fix network to network without masquerade (#207)

easytier/src/easytier-core.rs

@@ -271,8 +271,6 @@ impl Cli {
             }
         }
 
-        println!("parsed listeners: {:?}", listeners);
-
         listeners
     }
 

easytier/src/gateway/icmp_proxy.rs

@@ -145,6 +145,7 @@ fn socket_recv_loop(socket: Socket, nat_table: IcmpNatTable, sender: UnboundedSe
                     v.src_peer_id.into(),
                     PacketType::Data as u8,
                 );
+                p.mut_peer_manager_header().unwrap().set_no_proxy(true);
 
                 if let Err(e) = sender.send(p) {
                     tracing::error!("send icmp packet to peer failed: {:?}, may exiting..", e);
@@ -343,7 +344,7 @@ impl IcmpProxy {
         let hdr = packet.peer_manager_header().unwrap();
         let is_exit_node = hdr.is_exit_node();
 
-        if hdr.packet_type != PacketType::Data as u8 {
+        if hdr.packet_type != PacketType::Data as u8 || hdr.is_no_proxy() {
             return None;
         };
 
@@ -376,9 +377,9 @@ impl IcmpProxy {
         };
 
         if icmp_packet.get_icmp_type() != IcmpTypes::EchoRequest {
-            // drop it because we do not support other icmp types
+            // if it's other icmp type, just ignore it. may forwarding network to network replay packet.
             tracing::trace!("unsupported icmp type: {:?}", icmp_packet.get_icmp_type());
-            return Some(());
+            return None;
         }
 
         if self.global_ctx.no_tun() && Some(ipv4.get_destination()) == self.global_ctx.get_ipv4() {

easytier/src/gateway/tcp_proxy.rs

@@ -217,6 +217,11 @@ impl NicPacketFilter for TcpProxy {
             panic!("v4 nat entry src ip is not v4");
         };
 
+        zc_packet
+            .mut_peer_manager_header()
+            .unwrap()
+            .set_no_proxy(true);
+
         let mut ip_packet = MutableIpv4Packet::new(zc_packet.mut_payload()).unwrap();
         ip_packet.set_source(ip);
         let dst = ip_packet.get_destination();
@@ -557,7 +562,7 @@ impl TcpProxy {
         let hdr = packet.peer_manager_header().unwrap();
         let is_exit_node = hdr.is_exit_node();
 
-        if hdr.packet_type != PacketType::Data as u8 {
+        if hdr.packet_type != PacketType::Data as u8 || hdr.is_no_proxy() {
             return None;
         };
 
@@ -581,12 +586,13 @@ impl TcpProxy {
         let ip_packet = Ipv4Packet::new(payload_bytes).unwrap();
         let tcp_packet = TcpPacket::new(ip_packet.payload()).unwrap();
 
-        let is_tcp_syn = tcp_packet.get_flags() & pnet::packet::tcp::TcpFlags::SYN != 0;
-        if is_tcp_syn {
-            let source_ip = ip_packet.get_source();
-            let source_port = tcp_packet.get_source();
-            let src = SocketAddr::V4(SocketAddrV4::new(source_ip, source_port));
+        let source_ip = ip_packet.get_source();
+        let source_port = tcp_packet.get_source();
+        let src = SocketAddr::V4(SocketAddrV4::new(source_ip, source_port));
 
+        let is_tcp_syn = tcp_packet.get_flags() & pnet::packet::tcp::TcpFlags::SYN != 0;
+        let is_tcp_ack = tcp_packet.get_flags() & pnet::packet::tcp::TcpFlags::ACK != 0;
+        if is_tcp_syn && !is_tcp_ack {
             let dest_ip = ip_packet.get_destination();
             let dest_port = tcp_packet.get_destination();
             let dst = SocketAddr::V4(SocketAddrV4::new(dest_ip, dest_port));
@@ -595,6 +601,9 @@ impl TcpProxy {
                 .syn_map
                 .insert(src, Arc::new(NatDstEntry::new(src, dst)));
             tracing::info!(src = ?src, dst = ?dst, old_entry = ?old_val, "tcp syn received");
+        } else if !self.addr_conn_map.contains_key(&src) && !self.syn_map.contains_key(&src) {
+            // if not in syn map and addr conn map, may forwarding n2n packet
+            return None;
         }
 
         let mut ip_packet = MutableIpv4Packet::new(payload_bytes).unwrap();

easytier/src/gateway/udp_proxy.rs

@@ -117,6 +117,7 @@ impl UdpNatEntry {
             |buf| {
                 let mut p = ZCPacket::new_with_payload(buf);
                 p.fill_peer_manager_hdr(self.my_peer_id, self.src_peer_id, PacketType::Data as u8);
+                p.mut_peer_manager_header().unwrap().set_no_proxy(true);
 
                 if let Err(e) = packet_sender.send(p) {
                     tracing::error!("send icmp packet to peer failed: {:?}, may exiting..", e);
@@ -219,7 +220,7 @@ impl UdpProxy {
         let _ = self.global_ctx.get_ipv4()?;
         let hdr = packet.peer_manager_header().unwrap();
         let is_exit_node = hdr.is_exit_node();
-        if hdr.packet_type != PacketType::Data as u8 {
+        if hdr.packet_type != PacketType::Data as u8 || hdr.is_no_proxy() {
             return None;
         };
 

easytier/src/instance/virtual_nic.rs

@@ -629,8 +629,6 @@ impl NicCtx {
                     proxy_cidrs = routes;
                 }
 
-                println!("proxy_cidrs: {:?}", proxy_cidrs);
-
                 // if route is in cur_proxy_cidrs but not in proxy_cidrs, delete it.
                 for cidr in cur_proxy_cidrs.iter() {
                     if proxy_cidrs.contains(cidr) {

easytier/src/tunnel/packet_def.rs

@@ -61,6 +61,7 @@ bitflags::bitflags! {
         const ENCRYPTED = 0b0000_0001;
         const LATENCY_FIRST = 0b0000_0010;
         const EXIT_NODE = 0b0000_0100;
+        const NO_PROXY = 0b0000_1000;
 
         const _ = !0;
     }
@@ -108,6 +109,12 @@ impl PeerManagerHeader {
             .contains(PeerManagerHeaderFlags::EXIT_NODE)
     }
 
+    pub fn is_no_proxy(&self) -> bool {
+        PeerManagerHeaderFlags::from_bits(self.flags)
+            .unwrap()
+            .contains(PeerManagerHeaderFlags::NO_PROXY)
+    }
+
     pub fn set_latency_first(&mut self, latency_first: bool) -> &mut Self {
         let mut flags = PeerManagerHeaderFlags::from_bits(self.flags).unwrap();
         if latency_first {
@@ -129,6 +136,17 @@ impl PeerManagerHeader {
         self.flags = flags.bits();
         self
     }
+
+    pub fn set_no_proxy(&mut self, no_proxy: bool) -> &mut Self {
+        let mut flags = PeerManagerHeaderFlags::from_bits(self.flags).unwrap();
+        if no_proxy {
+            flags.insert(PeerManagerHeaderFlags::NO_PROXY);
+        } else {
+            flags.remove(PeerManagerHeaderFlags::NO_PROXY);
+        }
+        self.flags = flags.bits();
+        self
+    }
 }
 
 // reserve the space for aes tag and nonce