[client] Add experimental support for userspace routing #3134

wants to merge 63 commits into
base: main
63 commits
4199da4
Add userspace routing
lixmal Dec 26, 2024
b43a8c5
Update wireguard-go ref
lixmal Dec 30, 2024
fad82ee
Add stop methods and improve udp implementation
lixmal Dec 30, 2024
d261654
Add logger
lixmal Dec 30, 2024
6a97d44
Improve udp implementation
lixmal Dec 30, 2024
9feaa8d
Add icmp forwarder
lixmal Dec 30, 2024
fb1a107
Fix lint and test issues
lixmal Dec 31, 2024
509b4e2
Lower udp timeout and add teardown messages
lixmal Dec 31, 2024
ed22d79
Add more control with env vars, also allow to pass traffic to native …
lixmal Jan 2, 2025
a12a9ac
Handle all local IPs
lixmal Jan 2, 2025
7667886
Add more tcp logging
lixmal Jan 2, 2025
d85e57e
Handle other icmp types in forwarder
lixmal Jan 2, 2025
657413b
Move icmp acceptance logic
lixmal Jan 2, 2025
fa27369
Fix linter issues
lixmal Jan 2, 2025
c3c6afa
Merge branch 'main' into userspace-router
lixmal Jan 2, 2025
2b8092d
Close endpoints
lixmal Jan 2, 2025
911f86d
Support local IPs in netstack mode
lixmal Jan 2, 2025
568d064
Drop certain forwarded icmp packets
lixmal Jan 2, 2025
e912f2d
Fix double close in logger
lixmal Jan 2, 2025
f772a21
Fix log level handling
lixmal Jan 2, 2025
0b9854b
Fix tests
lixmal Jan 2, 2025
2930288
Fix test expectation
lixmal Jan 2, 2025
88b420d
Remove linux restriction
lixmal Jan 2, 2025
0c2fa38
Exclude benchmark from CI
lixmal Jan 3, 2025
d711172
Fix benchmarks
lixmal Jan 3, 2025
9490e90
Reduce complexity
lixmal Jan 3, 2025
955b2b9
Complete route ACLs and add tests
lixmal Jan 3, 2025
fc799ef
Set log level from logrus
lixmal Jan 3, 2025
c68be6b
Remove fractions of seconds
lixmal Jan 3, 2025
979fe6b
Reduce complexity and fix linter issues
lixmal Jan 3, 2025
3ce3990
Merge branch 'main' into userspace-router
lixmal Jan 3, 2025
f26b418
Allow to set firewall log level
lixmal Jan 3, 2025
a6ad4dc
Close endpoint when stopping udp forwarder
lixmal Jan 3, 2025
62a20f5
Add local IPs test
lixmal Jan 3, 2025
f69dd6f
Make extra IPs from interfaces optional
lixmal Jan 3, 2025
0b116b3
Use native firewall for nat/firewall operations if available
lixmal Jan 3, 2025
eaadb75
Add env var to force userspace routing if native routing is available
lixmal Jan 3, 2025
7dfe7e4
Always use userspace routing in netstack mode
lixmal Jan 3, 2025
766e0cc
Add packet tracer
lixmal Jan 3, 2025
474fb33
Remove established field from udp and icmp (unused)
lixmal Jan 4, 2025
290e699
Demote close error levels
lixmal Jan 5, 2025
fe7a2aa
Fix test
lixmal Jan 5, 2025
4a189a8
Use MTU for udp max size
lixmal Jan 6, 2025
5ea39df
Adjust limits for iOS
lixmal Jan 6, 2025
2060242
Merge branch 'main' into userspace-router
lixmal Jan 7, 2025
28f5cd5
Merge branch 'main' into userspace-router
lixmal Jan 8, 2025
daf9359
Handle disable-server-routes flag in userspace router
lixmal Jan 9, 2025
6335ef8
Correct comment
lixmal Jan 9, 2025
706f98c
Improve routing decision logic
lixmal Jan 9, 2025
01957a3
Merge branch 'main' into userspace-router
lixmal Jan 10, 2025
af46f25
Block wg net forwarded traffic
lixmal Jan 10, 2025
d31543c
Enable ssh server on freebsd
lixmal Jan 11, 2025
648b22a
Fix listening in netstack mode
lixmal Jan 11, 2025
8430c37
Fix panic if login cmd fails
lixmal Jan 11, 2025
1296ecf
Tidy up go mod
lixmal Jan 11, 2025
1c00870
Merge branch 'allow-ssh-server-freebsd' into userspace-router
lixmal Jan 11, 2025
a625f90
Merge branch 'main' into userspace-router
lixmal Jan 14, 2025
8dce131
Disable local forwarding in netstack mode by default for security rea…
lixmal Jan 14, 2025
ea6c947
Merge branch 'main' into userspace-router
lixmal Jan 15, 2025
22991b3
Process drop rules first (#3167)
lixmal Jan 15, 2025
77afcc8
Merge branch 'main' into userspace-router
lixmal Jan 15, 2025
21a3679
Fix regression
lixmal Jan 15, 2025
9b5c043
Make debug ops a bit safer
lixmal Jan 16, 2025
Reduce complexity and fix linter issues
lixmal committed Jan 3, 2025
commit 979fe6bb6a9fbbbc03b0c65779513a7238348d7e
33 changes: 5 additions & 28 deletions client/firewall/uspfilter/uspfilter.go
Expand Up @@ -732,34 +732,10 @@ func (m *Manager) routeACLsPass(srcIP, dstIP net.IP, proto firewall.Protocol, sr
dstAddr := netip.AddrFrom4([4]byte(dstIP.To4()))

for _, rule := range m.routeRules {
if !rule.destination.Contains(dstAddr) {
continue
}

sourceMatched := false
for _, src := range rule.sources {
if src.Contains(srcAddr) {
sourceMatched = true
break
}
}
if !sourceMatched {
continue
}

if rule.proto != firewall.ProtocolALL && rule.proto != proto {
continue
}

if proto == firewall.ProtocolTCP || proto == firewall.ProtocolUDP {
if !m.portsMatch(rule.srcPort, srcPort) || !m.portsMatch(rule.dstPort, dstPort) {
continue
}
if m.ruleMatches(rule, srcAddr, dstAddr, proto, srcPort, dstPort) {
return rule.action == firewall.ActionAccept
}

return rule.action == firewall.ActionAccept
}

return false
}

Expand All @@ -783,9 +759,10 @@ func (m *Manager) ruleMatches(rule RouteRule, srcAddr, dstAddr netip.Addr, proto
return false
}

// Port matches for TCP/UDP only
if proto == firewall.ProtocolTCP || proto == firewall.ProtocolUDP {
return m.portsMatch(rule.srcPort, srcPort) && m.portsMatch(rule.dstPort, dstPort)
if !m.portsMatch(rule.srcPort, srcPort) || !m.portsMatch(rule.dstPort, dstPort) {
return false
}
}

return true
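Review bot: `dstAddr := netip.AddrFrom4([4]byte(dstIP.To4()))` at the top of the hunk panics for any non-IPv4 destination, because `To4()` returns nil in that case and converting a nil slice to `[4]byte` is a runtime panic, so a stray IPv6 packet would crash the filter instead of being denied. Unless the caller already guarantees IPv4 — routeACLsPass's signature and the matching srcAddr conversion sit above the hunk, so that cannot be confirmed here — guard it with `dst4 := dstIP.To4()` / `if dst4 == nil { return false }` / `dstAddr := netip.AddrFrom4([4]byte(dst4))`, or switch to `netip.AddrFromSlice` and check its ok result. Note also that the rewritten loop returns on the first rule `ruleMatches` accepts, so an accept rule ordered before a drop rule in m.routeRules wins regardless of action; the commit list shows that ordering being addressed later in this PR (#3167), so it is worth a comment on the loop rather than a change here.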
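--- a/client/firewall/uspfilter/uspfilter_filter_test.go
+++ b/client/firewall/uspfilter/uspfilter_filter_test.go
@@ -223,15 +223,15 @@ func createTestPacket(t *testing.T, srcIP, dstIP string, proto fw.Protocol, srcP
 	return buf.Bytes()
 }
 
-func setupRoutedManager(t testing.TB, network string) *Manager {
-	t.Helper()
+func setupRoutedManager(tb testing.TB, network string) *Manager {
+	tb.Helper()
 
-	ctrl := gomock.NewController(t)
+	ctrl := gomock.NewController(tb)
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 
 	localIP, wgNet, err := net.ParseCIDR(network)
-	require.NoError(t, err)
+	require.NoError(tb, err)
 
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
@@ -250,13 +250,13 @@ func setupRoutedManager(t testing.TB, network string) *Manager {
 	}
 
 	manager, err := Create(ifaceMock)
-	require.NoError(t, err)
-	require.NotNil(t, manager)
-	require.True(t, manager.routingEnabled)
-	require.False(t, manager.nativeRouter)
+	require.NoError(tb, err)
+	require.NotNil(tb, manager)
+	require.True(tb, manager.routingEnabled)
+	require.False(tb, manager.nativeRouter)
 
-	t.Cleanup(func() {
-		require.NoError(t, manager.Reset(nil))
+	tb.Cleanup(func() {
+		require.NoError(tb, manager.Reset(nil))
 	})
 
 	return manager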