curben
/
cloudflared-mirror
mirror of https://github.com/cloudflare/cloudflared.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

TUN-6812: Drop IP packets if ICMP proxy is not initialized

This commit is contained in:
cthuang 2022-09-29 15:42:30 +01:00 committed by Chung-Ting Huang
parent 5b30925773
commit eacc8c648d
3 changed files with 24 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
connection/quic.go
View File

@ -50,7 +50,7 @@ type QUICConnection struct {
// sessionManager tracks active sessions. It receives datagrams from quic connection via datagramMuxer // sessionManager tracks active sessions. It receives datagrams from quic connection via datagramMuxer
sessionManager datagramsession.Manager sessionManager datagramsession.Manager
// datagramMuxer mux/demux datagrams from quic connection // datagramMuxer mux/demux datagrams from quic connection
datagramMuxer quicpogs.BaseDatagramMuxer datagramMuxer *quicpogs.DatagramMuxerV2
packetRouter *packet.Router packetRouter *packet.Router
controlStreamHandler ControlStreamHandler controlStreamHandler ControlStreamHandler
connOptions *tunnelpogs.ConnectionOptions connOptions *tunnelpogs.ConnectionOptions
@ -75,11 +75,7 @@ func NewQUICConnection(
sessionDemuxChan := make(chan *packet.Session, demuxChanCapacity) sessionDemuxChan := make(chan *packet.Session, demuxChanCapacity)
datagramMuxer := quicpogs.NewDatagramMuxerV2(session, logger, sessionDemuxChan) datagramMuxer := quicpogs.NewDatagramMuxerV2(session, logger, sessionDemuxChan)
sessionManager := datagramsession.NewManager(logger, datagramMuxer.SendToSession, sessionDemuxChan) sessionManager := datagramsession.NewManager(logger, datagramMuxer.SendToSession, sessionDemuxChan)
packetRouter := packet.NewRouter(packetRouterConfig, datagramMuxer, &returnPipe{muxer: datagramMuxer}, logger)
var pr *packet.Router
if packetRouterConfig != nil {
pr = packet.NewRouter(packetRouterConfig, datagramMuxer, &returnPipe{muxer: datagramMuxer}, logger)
}
return &QUICConnection{ return &QUICConnection{
session: session, session: session,
@ -87,7 +83,7 @@ func NewQUICConnection(
logger: logger, logger: logger,
sessionManager: sessionManager, sessionManager: sessionManager,
datagramMuxer: datagramMuxer, datagramMuxer: datagramMuxer,
packetRouter: pr, packetRouter: packetRouter,
controlStreamHandler: controlStreamHandler, controlStreamHandler: controlStreamHandler,
connOptions: connOptions, connOptions: connOptions,
}, nil }, nil
@ -123,17 +119,14 @@ func (q *QUICConnection) Serve(ctx context.Context) error {
defer cancel() defer cancel()
return q.sessionManager.Serve(ctx) return q.sessionManager.Serve(ctx)
}) })
errGroup.Go(func() error { errGroup.Go(func() error {
defer cancel() defer cancel()
return q.datagramMuxer.ServeReceive(ctx) return q.datagramMuxer.ServeReceive(ctx)
}) })
if q.packetRouter != nil {
errGroup.Go(func() error { errGroup.Go(func() error {
defer cancel() defer cancel()
return q.packetRouter.Serve(ctx) return q.packetRouter.Serve(ctx)
}) })
}
return errGroup.Wait() return errGroup.Wait()
} }

18
packet/router.go
View File

@ -25,9 +25,7 @@ type Upstream interface {
type Router struct { type Router struct {
upstream Upstream upstream Upstream
returnPipe FunnelUniPipe returnPipe FunnelUniPipe
icmpRouter ICMPRouter globalConfig *GlobalRouterConfig
ipv4Src netip.Addr
ipv6Src netip.Addr
logger *zerolog.Logger logger *zerolog.Logger
} }
@ -43,9 +41,7 @@ func NewRouter(globalConfig *GlobalRouterConfig, upstream Upstream, returnPipe F
return &Router{ return &Router{
upstream: upstream, upstream: upstream,
returnPipe: returnPipe, returnPipe: returnPipe,
icmpRouter: globalConfig.ICMPRouter, globalConfig: globalConfig,
ipv4Src: globalConfig.IPv4Src,
ipv6Src: globalConfig.IPv6Src,
logger: logger, logger: logger,
} }
} }
@ -58,6 +54,10 @@ func (r *Router) Serve(ctx context.Context) error {
if err != nil { if err != nil {
return err return err
} }
// Drop packets if ICMPRouter wasn't created
if r.globalConfig == nil {
continue
}
icmpPacket, err := icmpDecoder.Decode(rawPacket) icmpPacket, err := icmpDecoder.Decode(rawPacket)
if err != nil { if err != nil {
r.logger.Err(err).Msg("Failed to decode ICMP packet from quic datagram") r.logger.Err(err).Msg("Failed to decode ICMP packet from quic datagram")
@ -72,7 +72,7 @@ func (r *Router) Serve(ctx context.Context) error {
} }
icmpPacket.TTL-- icmpPacket.TTL--
if err := r.icmpRouter.Request(icmpPacket, r.returnPipe); err != nil { if err := r.globalConfig.ICMPRouter.Request(icmpPacket, r.returnPipe); err != nil {
r.logger.Err(err). r.logger.Err(err).
Str("src", icmpPacket.Src.String()). Str("src", icmpPacket.Src.String()).
Str("dst", icmpPacket.Dst.String()). Str("dst", icmpPacket.Dst.String()).
@ -86,9 +86,9 @@ func (r *Router) Serve(ctx context.Context) error {
func (r *Router) sendTTLExceedMsg(pk *ICMP, rawPacket RawPacket, encoder *Encoder) error { func (r *Router) sendTTLExceedMsg(pk *ICMP, rawPacket RawPacket, encoder *Encoder) error {
var srcIP netip.Addr var srcIP netip.Addr
if pk.Dst.Is4() { if pk.Dst.Is4() {
srcIP = r.ipv4Src srcIP = r.globalConfig.IPv4Src
} else { } else {
srcIP = r.ipv6Src srcIP = r.globalConfig.IPv6Src
} }
ttlExceedPacket := NewICMPTTLExceedPacket(pk.IP, rawPacket, srcIP) ttlExceedPacket := NewICMPTTLExceedPacket(pk.IP, rawPacket, srcIP)

4
packet/router_test.go
View File

@ -56,7 +56,7 @@ func TestRouterReturnTTLExceed(t *testing.T) {
}, },
}, },
} }
assertTTLExceed(t, &pk, router.ipv4Src, upstream, returnPipe) assertTTLExceed(t, &pk, router.globalConfig.IPv4Src, upstream, returnPipe)
pk = ICMP{ pk = ICMP{
IP: &IP{ IP: &IP{
Src: netip.MustParseAddr("fd51:2391:523:f4ee::1"), Src: netip.MustParseAddr("fd51:2391:523:f4ee::1"),
@ -74,7 +74,7 @@ func TestRouterReturnTTLExceed(t *testing.T) {
}, },
}, },
} }
assertTTLExceed(t, &pk, router.ipv6Src, upstream, returnPipe) assertTTLExceed(t, &pk, router.globalConfig.IPv6Src, upstream, returnPipe)
cancel() cancel()
<-routerStopped <-routerStopped