|
|
@ -15,11 +15,14 @@ import (
|
|
|
|
"tailscale.com/wgengine/packet"
|
|
|
|
"tailscale.com/wgengine/packet"
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
type filterState struct {
|
|
|
|
|
|
|
|
mu sync.Mutex
|
|
|
|
|
|
|
|
lru *lru.Cache
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
type Filter struct {
|
|
|
|
type Filter struct {
|
|
|
|
matches Matches
|
|
|
|
matches Matches
|
|
|
|
|
|
|
|
state *filterState
|
|
|
|
udpMu sync.Mutex
|
|
|
|
|
|
|
|
udplru *lru.Cache
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
type Response int
|
|
|
|
type Response int
|
|
|
@ -66,17 +69,25 @@ var MatchAllowAll = Matches{
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func NewAllowAll() *Filter {
|
|
|
|
func NewAllowAll() *Filter {
|
|
|
|
return New(MatchAllowAll)
|
|
|
|
return New(MatchAllowAll, nil)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func NewAllowNone() *Filter {
|
|
|
|
func NewAllowNone() *Filter {
|
|
|
|
return New(nil)
|
|
|
|
return New(nil, nil)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func New(matches Matches) *Filter {
|
|
|
|
func New(matches Matches, shareStateWith *Filter) *Filter {
|
|
|
|
|
|
|
|
var state *filterState
|
|
|
|
|
|
|
|
if shareStateWith != nil {
|
|
|
|
|
|
|
|
state = shareStateWith.state
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
state = &filterState{
|
|
|
|
|
|
|
|
lru: lru.New(LRU_MAX),
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
f := &Filter{
|
|
|
|
f := &Filter{
|
|
|
|
matches: matches,
|
|
|
|
matches: matches,
|
|
|
|
udplru: lru.New(LRU_MAX),
|
|
|
|
state: state,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return f
|
|
|
|
return f
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -144,6 +155,10 @@ func (f *Filter) runIn(q *packet.QDecode) (r Response, why string) {
|
|
|
|
switch q.IPProto {
|
|
|
|
switch q.IPProto {
|
|
|
|
case packet.ICMP:
|
|
|
|
case packet.ICMP:
|
|
|
|
// If any port is open to an IP, allow ICMP to it.
|
|
|
|
// If any port is open to an IP, allow ICMP to it.
|
|
|
|
|
|
|
|
// TODO(apenwarr): allow ICMP packets on existing sessions.
|
|
|
|
|
|
|
|
// Right now ICMP Echo Response doesn't always work, and
|
|
|
|
|
|
|
|
// probably important ICMP responses on TCP sessions
|
|
|
|
|
|
|
|
// also get blocked.
|
|
|
|
if matchIPWithoutPorts(f.matches, q) {
|
|
|
|
if matchIPWithoutPorts(f.matches, q) {
|
|
|
|
return Accept, "icmp ok"
|
|
|
|
return Accept, "icmp ok"
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -165,9 +180,9 @@ func (f *Filter) runIn(q *packet.QDecode) (r Response, why string) {
|
|
|
|
case packet.UDP:
|
|
|
|
case packet.UDP:
|
|
|
|
t := tuple{q.SrcIP, q.DstIP, q.SrcPort, q.DstPort}
|
|
|
|
t := tuple{q.SrcIP, q.DstIP, q.SrcPort, q.DstPort}
|
|
|
|
|
|
|
|
|
|
|
|
f.udpMu.Lock()
|
|
|
|
f.state.mu.Lock()
|
|
|
|
_, ok := f.udplru.Get(t)
|
|
|
|
_, ok := f.state.lru.Get(t)
|
|
|
|
f.udpMu.Unlock()
|
|
|
|
f.state.mu.Unlock()
|
|
|
|
|
|
|
|
|
|
|
|
if ok {
|
|
|
|
if ok {
|
|
|
|
return Accept, "udp cached"
|
|
|
|
return Accept, "udp cached"
|
|
|
@ -182,12 +197,13 @@ func (f *Filter) runIn(q *packet.QDecode) (r Response, why string) {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (f *Filter) runOut(q *packet.QDecode) (r Response, why string) {
|
|
|
|
func (f *Filter) runOut(q *packet.QDecode) (r Response, why string) {
|
|
|
|
|
|
|
|
// TODO(apenwarr): create sessions on ICMP Echo Request too.
|
|
|
|
if q.IPProto == packet.UDP {
|
|
|
|
if q.IPProto == packet.UDP {
|
|
|
|
t := tuple{q.DstIP, q.SrcIP, q.DstPort, q.SrcPort}
|
|
|
|
t := tuple{q.DstIP, q.SrcIP, q.DstPort, q.SrcPort}
|
|
|
|
|
|
|
|
|
|
|
|
f.udpMu.Lock()
|
|
|
|
f.state.mu.Lock()
|
|
|
|
f.udplru.Add(t, t)
|
|
|
|
f.state.lru.Add(t, t)
|
|
|
|
f.udpMu.Unlock()
|
|
|
|
f.state.mu.Unlock()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return Accept, "ok out"
|
|
|
|
return Accept, "ok out"
|
|
|
|
}
|
|
|
|
}
|
|
|
|