mirror of
				https://github.com/dndx/phantun.git
				synced 2025-10-25 06:55:34 +08:00 
			
		
		
		
	Compare commits
	
		
			131 Commits
		
	
	
		
			v0.2.2
			...
			dependabot
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 33384e4758 | ||
|  | 7f7da10b1b | ||
|  | 9d74a6bfeb | ||
|  | 9bdfd76819 | ||
|  | d1c18c64f3 | ||
|  | b42ed82147 | ||
|  | 7c3864a3ed | ||
|  | 6a39e9e9d0 | ||
|  | cedee0c699 | ||
|  | d969f0cc5d | ||
|  | 19c9f2d9f2 | ||
|  | 1252affdad | ||
|  | 141c3477f9 | ||
|  | d8dd3e65d1 | ||
|  | 66de44e32f | ||
|  | 2a37a2fc92 | ||
|  | f5aac38969 | ||
|  | 118f20f74f | ||
|  | 6a424fd43c | ||
|  | 869c79422f | ||
|  | 201da45ee8 | ||
|  | 333c6dd059 | ||
|  | 62f0278c1a | ||
|  | f436325d23 | ||
|  | 028a32d197 | ||
|  | e452e40edd | ||
|  | 253ce54554 | ||
|  | 34d2350d1c | ||
|  | 6955a1eb4c | ||
|  | e86c5c5c50 | ||
|  | 60f24d2563 | ||
|  | 8c7f4e98b3 | ||
|  | 90b93370ce | ||
|  | 792ee46ec4 | ||
|  | f5cb4b1220 | ||
|  | 8a0ec729e2 | ||
|  | 78dd7c13b1 | ||
|  | b58d58956b | ||
|  | 310bb17516 | ||
|  | 632132b75a | ||
|  | 48a0399f59 | ||
|  | 590a048b5b | ||
|  | 3fa8f86379 | ||
|  | 805bf80cd8 | ||
|  | aec3bcdeda | ||
|  | 9b1d3c0124 | ||
|  | 6c42f02b28 | ||
|  | ee0bce0a96 | ||
|  | 1f11d618e0 | ||
|  | d7913c1407 | ||
|  | ee7ee5d5f9 | ||
|  | af3a9061a1 | ||
|  | 7c98012a67 | ||
|  | b674268863 | ||
|  | b40ca10cc1 | ||
|  | 30f0a1118b | ||
|  | fd607bc72a | ||
|  | 939e4aa94e | ||
|  | 7bcfada87b | ||
|  | fe18a49d40 | ||
|  | b707c5bd12 | ||
|  | 6af7757456 | ||
|  | f374ac8081 | ||
|  | 50346c1ba0 | ||
|  | f649c79656 | ||
|  | c91bda7e6a | ||
|  | 00a308a005 | ||
|  | 9ff691d063 | ||
|  | b5e79653f0 | ||
|  | f496a7919b | ||
|  | bf6b9bc2ff | ||
|  | 47b9037968 | ||
|  | c2341b6662 | ||
|  | a3eff42453 | ||
|  | 87a42a1e23 | ||
|  | 851750b13d | ||
|  | b89b683bb2 | ||
|  | 838cfa6738 | ||
|  | 827530f62c | ||
|  | 245cb9c7f4 | ||
|  | 85555f2a34 | ||
|  | 74183071f1 | ||
|  | 2f4eaafccd | ||
|  | 1e3b632413 | ||
|  | 99bff568f6 | ||
|  | 91ad2c03a1 | ||
|  | 581d80d08c | ||
|  | 55da4d6a62 | ||
|  | bb859be6b6 | ||
|  | 8d315ea4e7 | ||
|  | 21eabe8b82 | ||
|  | 8a74b31c6e | ||
|  | ca14ba457f | ||
|  | 33a0cfe567 | ||
|  | 95dfd8ab54 | ||
|  | 1c35635091 | ||
|  | b8a6c8853b | ||
|  | d97a27778b | ||
|  | 35f7b35ff5 | ||
|  | dff0c4ca28 | ||
|  | 9bf78adc92 | ||
|  | 5d4e3bf8c0 | ||
|  | 9c85b43e94 | ||
|  | 66b0bc11b0 | ||
|  | 02b00dfc3a | ||
|  | 0ee7774d03 | ||
|  | 11fdac78f1 | ||
|  | ed686ce9fa | ||
|  | d9001b08aa | ||
|  | 726ecac9cf | ||
|  | 2ef0a056be | ||
|  | cb9dd3e931 | ||
|  | 7db7164193 | ||
|  | def134d73b | ||
|  | b3c781cdc5 | ||
|  | d5e30c113f | ||
|  | e2a9194f6f | ||
|  | d0eaefe5d0 | ||
|  | 299646a54f | ||
|  | 8b28cdc6c2 | ||
|  | a8ad203754 | ||
|  | 33e510e7ba | ||
|  | 521a3f1a01 | ||
|  | c5a5116808 | ||
|  | e8f2457cb5 | ||
|  | 583cdbe300 | ||
|  | 91988520e5 | ||
|  | 49cc6a6865 | ||
|  | 7390d4bf27 | ||
|  | 95e762f5fd | ||
|  | c9043015f2 | 
							
								
								
									
										15
									
								
								.github/ISSUE_TEMPLATE/bug_report.md
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										15
									
								
								.github/ISSUE_TEMPLATE/bug_report.md
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,15 @@ | |||||||
|  | --- | ||||||
|  | name: Bug report | ||||||
|  | about: Create a report to help us improve | ||||||
|  | title: '' | ||||||
|  | labels: '' | ||||||
|  | assignees: '' | ||||||
|  |  | ||||||
|  | --- | ||||||
|  |  | ||||||
|  | **Describe the bug** | ||||||
|  | A clear and concise description of what the bug is. | ||||||
|  |  | ||||||
|  | **Operating system** | ||||||
|  |  | ||||||
|  | **`tcpdump` between the server and client on Phantun's port** | ||||||
							
								
								
									
										30
									
								
								.github/workflows/docker.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										30
									
								
								.github/workflows/docker.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,30 @@ | |||||||
|  | name: Docker image build | ||||||
|  |  | ||||||
|  | on: | ||||||
|  |   push: | ||||||
|  |     paths-ignore: | ||||||
|  |       - '**.md' | ||||||
|  |  | ||||||
|  | jobs: | ||||||
|  |   build: | ||||||
|  |     runs-on: ubuntu-22.04 | ||||||
|  |  | ||||||
|  |     steps: | ||||||
|  |       - name: Checkout | ||||||
|  |         uses: actions/checkout@v5 | ||||||
|  |  | ||||||
|  |       - name: Setup QEMU | ||||||
|  |         uses: docker/setup-qemu-action@v3 | ||||||
|  |         with: | ||||||
|  |           platforms: linux/amd64 | ||||||
|  |  | ||||||
|  |       - name: Setup Docker Buildx | ||||||
|  |         uses: docker/setup-buildx-action@v3 | ||||||
|  |  | ||||||
|  |       - name: Build Docker Image | ||||||
|  |         uses: docker/build-push-action@v6 | ||||||
|  |         with: | ||||||
|  |           context: . | ||||||
|  |           file: docker/Dockerfile | ||||||
|  |           tags: phantun | ||||||
|  |           platforms: linux/amd64 | ||||||
							
								
								
									
										46
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										46
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -25,13 +25,9 @@ jobs: | |||||||
|           - arm-unknown-linux-musleabihf |           - arm-unknown-linux-musleabihf | ||||||
|           - aarch64-unknown-linux-gnu |           - aarch64-unknown-linux-gnu | ||||||
|           - aarch64-unknown-linux-musl |           - aarch64-unknown-linux-musl | ||||||
|           - mips-unknown-linux-gnu |  | ||||||
|           - mips-unknown-linux-musl |  | ||||||
|           - mipsel-unknown-linux-gnu |  | ||||||
|           - mipsel-unknown-linux-musl |  | ||||||
|  |  | ||||||
|     steps: |     steps: | ||||||
|       - uses: actions/checkout@v2 |       - uses: actions/checkout@v5 | ||||||
|       - uses: actions-rs/toolchain@v1 |       - uses: actions-rs/toolchain@v1 | ||||||
|         with: |         with: | ||||||
|           toolchain: stable |           toolchain: stable | ||||||
| @@ -50,7 +46,45 @@ jobs: | |||||||
|           zip phantun_${{ matrix.target }}.zip phantun_client phantun_server |           zip phantun_${{ matrix.target }}.zip phantun_client phantun_server | ||||||
|  |  | ||||||
|       - name: Upload Github Assets |       - name: Upload Github Assets | ||||||
|         uses: softprops/action-gh-release@v1 |         uses: softprops/action-gh-release@v2 | ||||||
|         with: |         with: | ||||||
|           files: target/${{ matrix.target }}/release/*.zip |           files: target/${{ matrix.target }}/release/*.zip | ||||||
|           prerelease: ${{ contains(github.ref, '-') }} |           prerelease: ${{ contains(github.ref, '-') }} | ||||||
|  |           update_existing: true | ||||||
|  |  | ||||||
|  |   build-mips-nightly: | ||||||
|  |     runs-on: ubuntu-latest | ||||||
|  |     env: | ||||||
|  |       RUST_BACKTRACE: full | ||||||
|  |     strategy: | ||||||
|  |       matrix: | ||||||
|  |         target: | ||||||
|  |           - mips-unknown-linux-musl | ||||||
|  |           - mips64-unknown-linux-muslabi64 | ||||||
|  |           - mipsel-unknown-linux-musl | ||||||
|  |  | ||||||
|  |     steps: | ||||||
|  |       - uses: actions/checkout@v5 | ||||||
|  |       - uses: actions-rs/toolchain@v1 | ||||||
|  |         with: | ||||||
|  |           toolchain: nightly | ||||||
|  |           override: true | ||||||
|  |           components: rust-src | ||||||
|  |       - uses: actions-rs/cargo@v1 | ||||||
|  |         with: | ||||||
|  |           use-cross: true | ||||||
|  |           command: build | ||||||
|  |           args: --release --target ${{ matrix.target }} -Z build-std | ||||||
|  |       - name: Rename artifacts and compress | ||||||
|  |         run: | | ||||||
|  |           cd target/${{ matrix.target }}/release | ||||||
|  |           mv client phantun_client | ||||||
|  |           mv server phantun_server | ||||||
|  |           zip phantun_${{ matrix.target }}_nightly.zip phantun_client phantun_server | ||||||
|  |  | ||||||
|  |       - name: Upload Github Assets | ||||||
|  |         uses: softprops/action-gh-release@v2 | ||||||
|  |         with: | ||||||
|  |           files: target/${{ matrix.target }}/release/*.zip | ||||||
|  |           prerelease: ${{ contains(github.ref, '-') }} | ||||||
|  |           update_existing: true | ||||||
|   | |||||||
							
								
								
									
										2
									
								
								.github/workflows/rust.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.github/workflows/rust.yml
									
									
									
									
										vendored
									
									
								
							| @@ -11,7 +11,7 @@ jobs: | |||||||
|     runs-on: ubuntu-latest |     runs-on: ubuntu-latest | ||||||
|  |  | ||||||
|     steps: |     steps: | ||||||
|     - uses: actions/checkout@v2 |     - uses: actions/checkout@v5 | ||||||
|     - uses: actions-rs/toolchain@v1 |     - uses: actions-rs/toolchain@v1 | ||||||
|       with: |       with: | ||||||
|         toolchain: stable |         toolchain: stable | ||||||
|   | |||||||
							
								
								
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -1,2 +1 @@ | |||||||
| /target | /target | ||||||
| Cargo.lock |  | ||||||
|   | |||||||
							
								
								
									
										1301
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
										Normal file
									
								
							
							
						
						
									
										1301
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @@ -1,6 +1,11 @@ | |||||||
| [workspace] | [workspace] | ||||||
|  | resolver = "3" | ||||||
|  |  | ||||||
| members = [ | members = [ | ||||||
|     "fake-tcp", |     "fake-tcp", | ||||||
|     "phantun", |     "phantun", | ||||||
| ] | ] | ||||||
|  |  | ||||||
|  | [workspace.dependencies] | ||||||
|  | tokio = { version = "1", features = ["full"] } | ||||||
|  | log = "0" | ||||||
|   | |||||||
| @@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work. | |||||||
|    same "printed page" as the copyright notice for easier |    same "printed page" as the copyright notice for easier | ||||||
|    identification within third-party archives. |    identification within third-party archives. | ||||||
|  |  | ||||||
| Copyright 2014-2021 The Rust Project Developers | Copyright 2021-2024 Datong Sun (dndx@idndx.com) | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); | Licensed under the Apache License, Version 2.0 (the "License"); | ||||||
| you may not use this file except in compliance with the License. | you may not use this file except in compliance with the License. | ||||||
|   | |||||||
| @@ -1,6 +1,6 @@ | |||||||
| MIT License | MIT License | ||||||
|  |  | ||||||
| Copyright (c) 2014-2021 The Rust Project Developers | Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com) | ||||||
|  |  | ||||||
| Permission is hereby granted, free of charge, to any | Permission is hereby granted, free of charge, to any | ||||||
| person obtaining a copy of this software and associated | person obtaining a copy of this software and associated | ||||||
|   | |||||||
							
								
								
									
										166
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										166
									
								
								README.md
									
									
									
									
									
