TUN-6856: Refactor to lay foundation for tracing ICMP

Remove send and return methods from Funnel interface. Users of Funnel can provide their own send and return methods without wrapper to comply with the interface. Move packet router to ingress package to avoid circular dependency
2025-07-27 19:29:57 +00:00 · 2022-10-13 11:01:25 +01:00
parent 225c344ceb
commit 495f9fb8bd
15 changed files with 323 additions and 337 deletions
--- a/packet/funnel.go
+++ b/packet/funnel.go
@@ -16,10 +16,6 @@ var (

 // Funnel is an abstraction to pipe from 1 src to 1 or more destinations
 type Funnel interface {
-	// SendToDst sends a raw packet to a destination
-	SendToDst(dst netip.Addr, pk RawPacket) error
-	// ReturnToSrc returns a raw packet to the source
-	ReturnToSrc(pk RawPacket) error
 	// LastActive returns the last time SendToDst or ReturnToSrc is called
 	LastActive() time.Time
 	// Close closes the funnel. Further call to SendToDst or ReturnToSrc should return an error
@@ -36,73 +32,26 @@ type FunnelUniPipe interface {
 	Close() error
 }

-// RawPacketFunnel is an implementation of Funnel that sends raw packets. It can be embedded in other structs to
-// satisfy the Funnel interface.
-type RawPacketFunnel struct {
-	Src netip.Addr
+type ActivityTracker struct {
 	// last active unix time. Unit is seconds
 	lastActive int64
-	sendPipe   FunnelUniPipe
-	returnPipe FunnelUniPipe
 }

-func NewRawPacketFunnel(src netip.Addr, sendPipe, returnPipe FunnelUniPipe) *RawPacketFunnel {
-	return &RawPacketFunnel{
-		Src:        src,
+func NewActivityTracker() *ActivityTracker {
+	return &ActivityTracker{
 		lastActive: time.Now().Unix(),
-		sendPipe:   sendPipe,
-		returnPipe: returnPipe,
 	}
 }

-func (rpf *RawPacketFunnel) SendToDst(dst netip.Addr, pk RawPacket) error {
-	rpf.updateLastActive()
-	return rpf.sendPipe.SendPacket(dst, pk)
+func (at *ActivityTracker) UpdateLastActive() {
+	atomic.StoreInt64(&at.lastActive, time.Now().Unix())
 }

-func (rpf *RawPacketFunnel) ReturnToSrc(pk RawPacket) error {
-	rpf.updateLastActive()
-	return rpf.returnPipe.SendPacket(rpf.Src, pk)
-}
-
-func (rpf *RawPacketFunnel) updateLastActive() {
-	atomic.StoreInt64(&rpf.lastActive, time.Now().Unix())
-}
-
-func (rpf *RawPacketFunnel) LastActive() time.Time {
-	lastActive := atomic.LoadInt64(&rpf.lastActive)
+func (at *ActivityTracker) LastActive() time.Time {
+	lastActive := atomic.LoadInt64(&at.lastActive)
 	return time.Unix(lastActive, 0)
 }

