WIP

Signed-off-by: Martynas Pumputis <m@lambda.lt>

bpf/lib/wireguard.h

@@ -14,6 +14,8 @@
 #include "overloadable.h"
 #include "identity.h"
 
+#include "lib/proxy.h"
+
 static __always_inline int
 wg_maybe_redirect_to_encrypt(struct __ctx_buff *ctx)
 {
@@ -123,6 +125,10 @@ wg_maybe_redirect_to_encrypt(struct __ctx_buff *ctx)
 	magic = ctx->mark & MARK_MAGIC_HOST_MASK;
 	if ((magic == MARK_MAGIC_PROXY_INGRESS) || (magic == MARK_MAGIC_PROXY_INGRESS))
 		goto maybe_encrypt;
+#if defined(TUNNEL_MODE)
+	if (tc_index_from_ingress_proxy(ctx) || tc_index_from_egress_proxy(ctx))
+		goto maybe_encrypt;
+#endif /* TUNNEL_MODE */
 
 	/* Unless node encryption is enabled, we don't want to encrypt
 	 * traffic from the hostns (an exception - L7 proxy traffic).