udp: endpoint-independent mapping mk1

Author: ignoramous

intra/netstack/hdl.go

@@ -13,7 +13,10 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/celzero/firestack/intra/settings"
 	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 
@@ -134,3 +137,20 @@ func nsaddr2ip(addr tcpip.Address) net.IP {
 	b := addr.AsSlice()
 	return net.IP(b)
 }
+
+func addrport2nsaddr(ipp netip.AddrPort) (tcpip.FullAddress, tcpip.NetworkProtocolNumber) {
+	var proto tcpip.NetworkProtocolNumber
+	var addr tcpip.Address
+	if ipp.Addr().Is4() {
+		proto = ipv4.ProtocolNumber
+		addr = tcpip.AddrFrom4(ipp.Addr().As4())
+	} else {
+		proto = ipv6.ProtocolNumber
+		addr = tcpip.AddrFrom16(ipp.Addr().As16())
+	}
+	return tcpip.FullAddress{
+		NIC:  settings.NICID,
+		Addr: addr,
+		Port: ipp.Port(),
+	}, proto
+}

intra/netstack/udp.go

@@ -15,7 +15,6 @@ import (
 	"github.com/celzero/firestack/intra/core"
 	"github.com/celzero/firestack/intra/log"
 	"github.com/celzero/firestack/intra/settings"
-	"gvisor.dev/gvisor/pkg/tcpip"
 
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 
@@ -30,7 +29,7 @@ type GUDPConnHandler interface {
 	// Proxy proxies data between conn (src) and dst.
 	Proxy(conn *GUDPConn, src, dst netip.AddrPort) bool
 	// ProxyMux proxies data between conn and multiple destinations.
-	ProxyMux(conn *GUDPConn, src netip.AddrPort) bool
+	ProxyMux(conn *GUDPConn, src, dst netip.AddrPort) bool
 	// Error notes the error in connecting src to dst.
 	Error(conn *GUDPConn, src, dst netip.AddrPort, err error)
 	// CloseConns closes conns by ids, or all if ids is empty.
@@ -42,21 +41,26 @@ type GUDPConnHandler interface {
 var _ core.UDPConn = (*GUDPConn)(nil)
 
 type GUDPConn struct {
-	c   *core.Volatile[*gonet.UDPConn] // conn exposes UDP semantics atop endpoint
-	ep  *core.Volatile[tcpip.Endpoint] // ep is the endpoint for netstack io
-	src netip.AddrPort                 // local addr (remote addr in netstack)
-	dst netip.AddrPort                 // remote addr (local addr in netstack)
-	req *udp.ForwarderRequest          // egress request as UDP
+	stack *stack.Stack
+	c     *core.Volatile[*gonet.UDPConn] // conn exposes UDP semantics atop endpoint
+	src   netip.AddrPort                 // local addr (remote addr in netstack)
+	dst   netip.AddrPort                 // remote addr (local addr in netstack)
+	req   *udp.ForwarderRequest          // egress request as UDP
+
+	eim bool // endpoint is muxed
+	eif bool // endpoint is transparent
 }
 
 // ref: github.com/google/gvisor/blob/e89e736f1/pkg/tcpip/adapters/gonet/gonet_test.go#L373
-func makeGUDPConn(r *udp.ForwarderRequest, src, dst netip.AddrPort) *GUDPConn {
+func makeGUDPConn(s *stack.Stack, r *udp.ForwarderRequest, src, dst netip.AddrPort) *GUDPConn {
 	return &GUDPConn{
-		c:   core.NewZeroVolatile[*gonet.UDPConn](),
-		ep:  core.NewZeroVolatile[tcpip.Endpoint](),
-		src: src,
-		dst: dst,
-		req: r,
+		stack: s,
+		c:     core.NewZeroVolatile[*gonet.UDPConn](),
+		src:   src,
+		dst:   dst,
+		req:   r,
+		eim:   settings.EndpointIndependentMapping.Load(),
+		eif:   settings.EndpointIndependentFiltering.Load(),
 	}
 }
 
@@ -90,11 +94,11 @@ func udpForwarder(s *stack.Stack, h GUDPConnHandler) *udp.Forwarder {
 		// multiple dst in the unconnected udp case.
 		dst := localAddrPort(id)
 
