TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-16 11:41:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

wgengine/filter: include IP proto number in unknown protocol errors

Browse Source 
Updates #6423

Change-Id: I9e363922e2c24fdc42687707c069af5bba68b93e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2023-01-14 08:24:16 -08:00 committed by Brad Fitzpatrick
parent 006ec659e6
commit 3386a59cf1
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
wgengine/filter/filter.go
View File

@ -388,6 +388,17 @@ func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) Response {
return r return r
} }
var unknownProtoStringCache sync.Map // ipproto.Proto -> string
func unknownProtoString(proto ipproto.Proto) string {
if v, ok := unknownProtoStringCache.Load(proto); ok {
return v.(string)
}
s := fmt.Sprintf("unknown-protocol-%d", proto)
unknownProtoStringCache.Store(proto, s)
return s
}
func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) { func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
// A compromised peer could try to send us packets for // A compromised peer could try to send us packets for
// destinations we didn't explicitly advertise. This check is to // destinations we didn't explicitly advertise. This check is to
@ -443,7 +454,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
if f.matches4.matchProtoAndIPsOnlyIfAllPorts(q) { if f.matches4.matchProtoAndIPsOnlyIfAllPorts(q) {
return Accept, "otherproto ok" return Accept, "otherproto ok"
} }
return Drop, "Unknown proto" return Drop, unknownProtoString(q.IPProto)
} }
return Drop, "no rules matched" return Drop, "no rules matched"
} }
@ -503,7 +514,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
if f.matches6.matchProtoAndIPsOnlyIfAllPorts(q) { if f.matches6.matchProtoAndIPsOnlyIfAllPorts(q) {
return Accept, "otherproto ok" return Accept, "otherproto ok"
} }
return Drop, "Unknown proto" return Drop, unknownProtoString(q.IPProto)
} }
return Drop, "no rules matched" return Drop, "no rules matched"
} }