tcp,udp: attempt port forward on remote proxies

Author: ignoramous

intra/dnsx/transport.go

@@ -66,6 +66,7 @@ const (
 	// preferred forwarding network, if any
 	// ipn.Base is treated as a no-proxy
 	NetBaseProxy = x.Base
+	NetAutoProxy = x.Auto
 	NetNoProxy   = x.Block
 	NetExitProxy = x.Exit
 
@@ -1243,6 +1244,11 @@ func IsLocalProxy(pid string) bool {
 		pid == NetNoProxy
 }
 
+// return true ipn.Auto
+func IsAutoProxy(pid string) bool {
+	return pid == NetAutoProxy
+}
+
 // RegisterAddrs registers IP ports with all dialers for a given hostname.
 // If id is dnsx.Bootstrap, the hostname is "protected" from re-resolutions.
 // hostname is a domain name, and as a special case, can be protect.UidSelf or protect.UidSystem.

intra/ipn/proxies.go

@@ -1425,14 +1425,18 @@ func local(id string) bool {
 	return id == Base || id == Block || id == Exit || id == Rpn64 || id == Ingress
 }
 
+func automatic(id string) bool {
+	return id == Auto
+}
+
 func noop(typ string) bool {
 	return typ == NOOP
 }
 
 // TODO: check for hops on "noop" transports; if those
 // are NOT hoppping, then those are NOT remote, either
 func Remote(id string) bool {
-	return !local(id)
+	return !local(id) || !automatic(id)
 }
 
 func hopping(r x.Router) bool {

intra/tcp.go

@@ -377,14 +377,16 @@ func (h *tcpHandler) handle(px ipn.Proxy, gconn *netstack.GTCPConn, src, target
 	}
 
 	var bindAddr netip.AddrPort
+	pid := pidstr(px)
 	eim := settings.EndpointIndependentMapping.Load()
 	portfwd := settings.PortForward.Load()
+	canportfwd := portfwd && ipn.Remote(pid)
 
-	if portfwd { // port forwarding overriden by eim
-		bindAddr = makeAnyAddrPort(src)
-	}
 	if eim { // bindAddr may be invalid
-		bindAddr = h.natLookup(pidstr(px), src, target)
+		bindAddr = h.natLookup(pid, src, target)
+	}
+	if !bindAddr.IsValid() && canportfwd { // port forwarding overriden by eim
+		bindAddr = makeAnyAddrPort(src)
 	}
 
 	var pc protect.Conn
@@ -393,8 +395,8 @@ func (h *tcpHandler) handle(px ipn.Proxy, gconn *netstack.GTCPConn, src, target
 	start := time.Now()
 
 	if settings.Debug {
-		log.VV("tcp: %s dial %s: attempt:  %s [%s [%s]] => %s for %s",
-			smm.ID, pidstr(px), src, gconn.LocalAddr(), bindAddr, targetstr, smm.UID)
+		log.VV("tcp: %s dial %s: attempt(eim? %t / fwd? %t / canfwd? %t):  %s [%s [%s]] => %s for %s",
+			smm.ID, pid, eim, portfwd, canportfwd, src, gconn.LocalAddr(), bindAddr, targetstr, smm.UID)
 	}
 
 	dialbindOK := false
@@ -405,7 +407,7 @@ func (h *tcpHandler) handle(px ipn.Proxy, gconn *netstack.GTCPConn, src, target
 		pc, err = px.Dialer().DialBind("tcp", bindAddr.String(), targetstr)
 		dialbindOK = err == nil
 		logwif(!dialbindOK)("tcp: %s dialbind ok? %t (%s [%s] => %s via %s); err? %v",
-			smm.ID, dialbindOK, src, bindAddr, targetstr, pidstr(px), err)
+			smm.ID, dialbindOK, src, bindAddr, targetstr, pid, err)
 	}
 	if !dialbindOK {
 		pc, err = px.Dialer().Dial("tcp", targetstr)

intra/udp.go

@@ -272,6 +272,8 @@ func (h *udpHandler) Connect(gconn *netstack.GUDPConn, src, target netip.AddrPor
 	var errs error
 	var selectedTarget netip.AddrPort
 
