Merge pull request #232 from NLipatov/fix/mss-clamping

Fix/mss clamping

Author: NLipatov

.gitignore

@@ -5,3 +5,4 @@
 /.idea/inspectionProfiles/Project_Default.xml
 .vscode/
 src/tungo
+.tool-versions

src/infrastructure/PAL/linux/network_tools/iptables/contract.go

@@ -9,5 +9,4 @@ type Contract interface {
 	DisableForwardingFromDevToTun(tunName, devName string) error
 	EnableForwardingTunToTun(tunName string) error
 	DisableForwardingTunToTun(tunName string) error
-	ConfigureMssClamping() error
 }

src/infrastructure/PAL/linux/network_tools/iptables/wrapper.go

@@ -97,41 +97,3 @@ func (w *Wrapper) DisableForwardingTunToTun(tunName string) error {
 
 	return nil
 }
-
-func (w *Wrapper) ConfigureMssClamping() error {
-	// Configuration for IPv4, chain FORWARD
-	outputForward, errForward := w.commander.CombinedOutput("iptables", "-t", "mangle",
-		"-A", "FORWARD", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
-	if errForward != nil {
-		return fmt.Errorf("failed to configure MSS clamping on FORWARD chain: %s, output: %s",
-			errForward, outputForward)
-	}
-
-	// Configuration for IPv4, chain OUTPUT
-	outputOutput, errOutput := w.commander.
-		CombinedOutput("iptables", "-t", "mangle",
-			"-A", "OUTPUT", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
-	if errOutput != nil {
-		return fmt.Errorf("failed to configure MSS clamping on OUTPUT chain: %s, output: %s",
-			errOutput, outputOutput)
-	}
-
-	// Configuration for IPv6, chain FORWARD
-	outputForward6, errForward6 := w.commander.
-		CombinedOutput("ip6tables", "-t", "mangle",
-			"-A", "FORWARD", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
-	if errForward6 != nil {
-		return fmt.Errorf("failed to configure IPv6 MSS clamping on FORWARD chain: %s, output: %s",
-			errForward6, outputForward6)
-	}
-
-	// Configuration for IPv6, chain OUTPUT
-	outputOutput6, errOutput6 := w.commander.CombinedOutput("ip6tables", "-t", "mangle", "-A",
-		"OUTPUT", "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
-	if errOutput6 != nil {
-		return fmt.Errorf("failed to configure IPv6 MSS clamping on OUTPUT chain: %s, output: %s",
-			errOutput6, outputOutput6)
-	}
-
-	return nil
-}

src/infrastructure/PAL/linux/network_tools/iptables/wrapper_test.go

@@ -1,7 +1,6 @@
 package iptables
 
 import (
-	"errors"
 	"strings"
 	"testing"
 )
@@ -53,17 +52,6 @@ func TestWrapper_AllCommands(t *testing.T) {
 		{"DisableForwardingFromDevToTun", func() error { return w.DisableForwardingFromDevToTun(tun, dev) }},
 		{"EnableForwardingTunToTun", func() error { return w.EnableForwardingTunToTun(tun) }},
 		{"DisableForwardingTunToTun", func() error { return w.DisableForwardingTunToTun(tun) }},
-		{"ConfigureMssClamping", func() error {
-			return NewWrapper(&mockCommander{
-				outputMap: map[string][]byte{
-					"iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu":  {},
-					"iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu":   {},
-					"ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu": {},
-					"ip6tables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu":  {},
-				},
-				errMap: map[string]error{},
-			}).ConfigureMssClamping()
-		}},
 	}
 
