wgengine/filter: include IP proto number in unknown protocol errors

Updates #6423

Change-Id: I9e363922e2c24fdc42687707c069af5bba68b93e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/6965/head
Brad Fitzpatrick 2 years ago committed by Brad Fitzpatrick
parent 006ec659e6
commit 3386a59cf1

@ -388,6 +388,17 @@ func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) Response {
return r return r
} }
var unknownProtoStringCache sync.Map // ipproto.Proto -> string
func unknownProtoString(proto ipproto.Proto) string {
if v, ok := unknownProtoStringCache.Load(proto); ok {
return v.(string)
}
s := fmt.Sprintf("unknown-protocol-%d", proto)
unknownProtoStringCache.Store(proto, s)
return s
}
func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) { func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
// A compromised peer could try to send us packets for // A compromised peer could try to send us packets for
// destinations we didn't explicitly advertise. This check is to // destinations we didn't explicitly advertise. This check is to
@ -443,7 +454,7 @@ func (f *Filter) runIn4(q *packet.Parsed) (r Response, why string) {
if f.matches4.matchProtoAndIPsOnlyIfAllPorts(q) { if f.matches4.matchProtoAndIPsOnlyIfAllPorts(q) {
return Accept, "otherproto ok" return Accept, "otherproto ok"
} }
return Drop, "Unknown proto" return Drop, unknownProtoString(q.IPProto)
} }
return Drop, "no rules matched" return Drop, "no rules matched"
} }
@ -503,7 +514,7 @@ func (f *Filter) runIn6(q *packet.Parsed) (r Response, why string) {
if f.matches6.matchProtoAndIPsOnlyIfAllPorts(q) { if f.matches6.matchProtoAndIPsOnlyIfAllPorts(q) {
return Accept, "otherproto ok" return Accept, "otherproto ok"
} }
return Drop, "Unknown proto" return Drop, unknownProtoString(q.IPProto)
} }
return Drop, "no rules matched" return Drop, "no rules matched"
} }
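Review bot: The new `unknownProtoStringCache` in the first hunk is keyed by `q.IPProto`, a value taken from a received packet, and nothing next to the declaration says why the map cannot grow without limit when a peer cycles through protocol numbers. If `ipproto.Proto` is a one-byte type (its definition is not on this page, so confirm), the cache tops out at 256 entries. That bound belongs in the comment, e.g. `// ipproto.Proto -> string; bounded at 256 entries because Proto is a single byte`. The separate Load and Store in `unknownProtoString` can run the `Sprintf` twice under concurrent calls, which looks benign since both goroutines store the same string, but a short why-comment would save the next reader from checking. The call sites are in `runIn4` and `runIn6`, whose bodies extend beyond the hunks shown.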
