connmap: track [destaddr, (cid,uid)]

ignoramous · ignoramous · commit 5ddf68001472 · 2024-04-09T21:59:22.000+05:30
Track both owner uid and connection id against a destination address to later
filter out connection to destination that were attributed to protect.UidSelf
(which are connections owned by Rethink). protect.UidSelf is ever useful
in Loopback mode (routing Rethink's traffic back within Rethink's tunnel),
and so, it mostly contains, among genuine traffic originating from Rethink
(like DNS queries to user-selected upstreams, for example), traffic "mirrored"
or duplicated (cloned) to the same destination (as it was loopbacked in)
belonging to another uid. Tracking both (cid, uid) against a destination addr
lets us ignore all protect.UidSelf connections as "non-mirrored".
diff --git a/intra/common.go b/intra/common.go
@@ -19,6 +19,7 @@ import (
 	"github.com/celzero/firestack/intra/core"
 	"github.com/celzero/firestack/intra/dnsx"
 	"github.com/celzero/firestack/intra/log"
+	"github.com/celzero/firestack/intra/protect"
 )
 
 // pipe copies data from src to dst, and returns the number of bytes copied.
@@ -67,8 +68,10 @@ func download(cid string, local net.Conn, remote net.Conn) (n int64, err error)
 // It also sends a summary to the listener when done. Always called in a goroutine.
 func forward(local net.Conn, remote net.Conn, t core.ConnMapper, l SocketListener, smm *SocketSummary) {
 	cid := smm.ID
+	uid := smm.UID
+	ct := core.ConnTuple{CID: cid, UID: uid}
 
-	t.Track(cid, local, remote)
+	t.Track(ct, local, remote)
 	defer t.Untrack(cid)
 
 	uploadch := make(chan ioinfo)
@@ -136,14 +139,6 @@ func stall(m *core.ExpMap, k string) (secs uint32) {
 	return
 }
 
-func netipFrom(ip net.IP) *netip.Addr {
-	if addr, ok := netip.AddrFromSlice(ip); ok {
-		addr = addr.Unmap()
-		return &addr
-	}
-	return nil
-}
-
 func oneRealIp(realips string, origipp netip.AddrPort) netip.AddrPort {
 	if len(realips) <= 0 {
 		return origipp
@@ -208,7 +203,7 @@ func hasActiveConn(cm core.ConnMapper, ip, ips string) bool {
 		return false
 	}
 	// TODO: filter by protocol (tcp/udp) when finding conns
-	return len(cm.Find(ip)) > 0 || len(cm.FindAny(ips)) > 0
+	return !hasSelfUid(cm.Find(ip), true) || !hasSelfUid(cm.FindAll(ips), true)
 }
 
 // returns proxy-id, conn-id, user-id
@@ -227,26 +222,6 @@ func ipp(addr net.Addr) (netip.AddrPort, error) {
 	return netip.ParseAddrPort(addr.String())
 }
 
-func addr2ip(a net.Addr) string {
-	if a == nil {
-		return ""
-	}
-	switch x := a.(type) {
-	case *net.TCPAddr:
-		return x.IP.String()
-	case *net.UDPAddr:
-		return x.IP.String()
-	case *net.IPAddr:
-		return x.IP.String()
-	case *net.IPNet:
-		return x.IP.String()
-	}
-	if b, err := netip.ParseAddrPort(a.String()); err == nil {
-		return b.Addr().String()
-	}
-	return ""
-}
-
 func conn2str(a net.Conn, b net.Conn) string {
 	ar := a.RemoteAddr()
 	br := b.RemoteAddr()
@@ -266,6 +241,18 @@ func closeconns(cm core.ConnMapper, cids []string) (closed []string) {
 	return closed
 }
 
+func hasSelfUid(t []core.ConnTuple, d bool) bool {
+	if len(t) <= 0 {
+		return d // default
+	}
+	for _, x := range t {
+		if x.UID == protect.UidSelf {
+			return true
+		}
+	}
+	return false // regardless of d
+}
+
 func clos(c ...net.Conn) {
 	for _, x := range c {
 		if x != nil {
diff --git a/intra/core/connmap.go b/intra/core/connmap.go
@@ -12,48 +12,55 @@ import (
 	"sync"
 )
 
+type ConnTuple struct {
+	CID string // conn id
+	UID string // proc id
+}
+
 type ConnMapper interface {
 	Clear() []string
-	Track(id string, x ...net.Conn) int
-	Find(dst string) (ids []string)
-	FindAny(csvdst string) (ids []string)
-	Get(id string) []net.Conn
-	Untrack(id string) int
-	UntrackBatch(ids []string) []string
+	Track(t ConnTuple, x ...net.Conn) int
+	Find(dst string) (t []ConnTuple)
+	FindAll(csvdst string) (t []ConnTuple)
+	Get(cid string) []net.Conn
+	Untrack(cid string) int
+	UntrackBatch(cids []string) []string
 }
 
 type cm struct {
 	sync.RWMutex
-	conntracker map[string][]net.Conn // id -> conns
-	dsttracker  map[string][]string   // dst ipport -> ids
+	conntracker map[string][]net.Conn  // id -> conns
+	dsttracker  map[string][]ConnTuple // dst ipport -> conntuple
 }
 
 var _ ConnMapper = (*cm)(nil)
 
 func NewConnMap() *cm {
 	return &cm{
 		conntracker: make(map[string][]net.Conn),
-		dsttracker:  make(map[string][]string),
+		dsttracker:  make(map[string][]ConnTuple),
 	}
 }
 
