wireguard-go/conn/conn.go

/* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2017-2023 WireGuard LLC. All Rights Reserved.
 */

// Package conn implements WireGuard's network connections.
package conn

import (
	"errors"
	"fmt"
	"net/netip"
	"reflect"
	"runtime"
	"strings"
)

const (
	IdealBatchSize = 128 // maximum number of packets handled per read and write
)

// A ReceiveFunc receives at least one packet from the network and writes them
// into packets. On a successful read it returns the number of elements of
// sizes, packets, and endpoints that should be evaluated. Some elements of
// sizes may be zero, and callers should ignore them. Callers must pass a sizes
// and eps slice with a length greater than or equal to the length of packets.
// These lengths must not exceed the length of the associated Bind.BatchSize().
type ReceiveFunc func(packets [][]byte, sizes []int, eps []Endpoint) (n int, err error)

// A Bind listens on a port for both IPv6 and IPv4 UDP traffic.
//
// A Bind interface may also be a PeekLookAtSocketFd or BindSocketToInterface,
// depending on the platform-specific implementation.
type Bind interface {
	// Open puts the Bind into a listening state on a given port and reports the actual
	// port that it bound to. Passing zero results in a random selection.
	// fns is the set of functions that will be called to receive packets.
	Open(port uint16) (fns []ReceiveFunc, actualPort uint16, err error)

	// Close closes the Bind listener.
	// All fns returned by Open must return net.ErrClosed after a call to Close.
	Close() error

	// SetMark sets the mark for each packet sent through this Bind.
	// This mark is passed to the kernel as the socket option SO_MARK.
	SetMark(mark uint32) error

	// Send writes one or more packets in buffs to address ep. The length of
	// buffs must not exceed BatchSize().
	Send(buffs [][]byte, ep Endpoint) error

	// ParseEndpoint creates a new endpoint from a string.
	ParseEndpoint(s string) (Endpoint, error)

	// BatchSize is the number of buffers expected to be passed to
	// the ReceiveFuncs, and the maximum expected to be passed to SendBatch.
	BatchSize() int
}

// BindSocketToInterface is implemented by Bind objects that support being
// tied to a single network interface. Used by wireguard-windows.
type BindSocketToInterface interface {
	BindSocketToInterface4(interfaceIndex uint32, blackhole bool) error
	BindSocketToInterface6(interfaceIndex uint32, blackhole bool) error
}

// PeekLookAtSocketFd is implemented by Bind objects that support having their
// file descriptor peeked at. Used by wireguard-android.
type PeekLookAtSocketFd interface {
	PeekLookAtSocketFd4() (fd int, err error)
	PeekLookAtSocketFd6() (fd int, err error)
}

// An Endpoint maintains the source/destination caching for a peer.
//
//	dst: the remote address of a peer ("endpoint" in uapi terminology)
//	src: the local address from which datagrams originate going to the peer
type Endpoint interface {
	ClearSrc()           // clears the source address
	SrcToString() string // returns the local source address (ip:port)
	DstToString() string // returns the destination address (ip:port)
	DstToBytes() []byte  // used for mac2 cookie calculations
	DstIP() netip.Addr
	SrcIP() netip.Addr
}

var (
	ErrBindAlreadyOpen   = errors.New("bind is already open")
	ErrWrongEndpointType = errors.New("endpoint type does not correspond with bind type")
)

func (fn ReceiveFunc) PrettyName() string {
	name := runtime.FuncForPC(reflect.ValueOf(fn).Pointer()).Name()
	// 0. cheese/taco.beansIPv6.func12.func21218-fm
	name = strings.TrimSuffix(name, "-fm")
	// 1. cheese/taco.beansIPv6.func12.func21218
	if idx := strings.LastIndexByte(name, '/'); idx != -1 {
		name = name[idx+1:]
		// 2. taco.beansIPv6.func12.func21218
	}
	for {
		var idx int
		for idx = len(name) - 1; idx >= 0; idx-- {
			if name[idx] < '0' || name[idx] > '9' {
				break
			}
		}
		if idx == len(name)-1 {
			break
		}
		const dotFunc = ".func"
		if !strings.HasSuffix(name[:idx+1], dotFunc) {
			break
		}
		name = name[:idx+1-len(dotFunc)]
		// 3. taco.beansIPv6.func12
		// 4. taco.beansIPv6
	}
	if idx := strings.LastIndexByte(name, '.'); idx != -1 {
		name = name[idx+1:]
		// 5. beansIPv6
	}
	if name == "" {
		return fmt.Sprintf("%p", fn)
	}
	if strings.HasSuffix(name, "IPv4") {
		return "v4"
	}
	if strings.HasSuffix(name, "IPv6") {
		return "v6"
	}
	return name
}
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`/* SPDX-License-Identifier: MIT`
			`*`
global: bump copyright year Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2022-09-20 17:21:32 +02:00			`* Copyright (C) 2017-2023 WireGuard LLC. All Rights Reserved.`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`*/`

