TUN-6812: Drop IP packets if ICMP proxy is not initialized
This commit is contained in:
cthuang
Chung-Ting Huang
parent
5b30925773
commit
eacc8c648d
|
|
@ -50,7 +50,7 @@ type QUICConnection struct {
|
||||||
// sessionManager tracks active sessions. It receives datagrams from quic connection via datagramMuxer
|
// sessionManager tracks active sessions. It receives datagrams from quic connection via datagramMuxer
|
||||||
sessionManager datagramsession.Manager
|
sessionManager datagramsession.Manager
|
||||||
// datagramMuxer mux/demux datagrams from quic connection
|
// datagramMuxer mux/demux datagrams from quic connection
|
||||||
datagramMuxer quicpogs.BaseDatagramMuxer
|
datagramMuxer *quicpogs.DatagramMuxerV2
|
||||||
packetRouter *packet.Router
|
packetRouter *packet.Router
|
||||||
controlStreamHandler ControlStreamHandler
|
controlStreamHandler ControlStreamHandler
|
||||||
connOptions *tunnelpogs.ConnectionOptions
|
connOptions *tunnelpogs.ConnectionOptions
|
||||||
|
|
@ -75,11 +75,7 @@ func NewQUICConnection(
|
||||||
sessionDemuxChan := make(chan *packet.Session, demuxChanCapacity)
|
sessionDemuxChan := make(chan *packet.Session, demuxChanCapacity)
|
||||||
datagramMuxer := quicpogs.NewDatagramMuxerV2(session, logger, sessionDemuxChan)
|
datagramMuxer := quicpogs.NewDatagramMuxerV2(session, logger, sessionDemuxChan)
|
||||||
sessionManager := datagramsession.NewManager(logger, datagramMuxer.SendToSession, sessionDemuxChan)
|
sessionManager := datagramsession.NewManager(logger, datagramMuxer.SendToSession, sessionDemuxChan)
|
||||||
|
packetRouter := packet.NewRouter(packetRouterConfig, datagramMuxer, &returnPipe{muxer: datagramMuxer}, logger)
|
||||||
var pr *packet.Router
|
|
||||||
if packetRouterConfig != nil {
|
|
||||||
pr = packet.NewRouter(packetRouterConfig, datagramMuxer, &returnPipe{muxer: datagramMuxer}, logger)
|
|
||||||
}
|
|
||||||
|
|
||||||
return &QUICConnection{
|
return &QUICConnection{
|
||||||
session: session,
|
session: session,
|
||||||
|
|
@ -87,7 +83,7 @@ func NewQUICConnection(
|
||||||
logger: logger,
|
logger: logger,
|
||||||
sessionManager: sessionManager,
|
sessionManager: sessionManager,
|
||||||
datagramMuxer: datagramMuxer,
|
datagramMuxer: datagramMuxer,
|
||||||
packetRouter: pr,
|
packetRouter: packetRouter,
|
||||||
controlStreamHandler: controlStreamHandler,
|
controlStreamHandler: controlStreamHandler,
|
||||||
connOptions: connOptions,
|
connOptions: connOptions,
|
||||||
}, nil
|
}, nil
|
||||||
|
|
@ -123,17 +119,14 @@ func (q *QUICConnection) Serve(ctx context.Context) error {
|
||||||
defer cancel()
|
defer cancel()
|
||||||
return q.sessionManager.Serve(ctx)
|
return q.sessionManager.Serve(ctx)
|
||||||
})
|
})
|
||||||
|
|
||||||
errGroup.Go(func() error {
|
errGroup.Go(func() error {
|
||||||
defer cancel()
|
defer cancel()
|
||||||
return q.datagramMuxer.ServeReceive(ctx)
|
return q.datagramMuxer.ServeReceive(ctx)
|
||||||
})
|
})
|
||||||
if q.packetRouter != nil {
|
errGroup.Go(func() error {
|
||||||
errGroup.Go(func() error {
|
defer cancel()
|
||||||
defer cancel()
|
return q.packetRouter.Serve(ctx)
|
||||||
return q.packetRouter.Serve(ctx)
|
})
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
return errGroup.Wait()
|
return errGroup.Wait()
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -23,12 +23,10 @@ type Upstream interface {
|
||||||
|
|
||||||
// Router routes packets between Upstream and ICMPRouter. Currently it rejects all other type of ICMP packets
|
// Router routes packets between Upstream and ICMPRouter. Currently it rejects all other type of ICMP packets
|
||||||
type Router struct {
|
type Router struct {
|
||||||
upstream Upstream
|
upstream Upstream
|
||||||
returnPipe FunnelUniPipe
|
returnPipe FunnelUniPipe
|
||||||
icmpRouter ICMPRouter
|
globalConfig *GlobalRouterConfig
|
||||||
ipv4Src netip.Addr
|
logger *zerolog.Logger
|
||||||
ipv6Src netip.Addr
|
|
||||||
logger *zerolog.Logger
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// GlobalRouterConfig is the configuration shared by all instance of Router.
