/* * ZeroTier One - Network Virtualization Everywhere * Copyright (C) 2011-2015 ZeroTier, Inc. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * -- * * ZeroTier may be used and distributed under the terms of the GPLv3, which * are available at: http://www.gnu.org/licenses/gpl-3.0.html * * If you would like to embed ZeroTier into a commercial application or * redistribute it in a modified binary form, please contact ZeroTier Networks * LLC. Start here: http://www.zerotier.com/ */ #include #include #include #include #include #include #include #include #include #include #include #include #include "../osdep/Phy.hpp" #define ZT_TCP_PROXY_UDP_POOL_SIZE 1024 #define ZT_TCP_PROXY_UDP_POOL_START_PORT 10000 #define ZT_TCP_PROXY_CONNECTION_TIMEOUT_SECONDS 300 #define ZT_TCP_PROXY_TCP_PORT 443 using namespace ZeroTier; /* * ZeroTier TCP Proxy Server * * This implements a simple packet encapsulation that is designed to look like * a TLS connection. It's not a TLS connection, but it sends TLS format record * headers. It could be extended in the future to implement a fake TLS * handshake. * * At the moment, each packet is just made to look like TLS application data: * <[1] TLS content type> - currently 0x17 for "application data" * <[1] TLS major version> - currently 0x03 for TLS 1.2 * <[1] TLS minor version> - currently 0x03 for TLS 1.2 * <[2] payload length> - 16-bit length of payload in bytes * <[...] payload> - Message payload * * TCP is inherently inefficient for encapsulating Ethernet, since TCP and TCP * like protocols over TCP lead to double-ACKs. So this transport is only used * to enable access when UDP or other datagram protocols are not available. * * Clients send a greeting, which is a four-byte message that contains: * <[1] ZeroTier major version> * <[1] minor version> * <[2] revision> * * If a client has sent a greeting, it uses the new version of this protocol * in which every encapsulated ZT packet is prepended by an IP address where * it should be forwarded (or where it came from for replies). This causes * this proxy to act as a remote UDP socket similar to a socks proxy, which * will allow us to move this function off the supernodes and onto dedicated * proxy nodes. * * Older ZT clients that do not send this message get their packets relayed * to/from 127.0.0.1:9993, which will allow them to talk to and relay via * the ZT node on the same machine as the proxy. We'll only support this for * as long as such nodes appear to be in the wild. */ struct TcpProxyService; struct TcpProxyService { Phy *phy; PhySocket *udpPool[ZT_TCP_PROXY_UDP_POOL_SIZE]; struct Client { char tcpReadBuf[131072]; char tcpWriteBuf[131072]; unsigned long tcpWritePtr; unsigned long tcpReadPtr; PhySocket *tcp; PhySocket *assignedUdp; time_t lastActivity; bool newVersion; }; std::map< PhySocket *,Client > clients; struct ReverseMappingKey { uint64_t sourceZTAddress; PhySocket *sendingUdpSocket; uint32_t destIp; unsigned int destPort; ReverseMappingKey() {} ReverseMappingKey(uint64_t zt,PhySocket *s,uint32_t ip,unsigned int port) : sourceZTAddress(zt),sendingUdpSocket(s),destIp(ip),destPort(port) {} inline bool operator<(const ReverseMappingKey &k) const throw() { return (memcmp((const void *)this,(const void *)&k,sizeof(ReverseMappingKey)) < 0); } inline bool operator==(const ReverseMappingKey &k) const throw() { return (memcmp((const void *)this,(const void *)&k,sizeof(ReverseMappingKey)) == 0); } }; std::map< ReverseMappingKey,Client * > reverseMappings; void phyOnDatagram(PhySocket *sock,void **uptr,const struct sockaddr *from,void *data,unsigned long len) { if ((from->sa_family == AF_INET)&&(len > 16)&&(len < 2048)) { const uint64_t destZt = ( (((uint64_t)(((const unsigned char *)data)[8])) << 32) | (((uint64_t)(((const unsigned char *)data)[9])) << 24) | (((uint64_t)(((const unsigned char *)data)[10])) << 16) | (((uint64_t)(((const unsigned char *)data)[11])) << 8) | ((uint64_t)(((const unsigned char *)data)[12])) ); const uint32_t fromIp = ((const struct sockaddr_in *)from)->sin_addr.s_addr; const unsigned int fromPort = ntohs(((const struct sockaddr_in *)from)->sin_port); std::map< ReverseMappingKey,Client * >::iterator rm(reverseMappings.find(ReverseMappingKey(destZt,sock,fromIp,fromPort))); if (rm != reverseMappings.end()) { Client &c = *(rm->second); unsigned long mlen = len; if (c.newVersion) mlen += 