chore(pmtud/tcp): restrict temp firewall rules to source ip and source port

2026-05-06 20:10:11 +02:00 · 2026-02-18 22:26:57 +00:00
parent 1c56189abc
commit bc79901f1e
9 changed files with 274 additions and 145 deletions
@@ -64,8 +64,9 @@ var (
 // Craft and send a raw TCP packet to test the MTU.
 // It expects either an RST reply (if no server is listening)
 // or a SYN-ACK/ACK reply (if a server is listening).
-func runTest(ctx context.Context, fd fileDescriptor,
-	tracker *tracker, dst netip.AddrPort, mtu uint32,
+func runTest(ctx context.Context, dst netip.AddrPort, mtu uint32,
+	excludeMark int, fd fileDescriptor, tracker *tracker,
+	firewall Firewall, logger Logger,
 ) error {
 	const proto = constants.IPPROTO_TCP
 	src, cleanup, err := ip.SrcAddr(dst, proto)
@@ -74,6 +75,20 @@ func runTest(ctx context.Context, fd fileDescriptor,
 	}
 	defer cleanup()

+	revert, err := firewall.TempDropOutputTCPRST(ctx, src, dst, excludeMark)
+	if err != nil {
+		return fmt.Errorf("temporarily dropping outgoing TCP RST packets: %w", err)
+	}
+	defer func() {
+		// we don't want to skip reverting the firewall changes
+		// even if the context is already expired, so we use a
+		// background context here.
+		err := revert(context.Background())
+		if err != nil {
+			logger.Warnf("reverting firewall changes: %s", err)
+		}
+	}()
+
 	ch := make(chan []byte)
 	abort := make(chan struct{})
 	defer close(abort)