+	portfwd := settings.PortForward.Load()
+	canportfwd := portfwd
 	if mux {
 		if muxpid := h.mux.pid(src); len(muxpid) > 0 && containsPid(pids, muxpid) {
 			if settings.Debug {
@@ -283,8 +285,8 @@ func (h *udpHandler) Connect(gconn *netstack.GUDPConn, src, target netip.AddrPor
 	}
 
 	if settings.Debug {
-		log.VV("udp: connect: %s [%s] proxying %s => %s [%v]; pids: %s, mux? %t",
-			cid, uid, src, target, actualTargets, pids, mux)
+		log.VV("udp: connect: %s [%s] proxying %s => %s [%v]; pids: %s, mux? %t / fwd? %t",
+			cid, uid, src, target, actualTargets, pids, mux, canportfwd)
 	}
 
 	// note: fake-dns-ips shouldn't be un-nated / un-alg'd
@@ -301,20 +303,22 @@ func (h *udpHandler) Connect(gconn *netstack.GUDPConn, src, target netip.AddrPor
 		selectedTarget = dstipp
 
 		if err != nil || px == nil {
-			log.W("udp: connect: #%d: %s [%s] failed to get proxy from %s: %v", i, cid, uid, pidstr(px), err)
+			log.W("udp: connect: #%d: %s [%s] failed to get proxy from %s: %v", i, cid, uid, pxid, err)
 			errs = err // disconnect if loop terminates
 			continue
 		}
 
+		canportfwd = portfwd && ipn.Remote(pxid)
+
 		if mux { // mux is not supported by all proxies (few like Exit, Base, WG support it)
-			pc, err = h.mux.associate(cid, pxid, uid, src, selectedTarget, px.Dialer().Announce, vendor(dmx))
+			pc, err = h.mux.associate(cid, pxid, uid, src, selectedTarget, px.Dialer().Announce, vendor(dmx), canportfwd)
 		} else {
 			if settings.Debug {
-				log.VV("udp: connect: #%d: attempt: %s [%s] proxy(%s) to dst(%s); mux? %t",
-					i, cid, uid, pxid, selectedTarget, mux)
+				log.VV("udp: connect: #%d: attempt: %s [%s] proxy(%s) to dst(%s); mux? %t / fwd? %t",
+					i, cid, uid, pxid, selectedTarget, mux, canportfwd)
 			}
 
-			if settings.PortForward.Load() {
+			if canportfwd {
 				boundSrc := makeAnyAddrPort(src)
 				pc, err = px.Dialer().DialBind("udp", boundSrc.String(), selectedTarget.String())
 			} else {
@@ -329,8 +333,8 @@ func (h *udpHandler) Connect(gconn *netstack.GUDPConn, src, target netip.AddrPor
 		errs = err // store just the last err; complicates logging
 		end := time.Since(smm.start)
 		smm.Rtt = time.Since(rttstart).Milliseconds()
-		log.W("udp: connect: #%d: %s [%s] failed; mux? %t, addr(%s) / fallback? %t; (rtt:%dms, dur:%s) w err(%v)",
-			i, cid, uid, mux, dstipp, fallingback, smm.Rtt, core.FmtPeriod(end), err)
+		log.W("udp: connect: #%d: %s [%s] failed; mux? %t / fwd? %t, addr(%s) / fallback? %t; (rtt:%dms, dur:%s) w err(%v)",
+			i, cid, uid, mux, canportfwd, dstipp, fallingback, smm.Rtt, core.FmtPeriod(end), err)
 		if end > retryTimeout {
 			break
 		}
@@ -343,7 +347,8 @@ func (h *udpHandler) Connect(gconn *netstack.GUDPConn, src, target netip.AddrPor
 	}
 
 	if !selectedTarget.IsValid() {
-		log.E("udp: connect: %s [%s] no target addr for %s from %v", cid, uid, target, actualTargets)
+		log.E("udp: connect: %s [%s] no target addr for %s from %v",
+			cid, uid, target, actualTargets)
 		return nil, smm, errUdpNoTarget
 	}
 
