From 47dcf8d68cd9e58220151a95e2f0c8fc11bae77f Mon Sep 17 00:00:00 2001
From: Viktor Liu <17948409+lixmal@users.noreply.github.com>
Date: Mon, 10 Mar 2025 14:55:07 +0100
Subject: [PATCH] Fix forwarder IP source/destination (#3463)

---
 client/firewall/uspfilter/forwarder/icmp.go | 4 +--
 client/firewall/uspfilter/forwarder/tcp.go | 8 +++---
 client/firewall/uspfilter/forwarder/udp.go | 29 +++++----------------
 3 files changed, 12 insertions(+), 29 deletions(-)

diff --git a/client/firewall/uspfilter/forwarder/icmp.go b/client/firewall/uspfilter/forwarder/icmp.go
index 833854a21..a21ec2c87 100644
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -117,8 +117,8 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T
 Direction: nftypes.Ingress,
 Protocol: nftypes.ICMP,
 // TODO: handle ipv6
- SourceIP: netip.AddrFrom4(id.LocalAddress.As4()),
- DestIP: netip.AddrFrom4(id.RemoteAddress.As4()),
+ SourceIP: netip.AddrFrom4(id.RemoteAddress.As4()),
+ DestIP: netip.AddrFrom4(id.LocalAddress.As4()),
 ICMPType: icmpType,
 ICMPCode: icmpCode,
 
diff --git a/client/firewall/uspfilter/forwarder/tcp.go b/client/firewall/uspfilter/forwarder/tcp.go
index c3e1eca80..71cd457ef 100644
--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -113,10 +113,10 @@ func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.Tr
 Direction: nftypes.Ingress,
 Protocol: nftypes.TCP,
 // TODO: handle ipv6
- SourceIP: netip.AddrFrom4(id.LocalAddress.As4()),
- DestIP: netip.AddrFrom4(id.RemoteAddress.As4()),
- SourcePort: id.LocalPort,
- DestPort: id.RemotePort,
+ SourceIP: netip.AddrFrom4(id.RemoteAddress.As4()),
+ DestIP: netip.AddrFrom4(id.LocalAddress.As4()),
+ SourcePort: id.RemotePort,
+ DestPort: id.LocalPort,
 }
 
 if ep != nil {
diff --git a/client/firewall/uspfilter/forwarder/udp.go b/client/firewall/uspfilter/forwarder/udp.go
index 20e1ee3a7..7ce85e2b6 100644
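Review bot: The orientation swap is right for an ingress event, but the `// TODO: handle ipv6` line kept directly above the new `netip.AddrFrom4(id.RemoteAddress.As4())` still means an IPv6 address on this path is not just logged wrongly: in the gVisor `tcpip` package as I know it, `Address.As4` panics when the address is not 4 bytes (worth confirming against the vendored version), so a v6 flow reaching sendICMPEvent would take the client down from inside the flow-logging path. `netip.AddrFromSlice(id.RemoteAddress.AsSlice())` accepts both lengths; computing `src, _ := netip.AddrFromSlice(id.RemoteAddress.AsSlice())` and `dst, _ := netip.AddrFromSlice(id.LocalAddress.AsSlice())` before the literal and assigning them to SourceIP/DestIP retires the TODO in the same place the orientation was fixed. If IPv6 provably cannot reach this forwarder, a comment saying so is the cheaper fix. sendICMPEvent's body begins and ends outside the hunk.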
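Review bot: Nothing on the new SourceIP/DestIP/SourcePort/DestPort lines says why Remote is now the source, so the mapping is as easy to invert again as it was before this fix; it holds only because `Direction: nftypes.Ingress` is hard-coded three lines up and, as I understand netstack's TransportEndpointID, Local is this stack's side and Remote the peer. I would state that above the four fields: `// Ingress: the peer (Remote*) originates the flow; the netstack-local endpoint (Local*) is its destination.` The diffstat shows no _test.go change, so a small test feeding sendTCPEvent a fixed TransportEndpointID and asserting the stored SourceIP/DestIP would pin the orientation, which matters because a swapped pair in the flow log attributes a connection to the wrong host for whoever reads it later. The function continues below the hunk (`if ep != nil {`).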
--- a/client/firewall/uspfilter/forwarder/udp.go
+++ b/client/firewall/uspfilter/forwarder/udp.go
@@ -89,21 +89,6 @@ func (f *udpForwarder) Stop() {
 }
 }
 
-// sendUDPEvent stores flow events for UDP connections
-func (f *udpForwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID) {
- f.flowLogger.StoreEvent(nftypes.EventFields{
- FlowID: flowID,
- Type: typ,
- Direction: nftypes.Ingress,
- Protocol: 17,
- // TODO: handle ipv6
- SourceIP: netip.AddrFrom4(id.LocalAddress.As4()),
- DestIP: netip.AddrFrom4(id.RemoteAddress.As4()),
- SourcePort: id.LocalPort,
- DestPort: id.RemotePort,
- })
-}
-
 // cleanup periodically removes idle UDP connections
 func (f *udpForwarder) cleanup() {
 ticker := time.NewTicker(time.Minute)
@@ -140,8 +125,6 @@ func (f *udpForwarder) cleanup() {
 f.Unlock()
 
 f.logger.Trace("forwarder: cleaned up idle UDP connection %v", epID(idle.id))
-
- f.sendUDPEvent(nftypes.TypeEnd, idle.conn.flowID, idle.id)
 }
 }
 }
@@ -270,18 +253,18 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 }
 }
 
-// sendUDPEvent stores flow events for UDP connections, mirrors the TCP version
+// sendUDPEvent stores flow events for UDP connections
 func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
 fields := nftypes.EventFields{
 FlowID: flowID,
 Type: typ,
 Direction: nftypes.Ingress,
- Protocol: 17, // UDP protocol number
+ Protocol: nftypes.UDP,
 // TODO: handle ipv6
- SourceIP: netip.AddrFrom4(id.LocalAddress.As4()),
- DestIP: netip.AddrFrom4(id.RemoteAddress.As4()),
- SourcePort: id.LocalPort,
- DestPort: id.RemotePort,
+ SourceIP: netip.AddrFrom4(id.RemoteAddress.As4()),
+ DestIP: netip.AddrFrom4(id.LocalAddress.As4()),
+ SourcePort: id.RemotePort,
+ DestPort: id.LocalPort,
 }
 
 if ep != nil {
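Review bot: The four new SourceIP/DestIP/SourcePort/DestPort lines are now byte-for-byte the same in sendICMPEvent, sendTCPEvent and this sendUDPEvent, which is exactly why the inversion had to be corrected in three files; a single package helper that fills those fields would leave one place to get the orientation right and one place to retire the `// TODO: handle ipv6`. Sketch below, with the TCP and ICMP callers switching to the same helper. This function continues past the hunk (`if ep != nil {`), and with the udpForwarder copy and its cleanup-path TypeEnd call deleted earlier in this file it is now the only UDP event emitter, so presumably proxyUDP's exit path also covers idle-reaped connections — worth confirming, since a missing end event leaves a flow open in the log.
```go
// setEndpointAddrs fills the address and port fields of an ingress flow
// event from a netstack endpoint id: the remote peer is the flow source,
// the netstack-local endpoint is its destination.
func setEndpointAddrs(fields *nftypes.EventFields, id stack.TransportEndpointID) {
	// TODO: handle ipv6
	fields.SourceIP = netip.AddrFrom4(id.RemoteAddress.As4())
	fields.DestIP = netip.AddrFrom4(id.LocalAddress.As4())
	fields.SourcePort = id.RemotePort
	fields.DestPort = id.LocalPort
}

func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
	fields := nftypes.EventFields{
		FlowID:    flowID,
		Type:      typ,
		Direction: nftypes.Ingress,
		Protocol:  nftypes.UDP,
	}
	setEndpointAddrs(&fields, id)
	// … unchanged: ep != nil handling and the StoreEvent call …
```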