2023-02-02 20:22:18 +07:00
|
|
|
/*
|
|
|
|
* SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
* Copyright (c) since 2023, mzz2017 <mzz@tuta.io>
|
|
|
|
*/
|
|
|
|
|
|
|
|
package control
|
|
|
|
|
|
|
|
import (
|
2023-02-06 15:22:07 +07:00
|
|
|
"bytes"
|
2023-02-02 20:22:18 +07:00
|
|
|
"fmt"
|
|
|
|
"github.com/cilium/ebpf"
|
|
|
|
ciliumLink "github.com/cilium/ebpf/link"
|
2023-02-04 10:38:01 +07:00
|
|
|
"github.com/safchain/ethtool"
|
2023-02-02 20:22:18 +07:00
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
"github.com/v2rayA/dae/common"
|
|
|
|
"github.com/v2rayA/dae/common/consts"
|
|
|
|
internal "github.com/v2rayA/dae/pkg/ebpf_internal"
|
|
|
|
"github.com/vishvananda/netlink"
|
|
|
|
"golang.org/x/sys/unix"
|
|
|
|
"net/netip"
|
|
|
|
"os"
|
2023-02-06 12:56:43 +07:00
|
|
|
"os/exec"
|
2023-02-04 10:38:01 +07:00
|
|
|
"regexp"
|
2023-02-02 20:22:18 +07:00
|
|
|
)
|
|
|
|
|
|
|
|
type ControlPlaneCore struct {
|
|
|
|
log *logrus.Logger
|
|
|
|
deferFuncs []func() error
|
|
|
|
bpf *bpfObjects
|
|
|
|
|
|
|
|
kernelVersion *internal.Version
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *ControlPlaneCore) Close() (err error) {
|
|
|
|
// Invoke defer funcs in reverse order.
|
|
|
|
for i := len(c.deferFuncs) - 1; i >= 0; i-- {
|
|
|
|
if e := c.deferFuncs[i](); e != nil {
|
|
|
|
// Combine errors.
|
|
|
|
if err != nil {
|
|
|
|
err = fmt.Errorf("%w; %v", err, e)
|
|
|
|
} else {
|
|
|
|
err = e
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-02-04 10:38:01 +07:00
|
|
|
func getifParamsFromLink(link netlink.Link) (ifParams bpfIfParams, err error) {
|
2023-02-02 20:22:18 +07:00
|
|
|
// TODO: We should monitor IP change of the link.
|
|
|
|
ipnets, err := netlink.AddrList(link, netlink.FAMILY_ALL)
|
|
|
|
if err != nil {
|
2023-02-04 10:38:01 +07:00
|
|
|
return bpfIfParams{}, err
|
2023-02-02 20:22:18 +07:00
|
|
|
}
|
|
|
|
if len(ipnets) == 0 {
|
2023-02-04 10:38:01 +07:00
|
|
|
return bpfIfParams{}, fmt.Errorf("interface %v has no ip", link.Attrs().Name)
|
2023-02-02 20:22:18 +07:00
|
|
|
}
|
2023-02-04 10:38:01 +07:00
|
|
|
// Get first Ip4 and Ip6.
|
2023-02-02 20:22:18 +07:00
|
|
|
for _, ipnet := range ipnets {
|
|
|
|
ip, ok := netip.AddrFromSlice(ipnet.IP)
|
|
|
|
if !ok {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
|
|
|
|
continue
|
|
|
|
}
|
2023-02-04 10:38:01 +07:00
|
|
|
if (ip.Is6() && ifParams.HasIp6) ||
|
|
|
|
(ip.Is4() && ifParams.HasIp4) {
|
2023-02-02 20:22:18 +07:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
ip6format := ip.As16()
|
|
|
|
if ip.Is4() {
|
2023-02-04 10:38:01 +07:00
|
|
|
ifParams.HasIp4 = true
|
|
|
|
ifParams.Ip4 = common.Ipv6ByteSliceToUint32Array(ip6format[:])
|
2023-02-02 20:22:18 +07:00
|
|
|
} else {
|
2023-02-04 10:38:01 +07:00
|
|
|
ifParams.HasIp6 = true
|
|
|
|
ifParams.Ip6 = common.Ipv6ByteSliceToUint32Array(ip6format[:])
|
2023-02-02 20:22:18 +07:00
|
|
|
}
|
2023-02-04 10:38:01 +07:00
|
|
|
if ifParams.HasIp4 && ifParams.HasIp6 {
|
2023-02-02 20:22:18 +07:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
2023-02-04 10:38:01 +07:00
|
|
|
// Get link offload features.
