Add closed stream tracking for late packet handling

Author: masterking32

TODO

@@ -1,3 +1,2 @@
 Check Clean for server and client.
-Client Reconnect.
-loop for reconnect/test mtu, and notify end of session.
+Config Recommendations

internal/client/client.go

@@ -21,9 +21,11 @@ import (
 	"masterdnsvpn-go/internal/compression"
 	"masterdnsvpn-go/internal/config"
 	dnsCache "masterdnsvpn-go/internal/dnscache"
+	Enums "masterdnsvpn-go/internal/enums"
 	fragmentStore "masterdnsvpn-go/internal/fragmentstore"
 	"masterdnsvpn-go/internal/logger"
 	"masterdnsvpn-go/internal/security"
+	VpnProto "masterdnsvpn-go/internal/vpnproto"
 )
 
 type Client struct {
@@ -76,6 +78,7 @@ type Client struct {
 	stream0Runtime                        *stream0Runtime
 	streamsMu                             sync.RWMutex
 	streams                               map[uint16]*clientStream
+	closedStreams                         map[uint16]int64
 	mtuTestRetries                        int
 	mtuTestTimeout                        time.Duration
 	packetDuplicationCount                int
@@ -104,6 +107,11 @@ type Client struct {
 	sessionInitBusyUnix atomic.Int64
 }
 
+const (
+	clientClosedStreamRecordTTL = 45 * time.Second
+	clientClosedStreamRecordCap = 2000
+)
+
 type Connection struct {
 	Domain           string
 	Resolver         string
@@ -194,6 +202,7 @@ func New(cfg config.ClientConfig, log *logger.Logger, codec *security.Codec) *Cl
 		),
 		localDNSFragTTL:                       time.Duration(cfg.LocalDNSFragmentTimeoutSec * float64(time.Second)),
 		streams:                               make(map[uint16]*clientStream, 16),
+		closedStreams:                         make(map[uint16]int64, 16),
 		mtuTestRetries:                        cfg.MTUTestRetries,
 		mtuTestTimeout:                        time.Duration(cfg.MTUTestTimeout * float64(time.Second)),
 		packetDuplicationCount:                cfg.PacketDuplicationCount,
@@ -348,6 +357,7 @@ func (c *Client) ResetRuntimeState(resetSessionCookie bool) {
 	c.closeAllStreams()
 	c.streamsMu.Lock()
 	c.streams = make(map[uint16]*clientStream, 16)
+	c.closedStreams = make(map[uint16]int64, 16)
 	c.streamsMu.Unlock()
 	c.resolverHealthMu.Lock()
 	c.resolverHealth = make(map[string]*resolverHealthState, len(c.connections))
@@ -555,6 +565,7 @@ func (c *Client) deleteStream(streamID uint16) {
 	c.streamsMu.Lock()
 	stream := c.streams[streamID]
 	delete(c.streams, streamID)
+	c.noteClosedStreamLocked(streamID, time.Now())
 	c.streamsMu.Unlock()
 	if stream != nil && stream.Conn != nil {
 		stream.stopOnce.Do(func() {
@@ -571,6 +582,7 @@ func (c *Client) closeAllStreams() {
 	c.streamsMu.Lock()
 	streams := c.streams
 	c.streams = make(map[uint16]*clientStream, 16)
+	c.closedStreams = make(map[uint16]int64, 16)
 	c.streamsMu.Unlock()
 	for _, stream := range streams {
 		if stream == nil {
@@ -585,6 +597,120 @@ func (c *Client) closeAllStreams() {
 	}
 }
 