-func (rpf *RawPacketFunnel) Close() error {
-	sendPipeErr := rpf.sendPipe.Close()
-	returnPipeErr := rpf.returnPipe.Close()
-	if sendPipeErr != nil {
-		return sendPipeErr
-	}
-	if returnPipeErr != nil {
-		return returnPipeErr
-	}
-	return nil
-}
-
-func (rpf *RawPacketFunnel) Equal(other Funnel) bool {
-	otherRawFunnel, ok := other.(*RawPacketFunnel)
-	if !ok {
-		return false
-	}
-	if rpf.Src != otherRawFunnel.Src {
-		return false
-	}
-	if rpf.sendPipe != otherRawFunnel.sendPipe {
-		return false
-	}
-	if rpf.returnPipe != otherRawFunnel.returnPipe {
-		return false
-	}
-	return true
-}
-
 // FunnelID represents a key type that can be used by FunnelTracker
 type FunnelID interface {
 	// Type returns the name of the type that implements the FunnelID
--- a/packet/router.go
+++ b/packet/router.go
@@ -1,108 +0,0 @@
-package packet
-
-import (
-	"context"
-	"net/netip"
-
-	"github.com/rs/zerolog"
-)
-
-// ICMPRouter sends ICMP messages and listens for their responses
-type ICMPRouter interface {
-	// Serve starts listening for responses to the requests until context is done
-	Serve(ctx context.Context) error
-	// Request sends an ICMP message. Implementations should not modify pk after the function returns.
-	Request(pk *ICMP, responder FunnelUniPipe) error
-}
-
-// Upstream of raw packets
-type Upstream interface {
-	// ReceivePacket waits for the next raw packet from upstream
-	ReceivePacket(ctx context.Context) (RawPacket, error)
-}
-
-// Router routes packets between Upstream and ICMPRouter. Currently it rejects all other type of ICMP packets
-type Router struct {
-	upstream               Upstream
-	returnPipe             FunnelUniPipe
-	globalConfig           *GlobalRouterConfig
-	logger                 *zerolog.Logger
-	checkRouterEnabledFunc func() bool
-}
-
-// GlobalRouterConfig is the configuration shared by all instance of Router.
-type GlobalRouterConfig struct {
-	ICMPRouter ICMPRouter
-	IPv4Src    netip.Addr
-	IPv6Src    netip.Addr
-	Zone       string
-}
-
-func NewRouter(globalConfig *GlobalRouterConfig, upstream Upstream, returnPipe FunnelUniPipe, logger *zerolog.Logger, checkRouterEnabledFunc func() bool) *Router {
-	return &Router{
-		upstream:               upstream,
-		returnPipe:             returnPipe,
-		globalConfig:           globalConfig,
-		logger:                 logger,
-		checkRouterEnabledFunc: checkRouterEnabledFunc,
-	}
-}
-
-func (r *Router) Serve(ctx context.Context) error {
-	icmpDecoder := NewICMPDecoder()
-	encoder := NewEncoder()
-	for {
-		rawPacket, err := r.upstream.ReceivePacket(ctx)
-		if err != nil {
-			return err
-		}
-
-		// Drop packets if ICMPRouter wasn't created
-		if r.globalConfig == nil {
-			continue
-		}
-
-		if enabled := r.checkRouterEnabledFunc(); !enabled {
-			continue
-		}
-
-		icmpPacket, err := icmpDecoder.Decode(rawPacket)
-		if err != nil {
-			r.logger.Err(err).Msg("Failed to decode ICMP packet from quic datagram")
-			continue
-		}
-
-		if icmpPacket.TTL <= 1 {
-			if err := r.sendTTLExceedMsg(icmpPacket, rawPacket, encoder); err != nil {
-				r.logger.Err(err).Msg("Failed to return ICMP TTL exceed error")
-			}
-			continue
-		}
-		icmpPacket.TTL--
-
