wgengine/filter: drop multicast packets out, don't log about them

Eventually we'll probably support multicast. For now it's just log spam. Fixes #629
2025-10-10 09:45:08 +00:00 · 2020-09-25 11:06:48 -07:00
parent bbb56f2303
commit 5f807c389e
3 changed files with 24 additions and 0 deletions
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -367,6 +367,11 @@ func (f *Filter) pre(q *packet.ParsedPacket, rf RunFlags, dir direction) Respons
 		f.logRateLimit(rf, q, dir, Drop, "ipv6")
 		return Drop
 	}
+	if q.DstIP.IsMulticast() {
+		f.logRateLimit(rf, q, dir, Drop, "multicast")
+		return Drop
+	}
+
 	switch q.IPProto {
 	case packet.Unknown:
 		// Unknown packets are dangerous; always drop them.
@@ -409,6 +414,9 @@ func omitDropLogging(p *packet.ParsedPacket, dir direction) bool {
 			if ipProto == packet.IGMP {
 				return true
 			}
+			if p.DstIP.IsMulticast() {
+				return true
+			}
 		case 6:
 			if len(b) < 40 {
 				return false
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
@@ -379,6 +379,18 @@ func TestOmitDropLogging(t *testing.T) {
 			dir:  out,
 			want: true,
 		},
+		{
+			name: "v6_multicast_out_low",
+			pkt:  &packet.ParsedPacket{IPVersion: 4, DstIP: packet.NewIP(net.ParseIP("224.0.0.0"))},
+			dir:  out,
+			want: true,
+		},
+		{
+			name: "v6_multicast_out_high",
+			pkt:  &packet.ParsedPacket{IPVersion: 4, DstIP: packet.NewIP(net.ParseIP("239.255.255.255"))},
+			dir:  out,
+			want: true,
+		},
 	}

 	for _, tt := range tests {