|
// GlobalRouterConfig is the configuration shared by all instance of Router.
|
||||||
|
|
@ -41,12 +39,10 @@ type GlobalRouterConfig struct {
|
||||||
|
|
||||||
func NewRouter(globalConfig *GlobalRouterConfig, upstream Upstream, returnPipe FunnelUniPipe, logger *zerolog.Logger) *Router {
|
func NewRouter(globalConfig *GlobalRouterConfig, upstream Upstream, returnPipe FunnelUniPipe, logger *zerolog.Logger) *Router {
|
||||||
return &Router{
|
return &Router{
|
||||||
upstream: upstream,
|
upstream: upstream,
|
||||||
returnPipe: returnPipe,
|
returnPipe: returnPipe,
|
||||||
icmpRouter: globalConfig.ICMPRouter,
|
globalConfig: globalConfig,
|
||||||
ipv4Src: globalConfig.IPv4Src,
|
logger: logger,
|
||||||
ipv6Src: globalConfig.IPv6Src,
|
|
||||||
logger: logger,
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -58,6 +54,10 @@ func (r *Router) Serve(ctx context.Context) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// Drop packets if ICMPRouter wasn't created
|
||||||
|
if r.globalConfig == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
icmpPacket, err := icmpDecoder.Decode(rawPacket)
|
icmpPacket, err := icmpDecoder.Decode(rawPacket)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
r.logger.Err(err).Msg("Failed to decode ICMP packet from quic datagram")
|
r.logger.Err(err).Msg("Failed to decode ICMP packet from quic datagram")
|
||||||
|
|
@ -72,7 +72,7 @@ func (r *Router) Serve(ctx context.Context) error {
|
||||||
}
|
}
|
||||||
icmpPacket.TTL--
|
icmpPacket.TTL--
|
||||||
|
|
||||||
if err := r.icmpRouter.Request(icmpPacket, r.returnPipe); err != nil {
|
if err := r.globalConfig.ICMPRouter.Request(icmpPacket, r.returnPipe); err != nil {
|
||||||
r.logger.Err(err).
|
r.logger.Err(err).
|
||||||
Str("src", icmpPacket.Src.String()).
|
Str("src", icmpPacket.Src.String()).
|
||||||
Str("dst", icmpPacket.Dst.String()).
|
Str("dst", icmpPacket.Dst.String()).
|
||||||
|
|
@ -86,9 +86,9 @@ func (r *Router) Serve(ctx context.Context) error {
|
||||||
func (r *Router) sendTTLExceedMsg(pk *ICMP, rawPacket RawPacket, encoder *Encoder) error {
|
func (r *Router) sendTTLExceedMsg(pk *ICMP, rawPacket RawPacket, encoder *Encoder) error {
|
||||||
var srcIP netip.Addr
|
var srcIP netip.Addr
|
||||||
if pk.Dst.Is4() {
|
if pk.Dst.Is4() {
|
||||||
srcIP = r.ipv4Src
|
srcIP = r.globalConfig.IPv4Src
|
||||||
} else {
|
} else {
|
||||||
srcIP = r.ipv6Src
|
srcIP = r.globalConfig.IPv6Src
|
||||||
}
|
}
|
||||||
ttlExceedPacket := NewICMPTTLExceedPacket(pk.IP, rawPacket, srcIP)
|
ttlExceedPacket := NewICMPTTLExceedPacket(pk.IP, rawPacket, srcIP)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -56,7 +56,7 @@ func TestRouterReturnTTLExceed(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
assertTTLExceed(t, &pk, router.ipv4Src, upstream, returnPipe)
|
assertTTLExceed(t, &pk, router.globalConfig.IPv4Src, upstream, returnPipe)
|
||||||
pk = ICMP{
|
pk = ICMP{
|
||||||
IP: &IP{
|
IP: &IP{
|
||||||
Src: netip.MustParseAddr("fd51:2391:523:f4ee::1"),
|
Src: netip.MustParseAddr("fd51:2391:523:f4ee::1"),
|
||||||
|
|
@ -74,7 +74,7 @@ func TestRouterReturnTTLExceed(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
assertTTLExceed(t, &pk, router.ipv6Src, upstream, returnPipe)
|
assertTTLExceed(t, &pk, router.globalConfig.IPv6Src, upstream, returnPipe)
|
||||||
|
|
||||||
cancel()
|
cancel()
|
||||||
<-routerStopped
|
<-routerStopped
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue