diff --git a/Makefile b/Makefile
index 896b124..a95c469 100755
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-self:
+self: libtun-so
 RUSTFLAGS="-L ." cargo build --release
 linux: libtun-so
diff --git a/src/network/async_main.rs b/src/network/async_main.rs
index b7303a6..9ae80fa 100755
--- a/src/network/async_main.rs
+++ b/src/network/async_main.rs
@@ -7,7 +7,7 @@ use crate::network::ipv6::run_ipv6;
 use crate::network::{
 get_edge, ping_to_sn, read_and_parse_packet, TunTapPacketHandler,
 };
-use crate::tcp::{init_identity_cache, init_quic_conn, send_stun_request};
+use crate::tcp::{init_quic_conn, send_stun_request};
 use crate::utils::{send_to_sock, CommandLine};
 use crate::{ConnectionInfo};
 use sdlan_sn_rs::peer::{SdlanSock};
@@ -31,8 +31,6 @@ pub async fn async_main(
 // let _ = PidRecorder::new(".pid");
 let edge = get_edge();
- init_identity_cache();
-
 // let token = args.token.clone();
 let cancel_tcp = cancel.clone();
 let (ipv6_network_restarter, rx) = channel(10);
diff --git a/src/network/packet.rs b/src/network/packet.rs
index 36fea60..e56475e 100755
--- a/src/network/packet.rs
+++ b/src/network/packet.rs
@@ -1,7 +1,8 @@
 use std::{net::SocketAddr, sync::atomic::Ordering, time::Duration};
+use crate::FiveTuple;
 use crate::pb::SdlPolicyRequest;
-use crate::tcp::{NatType, get_quic_write_conn, is_identity_ok};
+use crate::tcp::{NatType, get_quic_write_conn};
 use crate::{network::TunTapPacketHandler, utils::mac_to_string};
 use crate::{
@@ -13,7 +14,7 @@ use crate::{
 tcp::{PacketType},
 utils::{send_to_sock, Socket},
 };
-use etherparse::{Ethernet2Header, PacketHeaders, ip_number};
+use etherparse::{Ethernet2Header, IpNumber, PacketHeaders, ip_number};
 use prost::Message;
 use sdlan_sn_rs::utils::{BROADCAST_MAC};
 use sdlan_sn_rs::{
@@ -843,38 +844,6 @@ async fn renew_identity_request(eee: &Node, identity: u32) {
 }
 }
-async fn check_identity_is_ok(eee: &Node, identity: u32, protocol: u8, port: u16) -> bool{
- true
-}
-
-async fn check_identity_is_ok2(eee: &Node, identity: u32, protocol: u8, port: u16) -> bool{
- let result = is_identity_ok(identity, protocol, port);
- if result.1 {
- renew_identity_request(eee, identity).await;
- }
- match result.0 {
- Some(true) => {
- // identity is ok
- true
- }
- Some(false) => {
- // identity is not allowed
- warn!("identity is not allowed for protocol={:?}, port={}", protocol, port);
- false
- }
- None => {
- if !result.1 {
- renew_identity_request(eee, identity).await;
- } else {
- // has been sent
- }
- false
- // no such identity, should request for it
- }
- }
-
-}
-
 async fn handle_tun_packet(
 eee: &Node,
 _from_sock: &SdlanSock,
@@ -918,17 +887,35 @@ async fn handle_tun_packet(
 match protocol {
 ip_number::TCP => {
 let tcp_header = headers.transport.unwrap().tcp().unwrap();
- let port = tcp_header.destination_port;
- let src_port = tcp_header.source_port;
- println!("tcp srcport={}, dstport={}", src_port, port);
- if !check_identity_is_ok(eee, pkt.identity_id, protocol.0, port).await {
+ let five_tuple = FiveTuple {
+ src_ip: ipv4.destination.into(),
+ dst_ip: ipv4.source.into(),
+ src_port: tcp_header.destination_port,
+ dst_port: tcp_header.source_port,
+ proto:IpNumber::TCP.0,
+ };
+ let (valid, need_refresh) = eee.rule_cache.is_identity_ok(pkt.identity_id, five_tuple);
+ if need_refresh {
+ renew_identity_request(eee, pkt.identity_id).await;
+ }
+ if !valid {
 return;
 }
 }
 ip_number::UDP => {
 let udp_header = headers.transport.unwrap().udp().unwrap();
- let port = udp_header.destination_port;
- if !check_identity_is_ok(eee, pkt.identity_id, protocol.0, port).await {
+ let five_tuple = FiveTuple {
+ src_ip: ipv4.destination.into(),
+ dst_ip: ipv4.source.into(),
+ src_port: udp_header.destination_port,
+ dst_port: udp_header.source_port,
+ proto:IpNumber::UDP.0,
+ };
+ let (valid, need_refresh) = eee.rule_cache.is_identity_ok(pkt.identity_id, five_tuple);
+ if need_refresh {
+ renew_identity_request(eee, pkt.identity_id).await;
+ }
+ if !valid {
 return;
 }
 }
diff --git a/src/network/tun_linux.rs b/src/network/tun_linux.rs
index e80c435..86c793a 100755
--- a/src/network/tun_linux.rs
+++ b/src/network/tun_linux.rs
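Review bot: The two new arms build the session key with the packet's own addresses and ports swapped (`src_ip: ipv4.destination.into()`, `src_port: tcp_header.destination_port`), which only works if the lookup is keyed on the outbound tuple that `touch_packet` records, and nothing says so; a comment such as `// Mirror the inbound tuple so it matches the outbound session recorded by touch_packet()` on the `FiveTuple {` line is needed, and pulling the construction plus the `is_identity_ok`/refresh/`!valid` sequence into two small helpers keeps the TCP and UDP arms from drifting. The ordering in the new code is sound from a policy standpoint because `!valid` returns before the packet is delivered, so an unknown identity fails closed while the refresh is in flight; keep that. The `headers.transport.unwrap()` calls on the context lines will still panic on an IPv4 fragment or any packet whose transport etherparse did not parse, so an `if let` that drops the packet would be safer (assuming `ipv4` is an `etherparse::Ipv4Header` with `[u8; 4]` addresses). handle_tun_packet starts before and continues after this hunk.
```rust
// Session key for an inbound packet, mirrored (src/dst swapped) so it matches
// the outbound tuple that touch_packet() recorded when the local side sent.
fn reply_five_tuple(ipv4_src: [u8; 4], ipv4_dst: [u8; 4], src_port: u16, dst_port: u16, proto: u8) -> FiveTuple {
    FiveTuple {
        src_ip: ipv4_dst.into(),
        dst_ip: ipv4_src.into(),
        src_port: dst_port,
        dst_port: src_port,
        proto,
    }
}

// Consult the rule cache, trigger a refresh when asked, and fail closed (false)
// until the identity is known to be allowed.
async fn identity_allows(eee: &Node, identity: u32, five_tuple: FiveTuple) -> bool {
    let (valid, need_refresh) = eee.rule_cache.is_identity_ok(identity, five_tuple);
    if need_refresh {
        renew_identity_request(eee, identity).await;
    }
    valid
}

// … unchanged: handle_tun_packet up to `match protocol {` …
ip_number::TCP => {
    let tcp_header = headers.transport.unwrap().tcp().unwrap();
    let five_tuple = reply_five_tuple(ipv4.source, ipv4.destination, tcp_header.source_port, tcp_header.destination_port, IpNumber::TCP.0);
    if !identity_allows(eee, pkt.identity_id, five_tuple).await {
        return;
    }
}
// … unchanged: UDP arm, same shape with udp_header and IpNumber::UDP …
```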
@@ -260,10 +260,40 @@ impl TunTapPacketHandler for Iface {
 etherparse::NetHeaders::Ipv4(ipv4, _) => {
 use etherparse::ip_number::{self, ICMP};
-
+ use crate::FiveTuple;
+ use etherparse::IpNumber;
+
 if let Some(transport) = headers.transport {
- if let Some(tcp) = transport.tcp() {
+ match ipv4.protocol {
+ IpNumber::TCP => {
+ let tcp = transport.tcp().unwrap();
+
+ let out_five_tuple = FiveTuple {
+ src_ip: ipv4.source.into(),
+ dst_ip: ipv4.destination.into(),
+ src_port: tcp.source_port,
+ dst_port: tcp.destination_port,
+ proto: IpNumber::TCP.0,
+ };
+
+ edge.rule_cache.touch_packet(out_five_tuple); // is tcp
+ }
+ IpNumber::UDP => {
+ let udp = transport.tcp().unwrap();
+
+ let out_five_tuple = FiveTuple {
+ src_ip: ipv4.source.into(),
+ dst_ip: ipv4.destination.into(),
+ src_port: udp.source_port,
+ dst_port: udp.destination_port,
+ proto: IpNumber::UDP.0,
+ };
+ edge.rule_cache.touch_packet(out_five_tuple);
+ }
+ _other => {
+
+ }
 }
 }
diff --git a/src/tcp/mod.rs b/src/tcp/mod.rs
index 555dee6..5313877 100755
--- a/src/tcp/mod.rs
+++ b/src/tcp/mod.rs
@@ -2,11 +2,8 @@ mod tcp_codec;
 // mod tcp_conn;
 mod quic;
-mod identity_cache;
-
 pub use tcp_codec::*;
 pub use quic::*;
-pub use identity_cache::*;
 // pub use tcp_conn::*;
diff --git a/src/tcp/quic.rs b/src/tcp/quic.rs
index 004fd6c..ef2f129 100644
--- a/src/tcp/quic.rs
+++ b/src/tcp/quic.rs
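Review bot: The UDP arm reads the header with `let udp = transport.tcp().unwrap();`, so for every outbound UDP packet `tcp()` is `None` and the `unwrap()` panics inside the packet handler; it has to be `let udp = transport.udp().unwrap();`. Since `ipv4.protocol` is already matched, both arms are better written as `if let Some(udp) = transport.udp() { … }` (and likewise for TCP) so a disagreement between the IP protocol field and what etherparse parsed never reaches a panic path. As written no UDP session is ever recorded in `rule_cache`, which presumably makes inbound UDP replies fail the identity check in handle_tun_packet, so a regression test that pushes one UDP frame through `touch_packet` is worth adding. The empty `_other => {}` arm should say why, e.g. `// Only TCP and UDP sessions are tracked; other protocols are not keyed`. The enclosing handler method begins and ends outside this hunk.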
@@ -9,7 +9,7 @@ use tokio::{sync::mpsc::{Receiver, Sender, channel}, time::sleep};
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, error, warn};
-use crate::{AesEncryptor, Chacha20Encryptor, ConnectionInfo, ConnectionState, MyEncryptor, config::{NULL_MAC, TCP_PING_TIME}, get_edge, network::{ARP_REPLY, ArpHdr, EthHdr, Node, RegisterSuperFeedback, StartStopInfo, check_peer_registration_needed, handle_packet_peer_info}, pb::{SdlArpResponse, SdlPolicyResponse, SdlRegisterSuper, SdlRegisterSuperAck, SdlRegisterSuperNak, SdlSendRegisterEvent, encode_to_tcp_message}, tcp::{EventType, NakMsgCode, NatType, PacketType, RuleInfo, SdlanTcp, read_a_packet, send_stun_request, set_identity_cache}};
+use crate::{AesEncryptor, Chacha20Encryptor, ConnectionInfo, ConnectionState, MyEncryptor, RuleFromServer, config::{NULL_MAC, TCP_PING_TIME}, get_edge, network::{ARP_REPLY, ArpHdr, EthHdr, Node, RegisterSuperFeedback, StartStopInfo, check_peer_registration_needed, handle_packet_peer_info}, pb::{SdlArpResponse, SdlPolicyResponse, SdlRegisterSuper, SdlRegisterSuperAck, SdlRegisterSuperNak, SdlSendRegisterEvent, encode_to_tcp_message}, tcp::{EventType, NakMsgCode, NatType, PacketType, SdlanTcp, read_a_packet, send_stun_request}};
 static GLOBAL_QUIC_HANDLE: OnceLock = OnceLock::new();
@@ -245,13 +245,13 @@ async fn handle_tcp_message(msg: SdlanTcp) {
 let port = u16::from_be_bytes([policy.rules[start+1], policy.rules[start+2]]);
 start += 3;
- infos.push(RuleInfo{
+ infos.push(RuleFromServer{
 proto,
 port,
 });
 }
- set_identity_cache(identity, infos);
+ edge.rule_cache.set_identity_cache(identity, infos);
 }
 PacketType::RegisterSuperNAK => {
diff --git a/src/utils/acl_session.rs b/src/utils/acl_session.rs
index 98daa11..7b3ee9b 100644
--- a/src/utils/acl_session.rs
+++ b/src/utils/acl_session.rs
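Review bot: `edge.rule_cache.set_identity_cache(identity, infos)` in the second hunk depends on an `edge` binding the hunk does not show; `get_edge` is imported in this file, so it is presumably obtained earlier in handle_tcp_message, but if it is not, it must be fetched before the policy is applied. The decoding loop this change edits reads `policy.rules[start+1]` and `policy.rules[start+2]` on the context lines with no length check, so a truncated `policy.rules` buffer from the remote side panics the message handler; assuming `rules` is a byte vector, `let Some(chunk) = policy.rules.get(start..start + 3) else { break; };` (or rejecting the whole policy) fails closed instead of crashing. The rename to `RuleFromServer` is fine as long as the type still carries only `proto` and `port`. handle_tcp_message begins and ends outside the hunk.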
@@ -132,7 +132,7 @@ impl RuleCache {
 self.rule_info.insert(identity, (AtomicU64::new(now) , now_sets));
 }
- fn handle_packet_in(&self, info: FiveTuple) {
+ pub fn touch_packet(&self, info: FiveTuple) {
 self.session_table.add_session_info(info);
 }