 	for _, tt := range tests {
@@ -74,55 +62,3 @@ func TestWrapper_AllCommands(t *testing.T) {
 		})
 	}
 }
-
-func TestWrapper_ConfigureMssClamping_ErrorCases(t *testing.T) {
-	errorCases := []struct {
-		name   string
-		errMap map[string]error
-		errMsg string
-	}{
-		{
-			name: "FORWARD IPv4 error",
-			errMap: map[string]error{
-				"iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu": errors.New("fail1"),
-			},
-			errMsg: "FORWARD chain",
-		},
-		{
-			name: "OUTPUT IPv4 error",
-			errMap: map[string]error{
-				"iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu": errors.New("fail2"),
-			},
-			errMsg: "OUTPUT chain",
-		},
-		{
-			name: "FORWARD IPv6 error",
-			errMap: map[string]error{
-				"ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu": errors.New("fail3"),
-			},
-			errMsg: "IPv6 MSS clamping on FORWARD",
-		},
-		{
-			name: "OUTPUT IPv6 error",
-			errMap: map[string]error{
-				"ip6tables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu": errors.New("fail4"),
-			},
-			errMsg: "IPv6 MSS clamping on OUTPUT",
-		},
-	}
-
-	for _, tc := range errorCases {
-		t.Run(tc.name, func(t *testing.T) {
-			out := map[string][]byte{}
-			for cmd := range tc.errMap {
-				out[cmd] = []byte{}
-			}
-			w := newWrapperWithMocks(out, tc.errMap)
-
-			err := w.ConfigureMssClamping()
-			if err == nil || !strings.Contains(err.Error(), tc.errMsg) {
-				t.Errorf("expected error containing '%s', got: %v", tc.errMsg, err)
-			}
-		})
-	}
-}

src/infrastructure/PAL/linux/network_tools/mssclamp/contract.go

@@ -0,0 +1,8 @@
+package mssclamp
+
+// Contract defines MSS clamping management for TCP SYN packets
+// routed through the TunGo TUN interface.
+type Contract interface {
+	Install(tunName string) error
+	Remove(tunName string) error
+}

