curben
/
cloudflared-mirror
mirror of https://github.com/cloudflare/cloudflared.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

TUN-6740: Detect no UDP packets allowed and fallback from QUIC in that case

This commit is contained in:
Nuno Diegues 2022-09-06 13:20:50 +01:00
parent 4b75943d59
commit 7a19798682
3 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
connection/errors.go
View File

@ -27,6 +27,10 @@ func (e *EdgeQuicDialError) Error() string {
return "failed to dial to edge with quic: " + e.Cause.Error() return "failed to dial to edge with quic: " + e.Cause.Error()
} }
func (e *EdgeQuicDialError) Unwrap() error {
return e.Cause
}
// RegisterTunnel error from server // RegisterTunnel error from server
type ServerRegisterTunnelError struct { type ServerRegisterTunnelError struct {
Cause error Cause error

4
ingress/origin_icmp_proxy_test.go
View File

@ -23,6 +23,10 @@ var (
// TestICMPProxyEcho makes sure we can send ICMP echo via the Request method and receives response via the // TestICMPProxyEcho makes sure we can send ICMP echo via the Request method and receives response via the
// ListenResponse method // ListenResponse method
//
// Note: if this test fails on your device under Linux, then most likely you need to make sure that your user
// is allowed in ping_group_range. See the following gist for how to do that:
// https://github.com/ValentinBELYN/icmplib/blob/main/docs/6-use-icmplib-without-privileges.md
func TestICMPProxyEcho(t *testing.T) { func TestICMPProxyEcho(t *testing.T) {
onlyDarwinOrLinux(t) onlyDarwinOrLinux(t)
const ( const (

25
supervisor/tunnel.go
View File

@ -317,16 +317,11 @@ func selectNextProtocol(
selector connection.ProtocolSelector, selector connection.ProtocolSelector,
cause error, cause error,
) bool { ) bool {
var idleTimeoutError *quic.IdleTimeoutError isQuicBroken := isQuicBroken(cause)
isNetworkActivityTimeout := errors.As(cause, &idleTimeoutError)
edgeQuicDialError, ok := cause.(*connection.EdgeQuicDialError)
if !isNetworkActivityTimeout && ok {
isNetworkActivityTimeout = errors.As(edgeQuicDialError.Cause, &idleTimeoutError)
}
_, hasFallback := selector.Fallback() _, hasFallback := selector.Fallback()
if protocolBackoff.ReachedMaxRetries() || (hasFallback && isNetworkActivityTimeout) { if protocolBackoff.ReachedMaxRetries() || (hasFallback && isQuicBroken) {
if isNetworkActivityTimeout { if isQuicBroken {
connLog.Warn().Msg("If this log occurs persistently, and cloudflared is unable to connect to " + connLog.Warn().Msg("If this log occurs persistently, and cloudflared is unable to connect to " +
"Cloudflare Network with `quic` protocol, then most likely your machine/network is getting its egress " + "Cloudflare Network with `quic` protocol, then most likely your machine/network is getting its egress " +
"UDP to port 7844 (or others) blocked or dropped. Make sure to allow egress connectivity as per " + "UDP to port 7844 (or others) blocked or dropped. Make sure to allow egress connectivity as per " +
@ -355,6 +350,20 @@ func selectNextProtocol(
return true return true
} }
func isQuicBroken(cause error) bool {
var idleTimeoutError *quic.IdleTimeoutError
if errors.As(cause, &idleTimeoutError) {
return true
}
var transportError *quic.TransportError
if errors.As(cause, &transportError) && strings.Contains(cause.Error(), "operation not permitted") {
return true
}
return false
}
// ServeTunnel runs a single tunnel connection, returns nil on graceful shutdown, // ServeTunnel runs a single tunnel connection, returns nil on graceful shutdown,
// on error returns a flag indicating if error can be retried // on error returns a flag indicating if error can be retried
func (e *EdgeTunnelServer) serveTunnel( func (e *EdgeTunnelServer) serveTunnel(