diff --git a/easytier/src/easytier-core.rs b/easytier/src/easytier-core.rs
index deb9c326..5fc091ed 100644
--- a/easytier/src/easytier-core.rs
+++ b/easytier/src/easytier-core.rs
@@ -271,8 +271,6 @@ impl Cli {
 }
 }
- println!("parsed listeners: {:?}", listeners);
-
 listeners
 }
diff --git a/easytier/src/gateway/icmp_proxy.rs b/easytier/src/gateway/icmp_proxy.rs
index cb75c759..8d35131c 100644
--- a/easytier/src/gateway/icmp_proxy.rs
+++ b/easytier/src/gateway/icmp_proxy.rs
@@ -145,6 +145,7 @@ fn socket_recv_loop(socket: Socket, nat_table: IcmpNatTable, sender: UnboundedSe
 v.src_peer_id.into(),
 PacketType::Data as u8,
 );
+ p.mut_peer_manager_header().unwrap().set_no_proxy(true);
 if let Err(e) = sender.send(p) {
 tracing::error!("send icmp packet to peer failed: {:?}, may exiting..", e);
@@ -343,7 +344,7 @@ impl IcmpProxy {
 let hdr = packet.peer_manager_header().unwrap();
 let is_exit_node = hdr.is_exit_node();
- if hdr.packet_type != PacketType::Data as u8 {
+ if hdr.packet_type != PacketType::Data as u8 || hdr.is_no_proxy() {
 return None;
 };
@@ -376,9 +377,9 @@ impl IcmpProxy {
 };
 if icmp_packet.get_icmp_type() != IcmpTypes::EchoRequest {
- // drop it because we do not support other icmp types
+ // if it's other icmp type, just ignore it. may forwarding network to network replay packet.
 tracing::trace!("unsupported icmp type: {:?}", icmp_packet.get_icmp_type());
- return Some(());
+ return None;
 }
 if self.global_ctx.no_tun() && Some(ipv4.get_destination()) == self.global_ctx.get_ipv4() {
diff --git a/easytier/src/gateway/tcp_proxy.rs b/easytier/src/gateway/tcp_proxy.rs
index 8925bf1b..8ad00808 100644
--- a/easytier/src/gateway/tcp_proxy.rs
+++ b/easytier/src/gateway/tcp_proxy.rs
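Review bot: The new `set_no_proxy(true)` on the outgoing reply packet is a bare flag flip with nothing saying why it is needed, and the same unexplained line is added in tcp_proxy.rs at @@ -217 and udp_proxy.rs at @@ -117. A comment such as `// mark as a proxy reply so the proxies on relaying nodes leave it alone (see PeerManagerHeader::is_no_proxy)` at each site would tie the three to the gate they exist for. In the udp_proxy.rs copy, the error log on the following context line still says `send icmp packet to peer failed` although that is the UDP send path. socket_recv_loop continues outside the hunk on both sides.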
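Review bot: `hdr.is_no_proxy()` in the new condition is read from the peer-manager header exactly as the packet arrived from the remote peer, so the bit is peer-controlled: a peer can opt its traffic out of ICMP proxying on this node, and the identical gate added in tcp_proxy.rs (@@ -557) and udp_proxy.rs (@@ -219) does the same for TCP and UDP. That is presumably harmless because `return None` only passes the packet on unmodified, but the assumption should be written down at the gate, e.g. `// NO_PROXY is set by the sending side and is not validated; skipping here only means "do not NAT", so the fall-through path must be safe for un-NATed packets.` The enclosing function starts and ends outside the hunk.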
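Review bot: The rewritten comment and the trace line no longer match what the code does: `return None` hands every non-echo-request ICMP packet to the next stage instead of dropping it, yet the trace still reports `unsupported icmp type`. Suggest `// Not an echo request: do not proxy it, let it fall through (it may be a reply being forwarded network-to-network).` together with `tracing::trace!("non echo-request icmp, passing through: {:?}", icmp_packet.get_icmp_type());`. Since this also changes what this node lets through for every peer (replies, unreachables and redirects now pass where they were dropped, as far as the hunk shows), that behavioural change deserves a sentence in the commit description. The enclosing function starts and ends outside the hunk.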
@@ -217,6 +217,11 @@ impl NicPacketFilter for TcpProxy {
 panic!("v4 nat entry src ip is not v4");
 };
+ zc_packet
+ .mut_peer_manager_header()
+ .unwrap()
+ .set_no_proxy(true);
+
 let mut ip_packet = MutableIpv4Packet::new(zc_packet.mut_payload()).unwrap();
 ip_packet.set_source(ip);
 let dst = ip_packet.get_destination();
@@ -557,7 +562,7 @@ impl TcpProxy {
 let hdr = packet.peer_manager_header().unwrap();
 let is_exit_node = hdr.is_exit_node();
- if hdr.packet_type != PacketType::Data as u8 {
+ if hdr.packet_type != PacketType::Data as u8 || hdr.is_no_proxy() {
 return None;
 };
@@ -581,12 +586,13 @@ impl TcpProxy {
 let ip_packet = Ipv4Packet::new(payload_bytes).unwrap();
 let tcp_packet = TcpPacket::new(ip_packet.payload()).unwrap();
- let is_tcp_syn = tcp_packet.get_flags() & pnet::packet::tcp::TcpFlags::SYN != 0;
- if is_tcp_syn {
- let source_ip = ip_packet.get_source();
- let source_port = tcp_packet.get_source();
- let src = SocketAddr::V4(SocketAddrV4::new(source_ip, source_port));
+ let source_ip = ip_packet.get_source();
+ let source_port = tcp_packet.get_source();
+ let src = SocketAddr::V4(SocketAddrV4::new(source_ip, source_port));
+ let is_tcp_syn = tcp_packet.get_flags() & pnet::packet::tcp::TcpFlags::SYN != 0;
+ let is_tcp_ack = tcp_packet.get_flags() & pnet::packet::tcp::TcpFlags::ACK != 0;
+ if is_tcp_syn && !is_tcp_ack {
 let dest_ip = ip_packet.get_destination();
 let dest_port = tcp_packet.get_destination();
 let dst = SocketAddr::V4(SocketAddrV4::new(dest_ip, dest_port));
@@ -595,6 +601,9 @@ impl TcpProxy {
 .syn_map
 .insert(src, Arc::new(NatDstEntry::new(src, dst)));
 tracing::info!(src = ?src, dst = ?dst, old_entry = ?old_val, "tcp syn received");
+ } else if !self.addr_conn_map.contains_key(&src) && !self.syn_map.contains_key(&src) {
+ // if not in syn map and addr conn map, may forwarding n2n packet
+ return None;
 }
 let mut ip_packet = MutableIpv4Packet::new(payload_bytes).unwrap();
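Review bot: The new pass-through branch at @@ -595 (`else if !self.addr_conn_map.contains_key(&src) && !self.syn_map.contains_key(&src)`) is the first place this proxy deliberately lets a TCP packet go by untouched, and its comment `// if not in syn map and addr conn map, may forwarding n2n packet` does not say what qualifies a flow as ours; suggest `// Neither a fresh SYN nor a flow we already track: do not NAT it, it may be a network-to-network packet being relayed.` The companion change at @@ -581, `if is_tcp_syn && !is_tcp_ack`, quietly stops a SYN-ACK from creating a syn_map entry, which the old code allowed; if that is intended, `// only a bare SYN opens a NAT entry; a SYN-ACK belongs to an existing or foreign flow` would keep a later reader from restoring it. Both map lookups now run for every non-SYN packet since `src` is built unconditionally, which looks acceptable but is new per-packet work on the hot path. The enclosing function starts and ends outside both hunks.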
diff --git a/easytier/src/gateway/udp_proxy.rs b/easytier/src/gateway/udp_proxy.rs
index 9ef75adb..25812a76 100644
--- a/easytier/src/gateway/udp_proxy.rs
+++ b/easytier/src/gateway/udp_proxy.rs
@@ -117,6 +117,7 @@ impl UdpNatEntry {
 |buf| {
 let mut p = ZCPacket::new_with_payload(buf);
 p.fill_peer_manager_hdr(self.my_peer_id, self.src_peer_id, PacketType::Data as u8);
+ p.mut_peer_manager_header().unwrap().set_no_proxy(true);
 if let Err(e) = packet_sender.send(p) {
 tracing::error!("send icmp packet to peer failed: {:?}, may exiting..", e);
@@ -219,7 +220,7 @@ impl UdpProxy {
 let _ = self.global_ctx.get_ipv4()?;
 let hdr = packet.peer_manager_header().unwrap();
 let is_exit_node = hdr.is_exit_node();
- if hdr.packet_type != PacketType::Data as u8 {
+ if hdr.packet_type != PacketType::Data as u8 || hdr.is_no_proxy() {
 return None;
 };
diff --git a/easytier/src/instance/virtual_nic.rs b/easytier/src/instance/virtual_nic.rs
index dfbff30c..d3666359 100644
--- a/easytier/src/instance/virtual_nic.rs
+++ b/easytier/src/instance/virtual_nic.rs
@@ -629,8 +629,6 @@ impl NicCtx {
 proxy_cidrs = routes;
 }
- println!("proxy_cidrs: {:?}", proxy_cidrs);
-
 // if route is in cur_proxy_cidrs but not in proxy_cidrs, delete it.
 for cidr in cur_proxy_cidrs.iter() {
 if proxy_cidrs.contains(cidr) {
diff --git a/easytier/src/tunnel/packet_def.rs b/easytier/src/tunnel/packet_def.rs
index 53c15c07..0018ab8e 100644
--- a/easytier/src/tunnel/packet_def.rs
+++ b/easytier/src/tunnel/packet_def.rs
@@ -61,6 +61,7 @@ bitflags::bitflags! {
 const ENCRYPTED = 0b0000_0001;
 const LATENCY_FIRST = 0b0000_0010;
 const EXIT_NODE = 0b0000_0100;
+ const NO_PROXY = 0b0000_1000;
 const _ = !0;
 }
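Review bot: `NO_PROXY` is a bit on the wire header and gets no doc comment saying who sets it or what a receiver does with it; suggest `/// Set by a proxy on traffic it has already handled (NAT replies) so the proxies on relaying nodes pass the packet through untouched.` It is also worth noting next to it that, because `const _ = !0;` keeps every bit pattern valid, a peer running the previous version still parses headers carrying this bit and, having no check for it, presumably proxies such packets as before, so a mixed-version mesh loses only the new behaviour rather than connectivity. The bitflags block continues outside the hunk.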
@@ -108,6 +109,12 @@ impl PeerManagerHeader {
 .contains(PeerManagerHeaderFlags::EXIT_NODE)
 }
+ pub fn is_no_proxy(&self) -> bool {
+ PeerManagerHeaderFlags::from_bits(self.flags)
+ .unwrap()
+ .contains(PeerManagerHeaderFlags::NO_PROXY)
+ }
+
 pub fn set_latency_first(&mut self, latency_first: bool) -> &mut Self {
 let mut flags = PeerManagerHeaderFlags::from_bits(self.flags).unwrap();
 if latency_first {
@@ -129,6 +136,17 @@ impl PeerManagerHeader {
 self.flags = flags.bits();
 self
 }
+
+ pub fn set_no_proxy(&mut self, no_proxy: bool) -> &mut Self {
+ let mut flags = PeerManagerHeaderFlags::from_bits(self.flags).unwrap();
+ if no_proxy {
+ flags.insert(PeerManagerHeaderFlags::NO_PROXY);
+ } else {
+ flags.remove(PeerManagerHeaderFlags::NO_PROXY);
+ }
+ self.flags = flags.bits();
+ self
+ }
 }
 // reserve the space for aes tag and nonce
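Review bot: `is_no_proxy` (here) and `set_no_proxy` (@@ -129) are public, undocumented, and both `unwrap()` the result of `PeerManagerHeaderFlags::from_bits(self.flags)` on a byte that came off the network. The unwrap cannot fire only because the flag set declares `const _ = !0;`, which makes every bit pattern valid; that invariant is not visible here, so either state it once (`// every bit pattern is valid because of const _ = !0, so from_bits never fails`) or use `PeerManagerHeaderFlags::from_bits_retain(self.flags)`, which needs no unwrap. In `set_no_proxy` the if/else can be the single line `flags.set(PeerManagerHeaderFlags::NO_PROXY, no_proxy);`. A `///` summary such as `/// Whether the sender marked this packet as already proxied (NO_PROXY), so local proxies should pass it through.` on the getter, and a matching one on the setter, would complete the pair.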