TUN-6654: Support ICMPv6 on Linux and Darwin

Author: chungthuang

ingress/icmp_darwin.go

@@ -23,7 +23,6 @@ import (
 	"github.com/cloudflare/cloudflared/packet"
 )
 
-// TODO: TUN-6654 Extend support to IPv6
 type icmpProxy struct {
 	srcFunnelTracker *packet.FunnelTracker
 	echoIDTracker    *echoIDTracker
@@ -180,25 +179,56 @@ func (ip *icmpProxy) Serve(ctx context.Context) error {
 		ip.srcFunnelTracker.ScheduleCleanup(ctx, ip.idleTimeout)
 	}()
 	buf := make([]byte, mtu)
+	icmpDecoder := packet.NewICMPDecoder()
 	for {
-		n, src, err := ip.conn.ReadFrom(buf)
+		n, from, err := ip.conn.ReadFrom(buf)
 		if err != nil {
 			return err
 		}
-		if err := ip.handleResponse(src, buf[:n]); err != nil {
-			ip.logger.Err(err).Str("src", src.String()).Msg("Failed to handle ICMP response")
+		reply, err := parseReply(from, buf[:n])
+		if err != nil {
+			ip.logger.Debug().Err(err).Str("dst", from.String()).Msg("Failed to parse ICMP reply, continue to parse as full packet")
+			// In unit test, we found out when the listener listens on 0.0.0.0, the socket reads the full packet after
+			// the second reply
+			if err := ip.handleFullPacket(icmpDecoder, buf[:n]); err != nil {
+				ip.logger.Err(err).Str("dst", from.String()).Msg("Failed to parse ICMP reply as full packet")
+			}
+			continue
+		}
+		if !isEchoReply(reply.msg) {
+			ip.logger.Debug().Str("dst", from.String()).Msgf("Drop ICMP %s from reply", reply.msg.Type)
+			continue
+		}
+		if ip.sendReply(reply); err != nil {
+			ip.logger.Error().Err(err).Str("dst", from.String()).Msg("Failed to send ICMP reply")
 			continue
 		}
 	}
 }
 
-func (ip *icmpProxy) handleResponse(from net.Addr, rawMsg []byte) error {
-	reply, err := parseReply(from, rawMsg)
+func (ip *icmpProxy) handleFullPacket(decoder *packet.ICMPDecoder, rawPacket []byte) error {
+	icmpPacket, err := decoder.Decode(packet.RawPacket{Data: rawPacket})
 	if err != nil {
 		return err
 	}
-	funnel, exists := ip.srcFunnelTracker.Get(echoFunnelID(reply.echo.ID))
-	if !exists {
+	echo, err := getICMPEcho(icmpPacket.Message)
+	if err != nil {
+		return err
+	}
+	reply := echoReply{
+		from: icmpPacket.Src,
+		msg:  icmpPacket.Message,
+		echo: echo,
+	}
+	if ip.sendReply(&reply); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (ip *icmpProxy) sendReply(reply *echoReply) error {
+	funnel, ok := ip.srcFunnelTracker.Get(echoFunnelID(reply.echo.ID))
+	if !ok {
 		return packet.ErrFunnelNotFound
 	}
 	icmpFlow, err := toICMPEchoFlow(funnel)

ingress/icmp_linux.go

@@ -110,26 +110,26 @@ func (ip *icmpProxy) Serve(ctx context.Context) error {
 func (ip *icmpProxy) listenResponse(flow *icmpEchoFlow, conn *icmp.PacketConn) error {
 	buf := make([]byte, mtu)
 	for {
-		n, src, err := conn.ReadFrom(buf)
+		n, from, err := conn.ReadFrom(buf)
 		if err != nil {
 			return err
 		}
-
-		if err := ip.handleResponse(flow, src, buf[:n]); err != nil {
-			ip.logger.Err(err).Str("dst", src.String()).Msg("Failed to handle ICMP response")
+		reply, err := parseReply(from, buf[:n])
+		if err != nil {
+			ip.logger.Error().Err(err).Str("dst", from.String()).Msg("Failed to parse ICMP reply")
+			continue
+		}
+		if !isEchoReply(reply.msg) {
+			ip.logger.Debug().Str("dst", from.String()).Msgf("Drop ICMP %s from reply", reply.msg.Type)
+			continue
+		}
+		if err := flow.returnToSrc(reply); err != nil {
+			ip.logger.Err(err).Str("dst", from.String()).Msg("Failed to send ICMP reply")
 			continue
 		}
 	}
 }
 
-func (ip *icmpProxy) handleResponse(flow *icmpEchoFlow, from net.Addr, rawMsg []byte) error {
-	reply, err := parseReply(from, rawMsg)
-	if err != nil {
-		return err
-	}
-	return flow.returnToSrc(reply)
-}
-
 // originSender wraps icmp.PacketConn to implement packet.FunnelUniPipe interface
 type originSender struct {
 	conn *icmp.PacketConn

