From 7a549109901557791a867119e851d0d614608789 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Mon, 9 Nov 2020 22:02:03 -0800
Subject: [PATCH] wgengine/filter: remove helper vars, mark NewAllowAll test-only.

Signed-off-by: David Anderson
---
 wgengine/filter/filter.go | 23 +++++++++++++++++++----
 wgengine/filter/filter_test.go | 2 +-
 wgengine/filter/match.go | 10 ----------
 wgengine/magicsock/magicsock_test.go | 2 +-
 wgengine/tstun/tun_test.go | 2 +-
 5 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/wgengine/filter/filter.go b/wgengine/filter/filter.go
index a7a1a525e..ebd4cdc1d 100644
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -89,10 +89,25 @@ func (r Response) String() string {
 HexdumpAccepts // print packet hexdump when logging accepts
 )
 
-// NewAllowAll returns a packet filter that accepts everything to and
-// from localNets.
-func NewAllowAll(localNets []netaddr.IPPrefix, logf logger.Logf) *Filter {
- return New([]Match{Match{NetPortRangeAny, NetAny}}, localNets, nil, logf)
+// NewAllowAllForTest returns a packet filter that accepts
+// everything. Use in tests only, as it permits some kinds of spoofing
+// attacks to reach the OS network stack.
+func NewAllowAllForTest(logf logger.Logf) *Filter {
+ any4 := netaddr.IPPrefix{IP: netaddr.IPv4(0, 0, 0, 0), Bits: 0} // TODO: IPv6
+ m := Match{
+ Srcs: []netaddr.IPPrefix{any4},
+ Dsts: []NetPortRange{
+ {
+ Net: any4,
+ Ports: PortRange{
+ First: 0,
+ Last: 65535,
+ },
+ },
+ },
+ }
+
+ return New([]Match{m}, []netaddr.IPPrefix{any4}, nil, logf)
 }
 
 // NewAllowNone returns a packet filter that rejects everything.
diff --git a/wgengine/filter/filter_test.go b/wgengine/filter/filter_test.go
index a22fc6746..69646c2fc 100644
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
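Review bot: The doc comment on NewAllowAllForTest says the filter "accepts everything", but the only prefix in Srcs and Dsts is `any4` (0.0.0.0/0), so the match set is IPv4-only, as the `// TODO: IPv6` on the `any4` line already acknowledges. The comment should state the limitation so a test author who pushes IPv6 traffic through this filter is not surprised, e.g. `// NewAllowAllForTest returns a packet filter that accepts all IPv4 traffic (IPv6 is not yet matched; see the TODO below).` Because the function is exported from a non-test file, nothing but its name keeps production code from calling it; a sentence in the comment saying the name is the only guard would make that intent harder to miss. Whether any non-test caller remains is not visible from this hunk.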
@@ -58,7 +58,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
 
 func ports(s string) PortRange {
 if s == "*" {
- return PortRangeAny
+ return PortRange{First: 0, Last: 65535}
 }
 
 var fs, ls string
diff --git a/wgengine/filter/match.go b/wgengine/filter/match.go
index 68cbee010..27a976ab6 100644
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -16,9 +16,6 @@ type PortRange struct {
 First, Last uint16 // inclusive
 }
 
-// PortRangeAny represents all TCP and UDP ports.
-var PortRangeAny = PortRange{0, 65535}
-
 func (pr PortRange) String() string {
 if pr.First == 0 && pr.Last == 65535 {
 return "*"
@@ -34,10 +31,6 @@ func (pr PortRange) contains(port uint16) bool {
 return port >= pr.First && port <= pr.Last
 }
 
-// NetAny matches all IP addresses.
-// TODO: add ipv6.
-var NetAny = []netaddr.IPPrefix{{IP: netaddr.IPv4(0, 0, 0, 0), Bits: 0}}
-
 // NetPortRange combines an IP address prefix and PortRange.
 type NetPortRange struct {
 Net netaddr.IPPrefix
@@ -48,9 +41,6 @@ func (npr NetPortRange) String() string {
 return fmt.Sprintf("%v:%v", npr.Net, npr.Ports)
 }
 
-// NetPortRangeAny matches any IP and port.
-var NetPortRangeAny = []NetPortRange{{Net: NetAny[0], Ports: PortRangeAny}}
-
 // Match matches packets from any IP address in Srcs to any ip:port in
 // Dsts.
 type Match struct {
diff --git a/wgengine/magicsock/magicsock_test.go b/wgengine/magicsock/magicsock_test.go
index 9a369d241..17d931e1f 100644
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@@ -158,7 +158,7 @@ func newMagicStack(t *testing.T, logf logger.Logf, l nettype.PacketListener, der
 tun := tuntest.NewChannelTUN()
 tsTun := tstun.WrapTUN(logf, tun.TUN())
 
- tsTun.SetFilter(filter.NewAllowAll(filter.NetAny, logf))
+ tsTun.SetFilter(filter.NewAllowAllForTest(logf))
 
 dev := device.NewDevice(tsTun, &device.DeviceOptions{
 Logger: &device.Logger{
diff --git a/wgengine/tstun/tun_test.go b/wgengine/tstun/tun_test.go
index cccf1c89a..f6e363f18 100644
--- a/wgengine/tstun/tun_test.go
+++ b/wgengine/tstun/tun_test.go
@@ -58,7 +58,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
 
 func ports(s string) filter.PortRange {
 if s == "*" {
- return filter.PortRangeAny
+ return filter.PortRange{First: 0, Last: 65535}
 }
 
 var fs, ls string