wgengine/filter: let unknown IPProto match if IP okay & match allows all ports

RELNOTE=yes Change-Id: I96eaf3cf550cee7bb6cdb4ad81fc761e280a1b2a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-10-21 07:28:45 +00:00 · 2021-12-04 11:52:39 -08:00
parent 1813c2a162
commit 69de3bf7bf
3 changed files with 96 additions and 18 deletions
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -20,6 +20,8 @@ type PortRange struct {
 	First, Last uint16 // inclusive
 }

+var allPorts = PortRange{0, 0xffff}
+
 func (pr PortRange) String() string {
 	if pr.First == 0 && pr.Last == 65535 {
 		return "*"
@@ -115,6 +117,29 @@ func (ms matches) matchIPsOnly(q *packet.Parsed) bool {
 	return false
 }

+// matchProtoAndIPsOnlyIfAllPorts reports q matches any Match in ms where the
+// Match if for the right IP Protocol and IP address, but ports are
+// ignored, as long as the match is for the entire uint16 port range.
+func (ms matches) matchProtoAndIPsOnlyIfAllPorts(q *packet.Parsed) bool {
+	for _, m := range ms {
+		if !protoInList(q.IPProto, m.IPProto) {
+			continue
+		}
+		if !ipInList(q.Src.IP(), m.Srcs) {
+			continue
+		}
+		for _, dst := range m.Dsts {
+			if dst.Ports != allPorts {
+				continue
+			}
+			if dst.Net.Contains(q.Dst.IP()) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func ipInList(ip netaddr.IP, netlist []netaddr.IPPrefix) bool {
 	for _, net := range netlist {
 		if net.Contains(ip) {