Another 2 weekends of development.

- updated gvisor to head, moved to ugate/ext/gvisor
- same for lwIP
- added a test harness with stable IDs
- improved the stream basic interface to allow eager send
- better use of buffers

cmd/ugate/iptables.sh → cmd/iptables.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
-# Simplified istio iptables, for single port
-# Use a different GID to run the iperf3 or tests.
+# Simplified istio iptables
+# Use a different GID to run iperf3 or tests.
 
 # Defaults:
 # - capture all in and out traffic, unless:
@@ -15,12 +15,9 @@
 # Capturing with tproxy can be done with separate script, should
 # not be mixed in.
 
-
 # For testing iperf3, use:
 # PROXY_GROUP=costin INBOUND_PORTS_INCLUDE=5201 OUTBOUND_PORTS_INCLUDE=5201
 
-# also ENVOY_PORT - Istio doesn't have tests with othre ports
-# so can be assumed to be fixed.
 OUTBOUND_CAPTURE_PORT=${OUTBOUND_CAPTURE_PORT:-15001}
 INBOUND_CAPTURE_PORT=${INBOUND_CAPTURE_PORT:-15006}
 

cmd/test.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+export TOP=$(cd .. && pwd)
+
+export TUNUSER=${USER}
+
+mkdir -p ${TOP}/build
+
+_do_stop() {
+  local name=shift
+  kill -9 ${TOP}/build/${name}.pid
+}
+
+_do_start() {
+  local name=shift
+  local base=shift
+  kill -9 ${TOP}/build/${name}.pid
+  (cd $base && $* & )
+  echo $! >${TOP}/build/${name}.pid
+}
+
+prepare_root() {
+  sudo TUNDEV=0  ./setup.sh setup
+  sudo TUNDEV=1  ./setup.sh setup
+}
+
+# setup test rig
+test_setup() {
+  _do_start iperf3 ${TOP} iperf3 -s
+  _do_start gate ${TOP}/cmd/ugate/testdata/gate ${TOP}/build/ugate
+  _do_start alice ${TOP}/cmd/ugate/testdata/alice ${TOP}/build/ugate
+  _do_start bob ${TOP}/cmd/ugate/testdata/bob ${TOP}/build/ugate
+}
+
+test_run() {
+  # Direct access
+  iperf3 -c localhost:5201
+  # Via ugate, whitebox TCP capture
+  iperf3 -c localhost:12111
+
+  # Via routes
+  iperf3 -c 10.13.0.1:12111
+  iperf3 -c 10.15.0.1:12211
+  iperf3 -c 10.17.0.1:15311
+}
+
+test_cleanup() {
+  TUNDEV=0 sudo setup.sh clean
+  TUNDEV=1 sudo setup.sh clean
+}