-		if err := r.globalConfig.ICMPRouter.Request(icmpPacket, r.returnPipe); err != nil {
-			r.logger.Err(err).
-				Str("src", icmpPacket.Src.String()).
-				Str("dst", icmpPacket.Dst.String()).
-				Interface("type", icmpPacket.Type).
-				Msg("Failed to send ICMP packet")
-			continue
-		}
-	}
-}
-
-func (r *Router) sendTTLExceedMsg(pk *ICMP, rawPacket RawPacket, encoder *Encoder) error {
-	var srcIP netip.Addr
-	if pk.Dst.Is4() {
-		srcIP = r.globalConfig.IPv4Src
-	} else {
-		srcIP = r.globalConfig.IPv6Src
-	}
-	ttlExceedPacket := NewICMPTTLExceedPacket(pk.IP, rawPacket, srcIP)
-
-	encodedTTLExceed, err := encoder.Encode(ttlExceedPacket)
-	if err != nil {
-		return err
-	}
-	return r.returnPipe.SendPacket(pk.Src, encodedTTLExceed)
-}
--- a/packet/router_test.go
+++ b/packet/router_test.go
@@ -1,223 +0,0 @@
-package packet
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"net/netip"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/google/gopacket/layers"
-	"github.com/rs/zerolog"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/net/icmp"
-	"golang.org/x/net/ipv4"
-	"golang.org/x/net/ipv6"
-)
-
-var (
-	noopLogger   = zerolog.Nop()
-	packetConfig = &GlobalRouterConfig{
-		ICMPRouter: &mockICMPRouter{},
-		IPv4Src:    netip.MustParseAddr("172.16.0.1"),
-		IPv6Src:    netip.MustParseAddr("fd51:2391:523:f4ee::1"),
-	}
-)
-
-func TestRouterReturnTTLExceed(t *testing.T) {
-	upstream := &mockUpstream{
-		source: make(chan RawPacket),
-	}
-	returnPipe := &mockFunnelUniPipe{
-		uniPipe: make(chan RawPacket),
-	}
-	routerEnabled := &routerEnabledChecker{}
-	routerEnabled.set(true)
-	router := NewRouter(packetConfig, upstream, returnPipe, &noopLogger, routerEnabled.isEnabled)
-	ctx, cancel := context.WithCancel(context.Background())
-	routerStopped := make(chan struct{})
-	go func() {
-		router.Serve(ctx)
-		close(routerStopped)
-	}()
-
-	pk := ICMP{
-		IP: &IP{
-			Src:      netip.MustParseAddr("192.168.1.1"),
-			Dst:      netip.MustParseAddr("10.0.0.1"),
-			Protocol: layers.IPProtocolICMPv4,
-			TTL:      1,
-		},
-		Message: &icmp.Message{
-			Type: ipv4.ICMPTypeEcho,
-			Code: 0,
-			Body: &icmp.Echo{
-				ID:   12481,
-				Seq:  8036,
-				Data: []byte("TTL exceed"),
-			},
-		},
-	}
-	assertTTLExceed(t, &pk, router.globalConfig.IPv4Src, upstream, returnPipe)
-	pk = ICMP{
-		IP: &IP{
-			Src:      netip.MustParseAddr("fd51:2391:523:f4ee::1"),
-			Dst:      netip.MustParseAddr("fd51:2391:697:f4ee::2"),
-			Protocol: layers.IPProtocolICMPv6,
-			TTL:      1,
-		},
-		Message: &icmp.Message{
-			Type: ipv6.ICMPTypeEchoRequest,
-			Code: 0,
-			Body: &icmp.Echo{
-				ID:   42583,
-				Seq:  7039,
-				Data: []byte("TTL exceed"),
-			},
-		},
-	}
-	assertTTLExceed(t, &pk, router.globalConfig.IPv6Src, upstream, returnPipe)
-
-	cancel()
-	<-routerStopped
-}
-
-func TestRouterCheckEnabled(t *testing.T) {
-	upstream := &mockUpstream{
-		source: make(chan RawPacket),
-	}
-	returnPipe := &mockFunnelUniPipe{
-		uniPipe: make(chan RawPacket),
-	}
-	routerEnabled := &routerEnabledChecker{}
-	router := NewRouter(packetConfig, upstream, returnPipe, &noopLogger, routerEnabled.isEnabled)
-	ctx, cancel := context.WithCancel(context.Background())