-func (h *cm) Track(cid string, conns ...net.Conn) (n int) {
+func (h *cm) Track(t ConnTuple, conns ...net.Conn) (n int) {
 	h.Lock()
 	defer h.Unlock()
 
+	cid := t.CID
+
 	if v, ok := h.conntracker[cid]; !ok {
 		h.conntracker[cid] = conns
 		n = len(conns)
 	} else { // should not happen?
 		h.conntracker[cid] = append(v, conns...)
 		n = len(v) + len(conns)
 	}
-	h.trackDstLocked(cid, conns)
+	h.trackDstLocked(t, conns)
 
 	return
 }
 
-func (h *cm) trackDstLocked(cid string, conns []net.Conn) {
+func (h *cm) trackDstLocked(t ConnTuple, conns []net.Conn) {
 	for _, c := range conns {
 		if c == nil {
 			continue
@@ -63,10 +70,10 @@ func (h *cm) trackDstLocked(cid string, conns []net.Conn) {
 			continue
 		}
 		dst := raddr.String()
-		if ids, ok := h.dsttracker[dst]; ok {
-			h.dsttracker[dst] = append(ids, cid)
+		if tups, ok := h.dsttracker[dst]; ok {
+			h.dsttracker[dst] = append(tups, t)
 		} else {
-			h.dsttracker[dst] = []string{cid}
+			h.dsttracker[dst] = []ConnTuple{t}
 		}
 	}
 }
@@ -92,12 +99,12 @@ func (h *cm) untrackDstLocked(cid string, c net.Conn) {
 		return
 	}
 	dst := raddr.String()
-	if ids, ok := h.dsttracker[dst]; ok {
-		for i, id := range ids {
-			if id == cid {
+	if tups, ok := h.dsttracker[dst]; ok {
+		for i, t := range tups {
+			if t.CID == cid {
 				// ids[i+1:] does not panic if i+1 is out of range
 				// go.dev/play/p/troeQ5djf9h
-				h.dsttracker[dst] = append(ids[:i], ids[i+1:]...)
+				h.dsttracker[dst] = append(tups[:i], tups[i+1:]...)
 				break
 			}
 		}
@@ -125,31 +132,33 @@ func (h *cm) UntrackBatch(cids []string) (out []string) {
 	return
 }
 
-func (h *cm) Get(id string) (conns []net.Conn) {
+func (h *cm) Get(cid string) (conns []net.Conn) {
 	h.RLock()
 	defer h.RUnlock()
 
-	if conns, ok := h.conntracker[id]; ok {
+	if conns, ok := h.conntracker[cid]; ok {
 		return conns
 	}
 	return
 }
 
-func (h *cm) Find(dst string) (ids []string) {
+func (h *cm) Find(dst string) (tups []ConnTuple) {
 	if len(dst) == 0 {
 		return
 	}
 
 	h.RLock()
 	defer h.RUnlock()
 
-	if ids, ok := h.dsttracker[dst]; ok {
-		return ids
+	if tups, ok := h.dsttracker[dst]; ok {
+		return tups
 	}
 	return
 }
 
-func (h *cm) FindAny(csvdst string) (ids []string) {
+func (h *cm) FindAll(csvdst string) (out []ConnTuple) {
+	out = make([]ConnTuple, 0)
+
 	if len(csvdst) == 0 {
 		return
 	}
@@ -159,25 +168,25 @@ func (h *cm) FindAny(csvdst string) (ids []string) {
 
 	dsts := strings.Split(csvdst, ",")
 	for _, dst := range dsts {
-		if ids, ok := h.dsttracker[string(dst)]; ok {
-			return ids
+		if tups, ok := h.dsttracker[dst]; ok {
+			out = append(out, tups...)
 		}
 	}
 	return
 }
 
-func (h *cm) Clear() (ids []string) {
+func (h *cm) Clear() (cids []string) {
 	h.Lock()
 	defer h.Unlock()
 
-	ids = make([]string, 0, len(h.conntracker))
+	cids = make([]string, 0, len(h.conntracker))
 	for k, v := range h.conntracker {
 		for _, c := range v {
 			if c != nil {
 				go c.Close()
 			}
 		}
-		ids = append(ids, k)
+		cids = append(cids, k)
 	}
 	clear(h.conntracker)
 	clear(h.dsttracker)
