aramperes/onetun
1
0
Fork 0
mirror of https://github.com/aramperes/onetun.git synced 2025-09-09 12:18:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Use IPv6 'next header' for TCP routing

Browse source
This commit is contained in:
Aram 🍐 2021-10-16 02:06:03 -04:00
parent 9aea0fce33
commit 660183b1c4
1 changed files with 33 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

27
src/wg.rs
View file

@ -278,16 +278,12 @@ impl WireGuardTunnel {
// Only care if the packet is destined for this tunnel // Only care if the packet is destined for this tunnel
.filter(|packet| Ipv4Addr::from(packet.dst_addr()) == self.source_peer_ip) .filter(|packet| Ipv4Addr::from(packet.dst_addr()) == self.source_peer_ip)
.map(|packet| match packet.protocol() { .map(|packet| match packet.protocol() {
IpProtocol::Tcp => Some( IpProtocol::Tcp => Some(self.route_tcp_segment(
self.route_tcp_segment(
IpVersion::Ipv4, IpVersion::Ipv4,
packet.src_addr().into(), packet.src_addr().into(),
packet.dst_addr().into(), packet.dst_addr().into(),
packet.payload(), packet.payload(),
) )),
// Note: Ipv4 drops invalid TCP packets when the specified protocol says that it should be TCP
.unwrap_or(RouteResult::Drop),
),
// Unrecognized protocol, so we'll allow it. // Unrecognized protocol, so we'll allow it.
_ => Some(RouteResult::Broadcast), _ => Some(RouteResult::Broadcast),
}) })
@ -297,17 +293,17 @@ impl WireGuardTunnel {
.ok() .ok()
// Only care if the packet is destined for this tunnel // Only care if the packet is destined for this tunnel
.filter(|packet| Ipv6Addr::from(packet.dst_addr()) == self.source_peer_ip) .filter(|packet| Ipv6Addr::from(packet.dst_addr()) == self.source_peer_ip)
.map(|packet| { .map(|packet| match packet.next_header() {
self.route_tcp_segment( IpProtocol::Tcp => Some(self.route_tcp_segment(
IpVersion::Ipv6, IpVersion::Ipv6,
packet.src_addr().into(), packet.src_addr().into(),
packet.dst_addr().into(), packet.dst_addr().into(),
packet.payload(), packet.payload(),
) )),
// Note: Since Ipv6 doesn't inform us of the protocol at this layer, // Unrecognized protocol, so we'll allow it.
// we should broadcast unrecognized packets. _ => Some(RouteResult::Broadcast),
.unwrap_or(RouteResult::Broadcast)
}) })
.flatten()
.unwrap_or(RouteResult::Drop), .unwrap_or(RouteResult::Drop),
_ => RouteResult::Drop, _ => RouteResult::Drop,
} }
@ -321,8 +317,10 @@ impl WireGuardTunnel {
src_addr: IpAddress, src_addr: IpAddress,
dst_addr: IpAddress, dst_addr: IpAddress,
segment: &[u8], segment: &[u8],
) -> Option<RouteResult> { ) -> RouteResult {
TcpPacket::new_checked(segment).ok().map(|tcp| { TcpPacket::new_checked(segment)
.ok()
.map(|tcp| {
if self.port_pool.is_in_use(tcp.dst_port()) { if self.port_pool.is_in_use(tcp.dst_port()) {
RouteResult::Broadcast RouteResult::Broadcast
} else if tcp.rst() { } else if tcp.rst() {
@ -339,6 +337,7 @@ impl WireGuardTunnel {
)) ))
} }
}) })
.unwrap_or(RouteResult::Drop)
} }
} }