From 9f33aeb649f279412f6b7b24a61506ef37fadb47 Mon Sep 17 00:00:00 2001
From: Anton Tolchanov
Date: Mon, 11 Nov 2024 16:51:58 +0000
Subject: [PATCH] wgengine/filter: actually use the passed CapTestFunc [capver 109]

Initial support for SrcCaps was added in 5ec01bf but it was not actually working without this.

Updates #12542

Signed-off-by: Anton Tolchanov
---
 tailcfg/tailcfg.go | 5 +++--
 wgengine/filter/filter.go | 21 +++++++++++----------
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 1b283a2fc..897e8d27f 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -142,7 +142,7 @@
 // - 97: 2024-06-06: Client understands NodeAttrDisableSplitDNSWhenNoCustomResolvers
 // - 98: 2024-06-13: iOS/tvOS clients may provide serial number as part of posture information
 // - 99: 2024-06-14: Client understands NodeAttrDisableLocalDNSOverrideViaNRPT
-// - 100: 2024-06-18: Client supports filtertype.Match.SrcCaps (issue #12542)
+// - 100: 2024-06-18: Initial support for filtertype.Match.SrcCaps - actually usable in capver 109 (issue #12542)
 // - 101: 2024-07-01: Client supports SSH agent forwarding when handling connections with /bin/su
 // - 102: 2024-07-12: NodeAttrDisableMagicSockCryptoRouting support
 // - 103: 2024-07-24: Client supports NodeAttrDisableCaptivePortalDetection
@@ -151,7 +151,8 @@
 // - 106: 2024-09-03: fix panic regression from cryptokey routing change (65fe0ba7b5)
 // - 107: 2024-10-30: add App Connector to conffile (PR #13942)
 // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services.
-const CurrentCapabilityVersion CapabilityVersion = 108
+// - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542)
+const CurrentCapabilityVersion CapabilityVersion = 109
 type StableID string
diff --git a/wgengine/filter/filter.go b/wgengine/filter/filter.go
index 56224ac5d..9e5d8a37f 100644
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -202,16 +202,17 @@ func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet,
 }
 f := &Filter{
- logf: logf,
- matches4: matchesFamily(matches, netip.Addr.Is4),
- matches6: matchesFamily(matches, netip.Addr.Is6),
- cap4: capMatchesFunc(matches, netip.Addr.Is4),
- cap6: capMatchesFunc(matches, netip.Addr.Is6),
- local4: ipset.FalseContainsIPFunc(),
- local6: ipset.FalseContainsIPFunc(),
- logIPs4: ipset.FalseContainsIPFunc(),
- logIPs6: ipset.FalseContainsIPFunc(),
- state: state,
+ logf: logf,
+ matches4: matchesFamily(matches, netip.Addr.Is4),
+ matches6: matchesFamily(matches, netip.Addr.Is6),
+ cap4: capMatchesFunc(matches, netip.Addr.Is4),
+ cap6: capMatchesFunc(matches, netip.Addr.Is6),
+ local4: ipset.FalseContainsIPFunc(),
+ local6: ipset.FalseContainsIPFunc(),
+ logIPs4: ipset.FalseContainsIPFunc(),
+ logIPs6: ipset.FalseContainsIPFunc(),
+ state: state,
+ srcIPHasCap: capTest,
 }
 if localNets != nil {
 p := localNets.Prefixes()
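Review bot: Nothing in this patch exercises the new `srcIPHasCap: capTest,` assignment in `New`; the diffstat lists only tailcfg/tailcfg.go and wgengine/filter/filter.go, so the defect being fixed (a passed CapTestFunc that was never stored, leaving SrcCaps rules not working) can come back without any test failing. A filter test that builds a `Match` with only `SrcCaps` set, passes a non-nil `capTest` to `New`, and asserts that a packet is accepted when the func returns true and dropped when it returns false would pin the access-control behaviour. The hunk also does not show whether callers may pass a nil `capTest`; if they can, the doc comment on `New` should say so, for example `// capTest may be nil, in which case SrcCaps-based rules never match.`, provided the match path nil-checks it, which is not visible here. `New`'s body starts and ends outside the hunk.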