src/infrastructure/PAL/linux/network_tools/mssclamp/manager.go

@@ -0,0 +1,234 @@
+package mssclamp
+
+import (
+	"fmt"
+	"strings"
+	"tungo/infrastructure/PAL/exec_commander"
+)
+
+type backend int
+
+const (
+	backendUnknown backend = iota
+	backendIptables
+	backendNft
+
+	nftTable        = "tungo_mss"
+	nftOutputChain  = "tungo_mss_output"
+	nftForwardChain = "tungo_mss_forward"
+)
+
+// Manager installs and removes TCP MSS clamping rules bound to a TUN device.
+// TCPMSS mangle rules keep ClientHello-sized packets from blackholing inside
+// the UDP tunnel by advertising an MSS that fits the effective tunnel PMTU.
+type Manager struct {
+	commander exec_commander.Commander
+	backend   backend
+}
+
+func NewManager(commander exec_commander.Commander) *Manager {
+	return &Manager{commander: commander}
+}
+
+// Install applies MSS clamping for IPv4 and IPv6 TCP SYN packets entering or
+// leaving the given TUN interface. The rules are added before packets are
+// encapsulated into the UDP tunnel to avoid PMTU blackholes for TLS traffic.
+func (m *Manager) Install(tunName string) error {
+	backend, err := m.detectBackend()
+	if err != nil {
+		return err
+	}
+
+	switch backend {
+	case backendIptables:
+		return m.installIptables(tunName)
+	case backendNft:
+		return m.installNft(tunName)
+	default:
+		return fmt.Errorf("unsupported MSS clamping backend")
+	}
+}
+
+// Remove tears down MSS clamping rules bound to the given TUN interface.
+func (m *Manager) Remove(tunName string) error {
+	backend, err := m.detectBackend()
+	if err != nil {
+		return err
+	}
+
+	switch backend {
+	case backendIptables:
+		return m.removeIptables(tunName)
+	case backendNft:
+		return m.removeNft()
+	default:
+		return fmt.Errorf("unsupported MSS clamping backend")
+	}
+}
+
+func (m *Manager) detectBackend() (backend, error) {
+	if m.backend != backendUnknown {
+		return m.backend, nil
+	}
+
+	if _, err := m.commander.Output("iptables", "--version"); err == nil {
+		m.backend = backendIptables
+		return m.backend, nil
+	}
+
+	if _, err := m.commander.Output("nft", "--version"); err == nil {
+		m.backend = backendNft
+		return m.backend, nil
+	}
+
+	return backendUnknown, fmt.Errorf("neither iptables nor nftables is available for TCP MSS clamping")
+}
+
+type describedCommand struct {
+	name string
+	args []string
+	desc string
+}
+
+func (m *Manager) run(commands []describedCommand) error {
+	for _, cmd := range commands {
+		output, err := m.commander.CombinedOutput(cmd.name, cmd.args...)
+		if err != nil {
+			return fmt.Errorf("failed to %s: %v, output: %s", cmd.desc, err, output)
+		}
+	}
+	return nil
+}
+
+func (m *Manager) installIptables(tunName string) error {
+	rules := []describedCommand{
+		{
+			name: "iptables",
+			args: []string{"-t", "mangle", "-A", "OUTPUT", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "add IPv4 OUTPUT TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "iptables",
+			args: []string{"-t", "mangle", "-A", "FORWARD", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "add IPv4 FORWARD oif TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "iptables",
+			args: []string{"-t", "mangle", "-A", "FORWARD", "-i", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "add IPv4 FORWARD iif TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "ip6tables",
+			args: []string{"-t", "mangle", "-A", "OUTPUT", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "add IPv6 OUTPUT TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "ip6tables",
+			args: []string{"-t", "mangle", "-A", "FORWARD", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "add IPv6 FORWARD oif TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "ip6tables",
+			args: []string{"-t", "mangle", "-A", "FORWARD", "-i", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "add IPv6 FORWARD iif TCPMSS clamp for " + tunName,
+		},
+	}
+
+	return m.run(rules)
+}
+
+func (m *Manager) removeIptables(tunName string) error {
+	rules := []describedCommand{
+		{
+			name: "iptables",
+			args: []string{"-t", "mangle", "-D", "OUTPUT", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "delete IPv4 OUTPUT TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "iptables",
+			args: []string{"-t", "mangle", "-D", "FORWARD", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "delete IPv4 FORWARD oif TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "iptables",
+			args: []string{"-t", "mangle", "-D", "FORWARD", "-i", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "delete IPv4 FORWARD iif TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "ip6tables",
+			args: []string{"-t", "mangle", "-D", "OUTPUT", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "delete IPv6 OUTPUT TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "ip6tables",
+			args: []string{"-t", "mangle", "-D", "FORWARD", "-o", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "delete IPv6 FORWARD oif TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "ip6tables",
+			args: []string{"-t", "mangle", "-D", "FORWARD", "-i", tunName, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"},
+			desc: "delete IPv6 FORWARD iif TCPMSS clamp for " + tunName,
+		},
+	}
+
+	return m.run(rules)
+}
+
+func (m *Manager) installNft(tunName string) error {
+	// Clean up any stale table from previous runs so we can install a fresh set.
+	_, _ = m.commander.CombinedOutput("nft", "delete", "table", "inet", nftTable)
+
+	commands := []describedCommand{
+		{
+			name: "nft",
+			args: []string{"add", "table", "inet", nftTable},
+			desc: "create nftable table for MSS clamping",
+		},
+		{
+			name: "nft",
+			args: []string{"add", "chain", "inet", nftTable, nftOutputChain, "{", "type", "route", "hook", "output", "priority", "mangle", ";", "policy", "accept", ";", "}"},
+			desc: "create nftable output chain",
+		},
+		{
+			name: "nft",
+			args: []string{"add", "chain", "inet", nftTable, nftForwardChain, "{", "type", "filter", "hook", "forward", "priority", "mangle", ";", "policy", "accept", ";", "}"},
+			desc: "create nftable forward chain",
+		},
+		{
+			name: "nft",
+			args: append([]string{"add", "rule", "inet", nftTable, nftOutputChain, "oifname", tunName}, nftClampRule()...),
+			desc: "add nft OUTPUT TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "nft",
+			args: append([]string{"add", "rule", "inet", nftTable, nftForwardChain, "oifname", tunName}, nftClampRule()...),
+			desc: "add nft FORWARD oif TCPMSS clamp for " + tunName,
+		},
+		{
+			name: "nft",
+			args: append([]string{"add", "rule", "inet", nftTable, nftForwardChain, "iifname", tunName}, nftClampRule()...),
+			desc: "add nft FORWARD iif TCPMSS clamp for " + tunName,
+		},
+	}
+
+	return m.run(commands)
+}
+
+func (m *Manager) removeNft() error {
+	output, err := m.commander.CombinedOutput("nft", "delete", "table", "inet", nftTable)
+	if err != nil {
+		// Treat missing tables as benign; they mean nothing is left to clean up.
+		msg := strings.ToLower(err.Error() + string(output))
+		if strings.Contains(msg, "no such file or directory") ||
+			strings.Contains(msg, "does not exist") ||
+			strings.Contains(msg, "no such table") {
+			return nil
+		}
+		return fmt.Errorf("failed to delete nft MSS clamp table: %v, output: %s", err, output)
+	}
+	return nil
+}
+
+func nftClampRule() []string {
+	return []string{"tcp", "flags", "syn|rst", "==", "syn", "tcp", "option", "maxseg", "size", "set", "clamp", "to", "pmtu"}
+}