move sessionfirewall into the tuntap. this needs testing. the name is also slightly wrong, since a crypto session can still be set up, packets are just accepted/rejected at the tun/tap level instead

src/tuntap/iface.go

@@ -93,6 +93,9 @@ func (tun *TunAdapter) write() {
 			continue // bad local address/subnet
 		}
 		info := tun.store.update(ed25519.PublicKey(from.(iwt.Addr)))
+		if info == nil {
+			continue // Blocked by the gatekeeper
+		}
 		if srcAddr != info.address && srcSubnet != info.subnet {
 			continue // bad remote address/subnet
 		}