								
							| @@ -2,8 +2,10 @@ | |||||||
|  |  | ||||||
| A lightweight and fast UDP to TCP obfuscator. | A lightweight and fast UDP to TCP obfuscator. | ||||||
|  |  | ||||||
| Table of Contents |  | ||||||
| ================= |  | ||||||
|  |  | ||||||
|  | # Table of Contents | ||||||
|  |  | ||||||
| * [Phantun](#phantun) | * [Phantun](#phantun) | ||||||
| * [Latest release](#latest-release) | * [Latest release](#latest-release) | ||||||
| @@ -24,6 +26,7 @@ Table of Contents | |||||||
| * [MTU overhead](#mtu-overhead) | * [MTU overhead](#mtu-overhead) | ||||||
|     * [MTU calculation for WireGuard](#mtu-calculation-for-wireguard) |     * [MTU calculation for WireGuard](#mtu-calculation-for-wireguard) | ||||||
| * [Version compatibility](#version-compatibility) | * [Version compatibility](#version-compatibility) | ||||||
|  | * [Documentations](#documentations) | ||||||
| * [Performance](#performance) | * [Performance](#performance) | ||||||
| * [Future plans](#future-plans) | * [Future plans](#future-plans) | ||||||
| * [Compariation to udp2raw](#compariation-to-udp2raw) | * [Compariation to udp2raw](#compariation-to-udp2raw) | ||||||
| @@ -31,16 +34,23 @@ Table of Contents | |||||||
|  |  | ||||||
| # Latest release | # Latest release | ||||||
|  |  | ||||||
| [v0.2.1](https://github.com/dndx/phantun/releases/tag/v0.2.1) | [v0.8.1](https://github.com/dndx/phantun/releases/tag/v0.8.1) | ||||||
|  |  | ||||||
|  | <details> | ||||||
|  |   <summary>MIPS architecture support for Phantun</summary> | ||||||
|  |  | ||||||
|  |   [Rust only provides Tier 3 supports for MIPS based platforms](https://github.com/rust-lang/compiler-team/issues/648) | ||||||
|  | since 2023. Phantun's MIPS build are therefore built using nightly Rust toolchain and provided on a best effort basis only. | ||||||
|  | </details> | ||||||
|  |  | ||||||
| # Overview | # Overview | ||||||
|  |  | ||||||
| Phanton is a project that obfuscated UDP packets into TCP connections. It aims to | Phantun is a project that obfuscated UDP packets into TCP connections. It aims to | ||||||
| achieve maximum performance with minimum processing and encapsulation overhead. | achieve maximum performance with minimum processing and encapsulation overhead. | ||||||
|  |  | ||||||
| It is commonly used in environments where UDP is blocked/throttled but TCP is allowed through. | It is commonly used in environments where UDP is blocked/throttled but TCP is allowed through. | ||||||
|  |  | ||||||
| Phanton simply converts a stream of UDP packets into obfuscated TCP stream packets. The TCP stack | Phantun simply converts a stream of UDP packets into obfuscated TCP stream packets. The TCP stack | ||||||
| used by Phantun is designed to pass through most L3/L4 stateful/stateless firewalls/NAT | used by Phantun is designed to pass through most L3/L4 stateful/stateless firewalls/NAT | ||||||
| devices. It will **not** be able to pass through L7 proxies. | devices. It will **not** be able to pass through L7 proxies. | ||||||
| However, the advantage of this approach is that none of the common UDP over TCP performance killer | However, the advantage of this approach is that none of the common UDP over TCP performance killer | ||||||
| @@ -51,6 +61,11 @@ connection from the perspective of firewalls/NAT devices. | |||||||
| Phantun means Phantom TUN, as it is an obfuscator for UDP traffic that does just enough work | Phantun means Phantom TUN, as it is an obfuscator for UDP traffic that does just enough work | ||||||
| to make it pass through stateful firewall/NATs as TCP packets. | to make it pass through stateful firewall/NATs as TCP packets. | ||||||
|  |  | ||||||
|  | Phantun is written in 100% safe Rust. It has been optimized extensively to scale well on multi-core | ||||||
|  | systems and has no issue saturating all available CPU resources on a fast connection. | ||||||
|  | See the [Performance](#performance) section for benchmarking results. | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Usage | # Usage | ||||||
| @@ -63,30 +78,32 @@ It is also assumed that **Phantun Client** listens for incoming UDP packets at | |||||||
| `127.0.0.1:1234` (the `--local` option for client) and connects to Phantun Server at `10.0.0.1:4567` | `127.0.0.1:1234` (the `--local` option for client) and connects to Phantun Server at `10.0.0.1:4567` | ||||||
| (the `--remote` option for client). | (the `--remote` option for client). | ||||||
|  |  | ||||||
| Phantun creates TUN interface for both the Client and Server. For Client, Phantun assigns itself the IP address | Phantun creates TUN interface for both the Client and Server. For **Client**, Phantun assigns itself the IP address | ||||||
| `192.168.200.2` by default and for Server, it assigns `192.168.201.2` by default. Therefore, your Kernel must have | `192.168.200.2` and `fcc8::2` by default. | ||||||
| `net.ipv4.ip_forward` enabled and setup appropriate iptables rules for NAT between your physical | For **Server**, it assigns `192.168.201.2` and `fcc9::2` by default. Therefore, your Kernel must have | ||||||
| NIC address and Phantun's TUN interface address. | IPv4/IPv6 forwarding enabled and setup appropriate iptables/nftables rules for NAT between your physical | ||||||
|  | NIC address and Phantun's Tun interface address. | ||||||
|  |  | ||||||
| You may customize the name of Tun interface created by Phantun and the assigned addresses. Please | You may customize the name of Tun interface created by Phantun and the assigned addresses. Please | ||||||
| run the executable with `-h` options to see how to change them. | run the executable with `-h` options to see how to change them. | ||||||
|  |  | ||||||
| Another way to help understand this network topology: | Another way to help understand this network topology (please see the diagram above for an illustration of this topology): | ||||||
|  |  | ||||||
| Phantun Client is like a machine with private IP address (`192.168.200.2`) behind a router. | Phantun Client is like a machine with private IP address (`192.168.200.2`/`fcc8::2`) behind a router. | ||||||
| In order for it to reach the Internet, you will need to SNAT the private IP address before it's traffic | In order for it to reach the Internet, you will need to SNAT the private IP address before it's traffic | ||||||
| leaves the NIC. | leaves the NIC. | ||||||
|  |  | ||||||
| Phantun Server is like a server with private IP address (`192.168.201.2`) behind a router. | Phantun Server is like a server with private IP address (`192.168.201.2`/`fcc9::2`) behind a router. | ||||||
| In order to access it from the Internet, you need to `DNAT` it's listening port on the router | In order to access it from the Internet, you need to `DNAT` it's listening port on the router | ||||||
| and change the destination IP address to where the server is listening for incoming connections. | and change the destination IP address to where the server is listening for incoming connections. | ||||||
|  |  | ||||||
| In those cases, the machine/iptables running Phantun acts as the "router" that allows Phantun | In those cases, the machine/iptables running Phantun acts as the "router" that allows Phantun | ||||||
| to communicate with outside using it's private IP addresses. | to communicate with outside using it's private IP addresses. | ||||||
|  |  | ||||||
| As of Phantun v0.2.2, IPv6 support for UDP endpoints has been added, however Fake TCP IPv6 support | As of Phantun v0.4.1, IPv6 is fully supported for both TCP and UDP sides. | ||||||
| has not been finished yet. To specify an IPv6 address, use the following format: `[::1]:1234` with | To specify an IPv6 address, use the following format: `[::1]:1234` with | ||||||
| the command line options. | the command line options. Resolving AAAA record is also supported. Please run the program | ||||||
|  | with `-h` to see detailed options on how to control the IPv6 behavior. | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| @@ -94,6 +111,12 @@ the command line options. | |||||||
|  |  | ||||||
| Edit `/etc/sysctl.conf`, add `net.ipv4.ip_forward=1` and run `sudo sysctl -p /etc/sysctl.conf`. | Edit `/etc/sysctl.conf`, add `net.ipv4.ip_forward=1` and run `sudo sysctl -p /etc/sysctl.conf`. | ||||||
|  |  | ||||||
|  | <details> | ||||||
|  |   <summary>IPv6 specific config</summary> | ||||||
|  |  | ||||||
|  |   `net.ipv6.conf.all.forwarding=1` will need to be set as well. | ||||||
|  | </details> | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| ## 2. Add required firewall rules | ## 2. Add required firewall rules | ||||||
| @@ -119,12 +142,16 @@ table inet nat { | |||||||
| } | } | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
|  | Note: The above rule uses `inet` as the table family type, so it is compatible with | ||||||
|  | both IPv4 and IPv6 usage. | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| #### Using iptables | #### Using iptables | ||||||
|  |  | ||||||
| ``` | ``` | ||||||
| iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||||||
|  | ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
| @@ -134,17 +161,18 @@ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |||||||
| Server needs to DNAT the TCP listening port to Phantun's TUN interface address. | Server needs to DNAT the TCP listening port to Phantun's TUN interface address. | ||||||
|  |  | ||||||
| Note: change `eth0` to whatever actual physical interface name is and `4567` to | Note: change `eth0` to whatever actual physical interface name is and `4567` to | ||||||
| actual TCP port number used by Phanton server | actual TCP port number used by Phantun server | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| #### Using nftables | #### Using nftables | ||||||
|  |  | ||||||
| ``` | ``` | ||||||
| table ip nat { | table inet nat { | ||||||
|     chain prerouting { |     chain prerouting { | ||||||
|         type nat hook prerouting priority dstnat; policy accept; |         type nat hook prerouting priority dstnat; policy accept; | ||||||
|         iif eth0 tcp dport 4567 dnat to 192.168.201.2 |         iif eth0 tcp dport 4567 dnat ip to 192.168.201.2 | ||||||
|  |         iif eth0 tcp dport 4567 dnat ip6 to fcc9::2 | ||||||
|     } |     } | ||||||
| } | } | ||||||
| ``` | ``` | ||||||
| @@ -155,6 +183,7 @@ table ip nat { | |||||||
|  |  | ||||||
| ``` | ``` | ||||||
| iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2 | iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2 | ||||||
|  | ip6tables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination fcc9::2 | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
| @@ -176,6 +205,8 @@ sudo setcap cap_net_admin=+pe phantun_client | |||||||
|  |  | ||||||
| **Note:** Run Phantun executable with `-h` option to see full detailed options. | **Note:** Run Phantun executable with `-h` option to see full detailed options. | ||||||
|  |  | ||||||
|  | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| ### Server | ### Server | ||||||
|  |  | ||||||
| Note: `4567` is the TCP port Phantun should listen on and must corresponds to the DNAT | Note: `4567` is the TCP port Phantun should listen on and must corresponds to the DNAT | ||||||
| @@ -185,6 +216,16 @@ rule specified above. `127.0.0.1:1234` is the UDP Server to connect to for new c | |||||||
| RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote 127.0.0.1:1234 | RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote 127.0.0.1:1234 | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
|  | Or use host name with `--remote`: | ||||||
|  |  | ||||||
|  | ``` | ||||||
|  | RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote example.com:1234 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | Note: Server by default assigns both IPv4 and IPv6 private address to the Tun interface. | ||||||
|  | If you do not wish to use IPv6, you can simply skip creating the IPv6 DNAT rule above and | ||||||
|  | the presence of IPv6 address on the Tun interface should have no side effect to the server. | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| ### Client | ### Client | ||||||
| @@ -196,25 +237,43 @@ the Phantun Server to connect. | |||||||
| RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote 10.0.0.1:4567 | RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote 10.0.0.1:4567 | ||||||
| ``` | ``` | ||||||
|  |  | ||||||
|  | Or use host name with `--remote`: | ||||||
|  |  | ||||||
|  | ``` | ||||||
|  | RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote example.com:4567 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | <details> | ||||||
|  |   <summary>IPv6 specific config</summary> | ||||||
|  |  | ||||||
|  |   ``` | ||||||
|  |   RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote [fdxx::1234]:4567 | ||||||
|  |   ``` | ||||||
|  |  | ||||||
|  |   Domain name with AAAA record is also supported. | ||||||
|  | </details> | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| # MTU overhead | # MTU overhead | ||||||
|  |  | ||||||
| Phantun aims to keep tunneling overhead to the minimum. The overhead compared to a plain UDP packet | Phantun aims to keep tunneling overhead to the minimum. The overhead compared to a plain UDP packet | ||||||
| is the following: | is the following (using IPv4 below as an example): | ||||||
|  |  | ||||||
| Standard UDP packet: 20 byte IP header + 8 byte UDP header = 28 bytes | **Standard UDP packet:** `20 byte IP header + 8 byte UDP header = 28 bytes` | ||||||
|  |  | ||||||
| Phantun obfuscated UDP packet: 20 byte IP header + 20 byte TCP header = 40 bytes | **Obfuscated packet:** `20 byte IP header + 20 byte TCP header = 40 bytes` | ||||||
|  |  | ||||||
|  |  | ||||||
| Note that Phantun does not add any additional header other than IP and TCP headers in order to pass through | Note that Phantun does not add any additional header other than IP and TCP headers in order to pass through | ||||||
| stateful packet inspection! | stateful packet inspection! | ||||||
|  |  | ||||||
| Phantun's additional overhead: 12 bytes. I other words, when using Phantun, the usable payload for | Phantun's additional overhead: `12 bytes`. In other words, when using Phantun, the usable payload for | ||||||
| UDP packet is reduced by 12 bytes. This is the minimum overhead possible when doing such kind | UDP packet is reduced by 12 bytes. This is the minimum overhead possible when doing such kind | ||||||
| of obfuscation. | of obfuscation. | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| ## MTU calculation for WireGuard | ## MTU calculation for WireGuard | ||||||
| @@ -222,15 +281,34 @@ of obfuscation. | |||||||
| For people who use Phantun to tunnel [WireGuard®](https://www.wireguard.com) UDP packets, here are some guidelines on figuring | For people who use Phantun to tunnel [WireGuard®](https://www.wireguard.com) UDP packets, here are some guidelines on figuring | ||||||
| out the correct MTU to use for your WireGuard interface. | out the correct MTU to use for your WireGuard interface. | ||||||
|  |  | ||||||
| WireGuard MTU = Interface MTU - IP header (20 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes) | ``` | ||||||
|  | WireGuard MTU = Link MTU - IPv4 header (20 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes) | ||||||
|  | ``` | ||||||
|  |  | ||||||
| For example, for a Ethernet interface with 1500 bytes MTU, the WireGuard interface MTU should be set as: | or | ||||||
|  |  | ||||||
| 1500 - 20 - 20 - 32 = 1428 bytes | ``` | ||||||
|  | WireGuard MTU = Link MTU - IPv6 header (40 bytes) - TCP header (20 bytes) - WireGuard overhead (32 bytes) | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | For example, for a network link with 1500 bytes MTU, the WireGuard interface MTU should be set as: | ||||||
|  |  | ||||||
|  | **IPv4:** `1500 (link MTU) - 20 - 20 - 32 = 1428 bytes` | ||||||
|  |  | ||||||
|  | **IPv6:** `1500 (link MTU) - 40 - 20 - 32 = 1408 bytes` | ||||||
|  |  | ||||||
| The resulted Phantun TCP data packet will be 1500 bytes which does not exceed the | The resulted Phantun TCP data packet will be 1500 bytes which does not exceed the | ||||||
| interface MTU of 1500. | interface MTU of 1500. | ||||||
|  |  | ||||||
|  | Please note **Phantun can not function correctly if | ||||||
|  | the packet size exceeds that of the link MTU**, as Phantun do not perform any IP-fragmentation | ||||||
|  | and reassymbly. For the same reason, Phantun always sets the `DF` (Don't Fragment) bit | ||||||
|  | in the IP header to prevent intermidiate devices performing any fragmentation on the packet. | ||||||
|  |  | ||||||
|  | It is also *strongly recommended* to use the same interface | ||||||
|  | MTU for both ends of a WireGuard tunnel, or unexpected packet loss may occur and these issues are | ||||||
|  | generally very hard to troubleshoot. | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| # Version compatibility | # Version compatibility | ||||||
| @@ -240,21 +318,37 @@ of Server/Client of Phantun on both ends to ensure maximum compatibility. | |||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
|  | # Documentations | ||||||
|  |  | ||||||
|  | For users who wish to use `fake-tcp` library inside their own project, refer to the documentations for the library at: | ||||||
|  | [https://docs.rs/fake-tcp](https://docs.rs/fake-tcp). | ||||||
|  |  | ||||||
|  | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| # Performance | # Performance | ||||||
|  |  | ||||||
| Performance was tested on AWS t3.xlarge instance with 4 vCPUs and 5 Gb/s NIC. WireGuard was used | Performance was tested on 2 AWS `t4g.xlarge` instances with 4 vCPUs and 5 Gb/s NIC over LAN. `nftables` was used to redirect | ||||||
| for tunneling TCP/UDP traffic between two test instances and MTU has been tuned to avoid fragmentation. | UDP stream of `iperf3` to go through the Phantun/udp2raw tunnel between two test instances and MTU has been tuned to avoid fragmentation. | ||||||
|  |  | ||||||
| |                 | WireGuard   | WireGuard + Phantun | WireGuard + udp2raw (cipher-mode=none auth-mode=none disable-anti-replay) | | Phantun `v0.3.2` and `udp2raw_arm_asm_aes` `20200818.0` was used. These were the latest release of both projects as of Apr 2022. | ||||||
| |-----------------|-------------|---------------------|---------------------------------------------------------------------------| |  | ||||||
| | iperf3 -c IP -R | 1.56 Gbit/s | 540 Mbit/s          | 369 Mbit/s                                                                | | Test command: `iperf3 -c <IP> -p <PORT> -R -u -l 1400 -b 1000m -t 30 -P 5` | ||||||
| | iperf3 -c IP    | 1.71 Gbit/s | 519 Mbit/s          | 312 Mbit/s                                                                | |  | ||||||
|  | | Mode                                                                            | Send Speed     | Receive Speed  | Overall CPU Usage                                   | | ||||||
|  | |---------------------------------------------------------------------------------|----------------|----------------|-----------------------------------------------------| | ||||||
|  | | Direct (1 stream)                                                               | 3.00 Gbits/sec | 2.37 Gbits/sec | 25% (1 core at 100%)                                | | ||||||
|  | | Phantun (1 stream)                                                              | 1.30 Gbits/sec | 1.20 Gbits/sec | 60% (1 core at 100%, 3 cores at 50%)                | | ||||||
|  | | udp2raw (`cipher-mode=none` `auth-mode=none` `disable-anti-replay`) (1 stream)  | 1.30 Gbits/sec | 715 Mbits/sec  | 40% (1 core at 100%, 1 core at 50%, 2 cores idling) | | ||||||
|  | | Direct connection (5 streams)                                                   | 5.00 Gbits/sec | 3.64 Gbits/sec | 25% (1 core at 100%)                                | | ||||||
|  | | Phantun (5 streams)                                                             | 5.00 Gbits/sec | 2.38 Gbits/sec | 95% (all cores utilized)                            | | ||||||
|  | | udp2raw (`cipher-mode=none` `auth-mode=none` `disable-anti-replay`) (5 streams) | 5.00 Gbits/sec | 770 Mbits/sec  | 50% (2 cores at 100%)                               | | ||||||
|  |  | ||||||
|  | Writeup on some of the techniques used in Phantun to achieve this performance result: [Writing Highly Efficient UDP Server in Rust](https://idndx.com/writing-highly-efficient-udp-server-in-rust/). | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| # Future plans | # Future plans | ||||||
|  |  | ||||||
| * IPv6 support for fake-tcp |  | ||||||
| * Load balancing a single UDP stream into multiple TCP streams | * Load balancing a single UDP stream into multiple TCP streams | ||||||
| * Integration tests | * Integration tests | ||||||
| * Auto insertion/removal of required firewall rules | * Auto insertion/removal of required firewall rules | ||||||
| @@ -264,7 +358,7 @@ for tunneling TCP/UDP traffic between two test instances and MTU has been tuned | |||||||
| # Compariation to udp2raw | # Compariation to udp2raw | ||||||
| [udp2raw](https://github.com/wangyu-/udp2raw-tunnel) is another popular project by [@wangyu-](https://github.com/wangyu-) | [udp2raw](https://github.com/wangyu-/udp2raw-tunnel) is another popular project by [@wangyu-](https://github.com/wangyu-) | ||||||
| that is very similar to what Phantun can do. In fact I took inspirations of Phantun from udp2raw. The biggest reason for | that is very similar to what Phantun can do. In fact I took inspirations of Phantun from udp2raw. The biggest reason for | ||||||
| developing Phanton is because of lack of performance when running udp2raw (especially on multi-core systems such as Raspberry Pi). | developing Phantun is because of lack of performance when running udp2raw (especially on multi-core systems such as Raspberry Pi). | ||||||
| However, the goal is never to be as feature complete as udp2raw and only support the most common use cases. Most notably, UDP over ICMP | However, the goal is never to be as feature complete as udp2raw and only support the most common use cases. Most notably, UDP over ICMP | ||||||
| and UDP over UDP mode are not supported and there is no anti-replay nor encryption support. The benefit of this is much better | and UDP over UDP mode are not supported and there is no anti-replay nor encryption support. The benefit of this is much better | ||||||
| performance overall and less MTU overhead because lack of additional headers inside the TCP payload. | performance overall and less MTU overhead because lack of additional headers inside the TCP payload. | ||||||
| @@ -278,17 +372,17 @@ Here is a quick overview of comparison between those two to help you choose: | |||||||
| | UDP over UDP obfuscation                         |       ❌       |         ✅         | | | UDP over UDP obfuscation                         |       ❌       |         ✅         | | ||||||
| | Multi-threaded                                   |       ✅       |         ❌         | | | Multi-threaded                                   |       ✅       |         ❌         | | ||||||
| | Throughput                                       |     Better    |        Good       | | | Throughput                                       |     Better    |        Good       | | ||||||
| | Raw IP mode                                      | TUN interface | Raw sockets + BPF | | | Layer 3 mode                                     | TUN interface | Raw sockets + BPF | | ||||||
| | Tunneling MTU overhead                           |    12 bytes   |      44 bytes     | | | Tunneling MTU overhead                           |    12 bytes   |      44 bytes     | | ||||||
| | Seprate TCP connections for each UDP connection  | Client/Server |    Server only    | | | Seprate TCP connections for each UDP connection  | Client/Server |    Server only    | | ||||||
| | Anti-replay, encryption                          |       ❌       |         ✅         | | | Anti-replay, encryption                          |       ❌       |         ✅         | | ||||||
| | IPv6                                             |    UDP only    |         ✅         | | | IPv6                                             |       ✅       |          ✅        | | ||||||
|  |  | ||||||
| [Back to TOC](#table-of-contents) | [Back to TOC](#table-of-contents) | ||||||
|  |  | ||||||
| # License | # License | ||||||
|  |  | ||||||
| Copyright 2021 Datong Sun <dndx@idndx.com> | Copyright 2021-2025 Datong Sun (dndx@idndx.com) | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or | Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or | ||||||
| [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license | [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license | ||||||
|   | |||||||
							
								
								
									
										5
									
								
								debian/cargo-checksum.json
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										5
									
								
								debian/cargo-checksum.json
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,5 @@ | |||||||
|  | [source.crates-io] | ||||||
|  | replace-with = "vendored-sources" | ||||||
|  |  | ||||||
|  | [source.vendored-sources] | ||||||
|  | directory = "vendor" | ||||||
							
								
								
									
										25
									
								
								debian/changelog
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
								debian/changelog
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,25 @@ | |||||||
|  | phantun (0.7.0) UNRELEASED; urgency=medium | ||||||
|  |  | ||||||
|  |   [ Datong Sun ] | ||||||
|  |   * fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162) | ||||||
|  |   * chore(deps): bump dependencies to latest | ||||||
|  |   * chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0` | ||||||
|  |  | ||||||
|  |   [ dependabot[bot] ] | ||||||
|  |   * chore(deps): bump docker/build-push-action from 5 to 6 | ||||||
|  |   * chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust | ||||||
|  |   * docs(readme): latest release is now `v0.7.0` | ||||||
|  |  | ||||||
|  |   [ Randy Li ] | ||||||
|  |   * phantun: change default tun address to link local | ||||||
|  |   * phantun: add client and server xor support | ||||||
|  |   * rpm: add selinux and rpm spec | ||||||
|  |   * deb: add debian files | ||||||
|  |  | ||||||
|  |  -- Randy Li <ayaka@soulik.info>  Wed, 11 Dec 2024 15:30:45 +0000 | ||||||
|  |  | ||||||
|  | phantun (0.6.1-1) UNRELEASED; urgency=medium | ||||||
|  |  | ||||||
|  |   * Initial release. (Closes: #nnnn)  <nnnn is the bug number of your ITP> | ||||||
|  |  | ||||||
|  |  -- Randy Li <ayaka@soulik.info>  Wed, 06 Nov 2024 18:58:00 +0000 | ||||||
							
								
								
									
										1
									
								
								debian/compat
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								debian/compat
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1 @@ | |||||||
|  | 10 | ||||||
							
								
								
									
										19
									
								
								debian/control
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								debian/control
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | |||||||
|  | Source: phantun | ||||||
|  | Section: net | ||||||
|  | Priority: optional | ||||||
|  | Maintainer: Randy Li <ayaka@soulik.info> | ||||||
|  | Build-Depends: debhelper (>= 9), cargo, rustc | ||||||
|  | Standards-Version: 4.5.0 | ||||||
|  | Homepage: <insert homepage here> | ||||||
|  |  | ||||||
|  | Package: phantun-client | ||||||
|  | Architecture: any | ||||||
|  | Depends: ${shlibs:Depends}, ${misc:Depends} | ||||||
|  | Description: Phantun client | ||||||
|  |  Phantun client binary. | ||||||
|  |  | ||||||
|  | Package: phantun-server | ||||||
|  | Architecture: any | ||||||
|  | Depends: ${shlibs:Depends}, ${misc:Depends} | ||||||
|  | Description: Phantun server | ||||||
|  |  Phantun server binary. | ||||||
							
								
								
									
										24
									
								
								debian/copyright
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
								debian/copyright
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,24 @@ | |||||||
|  | Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ | ||||||
|  | Upstream-Name: phantun | ||||||
|  | Source: https://github.com/hizukiayaka/phantun | ||||||
|  |  | ||||||
|  | Files: * | ||||||
|  | Copyright: 2023, Randy Li <ayaka@soulik.info> | ||||||
|  | License: MIT | ||||||
|  |  Permission is hereby granted, free of charge, to any person obtaining a copy | ||||||
|  |  of this software and associated documentation files (the "Software"), to deal | ||||||
|  |  in the Software without restriction, including without limitation the rights | ||||||
|  |  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||||||
|  |  copies of the Software, and to permit persons to whom the Software is | ||||||
|  |  furnished to do so, subject to the following conditions: | ||||||
|  |  . | ||||||
|  |  The above copyright notice and this permission notice shall be included in all | ||||||
|  |  copies or substantial portions of the Software. | ||||||
|  |  . | ||||||
|  |  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||||||
|  |  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||||||
|  |  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||||||
|  |  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||||||
|  |  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||||||
|  |  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||||||
|  |  SOFTWARE. | ||||||
							
								
								
									
										6
									
								
								debian/phantun-client-wrapper
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								debian/phantun-client-wrapper
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | |||||||
|  | #!/bin/bash | ||||||
|  | PID_FILE=$1 | ||||||
|  | shift 1 | ||||||
|  | mkdir -p /var/run/phantun | ||||||
|  | /usr/libexec/phantun/phantun-client "$@" & | ||||||
|  | echo $! > /var/run/phantun/${PID_FILE} | ||||||
							
								
								
									
										2
									
								
								debian/phantun-client.install
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								debian/phantun-client.install
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | usr/libexec/phantun/phantun-client | ||||||
|  | usr/bin/phantun-client | ||||||
							
								
								
									
										6
									
								
								debian/phantun-server-wrapper
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								debian/phantun-server-wrapper
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | |||||||
|  | #!/bin/bash | ||||||
|  | PID_FILE=$1 | ||||||
|  | shift 1 | ||||||
|  | mkdir -p /var/run/phantun | ||||||
|  | /usr/libexec/phantun/phantun-server "$@" & | ||||||
|  | echo $! > /var/run/phantun/${PID_FILE} | ||||||
							
								
								
									
										2
									
								
								debian/phantun-server.install
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								debian/phantun-server.install
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | usr/libexec/phantun/phantun-server | ||||||
|  | usr/bin/phantun-server | ||||||
							
								
								
									
										35
									
								
								debian/rules
									
									
									
									
										vendored
									
									
										Executable file
									
								
							
							
						
						
									
