wgengine/filter: remove helper vars, mark NewAllowAll test-only.

Signed-off-by: David Anderson <danderson@tailscale.com>

wgengine/filter/filter.go

@@ -89,10 +89,25 @@ const (
 	HexdumpAccepts                      // print packet hexdump when logging accepts
 )
 
-// NewAllowAll returns a packet filter that accepts everything to and
+// NewAllowAllForTest returns a packet filter that accepts
-// from localNets.
+// everything. Use in tests only, as it permits some kinds of spoofing
-func NewAllowAll(localNets []netaddr.IPPrefix, logf logger.Logf) *Filter {
+// attacks to reach the OS network stack.
-	return New([]Match{Match{NetPortRangeAny, NetAny}}, localNets, nil, logf)
+func NewAllowAllForTest(logf logger.Logf) *Filter {
+	any4 := netaddr.IPPrefix{IP: netaddr.IPv4(0, 0, 0, 0), Bits: 0} // TODO: IPv6
+	m := Match{
+		Srcs: []netaddr.IPPrefix{any4},
+		Dsts: []NetPortRange{
+			{
+				Net: any4,
+				Ports: PortRange{
+					First: 0,
+					Last:  65535,
+				},
+			},
+		},
+	}
+
+	return New([]Match{m}, []netaddr.IPPrefix{any4}, nil, logf)
 }
 
 // NewAllowNone returns a packet filter that rejects everything.

wgengine/filter/filter_test.go

@@ -58,7 +58,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
 
 func ports(s string) PortRange {
 	if s == "*" {
-		return PortRangeAny
+		return PortRange{First: 0, Last: 65535}
 	}
 
 	var fs, ls string

wgengine/filter/match.go

@@ -16,9 +16,6 @@ type PortRange struct {
 	First, Last uint16 // inclusive
 }
 
-// PortRangeAny represents all TCP and UDP ports.
-var PortRangeAny = PortRange{0, 65535}
-
 func (pr PortRange) String() string {
 	if pr.First == 0 && pr.Last == 65535 {
 		return "*"
@@ -34,10 +31,6 @@ func (pr PortRange) contains(port uint16) bool {
 	return port >= pr.First && port <= pr.Last
 }
 
-// NetAny matches all IP addresses.
-// TODO: add ipv6.
-var NetAny = []netaddr.IPPrefix{{IP: netaddr.IPv4(0, 0, 0, 0), Bits: 0}}
-
 // NetPortRange combines an IP address prefix and PortRange.
 type NetPortRange struct {
 	Net   netaddr.IPPrefix
@@ -48,9 +41,6 @@ func (npr NetPortRange) String() string {
 	return fmt.Sprintf("%v:%v", npr.Net, npr.Ports)
 }
 
-// NetPortRangeAny matches any IP and port.
-var NetPortRangeAny = []NetPortRange{{Net: NetAny[0], Ports: PortRangeAny}}
-
 // Match matches packets from any IP address in Srcs to any ip:port in
 // Dsts.
 type Match struct {

wgengine/magicsock/magicsock_test.go

@@ -158,7 +158,7 @@ func newMagicStack(t *testing.T, logf logger.Logf, l nettype.PacketListener, der
 
 	tun := tuntest.NewChannelTUN()
 	tsTun := tstun.WrapTUN(logf, tun.TUN())
-	tsTun.SetFilter(filter.NewAllowAll(filter.NetAny, logf))
+	tsTun.SetFilter(filter.NewAllowAllForTest(logf))
 
 	dev := device.NewDevice(tsTun, &device.DeviceOptions{
 		Logger: &device.Logger{

wgengine/tstun/tun_test.go

@@ -58,7 +58,7 @@ func nets(nets ...string) (ret []netaddr.IPPrefix) {
 
 func ports(s string) filter.PortRange {
 	if s == "*" {
-		return filter.PortRangeAny
+		return filter.PortRange{First: 0, Last: 65535}
 	}
 
 	var fs, ls string