wgengine/filter: drop multicast packets out, don't log about them

Eventually we'll probably support multicast. For now it's just log spam.

Fixes #629

wgengine/filter/filter.go

@@ -367,6 +367,11 @@ func (f *Filter) pre(q *packet.ParsedPacket, rf RunFlags, dir direction) Respons
 		f.logRateLimit(rf, q, dir, Drop, "ipv6")
 		return Drop
 	}
+	if q.DstIP.IsMulticast() {
+		f.logRateLimit(rf, q, dir, Drop, "multicast")
+		return Drop
+	}
+
 	switch q.IPProto {
 	case packet.Unknown:
 		// Unknown packets are dangerous; always drop them.
@@ -409,6 +414,9 @@ func omitDropLogging(p *packet.ParsedPacket, dir direction) bool {
 			if ipProto == packet.IGMP {
 				return true
 			}
+			if p.DstIP.IsMulticast() {
+				return true
+			}
 		case 6:
 			if len(b) < 40 {
 				return false

wgengine/filter/filter_test.go

@@ -379,6 +379,18 @@ func TestOmitDropLogging(t *testing.T) {
 			dir:  out,
 			want: true,
 		},
+		{
+			name: "v6_multicast_out_low",
+			pkt:  &packet.ParsedPacket{IPVersion: 4, DstIP: packet.NewIP(net.ParseIP("224.0.0.0"))},
+			dir:  out,
+			want: true,
+		},
+		{
+			name: "v6_multicast_out_high",
+			pkt:  &packet.ParsedPacket{IPVersion: 4, DstIP: packet.NewIP(net.ParseIP("239.255.255.255"))},
+			dir:  out,
+			want: true,
+		},
 	}
 
 	for _, tt := range tests {

wgengine/packet/ip.go

@@ -39,6 +39,10 @@ func (ip IP) String() string {
 	return fmt.Sprintf("%d.%d.%d.%d", byte(ip>>24), byte(ip>>16), byte(ip>>8), byte(ip))
 }
 
+func (ip IP) IsMulticast() bool {
+	return byte(ip>>24)&0xf0 == 0xe0
+}
+
 // IPProto is either a real IP protocol (ITCP, UDP, ...) or an special value like Unknown.
 // If it is a real IP protocol, its value corresponds to its IP protocol number.
 type IPProto uint8