mirror of
https://github.com/tailscale/tailscale.git
synced 2025-02-18 02:48:40 +00:00
wgengine/filter: include IP proto number in unknown protocol errors
Updates #6423 Change-Id: I9e363922e2c24fdc42687707c069af5bba68b93e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
parent
006ec659e6
commit
3386a59cf1
@ -388,6 +388,17 @@ func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) Response {
|
||||
return r
|
||||
}
|
||||
|
||||
var unknownProtoStringCache sync.Map // ipproto.Proto -> string
|
||||
|
||||
func unknownProtoString(proto ipproto.Proto) string {
|
||||
if v, ok := unknownProtoStringCache.Load(proto); ok {
|
||||
return v.(string)
|
||||
}
|
||||
s := fmt.Sprintf("unknown-protocol-%d", proto)
|
||||
unknownProtoStringCache.Store(proto, s)
|
||||
return s
|
||||
}
|
||||
|
||||
func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
|
||||
// A compromised peer could try to send us packets for
|
||||
// destinations we didn't explicitly advertise. This check is to
|
||||
@ -443,7 +454,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
|
||||
if f.matches4.matchProtoAndIPsOnlyIfAllPorts(q) {
|
||||
return Accept, "otherproto ok"
|
||||
}
|
||||
return Drop, "Unknown proto"
|
||||
return Drop, unknownProtoString(q.IPProto)
|
||||
}
|
||||
return Drop, "no rules matched"
|
||||
}
|
||||
@ -503,7 +514,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
|
||||
if f.matches6.matchProtoAndIPsOnlyIfAllPorts(q) {
|
||||
return Accept, "otherproto ok"
|
||||
}
|
||||
return Drop, "Unknown proto"
|
||||
return Drop, unknownProtoString(q.IPProto)
|
||||
}
|
||||
return Drop, "no rules matched"
|
||||
}
|
||||
|
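Review bot: `unknownProtoStringCache` in the first hunk is keyed by `q.IPProto`, a value taken from inbound packets that the sending peer chooses, and nothing at the declaration records why the map cannot grow without limit. If `ipproto.Proto` is an 8-bit type, as the IP protocol field suggests (its definition is not visible here), the cache tops out at 256 short strings and is safe. That bound deserves a comment so a later widening of the type, or reuse of this pattern with a larger key, is caught in review, for example `// Keyed by a peer-controlled header field; bounded at 256 entries because ipproto.Proto is 8 bits wide.` The separate `Load` then `Store` in `unknownProtoString` can format the same string twice under concurrency, which is harmless here, though `LoadOrStore` would state the intent more directly.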