@@ -354,8 +359,8 @@ func (h *udpHandler) Connect(gconn *netstack.GUDPConn, src, target netip.AddrPor
 	if errs != nil {
 		return nil, smm, errs // disconnect
 	} else if px == nil || pc == nil || core.IsNil(pc) {
-		log.W("udp: connect: %s [%s] no proxy/egress-conn (mux? %t) for addr(%s/%s)",
-			cid, uid, mux, target, selectedTarget)
+		log.W("udp: connect: %s [%s] no proxy/egress-conn (mux? %t / fwd? %t) for addr(%s/%s)",
+			cid, uid, mux, canportfwd, target, selectedTarget)
 		return nil, smm, errUdpSetupConn // disconnect
 	}
 
@@ -370,12 +375,12 @@ func (h *udpHandler) Connect(gconn *netstack.GUDPConn, src, target netip.AddrPor
 	default:
 		clos(pc)
 		log.E("udp: connect: %s [%s] proxy(%s) does not impl core.UDPConn(%s/%s); mux? %t",
-			cid, uid, pxid, target, selectedTarget, mux, uid)
+			cid, uid, pxid, target, selectedTarget, mux, canportfwd, uid)
 		return nil, smm, errUdpSetupConn // disconnect
 	}
 
-	log.I("udp: connect: %s [%s] (proxy? %s@%s) %v => %s/%s; fallback? %t / mux? %t",
-		cid, uid, pxid, px.GetAddr(), laddr, target, selectedTarget, fallingback, mux)
+	log.I("udp: connect: %s [%s] (proxy? %s@%s) %v => %s/%s; fallback? %t / mux? %t / fwd? %t",
+		cid, uid, pxid, px.GetAddr(), laddr, target, selectedTarget, fallingback, mux, canportfwd)
 
 	return pc, smm, nil // connect
 }

intra/udpmux.go

@@ -18,7 +18,6 @@ import (
 
 	"github.com/celzero/firestack/intra/core"
 	"github.com/celzero/firestack/intra/dialers"
-	"github.com/celzero/firestack/intra/ipn"
 	"github.com/celzero/firestack/intra/log"
 	"github.com/celzero/firestack/intra/settings"
 )
@@ -600,7 +599,7 @@ func (e *muxTable) pid(src netip.AddrPort) string {
 	return ""
 }
 
-func (e *muxTable) associate(cid, pid, uid string, src, dst netip.AddrPort, mk assocFn, v vendor) (_ net.Conn, err error) {
+func (e *muxTable) associate(cid, pid, uid string, src, dst netip.AddrPort, mk assocFn, v vendor, portfwd bool) (_ net.Conn, err error) {
 	e.Lock() // lock
 
 	pxm := e.t[pid]
@@ -621,7 +620,7 @@ func (e *muxTable) associate(cid, pid, uid string, src, dst netip.AddrPort, mk a
 			anyaddr = anyaddr4
 		}
 		anyaddrport := netip.AddrPortFrom(anyaddr, anyport)
-		if settings.PortForward.Load() || ipn.Remote(pid) {
+		if portfwd {
 			anyaddrport = netip.AddrPortFrom(anyaddr, src.Port())
 		}
 
@@ -637,8 +636,8 @@ func (e *muxTable) associate(cid, pid, uid string, src, dst netip.AddrPort, mk a
 			e.dissociate(cid, pid, src)
 		})
 		pxm[src] = mxr
-		log.I("udp: mux: %s new assoc for %s %s via %s",
-			cid, pid, src, anyaddrport)
+		log.I("udp: mux: %s new assoc for %s %s via %s; fwd? %t",
+			cid, pid, src, anyaddrport, portfwd)
 	}
 
 	if mxr.pid != pid {