wgengine/filter: also silently drop link-local unicast traffic

Updates #629
2025-12-22 16:46:29 +00:00 · 2020-09-25 11:47:38 -07:00
parent 5f807c389e
commit 73cc2d8f89
3 changed files with 17 additions and 3 deletions
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -371,6 +371,10 @@ func (f *Filter) pre(q *packet.ParsedPacket, rf RunFlags, dir direction) Respons
 		f.logRateLimit(rf, q, dir, Drop, "multicast")
 		return Drop
 	}
+	if q.DstIP.IsLinkLocalUnicast() {
+		f.logRateLimit(rf, q, dir, Drop, "link-local-unicast")
+		return Drop
+	}

 	switch q.IPProto {
 	case packet.Unknown:
@@ -414,7 +418,7 @@ func omitDropLogging(p *packet.ParsedPacket, dir direction) bool {
 			if ipProto == packet.IGMP {
 				return true
 			}
-			if p.DstIP.IsMulticast() {
+			if p.DstIP.IsMulticast() || p.DstIP.IsLinkLocalUnicast() {
 				return true
 			}
 		case 6: