Skip to content

net/{packet,tstun},wgengine/filter: fix unknown IP protocol handling #6965

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bradfitz merged 1 commit into from
Jan 14, 2023
Merged

net/{packet,tstun},wgengine/filter: fix unknown IP protocol handling #6965

bradfitz merged 1 commit into from
Jan 14, 2023

Conversation

@bradfitz
Copy link
Member

@bradfitz bradfitz commented Jan 14, 2023

01b90df added SCTP support before (with explicit parsing for ports) and
69de3bf tried to add support for arbitrary IP protocols (as long as the ACL permited a port of "*", since we might not know how to find ports from an arbitrary IP protocol, if it even has such a concept). But apparently that latter commit wasn't tested end-to-end enough. It had a lot of tests, but the tests made assumptions about layering that either weren't true, or regressed since 1.20. Notably, it didn't remove the (*Filter).pre bidirectional filter that dropped all "unknown" protocol packets both leaving and entering, even if there were explicit protocol matches allowing them in.

Also, don't map all unknown protocols to 0. Keep their IP protocol number parsed so it's matchable by later layers. Only reject illegal things.

Fixes #6423
Updates #2162
Updates #2163

@bradfitz bradfitz requested a review from DentonGentry January 14, 2023 17:03
DentonGentry
DentonGentry approved these changes Jan 14, 2023
View reviewed changes
net/tstun/wrap_test.go Outdated
{"junk_out", out, true, []byte("\x45not a valid IPv4 packet")},
{"short_in", in, true, []byte("\x45xxx")},
{"short_out", out, true, []byte("\x45xxx")},
{"ip97_out", out, false, must.Get(hex.DecodeString(strings.ReplaceAll("4500 0019 d186 4000 4061 751d 644a 4603 6449 e549 6865 6c6c 6f", " ", "")))},
Copy link
Contributor

@DentonGentry DentonGentry Jan 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I note that packet_test.go defined a noWS() function to do this for all unicode whitespace runes, though I don't see why it was needed there.

Copy link
Member Author

@bradfitz bradfitz Jan 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

made them both consistent with a new mustDecodeHex func. maybe I'll move that to some packet test helper package later.

@bradfitz
net/{packet,tstun},wgengine/filter: fix unknown IP protocol handling
fbca9a4 
01b90df added SCTP support before
(with explicit parsing for ports) and
69de3bf tried to add support for
arbitrary IP protocols (as long as the ACL permited a port of "*",
since we might not know how to find ports from an arbitrary IP
protocol, if it even has such a concept). But apparently that latter
commit wasn't tested end-to-end enough. It had a lot of tests, but the
tests made assumptions about layering that either weren't true, or
regressed since 1.20. Notably, it didn't remove the (*Filter).pre
bidirectional filter that dropped all "unknown" protocol packets both
leaving and entering, even if there were explicit protocol matches
allowing them in.

Also, don't map all unknown protocols to 0. Keep their IP protocol
number parsed so it's matchable by later layers. Only reject illegal
things.

Fixes #6423
Updates #2162
Updates #2163

Change-Id: I9659b3ece86f4db51d644f9b34df78821758842c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
@bradfitz bradfitz force-pushed the bradfitz/ip_proto_other branch from d899023 to fbca9a4 Compare January 14, 2023 18:20
@bradfitz bradfitz merged commit c1a2e2c into main Jan 14, 2023
@bradfitz bradfitz deleted the bradfitz/ip_proto_other branch January 14, 2023 18:32
andrew-d
andrew-d reviewed Jan 14, 2023
View reviewed changes
net/packet/packet_test.go
}

// mustHexDecode is like hex.DecodeString, but panics on error
// and ignores whitespcae in s.
Copy link
Member

@andrew-d andrew-d Jan 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// and ignores whitespcae in s.
// and ignores whitespace in s.

Copy link
Member Author

@bradfitz bradfitz Jan 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#6968

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrew-d andrew-d andrew-d left review comments

+1 more reviewer

@DentonGentry DentonGentry DentonGentry approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

FR: Unable to run EOIP (Protocol 97) between two nodes

3 participants

@bradfitz @andrew-d @DentonGentry