acl check

This commit is contained in:
alex 2026-03-24 15:55:21 +08:00
parent 2261d83e18
commit 1f46a15b11
7 changed files with 65 additions and 53 deletions


@ -1,4 +1,4 @@
self: self: libtun-so
RUSTFLAGS="-L ." cargo build --release RUSTFLAGS="-L ." cargo build --release
linux: libtun-so linux: libtun-so


@ -7,7 +7,7 @@ use crate::network::ipv6::run_ipv6;
use crate::network::{ use crate::network::{
get_edge, ping_to_sn, read_and_parse_packet, TunTapPacketHandler, get_edge, ping_to_sn, read_and_parse_packet, TunTapPacketHandler,
}; };
use crate::tcp::{init_identity_cache, init_quic_conn, send_stun_request}; use crate::tcp::{init_quic_conn, send_stun_request};
use crate::utils::{send_to_sock, CommandLine}; use crate::utils::{send_to_sock, CommandLine};
use crate::{ConnectionInfo}; use crate::{ConnectionInfo};
use sdlan_sn_rs::peer::{SdlanSock}; use sdlan_sn_rs::peer::{SdlanSock};
@ -31,8 +31,6 @@ pub async fn async_main(
// let _ = PidRecorder::new(".pid"); // let _ = PidRecorder::new(".pid");
let edge = get_edge(); let edge = get_edge();
init_identity_cache();
// let token = args.token.clone(); // let token = args.token.clone();
let cancel_tcp = cancel.clone(); let cancel_tcp = cancel.clone();
let (ipv6_network_restarter, rx) = channel(10); let (ipv6_network_restarter, rx) = channel(10);


@ -1,7 +1,8 @@
use std::{net::SocketAddr, sync::atomic::Ordering, time::Duration}; use std::{net::SocketAddr, sync::atomic::Ordering, time::Duration};
use crate::FiveTuple;
use crate::pb::SdlPolicyRequest; use crate::pb::SdlPolicyRequest;
use crate::tcp::{NatType, get_quic_write_conn, is_identity_ok}; use crate::tcp::{NatType, get_quic_write_conn};
use crate::{network::TunTapPacketHandler, utils::mac_to_string}; use crate::{network::TunTapPacketHandler, utils::mac_to_string};
use crate::{ use crate::{
@ -13,7 +14,7 @@ use crate::{
tcp::{PacketType}, tcp::{PacketType},
utils::{send_to_sock, Socket}, utils::{send_to_sock, Socket},
}; };
use etherparse::{Ethernet2Header, PacketHeaders, ip_number}; use etherparse::{Ethernet2Header, IpNumber, PacketHeaders, ip_number};
use prost::Message; use prost::Message;
use sdlan_sn_rs::utils::{BROADCAST_MAC}; use sdlan_sn_rs::utils::{BROADCAST_MAC};
use sdlan_sn_rs::{ use sdlan_sn_rs::{
@ -843,38 +844,6 @@ async fn renew_identity_request(eee: &Node, identity: u32) {
} }
} }
async fn check_identity_is_ok(eee: &Node, identity: u32, protocol: u8, port: u16) -> bool{
true
}
async fn check_identity_is_ok2(eee: &Node, identity: u32, protocol: u8, port: u16) -> bool{
let result = is_identity_ok(identity, protocol, port);
if result.1 {
renew_identity_request(eee, identity).await;
}
match result.0 {
Some(true) => {
// identity is ok
true
}
Some(false) => {
// identity is not allowed
warn!("identity is not allowed for protocol={:?}, port={}", protocol, port);
false
}
None => {
if !result.1 {
renew_identity_request(eee, identity).await;
} else {
// has been sent
}
false
// no such identity, should request for it
}
}
}
async fn handle_tun_packet( async fn handle_tun_packet(
eee: &Node, eee: &Node,
_from_sock: &SdlanSock, _from_sock: &SdlanSock,
@ -918,17 +887,35 @@ async fn handle_tun_packet(
match protocol { match protocol {
ip_number::TCP => { ip_number::TCP => {
let tcp_header = headers.transport.unwrap().tcp().unwrap(); let tcp_header = headers.transport.unwrap().tcp().unwrap();
let port = tcp_header.destination_port; let five_tuple = FiveTuple {
let src_port = tcp_header.source_port; src_ip: ipv4.destination.into(),
println!("tcp srcport={}, dstport={}", src_port, port); dst_ip: ipv4.source.into(),
if !check_identity_is_ok(eee, pkt.identity_id, protocol.0, port).await { src_port: tcp_header.destination_port,
dst_port: tcp_header.source_port,
proto:IpNumber::TCP.0,
};
let (valid, need_refresh) = eee.rule_cache.is_identity_ok(pkt.identity_id, five_tuple);
if need_refresh {
renew_identity_request(eee, pkt.identity_id).await;
}
if !valid {
return; return;
} }
} }
ip_number::UDP => { ip_number::UDP => {
let udp_header = headers.transport.unwrap().udp().unwrap(); let udp_header = headers.transport.unwrap().udp().unwrap();
let port = udp_header.destination_port; let five_tuple = FiveTuple {
if !check_identity_is_ok(eee, pkt.identity_id, protocol.0, port).await { src_ip: ipv4.destination.into(),
dst_ip: ipv4.source.into(),
src_port: udp_header.destination_port,
dst_port: udp_header.source_port,
proto:IpNumber::UDP.0,
};
let (valid, need_refresh) = eee.rule_cache.is_identity_ok(pkt.identity_id, five_tuple);
if need_refresh {
renew_identity_request(eee, pkt.identity_id).await;
}
if !valid {
return; return;
} }
} }
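Review bot: A packet rejected by the ACL at the two `if !valid { return; }` lines (TCP and UDP arms) is now dropped silently, whereas the removed `check_identity_is_ok2` emitted a `warn!` on denial, so this commit loses the only record an operator had of rejected identities. Suggest `if !valid { warn!("identity {} denied for proto={} dst_port={}", pkt.identity_id, protocol.0, tcp_header.destination_port); return; }` in the TCP arm and the same with `udp_header` in the UDP arm (`warn!` was already used in this file), or a counter if log volume is a concern. The tuple is also built with source and destination swapped relative to the packet (`src_ip: ipv4.destination.into()`), which presumably matches the orientation recorded by `touch_packet` on the outbound path; a comment such as `// reversed: look up the outbound session this reply belongs to` would save the next reader from guessing, and the two near-identical arms could share a small helper taking the two ports and the protocol. handle_tun_packet starts and ends outside the hunk.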

View File

@ -260,10 +260,40 @@ impl TunTapPacketHandler for Iface {
etherparse::NetHeaders::Ipv4(ipv4, _) => { etherparse::NetHeaders::Ipv4(ipv4, _) => {
use etherparse::ip_number::{self, ICMP}; use etherparse::ip_number::{self, ICMP};
use crate::FiveTuple;
use etherparse::IpNumber;
if let Some(transport) = headers.transport { if let Some(transport) = headers.transport {
if let Some(tcp) = transport.tcp() { match ipv4.protocol {
IpNumber::TCP => {
let tcp = transport.tcp().unwrap();
let out_five_tuple = FiveTuple {
src_ip: ipv4.source.into(),
dst_ip: ipv4.destination.into(),
src_port: tcp.source_port,
dst_port: tcp.destination_port,
proto: IpNumber::TCP.0,
};
edge.rule_cache.touch_packet(out_five_tuple);
// is tcp // is tcp
}
IpNumber::UDP => {
let udp = transport.tcp().unwrap();
let out_five_tuple = FiveTuple {
src_ip: ipv4.source.into(),
dst_ip: ipv4.destination.into(),
src_port: udp.source_port,
dst_port: udp.destination_port,
proto: IpNumber::UDP.0,
};
edge.rule_cache.touch_packet(out_five_tuple);
}
_other => {
}
} }
} }
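Review bot: In the `IpNumber::UDP` arm the header is fetched with `let udp = transport.tcp().unwrap();`, which for a UDP transport header yields `None` and panics, so the first outbound UDP packet would take the packet handler down; it compiles only because `TcpHeader` and `UdpHeader` both expose `source_port`/`destination_port`. The fix is `let udp = transport.udp().unwrap();`. A more robust shape that removes both unwraps and the parallel `ipv4.protocol` match is to match on `transport` itself (`TransportHeader::Tcp(tcp)` / `TransportHeader::Udp(udp)` / `_ => {}`), which also guarantees the header type and the `proto` field cannot drift apart. The `_other => {}` arm could carry a one-line comment naming that ICMP and other protocols are intentionally not tracked. The enclosing impl block continues outside the hunk.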


@ -2,11 +2,8 @@ mod tcp_codec;
// mod tcp_conn; // mod tcp_conn;
mod quic; mod quic;
mod identity_cache;
pub use tcp_codec::*; pub use tcp_codec::*;
pub use quic::*; pub use quic::*;
pub use identity_cache::*;
// pub use tcp_conn::*; // pub use tcp_conn::*;


@ -9,7 +9,7 @@ use tokio::{sync::mpsc::{Receiver, Sender, channel}, time::sleep};
use tokio_util::sync::CancellationToken; use tokio_util::sync::CancellationToken;
use tracing::{debug, error, warn}; use tracing::{debug, error, warn};
use crate::{AesEncryptor, Chacha20Encryptor, ConnectionInfo, ConnectionState, MyEncryptor, config::{NULL_MAC, TCP_PING_TIME}, get_edge, network::{ARP_REPLY, ArpHdr, EthHdr, Node, RegisterSuperFeedback, StartStopInfo, check_peer_registration_needed, handle_packet_peer_info}, pb::{SdlArpResponse, SdlPolicyResponse, SdlRegisterSuper, SdlRegisterSuperAck, SdlRegisterSuperNak, SdlSendRegisterEvent, encode_to_tcp_message}, tcp::{EventType, NakMsgCode, NatType, PacketType, RuleInfo, SdlanTcp, read_a_packet, send_stun_request, set_identity_cache}}; use crate::{AesEncryptor, Chacha20Encryptor, ConnectionInfo, ConnectionState, MyEncryptor, RuleFromServer, config::{NULL_MAC, TCP_PING_TIME}, get_edge, network::{ARP_REPLY, ArpHdr, EthHdr, Node, RegisterSuperFeedback, StartStopInfo, check_peer_registration_needed, handle_packet_peer_info}, pb::{SdlArpResponse, SdlPolicyResponse, SdlRegisterSuper, SdlRegisterSuperAck, SdlRegisterSuperNak, SdlSendRegisterEvent, encode_to_tcp_message}, tcp::{EventType, NakMsgCode, NatType, PacketType, SdlanTcp, read_a_packet, send_stun_request}};
static GLOBAL_QUIC_HANDLE: OnceLock<ReadWriterHandle> = OnceLock::new(); static GLOBAL_QUIC_HANDLE: OnceLock<ReadWriterHandle> = OnceLock::new();
@ -245,13 +245,13 @@ async fn handle_tcp_message(msg: SdlanTcp) {
let port = u16::from_be_bytes([policy.rules[start+1], policy.rules[start+2]]); let port = u16::from_be_bytes([policy.rules[start+1], policy.rules[start+2]]);
start += 3; start += 3;
infos.push(RuleInfo{ infos.push(RuleFromServer{
proto, proto,
port, port,
}); });
} }
set_identity_cache(identity, infos); edge.rule_cache.set_identity_cache(identity, infos);
} }
PacketType::RegisterSuperNAK => { PacketType::RegisterSuperNAK => {
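Review bot: The rule parsing kept by this hunk reads `policy.rules[start+1]` and `policy.rules[start+2]` from the server-supplied byte vector and then advances `start += 3`; if the loop condition (outside the hunk) only checks that `start` is below `policy.rules.len()`, a truncated or malformed policy message indexes past the end and panics the task handling the connection. A bounds-safe form such as `for chunk in policy.rules[start..].chunks_exact(3)` with `let port = u16::from_be_bytes([chunk[1], chunk[2]]);` removes the indexing entirely; if the loop already guarantees three remaining bytes, a comment stating that invariant next to the index expressions would make it auditable. Where `edge` in `edge.rule_cache.set_identity_cache(identity, infos)` is bound is not visible in the hunk.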


@ -132,7 +132,7 @@ impl RuleCache {
self.rule_info.insert(identity, (AtomicU64::new(now) , now_sets)); self.rule_info.insert(identity, (AtomicU64::new(now) , now_sets));
} }
fn handle_packet_in(&self, info: FiveTuple) { pub fn touch_packet(&self, info: FiveTuple) {
self.session_table.add_session_info(info); self.session_table.add_session_info(info);
} }