			`// Package conn implements WireGuard's network connections.`
			`package conn`

			`import (`
			`"errors"`
conn: reconstruct v4 vs v6 receive function based on symtab This is kind of gross but it's better than the alternatives. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-04-10 01:21:35 +02:00			`"fmt"`
all: update to Go 1.18 Bump go.mod and README. Switch to upstream net/netip. Use strings.Cut. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com> 2022-03-17 00:09:48 +01:00			`"net/netip"`
conn: reconstruct v4 vs v6 receive function based on symtab This is kind of gross but it's better than the alternatives. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-04-10 01:21:35 +02:00			`"reflect"`
			`"runtime"`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`"strings"`
			`)`

conn, device, tun: implement vectorized I/O plumbing Accept packet vectors for reading and writing in the tun.Device and conn.Bind interfaces, so that the internal plumbing between these interfaces now passes a vector of packets. Vectors move untouched between these interfaces, i.e. if 128 packets are received from conn.Bind.Read(), 128 packets are passed to tun.Device.Write(). There is no internal buffering. Currently, existing implementations are only adjusted to have vectors of length one. Subsequent patches will improve that. Also, as a related fixup, use the unix and windows packages rather than the syscall package when possible. Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2023-03-02 23:48:02 +01:00			`const (`
conn: inch BatchSize toward being non-dynamic There's not really a use at the moment for making this configurable, and once bind_windows.go behaves like bind_std.go, we'll be able to use constants everywhere. So begin that simplification now. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2023-03-04 15:25:46 +01:00			`IdealBatchSize = 128 // maximum number of packets handled per read and write`
conn, device, tun: implement vectorized I/O plumbing Accept packet vectors for reading and writing in the tun.Device and conn.Bind interfaces, so that the internal plumbing between these interfaces now passes a vector of packets. Vectors move untouched between these interfaces, i.e. if 128 packets are received from conn.Bind.Read(), 128 packets are passed to tun.Device.Write(). There is no internal buffering. Currently, existing implementations are only adjusted to have vectors of length one. Subsequent patches will improve that. Also, as a related fixup, use the unix and windows packages rather than the syscall package when possible. Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2023-03-02 23:48:02 +01:00			`)`

