wgengine/filter: add protocol-agnostic packet checker (#10446)

For use in ACL tests, we need a way to check whether a packet is allowed not just with TCP, but any protocol. Updates #3561 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-02-27 10:47:35 +00:00 · 2023-12-02 16:30:33 -06:00 · 2023-12-02 16:30:33 -06:00 · 263e01c47b
commit 263e01c47b
parent c85532270f
1 changed files with 13 additions and 5 deletions
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@ -300,9 +300,9 @@ var dummyPacket = []byte{
 	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 }
-// CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort
+// Check determines whether traffic from srcIP to dstIP:dstPort is allowed
-// is allowed.
+// using protocol proto.
-func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
+func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response {
 	pkt := &packet.Parsed{}
 	pkt.Decode(dummyPacket) // initialize private fields
 	switch {
@ -319,12 +319,20 @@ func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
 	}
 	pkt.Src = netip.AddrPortFrom(srcIP, 0)
 	pkt.Dst = netip.AddrPortFrom(dstIP, dstPort)
-	pkt.IPProto = ipproto.TCP
+	pkt.IPProto = proto
-	pkt.TCPFlags = packet.TCPSyn
+	if proto == ipproto.TCP {
 		pkt.TCPFlags = packet.TCPSyn
 	}
 	return f.RunIn(pkt, 0)
 }
 // CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort
 // is allowed.
 func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
 	return f.Check(srcIP, dstIP, dstPort, ipproto.TCP)
 }
 // CapsWithValues appends to base the capabilities that srcIP has talking
 // to dstIP.
 func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap {