres v0.2.1
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
-	github.com/u-root/u-root v0.12.0
 	github.com/vishvananda/netns v0.0.4
 	go.uber.org/zap v1.27.0
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745
diff --git a/go.sum b/go.sum
index 528e48c16..08246cd59 100644
--- a/go.sum
+++ b/go.sum
@@ -234,8 +234,6 @@ github.com/creachadair/mds v0.17.1/go.mod h1:4b//mUiL8YldH6TImXjmW45myzTLNS1LLjO
 github.com/creachadair/taskgroup v0.13.2 h1:3KyqakBuFsm3KkXi/9XIb0QcA8tEzLHLgaoidf0MdVc=
 github.com/creachadair/taskgroup v0.13.2/go.mod h1:i3V1Zx7H8RjwljUEeUWYT30Lmb9poewSb2XI1yTwD0g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
-github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDUstnC9DIo=
 github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc=
 github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
@@ -545,8 +543,6 @@ github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSo
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/hugelgupf/vmtest v0.0.0-20240102225328-693afabdd27f h1:ov45/OzrJG8EKbGjn7jJZQJTN7Z1t73sFYNIRd64YlI=
-github.com/hugelgupf/vmtest v0.0.0-20240102225328-693afabdd27f/go.mod h1:JoDrYMZpDPYo6uH9/f6Peqms3zNNWT2XiGgioMOIGuI=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/illarion/gonotify/v3 v3.0.2 h1:O7S6vcopHexutmpObkeWsnzMJt/r1hONIEogeVNmJMk=
 github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
@@ -922,8 +918,8 @@ github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:U
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19 h1:BcEJP2ewTIK2ZCsqgl6YGpuO6+oKqqag5HHb7ehljKw=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tailscale/wireguard-go v0.0.0-20250304000100-91a0587fb251 h1:h/41LFTrwMxB9Xvvug0kRdQCU5TlV1+pAMQw0ZtDE3U=
+github.com/tailscale/wireguard-go v0.0.0-20250304000100-91a0587fb251/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
@@ -950,10 +946,6 @@ github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+
 github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
-github.com/u-root/gobusybox/src v0.0.0-20231228173702-b69f654846aa h1:unMPGGK/CRzfg923allsikmvk2l7beBeFPUNC4RVX/8=
-github.com/u-root/gobusybox/src v0.0.0-20231228173702-b69f654846aa/go.mod h1:Zj4Tt22fJVn/nz/y6Ergm1SahR9dio1Zm/D2/S0TmXM=
-github.com/u-root/u-root v0.12.0 h1:K0AuBFriwr0w/PGS3HawiAw89e3+MU7ks80GpghAsNs=
-github.com/u-root/u-root v0.12.0/go.mod h1:FYjTOh4IkIZHhjsd17lb8nYW6udgXdJhG1c0r6u0arI=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 1f9f7e8b2..8c027b0d1 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -5001,6 +5001,11 @@ func shouldUseOneCGNATRoute(logf logger.Logf, mon *netmon.Monitor, controlKnobs
 		}
 	}
 
+	if versionOS == "plan9" {
+		// Just temporarily during plan9 bringup to have fewer routes to debug.
+		return true
+	}
+
 	// Also prefer to do this on the Mac, so that we don't need to constantly
 	// update the network extension configuration (which is disruptive to
 	// Chrome, see https://github.com/tailscale/tailscale/issues/3102). Only
diff --git a/net/tstun/tstun_stub.go b/net/tstun/tstun_stub.go
index 3119d647c..d21eda6b0 100644
--- a/net/tstun/tstun_stub.go
+++ b/net/tstun/tstun_stub.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build plan9 || aix || solaris || illumos
+//go:build aix || solaris || illumos
 
 package tstun
 
diff --git a/net/tstun/tun.go b/net/tstun/tun.go
index 44ccdfc99..d01db61a2 100644
--- a/net/tstun/tun.go
+++ b/net/tstun/tun.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !wasm && !plan9 && !tamago && !aix && !solaris && !illumos
+//go:build !wasm && !tamago && !aix && !solaris && !illumos
 
 // Package tun creates a tuntap device, working around OS-specific
 // quirks if necessary.
@@ -9,6 +9,9 @@ package tstun
 
 import (
 	"errors"
+	"fmt"
+	"log"
+	"os"
 	"runtime"
 	"strings"
 	"time"
@@ -45,6 +48,9 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 		}
 		dev, err = CreateTAP.Get()(logf, tapName, bridgeName)
 	} else {
+		if runtime.GOOS == "plan9" {
+			cleanUpPlan9Interfaces()
+		}
 		dev, err = tun.CreateTUN(tunName, int(DefaultTUNMTU()))
 	}
 	if err != nil {
@@ -65,6 +71,35 @@ func New(logf logger.Logf, tunName string) (tun.Device, string, error) {
 	return dev, name, nil
 }
 
