tstest/natlab/vnet: add port mapping

Updates #13038 Change-Id: Iaf274d250398973790873534b236d5cbb34fbe0e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 months ago · 6798f8ea88
parent 12764e9db4
commit 6798f8ea88
4 changed files with 185 additions and 11 deletions
--- a/cmd/vnet/vnet-main.go
+++ b/cmd/vnet/vnet-main.go
@ -14,6 +14,7 @@ import (
 	"time"
 	"tailscale.com/tstest/natlab/vnet"
 	"tailscale.com/types/logger"
 )
 var (
@ -78,7 +79,7 @@ func main() {
 				log.Printf("NodeStatus: %v", err)
 				return
 			}
-			log.Printf("NodeStatus: %q", st)
+			log.Printf("NodeStatus: %v", logger.AsJSON(st))
 		}
 		for {
 			time.Sleep(5 * time.Second)
--- a/tstest/integration/nat/nat_test.go
+++ b/tstest/integration/nat/nat_test.go
@ -61,6 +61,13 @@ func hard(c *vnet.Config) *vnet.Node {
 		fmt.Sprintf("10.0.%d.1/24", n), vnet.HardNAT))
 }
 func hardPMP(c *vnet.Config) *vnet.Node {
 	n := c.NumNodes() + 1
 	return c.AddNode(c.AddNetwork(
 		fmt.Sprintf("2.%d.%d.%d", n, n, n), // public IP
 		fmt.Sprintf("10.7.%d.1/24", n), vnet.HardNAT, vnet.NATPMP))
 }
 func (nt *natTest) runTest(node1, node2 addNodeFunc) {
 	t := nt.tb
@ -185,7 +192,7 @@ func ping(ctx context.Context, c *vnet.NodeAgentClient, target netip.Addr) (*ipn
 	n := 0
 	var res *ipnstate.PingResult
 	anyPong := false
-	for {
+	for n < 10 {
 		n++
 		pr, err := c.PingWithOpts(ctx, target, tailcfg.PingDisco, tailscale.PingOpts{})
 		if err != nil {
@ -200,9 +207,16 @@ func ping(ctx context.Context, c *vnet.NodeAgentClient, target netip.Addr) (*ipn
 		if pr.DERPRegionID == 0 {
 			return pr, nil
 		}
-		time.Sleep(time.Second)
+		select {
 		case <-ctx.Done():
 		case <-time.After(time.Second):
 		}
 		res = pr
 	}
 	if res == nil {
 		return nil, errors.New("no ping response")
 	}
 	return res, nil
 }
 func up(ctx context.Context, c *vnet.NodeAgentClient) error {
@ -228,7 +242,11 @@ func TestEasyEasy(t *testing.T) {
 }
 func TestEasyHard(t *testing.T) {
 	t.Skip()
 	nt := newNatTest(t)
 	nt.runTest(easy, hard)
 }
 func TestEasyHardPMP(t *testing.T) {
 	nt := newNatTest(t)
 	nt.runTest(easy, hardPMP)
 }
--- a/tstest/natlab/vnet/nat.go
+++ b/tstest/natlab/vnet/nat.go
@ -33,7 +33,11 @@ type IPPool interface {
 	// and if so, its IP address.
 	SoleLANIP() (_ netip.Addr, ok bool)
-	// TODO: port availability stuff for interacting with portmapping
+	// IsPublicPortUsed reports whether the provided WAN IP+port is in use by
 	// anything. (In particular, the NAT-PMP/etc port mappers might have taken
 	// a port.) Implementations should check this before allocating a port,
 	// and then they should report IsPublicPortUsed themselves for that port.
 	IsPublicPortUsed(netip.AddrPort) bool
 }
 // newTableFunc is a constructor for a NAT table.
@ -86,6 +90,10 @@ type NATTable interface {
 	// address of a machine on the local network address, usually a private
 	// LAN IP.