			`// A ReceiveFunc receives at least one packet from the network and writes them`
			`// into packets. On a successful read it returns the number of elements of`
			`// sizes, packets, and endpoints that should be evaluated. Some elements of`
			`// sizes may be zero, and callers should ignore them. Callers must pass a sizes`
			`// and eps slice with a length greater than or equal to the length of packets.`
			`// These lengths must not exceed the length of the associated Bind.BatchSize().`
			`type ReceiveFunc func(packets [][]byte, sizes []int, eps []Endpoint) (n int, err error)`
all: make conn.Bind.Open return a slice of receive functions Instead of hard-coding exactly two sources from which to receive packets (an IPv4 source and an IPv6 source), allow the conn.Bind to specify a set of sources. Beneficial consequences: * If there's no IPv6 support on a system, conn.Bind.Open can choose not to return a receive function for it, which is simpler than tracking that state in the bind. This simplification removes existing data races from both conn.StdNetBind and bindtest.ChannelBind. * If there are more than two sources on a system, the conn.Bind no longer needs to add a separate muxing layer. Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com> 2021-03-31 22:55:18 +02:00
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`// A Bind listens on a port for both IPv6 and IPv4 UDP traffic.`
conn: add comments saying what uses these interfaces Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2020-06-22 02:40:59 +02:00			`//`
			`// A Bind interface may also be a PeekLookAtSocketFd or BindSocketToInterface,`
			`// depending on the platform-specific implementation.`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`type Bind interface {`
conn: make binds replacable Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-22 02:01:50 +01:00			`// Open puts the Bind into a listening state on a given port and reports the actual`
			`// port that it bound to. Passing zero results in a random selection.`
all: make conn.Bind.Open return a slice of receive functions Instead of hard-coding exactly two sources from which to receive packets (an IPv4 source and an IPv6 source), allow the conn.Bind to specify a set of sources. Beneficial consequences: * If there's no IPv6 support on a system, conn.Bind.Open can choose not to return a receive function for it, which is simpler than tracking that state in the bind. This simplification removes existing data races from both conn.StdNetBind and bindtest.ChannelBind. * If there are more than two sources on a system, the conn.Bind no longer needs to add a separate muxing layer. Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com> 2021-03-31 22:55:18 +02:00			`// fns is the set of functions that will be called to receive packets.`
			`Open(port uint16) (fns []ReceiveFunc, actualPort uint16, err error)`
conn: make binds replacable Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-22 02:01:50 +01:00
			`// Close closes the Bind listener.`
all: make conn.Bind.Open return a slice of receive functions Instead of hard-coding exactly two sources from which to receive packets (an IPv4 source and an IPv6 source), allow the conn.Bind to specify a set of sources. Beneficial consequences: * If there's no IPv6 support on a system, conn.Bind.Open can choose not to return a receive function for it, which is simpler than tracking that state in the bind. This simplification removes existing data races from both conn.StdNetBind and bindtest.ChannelBind. * If there are more than two sources on a system, the conn.Bind no longer needs to add a separate muxing layer. Signed-off-by: Josh Bleecher Snyder <josharian@gmail.com> 2021-03-31 22:55:18 +02:00			`// All fns returned by Open must return net.ErrClosed after a call to Close.`
conn: make binds replacable Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-22 02:01:50 +01:00			`Close() error`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00
			`// SetMark sets the mark for each packet sent through this Bind.`
			`// This mark is passed to the kernel as the socket option SO_MARK.`
			`SetMark(mark uint32) error`

conn, device, tun: implement vectorized I/O plumbing Accept packet vectors for reading and writing in the tun.Device and conn.Bind interfaces, so that the internal plumbing between these interfaces now passes a vector of packets. Vectors move untouched between these interfaces, i.e. if 128 packets are received from conn.Bind.Read(), 128 packets are passed to tun.Device.Write(). There is no internal buffering. Currently, existing implementations are only adjusted to have vectors of length one. Subsequent patches will improve that. Also, as a related fixup, use the unix and windows packages rather than the syscall package when possible. Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2023-03-02 23:48:02 +01:00			`// Send writes one or more packets in buffs to address ep. The length of`
			`// buffs must not exceed BatchSize().`
			`Send(buffs [][]byte, ep Endpoint) error`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00
conn: make binds replacable Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-22 02:01:50 +01:00			`// ParseEndpoint creates a new endpoint from a string.`
			`ParseEndpoint(s string) (Endpoint, error)`
conn, device, tun: implement vectorized I/O plumbing Accept packet vectors for reading and writing in the tun.Device and conn.Bind interfaces, so that the internal plumbing between these interfaces now passes a vector of packets. Vectors move untouched between these interfaces, i.e. if 128 packets are received from conn.Bind.Read(), 128 packets are passed to tun.Device.Write(). There is no internal buffering. Currently, existing implementations are only adjusted to have vectors of length one. Subsequent patches will improve that. Also, as a related fixup, use the unix and windows packages rather than the syscall package when possible. Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com> Signed-off-by: Jordan Whited <jordan@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2023-03-02 23:48:02 +01:00
			`// BatchSize is the number of buffers expected to be passed to`
			`// the ReceiveFuncs, and the maximum expected to be passed to SendBatch.`
			`BatchSize() int`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`}`

