Compare commits
137 Commits
v0.2.1
...
dependabot
Author | SHA1 | Date | |
---|---|---|---|
|
33384e4758 | ||
|
7f7da10b1b | ||
|
9d74a6bfeb | ||
|
9bdfd76819 | ||
|
d1c18c64f3 | ||
|
b42ed82147 | ||
|
7c3864a3ed | ||
|
6a39e9e9d0 | ||
|
cedee0c699 | ||
|
d969f0cc5d | ||
|
19c9f2d9f2 | ||
|
1252affdad | ||
|
141c3477f9 | ||
|
d8dd3e65d1 | ||
|
66de44e32f | ||
|
2a37a2fc92 | ||
|
f5aac38969 | ||
|
118f20f74f | ||
|
6a424fd43c | ||
|
869c79422f | ||
|
201da45ee8 | ||
|
333c6dd059 | ||
|
62f0278c1a | ||
|
f436325d23 | ||
|
028a32d197 | ||
|
e452e40edd | ||
|
253ce54554 | ||
|
34d2350d1c | ||
|
6955a1eb4c | ||
|
e86c5c5c50 | ||
|
60f24d2563 | ||
|
8c7f4e98b3 | ||
|
90b93370ce | ||
|
792ee46ec4 | ||
|
f5cb4b1220 | ||
|
8a0ec729e2 | ||
|
78dd7c13b1 | ||
|
b58d58956b | ||
|
310bb17516 | ||
|
632132b75a | ||
|
48a0399f59 | ||
|
590a048b5b | ||
|
3fa8f86379 | ||
|
805bf80cd8 | ||
|
aec3bcdeda | ||
|
9b1d3c0124 | ||
|
6c42f02b28 | ||
|
ee0bce0a96 | ||
|
1f11d618e0 | ||
|
d7913c1407 | ||
|
ee7ee5d5f9 | ||
|
af3a9061a1 | ||
|
7c98012a67 | ||
|
b674268863 | ||
|
b40ca10cc1 | ||
|
30f0a1118b | ||
|
fd607bc72a | ||
|
939e4aa94e | ||
|
7bcfada87b | ||
|
fe18a49d40 | ||
|
b707c5bd12 | ||
|
6af7757456 | ||
|
f374ac8081 | ||
|
50346c1ba0 | ||
|
f649c79656 | ||
|
c91bda7e6a | ||
|
00a308a005 | ||
|
9ff691d063 | ||
|
b5e79653f0 | ||
|
f496a7919b | ||
|
bf6b9bc2ff | ||
|
47b9037968 | ||
|
c2341b6662 | ||
|
a3eff42453 | ||
|
87a42a1e23 | ||
|
851750b13d | ||
|
b89b683bb2 | ||
|
838cfa6738 | ||
|
827530f62c | ||
|
245cb9c7f4 | ||
|
85555f2a34 | ||
|
74183071f1 | ||
|
2f4eaafccd | ||
|
1e3b632413 | ||
|
99bff568f6 | ||
|
91ad2c03a1 | ||
|
581d80d08c | ||
|
55da4d6a62 | ||
|
bb859be6b6 | ||
|
8d315ea4e7 | ||
|
21eabe8b82 | ||
|
8a74b31c6e | ||
|
ca14ba457f | ||
|
33a0cfe567 | ||
|
95dfd8ab54 | ||
|
1c35635091 | ||
|
b8a6c8853b | ||
|
d97a27778b | ||
|
35f7b35ff5 | ||
|
dff0c4ca28 | ||
|
9bf78adc92 | ||
|
5d4e3bf8c0 | ||
|
9c85b43e94 | ||
|
66b0bc11b0 | ||
|
02b00dfc3a | ||
|
0ee7774d03 | ||
|
11fdac78f1 | ||
|
ed686ce9fa | ||
|
d9001b08aa | ||
|
726ecac9cf | ||
|
2ef0a056be | ||
|
cb9dd3e931 | ||
|
7db7164193 | ||
|
def134d73b | ||
|
b3c781cdc5 | ||
|
d5e30c113f | ||
|
e2a9194f6f | ||
|
d0eaefe5d0 | ||
|
299646a54f | ||
|
8b28cdc6c2 | ||
|
a8ad203754 | ||
|
33e510e7ba | ||
|
521a3f1a01 | ||
|
c5a5116808 | ||
|
e8f2457cb5 | ||
|
583cdbe300 | ||
|
91988520e5 | ||
|
49cc6a6865 | ||
|
7390d4bf27 | ||
|
95e762f5fd | ||
|
c9043015f2 | ||
|
494abf37c5 | ||
|
cab87bd75b | ||
|
042f5af49f | ||
|
f667f56747 | ||
|
49665b906f | ||
|
e9cde27923 |
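--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,15 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Operating system**
+
+**`tcpdump` between the server and client on Phantun's port**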
12
.github/dependabot.yml
@@ -0,0 +1,12 @@
|
|||||||
|
version: 2
|
||||||
|
updates:
|
||||||
|
|
||||||
|
- package-ecosystem: "github-actions"
|
||||||
|
directory: "/"
|
||||||
|
schedule:
|
||||||
|
interval: "daily"
|
||||||
|
|
||||||
|
- package-ecosystem: "cargo"
|
||||||
|
directory: "/"
|
||||||
|
schedule:
|
||||||
|
interval: "daily"
|
30
.github/workflows/docker.yml
@@ -0,0 +1,30 @@
|
|||||||
|
name: Docker image build
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
paths-ignore:
|
||||||
|
- '**.md'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
runs-on: ubuntu-22.04
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v5
|
||||||
|
|
||||||
|
- name: Setup QEMU
|
||||||
|
uses: docker/setup-qemu-action@v3
|
||||||
|
with:
|
||||||
|
platforms: linux/amd64
|
||||||
|
|
||||||
|
- name: Setup Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
|
- name: Build Docker Image
|
||||||
|
uses: docker/build-push-action@v6
|
||||||
|
with:
|
||||||
|
context: .
|
||||||
|
file: docker/Dockerfile
|
||||||
|
tags: phantun
|
||||||
|
platforms: linux/amd64
|
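Review bot: The workflow declares no `permissions:` block, so the `build` job's GITHUB_TOKEN receives the repository's default permissions although nothing in the job needs more than read access to the checkout; adding `permissions:` / `  contents: read` at the top level applies least privilege. The four action references (`actions/checkout@v5`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`) are mutable major-version tags; pinning each to a full commit SHA with the tag kept in a trailing comment makes the build reproducible, and the `github-actions` Dependabot entry added in this same change will then keep the pins current. `on: push` with only `paths-ignore:` triggers the image build on every push to every branch, which may be intended for a build-only check but deserves a one-line comment saying so. The QEMU step registers only `linux/amd64`, which the `ubuntu-22.04` runner already executes natively, so that step could be dropped or its platform list widened.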
46
.github/workflows/release.yml
@@ -25,13 +25,9 @@ jobs:
|
|||||||
- arm-unknown-linux-musleabihf
|
- arm-unknown-linux-musleabihf
|
||||||
- aarch64-unknown-linux-gnu
|
- aarch64-unknown-linux-gnu
|
||||||
- aarch64-unknown-linux-musl
|
- aarch64-unknown-linux-musl
|
||||||
- mips-unknown-linux-gnu
|
|
||||||
- mips-unknown-linux-musl
|
|
||||||
- mipsel-unknown-linux-gnu
|
|
||||||
- mipsel-unknown-linux-musl
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v5
|
||||||
- uses: actions-rs/toolchain@v1
|
- uses: actions-rs/toolchain@v1
|
||||||
with:
|
with:
|
||||||
toolchain: stable
|
toolchain: stable
|
||||||
@@ -50,7 +46,45 @@ jobs:
|
|||||||
zip phantun_${{ matrix.target }}.zip phantun_client phantun_server
|
zip phantun_${{ matrix.target }}.zip phantun_client phantun_server
|
||||||
|
|
||||||
- name: Upload Github Assets
|
- name: Upload Github Assets
|
||||||
uses: softprops/action-gh-release@v1
|
uses: softprops/action-gh-release@v2
|
||||||
with:
|
with:
|
||||||
files: target/${{ matrix.target }}/release/*.zip
|
files: target/${{ matrix.target }}/release/*.zip
|
||||||
prerelease: ${{ contains(github.ref, '-') }}
|
prerelease: ${{ contains(github.ref, '-') }}
|
||||||
|
update_existing: true
|
||||||
|
|
||||||
|
build-mips-nightly:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
RUST_BACKTRACE: full
|
||||||
|
strategy:
|
||||||
|
matrix:
|
||||||
|
target:
|
||||||
|
- mips-unknown-linux-musl
|
||||||
|
- mips64-unknown-linux-muslabi64
|
||||||
|
- mipsel-unknown-linux-musl
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v5
|
||||||
|
- uses: actions-rs/toolchain@v1
|
||||||
|
with:
|
||||||
|
toolchain: nightly
|
||||||
|
override: true
|
||||||
|
components: rust-src
|
||||||
|
- uses: actions-rs/cargo@v1
|
||||||
|
with:
|
||||||
|
use-cross: true
|
||||||
|
command: build
|
||||||
|
args: --release --target ${{ matrix.target }} -Z build-std
|
||||||
|
- name: Rename artifacts and compress
|
||||||
|
run: |
|
||||||
|
cd target/${{ matrix.target }}/release
|
||||||
|
mv client phantun_client
|
||||||
|
mv server phantun_server
|
||||||
|
zip phantun_${{ matrix.target }}_nightly.zip phantun_client phantun_server
|
||||||
|
|
||||||
|
- name: Upload Github Assets
|
||||||
|
uses: softprops/action-gh-release@v2
|
||||||
|
with:
|
||||||
|
files: target/${{ matrix.target }}/release/*.zip
|
||||||
|
prerelease: ${{ contains(github.ref, '-') }}
|
||||||
|
update_existing: true
|
||||||
|
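Review bot: `update_existing: true`, added under both `softprops/action-gh-release@v2` steps, does not match any input I can find for that action; GitHub only logs an "Unexpected input" warning for an unknown `with:` key and the step otherwise runs unchanged, so confirm the key against the v2 README or remove it. The new `build-mips-nightly` job, the job above it, and the `rust.yml` section later in this change all depend on `actions-rs/toolchain@v1` and `actions-rs/cargo@v1`, whose upstream repositories are archived and no longer receive fixes; a `run: rustup toolchain install nightly --component rust-src` step followed by a direct `cross` invocation would remove that dependency. Uploading release assets requires `contents: write` on the job token, and the workflow's `on:`/`permissions:` header lies outside this section, so I could not verify it is granted. Since the README in this same change describes MIPS builds as best-effort on a Tier 3 nightly target, `continue-on-error: true` on `build-mips-nightly` would keep a nightly breakage from failing the release run for the stable targets.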
5
.github/workflows/rust.yml
@@ -11,7 +11,10 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v5
|
||||||
|
- uses: actions-rs/toolchain@v1
|
||||||
|
with:
|
||||||
|
toolchain: stable
|
||||||
- name: Run lint
|
- name: Run lint
|
||||||
run: cargo clippy --verbose
|
run: cargo clippy --verbose
|
||||||
- name: Build
|
- name: Build
|
||||||
|
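Review bot: The added `actions-rs/toolchain@v1` step pulls a third-party action to install a stable toolchain that GitHub-hosted `ubuntu-latest` runners already ship; a plain `run: rustup update stable` step gives the same result with one fewer external dependency. Separately, the unchanged `cargo clippy --verbose` line in this hunk never fails the job on lint findings, so the "Run lint" step is informational only; `run: cargo clippy --verbose -- -D warnings` would make it enforce them. The enclosing job continues past the end of the hunk.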
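--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 /target
-Cargo.lock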
1301
Cargo.lock
@@ -1,6 +1,11 @@
|
|||||||
[workspace]
|
[workspace]
|
||||||
|
resolver = "3"
|
||||||
|
|
||||||
members = [
|
members = [
|
||||||
"fake-tcp",
|
"fake-tcp",
|
||||||
"phantun",
|
"phantun",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
[workspace.dependencies]
|
||||||
|
tokio = { version = "1", features = ["full"] }
|
||||||
|
log = "0"
|
||||||
|
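Review bot: `log = "0"` in the new `[workspace.dependencies]` table accepts any `0.x` release, and for pre-1.0 crates each minor bump may be semver-breaking, so a fresh `cargo update` can pull an incompatible `log` into every workspace member; `log = "0.4"` keeps the compatible series while still allowing patch updates. `resolver = "3"` is only understood by recent cargo releases, which raises the workspace's minimum supported Rust version; recording that with `rust-version` in the member crates, or in the README, would make the requirement visible to packagers. This hunk is rendered without its file header, so the manifest path is inferred from the `[workspace]` content.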
@@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work.
|
|||||||
same "printed page" as the copyright notice for easier
|
same "printed page" as the copyright notice for easier
|
||||||
identification within third-party archives.
|
identification within third-party archives.
|
||||||
|
|
||||||
Copyright 2014-2021 The Rust Project Developers
|
Copyright 2021-2024 Datong Sun (dndx@idndx.com)
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
MIT License
|
MIT License
|
||||||
|
|
||||||
Copyright (c) 2014-2021 The Rust Project Developers
|
Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com)
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any
|
Permission is hereby granted, free of charge, to any
|
||||||
person obtaining a copy of this software and associated
|
person obtaining a copy of this software and associated
|
||||||
|
164
README.md
@@ -2,8 +2,10 @@
|
|||||||
|
|
||||||
A lightweight and fast UDP to TCP obfuscator.
|
A lightweight and fast UDP to TCP obfuscator.
|
||||||
|
|
||||||
Table of Contents
|

|
||||||
=================
|

|
||||||
|
|
||||||
|
# Table of Contents
|
||||||
|
|
||||||
* [Phantun](#phantun)
|
* [Phantun](#phantun)
|
||||||
* [Latest release](#latest-release)
|
* [Latest release](#latest-release)
|
||||||
@@ -24,6 +26,7 @@ Table of Contents
|
|||||||
* [MTU overhead](#mtu-overhead)
|
* [MTU overhead](#mtu-overhead)
|
||||||
* [MTU calculation for WireGuard](#mtu-calculation-for-wireguard)
|
* [MTU calculation for WireGuard](#mtu-calculation-for-wireguard)
|
||||||
* [Version compatibility](#version-compatibility)
|
* [Version compatibility](#version-compatibility)
|
||||||
|
* [Documentations](#documentations)
|
||||||
* [Performance](#performance)
|
* [Performance](#performance)
|
||||||
* [Future plans](#future-plans)
|
* [Future plans](#future-plans)
|
||||||
* [Compariation to udp2raw](#compariation-to-udp2raw)
|
* [Compariation to udp2raw](#compariation-to-udp2raw)
|
||||||
@@ -31,16 +34,23 @@ Table of Contents
|
|||||||
|
|
||||||
# Latest release
|
# Latest release
|
||||||
|
|
||||||
[v0.2.1](https://github.com/dndx/phantun/releases/tag/v0.2.1)
|
[v0.8.1](https://github.com/dndx/phantun/releases/tag/v0.8.1)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>MIPS architecture support for Phantun</summary>
|
||||||
|
|
||||||
|
[Rust only provides Tier 3 supports for MIPS based platforms](https://github.com/rust-lang/compiler-team/issues/648)
|
||||||
|
since 2023. Phantun's MIPS build are therefore built using nightly Rust toolchain and provided on a best effort basis only.
|
||||||
|
</details>
|
||||||
|
|
||||||
# Overview
|
# Overview
|
||||||
|
|
||||||
Phanton is a project that obfuscated UDP packets into TCP connections. It aims to
|
Phantun is a project that obfuscated UDP packets into TCP connections. It aims to
|
||||||
achieve maximum performance with minimum processing and encapsulation overhead.
|
achieve maximum performance with minimum processing and encapsulation overhead.
|
||||||
|
|
||||||
It is commonly used in environments where UDP is blocked/throttled but TCP is allowed through.
|
It is commonly used in environments where UDP is blocked/throttled but TCP is allowed through.
|
||||||
|
|
||||||
Phanton simply converts a stream of UDP packets into obfuscated TCP stream packets. The TCP stack
|
Phantun simply converts a stream of UDP packets into obfuscated TCP stream packets. The TCP stack
|
||||||
used by Phantun is designed to pass through most L3/L4 stateful/stateless firewalls/NAT
|
used by Phantun is designed to pass through most L3/L4 stateful/stateless firewalls/NAT
|
||||||
devices. It will **not** be able to pass through L7 proxies.
|
devices. It will **not** be able to pass through L7 proxies.
|
||||||
However, the advantage of this approach is that none of the common UDP over TCP performance killer
|
However, the advantage of this approach is that none of the common UDP over TCP performance killer
|
||||||
@@ -51,6 +61,11 @@ connection from the perspective of firewalls/NAT devices.
|
|||||||
Phantun means Phantom TUN, as it is an obfuscator for UDP traffic that does just enough work
|
Phantun means Phantom TUN, as it is an obfuscator for UDP traffic that does just enough work
|
||||||
to make it pass through stateful firewall/NATs as TCP packets.
|
to make it pass through stateful firewall/NATs as TCP packets.
|
||||||
|
|
||||||
|
Phantun is written in 100% safe Rust. It has been optimized extensively to scale well on multi-core
|
||||||
|
systems and has no issue saturating all available CPU resources on a fast connection.
|
||||||
|
See the [Performance](#performance) section for benchmarking results.
|
||||||
|
|
||||||
|

|
||||||

|

|
||||||
|
|
||||||
# Usage
|
# Usage
|
||||||
@@ -63,33 +78,45 @@ It is also assumed that **Phantun Client** listens for incoming UDP packets at
|
|||||||
`127.0.0.1:1234` (the `--local` option for client) and connects to Phantun Server at `10.0.0.1:4567`
|
`127.0.0.1:1234` (the `--local` option for client) and connects to Phantun Server at `10.0.0.1:4567`
|
||||||
(the `--remote` option for client).
|
(the `--remote` option for client).
|
||||||
|
|
||||||
Phantun creates TUN interface for both the Client and Server. For Client, Phantun assigns itself the IP address
|
Phantun creates TUN interface for both the Client and Server. For **Client**, Phantun assigns itself the IP address
|
||||||
`192.168.200.2` by default and for Server, it assigns `192.168.201.2` by default. Therefore, your Kernel must have
|
`192.168.200.2` and `fcc8::2` by default.
|
||||||
`net.ipv4.ip_forward` enabled and setup appropriate iptables rules for NAT between your physical
|
For **Server**, it assigns `192.168.201.2` and `fcc9::2` by default. Therefore, your Kernel must have
|
||||||
NIC address and Phantun's TUN interface address.
|
IPv4/IPv6 forwarding enabled and setup appropriate iptables/nftables rules for NAT between your physical
|
||||||
|
NIC address and Phantun's Tun interface address.
|
||||||
|
|
||||||
You may customize the name of Tun interface created by Phantun and the assigned addresses. Please
|
You may customize the name of Tun interface created by Phantun and the assigned addresses. Please
|
||||||
run the executable with `-h` options to see how to change them.
|
run the executable with `-h` options to see how to change them.
|
||||||
|
|
||||||
Another way to help understand this network topology:
|
Another way to help understand this network topology (please see the diagram above for an illustration of this topology):
|
||||||
|
|
||||||
Phantun Client is like a machine with private IP address (`192.168.200.2`) behind a router.
|
Phantun Client is like a machine with private IP address (`192.168.200.2`/`fcc8::2`) behind a router.
|
||||||
In order for it to reach the Internet, you will need to SNAT the private IP address before it's traffic
|
In order for it to reach the Internet, you will need to SNAT the private IP address before it's traffic
|
||||||
leaves the NIC.
|
leaves the NIC.
|
||||||
|
|
||||||
Phantun Server is like a server with private IP address (`192.168.201.2`) behind a router.
|
Phantun Server is like a server with private IP address (`192.168.201.2`/`fcc9::2`) behind a router.
|
||||||
In order to access it from the Internet, you need to `DNAT` it's listening port on the router
|
In order to access it from the Internet, you need to `DNAT` it's listening port on the router
|
||||||
and change the destination IP address to where the server is listening for incoming connections.
|
and change the destination IP address to where the server is listening for incoming connections.
|
||||||
|
|
||||||
In those cases, the machine/iptables running Phantun acts as the "router" that allows Phantun
|
In those cases, the machine/iptables running Phantun acts as the "router" that allows Phantun
|
||||||
to communicate with outside using it's private IP addresses.
|
to communicate with outside using it's private IP addresses.
|
||||||
|
|
||||||
|
As of Phantun v0.4.1, IPv6 is fully supported for both TCP and UDP sides.
|
||||||
|
To specify an IPv6 address, use the following format: `[::1]:1234` with
|
||||||
|
the command line options. Resolving AAAA record is also supported. Please run the program
|
||||||
|
with `-h` to see detailed options on how to control the IPv6 behavior.
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
## 1. Enable Kernel IP forwarding
|
## 1. Enable Kernel IP forwarding
|
||||||
|
|
||||||
Edit `/etc/sysctl.conf`, add `net.ipv4.ip_forward=1` and run `sudo sysctl -p /etc/sysctl.conf`.
|
Edit `/etc/sysctl.conf`, add `net.ipv4.ip_forward=1` and run `sudo sysctl -p /etc/sysctl.conf`.
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>IPv6 specific config</summary>
|
||||||
|
|
||||||
|
`net.ipv6.conf.all.forwarding=1` will need to be set as well.
|
||||||
|
</details>
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
## 2. Add required firewall rules
|
## 2. Add required firewall rules
|
||||||
@@ -115,12 +142,16 @@ table inet nat {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Note: The above rule uses `inet` as the table family type, so it is compatible with
|
||||||
|
both IPv4 and IPv6 usage.
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
#### Using iptables
|
#### Using iptables
|
||||||
|
|
||||||
```
|
```
|
||||||
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||||
|
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||||
```
|
```
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
@@ -130,17 +161,18 @@ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|||||||
Server needs to DNAT the TCP listening port to Phantun's TUN interface address.
|
Server needs to DNAT the TCP listening port to Phantun's TUN interface address.
|
||||||
|
|
||||||
Note: change `eth0` to whatever actual physical interface name is and `4567` to
|
Note: change `eth0` to whatever actual physical interface name is and `4567` to
|
||||||
actual TCP port number used by Phanton server
|
actual TCP port number used by Phantun server
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
#### Using nftables
|
#### Using nftables
|
||||||
|
|
||||||
```
|
```
|
||||||
table ip nat {
|
table inet nat {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
iif eth0 tcp dport 4567 dnat to 192.168.201.2
|
iif eth0 tcp dport 4567 dnat ip to 192.168.201.2
|
||||||
|
iif eth0 tcp dport 4567 dnat ip6 to fcc9::2
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
@@ -151,6 +183,7 @@ table ip nat {
|
|||||||
|
|
||||||
```
|
```
|
||||||
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2
|
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2
|
||||||
|
ip6tables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination fcc9::2
|
||||||
```
|
```
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
@@ -172,6 +205,8 @@ sudo setcap cap_net_admin=+pe phantun_client
|
|||||||
|
|
||||||
**Note:** Run Phantun executable with `-h` option to see full detailed options.
|
**Note:** Run Phantun executable with `-h` option to see full detailed options.
|
||||||
|
|
||||||
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
### Server
|
### Server
|
||||||
|
|
||||||
Note: `4567` is the TCP port Phantun should listen on and must corresponds to the DNAT
|
Note: `4567` is the TCP port Phantun should listen on and must corresponds to the DNAT
|
||||||
@@ -181,6 +216,16 @@ rule specified above. `127.0.0.1:1234` is the UDP Server to connect to for new c
|
|||||||
RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote 127.0.0.1:1234
|
RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote 127.0.0.1:1234
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Or use host name with `--remote`:
|
||||||
|
|
||||||
|
```
|
||||||
|
RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote example.com:1234
|
||||||
|
```
|
||||||
|
|
||||||
|
Note: Server by default assigns both IPv4 and IPv6 private address to the Tun interface.
|
||||||
|
If you do not wish to use IPv6, you can simply skip creating the IPv6 DNAT rule above and
|
||||||
|
the presence of IPv6 address on the Tun interface should have no side effect to the server.
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
### Client
|
### Client
|
||||||
@@ -192,25 +237,43 @@ the Phantun Server to connect.
|
|||||||
RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote 10.0.0.1:4567
|
RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote 10.0.0.1:4567
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Or use host name with `--remote`:
|
||||||
|
|
||||||
|
```
|
||||||
|
RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote example.com:4567
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>IPv6 specific config</summary>
|
||||||
|
|
||||||
|
```
|
||||||
|
RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote [fdxx::1234]:4567
|
||||||
|
```
|
||||||
|
|
||||||
|
Domain name with AAAA record is also supported.
|
||||||
|
</details>
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
# MTU overhead
|
# MTU overhead
|
||||||
|
|
||||||
Phantun aims to keep tunneling overhead to the minimum. The overhead compared to a plain UDP packet
|
Phantun aims to keep tunneling overhead to the minimum. The overhead compared to a plain UDP packet
|
||||||
is the following:
|
is the following (using IPv4 below as an example):
|
||||||
|
|
||||||
Standard UDP packet: 20 byte IP header + 8 byte UDP header = 28 bytes
|
**Standard UDP packet:** `20 byte IP header + 8 byte UDP header = 28 bytes`
|
||||||
|
|
||||||
Phantun obfuscated UDP packet: 20 byte IP header + 20 byte TCP header = 40 bytes
|
**Obfuscated packet:** `20 byte IP header + 20 byte TCP header = 40 bytes`
|
||||||
|
|
||||||
|
|
||||||
Note that Phantun does not add any additional header other than IP and TCP headers in order to pass through
|
Note that Phantun does not add any additional header other than IP and TCP headers in order to pass through
|
||||||
stateful packet inspection!
|
stateful packet inspection!
|
||||||
|
|
||||||
Phantun's additional overhead: 12 bytes. I other words, when using Phantun, the usable payload for
|
Phantun's additional overhead: `12 bytes`. In other words, when using Phantun, the usable payload for
|
||||||
UDP packet is reduced by 12 bytes. This is the minimum overhead possible when doing such kind
|
UDP packet is reduced by 12 bytes. This is the minimum overhead possible when doing such kind
|
||||||
of obfuscation.
|
of obfuscation.
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
## MTU calculation for WireGuard
|
## MTU calculation for WireGuard
|
||||||
@@ -218,15 +281,34 @@ of obfuscation.
|
|||||||
For people who use Phantun to tunnel [WireGuard®](https://www.wireguard.com) UDP packets, here are some guidelines on figuring
|
For people who use Phantun to tunnel [WireGuard®](https://www.wireguard.com) UDP packets, here are some guidelines on figuring
|
||||||
out the correct MTU to use for your WireGuard interface.
|
out the correct MTU to use for your WireGuard interface.
|
||||||
|
|
||||||
WireGuard MTU = Interface MTU - IP header (20 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes)
|
```
|
||||||
|
WireGuard MTU = Link MTU - IPv4 header (20 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes)
|
||||||
|
```
|
||||||
|
|
||||||
For example, for a Ethernet interface with 1500 bytes MTU, the WireGuard interface MTU should be set as:
|
or
|
||||||
|
|
||||||
1500 - 20 - 20 - 32 = 1428 bytes
|
```
|
||||||
|
WireGuard MTU = Link MTU - IPv6 header (40 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes)
|
||||||
|
```
|
||||||
|
|
||||||
|
For example, for a network link with 1500 bytes MTU, the WireGuard interface MTU should be set as:
|
||||||
|
|
||||||
|
**IPv4:** `1500 (link MTU) - 20 - 20 - 32 = 1428 bytes`
|
||||||
|
|
||||||
|
**IPv6:** `1500 (link MTU) - 40 - 20 - 32 = 1408 bytes`
|
||||||
|
|
||||||
The resulted Phantun TCP data packet will be 1500 bytes which does not exceed the
|
The resulted Phantun TCP data packet will be 1500 bytes which does not exceed the
|
||||||
interface MTU of 1500.
|
interface MTU of 1500.
|
||||||
|
|
||||||
|
Please note **Phantun can not function correctly if
|
||||||
|
the packet size exceeds that of the link MTU**, as Phantun do not perform any IP-fragmentation
|
||||||
|
and reassymbly. For the same reason, Phantun always sets the `DF` (Don't Fragment) bit
|
||||||
|
in the IP header to prevent intermidiate devices performing any fragmentation on the packet.
|
||||||
|
|
||||||
|
It is also *strongly recommended* to use the same interface
|
||||||
|
MTU for both ends of a WireGuard tunnel, or unexpected packet loss may occur and these issues are
|
||||||
|
generally very hard to troubleshoot.
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
# Version compatibility
|
# Version compatibility
|
||||||
@@ -236,21 +318,37 @@ of Server/Client of Phantun on both ends to ensure maximum compatibility.
|
|||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
|
# Documentations
|
||||||
|
|
||||||
|
For users who wish to use `fake-tcp` library inside their own project, refer to the documentations for the library at:
|
||||||
|
[https://docs.rs/fake-tcp](https://docs.rs/fake-tcp).
|
||||||
|
|
||||||
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
# Performance
|
# Performance
|
||||||
|
|
||||||
Performance was tested on AWS t3.xlarge instance with 4 vCPUs and 5 Gb/s NIC. WireGuard was used
|
Performance was tested on 2 AWS `t4g.xlarge` instances with 4 vCPUs and 5 Gb/s NIC over LAN. `nftables` was used to redirect
|
||||||
for tunneling TCP/UDP traffic between two test instances and MTU has been tuned to avoid fragmentation.
|
UDP stream of `iperf3` to go through the Phantun/udp2raw tunnel between two test instances and MTU has been tuned to avoid fragmentation.
|
||||||
|
|
||||||
| | WireGuard | WireGuard + Phantun | WireGuard + udp2raw (cipher-mode=none auth-mode=none disable-anti-replay) |
|
Phantun `v0.3.2` and `udp2raw_arm_asm_aes` `20200818.0` was used. These were the latest release of both projects as of Apr 2022.
|
||||||
|-----------------|-------------|---------------------|---------------------------------------------------------------------------|
|
|
||||||
| iperf3 -c IP -R | 1.56 Gbit/s | 540 Mbit/s | 369 Mbit/s |
|
Test command: `iperf3 -c <IP> -p <PORT> -R -u -l 1400 -b 1000m -t 30 -P 5`
|
||||||
| iperf3 -c IP | 1.71 Gbit/s | 519 Mbit/s | 312 Mbit/s |
|
|
||||||
|
| Mode | Send Speed | Receive Speed | Overall CPU Usage |
|
||||||
|
|---------------------------------------------------------------------------------|----------------|----------------|-----------------------------------------------------|
|
||||||
|
| Direct (1 stream) | 3.00 Gbits/sec | 2.37 Gbits/sec | 25% (1 core at 100%) |
|
||||||
|
| Phantun (1 stream) | 1.30 Gbits/sec | 1.20 Gbits/sec | 60% (1 core at 100%, 3 cores at 50%) |
|
||||||
|
| udp2raw (`cipher-mode=none` `auth-mode=none` `disable-anti-replay`) (1 stream) | 1.30 Gbits/sec | 715 Mbits/sec | 40% (1 core at 100%, 1 core at 50%, 2 cores idling) |
|
||||||
|
| Direct connection (5 streams) | 5.00 Gbits/sec | 3.64 Gbits/sec | 25% (1 core at 100%) |
|
||||||
|
| Phantun (5 streams) | 5.00 Gbits/sec | 2.38 Gbits/sec | 95% (all cores utilized) |
|
||||||
|
| udp2raw (`cipher-mode=none` `auth-mode=none` `disable-anti-replay`) (5 streams) | 5.00 Gbits/sec | 770 Mbits/sec | 50% (2 cores at 100%) |
|
||||||
|
|
||||||
|
Writeup on some of the techniques used in Phantun to achieve this performance result: [Writing Highly Efficient UDP Server in Rust](https://idndx.com/writing-highly-efficient-udp-server-in-rust/).
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
# Future plans
|
# Future plans
|
||||||
|
|
||||||
* IPv6 support
|
|
||||||
* Load balancing a single UDP stream into multiple TCP streams
|
* Load balancing a single UDP stream into multiple TCP streams
|
||||||
* Integration tests
|
* Integration tests
|
||||||
* Auto insertion/removal of required firewall rules
|
* Auto insertion/removal of required firewall rules
|
||||||
@@ -260,7 +358,7 @@ for tunneling TCP/UDP traffic between two test instances and MTU has been tuned
|
|||||||
# Compariation to udp2raw
|
# Compariation to udp2raw
|
||||||
[udp2raw](https://github.com/wangyu-/udp2raw-tunnel) is another popular project by [@wangyu-](https://github.com/wangyu-)
|
[udp2raw](https://github.com/wangyu-/udp2raw-tunnel) is another popular project by [@wangyu-](https://github.com/wangyu-)
|
||||||
that is very similar to what Phantun can do. In fact I took inspirations of Phantun from udp2raw. The biggest reason for
|
that is very similar to what Phantun can do. In fact I took inspirations of Phantun from udp2raw. The biggest reason for
|
||||||
developing Phanton is because of lack of performance when running udp2raw (especially on multi-core systems such as Raspberry Pi).
|
developing Phantun is because of lack of performance when running udp2raw (especially on multi-core systems such as Raspberry Pi).
|
||||||
However, the goal is never to be as feature complete as udp2raw and only support the most common use cases. Most notably, UDP over ICMP
|
However, the goal is never to be as feature complete as udp2raw and only support the most common use cases. Most notably, UDP over ICMP
|
||||||
and UDP over UDP mode are not supported and there is no anti-replay nor encryption support. The benefit of this is much better
|
and UDP over UDP mode are not supported and there is no anti-replay nor encryption support. The benefit of this is much better
|
||||||
performance overall and less MTU overhead because lack of additional headers inside the TCP payload.
|
performance overall and less MTU overhead because lack of additional headers inside the TCP payload.
|
||||||
@@ -274,17 +372,17 @@ Here is a quick overview of comparison between those two to help you choose:
|
|||||||
| UDP over UDP obfuscation | ❌ | ✅ |
|
| UDP over UDP obfuscation | ❌ | ✅ |
|
||||||
| Multi-threaded | ✅ | ❌ |
|
| Multi-threaded | ✅ | ❌ |
|
||||||
| Throughput | Better | Good |
|
| Throughput | Better | Good |
|
||||||
| Raw IP mode | TUN interface | Raw sockets + BPF |
|
| Layer 3 mode | TUN interface | Raw sockets + BPF |
|
||||||
| Tunneling MTU overhead | 12 bytes | 44 bytes |
|
| Tunneling MTU overhead | 12 bytes | 44 bytes |
|
||||||
| Seprate TCP connections for each UDP connection | Client/Server | Server only |
|
| Seprate TCP connections for each UDP connection | Client/Server | Server only |
|
||||||
| Anti-replay, encryption | ❌ | ✅ |
|
| Anti-replay, encryption | ❌ | ✅ |
|
||||||
| IPv6 | Planned | ✅ |
|
| IPv6 | ✅ | ✅ |
|
||||||
|
|
||||||
[Back to TOC](#table-of-contents)
|
[Back to TOC](#table-of-contents)
|
||||||
|
|
||||||
# License
|
# License
|
||||||
|
|
||||||
Copyright 2021 Datong Sun <dndx@idndx.com>
|
Copyright 2021-2025 Datong Sun (dndx@idndx.com)
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
|
Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
|
||||||
[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license
|
[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license
|
||||||
|
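--- /dev/null
+++ b/debian/cargo-checksum.json
@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"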
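Review bot: The content of `debian/cargo-checksum.json` is a Cargo source-replacement config (`[source.crates-io]` redirected to `vendored-sources` with `directory = "vendor"`), not a checksum file, and `debian/rules` copies it to `./.cargo-checksum.json`, a path Cargo never reads, so the replacement never takes effect. No `vendor/` tree is added in this change set, so the package build still resolves and downloads crates from crates.io at build time, which is both a network dependency during `dpkg-buildpackage` and an unpinned supply-chain input. If vendoring is intended, rename this to something like `debian/cargo-config.toml`, install it as `.cargo/config.toml` in `override_dh_auto_configure` and ship the `vendor/` directory with the source package; otherwise drop the file and build with `--locked`.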
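--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,25 @@
+phantun (0.7.0) UNRELEASED; urgency=medium
+
+[ Datong Sun ]
+* fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+* chore(deps): bump dependencies to latest
+* chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+
+[ dependabot[bot] ]
+* chore(deps): bump docker/build-push-action from 5 to 6
+* chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+* docs(readme): latest release is now `v0.7.0`
+
+[ Randy Li ]
+* phantun: change default tun address to link local
+* phantun: add client and server xor support
+* rpm: add selinux and rpm spec
+* deb: add debian files
+
+-- Randy Li <ayaka@soulik.info> Wed, 11 Dec 2024 15:30:45 +0000
+
+phantun (0.6.1-1) UNRELEASED; urgency=medium
+
+* Initial release. (Closes: #nnnn) <nnnn is the bug number of your ITP>
+
+-- Randy Li <ayaka@soulik.info> Wed, 06 Nov 2024 18:58:00 +0000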
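--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10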
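--- /dev/null
+++ b/debian/control
@@ -0,0 +1,19 @@
+Source: phantun
+Section: net
+Priority: optional
+Maintainer: Randy Li <ayaka@soulik.info>
+Build-Depends: debhelper (>= 9), cargo, rustc
+Standards-Version: 4.5.0
+Homepage: <insert homepage here>
+
+Package: phantun-client
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun client
+Phantun client binary.
+
+Package: phantun-server
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun server
+Phantun server binary.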
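Review bot: `Build-Depends: debhelper (>= 9), cargo, rustc` does not list `dh-cargo`, which on Debian is what provides the `--buildsystem=cargo` that `debian/rules` selects, and the `>= 9` bound is below the `10` written to `debian/compat`, so depending on which debhelper is installed the build either fails or runs at a compat level the packager did not test; suggested `Build-Depends: debhelper (>= 10), dh-cargo, cargo, rustc`. `Homepage: <insert homepage here>` is the dh_make template placeholder and should be the upstream URL or be removed. The two binary packages declare no `Depends` beyond the substvars; if the shipped wrapper scripts are expected to set up tun routing the way `docker/phantun.sh` does, `iproute2` and `iptables` belong here, otherwise this is fine as is.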
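--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: phantun
+Source: https://github.com/hizukiayaka/phantun
+
+Files: *
+Copyright: 2023, Randy Li <ayaka@soulik.info>
+License: MIT
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.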
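Review bot: `Files: *` with `Copyright: 2023, Randy Li` and `License: MIT` attributes the entire tree to the packager under a single license, while the README and LICENSE hunks in this same change show upstream as `Copyright 2021-2025 Datong Sun` under `MIT OR Apache-2.0`, and `Source:` points at a fork instead of the repository named in `fake-tcp/Cargo.toml`. A DEP-5 file with the wrong holder or license misstates the terms users receive and is a rejection reason in archive review. Split it into a `Files: *` stanza for upstream (`Copyright: 2021-2025, Datong Sun <dndx@idndx.com>`, `License: MIT or Apache-2.0`, with both license texts) and a separate `Files: debian/*` stanza for the packaging.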
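--- /dev/null
+++ b/debian/phantun-client-wrapper
@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}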
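Review bot: `PID_FILE=$1` is used unvalidated in `echo $! > /var/run/phantun/${PID_FILE}`, so a first argument containing `/` or `..` writes the pid file outside `/var/run/phantun`, and an empty or missing argument turns the redirect target into the directory itself, which fails only after the daemon has already been backgrounded on the line above. The script also runs without `set -e`/`set -u`, exits 0 even when `phantun-client` fails to start, and lets a forgotten pid-file argument be swallowed as the first client option. Whoever invokes this (presumably a service unit, not visible here) should pass a bare file name; the rewrite below enforces that and quotes the redirect target.
```shell
#!/bin/bash
set -eu
PID_FILE=${1:?usage: phantun-client PID_FILE [phantun-client args...]}
shift 1
case "$PID_FILE" in
    ''|*/*|.|..) echo "invalid pid file name: $PID_FILE" >&2; exit 1 ;;
esac
mkdir -p /var/run/phantun
/usr/libexec/phantun/phantun-client "$@" &
echo $! > "/var/run/phantun/${PID_FILE}"
```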
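--- /dev/null
+++ b/debian/phantun-client.install
@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-client
+usr/bin/phantun-client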
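--- /dev/null
+++ b/debian/phantun-server-wrapper
@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}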
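Review bot: Same defect as the client wrapper: `PID_FILE=$1` goes unvalidated into `echo $! > /var/run/phantun/${PID_FILE}`, so a name with `/` or `..` escapes the pid directory and an empty argument makes the redirect fail after `phantun-server` is already running in the background, and the script has no `set -e`/`set -u`. Add `set -eu`, `PID_FILE=${1:?usage: phantun-server PID_FILE [args...]}` and `case "$PID_FILE" in ''|*/*|.|..) echo "invalid pid file name" >&2; exit 1 ;; esac` before the `shift`, and quote the redirect as `"/var/run/phantun/${PID_FILE}"`. Since the two wrappers are identical apart from the binary name, one shared script taking the binary as a parameter would keep the fix from drifting.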
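--- /dev/null
+++ b/debian/phantun-server.install
@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-server
+usr/bin/phantun-server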
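--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,35 @@
+#!/usr/bin/make -f
+
+%:
+dh $@ --buildsystem=cargo
+
+override_dh_auto_install:
+# Define DESTDIR
+DESTDIR=$(CURDIR)/debian/phantun
+
+# Install client binary
+install -D -m 0755 target/release/client debian/tmp/usr/libexec/phantun/phantun-client
+
+# Install server binary
+install -D -m 0755 target/release/server debian/tmp/usr/libexec/phantun/phantun-server
+
+# Create wrapper scripts
+install -D -m 0755 debian/phantun-client-wrapper debian/tmp/usr/bin/phantun-client
+
+install -D -m 0755 debian/phantun-server-wrapper debian/tmp/usr/bin/phantun-server
+
+chmod +x debian/tmp/usr/bin/phantun-client
+chmod +x debian/tmp/usr/bin/phantun-server
+
+override_dh_auto_configure:
+cp ./debian/cargo-checksum.json ./.cargo-checksum.json
+
+override_dh_auto_build:
+cargo build --release
+
+override_dh_install:
+dh_install
+
+override_dh_auto_test:
+# Disable the auto test step
+true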
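Review bot: `override_dh_auto_build` runs `cargo build --release` without `--locked`, so the package build ignores drift between `Cargo.toml` and `Cargo.lock`, resolves dependencies from crates.io at build time and is not reproducible; with the `"0"` requirements introduced in `fake-tcp/Cargo.toml` this can pull a different crate minor on every build. `override_dh_auto_configure` copies the config to `./.cargo-checksum.json`, which Cargo does not read (it looks for `.cargo/config.toml`), so the vendored-sources replacement in that file is dead, and `DESTDIR=$(CURDIR)/debian/phantun` in `override_dh_auto_install` is a per-line shell assignment with no effect on the following lines (and `debian/phantun` is not a package defined in `control`). `override_dh_auto_test: true` disables the whole test suite; if a test needs root or a tun device, skip that test rather than all of them. The rendered page has dropped the recipe tabs, which are mandatory in the real file; keep `--offline` below only if a `vendor/` tree is actually shipped, otherwise `--locked` alone.
```makefile
override_dh_auto_configure:
	mkdir -p .cargo
	cp debian/cargo-checksum.json .cargo/config.toml

override_dh_auto_build:
	cargo build --release --locked --offline
```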
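--- /dev/null
+++ b/docker/.dockerignore
@@ -0,0 +1,2 @@
+README.md
+docker-compose.yml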
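--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,37 @@
+#
+# Dockerfile for phantun
+#
+
+#
+# Build stage
+#
+FROM rust:latest AS builder
+
+COPY . /phantun
+
+RUN cd phantun \
+&& cargo build --release \
+&& strip target/release/server target/release/client \
+&& install target/release/server /usr/local/bin/phantun-server \
+&& install target/release/client /usr/local/bin/phantun-client \
+&& cd - \
+&& rm -r phantun
+
+#
+# Runtime stage
+#
+FROM debian:latest
+
+COPY --from=builder /usr/local/bin/phantun-server /usr/local/bin/
+COPY --from=builder /usr/local/bin/phantun-client /usr/local/bin/
+COPY docker/phantun.sh /usr/local/bin/
+RUN apt-get update && apt-get install -y \
+iproute2 \
+iptables \
+procps
+
+ENV USE_IPTABLES_NFT_BACKEND=0
+ENV RUST_LOG=INFO
+
+ENTRYPOINT ["phantun.sh"]
+CMD ["phantun-server", "--help"]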
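Review bot: Both stages use floating tags, `FROM rust:latest` and `FROM debian:latest`, so every rebuild picks up whatever toolchain and base Debian is current, which is neither reproducible nor auditable (a `latest` bump can change the glibc the stripped binaries link against); pin versioned tags, and ideally digests. `cargo build --release` runs without `--locked`, so dependencies are re-resolved from crates.io instead of the committed `Cargo.lock`, and the runtime `apt-get install` pulls recommended packages and leaves `/var/lib/apt/lists` in the image. `COPY . /phantun` copies the whole build context while `docker/.dockerignore` excludes only the README and compose file, so `.git`, a local `target/` and any credentials lying in the checkout land in the builder layer; add `.git` and `target` to the ignore file. The container still has to run as root for the tun device and iptables, so there is no `USER` to add here; the tags below are examples, use the ones your CI already tests against.
```dockerfile
FROM rust:1-bookworm AS builder
# … unchanged: COPY . /phantun …
RUN cd phantun \
    && cargo build --release --locked \
# … unchanged: strip, install, cleanup …
FROM debian:bookworm-slim
# … unchanged: COPY --from=builder …, COPY docker/phantun.sh …
RUN apt-get update \
    && apt-get install -y --no-install-recommends iproute2 iptables procps \
    && rm -rf /var/lib/apt/lists/*
```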
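--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,11 @@
+# phantun (docker)
+
+## Build
+
+```sh
+docker build -t phantun -f docker/Dockerfile .
+```
+
+## Usage
+
+It is recommended to use docker-compose, see [docker-compose.yml](docker-compose.yml) for details.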
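--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,26 @@
+version: '3.9'
+
+services:
+phantun-server:
+image: phantun
+container_name: phantun-server
+restart: unless-stopped
+network_mode: host
+privileged: true
+environment:
+USE_IPTABLES_NFT_BACKEND: 0
+RUST_LOG: INFO
+command: >
+phantun-server --local 1985 --remote 127.0.0.1:1984 --ipv4-only
+
+phantun-client:
+image: phantun
+container_name: phantun-client
+restart: unless-stopped
+network_mode: host
+privileged: true
+environment:
+USE_IPTABLES_NFT_BACKEND: 0
+RUST_LOG: INFO
+command: >
+phantun-client --local 127.0.0.1:1984 --remote 11.22.33.44:1985 --ipv4-only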
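Review bot: Both services combine `privileged: true` with `network_mode: host`, which grants the container every capability and unrestricted device access on the host; what phantun needs is `CAP_NET_ADMIN` for the tun interface, the iptables rules and `ip route`, plus `/dev/net/tun`. The one step that still wants more is `phantun.sh`'s `sysctl -w net.ipv4.ip_forward=1`: in host-network mode `/proc/sys/net` is the host's and is typically read-only for a non-privileged container, so enable forwarding on the host instead and drop `privileged`. `version: '3.9'` is ignored by Compose v2 and only prints a warning, and `USE_IPTABLES_NFT_BACKEND: 0` is a YAML integer; Compose stringifies it, but quoting as `"0"` avoids the usual typing surprises. Indentation is not visible in the rendered page; the snippet assumes the standard two-space layout and applies equally to `phantun-client`.
```yaml
  phantun-server:
    image: phantun
    # … unchanged: container_name, restart …
    network_mode: host
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      USE_IPTABLES_NFT_BACKEND: "0"
    # … unchanged: RUST_LOG, command …
```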
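--- /dev/null
+++ b/docker/phantun.sh
@@ -0,0 +1,209 @@
+#!/bin/bash
+
+# alias settings must be global, and must be defined before the function being called with the alias
+if [ "$USE_IPTABLES_NFT_BACKEND" = 1 ]; then
+alias iptables=iptables-nft
+alias iptables-save=iptables-nft-save
+alias ip6tables=ip6tables-nft
+alias ip6tables-save=ip6tables-nft-save
+fi
+
+info() {
+local green='\e[0;32m'
+local clear='\e[0m'
+local time=$(date '+%Y-%m-%d %T')
+printf "${green}[${time}] [INFO]: ${clear}%s\n" "$*"
+}
+
+warn() {
+local yellow='\e[1;33m'
+local clear='\e[0m'
+local time=$(date '+%Y-%m-%d %T')
+printf "${yellow}[${time}] [WARN]: ${clear}%s\n" "$*" >&2
+}
+
+error() {
+local red='\e[0;31m'
+local clear='\e[0m'
+local time=$(date '+%Y-%m-%d %T')
+printf "${red}[${time}] [ERROR]: ${clear}%s\n" "$*" >&2
+}
+
+_get_default_iface() {
+ip -4 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}'
+}
+
+_get_default6_iface() {
+ip -6 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}'
+}
+
+_get_addr_by_iface() {
+ip -4 addr show dev "$1" | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1
+}
+
+_get_addr6_by_iface() {
+ip -6 addr show dev "$1" | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1
+}
+
+_check_rule_by_comment() {
+iptables-save | grep -q "$1"
+}
+
+_check_rule6_by_comment() {
+ip6tables-save | grep -q "$1"
+}
+
+_is_server_mode() {
+[ "$1" = "phantun-server" ]
+}
+
+_is_ipv4_only() {
+case "$@" in
+*-4*|*--ipv4-only*)
+return 0
+;;
+*\ -4*|*\ --ipv4-only*)
+return 0
+;;
+esac
+return 1
+}
+
+_get_tun_from_args() {
+local tun=$(echo "$@" | awk -F '--tun ' '{print $2}' | awk '{print $1}')
+echo ${tun:=tun0}
+}
+
+_get_peer_from_args() {
+local peer=$(echo "$@" | awk -F '--tun-peer ' '{print $2}' | awk '{print $1}')
+_is_server_mode "$1" && echo ${peer:=192.168.201.2} || echo ${peer:=192.168.200.2}
+}
+
+_get_peer6_from_args() {
+local peer=$(echo "$@" | awk -F '--tun-peer6 ' '{print $2}' | awk '{print $1}')
+_is_server_mode "$1" && echo ${peer:=fcc9::2} || echo ${peer:=fcc8::2}
+}
+
+_get_port_from_args() {
+local value=$(echo "$@" | awk -F '-l|--local' '{print $2}' | awk '{print $1}')
+_is_server_mode "$1" && echo $value || echo $value | awk -F ':' '{print $2}'
+}
+
+_iptables() {
+iptables -w 10 "$@"
+}
+
+_ip6tables() {
+ip6tables -w 10 "$@"
+}
+
+apply_sysctl() {
+info "apply sysctl: $(sysctl -w net.ipv4.ip_forward=1)"
+! _is_ipv4_only "$@" || return
+info "apply sysctl: $(sysctl -w net.ipv6.conf.all.forwarding=1)"
+}
+
+apply_iptables() {
+local interface=$(_get_default_iface)
+local address=$(_get_addr_by_iface "${interface}")
+local tun=$(_get_tun_from_args "$@")
+local peer=$(_get_peer_from_args "$@")
+local port=$(_get_port_from_args "$@")
+local comment="phantun_${tun}_${port}"
+
+if _check_rule_by_comment "${comment}"; then
+warn "iptables rules already exist, maybe needs to check."
+else
+_iptables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}" || error "iptables filter rule add failed."
+_iptables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}" || error "iptables filter rule add failed."
+if _is_server_mode "$1"; then
+info "iptables DNAT rule added: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}"
+_iptables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \
+-m comment --comment "${comment}" || error "iptables DNAT rule add failed."
+else
+info "iptables SNAT rule added: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}"
+_iptables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \
+-m comment --comment "${comment}" || error "iptables SNAT rule add failed."
+fi
+fi
+}
+
+apply_ip6tables() {
+! _is_ipv4_only "$@" || return
+
+local interface=$(_get_default6_iface)
+local address=$(_get_addr6_by_iface "${interface}")
+local tun=$(_get_tun_from_args "$@")
+local peer=$(_get_peer6_from_args "$@")
+local port=$(_get_port_from_args "$@")
+local comment="phantun_${tun}_${port}"
+
+if _check_rule6_by_comment "${comment}"; then
+warn "ip6tables rules already exist, maybe needs to check."
+else
+_ip6tables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}" || error "ip6tables filter rule add failed."
+_ip6tables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}" || error "ip6tables filter rule add failed."
+if _is_server_mode "$1"; then
+info "ip6tables DNAT rule added: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}"
+_ip6tables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \
+-m comment --comment "${comment}" || error "ip6tables DNAT rule add failed."
+else
+info "ip6tables SNAT rule added: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}"
+_ip6tables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \
+-m comment --comment "${comment}" || error "ip6tables SNAT rule add failed."
+fi
+fi
+}
+
+stop_process() {
+kill $(pidof phantun-server phantun-client)
+info "terminate phantun process."
+}
+
+revoke_iptables() {
+local tun=$(_get_tun_from_args "$@")
+local port=$(_get_port_from_args "$@")
+local comment="phantun_${tun}_${port}"
+
+iptables-save -t filter | grep "${comment}" | while read rule; do
+_iptables -t filter ${rule/-A/-D} || error "iptables filter rule remove failed."
+done
+iptables-save -t nat | grep "${comment}" | while read rule; do
+_iptables -t nat ${rule/-A/-D} || error "iptables nat rule remove failed."
+done
+info "iptables rule: [${comment}] removed."
+}
+
+revoke_ip6tables() {
+! _is_ipv4_only "$@" || return
+
+local tun=$(_get_tun_from_args "$@")
+local port=$(_get_port_from_args "$@")
+local comment="phantun_${tun}_${port}"
+
+ip6tables-save -t filter | grep "${comment}" | while read rule; do
+_ip6tables -t filter ${rule/-A/-D} || error "ip6tables filter rule remove failed."
+done
+ip6tables-save -t nat | grep "${comment}" | while read rule; do
+_ip6tables -t nat ${rule/-A/-D} || error "ip6tables nat rule remove failed."
+done
+info "ip6tables rule: [${comment}] removed."
+}
+
+graceful_stop() {
+warn "caught SIGTERM or SIGINT signal, graceful stopping..."
+stop_process
+revoke_iptables "$@"
+revoke_ip6tables "$@"
+}
+
+start_phantun() {
+trap 'graceful_stop "$@"' SIGTERM SIGINT
+apply_sysctl "$@"
+apply_iptables "$@"
+apply_ip6tables "$@"
+"$@" &
+wait
+}
+
+start_phantun "$@"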
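Review bot: The `alias iptables=iptables-nft` block at the top has no effect in this script: bash expands aliases only in interactive shells unless `shopt -s expand_aliases` is set, so every `iptables`, `iptables-save`, `ip6tables` and `ip6tables-save` call in the functions below keeps running the default binaries and the `USE_IPTABLES_NFT_BACKEND=1` knob exported by the Dockerfile and compose file is silently ignored; on a host whose rules live in nftables the script then adds its DNAT/FORWARD rules to a table nothing consults. Replace the aliases with variables and call them quoted, as below. Two smaller points in the same file: `_check_rule_by_comment` is a substring `grep -q "$1"`, so the comment for port `19` matches an existing rule for port `1985` and the rules are never added (`grep -qw` fixes it), and when phantun exits on its own `wait` returns and the script ends without `revoke_iptables`, leaving host-wide FORWARD and NAT rules behind in host-network mode; running the revoke functions after `wait` as well covers both paths. `sysctl -w net.ipv4.ip_forward=1` also enables forwarding for every interface on the host, so a host with a default-ACCEPT FORWARD policy becomes a router for all attached networks, not just the tun; that is worth a warning in the docs at least.
```shell
IPTABLES=iptables
IPTABLES_SAVE=iptables-save
IP6TABLES=ip6tables
IP6TABLES_SAVE=ip6tables-save
if [ "$USE_IPTABLES_NFT_BACKEND" = 1 ]; then
    IPTABLES=iptables-nft
    IPTABLES_SAVE=iptables-nft-save
    IP6TABLES=ip6tables-nft
    IP6TABLES_SAVE=ip6tables-nft-save
fi
# … unchanged: info/warn/error, interface and argument helpers …
_check_rule_by_comment() {
    "$IPTABLES_SAVE" | grep -qw -- "$1"
}
# … unchanged: _check_rule6_by_comment, same shape with "$IP6TABLES_SAVE" …
_iptables() {
    "$IPTABLES" -w 10 "$@"
}
# … unchanged: _ip6tables with "$IP6TABLES"; revoke_* must call "$IPTABLES_SAVE"/"$IP6TABLES_SAVE" too …
start_phantun() {
    trap 'graceful_stop "$@"' SIGTERM SIGINT
    # … unchanged: apply_sysctl, apply_iptables, apply_ip6tables …
    "$@" &
    wait
    # phantun exited (or the trap already ran): never leave host rules behind
    revoke_iptables "$@"
    revoke_ip6tables "$@"
}
```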
@@ -1,7 +1,7 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "fake-tcp"
|
name = "fake-tcp"
|
||||||
version = "0.1.2"
|
version = "0.7.1"
|
||||||
edition = "2018"
|
edition = "2024"
|
||||||
authors = ["Datong Sun <dndx@idndx.com>"]
|
authors = ["Datong Sun <dndx@idndx.com>"]
|
||||||
license = "MIT OR Apache-2.0"
|
license = "MIT OR Apache-2.0"
|
||||||
repository = "https://github.com/dndx/phantun"
|
repository = "https://github.com/dndx/phantun"
|
||||||
@@ -16,9 +16,10 @@ benchmark = []
|
|||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
bytes = "1"
|
bytes = "1"
|
||||||
pnet = "0.28.0"
|
pnet = "0"
|
||||||
tokio = { version = "1.12.0", features = ["full"] }
|
rand = { version = "0", features = ["small_rng"] }
|
||||||
rand = { version = "0.8.4", features = ["small_rng"] }
|
internet-checksum = "0"
|
||||||
log = "0.4"
|
tokio-tun = "0"
|
||||||
internet-checksum = "0.2.0"
|
flume = "0"
|
||||||
dndx-fork-tokio-tun = "0.3.16"
|
tokio = { workspace = true }
|
||||||
|
log = { workspace = true }
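Review bot: The new requirements `pnet = "0"`, `rand = "0"`, `internet-checksum = "0"`, `tokio-tun = "0"` and `flume = "0"` are caret requirements on major 0, which Cargo reads as "any 0.y.z"; for pre-1.0 crates every minor is allowed to break the API, so any resolve without `--locked` (the Docker and Debian builds added in this same change do exactly that) may compile against a different, untested minor or a freshly published one. The lines being replaced pinned the minor (`pnet = "0.28.0"`, `rand = "0.8.4"`, `internet-checksum = "0.2.0"`); keep that shape, `crate = "0.N"` with N taken from `Cargo.lock`, and treat bumps as reviewed changes rather than something `cargo update` does on its own. `tokio` and `log` via `workspace = true` are fine provided the workspace table pins them the same way.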
|
||||||
|
@@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work.
|
|||||||
same "printed page" as the copyright notice for easier
|
same "printed page" as the copyright notice for easier
|
||||||
identification within third-party archives.
|
identification within third-party archives.
|
||||||
|
|
||||||
Copyright 2014-2021 The Rust Project Developers
|
Copyright 2021-2024 Datong Sun (dndx@idndx.com)
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
MIT License
|
MIT License
|
||||||
|
|
||||||
Copyright (c) 2014-2021 The Rust Project Developers
|
Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com)
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any
|
Permission is hereby granted, free of charge, to any
|
||||||
person obtaining a copy of this software and associated
|
person obtaining a copy of this software and associated
|
||||||
|
@@ -5,7 +5,7 @@ packet oriented tunneling with minimum overhead.
|
|||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
Copyright 2021 Datong Sun <dndx@idndx.com>
|
Copyright 2021-2025 Datong Sun <dndx@idndx.com>
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
|
Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
|
||||||
[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license
|
[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license
|
||||||
|
@@ -1,7 +1,46 @@
|
|||||||
|
//! A minimum, userspace TCP based datagram stack
|
||||||
|
//!
|
||||||
|
//! # Overview
|
||||||
|
//!
|
||||||
|
//! `fake-tcp` is a reusable library that implements a minimum TCP stack in
|
||||||
|
//! user space using the Tun interface. It allows programs to send datagrams
|
||||||
|
//! as if they are part of a TCP connection. `fake-tcp` has been tested to
|
||||||
|
//! be able to pass through a variety of NAT and stateful firewalls while
|
||||||
|
//! fully preserves certain desirable behavior such as out of order delivery
|
||||||
|
//! and no congestion/flow controls.
|
||||||
|
//!
|
||||||
|
//! # Core Concepts
|
||||||
|
//!
|
||||||
|
//! The core of the `fake-tcp` crate compose of two structures. [`Stack`] and
|
||||||
|
//! [`Socket`].
|
||||||
|
//!
|
||||||
|
//! ## [`Stack`]
|
||||||
|
//!
|
||||||
|
//! [`Stack`] represents a virtual TCP stack that operates at
|
||||||
|
//! Layer 3. It is responsible for:
|
||||||
|
//!
|
||||||
|
//! * TCP active and passive open and handshake
|
||||||
|
//! * `RST` handling
|
||||||
|
//! * Interact with the Tun interface at Layer 3
|
||||||
|
//! * Distribute incoming datagrams to corresponding [`Socket`]
|
||||||
|
//!
|
||||||
|
//! ## [`Socket`]
|
||||||
|
//!
|
||||||
|
//! [`Socket`] represents a TCP connection. It registers the identifying
|
||||||
|
//! tuple `(src_ip, src_port, dest_ip, dest_port)` inside the [`Stack`] so
|
||||||
|
//! so that incoming packets can be distributed to the right [`Socket`] with
|
||||||
|
//! using a channel. It is also what the client should use for
|
||||||
|
//! sending/receiving datagrams.
|
||||||
|
//!
|
||||||
|
//! # Examples
|
||||||
|
//!
|
||||||
|
//! Please see [`client.rs`](https://github.com/dndx/phantun/blob/main/phantun/src/bin/client.rs)
|
||||||
|
//! and [`server.rs`](https://github.com/dndx/phantun/blob/main/phantun/src/bin/server.rs) files
|
||||||
|
//! from the `phantun` crate for how to use this library in client/server mode, respectively.
|
||||||
|
|
||||||
#![cfg_attr(feature = "benchmark", feature(test))]
|
#![cfg_attr(feature = "benchmark", feature(test))]
|
||||||
|
|
||||||
pub mod packet;
|
pub mod packet;
|
||||||
extern crate dndx_fork_tokio_tun as tokio_tun;
|
|
||||||
|
|
||||||
use bytes::{Bytes, BytesMut};
|
use bytes::{Bytes, BytesMut};
|
||||||
use log::{error, info, trace, warn};
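Review bot: The new crate-level documentation explains NAT and stateful-firewall traversal but says nothing about the trust model, so a reader of these docs alone could assume TCP-like integrity guarantees; the README hunk in this same change states there is no anti-replay and no encryption, and `Socket` demultiplexes purely on the `(src_ip, src_port, dest_ip, dest_port)` tuple described here. Add a `//! # Security` section stating that payloads are neither encrypted nor authenticated, that any on-path party, or anyone who can guess the tuple, can inject datagrams or a `RST` into an established connection, and that callers must run an authenticated protocol (for example WireGuard) inside the tunnel. Two wording fixes in the same block: `fully preserves certain desirable behavior` should read `fully preserving certain desirable behaviors`, and `compose of two structures` should be `is composed of two structures`.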
|
use log::{error, info, trace, warn};
|
||||||
@@ -10,28 +49,30 @@ use pnet::packet::{tcp, Packet};
|
|||||||
use rand::prelude::*;
|
use rand::prelude::*;
|
||||||
use std::collections::{HashMap, HashSet};
|
use std::collections::{HashMap, HashSet};
|
||||||
use std::fmt;
|
use std::fmt;
|
||||||
use std::net::{Ipv4Addr, SocketAddrV4};
|
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
|
||||||
use std::sync::atomic::{AtomicU32, Ordering};
|
use std::sync::{
|
||||||
use std::sync::{Arc, RwLock};
|
atomic::{AtomicU32, Ordering},
|
||||||
|
Arc, RwLock,
|
||||||
|
};
|
||||||
use tokio::sync::broadcast;
|
use tokio::sync::broadcast;
|
||||||
use tokio::sync::mpsc::{self, Receiver, Sender};
|
use tokio::sync::mpsc;
|
||||||
use tokio::sync::watch;
|
|
||||||
use tokio::sync::Mutex as AsyncMutex;
|
|
||||||
use tokio::time;
|
use tokio::time;
|
||||||
use tokio_tun::Tun;
|
use tokio_tun::Tun;
|
||||||
|
|
||||||
const TIMEOUT: time::Duration = time::Duration::from_secs(1);
|
const TIMEOUT: time::Duration = time::Duration::from_secs(1);
|
||||||
const RETRIES: usize = 6;
|
const RETRIES: usize = 6;
|
||||||
const MPSC_BUFFER_LEN: usize = 512;
|
const MPMC_BUFFER_LEN: usize = 512;
|
||||||
|
const MPSC_BUFFER_LEN: usize = 128;
|
||||||
|
const MAX_UNACKED_LEN: u32 = 128 * 1024 * 1024; // 128MB
|
||||||
|
|
||||||
#[derive(Hash, Eq, PartialEq, Clone, Debug)]
|
#[derive(Hash, Eq, PartialEq, Clone, Debug)]
|
||||||
pub struct AddrTuple {
|
struct AddrTuple {
|
||||||
local_addr: SocketAddrV4,
|
local_addr: SocketAddr,
|
||||||
remote_addr: SocketAddrV4,
|
remote_addr: SocketAddr,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl AddrTuple {
|
impl AddrTuple {
|
||||||
fn new(local_addr: SocketAddrV4, remote_addr: SocketAddrV4) -> AddrTuple {
|
fn new(local_addr: SocketAddr, remote_addr: SocketAddr) -> AddrTuple {
|
||||||
AddrTuple {
|
AddrTuple {
|
||||||
local_addr,
|
local_addr,
|
||||||
remote_addr,
|
remote_addr,
|
||||||
@@ -40,17 +81,18 @@ impl AddrTuple {
|
|||||||
}
|
}
|
||||||
|
|
||||||
struct Shared {
|
struct Shared {
|
||||||
tuples: RwLock<HashMap<AddrTuple, Sender<Bytes>>>,
|
tuples: RwLock<HashMap<AddrTuple, flume::Sender<Bytes>>>,
|
||||||
listening: RwLock<HashSet<u16>>,
|
listening: RwLock<HashSet<u16>>,
|
||||||
tun: Vec<Arc<Tun>>,
|
tun: Vec<Arc<Tun>>,
|
||||||
ready: Sender<Socket>,
|
ready: mpsc::Sender<Socket>,
|
||||||
tuples_purge: broadcast::Sender<AddrTuple>,
|
tuples_purge: broadcast::Sender<AddrTuple>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct Stack {
|
pub struct Stack {
|
||||||
shared: Arc<Shared>,
|
shared: Arc<Shared>,
|
||||||
local_ip: Ipv4Addr,
|
local_ip: Ipv4Addr,
|
||||||
ready: Receiver<Socket>,
|
local_ip6: Option<Ipv6Addr>,
|
||||||
|
ready: mpsc::Receiver<Socket>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub enum State {
|
pub enum State {
|
||||||
@@ -63,116 +105,123 @@ pub enum State {
|
|||||||
pub struct Socket {
|
pub struct Socket {
|
||||||
shared: Arc<Shared>,
|
shared: Arc<Shared>,
|
||||||
tun: Arc<Tun>,
|
tun: Arc<Tun>,
|
||||||
incoming: AsyncMutex<Receiver<Bytes>>,
|
incoming: flume::Receiver<Bytes>,
|
||||||
local_addr: SocketAddrV4,
|
local_addr: SocketAddr,
|
||||||
remote_addr: SocketAddrV4,
|
remote_addr: SocketAddr,
|
||||||
seq: AtomicU32,
|
seq: AtomicU32,
|
||||||
ack: AtomicU32,
|
ack: AtomicU32,
|
||||||
|
last_ack: AtomicU32,
|
||||||
state: State,
|
state: State,
|
||||||
closing_tx: watch::Sender<()>,
|
|
||||||
closing_rx: watch::Receiver<()>,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// A socket that represents a unique TCP connection between a server and client.
|
||||||
|
///
|
||||||
|
/// The `Socket` object itself satisfies `Sync` and `Send`, which means it can
|
||||||
|
/// be safely called within an async future.
|
||||||
|
///
|
||||||
|
/// To close a TCP connection that is no longer needed, simply drop this object
|
||||||
|
/// out of scope.
|
||||||
impl Socket {
|
impl Socket {
|
||||||
fn new(
|
fn new(
|
||||||
shared: Arc<Shared>,
|
shared: Arc<Shared>,
|
||||||
tun: Arc<Tun>,
|
tun: Arc<Tun>,
|
||||||
local_addr: SocketAddrV4,
|
local_addr: SocketAddr,
|
||||||
remote_addr: SocketAddrV4,
|
remote_addr: SocketAddr,
|
||||||
ack: Option<u32>,
|
ack: Option<u32>,
|
||||||
state: State,
|
state: State,
|
||||||
) -> (Socket, Sender<Bytes>) {
|
) -> (Socket, flume::Sender<Bytes>) {
|
||||||
let (incoming_tx, incoming_rx) = mpsc::channel(MPSC_BUFFER_LEN);
|
let (incoming_tx, incoming_rx) = flume::bounded(MPMC_BUFFER_LEN);
|
||||||
let (closing_tx, closing_rx) = watch::channel(());
|
|
||||||
|
|
||||||
(
|
(
|
||||||
Socket {
|
Socket {
|
||||||
shared,
|
shared,
|
||||||
tun,
|
tun,
|
||||||
incoming: AsyncMutex::new(incoming_rx),
|
incoming: incoming_rx,
|
||||||
local_addr,
|
local_addr,
|
||||||
remote_addr,
|
remote_addr,
|
||||||
seq: AtomicU32::new(0),
|
seq: AtomicU32::new(0),
|
||||||
ack: AtomicU32::new(ack.unwrap_or(0)),
|
ack: AtomicU32::new(ack.unwrap_or(0)),
|
||||||
|
last_ack: AtomicU32::new(ack.unwrap_or(0)),
|
||||||
state,
|
state,
|
||||||
closing_tx,
|
|
||||||
closing_rx,
|
|
||||||
},
|
},
|
||||||
incoming_tx,
|
incoming_tx,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn build_tcp_packet(&self, flags: u16, payload: Option<&[u8]>) -> Bytes {
|
fn build_tcp_packet(&self, flags: u8, payload: Option<&[u8]>) -> Bytes {
|
||||||
|
let ack = self.ack.load(Ordering::Relaxed);
|
||||||
|
self.last_ack.store(ack, Ordering::Relaxed);
|
||||||
|
|
||||||
build_tcp_packet(
|
build_tcp_packet(
|
||||||
self.local_addr,
|
self.local_addr,
|
||||||
self.remote_addr,
|
self.remote_addr,
|
||||||
self.seq.load(Ordering::Relaxed),
|
self.seq.load(Ordering::Relaxed),
|
||||||
self.ack.load(Ordering::Relaxed),
|
ack,
|
||||||
flags,
|
flags,
|
||||||
payload,
|
payload,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Sends a datagram to the other end.
|
||||||
|
///
|
||||||
|
/// This method takes `&self`, and it can be called safely by multiple threads
|
||||||
|
/// at the same time.
|
||||||
|
///
|
||||||
|
/// A return of `None` means the Tun socket returned an error
|
||||||
|
/// and this socket must be closed.
|
||||||
pub async fn send(&self, payload: &[u8]) -> Option<()> {
|
pub async fn send(&self, payload: &[u8]) -> Option<()> {
|
||||||
let mut closing = self.closing_rx.clone();
|
|
||||||
|
|
||||||
match self.state {
|
match self.state {
|
||||||
State::Established => {
|
State::Established => {
|
||||||
let buf = self.build_tcp_packet(tcp::TcpFlags::ACK, Some(payload));
|
let buf = self.build_tcp_packet(tcp::TcpFlags::ACK, Some(payload));
|
||||||
self.seq.fetch_add(payload.len() as u32, Ordering::Relaxed);
|
self.seq.fetch_add(payload.len() as u32, Ordering::Relaxed);
|
||||||
|
self.tun.send(&buf).await.ok().and(Some(()))
|
||||||
tokio::select! {
|
|
||||||
res = self.tun.send(&buf) => {
|
|
||||||
res.unwrap();
|
|
||||||
Some(())
|
|
||||||
},
|
|
||||||
_ = closing.changed() => {
|
|
||||||
None
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
_ => unreachable!(),
|
_ => unreachable!(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Attempt to receive a datagram from the other end.
|
||||||
|
///
|
||||||
|
/// This method takes `&self`, and it can be called safely by multiple threads
|
||||||
|
/// at the same time.
|
||||||
|
///
|
||||||
|
/// A return of `None` means the TCP connection is broken
|
||||||
|
/// and this socket must be closed.
|
||||||
pub async fn recv(&self, buf: &mut [u8]) -> Option<usize> {
|
pub async fn recv(&self, buf: &mut [u8]) -> Option<usize> {
|
||||||
let mut closing = self.closing_rx.clone();
|
|
||||||
|
|
||||||
match self.state {
|
match self.state {
|
||||||
State::Established => {
|
State::Established => {
|
||||||
let mut incoming = self.incoming.lock().await;
|
self.incoming.recv_async().await.ok().and_then(|raw_buf| {
|
||||||
tokio::select! {
|
let (_v4_packet, tcp_packet) = parse_ip_packet(&raw_buf).unwrap();
|
||||||
Some(raw_buf) = incoming.recv() => {
|
|
||||||
let (_v4_packet, tcp_packet) = parse_ipv4_packet(&raw_buf);
|
|
||||||
|
|
||||||
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
|
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
|
||||||
info!("Connection {} reset by peer", self);
|
info!("Connection {} reset by peer", self);
|
||||||
self.close();
|
|
||||||
return None;
|
return None;
|
||||||
}
|
}
|
||||||
|
|
||||||
let payload = tcp_packet.payload();
|
let payload = tcp_packet.payload();
|
||||||
|
|
||||||
self.ack
|
let new_ack = tcp_packet.get_sequence().wrapping_add(payload.len() as u32);
|
||||||
.store(tcp_packet.get_sequence().wrapping_add(1), Ordering::Relaxed);
|
let last_ask = self.last_ack.load(Ordering::Relaxed);
|
||||||
|
self.ack.store(new_ack, Ordering::Relaxed);
|
||||||
|
|
||||||
|
if new_ack.overflowing_sub(last_ask).0 > MAX_UNACKED_LEN {
|
||||||
|
let buf = self.build_tcp_packet(tcp::TcpFlags::ACK, None);
|
||||||
|
if let Err(e) = self.tun.try_send(&buf) {
|
||||||
|
// This should not really happen as we have not sent anything for
|
||||||
|
// quite some time...
|
||||||
|
info!("Connection {} unable to send idling ACK back: {}", self, e)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
buf[..payload.len()].copy_from_slice(payload);
|
buf[..payload.len()].copy_from_slice(payload);
|
||||||
|
|
||||||
Some(payload.len())
|
Some(payload.len())
|
||||||
},
|
})
|
||||||
_ = closing.changed() => {
|
|
||||||
None
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
_ => unreachable!(),
|
_ => unreachable!(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn close(&self) {
|
|
||||||
self.closing_tx.send(()).unwrap();
|
|
||||||
}
|
|
||||||
|
|
||||||
async fn accept(mut self) {
|
async fn accept(mut self) {
|
||||||
for _ in 0..RETRIES {
|
for _ in 0..RETRIES {
|
||||||
match self.state {
|
match self.state {
|
||||||
@@ -184,10 +233,10 @@ impl Socket {
|
|||||||
info!("Sent SYN + ACK to client");
|
info!("Sent SYN + ACK to client");
|
||||||
}
|
}
|
||||||
State::SynReceived => {
|
State::SynReceived => {
|
||||||
let res = time::timeout(TIMEOUT, self.incoming.lock().await.recv()).await;
|
let res = time::timeout(TIMEOUT, self.incoming.recv_async()).await;
|
||||||
if let Ok(buf) = res {
|
if let Ok(buf) = res {
|
||||||
let buf = buf.unwrap();
|
let buf = buf.unwrap();
|
||||||
let (_v4_packet, tcp_packet) = parse_ipv4_packet(&buf);
|
let (_v4_packet, tcp_packet) = parse_ip_packet(&buf).unwrap();
|
||||||
|
|
||||||
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
|
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
|
||||||
return;
|
return;
|
||||||
@@ -228,10 +277,10 @@ impl Socket {
|
|||||||
info!("Sent SYN to server");
|
info!("Sent SYN to server");
|
||||||
}
|
}
|
||||||
State::SynSent => {
|
State::SynSent => {
|
||||||
match time::timeout(TIMEOUT, self.incoming.lock().await.recv()).await {
|
match time::timeout(TIMEOUT, self.incoming.recv_async()).await {
|
||||||
Ok(buf) => {
|
Ok(buf) => {
|
||||||
let buf = buf.unwrap();
|
let buf = buf.unwrap();
|
||||||
let (_v4_packet, tcp_packet) = parse_ipv4_packet(&buf);
|
let (_v4_packet, tcp_packet) = parse_ip_packet(&buf).unwrap();
|
||||||
|
|
||||||
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
|
if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 {
|
||||||
return None;
|
return None;
|
||||||
@@ -271,6 +320,7 @@ impl Socket {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl Drop for Socket {
|
impl Drop for Socket {
|
||||||
|
/// Drop the socket and close the TCP connection
|
||||||
fn drop(&mut self) {
|
fn drop(&mut self) {
|
||||||
let tuple = AddrTuple::new(self.local_addr, self.remote_addr);
|
let tuple = AddrTuple::new(self.local_addr, self.remote_addr);
|
||||||
// dissociates ourself from the dispatch map
|
// dissociates ourself from the dispatch map
|
||||||
@@ -278,16 +328,24 @@ impl Drop for Socket {
|
|||||||
// purge cache
|
// purge cache
|
||||||
self.shared.tuples_purge.send(tuple).unwrap();
|
self.shared.tuples_purge.send(tuple).unwrap();
|
||||||
|
|
||||||
let buf = self.build_tcp_packet(tcp::TcpFlags::RST, None);
|
let buf = build_tcp_packet(
|
||||||
|
self.local_addr,
|
||||||
|
self.remote_addr,
|
||||||
|
self.seq.load(Ordering::Relaxed),
|
||||||
|
0,
|
||||||
|
tcp::TcpFlags::RST,
|
||||||
|
None,
|
||||||
|
);
|
||||||
if let Err(e) = self.tun.try_send(&buf) {
|
if let Err(e) = self.tun.try_send(&buf) {
|
||||||
warn!("Unable to send RST to remote end: {}", e);
|
warn!("Unable to send RST to remote end: {}", e);
|
||||||
}
|
}
|
||||||
self.close();
|
|
||||||
info!("Fake TCP connection to {} closed", self);
|
info!("Fake TCP connection to {} closed", self);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl fmt::Display for Socket {
|
impl fmt::Display for Socket {
|
||||||
|
/// User-friendly string representation of the socket
|
||||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||||
write!(
|
write!(
|
||||||
f,
|
f,
|
||||||
@@ -297,8 +355,13 @@ impl fmt::Display for Socket {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// A userspace TCP state machine
|
||||||
impl Stack {
|
impl Stack {
|
||||||
pub fn new(tun: Vec<Tun>) -> Stack {
|
/// Create a new stack, `tun` is an array of [`Tun`](tokio_tun::Tun).
|
||||||
|
/// When more than one [`Tun`](tokio_tun::Tun) object is passed in, same amount
|
||||||
|
/// of reader will be spawned later. This allows user to utilize the performance
|
||||||
|
/// benefit of Multiqueue Tun support on machines with SMP.
|
||||||
|
pub fn new(tun: Vec<Tun>, local_ip: Ipv4Addr, local_ip6: Option<Ipv6Addr>) -> Stack {
|
||||||
let tun: Vec<Arc<Tun>> = tun.into_iter().map(Arc::new).collect();
|
let tun: Vec<Arc<Tun>> = tun.into_iter().map(Arc::new).collect();
|
||||||
let (ready_tx, ready_rx) = mpsc::channel(MPSC_BUFFER_LEN);
|
let (ready_tx, ready_rx) = mpsc::channel(MPSC_BUFFER_LEN);
|
||||||
let (tuples_purge_tx, _tuples_purge_rx) = broadcast::channel(16);
|
let (tuples_purge_tx, _tuples_purge_rx) = broadcast::channel(16);
|
||||||
@@ -309,7 +372,6 @@ impl Stack {
|
|||||||
ready: ready_tx,
|
ready: ready_tx,
|
||||||
tuples_purge: tuples_purge_tx.clone(),
|
tuples_purge: tuples_purge_tx.clone(),
|
||||||
});
|
});
|
||||||
let local_ip = tun[0].destination().unwrap();
|
|
||||||
|
|
||||||
for t in tun {
|
for t in tun {
|
||||||
tokio::spawn(Stack::reader_task(
|
tokio::spawn(Stack::reader_task(
|
||||||
@@ -322,24 +384,49 @@ impl Stack {
|
|||||||
Stack {
|
Stack {
|
||||||
shared,
|
shared,
|
||||||
local_ip,
|
local_ip,
|
||||||
|
local_ip6,
|
||||||
ready: ready_rx,
|
ready: ready_rx,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Listens for incoming connections on the given `port`.
|
||||||
pub fn listen(&mut self, port: u16) {
|
pub fn listen(&mut self, port: u16) {
|
||||||
assert!(self.shared.listening.write().unwrap().insert(port));
|
assert!(self.shared.listening.write().unwrap().insert(port));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Accepts an incoming connection.
|
||||||
pub async fn accept(&mut self) -> Socket {
|
pub async fn accept(&mut self) -> Socket {
|
||||||
self.ready.recv().await.unwrap()
|
self.ready.recv().await.unwrap()
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn connect(&mut self, addr: SocketAddrV4) -> Option<Socket> {
|
/// Connects to the remote end. `None` returned means
|
||||||
let mut rng = SmallRng::from_entropy();
|
/// the connection attempt failed.
|
||||||
let local_port: u16 = rng.gen_range(1024..65535);
|
pub async fn connect(&mut self, addr: SocketAddr) -> Option<Socket> {
|
||||||
let local_addr = SocketAddrV4::new(self.local_ip, local_port);
|
let mut rng = SmallRng::from_os_rng();
|
||||||
|
for local_port in rng.random_range(32768..=60999)..=60999 {
|
||||||
|
let local_addr = SocketAddr::new(
|
||||||
|
if addr.is_ipv4() {
|
||||||
|
IpAddr::V4(self.local_ip)
|
||||||
|
} else {
|
||||||
|
IpAddr::V6(self.local_ip6.expect("IPv6 local address undefined"))
|
||||||
|
},
|
||||||
|
local_port,
|
||||||
|
);
|
||||||
let tuple = AddrTuple::new(local_addr, addr);
|
let tuple = AddrTuple::new(local_addr, addr);
|
||||||
let (mut sock, incoming) = Socket::new(
|
let mut sock;
|
||||||
|
|
||||||
|
{
|
||||||
|
let mut tuples = self.shared.tuples.write().unwrap();
|
||||||
|
if tuples.contains_key(&tuple) {
|
||||||
|
trace!(
|
||||||
|
"Fake TCP connection to {}, local port number {} already in use, trying another one",
|
||||||
|
addr, local_port
|
||||||
|
);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
let incoming;
|
||||||
|
(sock, incoming) = Socket::new(
|
||||||
self.shared.clone(),
|
self.shared.clone(),
|
||||||
self.shared.tun.choose(&mut rng).unwrap().clone(),
|
self.shared.tun.choose(&mut rng).unwrap().clone(),
|
||||||
local_addr,
|
local_addr,
|
||||||
@@ -348,12 +435,17 @@ impl Stack {
|
|||||||
State::Idle,
|
State::Idle,
|
||||||
);
|
);
|
||||||
|
|
||||||
{
|
assert!(tuples.insert(tuple, incoming).is_none());
|
||||||
let mut tuples = self.shared.tuples.write().unwrap();
|
|
||||||
assert!(tuples.insert(tuple, incoming.clone()).is_none());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
sock.connect().await.map(|_| sock)
|
return sock.connect().await.map(|_| sock);
|
||||||
|
}
|
||||||
|
|
||||||
|
error!(
|
||||||
|
"Fake TCP connection to {} failed, emphemeral port number exhausted",
|
||||||
|
addr
|
||||||
|
);
|
||||||
|
None
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn reader_task(
|
async fn reader_task(
|
||||||
@@ -361,11 +453,10 @@ impl Stack {
|
|||||||
shared: Arc<Shared>,
|
shared: Arc<Shared>,
|
||||||
mut tuples_purge: broadcast::Receiver<AddrTuple>,
|
mut tuples_purge: broadcast::Receiver<AddrTuple>,
|
||||||
) {
|
) {
|
||||||
let mut tuples: HashMap<AddrTuple, Sender<Bytes>> = HashMap::new();
|
let mut tuples: HashMap<AddrTuple, flume::Sender<Bytes>> = HashMap::new();
|
||||||
|
|
||||||
loop {
|
loop {
|
||||||
let mut buf = BytesMut::with_capacity(MAX_PACKET_LEN);
|
let mut buf = BytesMut::zeroed(MAX_PACKET_LEN);
|
||||||
buf.resize(MAX_PACKET_LEN, 0);
|
|
||||||
|
|
||||||
tokio::select! {
|
tokio::select! {
|
||||||
size = tun.recv(&mut buf) => {
|
size = tun.recv(&mut buf) => {
|
||||||
@@ -373,19 +464,15 @@ impl Stack {
|
|||||||
buf.truncate(size);
|
buf.truncate(size);
|
||||||
let buf = buf.freeze();
|
let buf = buf.freeze();
|
||||||
|
|
||||||
if buf[0] >> 4 != 4 {
|
match parse_ip_packet(&buf) {
|
||||||
// not an IPv4 packet
|
Some((ip_packet, tcp_packet)) => {
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
let (ip_packet, tcp_packet) = parse_ipv4_packet(&buf);
|
|
||||||
let local_addr =
|
let local_addr =
|
||||||
SocketAddrV4::new(ip_packet.get_destination(), tcp_packet.get_destination());
|
SocketAddr::new(ip_packet.get_destination(), tcp_packet.get_destination());
|
||||||
let remote_addr = SocketAddrV4::new(ip_packet.get_source(), tcp_packet.get_source());
|
let remote_addr = SocketAddr::new(ip_packet.get_source(), tcp_packet.get_source());
|
||||||
|
|
||||||
let tuple = AddrTuple::new(local_addr, remote_addr);
|
let tuple = AddrTuple::new(local_addr, remote_addr);
|
||||||
if let Some(c) = tuples.get(&tuple) {
|
if let Some(c) = tuples.get(&tuple) {
|
||||||
if c.send(buf).await.is_err() {
|
if c.send_async(buf).await.is_err() {
|
||||||
trace!("Cache hit, but receiver already closed, dropping packet");
|
trace!("Cache hit, but receiver already closed, dropping packet");
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -393,19 +480,17 @@ impl Stack {
|
|||||||
|
|
||||||
// If not Ok, receiver has been closed and just fall through to the slow
|
// If not Ok, receiver has been closed and just fall through to the slow
|
||||||
// path below
|
// path below
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
trace!("Cache miss, checking the shared tuples table for connection");
|
trace!("Cache miss, checking the shared tuples table for connection");
|
||||||
let sender;
|
let sender = {
|
||||||
{
|
|
||||||
let tuples = shared.tuples.read().unwrap();
|
let tuples = shared.tuples.read().unwrap();
|
||||||
sender = tuples.get(&tuple).cloned();
|
tuples.get(&tuple).cloned()
|
||||||
}
|
};
|
||||||
|
|
||||||
if let Some(c) = sender {
|
if let Some(c) = sender {
|
||||||
trace!("Storing connection information into local tuples");
|
trace!("Storing connection information into local tuples");
|
||||||
tuples.insert(tuple, c.clone());
|
tuples.insert(tuple, c.clone());
|
||||||
c.send(buf).await.unwrap();
|
c.send_async(buf).await.unwrap();
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -440,8 +525,8 @@ impl Stack {
|
|||||||
local_addr,
|
local_addr,
|
||||||
remote_addr,
|
remote_addr,
|
||||||
0,
|
0,
|
||||||
tcp_packet.get_sequence() + 1,
|
tcp_packet.get_sequence() + tcp_packet.payload().len() as u32 + 1, // +1 because of SYN flag set
|
||||||
tcp::TcpFlags::RST,
|
tcp::TcpFlags::RST | tcp::TcpFlags::ACK,
|
||||||
None,
|
None,
|
||||||
);
|
);
|
||||||
shared.tun[0].try_send(&buf).unwrap();
|
shared.tun[0].try_send(&buf).unwrap();
|
||||||
@@ -452,17 +537,22 @@ impl Stack {
|
|||||||
local_addr,
|
local_addr,
|
||||||
remote_addr,
|
remote_addr,
|
||||||
tcp_packet.get_acknowledgement(),
|
tcp_packet.get_acknowledgement(),
|
||||||
0,
|
tcp_packet.get_sequence() + tcp_packet.payload().len() as u32,
|
||||||
tcp::TcpFlags::RST,
|
tcp::TcpFlags::RST | tcp::TcpFlags::ACK,
|
||||||
None,
|
None,
|
||||||
);
|
);
|
||||||
shared.tun[0].try_send(&buf).unwrap();
|
shared.tun[0].try_send(&buf).unwrap();
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
None => {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
},
|
},
|
||||||
tuple = tuples_purge.recv() => {
|
tuple = tuples_purge.recv() => {
|
||||||
let tuple = tuple.unwrap();
|
let tuple = tuple.unwrap();
|
||||||
tuples.remove(&tuple);
|
tuples.remove(&tuple);
|
||||||
trace!("Removed cached tuple");
|
trace!("Removed cached tuple: {:?}", tuple);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@@ -1,45 +1,84 @@
|
|||||||
use bytes::{Bytes, BytesMut};
|
use bytes::{Bytes, BytesMut};
|
||||||
use internet_checksum::Checksum;
|
use internet_checksum::Checksum;
|
||||||
use pnet::packet::Packet;
|
use pnet::packet::Packet;
|
||||||
use pnet::packet::{ip, ipv4, tcp};
|
use pnet::packet::{ip, ipv4, ipv6, tcp};
|
||||||
use std::convert::TryInto;
|
use std::convert::TryInto;
|
||||||
use std::net::SocketAddrV4;
|
use std::net::{IpAddr, SocketAddr};
|
||||||
|
|
||||||
const IPV4_HEADER_LEN: usize = 20;
|
const IPV4_HEADER_LEN: usize = 20;
|
||||||
|
const IPV6_HEADER_LEN: usize = 40;
|
||||||
const TCP_HEADER_LEN: usize = 20;
|
const TCP_HEADER_LEN: usize = 20;
|
||||||
pub const MAX_PACKET_LEN: usize = 1500;
|
pub const MAX_PACKET_LEN: usize = 1500;
|
||||||
|
|
||||||
|
pub enum IPPacket<'p> {
|
||||||
|
V4(ipv4::Ipv4Packet<'p>),
|
||||||
|
V6(ipv6::Ipv6Packet<'p>),
|
||||||
|
}
|
||||||
|
|
||||||
|
impl IPPacket<'_> {
|
||||||
|
pub fn get_source(&self) -> IpAddr {
|
||||||
|
match self {
|
||||||
|
IPPacket::V4(p) => IpAddr::V4(p.get_source()),
|
||||||
|
IPPacket::V6(p) => IpAddr::V6(p.get_source()),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn get_destination(&self) -> IpAddr {
|
||||||
|
match self {
|
||||||
|
IPPacket::V4(p) => IpAddr::V4(p.get_destination()),
|
||||||
|
IPPacket::V6(p) => IpAddr::V6(p.get_destination()),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub fn build_tcp_packet(
|
pub fn build_tcp_packet(
|
||||||
local_addr: SocketAddrV4,
|
local_addr: SocketAddr,
|
||||||
remote_addr: SocketAddrV4,
|
remote_addr: SocketAddr,
|
||||||
seq: u32,
|
seq: u32,
|
||||||
ack: u32,
|
ack: u32,
|
||||||
flags: u16,
|
flags: u8,
|
||||||
payload: Option<&[u8]>,
|
payload: Option<&[u8]>,
|
||||||
) -> Bytes {
|
) -> Bytes {
|
||||||
|
let ip_header_len = match local_addr {
|
||||||
|
SocketAddr::V4(_) => IPV4_HEADER_LEN,
|
||||||
|
SocketAddr::V6(_) => IPV6_HEADER_LEN,
|
||||||
|
};
|
||||||
let wscale = (flags & tcp::TcpFlags::SYN) != 0;
|
let wscale = (flags & tcp::TcpFlags::SYN) != 0;
|
||||||
let tcp_header_len = TCP_HEADER_LEN + if wscale { 4 } else { 0 }; // nop + wscale
|
let tcp_header_len = TCP_HEADER_LEN + if wscale { 4 } else { 0 }; // nop + wscale
|
||||||
let tcp_total_len = tcp_header_len + payload.map_or(0, |payload| payload.len());
|
let tcp_total_len = tcp_header_len + payload.map_or(0, |payload| payload.len());
|
||||||
let total_len = IPV4_HEADER_LEN + tcp_total_len;
|
let total_len = ip_header_len + tcp_total_len;
|
||||||
let mut buf = BytesMut::with_capacity(total_len);
|
let mut buf = BytesMut::zeroed(total_len);
|
||||||
buf.resize(total_len, 0);
|
|
||||||
|
|
||||||
let mut v4_buf = buf.split_to(IPV4_HEADER_LEN);
|
let mut ip_buf = buf.split_to(ip_header_len);
|
||||||
let mut tcp_buf = buf.split_to(tcp_total_len);
|
let mut tcp_buf = buf.split_to(tcp_total_len);
|
||||||
assert_eq!(0, buf.len());
|
assert_eq!(0, buf.len());
|
||||||
|
|
||||||
let mut v4 = ipv4::MutableIpv4Packet::new(&mut v4_buf).unwrap();
|
match (local_addr, remote_addr) {
|
||||||
|
(SocketAddr::V4(local), SocketAddr::V4(remote)) => {
|
||||||
|
let mut v4 = ipv4::MutableIpv4Packet::new(&mut ip_buf).unwrap();
|
||||||
v4.set_version(4);
|
v4.set_version(4);
|
||||||
v4.set_header_length(IPV4_HEADER_LEN as u8 / 4);
|
v4.set_header_length(IPV4_HEADER_LEN as u8 / 4);
|
||||||
v4.set_next_level_protocol(ip::IpNextHeaderProtocols::Tcp);
|
v4.set_next_level_protocol(ip::IpNextHeaderProtocols::Tcp);
|
||||||
v4.set_ttl(64);
|
v4.set_ttl(64);
|
||||||
v4.set_source(*local_addr.ip());
|
v4.set_source(*local.ip());
|
||||||
v4.set_destination(*remote_addr.ip());
|
v4.set_destination(*remote.ip());
|
||||||
v4.set_total_length(total_len.try_into().unwrap());
|
v4.set_total_length(total_len.try_into().unwrap());
|
||||||
v4.set_flags(ipv4::Ipv4Flags::DontFragment);
|
v4.set_flags(ipv4::Ipv4Flags::DontFragment);
|
||||||
let mut cksm = Checksum::new();
|
let mut cksm = Checksum::new();
|
||||||
cksm.add_bytes(v4.packet());
|
cksm.add_bytes(v4.packet());
|
||||||
v4.set_checksum(u16::from_be_bytes(cksm.checksum()));
|
v4.set_checksum(u16::from_be_bytes(cksm.checksum()));
|
||||||
|
}
|
||||||
|
(SocketAddr::V6(local), SocketAddr::V6(remote)) => {
|
||||||
|
let mut v6 = ipv6::MutableIpv6Packet::new(&mut ip_buf).unwrap();
|
||||||
|
v6.set_version(6);
|
||||||
|
v6.set_payload_length(tcp_total_len.try_into().unwrap());
|
||||||
|
v6.set_next_header(ip::IpNextHeaderProtocols::Tcp);
|
||||||
|
v6.set_hop_limit(64);
|
||||||
|
v6.set_source(*local.ip());
|
||||||
|
v6.set_destination(*remote.ip());
|
||||||
|
}
|
||||||
|
_ => unreachable!(),
|
||||||
|
};
|
||||||
|
|
||||||
let mut tcp = tcp::MutableTcpPacket::new(&mut tcp_buf).unwrap();
|
let mut tcp = tcp::MutableTcpPacket::new(&mut tcp_buf).unwrap();
|
||||||
tcp.set_window(0xffff);
|
tcp.set_window(0xffff);
|
||||||
@@ -59,24 +98,55 @@ pub fn build_tcp_packet(
|
|||||||
}
|
}
|
||||||
|
|
||||||
let mut cksm = Checksum::new();
|
let mut cksm = Checksum::new();
|
||||||
cksm.add_bytes(&local_addr.ip().octets());
|
|
||||||
cksm.add_bytes(&remote_addr.ip().octets());
|
|
||||||
let ip::IpNextHeaderProtocol(tcp_protocol) = ip::IpNextHeaderProtocols::Tcp;
|
let ip::IpNextHeaderProtocol(tcp_protocol) = ip::IpNextHeaderProtocols::Tcp;
|
||||||
|
|
||||||
|
match (local_addr, remote_addr) {
|
||||||
|
(SocketAddr::V4(local), SocketAddr::V4(remote)) => {
|
||||||
|
cksm.add_bytes(&local.ip().octets());
|
||||||
|
cksm.add_bytes(&remote.ip().octets());
|
||||||
|
|
||||||
let mut pseudo = [0u8, tcp_protocol, 0, 0];
|
let mut pseudo = [0u8, tcp_protocol, 0, 0];
|
||||||
pseudo[2..].copy_from_slice(&(tcp_total_len as u16).to_be_bytes());
|
pseudo[2..].copy_from_slice(&(tcp_total_len as u16).to_be_bytes());
|
||||||
cksm.add_bytes(&pseudo);
|
cksm.add_bytes(&pseudo);
|
||||||
|
}
|
||||||
|
(SocketAddr::V6(local), SocketAddr::V6(remote)) => {
|
||||||
|
cksm.add_bytes(&local.ip().octets());
|
||||||
|
cksm.add_bytes(&remote.ip().octets());
|
||||||
|
|
||||||
|
let mut pseudo = [0u8, 0, 0, 0, 0, 0, 0, tcp_protocol];
|
||||||
|
pseudo[0..4].copy_from_slice(&(tcp_total_len as u32).to_be_bytes());
|
||||||
|
cksm.add_bytes(&pseudo);
|
||||||
|
}
|
||||||
|
_ => unreachable!(),
|
||||||
|
};
|
||||||
|
|
||||||
cksm.add_bytes(tcp.packet());
|
cksm.add_bytes(tcp.packet());
|
||||||
tcp.set_checksum(u16::from_be_bytes(cksm.checksum()));
|
tcp.set_checksum(u16::from_be_bytes(cksm.checksum()));
|
||||||
|
|
||||||
v4_buf.unsplit(tcp_buf);
|
ip_buf.unsplit(tcp_buf);
|
||||||
v4_buf.freeze()
|
ip_buf.freeze()
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn parse_ipv4_packet(buf: &Bytes) -> (ipv4::Ipv4Packet, tcp::TcpPacket) {
|
pub fn parse_ip_packet(buf: &Bytes) -> Option<(IPPacket<'_>, tcp::TcpPacket<'_>)> {
|
||||||
|
if buf[0] >> 4 == 4 {
|
||||||
let v4 = ipv4::Ipv4Packet::new(buf).unwrap();
|
let v4 = ipv4::Ipv4Packet::new(buf).unwrap();
|
||||||
let tcp = tcp::TcpPacket::new(&buf[IPV4_HEADER_LEN..]).unwrap();
|
if v4.get_next_level_protocol() != ip::IpNextHeaderProtocols::Tcp {
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
|
||||||
(v4, tcp)
|
let tcp = tcp::TcpPacket::new(&buf[IPV4_HEADER_LEN..]).unwrap();
|
||||||
|
Some((IPPacket::V4(v4), tcp))
|
||||||
|
} else if buf[0] >> 4 == 6 {
|
||||||
|
let v6 = ipv6::Ipv6Packet::new(buf).unwrap();
|
||||||
|
if v6.get_next_header() != ip::IpNextHeaderProtocols::Tcp {
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
|
||||||
|
let tcp = tcp::TcpPacket::new(&buf[IPV6_HEADER_LEN..]).unwrap();
|
||||||
|
Some((IPPacket::V6(v6), tcp))
|
||||||
|
} else {
|
||||||
|
None
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(all(test, feature = "benchmark"))]
|
#[cfg(all(test, feature = "benchmark"))]
|
||||||
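Review bot: parse_ip_packet still panics on a short or malformed frame even though it now returns Option: `buf[0]` indexes an empty buffer, `Ipv4Packet::new(buf).unwrap()` and `Ipv6Packet::new(buf).unwrap()` fail on a frame shorter than the fixed header, and `&buf[IPV4_HEADER_LEN..]` / `&buf[IPV6_HEADER_LEN..]` followed by `TcpPacket::new(..).unwrap()` fail when fewer than 20 bytes follow the IP header. The reader task in lib.rs hands it every frame straight from `tun.recv`, so one truncated packet would abort that reader (or the process, depending on the panic strategy) instead of being skipped by the `None => continue` arm; replacing the indexing and the unwraps with `?` keeps the signature and turns malformed input into a dropped packet. The fixed `IPV4_HEADER_LEN` offset also ignores the IHL field, which predates this change but deserves a `// assumes no IPv4 options (IHL == 5)` comment above the slice.
```rust
pub fn parse_ip_packet(buf: &Bytes) -> Option<(IPPacket<'_>, tcp::TcpPacket<'_>)> {
    // A short or malformed frame from the Tun device must not panic the reader task.
    match *buf.first()? >> 4 {
        4 => {
            let v4 = ipv4::Ipv4Packet::new(buf)?;
            if v4.get_next_level_protocol() != ip::IpNextHeaderProtocols::Tcp {
                return None;
            }
            // assumes no IPv4 options (IHL == 5)
            let tcp = tcp::TcpPacket::new(buf.get(IPV4_HEADER_LEN..)?)?;
            Some((IPPacket::V4(v4), tcp))
        }
        6 => {
            let v6 = ipv6::Ipv6Packet::new(buf)?;
            if v6.get_next_header() != ip::IpNextHeaderProtocols::Tcp {
                return None;
            }
            let tcp = tcp::TcpPacket::new(buf.get(IPV6_HEADER_LEN..)?)?;
            Some((IPPacket::V6(v6), tcp))
        }
        _ => None,
    }
}
```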
|
BIN
images/packet-headers.png
BIN
images/phantun-vs-udp2raw-benchmark-result.png
@@ -1,7 +1,7 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "phantun"
|
name = "phantun"
|
||||||
version = "0.2.1"
|
version = "0.8.1"
|
||||||
edition = "2018"
|
edition = "2024"
|
||||||
authors = ["Datong Sun <dndx@idndx.com>"]
|
authors = ["Datong Sun <dndx@idndx.com>"]
|
||||||
license = "MIT OR Apache-2.0"
|
license = "MIT OR Apache-2.0"
|
||||||
repository = "https://github.com/dndx/phantun"
|
repository = "https://github.com/dndx/phantun"
|
||||||
@@ -11,11 +11,14 @@ Transforms UDP stream into (fake) TCP streams that can go through
|
|||||||
Layer 3 & Layer 4 (NAPT) firewalls/NATs.
|
Layer 3 & Layer 4 (NAPT) firewalls/NATs.
|
||||||
"""
|
"""
|
||||||
[dependencies]
|
[dependencies]
|
||||||
clap = "2.33.3"
|
clap = { version = "4", features = ["cargo"] }
|
||||||
socket2 = { version = "0.4.2", features = ["all"] }
|
socket2 = { version = "0", features = ["all"] }
|
||||||
fake-tcp = "0.1.2"
|
fake-tcp = { path = "../fake-tcp", version = "0" }
|
||||||
tokio = { version = "1.12.0", features = ["full"] }
|
tokio-util = "0"
|
||||||
log = "0.4"
|
pretty_env_logger = "0"
|
||||||
pretty_env_logger = "0.4.0"
|
tokio-tun = "0"
|
||||||
dndx-fork-tokio-tun = "0.3.16"
|
num_cpus = "1"
|
||||||
num_cpus = "1.13.0"
|
neli = "0"
|
||||||
|
nix = { version = "0", features = ["net", "uio", "socket"] }
|
||||||
|
tokio = { workspace = true }
|
||||||
|
log = { workspace = true }
|
||||||
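Review bot: Several of the new requirements are a bare `"0"` (`socket2`, `tokio-util`, `pretty_env_logger`, `tokio-tun`, `neli`, `nix`), which Cargo reads as `^0`, i.e. any 0.y.z release; because 0.y minors are treated as breaking under semver, a plain `cargo update` can pull in API-incompatible or freshly published versions of these crates. The previous file pinned at least the minor (`socket2 = "0.4.2"`, `num_cpus = "1.13.0"`), and for a network-facing binary a reproducible dependency set is also the supply-chain baseline. Pinning the minor for each 0.x crate, e.g. `socket2 = { version = "0.<MINOR>", features = ["all"] }` with the minor the project actually builds against, and tracking Cargo.lock would restore that; whether Cargo.lock is committed is not visible on this page.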
|
@@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work.
|
|||||||
same "printed page" as the copyright notice for easier
|
same "printed page" as the copyright notice for easier
|
||||||
identification within third-party archives.
|
identification within third-party archives.
|
||||||
|
|
||||||
Copyright 2014-2021 The Rust Project Developers
|
Copyright 2021-2024 Datong Sun (dndx@idndx.com)
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
MIT License
|
MIT License
|
||||||
|
|
||||||
Copyright (c) 2014-2021 The Rust Project Developers
|
Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com)
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any
|
Permission is hereby granted, free of charge, to any
|
||||||
person obtaining a copy of this software and associated
|
person obtaining a copy of this software and associated
|
||||||
|
@@ -4,7 +4,7 @@ Client/Server crate, see [Phantun Project README.md](https://github.com/dndx/pha
|
|||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
Copyright 2021 Datong Sun <dndx@idndx.com>
|
Copyright 2021-2025 Datong Sun <dndx@idndx.com>
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
|
Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
|
||||||
[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license
|
[https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license
|
||||||
|
@@ -1,142 +1,191 @@
|
|||||||
extern crate dndx_fork_tokio_tun as tokio_tun;
|
use clap::{crate_version, Arg, ArgAction, Command};
|
||||||
|
|
||||||
use clap::{crate_version, App, Arg};
|
|
||||||
use fake_tcp::packet::MAX_PACKET_LEN;
|
use fake_tcp::packet::MAX_PACKET_LEN;
|
||||||
use fake_tcp::{Socket, Stack};
|
use fake_tcp::{Socket, Stack};
|
||||||
use log::{debug, error, info};
|
use log::{debug, error, info};
|
||||||
|
use phantun::utils::{assign_ipv6_address, new_udp_reuseport, udp_recv_pktinfo};
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::convert::TryInto;
|
use std::fs;
|
||||||
use std::net::{Ipv4Addr, SocketAddr, SocketAddrV4};
|
use std::io;
|
||||||
|
use std::net::{IpAddr, Ipv4Addr, SocketAddr, SocketAddrV4, SocketAddrV6};
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
use std::time::Duration;
|
use tokio::sync::{Notify, RwLock};
|
||||||
use tokio::net::UdpSocket;
|
|
||||||
use tokio::sync::RwLock;
|
|
||||||
use tokio::time;
|
use tokio::time;
|
||||||
use tokio_tun::TunBuilder;
|
use tokio_tun::TunBuilder;
|
||||||
|
use tokio_util::sync::CancellationToken;
|
||||||
|
|
||||||
const UDP_TTL: Duration = Duration::from_secs(180);
|
use phantun::UDP_TTL;
|
||||||
|
|
||||||
fn new_udp_reuseport(addr: SocketAddrV4) -> UdpSocket {
|
|
||||||
let udp_sock = socket2::Socket::new(socket2::Domain::IPV4, socket2::Type::DGRAM, None).unwrap();
|
|
||||||
udp_sock.set_reuse_port(true).unwrap();
|
|
||||||
// from tokio-rs/mio/blob/master/src/sys/unix/net.rs
|
|
||||||
udp_sock.set_cloexec(true).unwrap();
|
|
||||||
udp_sock.set_nonblocking(true).unwrap();
|
|
||||||
udp_sock.bind(&socket2::SockAddr::from(addr)).unwrap();
|
|
||||||
let udp_sock: std::net::UdpSocket = udp_sock.into();
|
|
||||||
udp_sock.try_into().unwrap()
|
|
||||||
}
|
|
||||||
|
|
||||||
#[tokio::main]
|
#[tokio::main]
|
||||||
async fn main() {
|
async fn main() -> io::Result<()> {
|
||||||
pretty_env_logger::init();
|
pretty_env_logger::init();
|
||||||
|
|
||||||
let matches = App::new("Phantun Client")
|
let matches = Command::new("Phantun Client")
|
||||||
.version(crate_version!())
|
.version(crate_version!())
|
||||||
.author("Datong Sun (github.com/dndx)")
|
.author("Datong Sun (github.com/dndx)")
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("local")
|
Arg::new("local")
|
||||||
.short("l")
|
.short('l')
|
||||||
.long("local")
|
.long("local")
|
||||||
.required(true)
|
.required(true)
|
||||||
.value_name("IP:PORT")
|
.value_name("IP:PORT")
|
||||||
.help("Sets the IP and port where Phantun Client listens for incoming UDP datagrams")
|
.help("Sets the IP and port where Phantun Client listens for incoming UDP datagrams, IPv6 address need to be specified as: \"[IPv6]:PORT\"")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("remote")
|
Arg::new("remote")
|
||||||
.short("r")
|
.short('r')
|
||||||
.long("remote")
|
.long("remote")
|
||||||
.required(true)
|
.required(true)
|
||||||
.value_name("IP:PORT")
|
.value_name("IP or HOST NAME:PORT")
|
||||||
.help("Sets the address and port where Phantun Client connects to Phantun Server")
|
.help("Sets the address or host name and port where Phantun Client connects to Phantun Server, IPv6 address need to be specified as: \"[IPv6]:PORT\"")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("tun")
|
Arg::new("tun")
|
||||||
.long("tun")
|
.long("tun")
|
||||||
.required(false)
|
.required(false)
|
||||||
.value_name("tunX")
|
.value_name("tunX")
|
||||||
.help("Sets the Tun interface name, if absent, pick the next available name")
|
.help("Sets the Tun interface name, if absent, pick the next available name")
|
||||||
.default_value("")
|
.default_value("")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("tun_local")
|
Arg::new("tun_local")
|
||||||
.long("tun-local")
|
.long("tun-local")
|
||||||
.required(false)
|
.required(false)
|
||||||
.value_name("IP")
|
.value_name("IP")
|
||||||
.help("Sets the Tun interface local address (O/S's end)")
|
.help("Sets the Tun interface IPv4 local address (O/S's end)")
|
||||||
.default_value("192.168.200.1")
|
.default_value("192.168.200.1")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("tun_peer")
|
Arg::new("tun_peer")
|
||||||
.long("tun-peer")
|
.long("tun-peer")
|
||||||
.required(false)
|
.required(false)
|
||||||
.value_name("IP")
|
.value_name("IP")
|
||||||
.help("Sets the Tun interface destination (peer) address (Phantun Client's end). \
|
.help("Sets the Tun interface IPv4 destination (peer) address (Phantun Client's end). \
|
||||||
You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
|
You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
|
||||||
in order for Phantun Client to connect to Phantun Server")
|
in order for Phantun Client to connect to Phantun Server")
|
||||||
.default_value("192.168.200.2")
|
.default_value("192.168.200.2")
|
||||||
.takes_value(true),
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("ipv4_only")
|
||||||
|
.long("ipv4-only")
|
||||||
|
.short('4')
|
||||||
|
.required(false)
|
||||||
|
.help("Only use IPv4 address when connecting to remote")
|
||||||
|
.action(ArgAction::SetTrue)
|
||||||
|
.conflicts_with_all(["tun_local6", "tun_peer6"]),
|
||||||
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("tun_local6")
|
||||||
|
.long("tun-local6")
|
||||||
|
.required(false)
|
||||||
|
.value_name("IP")
|
||||||
|
.help("Sets the Tun interface IPv6 local address (O/S's end)")
|
||||||
|
.default_value("fcc8::1")
|
||||||
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("tun_peer6")
|
||||||
|
.long("tun-peer6")
|
||||||
|
.required(false)
|
||||||
|
.value_name("IP")
|
||||||
|
.help("Sets the Tun interface IPv6 destination (peer) address (Phantun Client's end). \
|
||||||
|
You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
|
||||||
|
in order for Phantun Client to connect to Phantun Server")
|
||||||
|
.default_value("fcc8::2")
|
||||||
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("handshake_packet")
|
||||||
|
.long("handshake-packet")
|
||||||
|
.required(false)
|
||||||
|
.value_name("PATH")
|
||||||
|
.help("Specify a file, which, after TCP handshake, its content will be sent as the \
|
||||||
|
first data packet to the server.\n\
|
||||||
|
Note: ensure this file's size does not exceed the MTU of the outgoing interface. \
|
||||||
|
The content is always sent out in a single packet and will not be further segmented")
|
||||||
)
|
)
|
||||||
.get_matches();
|
.get_matches();
|
||||||
|
|
||||||
let local_addr: SocketAddrV4 = matches
|
let local_addr: SocketAddr = matches
|
||||||
.value_of("local")
|
.get_one::<String>("local")
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.parse()
|
.parse()
|
||||||
.expect("bad local address");
|
.expect("bad local address");
|
||||||
let remote_addr: SocketAddrV4 = matches
|
|
||||||
.value_of("remote")
|
let ipv4_only = matches.get_flag("ipv4_only");
|
||||||
.unwrap()
|
|
||||||
.parse()
|
let remote_addr = tokio::net::lookup_host(matches.get_one::<String>("remote").unwrap())
|
||||||
.expect("bad remote address");
|
.await
|
||||||
|
.expect("bad remote address or host")
|
||||||
|
.find(|addr| !ipv4_only || addr.is_ipv4())
|
||||||
|
.expect("unable to resolve remote host name");
|
||||||
|
info!("Remote address is: {}", remote_addr);
|
||||||
|
|
||||||
let tun_local: Ipv4Addr = matches
|
let tun_local: Ipv4Addr = matches
|
||||||
.value_of("tun_local")
|
.get_one::<String>("tun_local")
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.parse()
|
.parse()
|
||||||
.expect("bad local address for Tun interface");
|
.expect("bad local address for Tun interface");
|
||||||
let tun_peer: Ipv4Addr = matches
|
let tun_peer: Ipv4Addr = matches
|
||||||
.value_of("tun_peer")
|
.get_one::<String>("tun_peer")
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.parse()
|
.parse()
|
||||||
.expect("bad peer address for Tun interface");
|
.expect("bad peer address for Tun interface");
|
||||||
|
|
||||||
|
let (tun_local6, tun_peer6) = if matches.get_flag("ipv4_only") {
|
||||||
|
(None, None)
|
||||||
|
} else {
|
||||||
|
(
|
||||||
|
matches
|
||||||
|
.get_one::<String>("tun_local6")
|
||||||
|
.map(|v| v.parse().expect("bad local address for Tun interface")),
|
||||||
|
matches
|
||||||
|
.get_one::<String>("tun_peer6")
|
||||||
|
.map(|v| v.parse().expect("bad peer address for Tun interface")),
|
||||||
|
)
|
||||||
|
};
|
||||||
|
|
||||||
|
let tun_name = matches.get_one::<String>("tun").unwrap();
|
||||||
|
let handshake_packet: Option<Vec<u8>> = matches
|
||||||
|
.get_one::<String>("handshake_packet")
|
||||||
|
.map(fs::read)
|
||||||
|
.transpose()?;
|
||||||
|
|
||||||
|
let num_cpus = num_cpus::get();
|
||||||
|
info!("{} cores available", num_cpus);
|
||||||
|
|
||||||
let tun = TunBuilder::new()
|
let tun = TunBuilder::new()
|
||||||
.name(matches.value_of("tun").unwrap()) // if name is empty, then it is set by kernel.
|
.name(tun_name) // if name is empty, then it is set by kernel.
|
||||||
.tap(false) // false (default): TUN, true: TAP.
|
|
||||||
.packet_info(false) // false: IFF_NO_PI, default is true.
|
|
||||||
.up() // or set it up manually using `sudo ip link set <tun-name> up`.
|
.up() // or set it up manually using `sudo ip link set <tun-name> up`.
|
||||||
.address(tun_local)
|
.address(tun_local)
|
||||||
.destination(tun_peer)
|
.destination(tun_peer)
|
||||||
.try_build_mq(num_cpus::get())
|
.queues(num_cpus)
|
||||||
|
.build()
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
|
if remote_addr.is_ipv6() {
|
||||||
|
assign_ipv6_address(tun[0].name(), tun_local6.unwrap(), tun_peer6.unwrap());
|
||||||
|
}
|
||||||
|
|
||||||
info!("Created TUN device {}", tun[0].name());
|
info!("Created TUN device {}", tun[0].name());
|
||||||
|
|
||||||
let udp_sock = Arc::new(new_udp_reuseport(local_addr));
|
let udp_sock = Arc::new(new_udp_reuseport(local_addr));
|
||||||
let connections = Arc::new(RwLock::new(HashMap::<SocketAddrV4, Arc<Socket>>::new()));
|
let connections = Arc::new(RwLock::new(HashMap::<SocketAddr, Arc<Socket>>::new()));
|
||||||
|
|
||||||
let mut stack = Stack::new(tun);
|
let mut stack = Stack::new(tun, tun_peer, tun_peer6);
|
||||||
|
|
||||||
let main_loop = tokio::spawn(async move {
|
let main_loop = tokio::spawn(async move {
|
||||||
let mut buf_r = [0u8; MAX_PACKET_LEN];
|
let mut buf_r = [0u8; MAX_PACKET_LEN];
|
||||||
|
|
||||||
loop {
|
loop {
|
||||||
tokio::select! {
|
let (size, udp_remote_addr, udp_local_addr) = udp_recv_pktinfo(&udp_sock, &mut buf_r).await?;
|
||||||
Ok((size, SocketAddr::V4(addr))) = udp_sock.recv_from(&mut buf_r) => {
|
|
||||||
// seen UDP packet to listening socket, this means:
|
// seen UDP packet to listening socket, this means:
|
||||||
// 1. It is a new UDP connection, or
|
// 1. It is a new UDP connection, or
|
||||||
// 2. It is some extra packets not filtered by more specific
|
// 2. It is some extra packets not filtered by more specific
|
||||||
// connected UDP socket yet
|
// connected UDP socket yet
|
||||||
if let Some(sock) = connections.read().await.get(&addr) {
|
if let Some(sock) = connections.read().await.get(&udp_remote_addr) {
|
||||||
sock.send(&buf_r[..size]).await;
|
sock.send(&buf_r[..size]).await;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
info!("New UDP client from {}", addr);
|
info!("New UDP client from {}", udp_remote_addr);
|
||||||
let sock = stack.connect(remote_addr).await;
|
let sock = stack.connect(remote_addr).await;
|
||||||
if sock.is_none() {
|
if sock.is_none() {
|
||||||
error!("Unable to connect to remote {}", remote_addr);
|
error!("Unable to connect to remote {}", remote_addr);
|
||||||
@@ -144,67 +193,135 @@ async fn main() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
let sock = Arc::new(sock.unwrap());
|
let sock = Arc::new(sock.unwrap());
|
||||||
// send first packet
|
if let Some(ref p) = handshake_packet {
|
||||||
let res = sock.send(&buf_r[..size]).await;
|
if sock.send(p).await.is_none() {
|
||||||
if res.is_none() {
|
error!("Failed to send handshake packet to remote, closing connection.");
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
assert!(connections.write().await.insert(addr, sock.clone()).is_none());
|
debug!("Sent handshake packet to: {}", sock);
|
||||||
debug!("inserted fake TCP socket into connection table");
|
}
|
||||||
|
|
||||||
let connections = connections.clone();
|
// send first packet
|
||||||
|
if sock.send(&buf_r[..size]).await.is_none() {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
assert!(connections
|
||||||
|
.write()
|
||||||
|
.await
|
||||||
|
.insert(udp_remote_addr, sock.clone())
|
||||||
|
.is_none());
|
||||||
|
debug!("inserted fake TCP socket into connection table");
|
||||||
|
|
||||||
// spawn "fastpath" UDP socket and task, this will offload main task
|
// spawn "fastpath" UDP socket and task, this will offload main task
|
||||||
// from forwarding UDP packets
|
// from forwarding UDP packets
|
||||||
|
|
||||||
|
let packet_received = Arc::new(Notify::new());
|
||||||
|
let quit = CancellationToken::new();
|
||||||
|
|
||||||
|
for i in 0..num_cpus {
|
||||||
|
let sock = sock.clone();
|
||||||
|
let quit = quit.clone();
|
||||||
|
let packet_received = packet_received.clone();
|
||||||
|
|
||||||
tokio::spawn(async move {
|
tokio::spawn(async move {
|
||||||
let mut buf_udp = [0u8; MAX_PACKET_LEN];
|
let mut buf_udp = [0u8; MAX_PACKET_LEN];
|
||||||
let mut buf_tcp = [0u8; MAX_PACKET_LEN];
|
let mut buf_tcp = [0u8; MAX_PACKET_LEN];
|
||||||
let udp_sock = new_udp_reuseport(local_addr);
|
// Always reply from the same address that the peer used to communicate with
|
||||||
udp_sock.connect(addr).await.unwrap();
|
// us. This avoids a frequent problem with IPv6 privacy extensions when we
|
||||||
|
// erroneously bind to wrong short-lived temporary address even if the peer
|
||||||
|
// explicitly used a persistent address to communicate to us.
|
||||||
|
//
|
||||||
|
// To do so, first bind to (<incoming packet dst_ip>, <local addr port>), and then
|
||||||
|
// connect to (<incoming packet src_ip>, <incoming packet src_port>).
|
||||||
|
let bind_addr = match (udp_remote_addr, udp_local_addr) {
|
||||||
|
(SocketAddr::V4(_), IpAddr::V4(udp_local_ipv4)) => {
|
||||||
|
SocketAddr::V4(SocketAddrV4::new(
|
||||||
|
udp_local_ipv4,
|
||||||
|
local_addr.port(),
|
||||||
|
))
|
||||||
|
}
|
||||||
|
(SocketAddr::V6(udp_remote_addr), IpAddr::V6(udp_local_ipv6)) => {
|
||||||
|
SocketAddr::V6(SocketAddrV6::new(
|
||||||
|
udp_local_ipv6,
|
||||||
|
local_addr.port(),
|
||||||
|
udp_remote_addr.flowinfo(),
|
||||||
|
udp_remote_addr.scope_id(),
|
||||||
|
))
|
||||||
|
}
|
||||||
|
(_, _) => {
|
||||||
|
panic!("unexpected family combination for udp_remote_addr={udp_remote_addr} and udp_local_addr={udp_local_addr}");
|
||||||
|
}
|
||||||
|
};
|
||||||
|
let udp_sock = new_udp_reuseport(bind_addr);
|
||||||
|
udp_sock.connect(udp_remote_addr).await.unwrap();
|
||||||
|
|
||||||
loop {
|
loop {
|
||||||
let read_timeout = time::sleep(UDP_TTL);
|
|
||||||
|
|
||||||
tokio::select! {
|
tokio::select! {
|
||||||
Ok(size) = udp_sock.recv(&mut buf_udp) => {
|
Ok(size) = udp_sock.recv(&mut buf_udp) => {
|
||||||
if sock.send(&buf_udp[..size]).await.is_none() {
|
if sock.send(&buf_udp[..size]).await.is_none() {
|
||||||
connections.write().await.remove(&addr);
|
|
||||||
debug!("removed fake TCP socket from connections table");
|
debug!("removed fake TCP socket from connections table");
|
||||||
|
quit.cancel();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
packet_received.notify_one();
|
||||||
},
|
},
|
||||||
res = sock.recv(&mut buf_tcp) => {
|
res = sock.recv(&mut buf_tcp) => {
|
||||||
match res {
|
match res {
|
||||||
Some(size) => {
|
Some(size) => {
|
||||||
if size > 0 {
|
if size > 0
|
||||||
if let Err(e) = udp_sock.send(&buf_tcp[..size]).await {
|
&& let Err(e) = udp_sock.send(&buf_tcp[..size]).await {
|
||||||
connections.write().await.remove(&addr);
|
error!("Unable to send UDP packet to {}: {}, closing connection", e, remote_addr);
|
||||||
error!("Unable to send UDP packet to {}: {}, closing connection", e, addr);
|
quit.cancel();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
},
|
},
|
||||||
None => {
|
None => {
|
||||||
connections.write().await.remove(&addr);
|
|
||||||
debug!("removed fake TCP socket from connections table");
|
debug!("removed fake TCP socket from connections table");
|
||||||
|
quit.cancel();
|
||||||
return;
|
return;
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
packet_received.notify_one();
|
||||||
},
|
},
|
||||||
_ = read_timeout => {
|
_ = quit.cancelled() => {
|
||||||
info!("No traffic seen in the last {:?}, closing connection", UDP_TTL);
|
debug!("worker {} terminated", i);
|
||||||
connections.write().await.remove(&addr);
|
|
||||||
debug!("removed fake TCP socket from connections table");
|
|
||||||
return;
|
return;
|
||||||
}
|
},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
let connections = connections.clone();
|
||||||
|
tokio::spawn(async move {
|
||||||
|
loop {
|
||||||
|
let read_timeout = time::sleep(UDP_TTL);
|
||||||
|
let packet_received_fut = packet_received.notified();
|
||||||
|
|
||||||
|
tokio::select! {
|
||||||
|
_ = read_timeout => {
|
||||||
|
info!("No traffic seen in the last {:?}, closing connection", UDP_TTL);
|
||||||
|
connections.write().await.remove(&udp_remote_addr);
|
||||||
|
debug!("removed fake TCP socket from connections table");
|
||||||
|
|
||||||
|
quit.cancel();
|
||||||
|
return;
|
||||||
},
|
},
|
||||||
|
_ = quit.cancelled() => {
|
||||||
|
connections.write().await.remove(&udp_remote_addr);
|
||||||
|
debug!("removed fake TCP socket from connections table");
|
||||||
|
return;
|
||||||
|
},
|
||||||
|
_ = packet_received_fut => {},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
}
|
||||||
tokio::join!(main_loop).0.unwrap();
|
});
|
||||||
|
|
||||||
|
tokio::join!(main_loop).0.unwrap()
|
||||||
}
|
}
|
||||||
|
@@ -1,60 +1,61 @@
|
|||||||
extern crate dndx_fork_tokio_tun as tokio_tun;
|
use clap::{crate_version, Arg, ArgAction, Command};
|
||||||
|
|
||||||
use clap::{crate_version, App, Arg};
|
|
||||||
use fake_tcp::packet::MAX_PACKET_LEN;
|
use fake_tcp::packet::MAX_PACKET_LEN;
|
||||||
use fake_tcp::Stack;
|
use fake_tcp::Stack;
|
||||||
use log::{error, info};
|
use log::{debug, error, info};
|
||||||
use std::net::{Ipv4Addr, SocketAddrV4};
|
use phantun::utils::{assign_ipv6_address, new_udp_reuseport};
|
||||||
|
use std::fs;
|
||||||
|
use std::io;
|
||||||
|
use std::net::Ipv4Addr;
|
||||||
|
use std::sync::Arc;
|
||||||
use tokio::net::UdpSocket;
|
use tokio::net::UdpSocket;
|
||||||
use tokio::time::{self, Duration};
|
use tokio::sync::Notify;
|
||||||
|
use tokio::time;
|
||||||
use tokio_tun::TunBuilder;
|
use tokio_tun::TunBuilder;
|
||||||
const UDP_TTL: Duration = Duration::from_secs(180);
|
use tokio_util::sync::CancellationToken;
|
||||||
|
|
||||||
|
use phantun::UDP_TTL;
|
||||||
|
|
||||||
#[tokio::main]
|
#[tokio::main]
|
||||||
async fn main() {
|
async fn main() -> io::Result<()> {
|
||||||
pretty_env_logger::init();
|
pretty_env_logger::init();
|
||||||
|
|
||||||
let matches = App::new("Phantun Server")
|
let matches = Command::new("Phantun Server")
|
||||||
.version(crate_version!())
|
.version(crate_version!())
|
||||||
.author("Datong Sun (github.com/dndx)")
|
.author("Datong Sun (github.com/dndx)")
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("local")
|
Arg::new("local")
|
||||||
.short("l")
|
.short('l')
|
||||||
.long("local")
|
.long("local")
|
||||||
.required(true)
|
.required(true)
|
||||||
.value_name("PORT")
|
.value_name("PORT")
|
||||||
.help("Sets the port where Phantun Server listens for incoming Phantun Client TCP connections")
|
.help("Sets the port where Phantun Server listens for incoming Phantun Client TCP connections")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("remote")
|
Arg::new("remote")
|
||||||
.short("r")
|
.short('r')
|
||||||
.long("remote")
|
.long("remote")
|
||||||
.required(true)
|
.required(true)
|
||||||
.value_name("IP:PORT")
|
.value_name("IP or HOST NAME:PORT")
|
||||||
.help("Sets the address and port where Phantun Server forwards UDP packets to")
|
.help("Sets the address or host name and port where Phantun Server forwards UDP packets to, IPv6 address need to be specified as: \"[IPv6]:PORT\"")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("tun")
|
Arg::new("tun")
|
||||||
.long("tun")
|
.long("tun")
|
||||||
.required(false)
|
.required(false)
|
||||||
.value_name("tunX")
|
.value_name("tunX")
|
||||||
.help("Sets the Tun interface name, if absent, pick the next available name")
|
.help("Sets the Tun interface name, if absent, pick the next available name")
|
||||||
.default_value("")
|
.default_value("")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("tun_local")
|
Arg::new("tun_local")
|
||||||
.long("tun-local")
|
.long("tun-local")
|
||||||
.required(false)
|
.required(false)
|
||||||
.value_name("IP")
|
.value_name("IP")
|
||||||
.help("Sets the Tun interface local address (O/S's end)")
|
.help("Sets the Tun interface local address (O/S's end)")
|
||||||
.default_value("192.168.201.1")
|
.default_value("192.168.201.1")
|
||||||
.takes_value(true),
|
|
||||||
)
|
)
|
||||||
.arg(
|
.arg(
|
||||||
Arg::with_name("tun_peer")
|
Arg::new("tun_peer")
|
||||||
.long("tun-peer")
|
.long("tun-peer")
|
||||||
.required(false)
|
.required(false)
|
||||||
.value_name("IP")
|
.value_name("IP")
|
||||||
@@ -62,45 +63,110 @@ async fn main() {
|
|||||||
You will need to setup DNAT rules to this address in order for Phantun Server \
|
You will need to setup DNAT rules to this address in order for Phantun Server \
|
||||||
to accept TCP traffic from Phantun Client")
|
to accept TCP traffic from Phantun Client")
|
||||||
.default_value("192.168.201.2")
|
.default_value("192.168.201.2")
|
||||||
.takes_value(true),
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("ipv4_only")
|
||||||
|
.long("ipv4-only")
|
||||||
|
.short('4')
|
||||||
|
.required(false)
|
||||||
|
.help("Do not assign IPv6 addresses to Tun interface")
|
||||||
|
.action(ArgAction::SetTrue)
|
||||||
|
.conflicts_with_all(["tun_local6", "tun_peer6"]),
|
||||||
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("tun_local6")
|
||||||
|
.long("tun-local6")
|
||||||
|
.required(false)
|
||||||
|
.value_name("IP")
|
||||||
|
.help("Sets the Tun interface IPv6 local address (O/S's end)")
|
||||||
|
.default_value("fcc9::1")
|
||||||
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("tun_peer6")
|
||||||
|
.long("tun-peer6")
|
||||||
|
.required(false)
|
||||||
|
.value_name("IP")
|
||||||
|
.help("Sets the Tun interface IPv6 destination (peer) address (Phantun Client's end). \
|
||||||
|
You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \
|
||||||
|
in order for Phantun Client to connect to Phantun Server")
|
||||||
|
.default_value("fcc9::2")
|
||||||
|
)
|
||||||
|
.arg(
|
||||||
|
Arg::new("handshake_packet")
|
||||||
|
.long("handshake-packet")
|
||||||
|
.required(false)
|
||||||
|
.value_name("PATH")
|
||||||
|
.help("Specify a file, which, after TCP handshake, its content will be sent as the \
|
||||||
|
first data packet to the client.\n\
|
||||||
|
Note: ensure this file's size does not exceed the MTU of the outgoing interface. \
|
||||||
|
The content is always sent out in a single packet and will not be further segmented")
|
||||||
)
|
)
|
||||||
.get_matches();
|
.get_matches();
|
||||||
|
|
||||||
let local_port: u16 = matches
|
let local_port: u16 = matches
|
||||||
.value_of("local")
|
.get_one::<String>("local")
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.parse()
|
.parse()
|
||||||
.expect("bad local port");
|
.expect("bad local port");
|
||||||
let remote_addr: SocketAddrV4 = matches
|
|
||||||
.value_of("remote")
|
let remote_addr = tokio::net::lookup_host(matches.get_one::<String>("remote").unwrap())
|
||||||
.unwrap()
|
.await
|
||||||
.parse()
|
.expect("bad remote address or host")
|
||||||
.expect("bad remote address");
|
.next()
|
||||||
|
.expect("unable to resolve remote host name");
|
||||||
|
|
||||||
|
info!("Remote address is: {}", remote_addr);
|
||||||
|
|
||||||
let tun_local: Ipv4Addr = matches
|
let tun_local: Ipv4Addr = matches
|
||||||
.value_of("tun_local")
|
.get_one::<String>("tun_local")
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.parse()
|
.parse()
|
||||||
.expect("bad local address for Tun interface");
|
.expect("bad local address for Tun interface");
|
||||||
let tun_peer: Ipv4Addr = matches
|
let tun_peer: Ipv4Addr = matches
|
||||||
.value_of("tun_peer")
|
.get_one::<String>("tun_peer")
|
||||||
.unwrap()
|
.unwrap()
|
||||||
.parse()
|
.parse()
|
||||||
.expect("bad peer address for Tun interface");
|
.expect("bad peer address for Tun interface");
|
||||||
|
|
||||||
|
let (tun_local6, tun_peer6) = if matches.get_flag("ipv4_only") {
|
||||||
|
(None, None)
|
||||||
|
} else {
|
||||||
|
(
|
||||||
|
matches
|
||||||
|
.get_one::<String>("tun_local6")
|
||||||
|
.map(|v| v.parse().expect("bad local address for Tun interface")),
|
||||||
|
matches
|
||||||
|
.get_one::<String>("tun_peer6")
|
||||||
|
.map(|v| v.parse().expect("bad peer address for Tun interface")),
|
||||||
|
)
|
||||||
|
};
|
||||||
|
|
||||||
|
let tun_name = matches.get_one::<String>("tun").unwrap();
|
||||||
|
let handshake_packet: Option<Vec<u8>> = matches
|
||||||
|
.get_one::<String>("handshake_packet")
|
||||||
|
.map(fs::read)
|
||||||
|
.transpose()?;
|
||||||
|
|
||||||
|
let num_cpus = num_cpus::get();
|
||||||
|
info!("{} cores available", num_cpus);
|
||||||
|
|
||||||
let tun = TunBuilder::new()
|
let tun = TunBuilder::new()
|
||||||
.name(matches.value_of("tun").unwrap()) // if name is empty, then it is set by kernel.
|
.name(tun_name) // if name is empty, then it is set by kernel.
|
||||||
.tap(false) // false (default): TUN, true: TAP.
|
|
||||||
.packet_info(false) // false: IFF_NO_PI, default is true.
|
|
||||||
.up() // or set it up manually using `sudo ip link set <tun-name> up`.
|
.up() // or set it up manually using `sudo ip link set <tun-name> up`.
|
||||||
.address(tun_local)
|
.address(tun_local)
|
||||||
.destination(tun_peer)
|
.destination(tun_peer)
|
||||||
.try_build_mq(num_cpus::get())
|
.queues(num_cpus)
|
||||||
|
.build()
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
|
if let (Some(tun_local6), Some(tun_peer6)) = (tun_local6, tun_peer6) {
|
||||||
|
assign_ipv6_address(tun[0].name(), tun_local6, tun_peer6);
|
||||||
|
}
|
||||||
|
|
||||||
info!("Created TUN device {}", tun[0].name());
|
info!("Created TUN device {}", tun[0].name());
|
||||||
|
|
||||||
//thread::sleep(time::Duration::from_secs(5));
|
//thread::sleep(time::Duration::from_secs(5));
|
||||||
let mut stack = Stack::new(tun);
|
let mut stack = Stack::new(tun, tun_local, tun_local6);
|
||||||
stack.listen(local_port);
|
stack.listen(local_port);
|
||||||
info!("Listening on {}", local_port);
|
info!("Listening on {}", local_port);
|
||||||
|
|
||||||
@@ -109,44 +175,92 @@ async fn main() {
|
|||||||
let mut buf_tcp = [0u8; MAX_PACKET_LEN];
|
let mut buf_tcp = [0u8; MAX_PACKET_LEN];
|
||||||
|
|
||||||
loop {
|
loop {
|
||||||
let sock = stack.accept().await;
|
let sock = Arc::new(stack.accept().await);
|
||||||
info!("New connection: {}", sock);
|
info!("New connection: {}", sock);
|
||||||
|
if let Some(ref p) = handshake_packet {
|
||||||
|
if sock.send(p).await.is_none() {
|
||||||
|
error!("Failed to send handshake packet to remote, closing connection.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
debug!("Sent handshake packet to: {}", sock);
|
||||||
|
}
|
||||||
|
|
||||||
|
let packet_received = Arc::new(Notify::new());
|
||||||
|
let quit = CancellationToken::new();
|
||||||
|
let udp_sock = UdpSocket::bind(if remote_addr.is_ipv4() {
|
||||||
|
"0.0.0.0:0"
|
||||||
|
} else {
|
||||||
|
"[::]:0"
|
||||||
|
})
|
||||||
|
.await?;
|
||||||
|
let local_addr = udp_sock.local_addr()?;
|
||||||
|
drop(udp_sock);
|
||||||
|
|
||||||
|
for i in 0..num_cpus {
|
||||||
|
let sock = sock.clone();
|
||||||
|
let quit = quit.clone();
|
||||||
|
let packet_received = packet_received.clone();
|
||||||
|
let udp_sock = new_udp_reuseport(local_addr);
|
||||||
|
|
||||||
tokio::spawn(async move {
|
tokio::spawn(async move {
|
||||||
let udp_sock = UdpSocket::bind("0.0.0.0:0").await.unwrap();
|
|
||||||
udp_sock.connect(remote_addr).await.unwrap();
|
udp_sock.connect(remote_addr).await.unwrap();
|
||||||
|
|
||||||
loop {
|
loop {
|
||||||
let read_timeout = time::sleep(UDP_TTL);
|
|
||||||
|
|
||||||
tokio::select! {
|
tokio::select! {
|
||||||
Ok(size) = udp_sock.recv(&mut buf_udp) => {
|
Ok(size) = udp_sock.recv(&mut buf_udp) => {
|
||||||
if sock.send(&buf_udp[..size]).await.is_none() {
|
if sock.send(&buf_udp[..size]).await.is_none() {
|
||||||
|
quit.cancel();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
packet_received.notify_one();
|
||||||
},
|
},
|
||||||
res = sock.recv(&mut buf_tcp) => {
|
res = sock.recv(&mut buf_tcp) => {
|
||||||
match res {
|
match res {
|
||||||
Some(size) => {
|
Some(size) => {
|
||||||
if size > 0 {
|
if size > 0
|
||||||
if let Err(e) = udp_sock.send(&buf_tcp[..size]).await {
|
&& let Err(e) = udp_sock.send(&buf_tcp[..size]).await {
|
||||||
error!("Unable to send UDP packet to {}: {}, closing connection", e, remote_addr);
|
error!("Unable to send UDP packet to {}: {}, closing connection", e, remote_addr);
|
||||||
|
quit.cancel();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
},
|
},
|
||||||
None => { return; },
|
None => {
|
||||||
}
|
quit.cancel();
|
||||||
|
return;
|
||||||
},
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
packet_received.notify_one();
|
||||||
|
},
|
||||||
|
_ = quit.cancelled() => {
|
||||||
|
debug!("worker {} terminated", i);
|
||||||
|
return;
|
||||||
|
},
|
||||||
|
};
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
tokio::spawn(async move {
|
||||||
|
loop {
|
||||||
|
let read_timeout = time::sleep(UDP_TTL);
|
||||||
|
let packet_received_fut = packet_received.notified();
|
||||||
|
|
||||||
|
tokio::select! {
|
||||||
_ = read_timeout => {
|
_ = read_timeout => {
|
||||||
info!("No traffic seen in the last {:?}, closing connection", UDP_TTL);
|
info!("No traffic seen in the last {:?}, closing connection", UDP_TTL);
|
||||||
|
|
||||||
|
quit.cancel();
|
||||||
return;
|
return;
|
||||||
|
},
|
||||||
|
_ = packet_received_fut => {},
|
||||||
}
|
}
|
||||||
};
|
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
tokio::join!(main_loop).0.unwrap();
|
tokio::join!(main_loop).0.unwrap()
|
||||||
}
|
}
|
||||||
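Review bot: The per-connection setup in the accept loop binds a throwaway `UdpSocket` to `0.0.0.0:0`/`[::]:0` only to learn an ephemeral port, `drop`s it, and then re-binds that same port `num_cpus` times through `new_udp_reuseport`, which `unwrap`s on `bind`. Between the drop and the first re-bind the port is free for any other socket on the host to claim, and when that happens the `unwrap` panics inside `main_loop`, which `tokio::join!(main_loop).0.unwrap()` turns into a server exit; since this runs once per accepted fake-TCP connection, a remote peer that keeps completing handshakes keeps exercising that window. The window goes away if the first worker socket is created with `new_udp_reuseport` on the wildcard address and `local_addr` is read from it, with the remaining workers bound to that address while the first socket is still held. The bind-and-drop block and the head of the `for` loop would become the lines below; the worker body is unchanged.
```rust
            let wildcard = if remote_addr.is_ipv4() { "0.0.0.0:0" } else { "[::]:0" };
            let first_sock = new_udp_reuseport(wildcard.parse().unwrap());
            let local_addr = first_sock.local_addr()?;
            let mut udp_socks = vec![first_sock];
            udp_socks.extend((1..num_cpus).map(|_| new_udp_reuseport(local_addr)));

            for (i, udp_sock) in udp_socks.into_iter().enumerate() {
                // … unchanged: clone sock/quit/packet_received and spawn the worker …
```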
|
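--- a/phantun/src/lib.rs
+++ b/phantun/src/lib.rs
@@ -0,0 +1,5 @@
+use std::time::Duration;
+
+pub mod utils;
+
+pub const UDP_TTL: Duration = Duration::from_secs(180);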
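--- a/phantun/src/utils.rs
+++ b/phantun/src/utils.rs
@@ -0,0 +1,155 @@
+use neli::{
+    consts::{
+        nl::NlmF,
+        rtnl::{Ifa, IfaF, RtAddrFamily, RtScope, Rtm},
+        socket::NlFamily,
+    },
+    nl::{NlPayload, NlmsghdrBuilder},
+    rtnl::{IfaddrmsgBuilder, RtattrBuilder},
+    socket::synchronous::NlSocketHandle,
+    types::RtBuffer,
+    utils::Groups,
+};
+use nix::sys::socket::{
+    CmsgIterator, ControlMessageOwned, MsgFlags, SockaddrLike, SockaddrStorage, cmsg_space,
+};
+use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6};
+use std::os::unix::io::AsRawFd;
+use tokio::io::Interest;
+use tokio::net::UdpSocket;
+
+pub fn new_udp_reuseport(local_addr: SocketAddr) -> UdpSocket {
+    let udp_sock = socket2::Socket::new(
+        if local_addr.is_ipv4() {
+            socket2::Domain::IPV4
+        } else {
+            socket2::Domain::IPV6
+        },
+        socket2::Type::DGRAM,
+        None,
+    )
+    .unwrap();
+    udp_sock.set_reuse_port(true).unwrap();
+    // from tokio-rs/mio/blob/master/src/sys/unix/net.rs
+    udp_sock.set_cloexec(true).unwrap();
+    udp_sock.set_nonblocking(true).unwrap();
+
+    // enable IP_PKTINFO/IPV6_PKTINFO delivery so we know the destination address of incoming
+    // packets
+    if local_addr.is_ipv4() {
+        nix::sys::socket::setsockopt(&udp_sock, nix::sys::socket::sockopt::Ipv4PacketInfo, &true)
+            .unwrap();
+    } else {
+        nix::sys::socket::setsockopt(
+            &udp_sock,
+            nix::sys::socket::sockopt::Ipv6RecvPacketInfo,
+            &true,
+        )
+        .unwrap();
+    }
+
+    udp_sock.bind(&socket2::SockAddr::from(local_addr)).unwrap();
+    let udp_sock: std::net::UdpSocket = udp_sock.into();
+    udp_sock.try_into().unwrap()
+}
+
+/// Similiar to `UdpSocket::recv_from()`, but returns a 3rd value `IPAddr`
+/// which corresponds to where the UDP datagram was destined to, this is useful
+/// for disambigous when socket can receive on multiple IP address
+/// or interfaces.
+pub async fn udp_recv_pktinfo(
+    sock: &UdpSocket,
+    buf: &mut [u8],
+) -> std::io::Result<(usize, SocketAddr, IpAddr)> {
+    sock.async_io(Interest::READABLE, || {
+        const CONTROL_MESSAGE_BUFFER_SIZE: usize = max_usize(
+            cmsg_space::<nix::libc::in_pktinfo>(),
+            cmsg_space::<nix::libc::in6_pktinfo>(),
+        );
+        let mut control_message_buffer = [0u8; CONTROL_MESSAGE_BUFFER_SIZE];
+        let iov = &mut [std::io::IoSliceMut::new(buf)];
+        let res = nix::sys::socket::recvmsg::<SockaddrStorage>(
+            sock.as_raw_fd(),
+            iov,
+            Some(&mut control_message_buffer),
+            MsgFlags::empty(),
+        )?;
+
+        let src_addr = res.address.expect("missing source address");
+        let src_addr: SocketAddr = {
+            if let Some(inaddr) = src_addr.as_sockaddr_in() {
+                SocketAddrV4::new(inaddr.ip(), inaddr.port()).into()
+            } else if let Some(in6addr) = src_addr.as_sockaddr_in6() {
+                SocketAddrV6::new(
+                    in6addr.ip(),
+                    in6addr.port(),
+                    in6addr.flowinfo(),
+                    in6addr.scope_id(),
+                )
+                .into()
+            } else {
+                panic!("unexpected source address family {:#?}", src_addr.family());
+            }
+        };
+
+        let dst_addr = dst_addr_from_cmsgs(res.cmsgs()?).expect("didn't receive pktinfo");
+
+        Ok((res.bytes, src_addr, dst_addr))
+    })
+    .await
+}
+
+fn dst_addr_from_cmsgs(cmsgs: CmsgIterator) -> Option<IpAddr> {
+    for cmsg in cmsgs {
+        if let ControlMessageOwned::Ipv4PacketInfo(pktinfo) = cmsg {
+            return Some(Ipv4Addr::from(pktinfo.ipi_addr.s_addr.to_ne_bytes()).into());
+        }
+        if let ControlMessageOwned::Ipv6PacketInfo(pktinfo) = cmsg {
+            return Some(Ipv6Addr::from(pktinfo.ipi6_addr.s6_addr).into());
+        }
+    }
+
+    None
+}
+
+pub fn assign_ipv6_address(device_name: &str, local: Ipv6Addr, peer: Ipv6Addr) {
+    let index = nix::net::if_::if_nametoindex(device_name).unwrap();
+
+    let rtnl = NlSocketHandle::connect(NlFamily::Route, None, Groups::empty()).unwrap();
+    let mut rtattrs = RtBuffer::new();
+    rtattrs.push(
+        RtattrBuilder::default()
+            .rta_type(Ifa::Local)
+            .rta_payload(&local.octets()[..])
+            .build()
+            .unwrap(),
+    );
+    rtattrs.push(
+        RtattrBuilder::default()
+            .rta_type(Ifa::Address)
+            .rta_payload(&peer.octets()[..])
+            .build()
+            .unwrap(),
+    );
+
+    let ifaddrmsg = IfaddrmsgBuilder::default()
+        .ifa_family(RtAddrFamily::Inet6)
+        .ifa_prefixlen(128)
+        .ifa_flags(IfaF::empty())
+        .ifa_scope(RtScope::Universe)
+        .ifa_index(index)
+        .rtattrs(rtattrs)
+        .build()
+        .unwrap();
+    let nl_header = NlmsghdrBuilder::default()
+        .nl_type(Rtm::Newaddr)
+        .nl_flags(NlmF::REQUEST)
+        .nl_payload(NlPayload::Payload(ifaddrmsg))
+        .build()
+        .unwrap();
+    rtnl.send(&nl_header).unwrap();
+}
+
+const fn max_usize(a: usize, b: usize) -> usize {
+    if a > b { a } else { b }
+}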
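Review bot: `udp_recv_pktinfo` panics instead of returning an error when a received datagram carries no source address (`res.address.expect(...)`), an address family other than AF_INET/AF_INET6 (the `panic!` branch), or no pktinfo control message (`.expect("didn't receive pktinfo")`); the only caller visible on this page runs it inside the client's main listener loop and `join!`s that task with `.unwrap()`, so any such datagram takes the whole process down rather than being dropped. `res.flags` is also never checked for `MsgFlags::MSG_CTRUNC`, and `CONTROL_MESSAGE_BUFFER_SIZE` has room for exactly one pktinfo, so if any other control message is ever enabled on the socket the truncation is silent and the expect fires. All three conditions should flow out as `std::io::Error` through the existing `Result` so the caller can log and continue; the rewritten middle of the closure is below. Separately, `assign_ipv6_address` sends `RTM_NEWADDR` with `NlmF::REQUEST` alone and never reads the netlink reply, so a kernel rejection (EPERM, EEXIST, EINVAL) leaves the tun without its IPv6 address silently; adding `NlmF::ACK` to the flags and checking the returned `NLMSG_ERROR` code would surface that at startup.
```rust
        if res.flags.contains(MsgFlags::MSG_CTRUNC) {
            return Err(std::io::Error::new(
                std::io::ErrorKind::InvalidData,
                "control message buffer truncated, pktinfo unavailable",
            ));
        }
        let src_addr = res.address.ok_or_else(|| {
            std::io::Error::new(std::io::ErrorKind::InvalidData, "missing source address")
        })?;
        let src_addr: SocketAddr = if let Some(inaddr) = src_addr.as_sockaddr_in() {
            SocketAddrV4::new(inaddr.ip(), inaddr.port()).into()
        } else if let Some(in6addr) = src_addr.as_sockaddr_in6() {
            // … unchanged: SocketAddrV6 construction …
        } else {
            return Err(std::io::Error::new(
                std::io::ErrorKind::InvalidData,
                format!("unexpected source address family {:#?}", src_addr.family()),
            ));
        };

        let dst_addr = dst_addr_from_cmsgs(res.cmsgs()?).ok_or_else(|| {
            std::io::Error::new(std::io::ErrorKind::InvalidData, "no pktinfo control message")
        })?;
```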
128
rpm/phantun.spec
Normal file
128
rpm/phantun.spec
Normal file
@@ -0,0 +1,128 @@
|
|||||||
|
Name: phantun
|
||||||
|
Version: 0.7.0
|
||||||
|
Release: 2%{?dist}
|
||||||
|
Summary: A lightweight and fast UDP to TCP obfuscator
|
||||||
|
|
||||||
|
License: Apache-2.0
|
||||||
|
URL: https://github.com/dndx/phantun/tree/main
|
||||||
|
Source0: %{name}-%{version}.tar.gz
|
||||||
|
|
||||||
|
BuildRequires: rust
|
||||||
|
BuildRequires: cargo
|
||||||
|
BuildRequires: selinux-policy-devel
|
||||||
|
|
||||||
|
%description
|
||||||
|
Your project with client and server components.
|
||||||
|
|
||||||
|
%package client
|
||||||
|
Summary: Client component of phantun
|
||||||
|
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
||||||
|
|
||||||
|
%description client
|
||||||
|
Phantun Client is like a machine with private IP address
|
||||||
|
(192.168.200.2/fcc8::2) behind a router. In order for it to reach
|
||||||
|
the Internet, you will need to SNAT the private IP address
|
||||||
|
before it's traffic leaves the NIC.
|
||||||
|
|
||||||
|
%package server
|
||||||
|
Summary: Server component of phantun
|
||||||
|
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
||||||
|
|
||||||
|
%description server
|
||||||
|
Phantun Server is like a server with private IP address
|
||||||
|
(192.168.201.2/fcc9::2) behind a router. In order to access it from
|
||||||
|
the Internet, you need to DNAT it's listening port on the router
|
||||||
|
and change the destination IP address to where the server
|
||||||
|
is listening for incoming connections.
|
||||||
|
|
||||||
|
%package selinux
|
||||||
|
Summary: SELinux module for phantun
|
||||||
|
%{?selinux_requires}
|
||||||
|
%global modulename phantun
|
||||||
|
%global selinuxtype targeted
|
||||||
|
|
||||||
|
%description selinux
|
||||||
|
This package provides the SELinux policy module to ensure phantun
|
||||||
|
runs properly under an environment with SELinux enabled.
|
||||||
|
|
||||||
|
%global debug_package %{nil}
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%setup -q
|
||||||
|
|
||||||
|
%build
|
||||||
|
cargo build --release
|
||||||
|
make -C selinux
|
||||||
|
|
||||||
|
%install
|
||||||
|
# Install binaries
|
||||||
|
install -D -m 0755 target/release/client %{buildroot}/usr/libexec/phantun/phantun-client
|
||||||
|
install -D -m 0755 target/release/server %{buildroot}/usr/libexec/phantun/phantun-server
|
||||||
|
|
||||||
|
mkdir -p %{buildroot}/usr/bin
|
||||||
|
# Create wrapper scripts
|
||||||
|
echo '#!/bin/bash
|
||||||
|
PID_FILE=$1
|
||||||
|
shift 1
|
||||||
|
mkdir -p /var/run/phantun
|
||||||
|
/usr/libexec/phantun/phantun-client "$@" &
|
||||||
|
echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-client
|
||||||
|
|
||||||
|
echo '#!/bin/bash
|
||||||
|
PID_FILE=$1
|
||||||
|
shift 1
|
||||||
|
mkdir -p /var/run/phantun
|
||||||
|
/usr/libexec/phantun/phantun-server "$@" &
|
||||||
|
echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-server
|
||||||
|
|
||||||
|
# Make wrapper scripts executable
|
||||||
|
chmod +x %{buildroot}/usr/bin/phantun-client
|
||||||
|
chmod +x %{buildroot}/usr/bin/phantun-server
|
||||||
|
|
||||||
|
# SELinux
|
||||||
|
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
|
||||||
|
install -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
|
||||||
|
|
||||||
|
%pre selinux
|
||||||
|
%selinux_relabel_pre -s %{selinuxtype}
|
||||||
|
|
||||||
|
%post selinux
|
||||||
|
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
|
||||||
|
|
||||||
|
%postun selinux
|
||||||
|
if [ $1 -eq 0 ]; then
|
||||||
|
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
|
||||||
|
fi
|
||||||
|
|
||||||
|
%posttrans selinux
|
||||||
|
%selinux_relabel_post -s %{selinuxtype}
|
||||||
|
|
||||||
|
%files client
|
||||||
|
/usr/libexec/phantun/phantun-client
|
||||||
|
/usr/bin/phantun-client
|
||||||
|
|
||||||
|
%files server
|
||||||
|
/usr/libexec/phantun/phantun-server
|
||||||
|
/usr/bin/phantun-server
|
||||||
|
|
||||||
|
%files selinux
|
||||||
|
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Wed Dec 11 2024 Randy Li <ayaka@soulik.info> - 0.7.0-2
|
||||||
|
- chore(deps): update tokio-tun requirement from 0.9 to 0.11
|
||||||
|
- chore(deps): update nix requirement from 0.27 to 0.28
|
||||||
|
- chore(deps): bump softprops/action-gh-release from 1 to 2
|
||||||
|
- chore(docs): update license year to 2024
|
||||||
|
- docs(readme): update `README.md` to include incoming interface (`-i tun0`) in client NAT commands example (#163)
|
||||||
|
- Revert "docs(readme): update `README.md` to include incoming interface (`-i t…"
|
||||||
|
- fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
|
||||||
|
- chore(deps): bump dependencies to latest
|
||||||
|
- chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
|
||||||
|
- chore(deps): bump docker/build-push-action from 5 to 6
|
||||||
|
- chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
|
||||||
|
- docs(readme): latest release is now `v0.7.0`
|
||||||
|
|
||||||
|
* Sat Oct 14 2023 Randy Li <ayaka@soulik.info> - 0.6.1-1
|
||||||
|
- Initial package
|
||||||
|
|
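Review bot: `%{selinuxtype}` is referenced in the `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` lines of the client and server subpackages before `%global selinuxtype targeted` is defined down in the selinux subpackage; rpm expands macros as it reads the spec, so those two Requires most likely end up with the literal, unexpanded `%{selinuxtype}` text. Moving `%global modulename phantun` and `%global selinuxtype targeted` to the top of the spec, next to `Name:`, resolves this for every later use. The `%description` body `Your project with client and server components.` reads like template placeholder text and should describe phantun. In the generated wrapper scripts, `$1` is used unchecked as the PID file name under `/var/run/phantun/`; starting the scripts with `set -eu` and rejecting a name containing `/` keeps a stray first argument from writing outside that directory, and `/run` is the current location for such files on systemd-based systems.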
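--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -0,0 +1,26 @@
+TARGET?=phantun
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+@echo Compressing $^ -\> $@
+bzip2 -9 $^
+
+%.pp: %.te
+make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+rm -f *~ *.tc *.pp *.pp.bz2
+rm -rf tmp *.tar.gz
+
+man: install-policy
+sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+semodule -i ${TARGET}.pp.bz2
+
+install: man
+install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/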
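Review bot: The `install` target depends on `man`, which depends on `install-policy`, so `make install` runs `semodule -i ${TARGET}.pp.bz2` and loads the module into the running host's policy as a side effect of what should be a copy into `${DESTDIR}`; that requires root and breaks any sandboxed or cross-prefix build. Changing the chain to `install: all` and leaving `install-policy` as an explicit, separate step keeps file installation free of system mutation; the spec in this same commit only runs `make -C selinux` (the `all` target), so the rpm build is presumably unaffected, but anyone following the Makefile directly will hit it. `MODULES` is assigned but never used, and `bzip2 -9 $^` removes the `.pp` input, so every subsequent invocation recompiles the policy; `bzip2 -9 -k $^` would keep it.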
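--- a/selinux/phantun.fc
+++ b/selinux/phantun.fc
@@ -0,0 +1,5 @@
+/usr/libexec/phantun/phantun-client -- gen_context(system_u:object_r:phantun_client_exec_t,s0)
+/usr/libexec/phantun/phantun-server -- gen_context(system_u:object_r:phantun_server_exec_t,s0)
+/usr/bin/phantun-client -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/usr/bin/phantun-server -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/var/run/phantun(/.*)? gen_context(system_u:object_r:phantun_var_run_t,s0)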
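Review bot: Labelling the two wrapper scripts in `/usr/bin` as `wireguard_exec_t` borrows another module's entry-point type, so phantun runs with whatever the wireguard policy grants to `wireguard_t` rather than with a phantun-specific domain, and the module can only be installed where the wireguard policy is present. A dedicated entry type per wrapper (for example `phantun_client_exec_t` on the wrapper and a domain transition from it) would scope the permissions to phantun alone; this is tied to the domain layout in `phantun.te` from the same commit. The `/var/run/phantun(/.*)?` pattern may not match on distributions whose file-context substitution rewrites `/var/run` to `/run` before matching; writing the pattern as `/run/phantun(/.*)?` is the convention in current policy sources — worth confirming against the target distribution.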
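--- a/selinux/phantun.te
+++ b/selinux/phantun.te
@@ -0,0 +1,60 @@
+policy_module(phantun, 1.0)
+
+gen_require(`
+type wireguard_t;
+type wireguard_exec_t;
+class capability net_admin;
+class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+class tcp_socket { name_bind listen accept connect };
+class udp_socket { name_bind };
+class file { getattr open read write create unlink execute };
+class process { transition };
+')
+
+
+# Define custom types
+type phantun_server_exec_t;
+type phantun_client_exec_t;
+type phantun_server_port_t;
+type phantun_client_port_t;
+type phantun_var_run_t;
+
+# Allow the wrapper scripts to execute the phantun client and server binaries
+allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute };
+allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the wrapper scripts to write to the PID file
+allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink };
+allow wireguard_t self:process transition;
+
+####################################
+# Server
+#
+
+# Allow wireguard_t to execute the server binary
+allow wireguard_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the server to create and manage tun devices
+allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the server to bind to the custom TCP port and listen for incoming connections
+allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept };
+
+# Allow the server to use net_admin capability
+allow phantun_server_exec_t self:capability net_admin;
+
+####################################
+# Client
+#
+
+# Allow wireguard_t to execute the client binary
+allow wireguard_t phantun_client_exec_t:file { getattr open read execute };
+
+# Allow the client to create and manage tun devices
+allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the client to bind to the custom UDP port
+#allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind };
+
+# Allow the client to use net_admin capability
+allow phantun_client_exec_t self:capability net_admin;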
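Review bot: `phantun_server_exec_t` and `phantun_client_exec_t` are file types but are used as process subjects (`allow phantun_server_exec_t self:tun_socket ...`, `allow phantun_server_exec_t self:capability net_admin;`, and the same for the client), and `wireguard_exec_t` is likewise the subject of the file rules near the top; no `phantun_*_t` process domain is declared and there is no domain transition, so the binaries executed by the wrapper keep running as `wireguard_t` and none of these `self:` rules apply to any process. The usual shape is a domain type per binary with `domain_type`, `domain_entry_file` and `domtrans_pattern` from `wireguard_t`, and the tun/net_admin rules granted to that domain; `phantun_var_run_t` also needs `files_pid_file` and the two `phantun_*_port_t` types need `corenet_port` plus a port assignment before any `name_bind` rule can match. The bare `type` declarations inside `gen_require` and the `allow wireguard_t self:process transition;` line are then no longer needed. Sketch of the server side (client is symmetrical):

```m4
policy_module(phantun, 1.0)

gen_require(`
type wireguard_t;
')

type phantun_server_t;
type phantun_server_exec_t;
domain_type(phantun_server_t)
domain_entry_file(phantun_server_t, phantun_server_exec_t)
domtrans_pattern(wireguard_t, phantun_server_exec_t, phantun_server_t)

type phantun_var_run_t;
files_pid_file(phantun_var_run_t)

type phantun_server_port_t;
corenet_port(phantun_server_port_t)

allow phantun_server_t self:tun_socket { create read write ioctl getattr setattr };
allow phantun_server_t self:capability net_admin;
allow phantun_server_t phantun_server_port_t:tcp_socket name_bind;
# … unchanged: client section, mirrored with phantun_client_t …
```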