 	PickIncomingDst(src, dst netip.AddrPort, at time.Time) (lanDst netip.AddrPort)
 	// IsPublicPortUsed reports whether the provided WAN IP+port is in use by
 	// anything. The port mapper uses this to avoid grabbing an in-use port.
 	IsPublicPortUsed(netip.AddrPort) bool
 }
 // oneToOneNAT is a 1:1 NAT, like a typical EC2 VM.
@ -112,6 +120,10 @@ func (n *oneToOneNAT) PickIncomingDst(src, dst netip.AddrPort, at time.Time) (la
 	return netip.AddrPortFrom(n.lanIP, dst.Port())
 }
 func (n *oneToOneNAT) IsPublicPortUsed(netip.AddrPort) bool {
 	return true // all ports are owned by the 1:1 NAT
 }
 type srcDstTuple struct {
 	src netip.AddrPort
 	dst netip.AddrPort
@ -136,6 +148,7 @@ type lanAddrAndTime struct {
 // This is shown as "MappingVariesByDestIP: true" by netcheck, and what
 // Tailscale calls "Hard NAT".
 type hardNAT struct {
 	pool  IPPool
 	wanIP netip.Addr
 	out map[srcDstTuple]portMappingAndTime
@ -144,10 +157,22 @@ type hardNAT struct {
 func init() {
 	registerNATType(HardNAT, func(p IPPool) (NATTable, error) {
-		return &hardNAT{wanIP: p.WANIP()}, nil
+		return &hardNAT{pool: p, wanIP: p.WANIP()}, nil
 	})
 }
 func (n *hardNAT) IsPublicPortUsed(ap netip.AddrPort) bool {
 	if ap.Addr() != n.wanIP {
 		return false
 	}
 	for k := range n.in {
 		if k.wanPort == ap.Port() {
 			return true
 		}
 	}
 	return false
 }
 func (n *hardNAT) PickOutgoingSrc(src, dst netip.AddrPort, at time.Time) (wanSrc netip.AddrPort) {
 	ko := srcDstTuple{src, dst}
 	if pm, ok := n.out[ko]; ok {
@ -165,6 +190,10 @@ func (n *hardNAT) PickOutgoingSrc(src, dst netip.AddrPort, at time.Time) (wanSrc
 	// by tests and doesn't care about performance, this is good enough.
 	for {
 		port := rand.N(uint16(32<<10)) + 32<<10 // pick some "ephemeral" port
 		if n.pool.IsPublicPortUsed(netip.AddrPortFrom(n.wanIP, port)) {
 			continue
 		}
 		ki := hardKeyIn{wanPort: port, src: dst}
 		if _, ok := n.in[ki]; ok {
 			// Port already in use.
@ -197,6 +226,7 @@ func (n *hardNAT) PickIncomingDst(src, dst netip.AddrPort, at time.Time) (lanDst
 // Unlike Linux, this implementation is capped at 32k entries and doesn't resort
 // to other allocation strategies when all 32k WAN ports are taken.
 type easyNAT struct {
 	pool    IPPool
 	wanIP   netip.Addr
 	out     map[netip.AddrPort]portMappingAndTime
 	in      map[uint16]lanAddrAndTime
@ -205,10 +235,18 @@ type easyNAT struct {
 func init() {
 	registerNATType(EasyNAT, func(p IPPool) (NATTable, error) {
-		return &easyNAT{wanIP: p.WANIP()}, nil
+		return &easyNAT{pool: p, wanIP: p.WANIP()}, nil
 	})
 }
 func (n *easyNAT) IsPublicPortUsed(ap netip.AddrPort) bool {
 	if ap.Addr() != n.wanIP {
 		return false
 	}
 	_, ok := n.in[ap.Port()]
 	return ok
 }
 func (n *easyNAT) PickOutgoingSrc(src, dst netip.AddrPort, at time.Time) (wanSrc netip.AddrPort) {
 	mak.Set(&n.lastOut, srcDstTuple{src, dst}, at)
 	if pm, ok := n.out[src]; ok {
@ -224,6 +262,9 @@ func (n *easyNAT) PickOutgoingSrc(src, dst netip.AddrPort, at time.Time) (wanSrc
 		port := 32<<10 + (start+off)%(32<<10)
 		if _, ok := n.in[port]; !ok {
 			wanAddr := netip.AddrPortFrom(n.wanIP, port)
 			if n.pool.IsPublicPortUsed(wanAddr) {
 				continue
 			}
 			// Found a free port.
