remove session firewall, this can't prevent memory use so it's better to just use OS native tools

src/tuntap/iface.go

@@ -116,9 +116,6 @@ func (tun *TunAdapter) write() {
 			continue // bad local address/subnet
 		}
 		info := tun.store.update(ed25519.PublicKey(from.(iwt.Addr)))
-		if info == nil {
-			continue // Blocked by the gatekeeper
-		}
 		if srcAddr != info.address && srcSubnet != info.subnet {
 			continue // bad remote address/subnet
 		}

src/tuntap/keystore.go

@@ -113,18 +113,6 @@ func (k *keyStore) update(key ed25519.PublicKey) *keyInfo {
 		info.key = kArray
 		info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:]))
 		info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:]))
-		var isOutgoing bool
-		if k.addrBuffer[info.address] != nil {
-			isOutgoing = true
-		}
-		if k.subnetBuffer[info.subnet] != nil {
-			isOutgoing = true
-		}
-		if !k.tun.gatekeeper(key, isOutgoing) {
-			// Blocked by the gatekeeper, so don't create an entry for this
-			k.mutex.Unlock()
-			return nil
-		}
 		k.keyToInfo[info.key] = info
 		k.addrToInfo[info.address] = info
 		k.subnetToInfo[info.subnet] = info

src/tuntap/tun.go

@@ -43,16 +43,9 @@ type TunAdapter struct {
 	iface       tun.Device
 	phony.Inbox // Currently only used for _handlePacket from the reader, TODO: all the stuff that currently needs a mutex below
 	//mutex        sync.RWMutex // Protects the below
-	isOpen     bool
-	isEnabled  bool // Used by the writer to drop sessionTraffic if not enabled
-	gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool
-	proto      protoHandler
-}
-
-func (tun *TunAdapter) SetSessionGatekeeper(gatekeeper func(pubkey ed25519.PublicKey, initiator bool) bool) {
-	phony.Block(tun, func() {
-		tun.gatekeeper = gatekeeper
-	})
+	isOpen    bool
+	isEnabled bool // Used by the writer to drop sessionTraffic if not enabled
+	proto     protoHandler
 }
 
 // Gets the maximum supported MTU for the platform based on the defaults in