Use NextHeader as a fallback for unknown IPv6 protocols

firewall/interception.go

@@ -79,20 +79,9 @@ func interceptionPrep() (err error) {
 func interceptionStart() error {
 	startAPIAuth()
 
-	interceptionModule.StartWorker("stat logger", func(ctx context.Context) error {
-		statLogger()
-		return nil
-	})
-
-	interceptionModule.StartWorker("packet handler", func(ctx context.Context) error {
-		run()
-		return nil
-	})
-
-	interceptionModule.StartWorker("ports state cleaner", func(ctx context.Context) error {
-		portsInUseCleaner()
-		return nil
-	})
+	interceptionModule.StartWorker("stat logger", statLogger)
+	interceptionModule.StartWorker("packet handler", packetHandler)
+	interceptionModule.StartWorker("ports state cleaner", portsInUseCleaner)
 
 	return interception.Start()
 }
@@ -328,22 +317,22 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 // 	return
 // }
 
-func run() {
+func packetHandler(ctx context.Context) error {
 	for {
 		select {
-		case <-interceptionModule.Stopping():
-			return
+		case <-ctx.Done():
+			return nil
 		case pkt := <-interception.Packets:
 			handlePacket(pkt)
 		}
 	}
 }
 
-func statLogger() {
+func statLogger(ctx context.Context) error {
 	for {
 		select {
-		case <-interceptionModule.Stopping():
-			return
+		case <-ctx.Done():
+			return nil
 		case <-time.After(10 * time.Second):
 			log.Tracef(
 				"filter: packets accepted %d, blocked %d, dropped %d, failed %d",

firewall/ports.go

@@ -1,6 +1,7 @@
 package firewall
 
 import (
+	"context"
 	"sync"
 	"time"
 
@@ -69,11 +70,11 @@ func GetPermittedPort() uint16 {
 	return 0
 }
 
-func portsInUseCleaner() {
+func portsInUseCleaner(ctx context.Context) error {
 	for {
 		select {
-		case <-interceptionModule.Stopping():
-			return
+		case <-ctx.Done():
+			return nil
 		case <-time.After(cleanerTickDuration):
 			cleanPortsInUse()
 		}

network/packet/parse.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
-	"github.com/safing/portbase/log"
 )
 
 var layerType2IPProtocol map[gopacket.LayerType]IPProtocol
@@ -33,6 +32,10 @@ func parseIPv6(packet gopacket.Packet, info *Info) error {
 		info.Version = IPv6
 		info.Src = ipv6.SrcIP
 		info.Dst = ipv6.DstIP
+		// we set Protocol to NextHeader as a fallback. If TCP or
+		// UDP layers are detected (somewhere in the list of options)
+		// the Protocol field is adjusted correctly.
+		info.Protocol = IPProtocol(ipv6.NextHeader)
 	}
 	return nil
 }
@@ -96,21 +99,6 @@ func checkError(packet gopacket.Packet, _ *Info) error {
 	return nil
 }
 
-func tryFindIPv6TransportProtocol(packet gopacket.Packet, info *Info) {
-	if transport := packet.TransportLayer(); transport != nil {
-		proto, ok := layerType2IPProtocol[transport.LayerType()]
-
-		if ok {
-			info.Protocol = proto
-			log.Tracef("packet: unsupported IPv6 protocol %02x (%d)", proto)
-		} else {
-			log.Warningf("packet: unsupported or unknown gopacket layer type: %d", transport.LayerType())
-		}
-		return
-	}
-	log.Tracef("packet: failed to get IPv6 transport protocol number")
-}
-
 // Parse parses an IP packet and saves the information in the given packet object.
 func Parse(packetData []byte, pktInfo *Info) error {
 	if len(packetData) == 0 {
@@ -129,9 +117,6 @@ func Parse(packetData []byte, pktInfo *Info) error {
 		return fmt.Errorf("unknown IP version or network protocol: %02x", ipVersion)
 	}
 
-	// 255 is reserved by IANA so we use it as a "failed-to-detect" marker.
-	pktInfo.Protocol = 255
-
 	packet := gopacket.NewPacket(packetData, networkLayerType, gopacket.DecodeOptions{
 		Lazy:   true,
 		NoCopy: true,
@@ -155,12 +140,6 @@ func Parse(packetData []byte, pktInfo *Info) error {
 		}
 	}
 
-	// 255 is reserved by IANA and used as a "failed-to-detect"
-	// marker for IPv6 (parseIPv4 always sets the protocl field)
-	if pktInfo.Protocol == 255 {
-		tryFindIPv6TransportProtocol(packet, pktInfo)
-	}
-
 	return nil
 }