acl check
This commit is contained in:
parent
2261d83e18
commit
1f46a15b11
2
Makefile
2
Makefile
@ -1,4 +1,4 @@
|
||||
self:
|
||||
self: libtun-so
|
||||
RUSTFLAGS="-L ." cargo build --release
|
||||
|
||||
linux: libtun-so
|
||||
|
||||
@ -7,7 +7,7 @@ use crate::network::ipv6::run_ipv6;
|
||||
use crate::network::{
|
||||
get_edge, ping_to_sn, read_and_parse_packet, TunTapPacketHandler,
|
||||
};
|
||||
use crate::tcp::{init_identity_cache, init_quic_conn, send_stun_request};
|
||||
use crate::tcp::{init_quic_conn, send_stun_request};
|
||||
use crate::utils::{send_to_sock, CommandLine};
|
||||
use crate::{ConnectionInfo};
|
||||
use sdlan_sn_rs::peer::{SdlanSock};
|
||||
@ -31,8 +31,6 @@ pub async fn async_main(
|
||||
// let _ = PidRecorder::new(".pid");
|
||||
let edge = get_edge();
|
||||
|
||||
init_identity_cache();
|
||||
|
||||
// let token = args.token.clone();
|
||||
let cancel_tcp = cancel.clone();
|
||||
let (ipv6_network_restarter, rx) = channel(10);
|
||||
|
||||
@ -1,7 +1,8 @@
|
||||
use std::{net::SocketAddr, sync::atomic::Ordering, time::Duration};
|
||||
|
||||
use crate::FiveTuple;
|
||||
use crate::pb::SdlPolicyRequest;
|
||||
use crate::tcp::{NatType, get_quic_write_conn, is_identity_ok};
|
||||
use crate::tcp::{NatType, get_quic_write_conn};
|
||||
use crate::{network::TunTapPacketHandler, utils::mac_to_string};
|
||||
|
||||
use crate::{
|
||||
@ -13,7 +14,7 @@ use crate::{
|
||||
tcp::{PacketType},
|
||||
utils::{send_to_sock, Socket},
|
||||
};
|
||||
use etherparse::{Ethernet2Header, PacketHeaders, ip_number};
|
||||
use etherparse::{Ethernet2Header, IpNumber, PacketHeaders, ip_number};
|
||||
use prost::Message;
|
||||
use sdlan_sn_rs::utils::{BROADCAST_MAC};
|
||||
use sdlan_sn_rs::{
|
||||
@ -843,38 +844,6 @@ async fn renew_identity_request(eee: &Node, identity: u32) {
|
||||
}
|
||||
}
|
||||
|
||||
async fn check_identity_is_ok(eee: &Node, identity: u32, protocol: u8, port: u16) -> bool{
|
||||
true
|
||||
}
|
||||
|
||||
async fn check_identity_is_ok2(eee: &Node, identity: u32, protocol: u8, port: u16) -> bool{
|
||||
let result = is_identity_ok(identity, protocol, port);
|
||||
if result.1 {
|
||||
renew_identity_request(eee, identity).await;
|
||||
}
|
||||
match result.0 {
|
||||
Some(true) => {
|
||||
// identity is ok
|
||||
true
|
||||
}
|
||||
Some(false) => {
|
||||
// identity is not allowed
|
||||
warn!("identity is not allowed for protocol={:?}, port={}", protocol, port);
|
||||
false
|
||||
}
|
||||
None => {
|
||||
if !result.1 {
|
||||
renew_identity_request(eee, identity).await;
|
||||
} else {
|
||||
// has been sent
|
||||
}
|
||||
false
|
||||
// no such identity, should request for it
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
async fn handle_tun_packet(
|
||||
eee: &Node,
|
||||
_from_sock: &SdlanSock,
|
||||
@ -918,17 +887,35 @@ async fn handle_tun_packet(
|
||||
match protocol {
|
||||
ip_number::TCP => {
|
||||
let tcp_header = headers.transport.unwrap().tcp().unwrap();
|
||||
let port = tcp_header.destination_port;
|
||||
let src_port = tcp_header.source_port;
|
||||
println!("tcp srcport={}, dstport={}", src_port, port);
|
||||
if !check_identity_is_ok(eee, pkt.identity_id, protocol.0, port).await {
|
||||
let five_tuple = FiveTuple {
|
||||
src_ip: ipv4.destination.into(),
|
||||
dst_ip: ipv4.source.into(),
|
||||
src_port: tcp_header.destination_port,
|
||||
dst_port: tcp_header.source_port,
|
||||
proto:IpNumber::TCP.0,
|
||||
};
|
||||
let (valid, need_refresh) = eee.rule_cache.is_identity_ok(pkt.identity_id, five_tuple);
|
||||
if need_refresh {
|
||||
renew_identity_request(eee, pkt.identity_id).await;
|
||||
}
|
||||
if !valid {
|
||||
return;
|
||||
}
|
||||
}
|
||||
ip_number::UDP => {
|
||||
let udp_header = headers.transport.unwrap().udp().unwrap();
|
||||
let port = udp_header.destination_port;
|
||||
if !check_identity_is_ok(eee, pkt.identity_id, protocol.0, port).await {
|
||||
let five_tuple = FiveTuple {
|
||||
src_ip: ipv4.destination.into(),
|
||||
dst_ip: ipv4.source.into(),
|
||||
src_port: udp_header.destination_port,
|
||||
dst_port: udp_header.source_port,
|
||||
proto:IpNumber::UDP.0,
|
||||
};
|
||||
let (valid, need_refresh) = eee.rule_cache.is_identity_ok(pkt.identity_id, five_tuple);
|
||||
if need_refresh {
|
||||
renew_identity_request(eee, pkt.identity_id).await;
|
||||
}
|
||||
if !valid {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
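Review bot: The new deny path `if !valid { return; }` in both the TCP and UDP arms drops the packet silently, so a rejected identity leaves no trace in the logs — the `check_identity_is_ok2` this commit deletes at least emitted `warn!("identity is not allowed for protocol={:?}, port={}", ...)`, and without that signal a misconfigured or probing peer is invisible to whoever operates the edge. Both arms also repeat the same lookup/refresh/drop sequence, so I would move it into one helper that logs the denial and call it from each arm (sketch below; assumes `warn!` is still imported in this file after the deletion hunk). The context lines `headers.transport.unwrap().tcp().unwrap()` and the UDP equivalent panic on a packet whose IP protocol field says TCP/UDP but whose transport header did not parse; because `pkt` arrives from a remote peer this is a remotely triggerable crash of the data path and should become a `let Some(..) = .. else { return; }` guard. The `println!("tcp srcport={}, dstport={}", ...)` on every inbound TCP packet looks like leftover debugging and belongs at `debug!` level or removed. handle_tun_packet starts before and continues after this hunk, so what happens to non-TCP/UDP protocols is not visible here.
```rust
/// Checks one inbound flow against the rule cache for `identity`, asks the SN to refresh the
/// entry when the cache requests it, and logs denials so they are visible to operators.
/// Returns true when the packet may be delivered to the TUN device.
async fn inbound_flow_allowed(eee: &Node, identity: u32, five_tuple: FiveTuple) -> bool {
    let (proto, local_port) = (five_tuple.proto, five_tuple.src_port);
    let (valid, need_refresh) = eee.rule_cache.is_identity_ok(identity, five_tuple);
    if need_refresh {
        renew_identity_request(eee, identity).await;
    }
    if !valid {
        warn!("identity {} not allowed: proto={} port={}", identity, proto, local_port);
    }
    valid
}

// … in handle_tun_packet, each of the TCP and UDP arms becomes:
// … unchanged: header extraction and five_tuple construction …
if !inbound_flow_allowed(eee, pkt.identity_id, five_tuple).await {
    return;
}
```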
@ -260,10 +260,40 @@ impl TunTapPacketHandler for Iface {
|
||||
etherparse::NetHeaders::Ipv4(ipv4, _) => {
|
||||
use etherparse::ip_number::{self, ICMP};
|
||||
|
||||
use crate::FiveTuple;
|
||||
use etherparse::IpNumber;
|
||||
|
||||
if let Some(transport) = headers.transport {
|
||||
if let Some(tcp) = transport.tcp() {
|
||||
match ipv4.protocol {
|
||||
IpNumber::TCP => {
|
||||
let tcp = transport.tcp().unwrap();
|
||||
|
||||
let out_five_tuple = FiveTuple {
|
||||
src_ip: ipv4.source.into(),
|
||||
dst_ip: ipv4.destination.into(),
|
||||
src_port: tcp.source_port,
|
||||
dst_port: tcp.destination_port,
|
||||
proto: IpNumber::TCP.0,
|
||||
};
|
||||
|
||||
edge.rule_cache.touch_packet(out_five_tuple);
|
||||
// is tcp
|
||||
}
|
||||
IpNumber::UDP => {
|
||||
let udp = transport.tcp().unwrap();
|
||||
|
||||
let out_five_tuple = FiveTuple {
|
||||
src_ip: ipv4.source.into(),
|
||||
dst_ip: ipv4.destination.into(),
|
||||
src_port: udp.source_port,
|
||||
dst_port: udp.destination_port,
|
||||
proto: IpNumber::UDP.0,
|
||||
};
|
||||
edge.rule_cache.touch_packet(out_five_tuple);
|
||||
}
|
||||
_other => {
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
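Review bot: The outer guard `if let Some(tcp) = transport.tcp()` only admits packets whose transport header parsed as TCP, so the `IpNumber::UDP` arm is never reached for real UDP traffic and outbound UDP flows are never recorded with `edge.rule_cache.touch_packet`; if the inbound ACL in handle_tun_packet depends on that session entry, UDP reply traffic will be denied. Should the arm ever be entered, `let udp = transport.tcp().unwrap();` panics instead of reading the UDP header. I would drop the outer guard, match on `ipv4.protocol` directly, and fetch the header inside each arm with its own accessor (sketch below; the by-value vs by-reference shape of etherparse's `tcp()`/`udp()` accessors should be checked against the version in use). The `use crate::FiveTuple;` and `use etherparse::IpNumber;` placed inside the match arm would read better at the top of the file. The enclosing method of `impl TunTapPacketHandler for Iface` starts before this hunk and the closing brace of `if let Some(transport)` falls after it.
```rust
if let Some(transport) = headers.transport {
    match ipv4.protocol {
        IpNumber::TCP => {
            if let Some(tcp) = transport.tcp() {
                // … unchanged: out_five_tuple built from tcp.source_port / tcp.destination_port …
                edge.rule_cache.touch_packet(out_five_tuple);
            }
        }
        IpNumber::UDP => {
            if let Some(udp) = transport.udp() {
                // … unchanged: out_five_tuple built from udp.source_port / udp.destination_port, proto IpNumber::UDP.0 …
                edge.rule_cache.touch_packet(out_five_tuple);
            }
        }
        _other => {}
    }
```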
||||
@ -2,11 +2,8 @@ mod tcp_codec;
|
||||
// mod tcp_conn;
|
||||
mod quic;
|
||||
|
||||
mod identity_cache;
|
||||
|
||||
pub use tcp_codec::*;
|
||||
pub use quic::*;
|
||||
pub use identity_cache::*;
|
||||
|
||||
|
||||
// pub use tcp_conn::*;
|
||||
|
||||
@ -9,7 +9,7 @@ use tokio::{sync::mpsc::{Receiver, Sender, channel}, time::sleep};
|
||||
use tokio_util::sync::CancellationToken;
|
||||
use tracing::{debug, error, warn};
|
||||
|
||||
use crate::{AesEncryptor, Chacha20Encryptor, ConnectionInfo, ConnectionState, MyEncryptor, config::{NULL_MAC, TCP_PING_TIME}, get_edge, network::{ARP_REPLY, ArpHdr, EthHdr, Node, RegisterSuperFeedback, StartStopInfo, check_peer_registration_needed, handle_packet_peer_info}, pb::{SdlArpResponse, SdlPolicyResponse, SdlRegisterSuper, SdlRegisterSuperAck, SdlRegisterSuperNak, SdlSendRegisterEvent, encode_to_tcp_message}, tcp::{EventType, NakMsgCode, NatType, PacketType, RuleInfo, SdlanTcp, read_a_packet, send_stun_request, set_identity_cache}};
|
||||
use crate::{AesEncryptor, Chacha20Encryptor, ConnectionInfo, ConnectionState, MyEncryptor, RuleFromServer, config::{NULL_MAC, TCP_PING_TIME}, get_edge, network::{ARP_REPLY, ArpHdr, EthHdr, Node, RegisterSuperFeedback, StartStopInfo, check_peer_registration_needed, handle_packet_peer_info}, pb::{SdlArpResponse, SdlPolicyResponse, SdlRegisterSuper, SdlRegisterSuperAck, SdlRegisterSuperNak, SdlSendRegisterEvent, encode_to_tcp_message}, tcp::{EventType, NakMsgCode, NatType, PacketType, SdlanTcp, read_a_packet, send_stun_request}};
|
||||
|
||||
static GLOBAL_QUIC_HANDLE: OnceLock<ReadWriterHandle> = OnceLock::new();
|
||||
|
||||
@ -245,13 +245,13 @@ async fn handle_tcp_message(msg: SdlanTcp) {
|
||||
let port = u16::from_be_bytes([policy.rules[start+1], policy.rules[start+2]]);
|
||||
start += 3;
|
||||
|
||||
infos.push(RuleInfo{
|
||||
infos.push(RuleFromServer{
|
||||
proto,
|
||||
port,
|
||||
});
|
||||
}
|
||||
|
||||
set_identity_cache(identity, infos);
|
||||
edge.rule_cache.set_identity_cache(identity, infos);
|
||||
}
|
||||
|
||||
PacketType::RegisterSuperNAK => {
|
||||
|
||||
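Review bot: The rule parsing that now feeds `edge.rule_cache.set_identity_cache(identity, infos)` indexes `policy.rules[start+1]` and `policy.rules[start+2]` and then does `start += 3`; the loop header is outside this hunk, and unless it guarantees three bytes remain, a short or truncated policy payload from the SN panics the QUIC message handler instead of being rejected. Iterating with `chunks_exact(3)` removes the indexing entirely: `for r in policy.rules.chunks_exact(3) { infos.push(RuleFromServer { proto: r[0], port: u16::from_be_bytes([r[1], r[2]]) }); }`, followed by a `warn!` when `.remainder()` is non-empty so a malformed policy is visible rather than silently shortened. I am inferring the 3-byte proto/port layout from the two visible lines; confirm it against the encoder before changing the loop. Since this call appears to replace the cached allow-list for `identity` wholesale, a one-line comment above it, e.g. `// Replaces the cached ACL for this identity; a partially parsed policy must not reach here`, would help the next reader.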
@ -132,7 +132,7 @@ impl RuleCache {
|
||||
self.rule_info.insert(identity, (AtomicU64::new(now) , now_sets));
|
||||
}
|
||||
|
||||
fn handle_packet_in(&self, info: FiveTuple) {
|
||||
pub fn touch_packet(&self, info: FiveTuple) {
|
||||
self.session_table.add_session_info(info);
|
||||
}
|
||||
|
||||
|
||||