Share kernel Wireguard port with raw socket #826

Merged
merged 32 commits into from
May 3, 2023

@mlsmaycon (Collaborator) commented Apr 26, 2023

Describe your changes

These are initial changes to support a shared port between STUN (ICE agent) and the kernel WireGuard.

Implement single port mode for execution with kernel WireGuard interfaces using a raw socket listener.

BPF filters ensure that only STUN packets hit the raw socket.

Removed a lot of the proxy logic and direct mode exchange.

Now we are doing an extra hole punch to the remote WireGuard port for best-effort cases and support for old client's direct mode.

Issue ticket number and link

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary
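
The BPF filtering described above has to tell STUN apart from WireGuard traffic arriving on the same UDP port. As an added example (not NetBird's code), this Go function applies the RFC 5389 header checks that identify a STUN message and looks only at the bytes actually received; the segment layout (UDP header plus payload), the names `isSTUN` and `udpSegment`, and port 51820 are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	udpHdrLen   = 8
	stunHdrLen  = 20
	magicCookie = 0x2112A442 // fixed STUN header value, RFC 5389 section 6
)

// isSTUN reports whether the first n bytes of seg are a UDP segment (header +
// payload, an assumed layout) sent to port and carrying a STUN message.
func isSTUN(seg []byte, n int, port uint16) bool {
	if n < udpHdrLen+stunHdrLen || n > len(seg) {
		return false
	}
	seg = seg[:n] // bytes past n are stale buffer contents, never packet data
	if binary.BigEndian.Uint16(seg[2:4]) != port { // UDP destination port
		return false
	}
	p := seg[udpHdrLen:]
	// WireGuard message types 1-4 also have the two top bits clear,
	// so the magic cookie at payload offset 4 is the deciding check.
	if p[0]&0xC0 != 0 || binary.BigEndian.Uint32(p[4:8]) != magicCookie {
		return false
	}
	mlen := int(binary.BigEndian.Uint16(p[2:4])) // attribute bytes, 4-byte aligned
	return mlen%4 == 0 && stunHdrLen+mlen <= len(p)
}

// udpSegment builds a constructed test segment: UDP header plus payload.
func udpSegment(dstPort uint16, payload []byte) []byte {
	seg := make([]byte, udpHdrLen, udpHdrLen+len(payload))
	binary.BigEndian.PutUint16(seg[2:4], dstPort)
	binary.BigEndian.PutUint16(seg[4:6], uint16(udpHdrLen+len(payload)))
	return append(seg, payload...)
}

func main() {
	binding := make([]byte, stunHdrLen) // constructed STUN Binding Request
	binding[1] = 0x01
	binary.BigEndian.PutUint32(binding[4:8], magicCookie)
	wg := append([]byte{0x01}, make([]byte, 147)...) // constructed WireGuard initiation
	fmt.Println(isSTUN(udpSegment(51820, binding), 28, 51820)) // STUN
	fmt.Println(isSTUN(udpSegment(51820, wg), 156, 51820))     // WireGuard
}
```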

@mlsmaycon mlsmaycon changed the base branch from main to wg_use_forked_bind April 26, 2023 15:34
Base automatically changed from wg_use_forked_bind to main April 27, 2023 15:50
@mlsmaycon mlsmaycon changed the title from "Use raw socket with bpf filters for stun packets" to "Share kernel Wireguard port with raw socket" Apr 27, 2023
@mlsmaycon mlsmaycon requested review from pappz and braginini April 27, 2023 21:30
@mlsmaycon mlsmaycon marked this pull request as ready for review April 27, 2023 21:30
select {
case <-s.ctx.Done():
return
case s.packetDemux <- rcvdPacket{n, addr, buf[:], err}:
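Review bot: In the `rcvdPacket{n, addr, buf[:], err}` send, the slice shares its backing storage with the reader's buf, so if the read loop reuses buf for its next read, the consumer of s.packetDemux can see the packet overwritten before it is processed. Allocate a buffer per read or copy buf[:n] before sending. Keyed fields in the struct literal would also keep the order of n, addr, buf and err from silently breaking if rcvdPacket changes.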
Contributor

Makes no sense to create a new buf slice with the same content. Just pass the buf variable.

braginini previously approved these changes May 3, 2023

decodedLayers := make([]gopacket.LayerType, 0, 3)

err = parser.DecodeLayers(pkt.buf[:], &decodedLayers)
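Review bot: `parser.DecodeLayers(pkt.buf[:], &decodedLayers)` decodes the whole buffer rather than the bytes received, so stale or zero bytes past the read length are parsed as packet data. Slice the buffer to the received length carried with the packet before decoding, and check the err carried with the packet before this call if that is not already done.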
Contributor

At this point the buf may be half empty. Maybe we should handle the N variable to reduce the len of the slice.

@braginini braginini merged commit ecac82a into main May 3, 2023
@braginini braginini deleted the feature/use-raw-sock-with-bpf-filters branch May 3, 2023 12:47
pulsastrix pushed a commit to pulsastrix/netbird that referenced this pull request Dec 24, 2023
This PR brings support of a shared port between STUN (ICE agent) and
the kernel WireGuard

It implements a single port mode for execution with kernel WireGuard
interface using a raw socket listener.

BPF filters ensure that only STUN packets hit the NetBird userspace app

Removed a lot of the proxy logic and direct mode exchange.

Now we are doing an extra hole punch to the remote WireGuard 
port for best-effort cases and support to old client's direct mode.