										35
									
								
								debian/rules
									
									
									
									
										vendored
									
									
										Executable file
									
								
							| @@ -0,0 +1,35 @@ | |||||||
|  | #!/usr/bin/make -f | ||||||
|  |  | ||||||
|  | %: | ||||||
|  | 	dh $@ --buildsystem=cargo | ||||||
|  |  | ||||||
|  | override_dh_auto_install: | ||||||
|  | 	# Define DESTDIR | ||||||
|  | 	DESTDIR=$(CURDIR)/debian/phantun | ||||||
|  |  | ||||||
|  | 	# Install client binary | ||||||
|  | 	install -D -m 0755 target/release/client debian/tmp/usr/libexec/phantun/phantun-client | ||||||
|  |  | ||||||
|  | 	# Install server binary | ||||||
|  | 	install -D -m 0755 target/release/server debian/tmp/usr/libexec/phantun/phantun-server | ||||||
|  |      | ||||||
|  | 	# Create wrapper scripts | ||||||
|  | 	install -D -m 0755 debian/phantun-client-wrapper  debian/tmp/usr/bin/phantun-client | ||||||
|  |  | ||||||
|  | 	install -D -m 0755 debian/phantun-server-wrapper debian/tmp/usr/bin/phantun-server | ||||||
|  |  | ||||||
|  | 	chmod +x debian/tmp/usr/bin/phantun-client | ||||||
|  | 	chmod +x debian/tmp/usr/bin/phantun-server | ||||||
|  |  | ||||||
|  | override_dh_auto_configure: | ||||||
|  | 	cp ./debian/cargo-checksum.json ./.cargo-checksum.json | ||||||
|  |  | ||||||
|  | override_dh_auto_build: | ||||||
|  | 	cargo build --release | ||||||
|  |  | ||||||
|  | override_dh_install: | ||||||
|  | 	dh_install | ||||||
|  |  | ||||||
|  | override_dh_auto_test: | ||||||
|  | 	# Disable the auto test step | ||||||
|  | 	true | ||||||
							
								
								
									
										2
									
								
								docker/.dockerignore
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								docker/.dockerignore
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | README.md | ||||||
|  | docker-compose.yml | ||||||
							
								
								
									
										37
									
								
								docker/Dockerfile
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										37
									
								
								docker/Dockerfile
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,37 @@ | |||||||
|  | # | ||||||
|  | # Dockerfile for phantun | ||||||
|  | # | ||||||
|  |  | ||||||
|  | # | ||||||
|  | # Build stage | ||||||
|  | # | ||||||
|  | FROM rust:latest AS builder | ||||||
|  |  | ||||||
|  | COPY . /phantun | ||||||
|  |  | ||||||
|  | RUN cd phantun \ | ||||||
|  |   && cargo build --release \ | ||||||
|  |   && strip target/release/server target/release/client \ | ||||||
|  |   && install target/release/server /usr/local/bin/phantun-server \ | ||||||
|  |   && install target/release/client /usr/local/bin/phantun-client \ | ||||||
|  |   && cd - \ | ||||||
|  |   && rm -r phantun | ||||||
|  |  | ||||||
|  | # | ||||||
|  | # Runtime stage | ||||||
|  | # | ||||||
|  | FROM debian:latest | ||||||
|  |  | ||||||
|  | COPY --from=builder /usr/local/bin/phantun-server /usr/local/bin/ | ||||||
|  | COPY --from=builder /usr/local/bin/phantun-client /usr/local/bin/ | ||||||
|  | COPY docker/phantun.sh /usr/local/bin/ | ||||||
|  | RUN apt-get update && apt-get install -y \ | ||||||
|  |     iproute2 \ | ||||||
|  |     iptables \ | ||||||
|  |     procps | ||||||
|  |  | ||||||
|  | ENV USE_IPTABLES_NFT_BACKEND=0 | ||||||
|  | ENV RUST_LOG=INFO | ||||||
|  |  | ||||||
|  | ENTRYPOINT ["phantun.sh"] | ||||||
|  | CMD ["phantun-server", "--help"] | ||||||
							
								
								
									
										11
									
								
								docker/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										11
									
								
								docker/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,11 @@ | |||||||
|  | # phantun (docker) | ||||||
|  |  | ||||||
|  | ## Build | ||||||
|  |  | ||||||
|  | ```sh | ||||||
|  | docker build -t phantun -f docker/Dockerfile . | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ## Usage | ||||||
|  |  | ||||||
|  | It is recommended to use docker-compose, see [docker-compose.yml](docker-compose.yml) for details. | ||||||
							
								
								
									
										26
									
								
								docker/docker-compose.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								docker/docker-compose.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,26 @@ | |||||||
|  | version: '3.9' | ||||||
|  |  | ||||||
|  | services: | ||||||
|  |   phantun-server: | ||||||
|  |     image: phantun | ||||||
|  |     container_name: phantun-server | ||||||
|  |     restart: unless-stopped | ||||||
|  |     network_mode: host | ||||||
|  |     privileged: true | ||||||
|  |     environment: | ||||||
|  |       USE_IPTABLES_NFT_BACKEND: 0 | ||||||
|  |       RUST_LOG: INFO | ||||||
|  |     command: > | ||||||
|  |       phantun-server --local 1985 --remote 127.0.0.1:1984 --ipv4-only | ||||||
|  |  | ||||||
|  |   phantun-client: | ||||||
|  |     image: phantun | ||||||
|  |     container_name: phantun-client | ||||||
|  |     restart: unless-stopped | ||||||
|  |     network_mode: host | ||||||
|  |     privileged: true | ||||||
|  |     environment: | ||||||
|  |       USE_IPTABLES_NFT_BACKEND: 0 | ||||||
|  |       RUST_LOG: INFO | ||||||
|  |     command: > | ||||||
|  |       phantun-client --local 127.0.0.1:1984 --remote 11.22.33.44:1985 --ipv4-only | ||||||
							
								
								
									
										209
									
								
								docker/phantun.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
										209
									
								
								docker/phantun.sh
									
									
									
									
									
