wgengine/filter: add check for unknown proto
Updates #14280 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

committed by
Kristoffer Dalby

parent
f39ee8e520
commit
f0b63d0eec
@ -41,6 +41,9 @@ const (
|
|||||||
// ReasonFragment means that the packet was dropped because it was an IP fragment.
|
// ReasonFragment means that the packet was dropped because it was an IP fragment.
|
||||||
ReasonFragment DropReason = "fragment"
|
ReasonFragment DropReason = "fragment"
|
||||||
|
|
||||||
|
// ReasonUnknownProtocol means that the packet was dropped because it was an unknown protocol.
|
||||||
|
ReasonUnknownProtocol DropReason = "unknown_protocol"
|
||||||
|
|
||||||
// ReasonError means that the packet was dropped because of an error.
|
// ReasonError means that the packet was dropped because of an error.
|
||||||
ReasonError DropReason = "error"
|
ReasonError DropReason = "error"
|
||||||
)
|
)
|
||||||
|
@ -621,6 +621,11 @@ func (f *Filter) pre(q *packet.Parsed, rf RunFlags, dir direction) (Response, us
|
|||||||
return Drop, usermetric.ReasonTooShort
|
return Drop, usermetric.ReasonTooShort
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if q.IPProto == ipproto.Unknown {
|
||||||
|
f.logRateLimit(rf, q, dir, Drop, "unknown proto")
|
||||||
|
return Drop, usermetric.ReasonUnknownProtocol
|
||||||
|
}
|
||||||
|
|
||||||
if q.Dst.Addr().IsMulticast() {
|
if q.Dst.Addr().IsMulticast() {
|
||||||
f.logRateLimit(rf, q, dir, Drop, "multicast")
|
f.logRateLimit(rf, q, dir, Drop, "multicast")
|
||||||
return Drop, usermetric.ReasonMulticast
|
return Drop, usermetric.ReasonMulticast
|
||||||
|
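Review bot: The new `q.IPProto == ipproto.Unknown` branch in pre() has no comment explaining why the drop happens here, and its log text "unknown proto" says no more than the metric label does. pre() takes a `dir` argument, so the drop presumably applies to inbound and outbound packets alike before any rule is consulted; a comment such as `// Drop packets whose IP protocol the parser could not classify, in either direction, before rule matching.` would record that. If the parser collapses every unrecognised protocol number into ipproto.Unknown (not visible in this hunk), the original number is gone by this point, so confirm that logRateLimit prints enough of `q` for an operator to identify the dropped traffic. The body of pre() starts and ends outside the hunk.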
@ -390,7 +390,8 @@ func TestPreFilter(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
{"empty", Accept, "", []byte{}},
|
{"empty", Accept, "", []byte{}},
|
||||||
{"short", Drop, usermetric.ReasonTooShort, []byte("short")},
|
{"short", Drop, usermetric.ReasonTooShort, []byte("short")},
|
||||||
{"junk", Drop, "", raw4default(ipproto.Unknown, 10)},
|
{"short-junk", Drop, usermetric.ReasonTooShort, raw4default(ipproto.Unknown, 10)},
|
||||||
|
{"long-junk", Drop, usermetric.ReasonUnknownProtocol, raw4default(ipproto.Unknown, 21)},
|
||||||
{"fragment", Accept, "", raw4default(ipproto.Fragment, 40)},
|
{"fragment", Accept, "", raw4default(ipproto.Fragment, 40)},
|
||||||
{"tcp", noVerdict, "", raw4default(ipproto.TCP, 0)},
|
{"tcp", noVerdict, "", raw4default(ipproto.TCP, 0)},
|
||||||
{"udp", noVerdict, "", raw4default(ipproto.UDP, 0)},
|
{"udp", noVerdict, "", raw4default(ipproto.UDP, 0)},
|
||||||
|
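Review bot: The two junk cases at lengths 10 and 21 do not pin the exact length at which the result switches from ReasonTooShort to ReasonUnknownProtocol, and both are built with raw4default, so only IPv4 is exercised. Add a case at the boundary length itself (presumably the minimum IPv4 header size, which this hunk does not show) and, if pre() takes the same branch for IPv6, one IPv6 packet with an unrecognised next header. A comment above the pair, such as `// below the minimum length the too-short check wins; above it the protocol check does`, would explain why the same protocol yields two different reasons. TestPreFilter's table continues outside the hunk.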