-	routerStopped := make(chan struct{})
-	go func() {
-		router.Serve(ctx)
-		close(routerStopped)
-	}()
-
-	pk := ICMP{
-		IP: &IP{
-			Src:      netip.MustParseAddr("192.168.1.1"),
-			Dst:      netip.MustParseAddr("10.0.0.1"),
-			Protocol: layers.IPProtocolICMPv4,
-			TTL:      1,
-		},
-		Message: &icmp.Message{
-			Type: ipv4.ICMPTypeEcho,
-			Code: 0,
-			Body: &icmp.Echo{
-				ID:   12481,
-				Seq:  8036,
-				Data: []byte(t.Name()),
-			},
-		},
-	}
-
-	// router is disabled
-	require.NoError(t, upstream.send(&pk))
-	select {
-	case <-time.After(time.Millisecond * 10):
-	case <-returnPipe.uniPipe:
-		t.Error("Unexpected reply when router is disabled")
-	}
-	routerEnabled.set(true)
-	// router is enabled, expects reply
-	require.NoError(t, upstream.send(&pk))
-	<-returnPipe.uniPipe
-
-	routerEnabled.set(false)
-	// router is disabled
-	require.NoError(t, upstream.send(&pk))
-	select {
-	case <-time.After(time.Millisecond * 10):
-	case <-returnPipe.uniPipe:
-		t.Error("Unexpected reply when router is disabled")
-	}
-
-	cancel()
-	<-routerStopped
-}
-
-func assertTTLExceed(t *testing.T, originalPacket *ICMP, expectedSrc netip.Addr, upstream *mockUpstream, returnPipe *mockFunnelUniPipe) {
-	encoder := NewEncoder()
-	rawPacket, err := encoder.Encode(originalPacket)
-	require.NoError(t, err)
-	upstream.source <- rawPacket
-
-	resp := <-returnPipe.uniPipe
-	decoder := NewICMPDecoder()
-	decoded, err := decoder.Decode(resp)
-	require.NoError(t, err)
-
-	require.Equal(t, expectedSrc, decoded.Src)
-	require.Equal(t, originalPacket.Src, decoded.Dst)
-	require.Equal(t, originalPacket.Protocol, decoded.Protocol)
-	require.Equal(t, DefaultTTL, decoded.TTL)
-	if originalPacket.Dst.Is4() {
-		require.Equal(t, ipv4.ICMPTypeTimeExceeded, decoded.Type)
-	} else {
-		require.Equal(t, ipv6.ICMPTypeTimeExceeded, decoded.Type)
-	}
-	require.Equal(t, 0, decoded.Code)
-	assertICMPChecksum(t, decoded)
-	timeExceed, ok := decoded.Body.(*icmp.TimeExceeded)
-	require.True(t, ok)
-	require.True(t, bytes.Equal(rawPacket.Data, timeExceed.Data))
-}
-
-type mockUpstream struct {
-	source chan RawPacket
-}
-
-func (ms *mockUpstream) send(pk Packet) error {
-	encoder := NewEncoder()
-	rawPacket, err := encoder.Encode(pk)
-	if err != nil {
-		return err
-	}
-	ms.source <- rawPacket
-	return nil
-}
-
-func (ms *mockUpstream) ReceivePacket(ctx context.Context) (RawPacket, error) {
-	select {
-	case <-ctx.Done():
-		return RawPacket{}, ctx.Err()
-	case pk := <-ms.source:
-		return pk, nil
-	}
-}
-
-type mockICMPRouter struct{}
-
-func (mir mockICMPRouter) Serve(ctx context.Context) error {
-	return fmt.Errorf("Serve not implemented by mockICMPRouter")
-}
-
-func (mir mockICMPRouter) Request(pk *ICMP, responder FunnelUniPipe) error {
-	return fmt.Errorf("Request not implemented by mockICMPRouter")
-}
-
-type routerEnabledChecker struct {
-	enabled uint32
-}
-
-func (rec *routerEnabledChecker) isEnabled() bool {
-	if atomic.LoadUint32(&rec.enabled) == 0 {
-		return false
-	}
-	return true
-}
-
-func (rec *routerEnabledChecker) set(enabled bool) {
-	if enabled {
-		atomic.StoreUint32(&rec.enabled, 1)
-	} else {
-		atomic.StoreUint32(&rec.enabled, 0)
-	}
-}