diff --git a/wgengine/filter/match.go b/wgengine/filter/match.go
index 2d6f71d19..b0ebfbb41 100644
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -6,6 +6,7 @@ package filter
 import (
 	"fmt"
 	"net/netip"
+	"slices"
 	"strings"
 
 	"tailscale.com/net/packet"
@@ -100,7 +101,7 @@ type matches []Match
 
 func (ms matches) match(q *packet.Parsed) bool {
 	for _, m := range ms {
-		if !protoInList(q.IPProto, m.IPProto) {
+		if !slices.Contains(m.IPProto, q.IPProto) {
 			continue
 		}
 		if !ipInList(q.Src.Addr(), m.Srcs) {
@@ -138,7 +139,7 @@ func (ms matches) matchIPsOnly(q *packet.Parsed) bool {
 // ignored, as long as the match is for the entire uint16 port range.
 func (ms matches) matchProtoAndIPsOnlyIfAllPorts(q *packet.Parsed) bool {
 	for _, m := range ms {
-		if !protoInList(q.IPProto, m.IPProto) {
+		if !slices.Contains(m.IPProto, q.IPProto) {
 			continue
 		}
 		if !ipInList(q.Src.Addr(), m.Srcs) {
@@ -164,12 +165,3 @@ func ipInList(ip netip.Addr, netlist []netip.Prefix) bool {
 	}
 	return false
 }
-
-func protoInList(proto ipproto.Proto, valid []ipproto.Proto) bool {
-	for _, v := range valid {
-		if proto == v {
-			return true
-		}
-	}
-	return false
-}