conn: fix windows situation with boundif This was evidently never tested before committing. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2020-06-07 09:24:06 +02:00			`// BindSocketToInterface is implemented by Bind objects that support being`
conn: add comments saying what uses these interfaces Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2020-06-22 02:40:59 +02:00			`// tied to a single network interface. Used by wireguard-windows.`
conn: fix windows situation with boundif This was evidently never tested before committing. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2020-06-07 09:24:06 +02:00			`type BindSocketToInterface interface {`
			`BindSocketToInterface4(interfaceIndex uint32, blackhole bool) error`
			`BindSocketToInterface6(interfaceIndex uint32, blackhole bool) error`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`}`

conn: unbreak boundif on android Another thing never tested ever. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2020-06-07 09:41:08 +02:00			`// PeekLookAtSocketFd is implemented by Bind objects that support having their`
conn: add comments saying what uses these interfaces Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2020-06-22 02:40:59 +02:00			`// file descriptor peeked at. Used by wireguard-android.`
conn: unbreak boundif on android Another thing never tested ever. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2020-06-07 09:41:08 +02:00			`type PeekLookAtSocketFd interface {`
			`PeekLookAtSocketFd4() (fd int, err error)`
			`PeekLookAtSocketFd6() (fd int, err error)`
			`}`

conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`// An Endpoint maintains the source/destination caching for a peer.`
			`//`
conn: make binds replacable Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-22 02:01:50 +01:00			`// dst: the remote address of a peer ("endpoint" in uapi terminology)`
			`// src: the local address from which datagrams originate going to the peer`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`type Endpoint interface {`
			`ClearSrc() // clears the source address`
			`SrcToString() string // returns the local source address (ip:port)`
			`DstToString() string // returns the destination address (ip:port)`
			`DstToBytes() []byte // used for mac2 cookie calculations`
global: use netip where possible now There are more places where we'll need to add it later, when Go 1.18 comes out with support for it in the "net" package. Also, allowedips still uses slices internally, which might be suboptimal. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-11-05 01:52:54 +01:00			`DstIP() netip.Addr`
			`SrcIP() netip.Addr`
conn: introduce new package that splits out the Bind and Endpoint types The sticky socket code stays in the device package for now, as it reaches deeply into the peer list. This is the first step in an effort to split some code out of the very busy device package. Signed-off-by: David Crawshaw <crawshaw@tailscale.com> 2019-11-07 17:13:05 +01:00			`}`

conn: reconstruct v4 vs v6 receive function based on symtab This is kind of gross but it's better than the alternatives. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-04-10 01:21:35 +02:00			`var (`
			`ErrBindAlreadyOpen = errors.New("bind is already open")`
			`ErrWrongEndpointType = errors.New("endpoint type does not correspond with bind type")`
			`)`

			`func (fn ReceiveFunc) PrettyName() string {`
			`name := runtime.FuncForPC(reflect.ValueOf(fn).Pointer()).Name()`
			`// 0. cheese/taco.beansIPv6.func12.func21218-fm`
			`name = strings.TrimSuffix(name, "-fm")`
			`// 1. cheese/taco.beansIPv6.func12.func21218`
			`if idx := strings.LastIndexByte(name, '/'); idx != -1 {`
			`name = name[idx+1:]`
			`// 2. taco.beansIPv6.func12.func21218`
			`}`
			`for {`
			`var idx int`
			`for idx = len(name) - 1; idx >= 0; idx-- {`
			`if name[idx] < '0' \|\| name[idx] > '9' {`
			`break`
			`}`
			`}`
			`if idx == len(name)-1 {`
			`break`
			`}`
			`const dotFunc = ".func"`
			`if !strings.HasSuffix(name[:idx+1], dotFunc) {`
			`break`
			`}`
			`name = name[:idx+1-len(dotFunc)]`
			`// 3. taco.beansIPv6.func12`
			`// 4. taco.beansIPv6`
			`}`
			`if idx := strings.LastIndexByte(name, '.'); idx != -1 {`
			`name = name[idx+1:]`
			`// 5. beansIPv6`
			`}`
			`if name == "" {`
			`return fmt.Sprintf("%p", fn)`
			`}`
			`if strings.HasSuffix(name, "IPv4") {`
			`return "v4"`
			`}`
			`if strings.HasSuffix(name, "IPv6") {`
			`return "v6"`
			`}`
			`return name`
			`}`