										Executable file
									
								
							| @@ -0,0 +1,209 @@ | |||||||
|  | #!/bin/bash | ||||||
|  |  | ||||||
|  | # alias settings must be global, and must be defined before the function being called with the alias | ||||||
|  | if [ "$USE_IPTABLES_NFT_BACKEND" = 1 ]; then | ||||||
|  |   alias iptables=iptables-nft | ||||||
|  |   alias iptables-save=iptables-nft-save | ||||||
|  |   alias ip6tables=ip6tables-nft | ||||||
|  |   alias ip6tables-save=ip6tables-nft-save | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | info() { | ||||||
|  |   local green='\e[0;32m' | ||||||
|  |   local clear='\e[0m' | ||||||
|  |   local time=$(date '+%Y-%m-%d %T') | ||||||
|  |   printf "${green}[${time}] [INFO]: ${clear}%s\n" "$*" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | warn() { | ||||||
|  |   local yellow='\e[1;33m' | ||||||
|  |   local clear='\e[0m' | ||||||
|  |   local time=$(date '+%Y-%m-%d %T') | ||||||
|  |   printf "${yellow}[${time}] [WARN]: ${clear}%s\n" "$*" >&2 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | error() { | ||||||
|  |   local red='\e[0;31m' | ||||||
|  |   local clear='\e[0m' | ||||||
|  |   local time=$(date '+%Y-%m-%d %T') | ||||||
|  |   printf "${red}[${time}] [ERROR]: ${clear}%s\n" "$*" >&2 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_default_iface() { | ||||||
|  |   ip -4 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}' | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_default6_iface() { | ||||||
|  |   ip -6 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}' | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_addr_by_iface() { | ||||||
|  |   ip -4 addr show dev "$1" | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_addr6_by_iface() { | ||||||
|  |   ip -6 addr show dev "$1" | grep -w "inet6" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _check_rule_by_comment() { | ||||||
|  |   iptables-save | grep -q "$1" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _check_rule6_by_comment() { | ||||||
|  |   ip6tables-save | grep -q "$1" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _is_server_mode() { | ||||||
|  |   [ "$1" = "phantun-server" ] | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _is_ipv4_only() { | ||||||
|  |   case "$@" in | ||||||
|  |     *-4*|*--ipv4-only*) | ||||||
|  |       return 0 | ||||||
|  |       ;; | ||||||
|  |     *\ -4*|*\ --ipv4-only*) | ||||||
|  |       return 0 | ||||||
|  |       ;; | ||||||
|  |   esac | ||||||
|  |   return 1 | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_tun_from_args() { | ||||||
|  |   local tun=$(echo "$@" | awk -F '--tun ' '{print $2}' | awk '{print $1}') | ||||||
|  |   echo ${tun:=tun0} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_peer_from_args() { | ||||||
|  |   local peer=$(echo "$@" | awk -F '--tun-peer ' '{print $2}' | awk '{print $1}') | ||||||
|  |   _is_server_mode "$1" && echo ${peer:=192.168.201.2} || echo ${peer:=192.168.200.2} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_peer6_from_args() { | ||||||
|  |   local peer=$(echo "$@" | awk -F '--tun-peer6 ' '{print $2}' | awk '{print $1}') | ||||||
|  |   _is_server_mode "$1" && echo ${peer:=fcc9::2} || echo ${peer:=fcc8::2} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _get_port_from_args() { | ||||||
|  |   local value=$(echo "$@" | awk -F '-l|--local' '{print $2}' | awk '{print $1}') | ||||||
|  |   _is_server_mode "$1" && echo $value || echo $value | awk -F ':' '{print $2}' | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _iptables() { | ||||||
|  |   iptables -w 10 "$@" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | _ip6tables() { | ||||||
|  |   ip6tables -w 10 "$@" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | apply_sysctl() { | ||||||
|  |   info "apply sysctl: $(sysctl -w net.ipv4.ip_forward=1)" | ||||||
|  |   ! _is_ipv4_only "$@" || return | ||||||
|  |   info "apply sysctl: $(sysctl -w net.ipv6.conf.all.forwarding=1)" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | apply_iptables() { | ||||||
|  |   local interface=$(_get_default_iface) | ||||||
|  |   local address=$(_get_addr_by_iface "${interface}") | ||||||
|  |   local tun=$(_get_tun_from_args "$@") | ||||||
|  |   local peer=$(_get_peer_from_args "$@") | ||||||
|  |   local port=$(_get_port_from_args "$@") | ||||||
|  |   local comment="phantun_${tun}_${port}" | ||||||
|  |  | ||||||
|  |   if _check_rule_by_comment "${comment}"; then | ||||||
|  |     warn "iptables rules already exist, maybe needs to check." | ||||||
|  |   else | ||||||
|  |     _iptables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}" || error "iptables filter rule add failed." | ||||||
|  |     _iptables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}" || error "iptables filter rule add failed." | ||||||
|  |     if _is_server_mode "$1"; then | ||||||
|  |       info "iptables DNAT rule added: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}" | ||||||
|  |       _iptables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \ | ||||||
|  |         -m comment --comment "${comment}" || error "iptables DNAT rule add failed." | ||||||
|  |     else | ||||||
|  |       info "iptables SNAT rule added: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}" | ||||||
|  |       _iptables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \ | ||||||
|  |         -m comment --comment "${comment}" || error "iptables SNAT rule add failed." | ||||||
|  |     fi | ||||||
|  |   fi | ||||||
|  | } | ||||||
|  |  | ||||||
|  | apply_ip6tables() { | ||||||
|  |   ! _is_ipv4_only "$@" || return | ||||||
|  |  | ||||||
|  |   local interface=$(_get_default6_iface) | ||||||
|  |   local address=$(_get_addr6_by_iface "${interface}") | ||||||
|  |   local tun=$(_get_tun_from_args "$@") | ||||||
|  |   local peer=$(_get_peer6_from_args "$@") | ||||||
|  |   local port=$(_get_port_from_args "$@") | ||||||
|  |   local comment="phantun_${tun}_${port}" | ||||||
|  |  | ||||||
|  |   if _check_rule6_by_comment "${comment}"; then | ||||||
|  |     warn "ip6tables rules already exist, maybe needs to check." | ||||||
|  |   else | ||||||
|  |     _ip6tables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}" || error "ip6tables filter rule add failed." | ||||||
|  |     _ip6tables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}" || error "ip6tables filter rule add failed." | ||||||
|  |     if _is_server_mode "$1"; then | ||||||
|  |       info "ip6tables DNAT rule added: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}" | ||||||
|  |       _ip6tables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \ | ||||||
|  |         -m comment --comment "${comment}" || error "ip6tables DNAT rule add failed." | ||||||
|  |     else | ||||||
|  |       info "ip6tables SNAT rule added: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}" | ||||||
|  |       _ip6tables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \ | ||||||
|  |         -m comment --comment "${comment}" || error "ip6tables SNAT rule add failed." | ||||||
|  |     fi | ||||||
|  |   fi | ||||||
|  | } | ||||||
|  |  | ||||||
|  | stop_process() { | ||||||
|  |   kill $(pidof phantun-server phantun-client) | ||||||
|  |   info "terminate phantun process." | ||||||
|  | } | ||||||
|  |  | ||||||
|  | revoke_iptables() { | ||||||
|  |   local tun=$(_get_tun_from_args "$@") | ||||||
|  |   local port=$(_get_port_from_args "$@") | ||||||
|  |   local comment="phantun_${tun}_${port}" | ||||||
|  |  | ||||||
|  |   iptables-save -t filter | grep "${comment}" | while read rule; do | ||||||
|  |     _iptables -t filter ${rule/-A/-D} || error "iptables filter rule remove failed." | ||||||
|  |   done | ||||||
|  |   iptables-save -t nat | grep "${comment}" | while read rule; do | ||||||
|  |     _iptables -t nat ${rule/-A/-D} || error "iptables nat rule remove failed." | ||||||
|  |   done | ||||||
|  |   info "iptables rule: [${comment}] removed." | ||||||
|  | } | ||||||
|  |  | ||||||
|  | revoke_ip6tables() { | ||||||
|  |   ! _is_ipv4_only "$@" || return | ||||||
|  |  | ||||||
|  |   local tun=$(_get_tun_from_args "$@") | ||||||
|  |   local port=$(_get_port_from_args "$@") | ||||||
|  |   local comment="phantun_${tun}_${port}" | ||||||
|  |  | ||||||
|  |   ip6tables-save -t filter | grep "${comment}" | while read rule; do | ||||||
|  |     _ip6tables -t filter ${rule/-A/-D} || error "ip6tables filter rule remove failed." | ||||||
|  |   done | ||||||
|  |   ip6tables-save -t nat | grep "${comment}" | while read rule; do | ||||||
|  |     _ip6tables -t nat ${rule/-A/-D} || error "ip6tables nat rule remove failed." | ||||||
|  |   done | ||||||
|  |   info "ip6tables rule: [${comment}] removed." | ||||||
|  | } | ||||||
|  |  | ||||||
|  | graceful_stop() { | ||||||
|  |   warn "caught SIGTERM or SIGINT signal, graceful stopping..." | ||||||
|  |   stop_process | ||||||
|  |   revoke_iptables "$@" | ||||||
|  |   revoke_ip6tables "$@" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | start_phantun() { | ||||||
|  |   trap 'graceful_stop "$@"' SIGTERM SIGINT | ||||||
|  |   apply_sysctl "$@" | ||||||
|  |   apply_iptables "$@" | ||||||
|  |   apply_ip6tables "$@" | ||||||
|  |   "$@" & | ||||||
|  |   wait | ||||||
|  | } | ||||||
|  |  | ||||||
|  | start_phantun "$@" | ||||||
| @@ -1,7 +1,7 @@ | |||||||
| [package] | [package] | ||||||
| name = "fake-tcp" | name = "fake-tcp" | ||||||
| version = "0.1.2" | version = "0.7.1" | ||||||
| edition = "2021" | edition = "2024" | ||||||
| authors = ["Datong Sun <dndx@idndx.com>"] | authors = ["Datong Sun <dndx@idndx.com>"] | ||||||
| license = "MIT OR Apache-2.0" | license = "MIT OR Apache-2.0" | ||||||
| repository = "https://github.com/dndx/phantun" | repository = "https://github.com/dndx/phantun" | ||||||
| @@ -16,9 +16,10 @@ benchmark = [] | |||||||
|  |  | ||||||
| [dependencies] | [dependencies] | ||||||
| bytes = "1" | bytes = "1" | ||||||
| pnet = "0.28.0" | pnet = "0" | ||||||
| tokio = { version = "1.12.0", features = ["full"] } | rand = { version = "0", features = ["small_rng"] } | ||||||
| rand = { version = "0.8.4", features = ["small_rng"] } | internet-checksum = "0" | ||||||
| log = "0.4" | tokio-tun = "0" | ||||||
| internet-checksum = "0.2.0" | flume = "0" | ||||||
| dndx-fork-tokio-tun = "0.3.16" | tokio = { workspace = true } | ||||||
|  | log = { workspace = true } | ||||||
|   | |||||||
| @@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work. | |||||||
|    same "printed page" as the copyright notice for easier |    same "printed page" as the copyright notice for easier | ||||||
|    identification within third-party archives. |    identification within third-party archives. | ||||||
|  |  | ||||||
| Copyright 2014-2021 The Rust Project Developers | Copyright 2021-2024 Datong Sun (dndx@idndx.com) | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); | Licensed under the Apache License, Version 2.0 (the "License"); | ||||||
| you may not use this file except in compliance with the License. | you may not use this file except in compliance with the License. | ||||||
|   | |||||||
| @@ -1,6 +1,6 @@ | |||||||
| MIT License | MIT License | ||||||
|  |  | ||||||
| Copyright (c) 2014-2021 The Rust Project Developers | Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com) | ||||||
|  |  | ||||||
| Permission is hereby granted, free of charge, to any | Permission is hereby granted, free of charge, to any | ||||||
| person obtaining a copy of this software and associated | person obtaining a copy of this software and associated | ||||||
|   | |||||||
| @@ -5,7 +5,7 @@ packet oriented tunneling with minimum overhead. | |||||||
|  |  | ||||||
| ## License | ## License | ||||||
|  |  | ||||||
| Copyright 2021 Datong Sun <dndx@idndx.com> | Copyright 2021-2025 Datong Sun <dndx@idndx.com> | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or | Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or | ||||||
| [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license | [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license | ||||||
|   | |||||||
| @@ -1,7 +1,46 @@ | |||||||
|  | //! A minimum, userspace TCP based datagram stack | ||||||
|  | //! | ||||||
|  | //! # Overview | ||||||
|  | //! | ||||||
|  | //! `fake-tcp` is a reusable library that implements a minimum TCP stack in | ||||||
|  | //! user space using the Tun interface. It allows programs to send datagrams | ||||||
|  | //! as if they are part of a TCP connection. `fake-tcp` has been tested to | ||||||
|  | //! be able to pass through a variety of NAT and stateful firewalls while | ||||||
|  | //! fully preserves certain desirable behavior such as out of order delivery | ||||||
|  | //! and no congestion/flow controls. | ||||||
|  | //! | ||||||
|  | //! # Core Concepts | ||||||
|  | //! | ||||||
|  | //! The core of the `fake-tcp` crate compose of two structures. [`Stack`] and | ||||||
|  | //! [`Socket`]. | ||||||
|  | //! | ||||||
|  | //! ## [`Stack`] | ||||||
|  | //! | ||||||
|  | //! [`Stack`] represents a virtual TCP stack that operates at | ||||||
|  | //! Layer 3. It is responsible for: | ||||||
|  | //! | ||||||
|  | //! * TCP active and passive open and handshake | ||||||
|  | //! * `RST` handling | ||||||
|  | //! * Interact with the Tun interface at Layer 3 | ||||||
|  | //! * Distribute incoming datagrams to corresponding [`Socket`] | ||||||
|  | //! | ||||||
|  | //! ## [`Socket`] | ||||||
|  | //! | ||||||
|  | //! [`Socket`] represents a TCP connection. It registers the identifying | ||||||
|  | //! tuple `(src_ip, src_port, dest_ip, dest_port)` inside the [`Stack`] so | ||||||
|  | //! so that incoming packets can be distributed to the right [`Socket`] with | ||||||
|  | //! using a channel. It is also what the client should use for | ||||||
|  | //! sending/receiving datagrams. | ||||||
|  | //! | ||||||
|  | //! # Examples | ||||||
|  | //! | ||||||
|  | //! Please see [`client.rs`](https://github.com/dndx/phantun/blob/main/phantun/src/bin/client.rs) | ||||||
|  | //! and [`server.rs`](https://github.com/dndx/phantun/blob/main/phantun/src/bin/server.rs) files | ||||||
|  | //! from the `phantun` crate for how to use this library in client/server mode, respectively. | ||||||
|  |  | ||||||
| #![cfg_attr(feature = "benchmark", feature(test))] | #![cfg_attr(feature = "benchmark", feature(test))] | ||||||
|  |  | ||||||
| pub mod packet; | pub mod packet; | ||||||
| extern crate dndx_fork_tokio_tun as tokio_tun; |  | ||||||
|  |  | ||||||
| use bytes::{Bytes, BytesMut}; | use bytes::{Bytes, BytesMut}; | ||||||
| use log::{error, info, trace, warn}; | use log::{error, info, trace, warn}; | ||||||
| @@ -10,28 +49,30 @@ use pnet::packet::{tcp, Packet}; | |||||||
| use rand::prelude::*; | use rand::prelude::*; | ||||||
| use std::collections::{HashMap, HashSet}; | use std::collections::{HashMap, HashSet}; | ||||||
| use std::fmt; | use std::fmt; | ||||||
| use std::net::{Ipv4Addr, SocketAddrV4}; | use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr}; | ||||||
| use std::sync::atomic::{AtomicU32, Ordering}; | use std::sync::{ | ||||||
| use std::sync::{Arc, RwLock}; |     atomic::{AtomicU32, Ordering}, | ||||||
|  |     Arc, RwLock, | ||||||
|  | }; | ||||||
| use tokio::sync::broadcast; | use tokio::sync::broadcast; | ||||||
| use tokio::sync::mpsc::{self, Receiver, Sender}; | use tokio::sync::mpsc; | ||||||
| use tokio::sync::watch; |  | ||||||
| use tokio::sync::Mutex as AsyncMutex; |  | ||||||
| use tokio::time; | use tokio::time; | ||||||
| use tokio_tun::Tun; | use tokio_tun::Tun; | ||||||
|  |  | ||||||
| const TIMEOUT: time::Duration = time::Duration::from_secs(1); | const TIMEOUT: time::Duration = time::Duration::from_secs(1); | ||||||
| const RETRIES: usize = 6; | const RETRIES: usize = 6; | ||||||
| const MPSC_BUFFER_LEN: usize = 512; | const MPMC_BUFFER_LEN: usize = 512; | ||||||
|  | const MPSC_BUFFER_LEN: usize = 128; | ||||||
|  | const MAX_UNACKED_LEN: u32 = 128 * 1024 * 1024; // 128MB | ||||||
|  |  | ||||||
| #[derive(Hash, Eq, PartialEq, Clone, Debug)] | #[derive(Hash, Eq, PartialEq, Clone, Debug)] | ||||||
| pub struct AddrTuple { | struct AddrTuple { | ||||||
|     local_addr: SocketAddrV4, |     local_addr: SocketAddr, | ||||||
|     remote_addr: SocketAddrV4, |     remote_addr: SocketAddr, | ||||||
| } | } | ||||||
|  |  | ||||||
| impl AddrTuple { | impl AddrTuple { | ||||||
|     fn new(local_addr: SocketAddrV4, remote_addr: SocketAddrV4) -> AddrTuple { |     fn new(local_addr: SocketAddr, remote_addr: SocketAddr) -> AddrTuple { | ||||||
|         AddrTuple { |         AddrTuple { | ||||||
|             local_addr, |             local_addr, | ||||||
|             remote_addr, |             remote_addr, | ||||||
| @@ -40,17 +81,18 @@ impl AddrTuple { | |||||||
| } | } | ||||||
|  |  | ||||||
| struct Shared { | struct Shared { | ||||||
|     tuples: RwLock<HashMap<AddrTuple, Sender<Bytes>>>, |     tuples: RwLock<HashMap<AddrTuple, flume::Sender<Bytes>>>, | ||||||
|     listening: RwLock<HashSet<u16>>, |     listening: RwLock<HashSet<u16>>, | ||||||
|     tun: Vec<Arc<Tun>>, |     tun: Vec<Arc<Tun>>, | ||||||
|     ready: Sender<Socket>, |     ready: mpsc::Sender<Socket>, | ||||||
|     tuples_purge: broadcast::Sender<AddrTuple>, |     tuples_purge: broadcast::Sender<AddrTuple>, | ||||||
| } | } | ||||||
|  |  | ||||||
| pub struct Stack { | pub struct Stack { | ||||||
|     shared: Arc<Shared>, |     shared: Arc<Shared>, | ||||||
|     local_ip: Ipv4Addr, |     local_ip: Ipv4Addr, | ||||||
|     ready: Receiver<Socket>, |     local_ip6: Option<Ipv6Addr>, | ||||||
|  |     ready: mpsc::Receiver<Socket>, | ||||||
| } | } | ||||||
|  |  | ||||||
| pub enum State { | pub enum State { | ||||||
| @@ -63,116 +105,123 @@ pub enum State { | |||||||
| pub struct Socket { | pub struct Socket { | ||||||
|     shared: Arc<Shared>, |     shared: Arc<Shared>, | ||||||
|     tun: Arc<Tun>, |     tun: Arc<Tun>, | ||||||
|     incoming: AsyncMutex<Receiver<Bytes>>, |     incoming: flume::Receiver<Bytes>, | ||||||
|     local_addr: SocketAddrV4, |     local_addr: SocketAddr, | ||||||
|     remote_addr: SocketAddrV4, |     remote_addr: SocketAddr, | ||||||
|     seq: AtomicU32, |     seq: AtomicU32, | ||||||
|     ack: AtomicU32, |     ack: AtomicU32, | ||||||
|  |     last_ack: AtomicU32, | ||||||
|     state: State, |     state: State, | ||||||
|     closing_tx: watch::Sender<()>, |  | ||||||
|     closing_rx: watch::Receiver<()>, |  | ||||||
| } | } | ||||||
|  |  | ||||||
|  | /// A socket that represents a unique TCP connection between a server and client. | ||||||
|  | /// | ||||||
|  | /// The `Socket` object itself satisfies `Sync` and `Send`, which means it can | ||||||
|  | /// be safely called within an async future. | ||||||
|  | /// | ||||||
|  | /// To close a TCP connection that is no longer needed, simply drop this object | ||||||
|  | /// out of scope. | ||||||
| impl Socket { | impl Socket { | ||||||
|     fn new( |     fn new( | ||||||
|         shared: Arc<Shared>, |         shared: Arc<Shared>, | ||||||
|         tun: Arc<Tun>, |         tun: Arc<Tun>, | ||||||
|         local_addr: SocketAddrV4, |         local_addr: SocketAddr, | ||||||
|         remote_addr: SocketAddrV4, |         remote_addr: SocketAddr, | ||||||
|         ack: Option<u32>, |         ack: Option<u32>, | ||||||
|         state: State, |         state: State, | ||||||
|     ) -> (Socket, Sender<Bytes>) { |     ) -> (Socket, flume::Sender<Bytes>) { | ||||||
|         let (incoming_tx, incoming_rx) = mpsc::channel(MPSC_BUFFER_LEN); |         let (incoming_tx, incoming_rx) = flume::bounded(MPMC_BUFFER_LEN); | ||||||
|         let (closing_tx, closing_rx) = watch::channel(()); |  | ||||||
|  |  | ||||||
|         ( |         ( | ||||||
|             Socket { |             Socket { | ||||||
|                 shared, |                 shared, | ||||||
|                 tun, |                 tun, | ||||||
|                 incoming: AsyncMutex::new(incoming_rx), |                 incoming: incoming_rx, | ||||||
|                 local_addr, |                 local_addr, | ||||||
|                 remote_addr, |                 remote_addr, | ||||||
|                 seq: AtomicU32::new(0), |                 seq: AtomicU32::new(0), | ||||||
|                 ack: AtomicU32::new(ack.unwrap_or(0)), |                 ack: AtomicU32::new(ack.unwrap_or(0)), | ||||||
|  |                 last_ack: AtomicU32::new(ack.unwrap_or(0)), | ||||||
|                 state, |                 state, | ||||||
|                 closing_tx, |  | ||||||
|                 closing_rx, |  | ||||||
|             }, |             }, | ||||||
|             incoming_tx, |             incoming_tx, | ||||||
|         ) |         ) | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     fn build_tcp_packet(&self, flags: u16, payload: Option<&[u8]>) -> Bytes { |     fn build_tcp_packet(&self, flags: u8, payload: Option<&[u8]>) -> Bytes { | ||||||
|  |         let ack = self.ack.load(Ordering::Relaxed); | ||||||
|  |         self.last_ack.store(ack, Ordering::Relaxed); | ||||||
|  |  | ||||||
|         build_tcp_packet( |         build_tcp_packet( | ||||||
|             self.local_addr, |             self.local_addr, | ||||||
|             self.remote_addr, |             self.remote_addr, | ||||||
|             self.seq.load(Ordering::Relaxed), |             self.seq.load(Ordering::Relaxed), | ||||||
|             self.ack.load(Ordering::Relaxed), |             ack, | ||||||
|             flags, |             flags, | ||||||
|             payload, |             payload, | ||||||
|         ) |         ) | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     /// Sends a datagram to the other end. | ||||||
|  |     /// | ||||||
|  |     /// This method takes `&self`, and it can be called safely by multiple threads | ||||||
|  |     /// at the same time. | ||||||
|  |     /// | ||||||
|  |     /// A return of `None` means the Tun socket returned an error | ||||||
|  |     /// and this socket must be closed. | ||||||
|     pub async fn send(&self, payload: &[u8]) -> Option<()> { |     pub async fn send(&self, payload: &[u8]) -> Option<()> { | ||||||
|         let mut closing = self.closing_rx.clone(); |  | ||||||
|  |  | ||||||
|         match self.state { |         match self.state { | ||||||
|             State::Established => { |             State::Established => { | ||||||
|                 let buf = self.build_tcp_packet(tcp::TcpFlags::ACK, Some(payload)); |                 let buf = self.build_tcp_packet(tcp::TcpFlags::ACK, Some(payload)); | ||||||
|                 self.seq.fetch_add(payload.len() as u32, Ordering::Relaxed); |                 self.seq.fetch_add(payload.len() as u32, Ordering::Relaxed); | ||||||
|  |                 self.tun.send(&buf).await.ok().and(Some(())) | ||||||
|                 tokio::select! { |  | ||||||
|                     res = self.tun.send(&buf) => { |  | ||||||
|                         res.unwrap(); |  | ||||||
|                         Some(()) |  | ||||||
|                     }, |  | ||||||
|                     _ = closing.changed() => { |  | ||||||
|                         None |  | ||||||
|                     } |  | ||||||
|                 } |  | ||||||
|             } |             } | ||||||
|             _ => unreachable!(), |             _ => unreachable!(), | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     /// Attempt to receive a datagram from the other end. | ||||||
|  |     /// | ||||||
|  |     /// This method takes `&self`, and it can be called safely by multiple threads | ||||||
|  |     /// at the same time. | ||||||
|  |     /// | ||||||
|  |     /// A return of `None` means the TCP connection is broken | ||||||
|  |     /// and this socket must be closed. | ||||||
|     pub async fn recv(&self, buf: &mut [u8]) -> Option<usize> { |     pub async fn recv(&self, buf: &mut [u8]) -> Option<usize> { | ||||||
|         let mut closing = self.closing_rx.clone(); |  | ||||||
|  |  | ||||||
|         match self.state { |         match self.state { | ||||||
|             State::Established => { |             State::Established => { | ||||||
|                 let mut incoming = self.incoming.lock().await; |                 self.incoming.recv_async().await.ok().and_then(|raw_buf| { | ||||||
|                 tokio::select! { |                     let (_v4_packet, tcp_packet) = parse_ip_packet(&raw_buf).unwrap(); | ||||||
|                     Some(raw_buf) = incoming.recv() => { |  | ||||||
|                         let (_v4_packet, tcp_packet) = parse_ipv4_packet(&raw_buf); |  | ||||||
|  |  | ||||||
|                     if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 { |                     if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 { | ||||||
|                         info!("Connection {} reset by peer", self); |                         info!("Connection {} reset by peer", self); | ||||||
|                             self.close(); |  | ||||||
|                         return None; |                         return None; | ||||||
|                     } |                     } | ||||||
|  |  | ||||||
|                     let payload = tcp_packet.payload(); |                     let payload = tcp_packet.payload(); | ||||||
|  |  | ||||||
|                         self.ack |                     let new_ack = tcp_packet.get_sequence().wrapping_add(payload.len() as u32); | ||||||
|                             .store(tcp_packet.get_sequence().wrapping_add(1), Ordering::Relaxed); |                     let last_ask = self.last_ack.load(Ordering::Relaxed); | ||||||
|  |                     self.ack.store(new_ack, Ordering::Relaxed); | ||||||
|  |  | ||||||
|  |                     if new_ack.overflowing_sub(last_ask).0 > MAX_UNACKED_LEN { | ||||||
|  |                         let buf = self.build_tcp_packet(tcp::TcpFlags::ACK, None); | ||||||
|  |                         if let Err(e) = self.tun.try_send(&buf) { | ||||||
|  |                             // This should not really happen as we have not sent anything for | ||||||
|  |                             // quite some time... | ||||||
|  |                             info!("Connection {} unable to send idling ACK back: {}", self, e) | ||||||
|  |                         } | ||||||
|  |                     } | ||||||
|  |  | ||||||
|                     buf[..payload.len()].copy_from_slice(payload); |                     buf[..payload.len()].copy_from_slice(payload); | ||||||
|  |  | ||||||
|                     Some(payload.len()) |                     Some(payload.len()) | ||||||
|                     }, |                 }) | ||||||
|                     _ = closing.changed() => { |  | ||||||
|                         None |  | ||||||
|                     } |  | ||||||
|                 } |  | ||||||
|             } |             } | ||||||
|             _ => unreachable!(), |             _ => unreachable!(), | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     pub fn close(&self) { |  | ||||||
|         self.closing_tx.send(()).unwrap(); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     async fn accept(mut self) { |     async fn accept(mut self) { | ||||||
|         for _ in 0..RETRIES { |         for _ in 0..RETRIES { | ||||||
|             match self.state { |             match self.state { | ||||||
| @@ -184,10 +233,10 @@ impl Socket { | |||||||
