From 66c72bbe2eb2b572c0abeebdf91f856be5fcd68f Mon Sep 17 00:00:00 2001
From: Owen
Date: Tue, 28 Apr 2026 14:29:55 -0700
Subject: [PATCH] Dont block tcp for http unless there are targets
---
 netstack2/handlers.go | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/netstack2/handlers.go b/netstack2/handlers.go
index a63178c..e28a543 100644
--- a/netstack2/handlers.go
+++ b/netstack2/handlers.go
@@ -152,20 +152,14 @@ func (h *TCPHandler) handleTCPConn(netstackConn *gonet.TCPConn, id stack.Transpo
 srcAddr, _ := netip.ParseAddr(srcIP)
 dstAddr, _ := netip.ParseAddr(dstIP)
 rule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, dstPort, tcp.ProtocolNumber)
- if rule != nil {
- if rule.Protocol != "" {
- logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
- srcIP, srcPort, dstIP, dstPort, rule.Protocol)
- h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
- } else {
- // A matching HTTP rule exists but has no protocol configured —
- // do not fall through to the raw TCP handler; drop the connection.
- logger.Info("TCP Forwarder: Dropping %s:%d -> %s:%d (HTTP rule matched but no protocol set)",
- srcIP, srcPort, dstIP, dstPort)
- netstackConn.Close()
- }
+ if rule != nil && rule.Protocol != "" && len(rule.HTTPTargets) > 0 {
+ logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
+ srcIP, srcPort, dstIP, dstPort, rule.Protocol)
+ h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
 return
 }
+ // Otherwise fall through to raw TCP forwarding (e.g. CIDR resources
+ // that happen to use port 80/443 without HTTP configuration).
 }
 defer netstackConn.Close()
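Review bot: The combined condition `rule != nil && rule.Protocol != "" && len(rule.HTTPTargets) > 0` turns the earlier fail-closed branch into a silent fall-through: a matched rule with no protocol used to be logged and dropped, and now a matched rule with no protocol or no HTTP targets reaches raw TCP forwarding without any log line. The added comment covers CIDR resources on port 80/443, but the same path is taken by an HTTP resource whose targets are missing or were removed, so that connection would be forwarded without passing through the HTTP handler; whether the raw path applies its own access check is not visible here, since the hunk starts and ends inside handleTCPConn. I would keep the case auditable by adding, after the HTTP branch, `if rule != nil { logger.Info("TCP Forwarder: %s:%d -> %s:%d matched a rule without HTTP protocol/targets, using raw TCP", srcIP, srcPort, dstIP, dstPort) }`. It is also worth considering whether the drop should stay for the narrower case where `rule.Protocol != ""` but `len(rule.HTTPTargets) == 0`, which looks like a misconfigured HTTP resource rather than a CIDR one.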