tailcfg: add FilterRule.IPProto

Updates #1516 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-10-21 07:28:45 +00:00 · 2021-03-17 14:24:32 -07:00
parent 32562a82a9
commit 90a6fb7ffe
7 changed files with 169 additions and 16 deletions
--- a/wgengine/filter/match.go
+++ b/wgengine/filter/match.go
@@ -47,11 +47,13 @@ func (npr NetPortRange) String() string {
 // Match matches packets from any IP address in Srcs to any ip:port in
 // Dsts.
 type Match struct {
-	Dsts []NetPortRange
-	Srcs []netaddr.IPPrefix
+	IPProto []packet.IPProto // required set (no default value at this layer)
+	Dsts    []NetPortRange
+	Srcs    []netaddr.IPPrefix
 }

 func (m Match) String() string {
+	// TODO(bradfitz): use strings.Builder, add String tests
 	srcs := []string{}
 	for _, src := range m.Srcs {
 		srcs = append(srcs, src.String())
@@ -72,13 +74,16 @@ func (m Match) String() string {
 	} else {
 		ds = "[" + strings.Join(dsts, ",") + "]"
 	}
-	return fmt.Sprintf("%v=>%v", ss, ds)
+	return fmt.Sprintf("%v%v=>%v", m.IPProto, ss, ds)
 }

 type matches []Match

 func (ms matches) match(q *packet.Parsed) bool {
 	for _, m := range ms {
+		if !protoInList(q.IPProto, m.IPProto) {
+			continue
+		}
 		if !ipInList(q.Src.IP, m.Srcs) {
 			continue
 		}
@@ -117,3 +122,12 @@ func ipInList(ip netaddr.IP, netlist []netaddr.IPPrefix) bool {
 	}
 	return false
 }
+
+func protoInList(proto packet.IPProto, valid []packet.IPProto) bool {
+	for _, v := range valid {
+		if proto == v {
+			return true
+		}
+	}
+	return false
+}