|                     info!("Sent SYN + ACK to client"); |                     info!("Sent SYN + ACK to client"); | ||||||
|                 } |                 } | ||||||
|                 State::SynReceived => { |                 State::SynReceived => { | ||||||
|                     let res = time::timeout(TIMEOUT, self.incoming.lock().await.recv()).await; |                     let res = time::timeout(TIMEOUT, self.incoming.recv_async()).await; | ||||||
|                     if let Ok(buf) = res { |                     if let Ok(buf) = res { | ||||||
|                         let buf = buf.unwrap(); |                         let buf = buf.unwrap(); | ||||||
|                         let (_v4_packet, tcp_packet) = parse_ipv4_packet(&buf); |                         let (_v4_packet, tcp_packet) = parse_ip_packet(&buf).unwrap(); | ||||||
|  |  | ||||||
|                         if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 { |                         if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 { | ||||||
|                             return; |                             return; | ||||||
| @@ -228,10 +277,10 @@ impl Socket { | |||||||
|                     info!("Sent SYN to server"); |                     info!("Sent SYN to server"); | ||||||
|                 } |                 } | ||||||
|                 State::SynSent => { |                 State::SynSent => { | ||||||
|                     match time::timeout(TIMEOUT, self.incoming.lock().await.recv()).await { |                     match time::timeout(TIMEOUT, self.incoming.recv_async()).await { | ||||||
|                         Ok(buf) => { |                         Ok(buf) => { | ||||||
|                             let buf = buf.unwrap(); |                             let buf = buf.unwrap(); | ||||||
|                             let (_v4_packet, tcp_packet) = parse_ipv4_packet(&buf); |                             let (_v4_packet, tcp_packet) = parse_ip_packet(&buf).unwrap(); | ||||||
|  |  | ||||||
|                             if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 { |                             if (tcp_packet.get_flags() & tcp::TcpFlags::RST) != 0 { | ||||||
|                                 return None; |                                 return None; | ||||||
| @@ -271,6 +320,7 @@ impl Socket { | |||||||
| } | } | ||||||
|  |  | ||||||
| impl Drop for Socket { | impl Drop for Socket { | ||||||
|  |     /// Drop the socket and close the TCP connection | ||||||
|     fn drop(&mut self) { |     fn drop(&mut self) { | ||||||
|         let tuple = AddrTuple::new(self.local_addr, self.remote_addr); |         let tuple = AddrTuple::new(self.local_addr, self.remote_addr); | ||||||
|         // dissociates ourself from the dispatch map |         // dissociates ourself from the dispatch map | ||||||
| @@ -278,16 +328,24 @@ impl Drop for Socket { | |||||||
|         // purge cache |         // purge cache | ||||||
|         self.shared.tuples_purge.send(tuple).unwrap(); |         self.shared.tuples_purge.send(tuple).unwrap(); | ||||||
|  |  | ||||||
|         let buf = self.build_tcp_packet(tcp::TcpFlags::RST, None); |         let buf = build_tcp_packet( | ||||||
|  |             self.local_addr, | ||||||
|  |             self.remote_addr, | ||||||
|  |             self.seq.load(Ordering::Relaxed), | ||||||
|  |             0, | ||||||
|  |             tcp::TcpFlags::RST, | ||||||
|  |             None, | ||||||
|  |         ); | ||||||
|         if let Err(e) = self.tun.try_send(&buf) { |         if let Err(e) = self.tun.try_send(&buf) { | ||||||
|             warn!("Unable to send RST to remote end: {}", e); |             warn!("Unable to send RST to remote end: {}", e); | ||||||
|         } |         } | ||||||
|         self.close(); |  | ||||||
|         info!("Fake TCP connection to {} closed", self); |         info!("Fake TCP connection to {} closed", self); | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| impl fmt::Display for Socket { | impl fmt::Display for Socket { | ||||||
|  |     /// User-friendly string representation of the socket | ||||||
|     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { |     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { | ||||||
|         write!( |         write!( | ||||||
|             f, |             f, | ||||||
| @@ -297,8 +355,13 @@ impl fmt::Display for Socket { | |||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
|  | /// A userspace TCP state machine | ||||||
| impl Stack { | impl Stack { | ||||||
|     pub fn new(tun: Vec<Tun>) -> Stack { |     /// Create a new stack, `tun` is an array of [`Tun`](tokio_tun::Tun). | ||||||
|  |     /// When more than one [`Tun`](tokio_tun::Tun) object is passed in, same amount | ||||||
|  |     /// of reader will be spawned later. This allows user to utilize the performance | ||||||
|  |     /// benefit of Multiqueue Tun support on machines with SMP. | ||||||
|  |     pub fn new(tun: Vec<Tun>, local_ip: Ipv4Addr, local_ip6: Option<Ipv6Addr>) -> Stack { | ||||||
|         let tun: Vec<Arc<Tun>> = tun.into_iter().map(Arc::new).collect(); |         let tun: Vec<Arc<Tun>> = tun.into_iter().map(Arc::new).collect(); | ||||||
|         let (ready_tx, ready_rx) = mpsc::channel(MPSC_BUFFER_LEN); |         let (ready_tx, ready_rx) = mpsc::channel(MPSC_BUFFER_LEN); | ||||||
|         let (tuples_purge_tx, _tuples_purge_rx) = broadcast::channel(16); |         let (tuples_purge_tx, _tuples_purge_rx) = broadcast::channel(16); | ||||||
| @@ -309,7 +372,6 @@ impl Stack { | |||||||
|             ready: ready_tx, |             ready: ready_tx, | ||||||
|             tuples_purge: tuples_purge_tx.clone(), |             tuples_purge: tuples_purge_tx.clone(), | ||||||
|         }); |         }); | ||||||
|         let local_ip = tun[0].destination().unwrap(); |  | ||||||
|  |  | ||||||
|         for t in tun { |         for t in tun { | ||||||
|             tokio::spawn(Stack::reader_task( |             tokio::spawn(Stack::reader_task( | ||||||
| @@ -322,24 +384,49 @@ impl Stack { | |||||||
|         Stack { |         Stack { | ||||||
|             shared, |             shared, | ||||||
|             local_ip, |             local_ip, | ||||||
|  |             local_ip6, | ||||||
|             ready: ready_rx, |             ready: ready_rx, | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     /// Listens for incoming connections on the given `port`. | ||||||
|     pub fn listen(&mut self, port: u16) { |     pub fn listen(&mut self, port: u16) { | ||||||
|         assert!(self.shared.listening.write().unwrap().insert(port)); |         assert!(self.shared.listening.write().unwrap().insert(port)); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |     /// Accepts an incoming connection. | ||||||
|     pub async fn accept(&mut self) -> Socket { |     pub async fn accept(&mut self) -> Socket { | ||||||
|         self.ready.recv().await.unwrap() |         self.ready.recv().await.unwrap() | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     pub async fn connect(&mut self, addr: SocketAddrV4) -> Option<Socket> { |     /// Connects to the remote end. `None` returned means | ||||||
|         let mut rng = SmallRng::from_entropy(); |     /// the connection attempt failed. | ||||||
|         let local_port: u16 = rng.gen_range(1024..65535); |     pub async fn connect(&mut self, addr: SocketAddr) -> Option<Socket> { | ||||||
|         let local_addr = SocketAddrV4::new(self.local_ip, local_port); |         let mut rng = SmallRng::from_os_rng(); | ||||||
|  |         for local_port in rng.random_range(32768..=60999)..=60999 { | ||||||
|  |             let local_addr = SocketAddr::new( | ||||||
|  |                 if addr.is_ipv4() { | ||||||
|  |                     IpAddr::V4(self.local_ip) | ||||||
|  |                 } else { | ||||||
|  |                     IpAddr::V6(self.local_ip6.expect("IPv6 local address undefined")) | ||||||
|  |                 }, | ||||||
|  |                 local_port, | ||||||
|  |             ); | ||||||
|             let tuple = AddrTuple::new(local_addr, addr); |             let tuple = AddrTuple::new(local_addr, addr); | ||||||
|         let (mut sock, incoming) = Socket::new( |             let mut sock; | ||||||
|  |  | ||||||
|  |             { | ||||||
|  |                 let mut tuples = self.shared.tuples.write().unwrap(); | ||||||
|  |                 if tuples.contains_key(&tuple) { | ||||||
|  |                     trace!( | ||||||
|  |                         "Fake TCP connection to {}, local port number {} already in use, trying another one", | ||||||
|  |                         addr, local_port | ||||||
|  |                     ); | ||||||
|  |                     continue; | ||||||
|  |                 } | ||||||
|  |  | ||||||
|  |                 let incoming; | ||||||
|  |                 (sock, incoming) = Socket::new( | ||||||
|                     self.shared.clone(), |                     self.shared.clone(), | ||||||
|                     self.shared.tun.choose(&mut rng).unwrap().clone(), |                     self.shared.tun.choose(&mut rng).unwrap().clone(), | ||||||
|                     local_addr, |                     local_addr, | ||||||
| @@ -348,12 +435,17 @@ impl Stack { | |||||||
|                     State::Idle, |                     State::Idle, | ||||||
|                 ); |                 ); | ||||||
|  |  | ||||||
|         { |                 assert!(tuples.insert(tuple, incoming).is_none()); | ||||||
|             let mut tuples = self.shared.tuples.write().unwrap(); |  | ||||||
|             assert!(tuples.insert(tuple, incoming.clone()).is_none()); |  | ||||||
|             } |             } | ||||||
|  |  | ||||||
|         sock.connect().await.map(|_| sock) |             return sock.connect().await.map(|_| sock); | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         error!( | ||||||
|  |             "Fake TCP connection to {} failed, emphemeral port number exhausted", | ||||||
|  |             addr | ||||||
|  |         ); | ||||||
|  |         None | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     async fn reader_task( |     async fn reader_task( | ||||||
| @@ -361,11 +453,10 @@ impl Stack { | |||||||
|         shared: Arc<Shared>, |         shared: Arc<Shared>, | ||||||
|         mut tuples_purge: broadcast::Receiver<AddrTuple>, |         mut tuples_purge: broadcast::Receiver<AddrTuple>, | ||||||
|     ) { |     ) { | ||||||
|         let mut tuples: HashMap<AddrTuple, Sender<Bytes>> = HashMap::new(); |         let mut tuples: HashMap<AddrTuple, flume::Sender<Bytes>> = HashMap::new(); | ||||||
|  |  | ||||||
|         loop { |         loop { | ||||||
|             let mut buf = BytesMut::with_capacity(MAX_PACKET_LEN); |             let mut buf = BytesMut::zeroed(MAX_PACKET_LEN); | ||||||
|             buf.resize(MAX_PACKET_LEN, 0); |  | ||||||
|  |  | ||||||
|             tokio::select! { |             tokio::select! { | ||||||
|                 size = tun.recv(&mut buf) => { |                 size = tun.recv(&mut buf) => { | ||||||
| @@ -373,19 +464,15 @@ impl Stack { | |||||||
|                     buf.truncate(size); |                     buf.truncate(size); | ||||||
|                     let buf = buf.freeze(); |                     let buf = buf.freeze(); | ||||||
|  |  | ||||||
|                     if buf[0] >> 4 != 4 { |                     match parse_ip_packet(&buf) { | ||||||
|                         // not an IPv4 packet |                         Some((ip_packet, tcp_packet)) => { | ||||||
|                         continue; |  | ||||||
|                     } |  | ||||||
|  |  | ||||||
|                     let (ip_packet, tcp_packet) = parse_ipv4_packet(&buf); |  | ||||||
|                             let local_addr = |                             let local_addr = | ||||||
|                         SocketAddrV4::new(ip_packet.get_destination(), tcp_packet.get_destination()); |                                 SocketAddr::new(ip_packet.get_destination(), tcp_packet.get_destination()); | ||||||
|                     let remote_addr = SocketAddrV4::new(ip_packet.get_source(), tcp_packet.get_source()); |                             let remote_addr = SocketAddr::new(ip_packet.get_source(), tcp_packet.get_source()); | ||||||
|  |  | ||||||
|                             let tuple = AddrTuple::new(local_addr, remote_addr); |                             let tuple = AddrTuple::new(local_addr, remote_addr); | ||||||
|                             if let Some(c) = tuples.get(&tuple) { |                             if let Some(c) = tuples.get(&tuple) { | ||||||
|                         if c.send(buf).await.is_err() { |                                 if c.send_async(buf).await.is_err() { | ||||||
|                                     trace!("Cache hit, but receiver already closed, dropping packet"); |                                     trace!("Cache hit, but receiver already closed, dropping packet"); | ||||||
|                                 } |                                 } | ||||||
|  |  | ||||||
| @@ -393,19 +480,17 @@ impl Stack { | |||||||
|  |  | ||||||
|                                 // If not Ok, receiver has been closed and just fall through to the slow |                                 // If not Ok, receiver has been closed and just fall through to the slow | ||||||
|                                 // path below |                                 // path below | ||||||
|  |  | ||||||
|                             } else { |                             } else { | ||||||
|                                 trace!("Cache miss, checking the shared tuples table for connection"); |                                 trace!("Cache miss, checking the shared tuples table for connection"); | ||||||
|                         let sender; |                                 let sender = { | ||||||
|                         { |  | ||||||
|                                     let tuples = shared.tuples.read().unwrap(); |                                     let tuples = shared.tuples.read().unwrap(); | ||||||
|                             sender = tuples.get(&tuple).cloned(); |                                     tuples.get(&tuple).cloned() | ||||||
|                         } |                                 }; | ||||||
|  |  | ||||||
|                                 if let Some(c) = sender { |                                 if let Some(c) = sender { | ||||||
|                                     trace!("Storing connection information into local tuples"); |                                     trace!("Storing connection information into local tuples"); | ||||||
|                                     tuples.insert(tuple, c.clone()); |                                     tuples.insert(tuple, c.clone()); | ||||||
|                             c.send(buf).await.unwrap(); |                                     c.send_async(buf).await.unwrap(); | ||||||
|                                     continue; |                                     continue; | ||||||
|                                 } |                                 } | ||||||
|                             } |                             } | ||||||
| @@ -440,8 +525,8 @@ impl Stack { | |||||||
|                                         local_addr, |                                         local_addr, | ||||||
|                                         remote_addr, |                                         remote_addr, | ||||||
|                                         0, |                                         0, | ||||||
|                                 tcp_packet.get_sequence() + 1, |                                         tcp_packet.get_sequence() + tcp_packet.payload().len() as u32 + 1, // +1 because of SYN flag set | ||||||
|                                 tcp::TcpFlags::RST, |                                         tcp::TcpFlags::RST | tcp::TcpFlags::ACK, | ||||||
|                                         None, |                                         None, | ||||||
|                                     ); |                                     ); | ||||||
|                                     shared.tun[0].try_send(&buf).unwrap(); |                                     shared.tun[0].try_send(&buf).unwrap(); | ||||||
| @@ -452,17 +537,22 @@ impl Stack { | |||||||
|                                     local_addr, |                                     local_addr, | ||||||
|                                     remote_addr, |                                     remote_addr, | ||||||
|                                     tcp_packet.get_acknowledgement(), |                                     tcp_packet.get_acknowledgement(), | ||||||
|                             0, |                                     tcp_packet.get_sequence() + tcp_packet.payload().len() as u32, | ||||||
|                             tcp::TcpFlags::RST, |                                     tcp::TcpFlags::RST | tcp::TcpFlags::ACK, | ||||||
|                                     None, |                                     None, | ||||||
|                                 ); |                                 ); | ||||||
|                                 shared.tun[0].try_send(&buf).unwrap(); |                                 shared.tun[0].try_send(&buf).unwrap(); | ||||||
|                             } |                             } | ||||||
|  |                         } | ||||||
|  |                         None => { | ||||||
|  |                             continue; | ||||||
|  |                         } | ||||||
|  |                     } | ||||||
|                 }, |                 }, | ||||||
|                 tuple = tuples_purge.recv() => { |                 tuple = tuples_purge.recv() => { | ||||||
|                     let tuple = tuple.unwrap(); |                     let tuple = tuple.unwrap(); | ||||||
|                     tuples.remove(&tuple); |                     tuples.remove(&tuple); | ||||||
|                     trace!("Removed cached tuple"); |                     trace!("Removed cached tuple: {:?}", tuple); | ||||||
|                 } |                 } | ||||||
|             } |             } | ||||||
|         } |         } | ||||||
|   | |||||||
| @@ -1,45 +1,84 @@ | |||||||
| use bytes::{Bytes, BytesMut}; | use bytes::{Bytes, BytesMut}; | ||||||
| use internet_checksum::Checksum; | use internet_checksum::Checksum; | ||||||
| use pnet::packet::Packet; | use pnet::packet::Packet; | ||||||
| use pnet::packet::{ip, ipv4, tcp}; | use pnet::packet::{ip, ipv4, ipv6, tcp}; | ||||||
| use std::convert::TryInto; | use std::convert::TryInto; | ||||||
| use std::net::SocketAddrV4; | use std::net::{IpAddr, SocketAddr}; | ||||||
|  |  | ||||||
| const IPV4_HEADER_LEN: usize = 20; | const IPV4_HEADER_LEN: usize = 20; | ||||||
|  | const IPV6_HEADER_LEN: usize = 40; | ||||||
| const TCP_HEADER_LEN: usize = 20; | const TCP_HEADER_LEN: usize = 20; | ||||||
| pub const MAX_PACKET_LEN: usize = 1500; | pub const MAX_PACKET_LEN: usize = 1500; | ||||||
|  |  | ||||||
|  | pub enum IPPacket<'p> { | ||||||
|  |     V4(ipv4::Ipv4Packet<'p>), | ||||||
|  |     V6(ipv6::Ipv6Packet<'p>), | ||||||
|  | } | ||||||
|  |  | ||||||
|  | impl IPPacket<'_> { | ||||||
|  |     pub fn get_source(&self) -> IpAddr { | ||||||
|  |         match self { | ||||||
|  |             IPPacket::V4(p) => IpAddr::V4(p.get_source()), | ||||||
|  |             IPPacket::V6(p) => IpAddr::V6(p.get_source()), | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     pub fn get_destination(&self) -> IpAddr { | ||||||
|  |         match self { | ||||||
|  |             IPPacket::V4(p) => IpAddr::V4(p.get_destination()), | ||||||
|  |             IPPacket::V6(p) => IpAddr::V6(p.get_destination()), | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  | } | ||||||
|  |  | ||||||
| pub fn build_tcp_packet( | pub fn build_tcp_packet( | ||||||
|     local_addr: SocketAddrV4, |     local_addr: SocketAddr, | ||||||
|     remote_addr: SocketAddrV4, |     remote_addr: SocketAddr, | ||||||
|     seq: u32, |     seq: u32, | ||||||
|     ack: u32, |     ack: u32, | ||||||
|     flags: u16, |     flags: u8, | ||||||
|     payload: Option<&[u8]>, |     payload: Option<&[u8]>, | ||||||
| ) -> Bytes { | ) -> Bytes { | ||||||
|  |     let ip_header_len = match local_addr { | ||||||
|  |         SocketAddr::V4(_) => IPV4_HEADER_LEN, | ||||||
|  |         SocketAddr::V6(_) => IPV6_HEADER_LEN, | ||||||
|  |     }; | ||||||
|     let wscale = (flags & tcp::TcpFlags::SYN) != 0; |     let wscale = (flags & tcp::TcpFlags::SYN) != 0; | ||||||
|     let tcp_header_len = TCP_HEADER_LEN + if wscale { 4 } else { 0 }; // nop + wscale |     let tcp_header_len = TCP_HEADER_LEN + if wscale { 4 } else { 0 }; // nop + wscale | ||||||
|     let tcp_total_len = tcp_header_len + payload.map_or(0, |payload| payload.len()); |     let tcp_total_len = tcp_header_len + payload.map_or(0, |payload| payload.len()); | ||||||
|     let total_len = IPV4_HEADER_LEN + tcp_total_len; |     let total_len = ip_header_len + tcp_total_len; | ||||||
|     let mut buf = BytesMut::with_capacity(total_len); |     let mut buf = BytesMut::zeroed(total_len); | ||||||
|     buf.resize(total_len, 0); |  | ||||||
|  |  | ||||||
|     let mut v4_buf = buf.split_to(IPV4_HEADER_LEN); |     let mut ip_buf = buf.split_to(ip_header_len); | ||||||
|     let mut tcp_buf = buf.split_to(tcp_total_len); |     let mut tcp_buf = buf.split_to(tcp_total_len); | ||||||
|     assert_eq!(0, buf.len()); |     assert_eq!(0, buf.len()); | ||||||
|  |  | ||||||
|     let mut v4 = ipv4::MutableIpv4Packet::new(&mut v4_buf).unwrap(); |     match (local_addr, remote_addr) { | ||||||
|  |         (SocketAddr::V4(local), SocketAddr::V4(remote)) => { | ||||||
|  |             let mut v4 = ipv4::MutableIpv4Packet::new(&mut ip_buf).unwrap(); | ||||||
|             v4.set_version(4); |             v4.set_version(4); | ||||||
|             v4.set_header_length(IPV4_HEADER_LEN as u8 / 4); |             v4.set_header_length(IPV4_HEADER_LEN as u8 / 4); | ||||||
|             v4.set_next_level_protocol(ip::IpNextHeaderProtocols::Tcp); |             v4.set_next_level_protocol(ip::IpNextHeaderProtocols::Tcp); | ||||||
|             v4.set_ttl(64); |             v4.set_ttl(64); | ||||||
|     v4.set_source(*local_addr.ip()); |             v4.set_source(*local.ip()); | ||||||
|     v4.set_destination(*remote_addr.ip()); |             v4.set_destination(*remote.ip()); | ||||||
|             v4.set_total_length(total_len.try_into().unwrap()); |             v4.set_total_length(total_len.try_into().unwrap()); | ||||||
|             v4.set_flags(ipv4::Ipv4Flags::DontFragment); |             v4.set_flags(ipv4::Ipv4Flags::DontFragment); | ||||||
|             let mut cksm = Checksum::new(); |             let mut cksm = Checksum::new(); | ||||||
|             cksm.add_bytes(v4.packet()); |             cksm.add_bytes(v4.packet()); | ||||||
|             v4.set_checksum(u16::from_be_bytes(cksm.checksum())); |             v4.set_checksum(u16::from_be_bytes(cksm.checksum())); | ||||||
|  |         } | ||||||
|  |         (SocketAddr::V6(local), SocketAddr::V6(remote)) => { | ||||||
|  |             let mut v6 = ipv6::MutableIpv6Packet::new(&mut ip_buf).unwrap(); | ||||||
|  |             v6.set_version(6); | ||||||
|  |             v6.set_payload_length(tcp_total_len.try_into().unwrap()); | ||||||
|  |             v6.set_next_header(ip::IpNextHeaderProtocols::Tcp); | ||||||
|  |             v6.set_hop_limit(64); | ||||||
|  |             v6.set_source(*local.ip()); | ||||||
|  |             v6.set_destination(*remote.ip()); | ||||||
|  |         } | ||||||
|  |         _ => unreachable!(), | ||||||
|  |     }; | ||||||
|  |  | ||||||
|     let mut tcp = tcp::MutableTcpPacket::new(&mut tcp_buf).unwrap(); |     let mut tcp = tcp::MutableTcpPacket::new(&mut tcp_buf).unwrap(); | ||||||
|     tcp.set_window(0xffff); |     tcp.set_window(0xffff); | ||||||
| @@ -59,24 +98,55 @@ pub fn build_tcp_packet( | |||||||
|     } |     } | ||||||
|  |  | ||||||
|     let mut cksm = Checksum::new(); |     let mut cksm = Checksum::new(); | ||||||
|     cksm.add_bytes(&local_addr.ip().octets()); |  | ||||||
|     cksm.add_bytes(&remote_addr.ip().octets()); |  | ||||||
|     let ip::IpNextHeaderProtocol(tcp_protocol) = ip::IpNextHeaderProtocols::Tcp; |     let ip::IpNextHeaderProtocol(tcp_protocol) = ip::IpNextHeaderProtocols::Tcp; | ||||||
|  |  | ||||||
|  |     match (local_addr, remote_addr) { | ||||||
|  |         (SocketAddr::V4(local), SocketAddr::V4(remote)) => { | ||||||
|  |             cksm.add_bytes(&local.ip().octets()); | ||||||
|  |             cksm.add_bytes(&remote.ip().octets()); | ||||||
|  |  | ||||||
|             let mut pseudo = [0u8, tcp_protocol, 0, 0]; |             let mut pseudo = [0u8, tcp_protocol, 0, 0]; | ||||||
|             pseudo[2..].copy_from_slice(&(tcp_total_len as u16).to_be_bytes()); |             pseudo[2..].copy_from_slice(&(tcp_total_len as u16).to_be_bytes()); | ||||||
|             cksm.add_bytes(&pseudo); |             cksm.add_bytes(&pseudo); | ||||||
|  |         } | ||||||
|  |         (SocketAddr::V6(local), SocketAddr::V6(remote)) => { | ||||||
|  |             cksm.add_bytes(&local.ip().octets()); | ||||||
|  |             cksm.add_bytes(&remote.ip().octets()); | ||||||
|  |  | ||||||
|  |             let mut pseudo = [0u8, 0, 0, 0, 0, 0, 0, tcp_protocol]; | ||||||
|  |             pseudo[0..4].copy_from_slice(&(tcp_total_len as u32).to_be_bytes()); | ||||||
|  |             cksm.add_bytes(&pseudo); | ||||||
|  |         } | ||||||
|  |         _ => unreachable!(), | ||||||
|  |     }; | ||||||
|  |  | ||||||
|     cksm.add_bytes(tcp.packet()); |     cksm.add_bytes(tcp.packet()); | ||||||
|     tcp.set_checksum(u16::from_be_bytes(cksm.checksum())); |     tcp.set_checksum(u16::from_be_bytes(cksm.checksum())); | ||||||
|  |  | ||||||
|     v4_buf.unsplit(tcp_buf); |     ip_buf.unsplit(tcp_buf); | ||||||
|     v4_buf.freeze() |     ip_buf.freeze() | ||||||
| } | } | ||||||
|  |  | ||||||
| pub fn parse_ipv4_packet(buf: &Bytes) -> (ipv4::Ipv4Packet, tcp::TcpPacket) { | pub fn parse_ip_packet(buf: &Bytes) -> Option<(IPPacket<'_>, tcp::TcpPacket<'_>)> { | ||||||
|  |     if buf[0] >> 4 == 4 { | ||||||
|         let v4 = ipv4::Ipv4Packet::new(buf).unwrap(); |         let v4 = ipv4::Ipv4Packet::new(buf).unwrap(); | ||||||
|     let tcp = tcp::TcpPacket::new(&buf[IPV4_HEADER_LEN..]).unwrap(); |         if v4.get_next_level_protocol() != ip::IpNextHeaderProtocols::Tcp { | ||||||
|  |             return None; | ||||||
|  |         } | ||||||
|  |  | ||||||
|     (v4, tcp) |         let tcp = tcp::TcpPacket::new(&buf[IPV4_HEADER_LEN..]).unwrap(); | ||||||
|  |         Some((IPPacket::V4(v4), tcp)) | ||||||
|  |     } else if buf[0] >> 4 == 6 { | ||||||
|  |         let v6 = ipv6::Ipv6Packet::new(buf).unwrap(); | ||||||
|  |         if v6.get_next_header() != ip::IpNextHeaderProtocols::Tcp { | ||||||
|  |             return None; | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         let tcp = tcp::TcpPacket::new(&buf[IPV6_HEADER_LEN..]).unwrap(); | ||||||
|  |         Some((IPPacket::V6(v6), tcp)) | ||||||
|  |     } else { | ||||||
|  |         None | ||||||
|  |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| #[cfg(all(test, feature = "benchmark"))] | #[cfg(all(test, feature = "benchmark"))] | ||||||
|   | |||||||
							
