chore(connlib): add some additional details about UnallowedPacket (#4241

) ref: #4018 extracted from #4163
firezone · Mar 21, 2024 · 7449c9b · 7449c9b
1 parent 9f9e66a
commit 7449c9b
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/rust/connlib/shared/src/error.rs b/rust/connlib/shared/src/error.rs
@@ -1,6 +1,7 @@
 //! Error module.
 use base64::{DecodeError, DecodeSliceError};
 use boringtun::noise::errors::WireGuardError;
+use std::net::IpAddr;
 use thiserror::Error;
 use tokio::task::JoinError;
 
@@ -156,8 +157,8 @@ pub enum ConnlibError {
 
     #[error(transparent)]
     Snownet(#[from] snownet::Error),
-    #[error("Detected non-allowed packet in channel")]
-    UnallowedPacket,
+    #[error("Detected non-allowed packet in channel from {0}")]
+    UnallowedPacket(IpAddr),
 
     // Error variants for `systemd-resolved` DNS control
     #[error("Failed to control system DNS with `resolvectl`")]

diff --git a/rust/connlib/tunnel/src/gateway.rs b/rust/connlib/tunnel/src/gateway.rs
@@ -276,6 +276,8 @@ impl GatewayState {
         let packet = match peer.untransform(packet.into()) {
             Ok(packet) => packet,
             Err(e) => {
+                // Note: this can happen with apps such as cURL that if started before the tunnel routes are address
+                // source ips can be sticky.
                 tracing::warn!(%conn_id, %local, %from, "Failed to transform packet: {e}");
 
                 return None;

diff --git a/rust/connlib/tunnel/src/peer.rs b/rust/connlib/tunnel/src/peer.rs
@@ -85,7 +85,7 @@ where
         let (packet, addr) = self.transform.packet_untransform(packet)?;
 
         if !self.is_allowed(addr) {
-            return Err(Error::UnallowedPacket);
+            return Err(Error::UnallowedPacket(addr));
         }
 
         Ok(packet)