7; // new clients get IP info if ((c.tcpWritePtr + 5 + mlen) <= sizeof(c.tcpWriteBuf)) { if (!c.tcpWritePtr) phy->tcpSetNotifyWritable(c.tcp,true); c.tcpWriteBuf[c.tcpWritePtr++] = 0x17; // look like TLS data c.tcpWriteBuf[c.tcpWritePtr++] = 0x03; // look like TLS 1.2 c.tcpWriteBuf[c.tcpWritePtr++] = 0x03; // look like TLS 1.2 c.tcpWriteBuf[c.tcpWritePtr++] = (char)((mlen >> 8) & 0xff); c.tcpWriteBuf[c.tcpWritePtr++] = (char)(mlen & 0xff); if (c.newVersion) { c.tcpWriteBuf[c.tcpWritePtr++] = (char)4; // IPv4 *((uint32_t *)(c.tcpWriteBuf + c.tcpWritePtr)) = fromIp; c.tcpWritePtr += 4; c.tcpWriteBuf[c.tcpWritePtr++] = (char)((fromPort >> 8) & 0xff); c.tcpWriteBuf[c.tcpWritePtr++] = (char)(fromPort & 0xff); } for(unsigned long i=0;i::iterator rm(reverseMappings.begin());rm!=reverseMappings.end();) { if (rm->second == (Client *)*uptr) reverseMappings.erase(rm++); else ++rm; } clients.erase(sock); } void phyOnTcpData(PhySocket *sock,void **uptr,void *data,unsigned long len) { Client &c = *((Client *)*uptr); c.lastActivity = time((time_t *)0); for(unsigned long i=0;i= sizeof(c.tcpReadBuf)) { phy->close(sock); return; } c.tcpReadBuf[c.tcpReadPtr++] = ((const char *)data)[i]; if (c.tcpReadPtr >= 5) { unsigned long mlen = ( ((((unsigned long)c.tcpReadBuf[3]) & 0xff) << 8) | (((unsigned long)c.tcpReadBuf[4]) & 0xff) ); if (c.tcpReadPtr >= (mlen + 5)) { if (mlen == 4) { // Right now just sending this means the client is 'new enough' for the IP header c.newVersion = true; } else if (mlen >= 7) { char *payload = c.tcpReadBuf + 5; unsigned long payloadLen = mlen; struct sockaddr_in dest; memset(&dest,0,sizeof(dest)); if (c.newVersion) { if (*payload == (char)4) { // New clients tell us where their packets go. ++payload; dest.sin_family = AF_INET; dest.sin_addr.s_addr = *((uint32_t *)payload); payload += 4; dest.sin_port = *((uint16_t *)payload); // will be in network byte order already payload += 2; payloadLen -= 7; } } else { // For old clients we will just proxy everything to a local ZT instance. The // fact that this will come from 127.0.0.1 will in turn prevent that instance // from doing unite() with us. It'll just forward. There will not be many of // these. dest.sin_family = AF_INET; dest.sin_addr.s_addr = htonl(0x7f000001); // 127.0.0.1 dest.sin_port = htons(9993); } // Note: we do not relay to privileged ports... just an abuse prevention rule. if ((ntohs(dest.sin_port) > 1024)&&(payloadLen >= 16)) { if ((payloadLen >= 28)&&(payload[13] != (char)0xff)) { // Learn reverse mappings -- we will route replies to these packets // back to their sending TCP socket. They're on a first come first // served basis. const uint64_t sourceZt = ( (((uint64_t)(((const unsigned char *)payload)[13])) << 32) | (((uint64_t)(((const unsigned char *)payload)[14])) << 24) | (((uint64_t)(((const unsigned char *)payload)[15])) << 16) | (((uint64_t)(((const unsigned char *)payload)[16])) << 8) | ((uint64_t)(((const unsigned char *)payload)[17])) ); ReverseMappingKey k(sourceZt,c.assignedUdp,dest.sin_addr.s_addr,ntohl(dest.sin_port)); if (reverseMappings.count(k) == 0) reverseMappings[k] = &c; } phy->udpSend(c.assignedUdp,(const struct sockaddr *)&dest,payload,payloadLen); } } memmove(c.tcpReadBuf,c.tcpReadBuf + (mlen + 5),c.tcpReadPtr -= (mlen + 5)); } } } } void phyOnTcpWritable(PhySocket *sock,void **uptr) { Client &c = *((Client *)*uptr); if (c.tcpWritePtr) { long n = phy->tcpSend(sock,c.tcpWriteBuf,c.tcpWritePtr); if (n > 0) { memmove(c.tcpWriteBuf,c.tcpWriteBuf + n,c.tcpWritePtr -= (unsigned long)n); if (!c.tcpWritePtr) phy->tcpSetNotifyWritable(sock,false); } } else phy->tcpSetNotifyWritable(sock,false); } void doHousekeeping() { std::vector toClose; time_t now = time((time_t *)0); for(std::map< PhySocket *,Client >::iterator c(clients.begin());c!=clients.end();++c) { if ((now - c->second.lastActivity) >= ZT_TCP_PROXY_CONNECTION_TIMEOUT_SECONDS) toClose.push_back(c->first); } for(std::vector::iterator s(toClose.begin());s!=toClose.end();++s) phy->close(*s); // will call phyOnTcpClose() which does cleanup } }; int main(int argc,char **argv) { signal(SIGPIPE,SIG_IGN); signal(SIGHUP,SIG_IGN); srand(time((time_t *)0)); TcpProxyService svc; Phy phy(&svc,true); svc.phy = &phy; { int poolSize = 0; for(unsigned int p=ZT_TCP_PROXY_UDP_POOL_START_PORT;((poolSize 120) { lastDidHousekeeping = now; svc.doHousekeeping(); } } return 0; }