TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-02-18 02:48:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

wgengine/filter: include IP proto number in unknown protocol errors

Browse Source 
Updates #6423

Change-Id: I9e363922e2c24fdc42687707c069af5bba68b93e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2023-01-14 08:24:16 -08:00 committed by Brad Fitzpatrick
parent 006ec659e6
commit 3386a59cf1
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
wgengine/filter/filter.go
View File

@ -388,6 +388,17 @@ func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) Response {
return r
}
var unknownProtoStringCache sync.Map // ipproto.Proto -> string
func unknownProtoString(proto ipproto.Proto) string {
if v, ok := unknownProtoStringCache.Load(proto); ok {
return v.(string)
}
s := fmt.Sprintf("unknown-protocol-%d", proto)
unknownProtoStringCache.Store(proto, s)
return s
}
func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
// A compromised peer could try to send us packets for
// destinations we didn't explicitly advertise. This check is to
@ -443,7 +454,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
if f.matches4.matchProtoAndIPsOnlyIfAllPorts(q) {
return Accept, "otherproto ok"
}
return Drop, "Unknown proto"
return Drop, unknownProtoString(q.IPProto)
}
return Drop, "no rules matched"
}
@ -503,7 +514,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
if f.matches6.matchProtoAndIPsOnlyIfAllPorts(q) {
return Accept, "otherproto ok"
}
return Drop, "Unknown proto"
return Drop, unknownProtoString(q.IPProto)
}
return Drop, "no rules matched"
}