|
|
|
|
et, err := ethtool.NewEthtool()
|
|
|
|
if err != nil {
|
|
|
|
return bpfIfParams{}, err
|
|
|
|
}
|
|
|
|
defer et.Close()
|
|
|
|
features, err := et.Features(link.Attrs().Name)
|
|
|
|
if err != nil {
|
|
|
|
return bpfIfParams{}, err
|
|
|
|
}
|
|
|
|
if features["tx-checksum-ip-generic"] {
|
|
|
|
ifParams.TxL4CksmIp4Offload = true
|
|
|
|
ifParams.TxL4CksmIp6Offload = true
|
|
|
|
}
|
|
|
|
if features["tx-checksum-ipv4"] {
|
|
|
|
ifParams.TxL4CksmIp4Offload = true
|
|
|
|
}
|
|
|
|
if features["tx-checksum-ipv6"] {
|
|
|
|
ifParams.TxL4CksmIp6Offload = true
|
|
|
|
}
|
|
|
|
if features["rx-checksum"] {
|
|
|
|
ifParams.RxCksmOffload = true
|
|
|
|
}
|
|
|
|
switch {
|
|
|
|
case regexp.MustCompile(`^docker\d+$`).MatchString(link.Attrs().Name):
|
|
|
|
ifParams.UseNonstandardOffloadAlgorithm = true
|
|
|
|
default:
|
|
|
|
}
|
|
|
|
return ifParams, nil
|
|
|
|
}
|
|
|
|
|
2023-02-07 20:11:12 +07:00
|
|
|
func (c *ControlPlaneCore) bindLan(ifname string) error {
|
2023-02-04 10:38:01 +07:00
|
|
|
c.log.Infof("Bind to LAN: %v", ifname)
|
|
|
|
link, err := netlink.LinkByName(ifname)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2023-02-06 12:56:43 +07:00
|
|
|
/// Insert ip rule / ip route.
|
2023-02-06 15:22:07 +07:00
|
|
|
var output []byte
|
|
|
|
if output, err = exec.Command("sh", "-c", `
|
2023-02-06 12:56:43 +07:00
|
|
|
ip rule add fwmark 0x80000000/0x80000000 table 2023
|
2023-02-06 23:17:55 +07:00
|
|
|
ip route add local default dev lo table 2023
|
2023-02-06 12:56:43 +07:00
|
|
|
ip -6 rule add fwmark 0x80000000/0x80000000 table 2023
|
2023-02-07 20:11:12 +07:00
|
|
|
ip -6 route add local default dev lo table 2023
|
2023-02-06 15:22:07 +07:00
|
|
|
`).CombinedOutput(); err != nil {
|
|
|
|
return fmt.Errorf("%w: %v", err, string(bytes.TrimSpace(output)))
|
2023-02-06 12:56:43 +07:00
|
|
|
}
|
|
|
|
c.deferFuncs = append(c.deferFuncs, func() error {
|
|
|
|
return exec.Command("sh", "-c", `
|
|
|
|
ip rule del fwmark 0x80000000/0x80000000 table 2023
|
2023-02-06 23:17:55 +07:00
|
|
|
ip route del local default dev lo table 2023
|
2023-02-06 12:56:43 +07:00
|
|
|
ip -6 rule del fwmark 0x80000000/0x80000000 table 2023
|
2023-02-07 20:11:12 +07:00
|
|
|
ip -6 route del local default dev lo table 2023
|
2023-02-06 12:56:43 +07:00
|
|
|
`).Run()
|
|
|
|
})
|
2023-02-04 10:38:01 +07:00
|
|
|
/// Insert an elem into IfindexParamsMap.
|
|
|
|
ifParams, err := getifParamsFromLink(link)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err = ifParams.CheckVersionRequirement(c.kernelVersion); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := c.bpf.IfindexParamsMap.Update(uint32(link.Attrs().Index), ifParams, ebpf.UpdateAny); err != nil {
|
2023-02-02 20:22:18 +07:00
|
|
|
return fmt.Errorf("update IfindexIpsMap: %w", err)
|
|
|
|
}
|
|
|
|
// FIXME: not only this link ip.