+func (c *Client) handleClosedStreamPacket(packet VpnProto.Packet, timeout time.Duration) (VpnProto.Packet, bool, error) {
+	if c == nil || packet.StreamID == 0 || !c.isRecentlyClosedStream(packet.StreamID, time.Now()) {
+		return VpnProto.Packet{}, false, nil
+	}
+
+	responsePacket := VpnProto.Packet{
+		StreamID:       packet.StreamID,
+		HasStreamID:    true,
+		SequenceNum:    packet.SequenceNum,
+		HasSequenceNum: packet.SequenceNum != 0,
+	}
+
+	outgoingType := uint8(0)
+	switch packet.PacketType {
+	case Enums.PACKET_STREAM_FIN:
+		outgoingType = Enums.PACKET_STREAM_FIN_ACK
+		responsePacket.PacketType = outgoingType
+	case Enums.PACKET_STREAM_RST:
+		outgoingType = Enums.PACKET_STREAM_RST_ACK
+		responsePacket.PacketType = outgoingType
+	case Enums.PACKET_STREAM_DATA, Enums.PACKET_STREAM_RESEND, Enums.PACKET_STREAM_DATA_ACK:
+		outgoingType = Enums.PACKET_STREAM_RST
+		responsePacket.PacketType = outgoingType
+		responsePacket.SequenceNum = 0
+		responsePacket.HasSequenceNum = false
+	default:
+		return VpnProto.Packet{}, false, nil
+	}
+
+	_ = c.sendClosedStreamOneWayPacket(outgoingType, packet.StreamID, responsePacket.SequenceNum, timeout)
+	return responsePacket, true, nil
+}
+
+func (c *Client) sendClosedStreamOneWayPacket(packetType uint8, streamID uint16, sequenceNum uint16, timeout time.Duration) error {
+	if c == nil || !c.SessionReady() {
+		return nil
+	}
+
+	connections, err := c.selectTargetConnectionsForPacket(packetType, streamID)
+	if err != nil {
+		return err
+	}
+	deadline := time.Now().Add(normalizeTimeout(timeout, defaultRuntimeTimeout))
+	var firstErr error
+	for _, connection := range connections {
+		query, buildErr := c.buildStreamQuery(connection.Domain, packetType, streamID, sequenceNum, 0, 1, nil)
+		if buildErr != nil {
+			if firstErr == nil {
+				firstErr = buildErr
+			}
+			continue
+		}
+		if sendErr := c.sendOneWaySessionPacket(connection, query, deadline); sendErr != nil && firstErr == nil {
+			firstErr = sendErr
+		}
+	}
+	return firstErr
+}
+
+func (c *Client) isRecentlyClosedStream(streamID uint16, now time.Time) bool {
+	if c == nil || streamID == 0 {
+		return false
+	}
+
+	c.streamsMu.RLock()
+	closedAt, ok := c.closedStreams[streamID]
+	c.streamsMu.RUnlock()
+	if !ok {
+		return false
+	}
+	if now.UnixNano()-closedAt <= clientClosedStreamRecordTTL.Nanoseconds() {
+		return true
+	}
+
+	c.streamsMu.Lock()
+	if staleAt, stale := c.closedStreams[streamID]; stale && staleAt == closedAt && now.UnixNano()-staleAt > clientClosedStreamRecordTTL.Nanoseconds() {
+		delete(c.closedStreams, streamID)
+	}
+	c.streamsMu.Unlock()
+	return false
+}
+
+func (c *Client) noteClosedStreamLocked(streamID uint16, now time.Time) {
+	if c == nil || streamID == 0 {
+		return
+	}
+	if c.closedStreams == nil {
+		c.closedStreams = make(map[uint16]int64, 16)
+	}
+	nowUnix := now.UnixNano()
+	expiredBefore := nowUnix - clientClosedStreamRecordTTL.Nanoseconds()
+	for closedID, closedAt := range c.closedStreams {
+		if closedAt < expiredBefore {
+			delete(c.closedStreams, closedID)
+		}
+	}
+	c.closedStreams[streamID] = nowUnix
+	if len(c.closedStreams) <= clientClosedStreamRecordCap {
+		return
+	}
+
+	var oldestID uint16
+	var oldestAt int64
+	first := true
+	for closedID, closedAt := range c.closedStreams {
+		if first || closedAt < oldestAt {
+			oldestID = closedID
+			oldestAt = closedAt
+			first = false
+		}
+	}
+	delete(c.closedStreams, oldestID)
+}
+
 func (c *Client) activeStreamCount() int {
 	if c == nil {
 		return 0

internal/client/client_test.go

@@ -1991,6 +1991,79 @@ func TestSelectTargetConnectionsForPacketUsesSetupDuplicationCount(t *testing.T)
 	}
 }
 
