wgengine/filter: allow ICMP response packets.

Longer term, we should probably update the packet filter to be fully stateful, for both TCP and ICMP. That is, only ICMP packets related to a session *we* initiated should be allowed back in. But this is reasonably secure for now, since wireguard is already trimming most traffic. The current code would not protect against eg. Ping-of-Death style attacks from VPN nodes. Fixes tailscale/tailscale#290. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2025-12-02 18:11:59 +00:00 · 2020-04-29 03:53:32 -04:00
parent dbc1f71e5d
commit 85e675940d
2 changed files with 34 additions and 9 deletions
--- a/wgengine/packet/packet.go
+++ b/wgengine/packet/packet.go
@@ -94,8 +94,10 @@ func (ipp *IP) UnmarshalJSON(b []byte) error {
 }

 const (
-	EchoReply   uint8 = 0x00
-	EchoRequest uint8 = 0x08
+	EchoReply    uint8 = 0x00
+	EchoRequest  uint8 = 0x08
+	Unreachable  uint8 = 0x03
+	TimeExceeded uint8 = 0x0B
 )

 const (
@@ -315,6 +317,18 @@ func (q *QDecode) IsTCPSyn() bool {
 	return (q.TCPFlags & SynAck) == Syn
 }

+// For a packet that has already been decoded, check if it's an IPv4 ICMP
+// "Error" packet.
+func (q *QDecode) IsError() bool {
+	if q.IPProto == ICMP && len(q.b) >= q.subofs+8 {
+		switch q.b[q.subofs] {
+		case Unreachable, TimeExceeded:
+			return true
+		}
+	}
+	return false
+}
+
 // For a packet that has already been decoded, check if it's an IPv4 ICMP
 // Echo Request.
 func (q *QDecode) IsEchoRequest() bool {
@@ -324,6 +338,15 @@ func (q *QDecode) IsEchoRequest() bool {
 	return false
 }

+// For a packet that has already been decoded, check if it's an IPv4 ICMP
+// Echo Response.
+func (q *QDecode) IsEchoResponse() bool {
+	if q.IPProto == ICMP && len(q.b) >= q.subofs+8 {
+		return q.b[q.subofs] == EchoReply && q.b[q.subofs+1] == 0
+	}
+	return false
+}
+
 func (q *QDecode) EchoRespond() []byte {
 	icmpid := binary.BigEndian.Uint16(q.Sub(4, 2))
 	b := q.Trim()