|
2023-02-04 10:38:01 +07:00
|
|
|
if ifParams.HasIp4 {
|
2023-02-02 20:22:18 +07:00
|
|
|
if err := c.bpf.HostIpLpm.Update(_bpfLpmKey{
|
|
|
|
PrefixLen: 128,
|
2023-02-04 10:38:01 +07:00
|
|
|
Data: ifParams.Ip4,
|
2023-02-02 20:22:18 +07:00
|
|
|
}, uint32(1), ebpf.UpdateAny); err != nil {
|
|
|
|
return fmt.Errorf("update IfindexIpsMap: %w", err)
|
|
|
|
}
|
|
|
|
}
|
2023-02-04 10:38:01 +07:00
|
|
|
if ifParams.HasIp6 {
|
2023-02-02 20:22:18 +07:00
|
|
|
if err := c.bpf.HostIpLpm.Update(_bpfLpmKey{
|
|
|
|
PrefixLen: 128,
|
2023-02-04 10:38:01 +07:00
|
|
|
Data: ifParams.Ip6,
|
2023-02-02 20:22:18 +07:00
|
|
|
}, uint32(1), ebpf.UpdateAny); err != nil {
|
|
|
|
return fmt.Errorf("update IfindexIpsMap: %w", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Insert qdisc and filters.
|
|
|
|
qdisc := &netlink.GenericQdisc{
|
|
|
|
QdiscAttrs: netlink.QdiscAttrs{
|
|
|
|
LinkIndex: link.Attrs().Index,
|
|
|
|
Handle: netlink.MakeHandle(0xffff, 0),
|
|
|
|
Parent: netlink.HANDLE_CLSACT,
|
|
|
|
},
|
|
|
|
QdiscType: "clsact",
|
|
|
|
}
|
|
|
|
if err := netlink.QdiscAdd(qdisc); err != nil {
|
|
|
|
if os.IsExist(err) {
|
|
|
|
_ = netlink.QdiscDel(qdisc)
|
|
|
|
err = netlink.QdiscAdd(qdisc)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot add clsact qdisc: %w", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
c.deferFuncs = append(c.deferFuncs, func() error {
|
|
|
|
if err := netlink.QdiscDel(qdisc); err != nil {
|
|
|
|
return fmt.Errorf("QdiscDel: %w", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
filterIngress := &netlink.BpfFilter{
|
|
|
|
FilterAttrs: netlink.FilterAttrs{
|
|
|
|
LinkIndex: link.Attrs().Index,
|
|
|
|
Parent: netlink.HANDLE_MIN_INGRESS,
|
|
|
|
Handle: netlink.MakeHandle(0, 1),
|
|
|
|
Protocol: unix.ETH_P_ALL,
|
|
|
|
Priority: 0,
|
|
|
|
},
|
|
|
|
Fd: c.bpf.bpfPrograms.TproxyLanIngress.FD(),
|
|
|
|
Name: consts.AppName + "_ingress",
|
|
|
|
DirectAction: true,
|
|
|
|
}
|
|
|
|
if err := netlink.FilterAdd(filterIngress); err != nil {
|
|
|
|
return fmt.Errorf("cannot attach ebpf object to filter ingress: %w", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-02-07 20:11:12 +07:00
|
|
|
func (c *ControlPlaneCore) bindWan(ifname string) error {
|
2023-02-02 20:22:18 +07:00
|
|
|
c.log.Infof("Bind to WAN: %v", ifname)
|
|
|
|
link, err := netlink.LinkByName(ifname)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2023-02-07 20:11:12 +07:00
|
|
|
if link.Attrs().Index == consts.LoopbackIfIndex {
|
|
|
|
return fmt.Errorf("cannot bind to loopback interface")
|
|
|
|
}
|
2023-02-04 10:38:01 +07:00
|
|
|
/// Insert an elem into IfindexParamsMap.
|
|
|
|
ifParams, err := getifParamsFromLink(link)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err = ifParams.CheckVersionRequirement(c.kernelVersion); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := c.bpf.IfindexParamsMap.Update(uint32(link.Attrs().Index), ifParams, ebpf.UpdateAny); err != nil {
|
|
|
|
return fmt.Errorf("update IfindexIpsMap: %w", err)
|
|
|
|
}
|
2023-02-02 20:22:18 +07:00
|
|
|
|
|
|
|
/// Set-up SrcPidMapper.
|
|
|
|
/// Attach programs to support pname routing.
|
|
|
|
// Get the first-mounted cgroupv2 path.
