TUN-9470: Add OriginDialerService to include TCP

Adds an OriginDialerService that takes over the roles of both DialUDP and DialTCP 
towards the origin. This provides the possibility to leverage dialer "middleware"
to inject virtual origins, such as the DNS resolver service.

DNS Resolver service also gains access to the DialTCP operation to service TCP
DNS requests.

Minor refactoring includes changes to remove the needs previously provided by
the warp-routing configuration. This configuration cannot be disabled by cloudflared
so many of the references have been adjusted or removed.

Closes TUN-9470

proxy/proxy.go

@@ -5,11 +5,11 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/netip"
 	"strconv"
 	"time"
 
 	"github.com/pkg/errors"
-	pkgerrors "github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
@@ -35,7 +35,7 @@ const (
 // Proxy represents a means to Proxy between cloudflared and the origin services.
 type Proxy struct {
 	ingressRules ingress.Ingress
-	warpRouting  *ingress.WarpRoutingService
+	originDialer ingress.OriginTCPDialer
 	tags         []pogs.Tag
 	flowLimiter  cfdflow.Limiter
 	log          *zerolog.Logger
@@ -44,21 +44,19 @@ type Proxy struct {
 // NewOriginProxy returns a new instance of the Proxy struct.
 func NewOriginProxy(
 	ingressRules ingress.Ingress,
-	warpRouting ingress.WarpRoutingConfig,
+	originDialer ingress.OriginDialer,
 	tags []pogs.Tag,
 	flowLimiter cfdflow.Limiter,
-	writeTimeout time.Duration,
 	log *zerolog.Logger,
 ) *Proxy {
 	proxy := &Proxy{
 		ingressRules: ingressRules,
+		originDialer: originDialer,
 		tags:         tags,
 		flowLimiter:  flowLimiter,
 		log:          log,
 	}
 
-	proxy.warpRouting = ingress.NewWarpRoutingService(warpRouting, writeTimeout)
-
 	return proxy
 }
 
@@ -146,24 +144,18 @@ func (p *Proxy) ProxyHTTP(
 // ProxyTCP proxies to a TCP connection between the origin service and cloudflared.
 func (p *Proxy) ProxyTCP(
 	ctx context.Context,
-	rwa connection.ReadWriteAcker,
+	conn connection.ReadWriteAcker,
 	req *connection.TCPRequest,
 ) error {
 	incrementTCPRequests()
 	defer decrementTCPConcurrentRequests()
 
-	if p.warpRouting == nil {
-		err := errors.New(`cloudflared received a request from WARP client, but your configuration has disabled ingress from WARP clients. To enable this, set "warp-routing:\n\t enabled: true" in your config.yaml`)
-		p.log.Error().Msg(err.Error())
-		return err
-	}
-
 	logger := newTCPLogger(p.log, req)
 
 	// Try to start a new flow
 	if err := p.flowLimiter.Acquire(management.TCP.String()); err != nil {
 		logger.Warn().Msg("Too many concurrent flows being handled, rejecting tcp proxy")
-		return pkgerrors.Wrap(err, "failed to start tcp flow due to rate limiting")
+		return errors.Wrap(err, "failed to start tcp flow due to rate limiting")
 	}
 	defer p.flowLimiter.Release()
 
@@ -173,7 +165,14 @@ func (p *Proxy) ProxyTCP(
 	tracedCtx := tracing.NewTracedContext(serveCtx, req.CfTraceID, &logger)
 	logger.Debug().Msg("tcp proxy stream started")
 
-	if err := p.proxyStream(tracedCtx, rwa, req.Dest, p.warpRouting.Proxy, &logger); err != nil {
+	// Parse the destination into a netip.AddrPort
+	dest, err := netip.ParseAddrPort(req.Dest)
+	if err != nil {
+		logRequestError(&logger, err)
+		return err
+	}
+
+	if err := p.proxyTCPStream(tracedCtx, conn, dest, p.originDialer, &logger); err != nil {
 		logRequestError(&logger, err)
 		return err
 	}
@@ -279,14 +278,14 @@ func (p *Proxy) proxyStream(
 	tr *tracing.TracedContext,
 	rwa connection.ReadWriteAcker,
 	dest string,
-	connectionProxy ingress.StreamBasedOriginProxy,
+	originDialer ingress.StreamBasedOriginProxy,
 	logger *zerolog.Logger,
 ) error {
 	ctx := tr.Context
 	_, connectSpan := tr.Tracer().Start(ctx, "stream-connect")
 
 	start := time.Now()
-	originConn, err := connectionProxy.EstablishConnection(ctx, dest, logger)
+	originConn, err := originDialer.EstablishConnection(ctx, dest, logger)
 	if err != nil {
 		connectStreamErrors.Inc()
 		tracing.EndWithErrorStatus(connectSpan, err)
@@ -310,6 +309,45 @@ func (p *Proxy) proxyStream(
 	return nil
 }
 
+// proxyTCPStream proxies private network type TCP connections as a stream towards an available origin.
+//
+// This is different than proxyStream because it's not leveraged ingress rule services and uses the
+// originDialer from OriginDialerService.
+func (p *Proxy) proxyTCPStream(
+	tr *tracing.TracedContext,
+	tunnelConn connection.ReadWriteAcker,
+	dest netip.AddrPort,
+	originDialer ingress.OriginTCPDialer,
+	logger *zerolog.Logger,
+) error {
+	ctx := tr.Context
+	_, connectSpan := tr.Tracer().Start(ctx, "stream-connect")
+
+	start := time.Now()
+	originConn, err := originDialer.DialTCP(ctx, dest)
+	if err != nil {
+		connectStreamErrors.Inc()
+		tracing.EndWithErrorStatus(connectSpan, err)
+		return err
+	}
+	connectSpan.End()
+	defer originConn.Close()
+	logger.Debug().Msg("origin connection established")
+
+	encodedSpans := tr.GetSpans()
+
+	if err := tunnelConn.AckConnection(encodedSpans); err != nil {
+		connectStreamErrors.Inc()
+		return err
+	}
+
+	connectLatency.Observe(float64(time.Since(start).Milliseconds()))
+	logger.Debug().Msg("proxy stream acknowledged")
+
+	stream.Pipe(tunnelConn, originConn, logger)
+	return nil
+}
+
 func (p *Proxy) proxyLocalRequest(proxy ingress.HTTPLocalProxy, w connection.ResponseWriter, req *http.Request, isWebsocket bool) {
 	if isWebsocket {
 		// These headers are added since they are stripped off during an eyeball request to origintunneld, but they