TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-10-10 09:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

wgengine, wgengine/filter: minor doc, style, performance, locking changes

Browse Source 
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
2020-03-25 08:40:36 -07:00
parent 6284454ae5
commit 2e420ad8b6
3 changed files with 29 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
wgengine/filter/filter.go
View File

@@ -2,6 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package filter contains a stateful packet filter.
package filter
import (
@@ -17,14 +18,17 @@ import (
type filterState struct {
mu sync.Mutex
lru *lru.Cache
lru *lru.Cache // of tuple
}
// Filter is a stateful packet filter.
type Filter struct {
matches Matches
state *filterState
}
// Response is a verdict: either a Drop, Accept, or noVerdict skip to
// continue processing.
type Response int
const (
@@ -46,6 +50,7 @@ func (r Response) String() string {
}
}
// RunFlags controls the filter's debug log verbosity at runtime.
type RunFlags int
const (
@@ -62,27 +67,34 @@ type tuple struct {
DstPort uint16
}
const LRU_MAX = 512 // max entries in UDP LRU cache
const lruMax = 512 // max entries in UDP LRU cache
// MatchAllowAll matches all packets.
var MatchAllowAll = Matches{
Match{[]IPPortRange{IPPortRangeAny}, []IP{IPAny}},
}
// NewAllowAll returns a packet filter that accepts everything.
func NewAllowAll() *Filter {
return New(MatchAllowAll, nil)
}
// NewAllowNone returns a packet filter that rejects everything.
func NewAllowNone() *Filter {
return New(nil, nil)
}
// New creates a new packet Filter with the given Matches rules.
// If shareStateWith is non-nil, the returned filter shares state
// with the previous one, to enable rules to be changed at runtime
// without breaking existing flows.
func New(matches Matches, shareStateWith *Filter) *Filter {
var state *filterState
if shareStateWith != nil {
state = shareStateWith.state
} else {
state = &filterState{
lru: lru.New(LRU_MAX),
lru: lru.New(lruMax),
}
}
f := &Filter{
@@ -200,9 +212,10 @@ func (f *Filter) runOut(q *packet.QDecode) (r Response, why string) {
// TODO(apenwarr): create sessions on ICMP Echo Request too.
if q.IPProto == packet.UDP {
t := tuple{q.DstIP, q.SrcIP, q.DstPort, q.SrcPort}
var ti interface{} = t // allocate once, rather than twice inside mutex
f.state.mu.Lock()
f.state.lru.Add(t, t)
f.state.lru.Add(ti, ti)
f.state.mu.Unlock()
}
return Accept, "ok out"