|
|
|
|
cgroupPath, err := detectCgroupPath()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// Bind cg programs
|
|
|
|
type cgProg struct {
|
|
|
|
Name string
|
|
|
|
Prog *ebpf.Program
|
|
|
|
Attach ebpf.AttachType
|
|
|
|
}
|
|
|
|
cgProgs := []cgProg{
|
|
|
|
{Prog: c.bpf.TproxyWanCgSockCreate, Attach: ebpf.AttachCGroupInetSockCreate},
|
|
|
|
{Prog: c.bpf.TproxyWanCgSockRelease, Attach: ebpf.AttachCgroupInetSockRelease},
|
|
|
|
//{Prog: c.bpf.TproxyWanCgConnect4, Attach: ebpf.AttachCGroupInet4Connect},
|
|
|
|
//{Prog: c.bpf.TproxyWanCgConnect6, Attach: ebpf.AttachCGroupInet6Connect},
|
|
|
|
//{Prog: c.bpf.TproxyWanCgSendmsg4, Attach: ebpf.AttachCGroupUDP4Sendmsg},
|
|
|
|
//{Prog: c.bpf.TproxyWanCgSendmsg6, Attach: ebpf.AttachCGroupUDP6Sendmsg},
|
|
|
|
}
|
|
|
|
for _, prog := range cgProgs {
|
|
|
|
attached, err := ciliumLink.AttachCgroup(ciliumLink.CgroupOptions{
|
|
|
|
Path: cgroupPath,
|
|
|
|
Attach: prog.Attach,
|
|
|
|
Program: prog.Prog,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("AttachTracing: %v: %w", prog.Prog.String(), err)
|
|
|
|
}
|
|
|
|
c.deferFuncs = append(c.deferFuncs, func() error {
|
|
|
|
if err := attached.Close(); err != nil {
|
|
|
|
return fmt.Errorf("inet6Bind.Close(): %w", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Set-up WAN ingress/egress TC programs.
|
|
|
|
// Insert qdisc.
|
|
|
|
qdisc := &netlink.GenericQdisc{
|
|
|
|
QdiscAttrs: netlink.QdiscAttrs{
|
|
|
|
LinkIndex: link.Attrs().Index,
|
|
|
|
Handle: netlink.MakeHandle(0xffff, 0),
|
|
|
|
Parent: netlink.HANDLE_CLSACT,
|
|
|
|
},
|
|
|
|
QdiscType: "clsact",
|
|
|
|
}
|
|
|
|
if err := netlink.QdiscAdd(qdisc); err != nil {
|
|
|
|
if os.IsExist(err) {
|
|
|
|
_ = netlink.QdiscDel(qdisc)
|
|
|
|
err = netlink.QdiscAdd(qdisc)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("cannot add clsact qdisc: %w", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
c.deferFuncs = append(c.deferFuncs, func() error {
|
|
|
|
if err := netlink.QdiscDel(qdisc); err != nil {
|
|
|
|
return fmt.Errorf("QdiscDel: %w", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
// Insert TC filters
|
|
|
|
filterEgress := &netlink.BpfFilter{
|
|
|
|
FilterAttrs: netlink.FilterAttrs{
|
|
|
|
LinkIndex: link.Attrs().Index,
|
|
|
|
Parent: netlink.HANDLE_MIN_EGRESS,
|
|
|
|
Handle: netlink.MakeHandle(0, 1),
|
|
|
|
Protocol: unix.ETH_P_ALL,
|
|
|
|
Priority: 0,
|
|
|
|
},
|
|
|
|
Fd: c.bpf.bpfPrograms.TproxyWanEgress.FD(),
|
|
|
|
Name: consts.AppName + "_egress",
|
|
|
|
DirectAction: true,
|
|
|
|
}
|
|
|
|
if err := netlink.FilterAdd(filterEgress); err != nil {
|
|
|
|
return fmt.Errorf("cannot attach ebpf object to filter egress: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
filterIngress := &netlink.BpfFilter{
|
|
|
|
FilterAttrs: netlink.FilterAttrs{
|
|
|
|
LinkIndex: link.Attrs().Index,
|
|
|
|
Parent: netlink.HANDLE_MIN_INGRESS,
|
|
|
|
Handle: netlink.MakeHandle(0, 1),
|
|
|
|
Protocol: unix.ETH_P_ALL,
|
|
|
|
Priority: 0,
|
|
|
|
},
|
|
|
|
Fd: c.bpf.bpfPrograms.TproxyWanIngress.FD(),
|
|
|
|
Name: consts.AppName + "_ingress",
|
|
|
|
DirectAction: true,
|
|
|
|
}
|
|
|
|
if err := netlink.FilterAdd(filterIngress); err != nil {
|
|
|
|
return fmt.Errorf("cannot attach ebpf object to filter ingress: %w", err)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|