								
								
									
										
											BIN
										
									
								
								images/packet-headers.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								images/packet-headers.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 30 KiB | 
							
								
								
									
										
											BIN
										
									
								
								images/phantun-vs-udp2raw-benchmark-result.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								images/phantun-vs-udp2raw-benchmark-result.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 15 KiB | 
										
											Binary file not shown.
										
									
								
							| Before Width: | Height: | Size: 82 KiB After Width: | Height: | Size: 89 KiB | 
| @@ -1,7 +1,7 @@ | |||||||
| [package] | [package] | ||||||
| name = "phantun" | name = "phantun" | ||||||
| version = "0.2.2" | version = "0.8.1" | ||||||
| edition = "2021" | edition = "2024" | ||||||
| authors = ["Datong Sun <dndx@idndx.com>"] | authors = ["Datong Sun <dndx@idndx.com>"] | ||||||
| license = "MIT OR Apache-2.0" | license = "MIT OR Apache-2.0" | ||||||
| repository = "https://github.com/dndx/phantun" | repository = "https://github.com/dndx/phantun" | ||||||
| @@ -11,11 +11,14 @@ Transforms UDP stream into (fake) TCP streams that can go through | |||||||
| Layer 3 & Layer 4 (NAPT) firewalls/NATs. | Layer 3 & Layer 4 (NAPT) firewalls/NATs. | ||||||
| """ | """ | ||||||
| [dependencies] | [dependencies] | ||||||
| clap = "2.33.3" | clap = { version = "4", features = ["cargo"] } | ||||||
| socket2 = { version = "0.4.2", features = ["all"] } | socket2 = { version = "0", features = ["all"] } | ||||||
| fake-tcp = "0.1.2" | fake-tcp = { path = "../fake-tcp", version = "0" } | ||||||
| tokio = { version = "1.12.0", features = ["full"] } | tokio-util = "0" | ||||||
| log = "0.4" | pretty_env_logger = "0" | ||||||
| pretty_env_logger = "0.4.0" | tokio-tun = "0" | ||||||
| dndx-fork-tokio-tun = "0.3.16" | num_cpus = "1" | ||||||
| num_cpus = "1.13.0" | neli = "0" | ||||||
|  | nix = { version = "0", features = ["net", "uio", "socket"] } | ||||||
|  | tokio = { workspace = true } | ||||||
|  | log = { workspace = true } | ||||||
|   | |||||||
| @@ -186,7 +186,7 @@ APPENDIX: How to apply the Apache License to your work. | |||||||
|    same "printed page" as the copyright notice for easier |    same "printed page" as the copyright notice for easier | ||||||
|    identification within third-party archives. |    identification within third-party archives. | ||||||
|  |  | ||||||
| Copyright 2014-2021 The Rust Project Developers | Copyright 2021-2024 Datong Sun (dndx@idndx.com) | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 (the "License"); | Licensed under the Apache License, Version 2.0 (the "License"); | ||||||
| you may not use this file except in compliance with the License. | you may not use this file except in compliance with the License. | ||||||
|   | |||||||
| @@ -1,6 +1,6 @@ | |||||||
| MIT License | MIT License | ||||||
|  |  | ||||||
| Copyright (c) 2014-2021 The Rust Project Developers | Copyright (c) 2021-2024 Datong Sun (dndx@idndx.com) | ||||||
|  |  | ||||||
| Permission is hereby granted, free of charge, to any | Permission is hereby granted, free of charge, to any | ||||||
| person obtaining a copy of this software and associated | person obtaining a copy of this software and associated | ||||||
|   | |||||||
| @@ -4,7 +4,7 @@ Client/Server crate, see [Phantun Project README.md](https://github.com/dndx/pha | |||||||
|  |  | ||||||
| ## License | ## License | ||||||
|  |  | ||||||
| Copyright 2021 Datong Sun <dndx@idndx.com> | Copyright 2021-2025 Datong Sun <dndx@idndx.com> | ||||||
|  |  | ||||||
| Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or | Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or | ||||||
| [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license | [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)> or the MIT license | ||||||
|   | |||||||
| @@ -1,151 +1,191 @@ | |||||||
| extern crate dndx_fork_tokio_tun as tokio_tun; | use clap::{crate_version, Arg, ArgAction, Command}; | ||||||
|  |  | ||||||
| use clap::{crate_version, App, Arg}; |  | ||||||
| use fake_tcp::packet::MAX_PACKET_LEN; | use fake_tcp::packet::MAX_PACKET_LEN; | ||||||
| use fake_tcp::{Socket, Stack}; | use fake_tcp::{Socket, Stack}; | ||||||
| use log::{debug, error, info}; | use log::{debug, error, info}; | ||||||
|  | use phantun::utils::{assign_ipv6_address, new_udp_reuseport, udp_recv_pktinfo}; | ||||||
| use std::collections::HashMap; | use std::collections::HashMap; | ||||||
| use std::convert::TryInto; | use std::fs; | ||||||
| use std::net::{Ipv4Addr, SocketAddr, SocketAddrV4}; | use std::io; | ||||||
|  | use std::net::{IpAddr, Ipv4Addr, SocketAddr, SocketAddrV4, SocketAddrV6}; | ||||||
| use std::sync::Arc; | use std::sync::Arc; | ||||||
| use std::time::Duration; | use tokio::sync::{Notify, RwLock}; | ||||||
| use tokio::net::UdpSocket; |  | ||||||
| use tokio::sync::RwLock; |  | ||||||
| use tokio::time; | use tokio::time; | ||||||
| use tokio_tun::TunBuilder; | use tokio_tun::TunBuilder; | ||||||
|  | use tokio_util::sync::CancellationToken; | ||||||
|  |  | ||||||
| const UDP_TTL: Duration = Duration::from_secs(180); | use phantun::UDP_TTL; | ||||||
|  |  | ||||||
| fn new_udp_reuseport(addr: SocketAddr) -> UdpSocket { |  | ||||||
|     let udp_sock = socket2::Socket::new( |  | ||||||
|         if addr.is_ipv4() { |  | ||||||
|             socket2::Domain::IPV4 |  | ||||||
|         } else { |  | ||||||
|             socket2::Domain::IPV6 |  | ||||||
|         }, |  | ||||||
|         socket2::Type::DGRAM, |  | ||||||
|         None, |  | ||||||
|     ) |  | ||||||
|     .unwrap(); |  | ||||||
|     udp_sock.set_reuse_port(true).unwrap(); |  | ||||||
|     // from tokio-rs/mio/blob/master/src/sys/unix/net.rs |  | ||||||
|     udp_sock.set_cloexec(true).unwrap(); |  | ||||||
|     udp_sock.set_nonblocking(true).unwrap(); |  | ||||||
|     udp_sock.bind(&socket2::SockAddr::from(addr)).unwrap(); |  | ||||||
|     let udp_sock: std::net::UdpSocket = udp_sock.into(); |  | ||||||
|     udp_sock.try_into().unwrap() |  | ||||||
| } |  | ||||||
|  |  | ||||||
| #[tokio::main] | #[tokio::main] | ||||||
| async fn main() { | async fn main() -> io::Result<()> { | ||||||
|     pretty_env_logger::init(); |     pretty_env_logger::init(); | ||||||
|  |  | ||||||
|     let matches = App::new("Phantun Client") |     let matches = Command::new("Phantun Client") | ||||||
|         .version(crate_version!()) |         .version(crate_version!()) | ||||||
|         .author("Datong Sun (github.com/dndx)") |         .author("Datong Sun (github.com/dndx)") | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("local") |             Arg::new("local") | ||||||
|                 .short("l") |                 .short('l') | ||||||
|                 .long("local") |                 .long("local") | ||||||
|                 .required(true) |                 .required(true) | ||||||
|                 .value_name("IP:PORT") |                 .value_name("IP:PORT") | ||||||
|                 .help("Sets the IP and port where Phantun Client listens for incoming UDP datagrams, IPv6 address need to be specified as: \"[IPv6]:PORT\"") |                 .help("Sets the IP and port where Phantun Client listens for incoming UDP datagrams, IPv6 address need to be specified as: \"[IPv6]:PORT\"") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("remote") |             Arg::new("remote") | ||||||
|                 .short("r") |                 .short('r') | ||||||
|                 .long("remote") |                 .long("remote") | ||||||
|                 .required(true) |                 .required(true) | ||||||
|                 .value_name("IP:PORT") |                 .value_name("IP or HOST NAME:PORT") | ||||||
|                 .help("Sets the address and port where Phantun Client connects to Phantun Server") |                 .help("Sets the address or host name and port where Phantun Client connects to Phantun Server, IPv6 address need to be specified as: \"[IPv6]:PORT\"") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("tun") |             Arg::new("tun") | ||||||
|                 .long("tun") |                 .long("tun") | ||||||
|                 .required(false) |                 .required(false) | ||||||
|                 .value_name("tunX") |                 .value_name("tunX") | ||||||
|                 .help("Sets the Tun interface name, if absent, pick the next available name") |                 .help("Sets the Tun interface name, if absent, pick the next available name") | ||||||
|                 .default_value("") |                 .default_value("") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("tun_local") |             Arg::new("tun_local") | ||||||
|                 .long("tun-local") |                 .long("tun-local") | ||||||
|                 .required(false) |                 .required(false) | ||||||
|                 .value_name("IP") |                 .value_name("IP") | ||||||
|                 .help("Sets the Tun interface local address (O/S's end)") |                 .help("Sets the Tun interface IPv4 local address (O/S's end)") | ||||||
|                 .default_value("192.168.200.1") |                 .default_value("192.168.200.1") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("tun_peer") |             Arg::new("tun_peer") | ||||||
|                 .long("tun-peer") |                 .long("tun-peer") | ||||||
|                 .required(false) |                 .required(false) | ||||||
|                 .value_name("IP") |                 .value_name("IP") | ||||||
|                 .help("Sets the Tun interface destination (peer) address (Phantun Client's end). \ |                 .help("Sets the Tun interface IPv4 destination (peer) address (Phantun Client's end). \ | ||||||
|                        You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \ |                        You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \ | ||||||
|                        in order for Phantun Client to connect to Phantun Server") |                        in order for Phantun Client to connect to Phantun Server") | ||||||
|                 .default_value("192.168.200.2") |                 .default_value("192.168.200.2") | ||||||
|                 .takes_value(true), |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("ipv4_only") | ||||||
|  |                 .long("ipv4-only") | ||||||
|  |                 .short('4') | ||||||
|  |                 .required(false) | ||||||
|  |                 .help("Only use IPv4 address when connecting to remote") | ||||||
|  |                 .action(ArgAction::SetTrue) | ||||||
|  |                 .conflicts_with_all(["tun_local6", "tun_peer6"]), | ||||||
|  |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("tun_local6") | ||||||
|  |                 .long("tun-local6") | ||||||
|  |                 .required(false) | ||||||
|  |                 .value_name("IP") | ||||||
|  |                 .help("Sets the Tun interface IPv6 local address (O/S's end)") | ||||||
|  |                 .default_value("fcc8::1") | ||||||
|  |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("tun_peer6") | ||||||
|  |                 .long("tun-peer6") | ||||||
|  |                 .required(false) | ||||||
|  |                 .value_name("IP") | ||||||
|  |                 .help("Sets the Tun interface IPv6 destination (peer) address (Phantun Client's end). \ | ||||||
|  |                        You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \ | ||||||
|  |                        in order for Phantun Client to connect to Phantun Server") | ||||||
|  |                 .default_value("fcc8::2") | ||||||
|  |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("handshake_packet") | ||||||
|  |                 .long("handshake-packet") | ||||||
|  |                 .required(false) | ||||||
|  |                 .value_name("PATH") | ||||||
|  |                 .help("Specify a file, which, after TCP handshake, its content will be sent as the \ | ||||||
|  |                       first data packet to the server.\n\ | ||||||
|  |                       Note: ensure this file's size does not exceed the MTU of the outgoing interface. \ | ||||||
|  |                       The content is always sent out in a single packet and will not be further segmented") | ||||||
|         ) |         ) | ||||||
|         .get_matches(); |         .get_matches(); | ||||||
|  |  | ||||||
|     let local_addr: SocketAddr = matches |     let local_addr: SocketAddr = matches | ||||||
|         .value_of("local") |         .get_one::<String>("local") | ||||||
|         .unwrap() |         .unwrap() | ||||||
|         .parse() |         .parse() | ||||||
|         .expect("bad local address"); |         .expect("bad local address"); | ||||||
|     let remote_addr: SocketAddrV4 = matches |  | ||||||
|         .value_of("remote") |     let ipv4_only = matches.get_flag("ipv4_only"); | ||||||
|         .unwrap() |  | ||||||
|         .parse() |     let remote_addr = tokio::net::lookup_host(matches.get_one::<String>("remote").unwrap()) | ||||||
|         .expect("bad remote address"); |         .await | ||||||
|  |         .expect("bad remote address or host") | ||||||
|  |         .find(|addr| !ipv4_only || addr.is_ipv4()) | ||||||
|  |         .expect("unable to resolve remote host name"); | ||||||
|  |     info!("Remote address is: {}", remote_addr); | ||||||
|  |  | ||||||
|     let tun_local: Ipv4Addr = matches |     let tun_local: Ipv4Addr = matches | ||||||
|         .value_of("tun_local") |         .get_one::<String>("tun_local") | ||||||
|         .unwrap() |         .unwrap() | ||||||
|         .parse() |         .parse() | ||||||
|         .expect("bad local address for Tun interface"); |         .expect("bad local address for Tun interface"); | ||||||
|     let tun_peer: Ipv4Addr = matches |     let tun_peer: Ipv4Addr = matches | ||||||
|         .value_of("tun_peer") |         .get_one::<String>("tun_peer") | ||||||
|         .unwrap() |         .unwrap() | ||||||
|         .parse() |         .parse() | ||||||
|         .expect("bad peer address for Tun interface"); |         .expect("bad peer address for Tun interface"); | ||||||
|  |  | ||||||
|  |     let (tun_local6, tun_peer6) = if matches.get_flag("ipv4_only") { | ||||||
|  |         (None, None) | ||||||
|  |     } else { | ||||||
|  |         ( | ||||||
|  |             matches | ||||||
|  |                 .get_one::<String>("tun_local6") | ||||||
|  |                 .map(|v| v.parse().expect("bad local address for Tun interface")), | ||||||
|  |             matches | ||||||
|  |                 .get_one::<String>("tun_peer6") | ||||||
|  |                 .map(|v| v.parse().expect("bad peer address for Tun interface")), | ||||||
|  |         ) | ||||||
|  |     }; | ||||||
|  |  | ||||||
|  |     let tun_name = matches.get_one::<String>("tun").unwrap(); | ||||||
|  |     let handshake_packet: Option<Vec<u8>> = matches | ||||||
|  |         .get_one::<String>("handshake_packet") | ||||||
|  |         .map(fs::read) | ||||||
|  |         .transpose()?; | ||||||
|  |  | ||||||
|  |     let num_cpus = num_cpus::get(); | ||||||
|  |     info!("{} cores available", num_cpus); | ||||||
|  |  | ||||||
|     let tun = TunBuilder::new() |     let tun = TunBuilder::new() | ||||||
|         .name(matches.value_of("tun").unwrap()) // if name is empty, then it is set by kernel. |         .name(tun_name) // if name is empty, then it is set by kernel. | ||||||
|         .tap(false) // false (default): TUN, true: TAP. |  | ||||||
|         .packet_info(false) // false: IFF_NO_PI, default is true. |  | ||||||
|         .up() // or set it up manually using `sudo ip link set <tun-name> up`. |         .up() // or set it up manually using `sudo ip link set <tun-name> up`. | ||||||
|         .address(tun_local) |         .address(tun_local) | ||||||
|         .destination(tun_peer) |         .destination(tun_peer) | ||||||
|         .try_build_mq(num_cpus::get()) |         .queues(num_cpus) | ||||||
|  |         .build() | ||||||
|         .unwrap(); |         .unwrap(); | ||||||
|  |  | ||||||
|  |     if remote_addr.is_ipv6() { | ||||||
|  |         assign_ipv6_address(tun[0].name(), tun_local6.unwrap(), tun_peer6.unwrap()); | ||||||
|  |     } | ||||||
|  |  | ||||||
|     info!("Created TUN device {}", tun[0].name()); |     info!("Created TUN device {}", tun[0].name()); | ||||||
|  |  | ||||||
|     let udp_sock = Arc::new(new_udp_reuseport(local_addr)); |     let udp_sock = Arc::new(new_udp_reuseport(local_addr)); | ||||||
|     let connections = Arc::new(RwLock::new(HashMap::<SocketAddr, Arc<Socket>>::new())); |     let connections = Arc::new(RwLock::new(HashMap::<SocketAddr, Arc<Socket>>::new())); | ||||||
|  |  | ||||||
|     let mut stack = Stack::new(tun); |     let mut stack = Stack::new(tun, tun_peer, tun_peer6); | ||||||
|  |  | ||||||
|     let main_loop = tokio::spawn(async move { |     let main_loop = tokio::spawn(async move { | ||||||
|         let mut buf_r = [0u8; MAX_PACKET_LEN]; |         let mut buf_r = [0u8; MAX_PACKET_LEN]; | ||||||
|  |  | ||||||
|         loop { |         loop { | ||||||
|             tokio::select! { |             let (size, udp_remote_addr, udp_local_addr) = udp_recv_pktinfo(&udp_sock, &mut buf_r).await?; | ||||||
|                 Ok((size, addr)) = udp_sock.recv_from(&mut buf_r) => { |  | ||||||
|             // seen UDP packet to listening socket, this means: |             // seen UDP packet to listening socket, this means: | ||||||
|             // 1. It is a new UDP connection, or |             // 1. It is a new UDP connection, or | ||||||
|             // 2. It is some extra packets not filtered by more specific |             // 2. It is some extra packets not filtered by more specific | ||||||
|             //    connected UDP socket yet |             //    connected UDP socket yet | ||||||
|                     if let Some(sock) = connections.read().await.get(&addr) { |             if let Some(sock) = connections.read().await.get(&udp_remote_addr) { | ||||||
|                 sock.send(&buf_r[..size]).await; |                 sock.send(&buf_r[..size]).await; | ||||||
|                 continue; |                 continue; | ||||||
|             } |             } | ||||||
|  |  | ||||||
|                     info!("New UDP client from {}", addr); |             info!("New UDP client from {}", udp_remote_addr); | ||||||
|             let sock = stack.connect(remote_addr).await; |             let sock = stack.connect(remote_addr).await; | ||||||
|             if sock.is_none() { |             if sock.is_none() { | ||||||
|                 error!("Unable to connect to remote {}", remote_addr); |                 error!("Unable to connect to remote {}", remote_addr); | ||||||
| @@ -153,67 +193,135 @@ async fn main() { | |||||||
|             } |             } | ||||||
|  |  | ||||||
|             let sock = Arc::new(sock.unwrap()); |             let sock = Arc::new(sock.unwrap()); | ||||||
|                     // send first packet |             if let Some(ref p) = handshake_packet { | ||||||
|                     let res = sock.send(&buf_r[..size]).await; |                 if sock.send(p).await.is_none() { | ||||||
|                     if res.is_none() { |                     error!("Failed to send handshake packet to remote, closing connection."); | ||||||
|                     continue; |                     continue; | ||||||
|                 } |                 } | ||||||
|  |  | ||||||
|                     assert!(connections.write().await.insert(addr, sock.clone()).is_none()); |                 debug!("Sent handshake packet to: {}", sock); | ||||||
|                     debug!("inserted fake TCP socket into connection table"); |             } | ||||||
|  |  | ||||||
|                     let connections = connections.clone(); |             // send first packet | ||||||
|  |             if sock.send(&buf_r[..size]).await.is_none() { | ||||||
|  |                 continue; | ||||||
|  |             } | ||||||
|  |  | ||||||
|  |             assert!(connections | ||||||
|  |                 .write() | ||||||
|  |                 .await | ||||||
|  |                 .insert(udp_remote_addr, sock.clone()) | ||||||
|  |                 .is_none()); | ||||||
|  |             debug!("inserted fake TCP socket into connection table"); | ||||||
|  |  | ||||||
|             // spawn "fastpath" UDP socket and task, this will offload main task |             // spawn "fastpath" UDP socket and task, this will offload main task | ||||||
|             // from forwarding UDP packets |             // from forwarding UDP packets | ||||||
|  |  | ||||||
|  |             let packet_received = Arc::new(Notify::new()); | ||||||
|  |             let quit = CancellationToken::new(); | ||||||
|  |  | ||||||
|  |             for i in 0..num_cpus { | ||||||
|  |                 let sock = sock.clone(); | ||||||
|  |                 let quit = quit.clone(); | ||||||
|  |                 let packet_received = packet_received.clone(); | ||||||
|  |  | ||||||
|                 tokio::spawn(async move { |                 tokio::spawn(async move { | ||||||
|                     let mut buf_udp = [0u8; MAX_PACKET_LEN]; |                     let mut buf_udp = [0u8; MAX_PACKET_LEN]; | ||||||
|                     let mut buf_tcp = [0u8; MAX_PACKET_LEN]; |                     let mut buf_tcp = [0u8; MAX_PACKET_LEN]; | ||||||
|                         let udp_sock = new_udp_reuseport(local_addr); |                     // Always reply from the same address that the peer used to communicate with | ||||||
|                         udp_sock.connect(addr).await.unwrap(); |                     // us. This avoids a frequent problem with IPv6 privacy extensions when we | ||||||
|  |                     // erroneously bind to wrong short-lived temporary address even if the peer | ||||||
|  |                     // explicitly used a persistent address to communicate to us. | ||||||
|  |                     // | ||||||
|  |                     // To do so, first bind to (<incoming packet dst_ip>, <local addr port>), and then | ||||||
|  |                     // connect to (<incoming packet src_ip>, <incoming packet src_port>). | ||||||
|  |                     let bind_addr = match (udp_remote_addr, udp_local_addr) { | ||||||
|  |                         (SocketAddr::V4(_), IpAddr::V4(udp_local_ipv4)) => { | ||||||
|  |                             SocketAddr::V4(SocketAddrV4::new( | ||||||
|  |                                 udp_local_ipv4, | ||||||
|  |                                 local_addr.port(), | ||||||
|  |                             )) | ||||||
|  |                         } | ||||||
|  |                         (SocketAddr::V6(udp_remote_addr), IpAddr::V6(udp_local_ipv6)) => { | ||||||
|  |                             SocketAddr::V6(SocketAddrV6::new( | ||||||
|  |                                 udp_local_ipv6, | ||||||
|  |                                 local_addr.port(), | ||||||
|  |                                 udp_remote_addr.flowinfo(), | ||||||
|  |                                 udp_remote_addr.scope_id(), | ||||||
|  |                             )) | ||||||
|  |                         } | ||||||
|  |                         (_, _) => { | ||||||
|  |                             panic!("unexpected family combination for udp_remote_addr={udp_remote_addr} and udp_local_addr={udp_local_addr}"); | ||||||
|  |                         } | ||||||
|  |                     }; | ||||||
|  |                     let udp_sock = new_udp_reuseport(bind_addr); | ||||||
|  |                     udp_sock.connect(udp_remote_addr).await.unwrap(); | ||||||
|  |  | ||||||
|                     loop { |                     loop { | ||||||
|                             let read_timeout = time::sleep(UDP_TTL); |  | ||||||
|  |  | ||||||
|                         tokio::select! { |                         tokio::select! { | ||||||
|                             Ok(size) = udp_sock.recv(&mut buf_udp) => { |                             Ok(size) = udp_sock.recv(&mut buf_udp) => { | ||||||