-		gc := makeGUDPConn(req, src, dst)
+		gc := makeGUDPConn(s, req, src, dst)
 		// setup to recv right away, so that netstack's internal state is consistent
 		// in case there are multiple forwarders dispatching from the TUN device.
 		if !settings.SingleThreaded.Load() {
-			if err := gc.tryConnect(); err != nil {
+			if err := gc.Establish(); err != nil {
 				log.E("ns: udp: forwarder: connect: %v; src(%v) dst(%v)", err, src, dst)
 				go h.Error(gc, src, dst, err)
 				return
@@ -103,10 +107,10 @@ func udpForwarder(s *stack.Stack, h GUDPConnHandler) *udp.Forwarder {
 
 		// proxy in a separate gorountine; return immediately
 		// why? netstack/dispatcher.go:newReadvDispatcher
-		if gc.connected() { // gc is connected udp; proxy it like a stream
-			go h.Proxy(gc, src, dst)
+		if gc.eim {
+			go h.ProxyMux(gc, src, dst)
 		} else {
-			go h.ProxyMux(gc, src)
+			go h.Proxy(gc, src, dst)
 		}
 	})
 }
@@ -119,17 +123,16 @@ func (g *GUDPConn) conn() *gonet.UDPConn {
 	return g.c.Load()
 }
 
-func (g *GUDPConn) endpoint() tcpip.Endpoint {
-	return g.ep.Load()
-}
-
 func (g *GUDPConn) StatefulTeardown() (fin bool) {
 	_ = g.tryConnect() // establish circuit then teardown
 	_ = g.Close()      // then shutdown
 	return true        // always fin
 }
 
-func (g *GUDPConn) Connect() error {
+func (g *GUDPConn) Establish() error {
+	if g.eif {
+		return g.tryBind()
+	}
 	return g.tryConnect()
 }
 
@@ -139,18 +142,33 @@ func (g *GUDPConn) tryConnect() error {
 	}
 
 	wq := new(waiter.Queue)
-	// use gonet.DialUDP instead?
 	if endpoint, err := g.req.CreateEndpoint(wq); err != nil {
 		// ex: CONNECT endpoint for [fd66:f83a:c650::1]:15753 => [fd66:f83a:c650::3]:53; err(no route to host)
 		log.E("ns: udp: connect: endpoint for %v => %v; err(%v)", g.src, g.dst, err)
 		return e(err)
 	} else {
-		g.ep.Store(endpoint)
 		g.c.Store(gonet.NewUDPConn(wq, endpoint))
 	}
 	return nil
 }
 
+func (g *GUDPConn) tryBind() error {
+	if g.ok() { // already setup
+		return nil
+	}
+
+	src, proto := addrport2nsaddr(g.src)
+	// unconnected socket w/ gonet.DialUDP
+	if conn, err := gonet.DialUDP(g.stack, &src, nil, proto); err != nil {
+		log.E("ns: udp: bind: endpoint for %v [=> %v]; err(%v)", g.src, g.dst, err)
+		return err
+	} else {
+		// todo: handle the first pkt like in g.req.CreateEndpoint
+		g.c.Store(conn)
+	}
+	return nil
+}
+
 func (g *GUDPConn) LocalAddr() (addr net.Addr) {
 	if c := g.conn(); c != nil {
 		addr = c.RemoteAddr()
@@ -227,15 +245,8 @@ func (g *GUDPConn) SetWriteDeadline(t time.Time) error {
 
 // Close closes the connection.
 func (g *GUDPConn) Close() error {
-	if ep := g.endpoint(); ep != nil {
-		ep.Abort()
-	}
 	if c := g.conn(); c != nil {
 		_ = c.Close()
 	}
 	return nil
 }
-
-func (g *GUDPConn) connected() bool {
-	return !g.dst.Addr().IsUnspecified()
-}

intra/settings/config.go

@@ -83,6 +83,14 @@ var Loopingback = atomic.Bool{}
 // in a single-threaded mode.
 var SingleThreaded = atomic.Bool{}
 
+// EndpointIndependentMapping is a global flag to enable endpoint-independent
+// mapping for UDP as per RFC 4787.
+var EndpointIndependentMapping = atomic.Bool{}
+
+// EndpointIndependentFiltering is a global flag to enable endpoint-independent
+// filtering for UDP as per RFC 4787.
+var EndpointIndependentFiltering = atomic.Bool{}
+
 // L3 returns the string'd repr of engine.
 func L3(engine int) string {
 	switch engine {