From 3c508a58ccd8cafce15c0f43d4487e4504e0b278 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Mon, 16 Nov 2020 14:06:37 -0800
Subject: [PATCH] wgengine/filter: don't filter GCP DNS.

Signed-off-by: David Anderson
---
 net/packet/ip4.go | 7 +++++++
 wgengine/filter/filter.go | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/packet/ip4.go b/net/packet/ip4.go
index 2731bed99..9203ccc53 100644
--- a/net/packet/ip4.go
+++ b/net/packet/ip4.go
@@ -40,6 +40,13 @@ func (ip IP4) IsLinkLocalUnicast() bool {
 	return byte(ip>>24) == 169 && byte(ip>>16) == 254
 }
 
+// IsMostLinkLocalUnicast returns whether ip is a link-local unicast
+// address other than the magical "169.254.169.254" address used by
+// GCP DNS.
+func (ip IP4) IsMostLinkLocalUnicast() bool {
+	return ip.IsLinkLocalUnicast() && ip != 0xA9FEA9FE
+}
+
 // ip4HeaderLength is the length of an IPv4 header with no IP options.
 const ip4HeaderLength = 20
 
diff --git a/wgengine/filter/filter.go b/wgengine/filter/filter.go
index 04fe7f70a..d363c8b3b 100644
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -454,7 +454,7 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) Response {
 		f.logRateLimit(rf, q, dir, Drop, "multicast")
 		return Drop
 	}
-	if q.DstIP4.IsLinkLocalUnicast() {
+	if q.DstIP4.IsMostLinkLocalUnicast() {
 		f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
 		return Drop
 	}
@@ -495,7 +495,7 @@ func omitDropLogging(p *packet.Parsed, dir direction) bool {
 
 	switch p.IPVersion {
 	case 4:
-		return p.DstIP4.IsMulticast() || p.DstIP4.IsLinkLocalUnicast() || p.IPProto == packet.IGMP
+		return p.DstIP4.IsMulticast() || p.DstIP4.IsMostLinkLocalUnicast() || p.IPProto == packet.IGMP
 	case 6:
 		return p.DstIP6.IsMulticast() || p.DstIP6.IsLinkLocalUnicast()
 	default:
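Review bot: The doc comment on the new `IsMostLinkLocalUnicast` describes 169.254.169.254 only as the GCP DNS address, but that address is also the instance metadata endpoint on GCP (and on other clouds), so exempting it from the link-local check means packets to it are no longer dropped unconditionally by callers and instead fall through to whatever those callers do next. The comment should state that consequence, e.g. `// 169.254.169.254 is also the cloud instance metadata endpoint; callers that relied on the link-local drop to reject it must handle it explicitly.` The bare literal `0xA9FEA9FE` in the comparison is easy to misread; a named constant declared next to the method, such as `const ip4GCPDNSAndMetadata IP4 = 0xA9FEA9FE // 169.254.169.254`, would make the comparison self-documenting.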
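Review bot: Switching omitDropLogging to `IsMostLinkLocalUnicast` in the `case 4:` return means drops of packets addressed to 169.254.169.254 are no longer suppressed from the rate-limited drop log, which is useful for seeing tunnel traffic aimed at the metadata/DNS address, but nothing in the hunk records that this is intentional. A comment above the return, `// 169.254.169.254 (GCP DNS / metadata) is deliberately not exempted so that drops to it stay visible in the logs.`, would keep a later reader from reverting it to IsLinkLocalUnicast for symmetry with the IPv6 case. Since pre() in the previous hunk no longer drops that address itself, these logged drops presumably come from later filter rules; worth confirming that is the intended source. omitDropLogging's body begins outside the hunk.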