wgengine/filter: add check for unknown proto

Updates #14280

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

util/usermetric/metrics.go

@@ -41,6 +41,9 @@ const (
 	// ReasonFragment means that the packet was dropped because it was an IP fragment.
 	ReasonFragment DropReason = "fragment"
 
+	// ReasonUnknownProtocol means that the packet was dropped because it was an unknown protocol.
+	ReasonUnknownProtocol DropReason = "unknown_protocol"
+
 	// ReasonError means that the packet was dropped because of an error.
 	ReasonError DropReason = "error"
 )

wgengine/filter/filter.go

@@ -621,6 +621,11 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) (Response, us
 		return Drop, usermetric.ReasonTooShort
 	}
 
+	if q.IPProto == ipproto.Unknown {
+		f.logRateLimit(rf, q, dir, Drop, "unknown proto")
+		return Drop, usermetric.ReasonUnknownProtocol
+	}
+
 	if q.Dst.Addr().IsMulticast() {
 		f.logRateLimit(rf, q, dir, Drop, "multicast")
 		return Drop, usermetric.ReasonMulticast

wgengine/filter/filter_test.go

@@ -390,7 +390,8 @@ func TestPreFilter(t *testing.T) {
 	}{
 		{"empty", Accept, "", []byte{}},
 		{"short", Drop, usermetric.ReasonTooShort, []byte("short")},
-		{"junk", Drop, "", raw4default(ipproto.Unknown, 10)},
+		{"short-junk", Drop, usermetric.ReasonTooShort, raw4default(ipproto.Unknown, 10)},
+		{"long-junk", Drop, usermetric.ReasonUnknownProtocol, raw4default(ipproto.Unknown, 21)},
 		{"fragment", Accept, "", raw4default(ipproto.Fragment, 40)},
 		{"tcp", noVerdict, "", raw4default(ipproto.TCP, 0)},
 		{"udp", noVerdict, "", raw4default(ipproto.UDP, 0)},