wgengine/filter: actually use the passed CapTestFunc [capver 109]

Initial support for SrcCaps was added in 5ec01bf but it was not actually
working without this.

Updates #12542

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Anton Tolchanov 2024-11-11 16:51:58 +00:00 committed by Anton Tolchanov
parent 48343ee673
commit 9f33aeb649
2 changed files with 14 additions and 12 deletions


@ -142,7 +142,7 @@
// - 97: 2024-06-06: Client understands NodeAttrDisableSplitDNSWhenNoCustomResolvers // - 97: 2024-06-06: Client understands NodeAttrDisableSplitDNSWhenNoCustomResolvers
// - 98: 2024-06-13: iOS/tvOS clients may provide serial number as part of posture information // - 98: 2024-06-13: iOS/tvOS clients may provide serial number as part of posture information
// - 99: 2024-06-14: Client understands NodeAttrDisableLocalDNSOverrideViaNRPT // - 99: 2024-06-14: Client understands NodeAttrDisableLocalDNSOverrideViaNRPT
// - 100: 2024-06-18: Client supports filtertype.Match.SrcCaps (issue #12542) // - 100: 2024-06-18: Initial support for filtertype.Match.SrcCaps - actually usable in capver 109 (issue #12542)
// - 101: 2024-07-01: Client supports SSH agent forwarding when handling connections with /bin/su // - 101: 2024-07-01: Client supports SSH agent forwarding when handling connections with /bin/su
// - 102: 2024-07-12: NodeAttrDisableMagicSockCryptoRouting support // - 102: 2024-07-12: NodeAttrDisableMagicSockCryptoRouting support
// - 103: 2024-07-24: Client supports NodeAttrDisableCaptivePortalDetection // - 103: 2024-07-24: Client supports NodeAttrDisableCaptivePortalDetection
@ -151,7 +151,8 @@
// - 106: 2024-09-03: fix panic regression from cryptokey routing change (65fe0ba7b5) // - 106: 2024-09-03: fix panic regression from cryptokey routing change (65fe0ba7b5)
// - 107: 2024-10-30: add App Connector to conffile (PR #13942) // - 107: 2024-10-30: add App Connector to conffile (PR #13942)
// - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services. // - 108: 2024-11-08: Client sends ServicesHash in Hostinfo, understands c2n GET /vip-services.
const CurrentCapabilityVersion CapabilityVersion = 108 // - 109: 2024-11-18: Client supports filtertype.Match.SrcCaps (issue #12542)
const CurrentCapabilityVersion CapabilityVersion = 109
type StableID string type StableID string


@ -202,16 +202,17 @@ func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet,
} }
f := &Filter{ f := &Filter{
logf: logf, logf: logf,
matches4: matchesFamily(matches, netip.Addr.Is4), matches4: matchesFamily(matches, netip.Addr.Is4),
matches6: matchesFamily(matches, netip.Addr.Is6), matches6: matchesFamily(matches, netip.Addr.Is6),
cap4: capMatchesFunc(matches, netip.Addr.Is4), cap4: capMatchesFunc(matches, netip.Addr.Is4),
cap6: capMatchesFunc(matches, netip.Addr.Is6), cap6: capMatchesFunc(matches, netip.Addr.Is6),
local4: ipset.FalseContainsIPFunc(), local4: ipset.FalseContainsIPFunc(),
local6: ipset.FalseContainsIPFunc(), local6: ipset.FalseContainsIPFunc(),
logIPs4: ipset.FalseContainsIPFunc(), logIPs4: ipset.FalseContainsIPFunc(),
logIPs6: ipset.FalseContainsIPFunc(), logIPs6: ipset.FalseContainsIPFunc(),
state: state, state: state,
srcIPHasCap: capTest,
} }
if localNets != nil { if localNets != nil {
p := localNets.Prefixes() p := localNets.Prefixes()
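Review bot: The added `srcIPHasCap: capTest,` line fixes a field that was silently left unset, but no regression test comes with it: the page lists 2 changed files and neither of the two shown appears to be a test file. Since SrcCaps decides which sources a filter rule admits, a test that builds a Filter through New with a Match using SrcCaps and asserts both the accepted and the dropped case would catch the field going unassigned again. The value is also stored without a nil check, and whether a nil capTest is safe depends on the call sites of srcIPHasCap, which are outside this hunk. If nil is meant to be allowed, say so on New's doc comment, for example `// capTest may be nil; TODO confirm how SrcCaps matches behave in that case.`, otherwise reject it at the top of New. New's body starts before and continues after the hunk.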