+func cleanUpPlan9Interfaces() {
+	maybeUnbind := func(n int) {
+		b, err := os.ReadFile(fmt.Sprintf("/net/ipifc/%d/status", n))
+		if err != nil {
+			return
+		}
+		status := string(b)
+		if !(strings.HasPrefix(status, "device  maxtu ") ||
+			strings.Contains(status, "fd7a:115c:a1e0:")) {
+			return
+		}
+		f, err := os.OpenFile(fmt.Sprintf("/net/ipifc/%d/ctl", n), os.O_RDWR, 0)
+		if err != nil {
+			return
+		}
+		defer f.Close()
+		if _, err := fmt.Fprintf(f, "unbind\n"); err != nil {
+			log.Printf("unbind interface %v: %v", n, err)
+			return
+		}
+		log.Printf("tun: unbound stale interface %v", n)
+	}
+
+	// A common case: after unclean shutdown, the /net/ipifc/clone file
+	for n := 2; n < 5; n++ {
+		maybeUnbind(n)
+	}
+}
+
 // tunDiagnoseFailure, if non-nil, does OS-specific diagnostics of why
 // TUN failed to work.
 var tunDiagnoseFailure func(tunName string, logf logger.Logf, err error)
diff --git a/net/tstun/wrap.go b/net/tstun/wrap.go
index 442184065..7432680ea 100644
--- a/net/tstun/wrap.go
+++ b/net/tstun/wrap.go
@@ -928,8 +928,10 @@ func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
 	// packet from OS read and sent to WG
 	res, ok := <-t.vectorOutbound
 	if !ok {
+		t.logf("XXX Wrapper.vectorInbound done")
 		return 0, io.EOF
 	}
+	t.logf("XXX Wrapper.vec in: err=%v, len(data)=%d, offset=%d", res.err, len(res.data), offset)
 	if res.err != nil && len(res.data) == 0 {
 		return 0, res.err
 	}
@@ -947,6 +949,7 @@ func (t *Wrapper) Read(buffs [][]byte, sizes []int, offset int) (int, error) {
 	var buffsGRO *gro.GRO
 	for _, data := range res.data {
 		p.Decode(data[res.dataOffset:])
+		t.logf("XXX Wrapper.Read decode (off=%d): %v", res.dataOffset, p.String())
 
 		if m := t.destIPActivity.Load(); m != nil {
 			if fn := m[p.Dst.Addr()]; fn != nil {
diff --git a/ssh/tailssh/incubator.go b/ssh/tailssh/incubator.go
index 4f630186d..7ee079149 100644
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -1032,6 +1032,14 @@ func (ss *sshSession) startWithStdPipes() (err error) {
 }
 
 func envForUser(u *userMeta) []string {
+	if runtime.GOOS == "plan9" {
+		return []string{
+			fmt.Sprintf("shell=%s", u.LoginShell()),
+			"service=ssh",
+			fmt.Sprintf("USER=%s", u.Username),
+			fmt.Sprintf("home=%s", u.HomeDir),
+		}
+	}
 	return []string{
 		fmt.Sprintf("SHELL=%s", u.LoginShell()),
 		fmt.Sprintf("USER=%s", u.Username),
@@ -1108,7 +1116,7 @@ func (ia *incubatorArgs) loginArgs(loginCmdPath string) []string {
 
 func shellArgs(isShell bool, cmd string) []string {
 	if isShell {
-		if runtime.GOOS == freebsd || runtime.GOOS == openbsd {
+		if runtime.GOOS == freebsd || runtime.GOOS == openbsd || runtime.GOOS == "plan9" {
 			// bsd shells don't support the "-l" option, so we can't run as a login shell
 			return []string{}
 		}
diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index 3e9c7a467..2e5040da2 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -672,7 +672,6 @@ type sshSession struct {
 	wrStdin  io.WriteCloser
 	rdStdout io.ReadCloser
 	rdStderr io.ReadCloser // rdStderr is nil for pty sessions
-	ptyReq   *ssh.Pty      // non-nil for pty sessions
 
 	// childPipes is a list of pipes that need to be closed when the process exits.
 	// For pty sessions, this is the tty fd.
@@ -903,7 +902,7 @@ func (ss *sshSession) run() {
 		defer t.Stop()
 	}
 