 			mak.Set(&n.out, src, portMappingAndTime{port: port, at: at})
--- a/tstest/natlab/vnet/vnet.go
+++ b/tstest/natlab/vnet/vnet.go
@ -23,6 +23,7 @@ import (
 	"fmt"
 	"io"
 	"log"
 	"math/rand/v2"
 	"net"
 	"net/http"
 	"net/http/httptest"
@ -394,6 +395,11 @@ func (m MAC) String() string {
 	return fmt.Sprintf("%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5])
 }
 type portMapping struct {
 	dst    netip.AddrPort // LAN IP:port
 	expiry time.Time
 }
 type network struct {
 	s         *Server
 	mac       MAC
@ -408,6 +414,7 @@ type network struct {
 	natStyle syncs.AtomicValue[NAT]
 	natMu    sync.Mutex // held while using + changing natTable
 	natTable NATTable
 	portMap  map[netip.AddrPort]portMapping // WAN ip:port -> LAN ip:port
 	// writeFunc is a map of MAC -> func to write to that MAC.
 	// It contains entries for connected nodes only.
@ -1201,7 +1208,78 @@ func (n *network) doNATOut(src, dst netip.AddrPort) (newSrc netip.AddrPort) {
 func (n *network) doNATIn(src, dst netip.AddrPort) (newDst netip.AddrPort) {
 	n.natMu.Lock()
 	defer n.natMu.Unlock()
-	return n.natTable.PickIncomingDst(src, dst, time.Now())
+
 	now := time.Now()
 	// First see if there's a port mapping, before doing NAT.
 	if lanAP, ok := n.portMap[dst]; ok {
 		if now.Before(lanAP.expiry) {
 			log.Printf("XXX NAT: doNatIn: port mapping %v=>%v", dst, lanAP.dst)
 			return lanAP.dst
 		}
 		log.Printf("XXX NAT: doNatIn: port mapping EXPIRED for %v=>%v", dst, lanAP.dst)
 		delete(n.portMap, dst)
 		return netip.AddrPort{}
 	}
 	if len(n.portMap) > 0 {
 		log.Printf("XXX NAT: doNatIn: no port mapping for %v; have %v", dst, n.portMap)
 	}
 	return n.natTable.PickIncomingDst(src, dst, now)
 }
 // IsPublicPortUsed reports whether the given public port is currently in use.
 //
 // n.natMu must be held by the caller. (It's only called by nat implementations
 // which are always called with natMu held))
 func (n *network) IsPublicPortUsed(ap netip.AddrPort) bool {
 	_, ok := n.portMap[ap]
 	return ok
 }
 func (n *network) doPortMap(src netip.Addr, dstLANPort, wantExtPort uint16, sec int) (gotPort uint16, ok bool) {
 	n.natMu.Lock()
 	defer n.natMu.Unlock()
 	if !n.portmap {
 		return 0, false
 	}
 	wanAP := netip.AddrPortFrom(n.wanIP, wantExtPort)
 	dst := netip.AddrPortFrom(src, dstLANPort)
 	if sec == 0 {
 		lanAP, ok := n.portMap[wanAP]
 		if ok && lanAP.dst.Addr() == src {
 			delete(n.portMap, wanAP)
 		}
 		return 0, false
 	}
 	// See if they already have a mapping and extend expiry if so.
