Fixes: admin/mini-sing#1
gVisor TUN stack intercepts ICMP echo requests and replies locally
with fake <1ms latency. Real pings to Tailscale peers never reach
the WireGuard tunnel.
Fix: PrepareConnection now checks ICMP destinations against route
rules. If the matching outbound implements ICMPPinger (e.g. Tailscale),
returns an icmpProxy DirectRouteDestination that:
1. Sends the ICMP echo through tailnet's netstack via DialPing("ping4")
2. Reads the real reply from the WireGuard tunnel
3. Rebuilds a raw IP+ICMP reply packet
4. Writes it back to the TUN via DirectRouteContext
Changes:
- adapter/outbound.go: Add ICMPPinger interface
- adapter/router.go: Add FindOutbound to ConnectionRouterEx
- route/router.go: Expose FindOutbound method
- protocol/tailscale/outbound.go: Implement ICMPPinger via tailnet.DialPing
- protocol/tun/inbound.go: ICMP proxy in PrepareConnection + icmpProxy type
- tailnet/outbound.go: Add DialPing method (wraps tnet.DialContext("ping4"))
1f5612e6ad