|                                 if sock.send(&buf_udp[..size]).await.is_none() { |                                 if sock.send(&buf_udp[..size]).await.is_none() { | ||||||
|                                         connections.write().await.remove(&addr); |  | ||||||
|                                     debug!("removed fake TCP socket from connections table"); |                                     debug!("removed fake TCP socket from connections table"); | ||||||
|  |                                     quit.cancel(); | ||||||
|                                     return; |                                     return; | ||||||
|                                 } |                                 } | ||||||
|  |  | ||||||
|  |                                 packet_received.notify_one(); | ||||||
|                             }, |                             }, | ||||||
|                             res = sock.recv(&mut buf_tcp) => { |                             res = sock.recv(&mut buf_tcp) => { | ||||||
|                                 match res { |                                 match res { | ||||||
|                                     Some(size) => { |                                     Some(size) => { | ||||||
|                                             if size > 0 { |                                         if size > 0 | ||||||
|                                                 if let Err(e) = udp_sock.send(&buf_tcp[..size]).await { |                                             && let Err(e) = udp_sock.send(&buf_tcp[..size]).await { | ||||||
|                                                     connections.write().await.remove(&addr); |                                                 error!("Unable to send UDP packet to {}: {}, closing connection", e, remote_addr); | ||||||
|                                                     error!("Unable to send UDP packet to {}: {}, closing connection", e, addr); |                                                 quit.cancel(); | ||||||
|                                                 return; |                                                 return; | ||||||
|                                             } |                                             } | ||||||
|                                             } |  | ||||||
|                                     }, |                                     }, | ||||||
|                                     None => { |                                     None => { | ||||||
|                                             connections.write().await.remove(&addr); |  | ||||||
|                                         debug!("removed fake TCP socket from connections table"); |                                         debug!("removed fake TCP socket from connections table"); | ||||||
|  |                                         quit.cancel(); | ||||||
|                                         return; |                                         return; | ||||||
|                                     }, |                                     }, | ||||||
|                                 } |                                 } | ||||||
|  |  | ||||||
|  |                                 packet_received.notify_one(); | ||||||
|                             }, |                             }, | ||||||
|                                 _ = read_timeout => { |                             _ = quit.cancelled() => { | ||||||
|                                     info!("No traffic seen in the last {:?}, closing connection", UDP_TTL); |                                 debug!("worker {} terminated", i); | ||||||
|                                     connections.write().await.remove(&addr); |  | ||||||
|                                     debug!("removed fake TCP socket from connections table"); |  | ||||||
|                                 return; |                                 return; | ||||||
|                                 } |                             }, | ||||||
|                         }; |                         }; | ||||||
|                     } |                     } | ||||||
|                 }); |                 }); | ||||||
|  |             } | ||||||
|  |  | ||||||
|  |             let connections = connections.clone(); | ||||||
|  |             tokio::spawn(async move { | ||||||
|  |                 loop { | ||||||
|  |                     let read_timeout = time::sleep(UDP_TTL); | ||||||
|  |                     let packet_received_fut = packet_received.notified(); | ||||||
|  |  | ||||||
|  |                     tokio::select! { | ||||||
|  |                         _ = read_timeout => { | ||||||
|  |                             info!("No traffic seen in the last {:?}, closing connection", UDP_TTL); | ||||||
|  |                             connections.write().await.remove(&udp_remote_addr); | ||||||
|  |                             debug!("removed fake TCP socket from connections table"); | ||||||
|  |  | ||||||
|  |                             quit.cancel(); | ||||||
|  |                             return; | ||||||
|                         }, |                         }, | ||||||
|  |                         _ = quit.cancelled() => { | ||||||
|  |                             connections.write().await.remove(&udp_remote_addr); | ||||||
|  |                             debug!("removed fake TCP socket from connections table"); | ||||||
|  |                             return; | ||||||
|  |                         }, | ||||||
|  |                         _ = packet_received_fut => {}, | ||||||
|                     } |                     } | ||||||
|                 } |                 } | ||||||
|             }); |             }); | ||||||
|  |         } | ||||||
|  |     }); | ||||||
|  |  | ||||||
|     tokio::join!(main_loop).0.unwrap(); |     tokio::join!(main_loop).0.unwrap() | ||||||
| } | } | ||||||
|   | |||||||
| @@ -1,60 +1,61 @@ | |||||||
| extern crate dndx_fork_tokio_tun as tokio_tun; | use clap::{crate_version, Arg, ArgAction, Command}; | ||||||
|  |  | ||||||
| use clap::{crate_version, App, Arg}; |  | ||||||
| use fake_tcp::packet::MAX_PACKET_LEN; | use fake_tcp::packet::MAX_PACKET_LEN; | ||||||
| use fake_tcp::Stack; | use fake_tcp::Stack; | ||||||
| use log::{error, info}; | use log::{debug, error, info}; | ||||||
| use std::net::{Ipv4Addr, SocketAddr}; | use phantun::utils::{assign_ipv6_address, new_udp_reuseport}; | ||||||
|  | use std::fs; | ||||||
|  | use std::io; | ||||||
|  | use std::net::Ipv4Addr; | ||||||
|  | use std::sync::Arc; | ||||||
| use tokio::net::UdpSocket; | use tokio::net::UdpSocket; | ||||||
| use tokio::time::{self, Duration}; | use tokio::sync::Notify; | ||||||
|  | use tokio::time; | ||||||
| use tokio_tun::TunBuilder; | use tokio_tun::TunBuilder; | ||||||
| const UDP_TTL: Duration = Duration::from_secs(180); | use tokio_util::sync::CancellationToken; | ||||||
|  |  | ||||||
|  | use phantun::UDP_TTL; | ||||||
|  |  | ||||||
| #[tokio::main] | #[tokio::main] | ||||||
| async fn main() { | async fn main() -> io::Result<()> { | ||||||
|     pretty_env_logger::init(); |     pretty_env_logger::init(); | ||||||
|  |  | ||||||
|     let matches = App::new("Phantun Server") |     let matches = Command::new("Phantun Server") | ||||||
|         .version(crate_version!()) |         .version(crate_version!()) | ||||||
|         .author("Datong Sun (github.com/dndx)") |         .author("Datong Sun (github.com/dndx)") | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("local") |             Arg::new("local") | ||||||
|                 .short("l") |                 .short('l') | ||||||
|                 .long("local") |                 .long("local") | ||||||
|                 .required(true) |                 .required(true) | ||||||
|                 .value_name("PORT") |                 .value_name("PORT") | ||||||
|                 .help("Sets the port where Phantun Server listens for incoming Phantun Client TCP connections") |                 .help("Sets the port where Phantun Server listens for incoming Phantun Client TCP connections") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("remote") |             Arg::new("remote") | ||||||
|                 .short("r") |                 .short('r') | ||||||
|                 .long("remote") |                 .long("remote") | ||||||
|                 .required(true) |                 .required(true) | ||||||
|                 .value_name("IP:PORT") |                 .value_name("IP or HOST NAME:PORT") | ||||||
|                 .help("Sets the address and port where Phantun Server forwards UDP packets to, IPv6 address need to be specified as: \"[IPv6]:PORT\"") |                 .help("Sets the address or host name and port where Phantun Server forwards UDP packets to, IPv6 address need to be specified as: \"[IPv6]:PORT\"") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("tun") |             Arg::new("tun") | ||||||
|                 .long("tun") |                 .long("tun") | ||||||
|                 .required(false) |                 .required(false) | ||||||
|                 .value_name("tunX") |                 .value_name("tunX") | ||||||
|                 .help("Sets the Tun interface name, if absent, pick the next available name") |                 .help("Sets the Tun interface name, if absent, pick the next available name") | ||||||
|                 .default_value("") |                 .default_value("") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("tun_local") |             Arg::new("tun_local") | ||||||
|                 .long("tun-local") |                 .long("tun-local") | ||||||
|                 .required(false) |                 .required(false) | ||||||
|                 .value_name("IP") |                 .value_name("IP") | ||||||
|                 .help("Sets the Tun interface local address (O/S's end)") |                 .help("Sets the Tun interface local address (O/S's end)") | ||||||
|                 .default_value("192.168.201.1") |                 .default_value("192.168.201.1") | ||||||
|                 .takes_value(true), |  | ||||||
|         ) |         ) | ||||||
|         .arg( |         .arg( | ||||||
|             Arg::with_name("tun_peer") |             Arg::new("tun_peer") | ||||||
|                 .long("tun-peer") |                 .long("tun-peer") | ||||||
|                 .required(false) |                 .required(false) | ||||||
|                 .value_name("IP") |                 .value_name("IP") | ||||||
| @@ -62,45 +63,110 @@ async fn main() { | |||||||
|                        You will need to setup DNAT rules to this address in order for Phantun Server \ |                        You will need to setup DNAT rules to this address in order for Phantun Server \ | ||||||
|                        to accept TCP traffic from Phantun Client") |                        to accept TCP traffic from Phantun Client") | ||||||
|                 .default_value("192.168.201.2") |                 .default_value("192.168.201.2") | ||||||
|                 .takes_value(true), |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("ipv4_only") | ||||||
|  |                 .long("ipv4-only") | ||||||
|  |                 .short('4') | ||||||
|  |                 .required(false) | ||||||
|  |                 .help("Do not assign IPv6 addresses to Tun interface") | ||||||
|  |                 .action(ArgAction::SetTrue) | ||||||
|  |                 .conflicts_with_all(["tun_local6", "tun_peer6"]), | ||||||
|  |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("tun_local6") | ||||||
|  |                 .long("tun-local6") | ||||||
|  |                 .required(false) | ||||||
|  |                 .value_name("IP") | ||||||
|  |                 .help("Sets the Tun interface IPv6 local address (O/S's end)") | ||||||
|  |                 .default_value("fcc9::1") | ||||||
|  |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("tun_peer6") | ||||||
|  |                 .long("tun-peer6") | ||||||
|  |                 .required(false) | ||||||
|  |                 .value_name("IP") | ||||||
|  |                 .help("Sets the Tun interface IPv6 destination (peer) address (Phantun Client's end). \ | ||||||
|  |                        You will need to setup SNAT/MASQUERADE rules on your Internet facing interface \ | ||||||
|  |                        in order for Phantun Client to connect to Phantun Server") | ||||||
|  |                 .default_value("fcc9::2") | ||||||
|  |         ) | ||||||
|  |         .arg( | ||||||
|  |             Arg::new("handshake_packet") | ||||||
|  |                 .long("handshake-packet") | ||||||
|  |                 .required(false) | ||||||
|  |                 .value_name("PATH") | ||||||
|  |                 .help("Specify a file, which, after TCP handshake, its content will be sent as the \ | ||||||
|  |                       first data packet to the client.\n\ | ||||||
|  |                       Note: ensure this file's size does not exceed the MTU of the outgoing interface. \ | ||||||
|  |                       The content is always sent out in a single packet and will not be further segmented") | ||||||
|         ) |         ) | ||||||
|         .get_matches(); |         .get_matches(); | ||||||
|  |  | ||||||
|     let local_port: u16 = matches |     let local_port: u16 = matches | ||||||
|         .value_of("local") |         .get_one::<String>("local") | ||||||
|         .unwrap() |         .unwrap() | ||||||
|         .parse() |         .parse() | ||||||
|         .expect("bad local port"); |         .expect("bad local port"); | ||||||
|     let remote_addr: SocketAddr = matches |  | ||||||
|         .value_of("remote") |     let remote_addr = tokio::net::lookup_host(matches.get_one::<String>("remote").unwrap()) | ||||||
|         .unwrap() |         .await | ||||||
|         .parse() |         .expect("bad remote address or host") | ||||||
|         .expect("bad remote address"); |         .next() | ||||||
|  |         .expect("unable to resolve remote host name"); | ||||||
|  |  | ||||||
|  |     info!("Remote address is: {}", remote_addr); | ||||||
|  |  | ||||||
|     let tun_local: Ipv4Addr = matches |     let tun_local: Ipv4Addr = matches | ||||||
|         .value_of("tun_local") |         .get_one::<String>("tun_local") | ||||||
|         .unwrap() |         .unwrap() | ||||||
|         .parse() |         .parse() | ||||||
|         .expect("bad local address for Tun interface"); |         .expect("bad local address for Tun interface"); | ||||||
|     let tun_peer: Ipv4Addr = matches |     let tun_peer: Ipv4Addr = matches | ||||||
|         .value_of("tun_peer") |         .get_one::<String>("tun_peer") | ||||||
|         .unwrap() |         .unwrap() | ||||||
|         .parse() |         .parse() | ||||||
|         .expect("bad peer address for Tun interface"); |         .expect("bad peer address for Tun interface"); | ||||||
|  |  | ||||||
|  |     let (tun_local6, tun_peer6) = if matches.get_flag("ipv4_only") { | ||||||
|  |         (None, None) | ||||||
|  |     } else { | ||||||
|  |         ( | ||||||
|  |             matches | ||||||
|  |                 .get_one::<String>("tun_local6") | ||||||
|  |                 .map(|v| v.parse().expect("bad local address for Tun interface")), | ||||||
|  |             matches | ||||||
|  |                 .get_one::<String>("tun_peer6") | ||||||
|  |                 .map(|v| v.parse().expect("bad peer address for Tun interface")), | ||||||
|  |         ) | ||||||
|  |     }; | ||||||
|  |  | ||||||
|  |     let tun_name = matches.get_one::<String>("tun").unwrap(); | ||||||
|  |     let handshake_packet: Option<Vec<u8>> = matches | ||||||
|  |         .get_one::<String>("handshake_packet") | ||||||
|  |         .map(fs::read) | ||||||
|  |         .transpose()?; | ||||||
|  |  | ||||||
|  |     let num_cpus = num_cpus::get(); | ||||||
|  |     info!("{} cores available", num_cpus); | ||||||
|  |  | ||||||
|     let tun = TunBuilder::new() |     let tun = TunBuilder::new() | ||||||
|         .name(matches.value_of("tun").unwrap()) // if name is empty, then it is set by kernel. |         .name(tun_name) // if name is empty, then it is set by kernel. | ||||||
|         .tap(false) // false (default): TUN, true: TAP. |  | ||||||
|         .packet_info(false) // false: IFF_NO_PI, default is true. |  | ||||||
|         .up() // or set it up manually using `sudo ip link set <tun-name> up`. |         .up() // or set it up manually using `sudo ip link set <tun-name> up`. | ||||||
|         .address(tun_local) |         .address(tun_local) | ||||||
|         .destination(tun_peer) |         .destination(tun_peer) | ||||||
|         .try_build_mq(num_cpus::get()) |         .queues(num_cpus) | ||||||
|  |         .build() | ||||||
|         .unwrap(); |         .unwrap(); | ||||||
|  |  | ||||||
|  |     if let (Some(tun_local6), Some(tun_peer6)) = (tun_local6, tun_peer6) { | ||||||
|  |         assign_ipv6_address(tun[0].name(), tun_local6, tun_peer6); | ||||||
|  |     } | ||||||
|  |  | ||||||
|     info!("Created TUN device {}", tun[0].name()); |     info!("Created TUN device {}", tun[0].name()); | ||||||
|  |  | ||||||
|     //thread::sleep(time::Duration::from_secs(5)); |     //thread::sleep(time::Duration::from_secs(5)); | ||||||
|     let mut stack = Stack::new(tun); |     let mut stack = Stack::new(tun, tun_local, tun_local6); | ||||||
|     stack.listen(local_port); |     stack.listen(local_port); | ||||||
|     info!("Listening on {}", local_port); |     info!("Listening on {}", local_port); | ||||||
|  |  | ||||||
| @@ -109,50 +175,92 @@ async fn main() { | |||||||
|         let mut buf_tcp = [0u8; MAX_PACKET_LEN]; |         let mut buf_tcp = [0u8; MAX_PACKET_LEN]; | ||||||
|  |  | ||||||
|         loop { |         loop { | ||||||
|             let sock = stack.accept().await; |             let sock = Arc::new(stack.accept().await); | ||||||
|             info!("New connection: {}", sock); |             info!("New connection: {}", sock); | ||||||
|  |             if let Some(ref p) = handshake_packet { | ||||||
|  |                 if sock.send(p).await.is_none() { | ||||||
|  |                     error!("Failed to send handshake packet to remote, closing connection."); | ||||||
|  |                     continue; | ||||||
|  |                 } | ||||||
|  |  | ||||||
|             tokio::spawn(async move { |                 debug!("Sent handshake packet to: {}", sock); | ||||||
|  |             } | ||||||
|  |  | ||||||
|  |             let packet_received = Arc::new(Notify::new()); | ||||||
|  |             let quit = CancellationToken::new(); | ||||||
|             let udp_sock = UdpSocket::bind(if remote_addr.is_ipv4() { |             let udp_sock = UdpSocket::bind(if remote_addr.is_ipv4() { | ||||||
|                 "0.0.0.0:0" |                 "0.0.0.0:0" | ||||||
|             } else { |             } else { | ||||||
|                 "[::]:0" |                 "[::]:0" | ||||||
|             }) |             }) | ||||||
|                 .await |             .await?; | ||||||
|                 .unwrap(); |             let local_addr = udp_sock.local_addr()?; | ||||||
|  |             drop(udp_sock); | ||||||
|  |  | ||||||
|  |             for i in 0..num_cpus { | ||||||
|  |                 let sock = sock.clone(); | ||||||
|  |                 let quit = quit.clone(); | ||||||
|  |                 let packet_received = packet_received.clone(); | ||||||
|  |                 let udp_sock = new_udp_reuseport(local_addr); | ||||||
|  |  | ||||||
|  |                 tokio::spawn(async move { | ||||||
|                     udp_sock.connect(remote_addr).await.unwrap(); |                     udp_sock.connect(remote_addr).await.unwrap(); | ||||||
|  |  | ||||||
|                     loop { |                     loop { | ||||||
|                     let read_timeout = time::sleep(UDP_TTL); |  | ||||||
|  |  | ||||||
|                         tokio::select! { |                         tokio::select! { | ||||||
|                             Ok(size) = udp_sock.recv(&mut buf_udp) => { |                             Ok(size) = udp_sock.recv(&mut buf_udp) => { | ||||||
|                                 if sock.send(&buf_udp[..size]).await.is_none() { |                                 if sock.send(&buf_udp[..size]).await.is_none() { | ||||||
|  |                                     quit.cancel(); | ||||||
|                                     return; |                                     return; | ||||||
|                                 } |                                 } | ||||||
|  |  | ||||||
|  |                                 packet_received.notify_one(); | ||||||
|                             }, |                             }, | ||||||
|                             res = sock.recv(&mut buf_tcp) => { |                             res = sock.recv(&mut buf_tcp) => { | ||||||
|                                 match res { |                                 match res { | ||||||
|                                     Some(size) => { |                                     Some(size) => { | ||||||
|                                     if size > 0 { |                                         if size > 0 | ||||||
|                                         if let Err(e) = udp_sock.send(&buf_tcp[..size]).await { |                                             && let Err(e) = udp_sock.send(&buf_tcp[..size]).await { | ||||||
|                                                 error!("Unable to send UDP packet to {}: {}, closing connection", e, remote_addr); |                                                 error!("Unable to send UDP packet to {}: {}, closing connection", e, remote_addr); | ||||||
|  |                                                 quit.cancel(); | ||||||
|                                                 return; |                                                 return; | ||||||
|                                             } |                                             } | ||||||
|                                     } |  | ||||||
|                                     }, |                                     }, | ||||||
|                                 None => { return; }, |                                     None => { | ||||||
|                             } |                                         quit.cancel(); | ||||||
|  |                                         return; | ||||||
|                                     }, |                                     }, | ||||||
|  |                                 } | ||||||
|  |  | ||||||
|  |                                 packet_received.notify_one(); | ||||||
|  |                             }, | ||||||
|  |                             _ = quit.cancelled() => { | ||||||
|  |                                 debug!("worker {} terminated", i); | ||||||
|  |                                 return; | ||||||
|  |                             }, | ||||||
|  |                         }; | ||||||
|  |                     } | ||||||
|  |                 }); | ||||||
|  |             } | ||||||
|  |  | ||||||
|  |             tokio::spawn(async move { | ||||||
|  |                 loop { | ||||||
|  |                     let read_timeout = time::sleep(UDP_TTL); | ||||||
|  |                     let packet_received_fut = packet_received.notified(); | ||||||
|  |  | ||||||
|  |                     tokio::select! { | ||||||
|                         _ = read_timeout => { |                         _ = read_timeout => { | ||||||
|                             info!("No traffic seen in the last {:?}, closing connection", UDP_TTL); |                             info!("No traffic seen in the last {:?}, closing connection", UDP_TTL); | ||||||
|  |  | ||||||
|  |                             quit.cancel(); | ||||||
|                             return; |                             return; | ||||||
|  |                         }, | ||||||
|  |                         _ = packet_received_fut => {}, | ||||||
|                     } |                     } | ||||||
|                     }; |  | ||||||
|                 } |                 } | ||||||
|             }); |             }); | ||||||
|         } |         } | ||||||
|     }); |     }); | ||||||
|  |  | ||||||
|     tokio::join!(main_loop).0.unwrap(); |     tokio::join!(main_loop).0.unwrap() | ||||||
| } | } | ||||||
|   | |||||||
							