ingress/icmp_posix.go

@@ -113,19 +113,22 @@ type echoReply struct {
 }
 
 func parseReply(from net.Addr, rawMsg []byte) (*echoReply, error) {
-	// TODO: TUN-6654 Check for IPv6
-	msg, err := icmp.ParseMessage(int(layers.IPProtocolICMPv4), rawMsg)
+	fromAddr, ok := netipAddr(from)
+	if !ok {
+		return nil, fmt.Errorf("cannot convert %s to netip.Addr", from)
+	}
+	proto := layers.IPProtocolICMPv4
+	if fromAddr.Is6() {
+		proto = layers.IPProtocolICMPv6
+	}
+	msg, err := icmp.ParseMessage(int(proto), rawMsg)
 	if err != nil {
 		return nil, err
 	}
 	echo, err := getICMPEcho(msg)
 	if err != nil {
 		return nil, err
 	}
-	fromAddr, ok := netipAddr(from)
-	if !ok {
-		return nil, fmt.Errorf("cannot convert %s to netip.Addr", from)
-	}
 	return &echoReply{
 		from: fromAddr,
 		msg:  msg,

ingress/icmp_windows.go

@@ -145,6 +145,9 @@ type icmpProxy struct {
 }
 
 func newICMPProxy(listenIP netip.Addr, logger *zerolog.Logger, idleTimeout time.Duration) (ICMPProxy, error) {
+	if listenIP.Is6() {
+		return nil, fmt.Errorf("ICMPv6 not implemented for Windows")
+	}
 	handle, _, err := IcmpCreateFile_proc.Call()
 	// Windows procedure calls always return non-nil error constructed from the result of GetLastError.
 	// Caller need to inspect the primary returned value

ingress/origin_icmp_proxy.go

@@ -8,6 +8,8 @@ import (
 
 	"github.com/rs/zerolog"
 	"golang.org/x/net/icmp"
+	"golang.org/x/net/ipv4"
+	"golang.org/x/net/ipv6"
 
 	"github.com/cloudflare/cloudflared/packet"
 )
@@ -32,8 +34,65 @@ type ICMPProxy interface {
 	Request(pk *packet.ICMP, responder packet.FunnelUniPipe) error
 }
 
-func NewICMPProxy(listenIP netip.Addr, logger *zerolog.Logger) (ICMPProxy, error) {
-	return newICMPProxy(listenIP, logger, funnelIdleTimeout)
+type icmpRouter struct {
+	ipv4Proxy ICMPProxy
+	ipv6Proxy ICMPProxy
+}
+
+// NewICMPProxy doesn't return an error if either ipv4 proxy or ipv6 proxy can be created. The machine might only
+// support one of them
+func NewICMPProxy(logger *zerolog.Logger) (ICMPProxy, error) {
+	// TODO: TUN-6741: don't bind to all interface
+	ipv4Proxy, ipv4Err := newICMPProxy(netip.IPv4Unspecified(), logger, funnelIdleTimeout)
+	ipv6Proxy, ipv6Err := newICMPProxy(netip.IPv6Unspecified(), logger, funnelIdleTimeout)
+	if ipv4Err != nil && ipv6Err != nil {
+		return nil, fmt.Errorf("cannot create ICMPv4 proxy: %v nor ICMPv6 proxy: %v", ipv4Err, ipv6Err)
+	}
+	if ipv4Err != nil {
+		logger.Warn().Err(ipv4Err).Msg("failed to create ICMPv4 proxy, only ICMPv6 proxy is created")
+		ipv4Proxy = nil
+	}
+	if ipv6Err != nil {
+		logger.Warn().Err(ipv6Err).Msg("failed to create ICMPv6 proxy, only ICMPv4 proxy is created")
+		ipv6Proxy = nil
+	}
+	return &icmpRouter{
+		ipv4Proxy: ipv4Proxy,
+		ipv6Proxy: ipv6Proxy,
+	}, nil
+}
+
+func (ir *icmpRouter) Serve(ctx context.Context) error {
+	if ir.ipv4Proxy != nil && ir.ipv6Proxy != nil {
+		errC := make(chan error, 2)
+		go func() {
+			errC <- ir.ipv4Proxy.Serve(ctx)
+		}()
+		go func() {
+			errC <- ir.ipv6Proxy.Serve(ctx)
+		}()
+		return <-errC
+	}
+	if ir.ipv4Proxy != nil {
+		return ir.ipv4Proxy.Serve(ctx)
+	}
+	if ir.ipv6Proxy != nil {
+		return ir.ipv6Proxy.Serve(ctx)
+	}
+	return fmt.Errorf("ICMPv4 proxy and ICMPv6 proxy are both nil")
+}
+
+func (ir *icmpRouter) Request(pk *packet.ICMP, responder packet.FunnelUniPipe) error {
+	if pk.Dst.Is4() {
+		if ir.ipv4Proxy != nil {
+			return ir.ipv4Proxy.Request(pk, responder)
+		}
+		return fmt.Errorf("ICMPv4 proxy was not instantiated")
+	}
+	if ir.ipv6Proxy != nil {
+		return ir.ipv6Proxy.Request(pk, responder)
+	}
+	return fmt.Errorf("ICMPv6 proxy was not instantiated")
 }
 
 func getICMPEcho(msg *icmp.Message) (*icmp.Echo, error) {
@@ -43,3 +102,7 @@ func getICMPEcho(msg *icmp.Message) (*icmp.Echo, error) {
 	}
 	return echo, nil
 }
+
+func isEchoReply(msg *icmp.Message) bool {
+	return msg.Type == ipv4.ICMPTypeEchoReply || msg.Type == ipv6.ICMPTypeEchoReply
+}