 	for k, v := range n.portMap {
 		if v.dst == dst {
 			n.portMap[k] = portMapping{
 				dst:    dst,
 				expiry: time.Now().Add(time.Duration(sec) * time.Second),
 			}
 			return k.Port(), true
 		}
 	}
 	for try := 0; try < 20_000; try++ {
 		if wanAP.Port() > 0 && !n.natTable.IsPublicPortUsed(wanAP) {
 			mak.Set(&n.portMap, wanAP, portMapping{
 				dst:    dst,
 				expiry: time.Now().Add(time.Duration(sec) * time.Second),
 			})
 			log.Printf("XXX allocated NAT mapping from %v to %v", wanAP, dst)
 			return wanAP.Port(), true
 		}
 		wantExtPort = rand.N(uint16(32<<10)) + 32<<10
 		wanAP = netip.AddrPortFrom(n.wanIP, wantExtPort)
 	}
 	return 0, false
 }
 func (n *network) createARPResponse(pkt gopacket.Packet) ([]byte, error) {
@ -1254,6 +1332,9 @@ func (n *network) createARPResponse(pkt gopacket.Packet) ([]byte, error) {
 }
 func (n *network) handleNATPMPRequest(req UDPPacket) {
 	if !n.portmap {
 		return
 	}
 	if string(req.Payload) == "\x00\x00" {
 		// https://www.rfc-editor.org/rfc/rfc6886#section-3.2
@ -1274,8 +1355,43 @@ func (n *network) handleNATPMPRequest(req UDPPacket) {
 		return
 	}
 	// Map UDP request
 	if len(req.Payload) == 12 && req.Payload[0] == 0 && req.Payload[1] == 1 {
 		// https://www.rfc-editor.org/rfc/rfc6886#section-3.3
 		// "00 01 00 00 ed 40 00 00 00 00 1c 20" =>
 		//   00 ver
 		//   01 op=map UDP
 		//   00 00 reserved  (0 in request; in response, this is the result code)
 		//   ed 40 internal port 60736
 		//   00 00 suggested external port
 		//   00 00 1c 20 suggested lifetime in seconds (7200 sec = 2 hours)
 		internalPort := binary.BigEndian.Uint16(req.Payload[4:6])
 		wantExtPort := binary.BigEndian.Uint16(req.Payload[6:8])
 		lifetimeSec := binary.BigEndian.Uint32(req.Payload[8:12])
 		gotPort, ok := n.doPortMap(req.Src.Addr(), internalPort, wantExtPort, int(lifetimeSec))
 		if !ok {
 			log.Printf("NAT-PMP map request for %v:%d failed", req.Src.Addr(), internalPort)
 			return
 		}
 		res := make([]byte, 0, 16)
 		res = append(res,
 			0,     // version 0 (NAT-PMP)
 			1+128, // response to op 1
 			0, 0,  // result code success
 		)
 		res = binary.BigEndian.AppendUint32(res, uint32(time.Now().Unix()))
 		res = binary.BigEndian.AppendUint16(res, internalPort)
 		res = binary.BigEndian.AppendUint16(res, gotPort)
 		res = binary.BigEndian.AppendUint32(res, lifetimeSec)
 		n.WriteUDPPacketNoNAT(UDPPacket{
 			Src:     req.Dst,
 			Dst:     req.Src,
 			Payload: res,
 		})
 		return
 	}
 	log.Printf("TODO: handle NAT-PMP packet % 02x", req.Payload)
-	// TODO: handle NAT-PMP packet 00 01 00 00 ed 40 00 00 00 00 1c 20
+
 }
 // UDPPacket is a UDP packet.
@ -1349,11 +1465,9 @@ func (s *Server) takeAgentConnOne(n *node) (_ *agentConn, ok bool) {
 	for ac := range s.agentConns {
 		if ac.node == n {
 			s.agentConns.Delete(ac)
 			log.Printf("XXX takeAgentConnOne HIT for %v", n.mac)
 			return ac, true
 		}
 	}
 	log.Printf("XXX takeAgentConnOne MISS for %v", n.mac)
 	return nil, false
 }