-	if euid := os.Geteuid(); euid != 0 {
+	if euid := os.Geteuid(); euid != 0 && runtime.GOOS != "plan9" {
 		if lu.Uid != fmt.Sprint(euid) {
 			ss.logf("can't switch to user %q from process euid %v", lu.Username, euid)
 			fmt.Fprintf(ss, "can't switch user\r\n")
diff --git a/types/logger/logger.go b/types/logger/logger.go
index 11596b357..66b989480 100644
--- a/types/logger/logger.go
+++ b/types/logger/logger.go
@@ -14,6 +14,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -162,6 +163,10 @@ func RateLimitedFnWithClock(logf Logf, f time.Duration, burst int, maxCache int,
 	if envknob.String("TS_DEBUG_LOG_RATE") == "all" {
 		return logf
 	}
+	if runtime.GOOS == "plan9" {
+		// To ease bring-up.
+		return logf
+	}
 	var (
 		mu       sync.Mutex
 		msgLim   = make(map[string]*limitData) // keyed by logf format
diff --git a/util/osuser/group_ids.go b/util/osuser/group_ids.go
index f25861dbb..7c2b5b090 100644
--- a/util/osuser/group_ids.go
+++ b/util/osuser/group_ids.go
@@ -19,6 +19,10 @@ import (
 // an error. It will first try to use the 'id' command to get the group IDs,
 // and if that fails, it will fall back to the user.GroupIds method.
 func GetGroupIds(user *user.User) ([]string, error) {
+	if runtime.GOOS == "plan9" {
+		return nil, nil
+	}
+
 	if runtime.GOOS != "linux" {
 		return user.GroupIds()
 	}
diff --git a/util/osuser/user.go b/util/osuser/user.go
index 2c7f2e24b..8b96194d7 100644
--- a/util/osuser/user.go
+++ b/util/osuser/user.go
@@ -54,9 +54,18 @@ func lookup(usernameOrUID string, std lookupStd, wantShell bool) (*user.User, st
 	// Skip getent entirely on Non-Unix platforms that won't ever have it.
 	// (Using HasPrefix for "wasip1", anticipating that WASI support will
 	// move beyond "preview 1" some day.)
-	if runtime.GOOS == "windows" || runtime.GOOS == "js" || runtime.GOARCH == "wasm" {
+	if runtime.GOOS == "windows" || runtime.GOOS == "js" || runtime.GOARCH == "wasm" || runtime.GOOS == "plan9" {
+		var shell string
+		if wantShell && runtime.GOOS == "plan9" {
+			shell = "/bin/rc"
+		}
+		if runtime.GOOS == "plan9" {
+			if u, err := user.Current(); err == nil {
+				return u, shell, nil
+			}
+		}
 		u, err := std(usernameOrUID)
-		return u, "", err
+		return u, shell, err
 	}
 
 	// No getent on Gokrazy. So hard-code the login shell.
@@ -78,6 +87,16 @@ func lookup(usernameOrUID string, std lookupStd, wantShell bool) (*user.User, st
 		return u, shell, nil
 	}
 
+	if runtime.GOOS == "plan9" {
+		return &user.User{
+			Uid:      "0",
+			Gid:      "0",
+			Username: "glenda",
+			Name:     "Glenda",
+			HomeDir:  "/",
+		}, "/bin/rc", nil
+	}
+
 	// Start with getent if caller wants to get the user shell.
 	if wantShell {
 		return userLookupGetent(usernameOrUID, std)
diff --git a/wgengine/router/router_default.go b/wgengine/router/router_default.go
index 1e675d1fc..8dcbd36d0 100644
--- a/wgengine/router/router_default.go
+++ b/wgengine/router/router_default.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !windows && !linux && !darwin && !openbsd && !freebsd
+//go:build !windows && !linux && !darwin && !openbsd && !freebsd && !plan9
 
 package router
 
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index b51b2c8ea..3653cdcb2 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -569,6 +569,18 @@ func (e *userspaceEngine) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper)
 			return filter.Drop
 		}
 	}
+	if runtime.GOOS == "plan9" {
+		isLocalAddr, ok := e.isLocalAddr.LoadOk()
+		if ok {
+			if isLocalAddr(p.Dst.Addr()) {
+				e.logf("XXX plan9 inject inbound")
+				// On Plan9's "tun" equivalent, everything goes back in and out
+				// the tun, even when the kernel's replying to itself.
+				t.InjectInboundCopy(p.Buffer())
+				return filter.Drop
+			}
+		}
+	}
 
 	return filter.Accept
 }