net/ipset, wgengine/filter/filtertype: add split-out packages

This moves NewContainsIPFunc from tsaddr to new ipset package. And wgengine/filter types gets split into wgengine/filter/filtertype, so netmap (and thus the CLI, etc) doesn't need to bring in ipset, bart, etc. Then add a test making sure the CLI deps don't regress. Updates #1278 Change-Id: Ia246d6d9502bbefbdeacc4aef1bed9c8b24f54d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-10-24 17:48:57 +00:00 · 2024-06-16 11:34:11 -07:00
parent 36b1b4af2f
commit 86e0f9b912
20 changed files with 388 additions and 347 deletions
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -4,101 +4,13 @@
 package filter

 import (
-	"fmt"
-	"net/netip"
 	"slices"
-	"strings"

 	"tailscale.com/net/packet"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/ipproto"
+	"tailscale.com/wgengine/filter/filtertype"
 )

-//go:generate go run tailscale.com/cmd/cloner --type=Match,CapMatch
-
-// PortRange is a range of TCP and UDP ports.
-type PortRange struct {
-	First, Last uint16 // inclusive
-}
-
-var allPorts = PortRange{0, 0xffff}
-
-func (pr PortRange) String() string {
-	if pr.First == 0 && pr.Last == 65535 {
-		return "*"
-	} else if pr.First == pr.Last {
-		return fmt.Sprintf("%d", pr.First)
-	} else {
-		return fmt.Sprintf("%d-%d", pr.First, pr.Last)
-	}
-}
-
-// contains returns whether port is in pr.
-func (pr PortRange) contains(port uint16) bool {
-	return port >= pr.First && port <= pr.Last
-}
-
-// NetPortRange combines an IP address prefix and PortRange.
-type NetPortRange struct {
-	Net   netip.Prefix
-	Ports PortRange
-}
-
-func (npr NetPortRange) String() string {
-	return fmt.Sprintf("%v:%v", npr.Net, npr.Ports)
-}
-
-// CapMatch is a capability grant match predicate.
-type CapMatch struct {
-	// Dst is the IP prefix that the destination IP address matches against
-	// to get the capability.
-	Dst netip.Prefix
-
-	// Cap is the capability that's granted if the destination IP addresses
-	// matches Dst.
-	Cap tailcfg.PeerCapability
-
-	// Values are the raw JSON values of the capability.
-	// See tailcfg.PeerCapability and tailcfg.PeerCapMap for details.
-	Values []tailcfg.RawMessage
-}
-
-// Match matches packets from any IP address in Srcs to any ip:port in
-// Dsts.
-type Match struct {
-	IPProto      []ipproto.Proto // required set (no default value at this layer)
-	Srcs         []netip.Prefix
-	SrcsContains func(netip.Addr) bool `json:"-"` // report whether Addr is in Srcs
-	Dsts         []NetPortRange        // optional, if Srcs match
-	Caps         []CapMatch            // optional, if Srcs match
-}
-
-func (m Match) String() string {
-	// TODO(bradfitz): use strings.Builder, add String tests
-	srcs := []string{}
-	for _, src := range m.Srcs {
-		srcs = append(srcs, src.String())
-	}
-	dsts := []string{}
-	for _, dst := range m.Dsts {
-		dsts = append(dsts, dst.String())
-	}
-
-	var ss, ds string
-	if len(srcs) == 1 {
-		ss = srcs[0]
-	} else {
-		ss = "[" + strings.Join(srcs, ",") + "]"
-	}
-	if len(dsts) == 1 {
-		ds = dsts[0]
-	} else {
-		ds = "[" + strings.Join(dsts, ",") + "]"
-	}
-	return fmt.Sprintf("%v%v=>%v", m.IPProto, ss, ds)
-}
-
-type matches []Match
+type matches []filtertype.Match

 func (ms matches) match(q *packet.Parsed) bool {
 	for _, m := range ms {
@@ -112,7 +24,7 @@ func (ms matches) match(q *packet.Parsed) bool {
 			if !dst.Net.Contains(q.Dst.Addr()) {
 				continue
 			}
-			if !dst.Ports.contains(q.Dst.Port()) {
+			if !dst.Ports.Contains(q.Dst.Port()) {
 				continue
 			}
 			return true
@@ -147,7 +59,7 @@ func (ms matches) matchProtoAndIPsOnlyIfAllPorts(q *packet.Parsed) bool {
 			continue
 		}
 		for _, dst := range m.Dsts {
-			if dst.Ports != allPorts {
+			if dst.Ports != filtertype.AllPorts {
 				continue
 			}
 			if dst.Net.Contains(q.Dst.Addr()) {