								
								
									
										5
									
								
								phantun/src/lib.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										5
									
								
								phantun/src/lib.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,5 @@ | |||||||
|  | use std::time::Duration; | ||||||
|  |  | ||||||
|  | pub mod utils; | ||||||
|  |  | ||||||
|  | pub const UDP_TTL: Duration = Duration::from_secs(180); | ||||||
							
								
								
									
										155
									
								
								phantun/src/utils.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										155
									
								
								phantun/src/utils.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,155 @@ | |||||||
|  | use neli::{ | ||||||
|  |     consts::{ | ||||||
|  |         nl::NlmF, | ||||||
|  |         rtnl::{Ifa, IfaF, RtAddrFamily, RtScope, Rtm}, | ||||||
|  |         socket::NlFamily, | ||||||
|  |     }, | ||||||
|  |     nl::{NlPayload, NlmsghdrBuilder}, | ||||||
|  |     rtnl::{IfaddrmsgBuilder, RtattrBuilder}, | ||||||
|  |     socket::synchronous::NlSocketHandle, | ||||||
|  |     types::RtBuffer, | ||||||
|  |     utils::Groups, | ||||||
|  | }; | ||||||
|  | use nix::sys::socket::{ | ||||||
|  |     CmsgIterator, ControlMessageOwned, MsgFlags, SockaddrLike, SockaddrStorage, cmsg_space, | ||||||
|  | }; | ||||||
|  | use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6}; | ||||||
|  | use std::os::unix::io::AsRawFd; | ||||||
|  | use tokio::io::Interest; | ||||||
|  | use tokio::net::UdpSocket; | ||||||
|  |  | ||||||
|  | pub fn new_udp_reuseport(local_addr: SocketAddr) -> UdpSocket { | ||||||
|  |     let udp_sock = socket2::Socket::new( | ||||||
|  |         if local_addr.is_ipv4() { | ||||||
|  |             socket2::Domain::IPV4 | ||||||
|  |         } else { | ||||||
|  |             socket2::Domain::IPV6 | ||||||
|  |         }, | ||||||
|  |         socket2::Type::DGRAM, | ||||||
|  |         None, | ||||||
|  |     ) | ||||||
|  |     .unwrap(); | ||||||
|  |     udp_sock.set_reuse_port(true).unwrap(); | ||||||
|  |     // from tokio-rs/mio/blob/master/src/sys/unix/net.rs | ||||||
|  |     udp_sock.set_cloexec(true).unwrap(); | ||||||
|  |     udp_sock.set_nonblocking(true).unwrap(); | ||||||
|  |  | ||||||
|  |     // enable IP_PKTINFO/IPV6_PKTINFO delivery so we know the destination address of incoming | ||||||
|  |     // packets | ||||||
|  |     if local_addr.is_ipv4() { | ||||||
|  |         nix::sys::socket::setsockopt(&udp_sock, nix::sys::socket::sockopt::Ipv4PacketInfo, &true) | ||||||
|  |             .unwrap(); | ||||||
|  |     } else { | ||||||
|  |         nix::sys::socket::setsockopt( | ||||||
|  |             &udp_sock, | ||||||
|  |             nix::sys::socket::sockopt::Ipv6RecvPacketInfo, | ||||||
|  |             &true, | ||||||
|  |         ) | ||||||
|  |         .unwrap(); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     udp_sock.bind(&socket2::SockAddr::from(local_addr)).unwrap(); | ||||||
|  |     let udp_sock: std::net::UdpSocket = udp_sock.into(); | ||||||
|  |     udp_sock.try_into().unwrap() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | /// Similiar to `UdpSocket::recv_from()`, but returns a 3rd value `IPAddr` | ||||||
|  | /// which corresponds to where the UDP datagram was destined to, this is useful | ||||||
|  | /// for disambigous when socket can receive on multiple IP address | ||||||
|  | /// or interfaces. | ||||||
|  | pub async fn udp_recv_pktinfo( | ||||||
|  |     sock: &UdpSocket, | ||||||
|  |     buf: &mut [u8], | ||||||
|  | ) -> std::io::Result<(usize, SocketAddr, IpAddr)> { | ||||||
|  |     sock.async_io(Interest::READABLE, || { | ||||||
|  |         const CONTROL_MESSAGE_BUFFER_SIZE: usize = max_usize( | ||||||
|  |             cmsg_space::<nix::libc::in_pktinfo>(), | ||||||
|  |             cmsg_space::<nix::libc::in6_pktinfo>(), | ||||||
|  |         ); | ||||||
|  |         let mut control_message_buffer = [0u8; CONTROL_MESSAGE_BUFFER_SIZE]; | ||||||
|  |         let iov = &mut [std::io::IoSliceMut::new(buf)]; | ||||||
|  |         let res = nix::sys::socket::recvmsg::<SockaddrStorage>( | ||||||
|  |             sock.as_raw_fd(), | ||||||
|  |             iov, | ||||||
|  |             Some(&mut control_message_buffer), | ||||||
|  |             MsgFlags::empty(), | ||||||
|  |         )?; | ||||||
|  |  | ||||||
|  |         let src_addr = res.address.expect("missing source address"); | ||||||
|  |         let src_addr: SocketAddr = { | ||||||
|  |             if let Some(inaddr) = src_addr.as_sockaddr_in() { | ||||||
|  |                 SocketAddrV4::new(inaddr.ip(), inaddr.port()).into() | ||||||
|  |             } else if let Some(in6addr) = src_addr.as_sockaddr_in6() { | ||||||
|  |                 SocketAddrV6::new( | ||||||
|  |                     in6addr.ip(), | ||||||
|  |                     in6addr.port(), | ||||||
|  |                     in6addr.flowinfo(), | ||||||
|  |                     in6addr.scope_id(), | ||||||
|  |                 ) | ||||||
|  |                 .into() | ||||||
|  |             } else { | ||||||
|  |                 panic!("unexpected source address family {:#?}", src_addr.family()); | ||||||
|  |             } | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         let dst_addr = dst_addr_from_cmsgs(res.cmsgs()?).expect("didn't receive pktinfo"); | ||||||
|  |  | ||||||
|  |         Ok((res.bytes, src_addr, dst_addr)) | ||||||
|  |     }) | ||||||
|  |     .await | ||||||
|  | } | ||||||
|  |  | ||||||
|  | fn dst_addr_from_cmsgs(cmsgs: CmsgIterator) -> Option<IpAddr> { | ||||||
|  |     for cmsg in cmsgs { | ||||||
|  |         if let ControlMessageOwned::Ipv4PacketInfo(pktinfo) = cmsg { | ||||||
|  |             return Some(Ipv4Addr::from(pktinfo.ipi_addr.s_addr.to_ne_bytes()).into()); | ||||||
|  |         } | ||||||
|  |         if let ControlMessageOwned::Ipv6PacketInfo(pktinfo) = cmsg { | ||||||
|  |             return Some(Ipv6Addr::from(pktinfo.ipi6_addr.s6_addr).into()); | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     None | ||||||
|  | } | ||||||
|  |  | ||||||
|  | pub fn assign_ipv6_address(device_name: &str, local: Ipv6Addr, peer: Ipv6Addr) { | ||||||
|  |     let index = nix::net::if_::if_nametoindex(device_name).unwrap(); | ||||||
|  |  | ||||||
|  |     let rtnl = NlSocketHandle::connect(NlFamily::Route, None, Groups::empty()).unwrap(); | ||||||
|  |     let mut rtattrs = RtBuffer::new(); | ||||||
|  |     rtattrs.push( | ||||||
|  |         RtattrBuilder::default() | ||||||
|  |             .rta_type(Ifa::Local) | ||||||
|  |             .rta_payload(&local.octets()[..]) | ||||||
|  |             .build() | ||||||
|  |             .unwrap(), | ||||||
|  |     ); | ||||||
|  |     rtattrs.push( | ||||||
|  |         RtattrBuilder::default() | ||||||
|  |             .rta_type(Ifa::Address) | ||||||
|  |             .rta_payload(&peer.octets()[..]) | ||||||
|  |             .build() | ||||||
|  |             .unwrap(), | ||||||
|  |     ); | ||||||
|  |  | ||||||
|  |     let ifaddrmsg = IfaddrmsgBuilder::default() | ||||||
|  |         .ifa_family(RtAddrFamily::Inet6) | ||||||
|  |         .ifa_prefixlen(128) | ||||||
|  |         .ifa_flags(IfaF::empty()) | ||||||
|  |         .ifa_scope(RtScope::Universe) | ||||||
|  |         .ifa_index(index) | ||||||
|  |         .rtattrs(rtattrs) | ||||||
|  |         .build() | ||||||
|  |         .unwrap(); | ||||||
|  |     let nl_header = NlmsghdrBuilder::default() | ||||||
|  |         .nl_type(Rtm::Newaddr) | ||||||
|  |         .nl_flags(NlmF::REQUEST) | ||||||
|  |         .nl_payload(NlPayload::Payload(ifaddrmsg)) | ||||||
|  |         .build() | ||||||
|  |         .unwrap(); | ||||||
|  |     rtnl.send(&nl_header).unwrap(); | ||||||
|  | } | ||||||
|  |  | ||||||
|  | const fn max_usize(a: usize, b: usize) -> usize { | ||||||
|  |     if a > b { a } else { b } | ||||||
|  | } | ||||||
							
								
								
									
										128
									
								
								rpm/phantun.spec
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										128
									
								
								rpm/phantun.spec
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,128 @@ | |||||||
|  | Name:         	phantun  | ||||||
|  | Version:        0.7.0 | ||||||
|  | Release:        2%{?dist} | ||||||
|  | Summary:        A lightweight and fast UDP to TCP obfuscator | ||||||
|  |  | ||||||
|  | License:        Apache-2.0 | ||||||
|  | URL:            https://github.com/dndx/phantun/tree/main | ||||||
|  | Source0:        %{name}-%{version}.tar.gz | ||||||
|  |  | ||||||
|  | BuildRequires:  rust | ||||||
|  | BuildRequires:  cargo | ||||||
|  | BuildRequires:  selinux-policy-devel | ||||||
|  |  | ||||||
|  | %description | ||||||
|  | Your project with client and server components. | ||||||
|  |  | ||||||
|  | %package client | ||||||
|  | Summary:        Client component of phantun | ||||||
|  | Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) | ||||||
|  |  | ||||||
|  | %description client | ||||||
|  | Phantun Client is like a machine with private IP address | ||||||
|  | (192.168.200.2/fcc8::2) behind a router. In order for it to reach | ||||||
|  | the Internet, you will need to SNAT the private IP address | ||||||
|  | before it's traffic leaves the NIC. | ||||||
|  |  | ||||||
|  | %package server | ||||||
|  | Summary:        Server component of phantun | ||||||
|  | Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) | ||||||
|  |  | ||||||
|  | %description server | ||||||
|  | Phantun Server is like a server with private IP address | ||||||
|  | (192.168.201.2/fcc9::2) behind a router. In order to access it from | ||||||
|  | the Internet, you need to DNAT it's listening port on the router | ||||||
|  | and change the destination IP address to where the server | ||||||
|  | is listening for incoming connections. | ||||||
|  |  | ||||||
|  | %package selinux | ||||||
|  | Summary:        SELinux module for phantun | ||||||
|  | %{?selinux_requires} | ||||||
|  | %global modulename phantun | ||||||
|  | %global selinuxtype targeted | ||||||
|  |  | ||||||
|  | %description selinux | ||||||
|  | This package provides the SELinux policy module to ensure phantun | ||||||
|  | runs properly under an environment with SELinux enabled. | ||||||
|  |  | ||||||
|  | %global debug_package %{nil} | ||||||
|  |  | ||||||
|  | %prep | ||||||
|  | %setup -q | ||||||
|  |  | ||||||
|  | %build | ||||||
|  | cargo build --release | ||||||
|  | make -C selinux | ||||||
|  |  | ||||||
|  | %install | ||||||
|  | # Install binaries | ||||||
|  | install -D -m 0755 target/release/client %{buildroot}/usr/libexec/phantun/phantun-client | ||||||
|  | install -D -m 0755 target/release/server %{buildroot}/usr/libexec/phantun/phantun-server | ||||||
|  |  | ||||||
|  | mkdir -p %{buildroot}/usr/bin | ||||||
|  | # Create wrapper scripts | ||||||
|  | echo '#!/bin/bash | ||||||
|  | PID_FILE=$1 | ||||||
|  | shift 1 | ||||||
|  | mkdir -p /var/run/phantun | ||||||
|  | /usr/libexec/phantun/phantun-client "$@" & | ||||||
|  | echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-client | ||||||
|  |  | ||||||
|  | echo '#!/bin/bash | ||||||
|  | PID_FILE=$1 | ||||||
|  | shift 1 | ||||||
|  | mkdir -p /var/run/phantun | ||||||
|  | /usr/libexec/phantun/phantun-server "$@" & | ||||||
|  | echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-server | ||||||
|  |  | ||||||
|  | # Make wrapper scripts executable | ||||||
|  | chmod +x %{buildroot}/usr/bin/phantun-client | ||||||
|  | chmod +x %{buildroot}/usr/bin/phantun-server | ||||||
|  |  | ||||||
|  | # SELinux | ||||||
|  | install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} | ||||||
|  | install -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} | ||||||
|  |  | ||||||
|  | %pre selinux | ||||||
|  | %selinux_relabel_pre -s %{selinuxtype} | ||||||
|  |  | ||||||
|  | %post selinux | ||||||
|  | %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 | ||||||
|  |  | ||||||
|  | %postun selinux | ||||||
|  | if [ $1 -eq 0 ]; then | ||||||
|  |     %selinux_modules_uninstall -s %{selinuxtype} %{modulename} | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | %posttrans selinux | ||||||
|  | %selinux_relabel_post -s %{selinuxtype} | ||||||
|  |  | ||||||
|  | %files client | ||||||
|  | /usr/libexec/phantun/phantun-client | ||||||
|  | /usr/bin/phantun-client | ||||||
|  |  | ||||||
|  | %files server | ||||||
|  | /usr/libexec/phantun/phantun-server | ||||||
|  | /usr/bin/phantun-server | ||||||
|  |  | ||||||
|  | %files selinux | ||||||
|  | %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 | ||||||
|  |  | ||||||
|  | %changelog | ||||||
|  | * Wed Dec 11 2024 Randy Li <ayaka@soulik.info> - 0.7.0-2 | ||||||
|  | - chore(deps): update tokio-tun requirement from 0.9 to 0.11 | ||||||
|  | - chore(deps): update nix requirement from 0.27 to 0.28 | ||||||
|  | - chore(deps): bump softprops/action-gh-release from 1 to 2 | ||||||
|  | - chore(docs): update license year to 2024 | ||||||
|  | - docs(readme): update `README.md` to include incoming interface (`-i tun0`) in client NAT commands example (#163) | ||||||
|  | - Revert "docs(readme): update `README.md` to include incoming interface (`-i t…" | ||||||
|  | - fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162) | ||||||
|  | - chore(deps): bump dependencies to latest | ||||||
|  | - chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0` | ||||||
|  | - chore(deps): bump docker/build-push-action from 5 to 6 | ||||||
|  | - chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust | ||||||
|  | - docs(readme): latest release is now `v0.7.0` | ||||||
|  |  | ||||||
|  | * Sat Oct 14 2023 Randy Li <ayaka@soulik.info> - 0.6.1-1 | ||||||
|  | - Initial package | ||||||
|  |  | ||||||
							
								
								
									
										26
									
								
								selinux/Makefile
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								selinux/Makefile
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,26 @@ | |||||||
|  | TARGET?=phantun | ||||||
|  | MODULES?=${TARGET:=.pp.bz2} | ||||||
|  | SHAREDIR?=/usr/share | ||||||
|  |  | ||||||
|  | all: ${TARGET:=.pp.bz2} | ||||||
|  |  | ||||||
|  | %.pp.bz2: %.pp | ||||||
|  | 	@echo Compressing $^ -\> $@ | ||||||
|  | 	bzip2 -9 $^ | ||||||
|  |  | ||||||
|  | %.pp: %.te | ||||||
|  | 	make -f ${SHAREDIR}/selinux/devel/Makefile $@ | ||||||
|  |  | ||||||
|  | clean: | ||||||
|  | 	rm -f *~  *.tc *.pp *.pp.bz2 | ||||||
|  | 	rm -rf tmp *.tar.gz | ||||||
|  |  | ||||||
|  | man: install-policy | ||||||
|  | 	sepolicy manpage --path . --domain ${TARGET}_t | ||||||
|  |  | ||||||
|  | install-policy: all | ||||||
|  | 	semodule -i ${TARGET}.pp.bz2 | ||||||
|  |  | ||||||
|  | install: man | ||||||
|  | 	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2 | ||||||
|  | 	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/ | ||||||
							
								
								
									
										5
									
								
								selinux/phantun.fc
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										5
									
								
								selinux/phantun.fc
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,5 @@ | |||||||
|  | /usr/libexec/phantun/phantun-client -- gen_context(system_u:object_r:phantun_client_exec_t,s0) | ||||||
|  | /usr/libexec/phantun/phantun-server -- gen_context(system_u:object_r:phantun_server_exec_t,s0) | ||||||
|  | /usr/bin/phantun-client -- gen_context(system_u:object_r:wireguard_exec_t,s0) | ||||||
|  | /usr/bin/phantun-server -- gen_context(system_u:object_r:wireguard_exec_t,s0) | ||||||
|  | /var/run/phantun(/.*)? gen_context(system_u:object_r:phantun_var_run_t,s0) | ||||||
							
								
								
									
										60
									
								
								selinux/phantun.te
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										60
									
								
								selinux/phantun.te
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,60 @@ | |||||||
|  | policy_module(phantun, 1.0) | ||||||
|  |  | ||||||
|  | gen_require(` | ||||||
|  |     type wireguard_t; | ||||||
|  |     type wireguard_exec_t; | ||||||
|  |     class capability net_admin; | ||||||
|  |     class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write }; | ||||||
|  |     class tcp_socket { name_bind listen accept connect }; | ||||||
|  |     class udp_socket { name_bind }; | ||||||
|  |     class file { getattr open read write create unlink execute }; | ||||||
|  |     class process { transition }; | ||||||
|  | ') | ||||||
|  |  | ||||||
|  |  | ||||||
|  | # Define custom types | ||||||
|  | type phantun_server_exec_t; | ||||||
|  | type phantun_client_exec_t; | ||||||
|  | type phantun_server_port_t; | ||||||
|  | type phantun_client_port_t; | ||||||
|  | type phantun_var_run_t; | ||||||
|  |  | ||||||
|  | # Allow the wrapper scripts to execute the phantun client and server binaries | ||||||
|  | allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute }; | ||||||
|  | allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute }; | ||||||
|  |  | ||||||
|  | # Allow the wrapper scripts to write to the PID file | ||||||
|  | allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink }; | ||||||
|  | allow wireguard_t self:process transition; | ||||||
|  |  | ||||||
|  | #################################### | ||||||
|  | # Server | ||||||
|  | # | ||||||
|  |  | ||||||
|  | # Allow wireguard_t to execute the server binary | ||||||
|  | allow wireguard_t phantun_server_exec_t:file { getattr open read execute }; | ||||||
|  |  | ||||||
|  | # Allow the server to create and manage tun devices | ||||||
|  | allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write }; | ||||||
|  |  | ||||||
|  | # Allow the server to bind to the custom TCP port and listen for incoming connections | ||||||
|  | allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept }; | ||||||
|  |  | ||||||
|  | # Allow the server to use net_admin capability | ||||||
|  | allow phantun_server_exec_t self:capability net_admin; | ||||||
|  |  | ||||||
|  | #################################### | ||||||
|  | # Client | ||||||
|  | # | ||||||
|  |  | ||||||
|  | # Allow wireguard_t to execute the client binary | ||||||
|  | allow wireguard_t phantun_client_exec_t:file { getattr open read execute }; | ||||||
|  |  | ||||||
|  | # Allow the client to create and manage tun devices | ||||||
|  | allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write }; | ||||||
|  |  | ||||||
|  | # Allow the client to bind to the custom UDP port | ||||||
|  | #allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind }; | ||||||
|  |  | ||||||
|  | # Allow the client to use net_admin capability | ||||||
|  | allow phantun_client_exec_t self:capability net_admin; | ||||||
		Reference in New Issue
	
	Block a user