+func TestDeleteStreamTracksClosedStreamRecord(t *testing.T) {
+	c := New(config.ClientConfig{}, nil, nil)
+	stream := c.createStream(31, nil)
+
+	c.deleteStream(stream.ID)
+
+	if !c.isRecentlyClosedStream(stream.ID, time.Now()) {
+		t.Fatal("expected deleted stream to be tracked as recently closed")
+	}
+}
+
+func TestHandleClosedStreamPacketSendsOneWayResetForLateData(t *testing.T) {
+	codec, err := security.NewCodec(0, "")
+	if err != nil {
+		t.Fatalf("NewCodec returned error: %v", err)
+	}
+
+	c := New(config.ClientConfig{
+		PacketDuplicationCount: 1,
+		Domains:                []string{"v.example.com"},
+	}, nil, codec)
+	c.connections = []Connection{{
+		Domain:        "v.example.com",
+		Resolver:      "127.0.0.1",
+		ResolverPort:  5353,
+		ResolverLabel: "127.0.0.1:5353",
+		Key:           "127.0.0.1|5353|v.example.com",
+		IsValid:       true,
+	}}
+	c.connectionsByKey = map[string]int{c.connections[0].Key: 0}
+	c.rebuildBalancer()
+	c.sessionID = 7
+	c.sessionCookie = 9
+	c.sessionReady = true
+
+	stream := c.createStream(41, nil)
+	c.deleteStream(stream.ID)
+
+	var captured VpnProto.Packet
+	c.sendOneWayPacketFn = func(conn Connection, packet []byte, deadline time.Time) error {
+		parsed, err := DnsParser.ParsePacketLite(packet)
+		if err != nil {
+			t.Fatalf("ParsePacketLite returned error: %v", err)
+		}
+		if !parsed.HasQuestion {
+			t.Fatal("expected one-way stream query question")
+		}
+		captured, err = VpnProto.ParseFromLabels(extractTestTunnelLabels(parsed.FirstQuestion.Name, conn.Domain), c.codec)
+		if err != nil {
+			t.Fatalf("ParseFromLabels returned error: %v", err)
+		}
+		return nil
+	}
+
+	response, handled, err := c.handleClosedStreamPacket(VpnProto.Packet{
+		PacketType:  Enums.PACKET_STREAM_DATA,
+		StreamID:    41,
+		SequenceNum: 77,
+	}, time.Second)
+	if err != nil {
+		t.Fatalf("handleClosedStreamPacket returned error: %v", err)
+	}
+	if !handled {
+		t.Fatal("expected closed stream packet to be handled")
+	}
+	if response.PacketType != Enums.PACKET_STREAM_RST || response.StreamID != 41 || response.SequenceNum != 0 {
+		t.Fatalf("unexpected synthetic response: %+v", response)
+	}
+	if captured.PacketType != Enums.PACKET_STREAM_RST || captured.StreamID != 41 || captured.SequenceNum != 0 {
+		t.Fatalf("unexpected one-way reset packet: %+v", captured)
+	}
+}
+
 func extractTestTunnelLabels(qName string, baseDomain string) string {
 	suffix := "." + baseDomain
 	if len(qName) <= len(suffix) || qName[len(qName)-len(suffix):] != suffix {

internal/client/stream_runtime.go

@@ -201,6 +201,9 @@ func (c *Client) handlePackedServerControlBlocks(payload []byte, timeout time.Du
 func (c *Client) handleInboundStreamPacket(packet VpnProto.Packet, timeout time.Duration) (VpnProto.Packet, error) {
 	stream, ok := c.getStream(packet.StreamID)
 	if !ok || stream == nil {
+		if closedResponse, handled, err := c.handleClosedStreamPacket(packet, timeout); handled {
+			return closedResponse, err
+		}
 		return c.exchangeStreamControlPacket(Enums.PACKET_STREAM_RST, packet.StreamID, packet.SequenceNum, nil, timeout)
 	}
 

internal/udpserver/server.go

@@ -423,6 +423,10 @@ func (s *Server) handleTunnelCandidate(packet []byte, parsed DnsParser.LitePacke
 }
 
 func (s *Server) handlePostSessionPacket(decision domainMatcher.Decision, vpnPacket VpnProto.Packet, sessionRecord *sessionRuntimeView) bool {
+	if handled := s.handleClosedStreamPacket(vpnPacket); handled {
+		return true
+	}
+
 	switch vpnPacket.PacketType {
 	case Enums.PACKET_PACKED_CONTROL_BLOCKS:
 		return s.handlePackedControlBlocksRequest(vpnPacket, sessionRecord)
@@ -449,6 +453,35 @@ func (s *Server) handlePostSessionPacket(decision domainMatcher.Decision, vpnPac
 	}
 }
 
