diff --git a/tstest/natlab/firewall.go b/tstest/natlab/firewall.go
index 1e8cb4e67..c6d6c5a27 100644
--- a/tstest/natlab/firewall.go
+++ b/tstest/natlab/firewall.go
@@ -9,6 +9,8 @@ import (
 	"net/netip"
 	"sync"
 	"time"
+
+	"tailscale.com/util/mak"
 )
 
 // FirewallType is the type of filtering a stateful firewall
@@ -100,19 +102,19 @@ func (f *Firewall) timeNow() time.Time {
 	return time.Now()
 }
 
-func (f *Firewall) init() {
-	if f.seen == nil {
-		f.seen = map[fwKey]time.Time{}
-	}
+// Reset drops all firewall state, forgetting all flows.
+func (f *Firewall) Reset() {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.seen = nil
 }
 
 func (f *Firewall) HandleOut(p *Packet, oif *Interface) *Packet {
 	f.mu.Lock()
 	defer f.mu.Unlock()
-	f.init()
 	k := f.Type.key(p.Src, p.Dst)
-	f.seen[k] = f.timeNow().Add(f.sessionTimeoutLocked())
+	mak.Set(&f.seen, k, f.timeNow().Add(f.sessionTimeoutLocked()))
 	p.Trace("firewall out ok")
 	return p
 }
@@ -120,7 +122,6 @@ func (f *Firewall) HandleOut(p *Packet, oif *Interface) *Packet {
 func (f *Firewall) HandleIn(p *Packet, iif *Interface) *Packet {
 	f.mu.Lock()
 	defer f.mu.Unlock()
-	f.init()
 	// reverse src and dst because the session table is from the POV
 	// of outbound packets.
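Review bot: The doc comment on the new Reset method overstates what it clears: the body only sets f.seen to nil, while the firewall's configuration (f.Type and whatever sessionTimeoutLocked reads) is left as is, so "drops all firewall state" can lead a test author to expect a freshly constructed Firewall. I would tighten it to `// Reset forgets all tracked flows. Configuration (Type, session timeout) is unchanged; until an outbound packet re-creates an entry, an inbound packet for a previously allowed flow is treated as unseen.` Stating that fail-closed consequence is worth it because, with init() gone, HandleIn now indexes a possibly-nil map after Reset; a lookup on a nil map yields the zero time.Time, which presumably reads as already expired in HandleIn, but its body lies outside this hunk, so confirm.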