Fix icmp when ports disabled

Fixes #247
Owen
2026-03-03 16:38:11 -08:00
parent 7920295b8c
commit e474866f84
2 changed files with 10 additions and 7 deletions


@@ -726,7 +726,7 @@ func (s *WireGuardService) ensureTargets(targets []Target) error {
s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp) s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange) logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
} }
return nil return nil
@@ -1119,7 +1119,7 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) {
s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp) s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange) logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
} }
} }
@@ -1236,7 +1236,7 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) {
} }
s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp) s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange) logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
} }
} }
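Review bot: The rule-install log line is now maintained as three identical copies of the same format string, in ensureTargets, handleAddTarget and handleUpdateTarget, so the next field added to it has to be edited in three places again and the copies can drift. A small private method on WireGuardService that takes the target and emits this line would keep the record of installed rules uniform across all three paths. Separately, `target.RewriteTo` is printed with `%s`; handleAddTarget and handleUpdateTarget take a websocket message, so if that field is not validated before this point (not visible here), `%q` would keep control characters out of the log. All three functions begin and end outside their hunks.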


@@ -167,10 +167,13 @@ func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.
// Step 3: Check each rule for ICMP and port restrictions // Step 3: Check each rule for ICMP and port restrictions
for _, rule := range rules { for _, rule := range rules {
// Check if ICMP is disabled for this rule // Handle ICMP before port range check ICMP has no ports
if rule.DisableIcmp && (proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber) { if proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber {
// ICMP is disabled for this subnet if rule.DisableIcmp {
return nil return nil
}
// ICMP is allowed; port ranges don't apply to ICMP
return rule
} }
// Check port restrictions // Check port restrictions