Merge branch 'dev' into msg-opt

2026-03-26 12:36:45 +00:00 · 2026-03-03 16:54:23 -08:00
parent 6371e980d2 beaf386615
commit 7d6825132b
5 changed files with 89 additions and 84 deletions
--- a/netstack2/subnet_lookup.go
+++ b/netstack2/subnet_lookup.go
@@ -167,10 +167,13 @@ func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.

 			// Step 3: Check each rule for ICMP and port restrictions
 			for _, rule := range rules {
-				// Check if ICMP is disabled for this rule
-				if rule.DisableIcmp && (proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber) {
-					// ICMP is disabled for this subnet
-					return nil
+				// Handle ICMP before port range check — ICMP has no ports
+				if proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber {
+					if rule.DisableIcmp {
+						return nil
+					}
+					// ICMP is allowed; port ranges don't apply to ICMP
+					return rule
 				}

 				// Check port restrictions