cmd/tun_setup.sh

@@ -0,0 +1,120 @@
+#!/bin/sh
+
+# Setup the TUN device for capture.
+#
+# Must be run as root.
+#
+# Will setup rules for tagging using 1${N}0 1${N}1
+
+export TUNUSER=${TUNUSER:-istio-proxy}
+export N=${N:-0}
+
+echo Create dmesh${N}. owned by ${TUNUSER}
+echo Address: 10.11.${N}.1
+echo 10.10.${N}.0/24 will be routed to dmesh${N}
+
+# Create a TUN device.
+setupTUN() {
+  ip tuntap add dev dmesh${N} mode tun user ${TUNUSER} group ${TUNUSER}
+  ip addr add 10.11.${N}.1/24 dev dmesh${N}
+  # No IP6 address - confuses linux
+  ip link set dmesh${N} up
+
+  # Route various ranges to dmesh1 - the gate can't initiate its own
+  # connections to those ranges. Service VIPs can also use this simpler model.
+  # ip route add fd::/8 dev ${N}
+  ip route add 10.10.${N}.0/24 dev dmesh${N}
+
+  # Don't remember why this was required
+  echo 2 > /proc/sys/net/ipv4/conf/dmesh${N}/rp_filter
+  sysctl -w net.ipv4.ip_forward=1
+}
+
+# Setup routes
+# - add a routing table (1338) to dmesh
+# - all packets with mark 1338 will use the new routing table
+# - route 10.10.0.0/16 via the tun
+setup() {
+  # For iptables capture/marks:
+  # 101 means capture and send to TUN
+  ip route add default dev dmesh${N} table 1${N}1
+  ip rule add  fwmark 1${N}1 priority 10  lookup 1${N}1
+
+
+  # 100 means deliver to local host
+  ip route add local 0.0.0.0/0 dev lo table 1${N}0
+  ip rule add fwmark 1${N}0 lookup 1${N}0
+  # Anything from the TUN will be sent to localhost
+  # That means packets injected into TUN.
+  ip rule add iif dmesh${N} lookup 1${N}0
+  #ip route add local ::/0 dev lo table ${N}0
+}
+
+cleanup() {
+  # App must be stopped
+  ip tuntap del dev dmesh${N} mode tun
+
+  ip rule delete  fwmark 1{N}1 priority 10  lookup 1{N}1
+  ip route del default dev dmesh${N} table 1{N}1
+
+  ip rule del fwmark 1{N}0 lookup 1{N}0
+  ip rule del iif dmesh${N} lookup 1{N}0
+  ip route del local 0.0.0.0/0 dev lo table 1{N}0
+}
+
+
+stop() {
+  iptables -t mangle -D OUTPUT -j DMESH_MANGLE_OUT${N}
+  iptables -t mangle -D PREROUTING  -i dmesh${N} -j MARK --set-mark 1{N}0
+  #iptables -t mangle -D PREROUTING -j DMESH_MANGLE_PRE
+
+  iptables -t mangle -F DMESH_MANGLE_OUT${N} 2>/dev/null
+  iptables -t mangle -X DMESH_MANGLE_OUT${N} 2>/dev/null
+}
+
+# Setup will create route-based rules for the NAT.
+# This function intercepts additional packets, using
+# Istio-style rules.
+start() {
+  GID=$(id -g ${TUNUSER})
+
+  # -j MARK only works in mangle table !
+  # Allows selecting a different route table
+  # This is for preroute, i.e. incoming packets on an interface
+
+  # Mark packets injected into dmesh1 so they get injected into localhost
+  #iptables -t mangle -A DMESH_MANGLE_PRE -j MARK -p tcp --dport 5201 --set-mark 1338
+  iptables -t mangle -A PREROUTING -i dmesh${N} -j MARK --set-mark 1{N}0
+
+  # Capture outbound packets
+  iptables -t mangle -N DMESH_MANGLE_OUT${N}
+  iptables -t mangle -F DMESH_MANGLE_OUT${N}
+  iptables -t mangle -A DMESH_MANGLE_OUT${N} -m owner --gid-owner "${GID}" -j RETURN
+
+  # Capture everything else
+  #iptables -t mangle -A DMESH_MANGLE_OUT -j MARK --set-mark 1338
+
+  # Explicit
+  #iptables -t mangle -A DMESH_MANGLE_OUT -p tcp -d 169.254.169.254 -j DROP
+
+  # Explicit by-port capture, for testing
+  #  iptables -t mangle -A DMESH_MANGLE_OUT -j MARK -p tcp --dport 5201 --set-mark 1{N}1
+  iptables -t mangle -A DMESH_MANGLE_OUT${N} -j MARK -p udp --dport 12311 --set-mark 1{N}1
+
+  #iptables -t mangle -A DMESH_MANGLE_OUT -j MARK -p tcp --dport 80 --set-mark 1338
+
+  # Jump to the ISTIO_OUTPUT chain from OUTPUT chain for all tcp traffic.
+  iptables -t mangle -A OUTPUT -j DMESH_MANGLE_OUT${N}
+}
+
+if [ "$1" = "setup" ] ; then
+  setupTUN
+  setup
+elif [ "$1" = "start" ] ; then
+  start
+elif [  "$1" = "stop" ] ; then
+  stop
+elif [ "$1" = "clean" ] ; then
+  cleanup
+  stop
+fi

cmd/ugate/go.mod

@@ -12,16 +12,25 @@ replace github.com/costinm/ugate/ext/xds => ../../ext/xds
 
 replace github.com/costinm/ugate/ext/h2r => ../../ext/h2r
 
+replace github.com/costinm/ugate/ext/gvisor => ../../ext/gvisor
+
+replace github.com/costinm/ugate/ext/lwip => ../../ext/lwip
+
 replace github.com/costinm/ugate/ext/quic => ../../ext/quic
 
 replace github.com/lucas-clemente/quic-go => ../../../quic
 
+replace gvisor.dev/gvisor => github.com/costinm/gvisor v0.0.0-20210509154143-a94fe58cda62
+replace github.com/eycorsican/go-tun2socks => github.com/costinm/go-tun2socks v1.16.12-0.20210328172757-88f6d54235cb
+
 //replace github.com/lucas-clemente/quic-go => github.com/costinm/quic v0.5.1-0.20210425224043-9f67435d0255
 
 require (
 	github.com/costinm/ugate v0.0.0-20210425213441-05024f5e8910
 	github.com/costinm/ugate/dns v0.0.0-20210425213441-05024f5e8910
+	github.com/costinm/ugate/ext/gvisor v0.0.0-00010101000000-000000000000
 	github.com/costinm/ugate/ext/h2r v0.0.0-20210425213441-05024f5e8910
+	github.com/costinm/ugate/ext/lwip v0.0.0-00010101000000-000000000000
 	github.com/costinm/ugate/ext/quic v0.0.0-20210425213441-05024f5e8910
 	github.com/costinm/ugate/ext/webrtc v0.0.0-20210425213441-05024f5e8910
 	github.com/costinm/ugate/ext/xds v0.0.0-20210425213441-05024f5e8910
@@ -30,9 +39,7 @@ require (
 	github.com/pion/ice/v2 v2.1.6 // indirect
 	github.com/pion/rtp v1.6.5 // indirect
 	github.com/pion/webrtc/v3 v3.0.25 // indirect
+	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b // indirect
-	golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6 // indirect
-	golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7 // indirect
-	google.golang.org/genproto v0.0.0-20210423144448-3a41ef94ed2b // indirect
 	google.golang.org/grpc v1.37.0
 )