+func (s *Server) handleClosedStreamPacket(vpnPacket VpnProto.Packet) bool {
+	if s == nil || vpnPacket.StreamID == 0 || !isClosedStreamAwarePacketType(vpnPacket.PacketType) {
+		return false
+	}
+	response, handled := s.streams.HandleClosedPacket(vpnPacket.SessionID, vpnPacket.StreamID, vpnPacket.PacketType, vpnPacket.SequenceNum, time.Now())
+	if !handled {
+		return false
+	}
+	if response.PacketType != 0 {
+		_ = s.queueSessionPacket(vpnPacket.SessionID, response)
+	}
+	return true
+}
+
+func isClosedStreamAwarePacketType(packetType uint8) bool {
+	switch packetType {
+	case Enums.PACKET_STREAM_SYN,
+		Enums.PACKET_SOCKS5_SYN,
+		Enums.PACKET_STREAM_DATA,
+		Enums.PACKET_STREAM_RESEND,
+		Enums.PACKET_STREAM_DATA_ACK,
+		Enums.PACKET_STREAM_FIN,
+		Enums.PACKET_STREAM_RST:
+		return true
+	default:
+		return false
+	}
+}
+
 func (s *Server) validatePostSessionPacket(questionPacket []byte, requestName string, vpnPacket VpnProto.Packet) postSessionValidation {
 	now := time.Now()
 	validation := s.sessions.ValidateAndTouch(vpnPacket.SessionID, vpnPacket.SessionCookie, now)

internal/udpserver/server_test.go

@@ -380,6 +380,54 @@ func TestHandleStreamSynConnectsForwardTargetForTCPMode(t *testing.T) {
 	}
 }
 
+func TestHandlePacketReturnsResetForLateClosedStreamData(t *testing.T) {
+	codec, err := security.NewCodec(0, "")
+	if err != nil {
+		t.Fatalf("NewCodec returned error: %v", err)
+	}
+
+	srv := New(config.ServerConfig{
+		MaxPacketSize:     65535,
+		Domain:            []string{"a.com"},
+		MinVPNLabelLength: 3,
+	}, nil, codec)
+
+	verifyCode := []byte{1, 2, 3, 4}
+	initPayload := []byte{0, 0x00, 0x00, 0x96, 0x00, 0xC8, verifyCode[0], verifyCode[1], verifyCode[2], verifyCode[3]}
+	initResponse := srv.handlePacket(buildTunnelQueryWithSessionID(t, codec, "a.com", 0, Enums.PACKET_SESSION_INIT, initPayload))
+	packet, err := DnsParser.ExtractVPNResponse(initResponse, false)
+	if err != nil {
+		t.Fatalf("ExtractVPNResponse returned error: %v", err)
+	}
+
+	sessionID := packet.Payload[0]
+	sessionCookie := packet.Payload[1]
+	now := time.Now()
+	if _, created := srv.streams.EnsureOpen(sessionID, 9, now); !created {
+		t.Fatal("expected fresh stream state")
+	}
+	if !srv.streams.MarkReset(sessionID, 9, 5, now) {
+		t.Fatal("expected stream reset to succeed")
+	}
+
+	query := buildTunnelStreamQuery(t, codec, "a.com", sessionID, sessionCookie, Enums.PACKET_STREAM_DATA, 9, 77, []byte("late"))
+	response := srv.handlePacket(query)
+	if len(response) == 0 {
+		t.Fatal("expected late closed stream packet to get a response")
+	}
+
+	vpnResponse, err := DnsParser.ExtractVPNResponse(response, false)
+	if err != nil {
+		t.Fatalf("ExtractVPNResponse returned error: %v", err)
+	}
+	if vpnResponse.PacketType != Enums.PACKET_STREAM_RST {
+		t.Fatalf("unexpected packet type: got=%d want=%d", vpnResponse.PacketType, Enums.PACKET_STREAM_RST)
+	}
+	if vpnResponse.StreamID != 9 || vpnResponse.SequenceNum != 0 {
+		t.Fatalf("unexpected stream reset routing: stream=%d seq=%d", vpnResponse.StreamID, vpnResponse.SequenceNum)
+	}
+}
+
 func TestHandlePacketRejectsMalformedSessionInit(t *testing.T) {
 	codec, err := security.NewCodec(0, "")
 	if err != nil {