mirror of
https://github.com/fatedier/frp.git
synced 2024-12-03 00:49:17 +08:00
393 lines
11 KiB
Go
393 lines
11 KiB
Go
// Copyright 2023 The frp Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package nathole
|
|
|
|
import (
|
|
"context"
|
|
"crypto/md5"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"net"
|
|
"slices"
|
|
"strconv"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/fatedier/golib/errors"
|
|
"github.com/samber/lo"
|
|
"golang.org/x/sync/errgroup"
|
|
|
|
"github.com/fatedier/frp/pkg/msg"
|
|
"github.com/fatedier/frp/pkg/transport"
|
|
"github.com/fatedier/frp/pkg/util/log"
|
|
"github.com/fatedier/frp/pkg/util/util"
|
|
)
|
|
|
|
// NatHoleTimeout seconds.
|
|
var NatHoleTimeout int64 = 10
|
|
|
|
func NewTransactionID() string {
|
|
id, _ := util.RandID()
|
|
return fmt.Sprintf("%d%s", time.Now().Unix(), id)
|
|
}
|
|
|
|
type ClientCfg struct {
|
|
name string
|
|
sk string
|
|
allowUsers []string
|
|
sidCh chan string
|
|
}
|
|
|
|
type Session struct {
|
|
sid string
|
|
analysisKey string
|
|
recommandMode int
|
|
recommandIndex int
|
|
|
|
visitorMsg *msg.NatHoleVisitor
|
|
visitorTransporter transport.MessageTransporter
|
|
vResp *msg.NatHoleResp
|
|
vNatFeature *NatFeature
|
|
vBehavior RecommandBehavior
|
|
|
|
clientMsg *msg.NatHoleClient
|
|
clientTransporter transport.MessageTransporter
|
|
cResp *msg.NatHoleResp
|
|
cNatFeature *NatFeature
|
|
cBehavior RecommandBehavior
|
|
|
|
notifyCh chan struct{}
|
|
}
|
|
|
|
func (s *Session) genAnalysisKey() {
|
|
hash := md5.New()
|
|
vIPs := slices.Compact(parseIPs(s.visitorMsg.MappedAddrs))
|
|
if len(vIPs) > 0 {
|
|
hash.Write([]byte(vIPs[0]))
|
|
}
|
|
hash.Write([]byte(s.vNatFeature.NatType))
|
|
hash.Write([]byte(s.vNatFeature.Behavior))
|
|
hash.Write([]byte(strconv.FormatBool(s.vNatFeature.RegularPortsChange)))
|
|
|
|
cIPs := slices.Compact(parseIPs(s.clientMsg.MappedAddrs))
|
|
if len(cIPs) > 0 {
|
|
hash.Write([]byte(cIPs[0]))
|
|
}
|
|
hash.Write([]byte(s.cNatFeature.NatType))
|
|
hash.Write([]byte(s.cNatFeature.Behavior))
|
|
hash.Write([]byte(strconv.FormatBool(s.cNatFeature.RegularPortsChange)))
|
|
s.analysisKey = hex.EncodeToString(hash.Sum(nil))
|
|
}
|
|
|
|
type Controller struct {
|
|
clientCfgs map[string]*ClientCfg
|
|
sessions map[string]*Session
|
|
analyzer *Analyzer
|
|
|
|
mu sync.RWMutex
|
|
}
|
|
|
|
func NewController(analysisDataReserveDuration time.Duration) (*Controller, error) {
|
|
return &Controller{
|
|
clientCfgs: make(map[string]*ClientCfg),
|
|
sessions: make(map[string]*Session),
|
|
analyzer: NewAnalyzer(analysisDataReserveDuration),
|
|
}, nil
|
|
}
|
|
|
|
func (c *Controller) CleanWorker(ctx context.Context) {
|
|
ticker := time.NewTicker(time.Hour)
|
|
defer ticker.Stop()
|
|
for {
|
|
select {
|
|
case <-ticker.C:
|
|
start := time.Now()
|
|
count, total := c.analyzer.Clean()
|
|
log.Tracef("clean %d/%d nathole analysis data, cost %v", count, total, time.Since(start))
|
|
case <-ctx.Done():
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
func (c *Controller) ListenClient(name string, sk string, allowUsers []string) (chan string, error) {
|
|
cfg := &ClientCfg{
|
|
name: name,
|
|
sk: sk,
|
|
allowUsers: allowUsers,
|
|
sidCh: make(chan string),
|
|
}
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
if _, ok := c.clientCfgs[name]; ok {
|
|
return nil, fmt.Errorf("proxy [%s] is repeated", name)
|
|
}
|
|
c.clientCfgs[name] = cfg
|
|
return cfg.sidCh, nil
|
|
}
|
|
|
|
func (c *Controller) CloseClient(name string) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
delete(c.clientCfgs, name)
|
|
}
|
|
|
|
func (c *Controller) GenSid() string {
|
|
t := time.Now().Unix()
|
|
id, _ := util.RandID()
|
|
return fmt.Sprintf("%d%s", t, id)
|
|
}
|
|
|
|
func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.MessageTransporter, visitorUser string) {
|
|
if m.PreCheck {
|
|
cfg, ok := c.clientCfgs[m.ProxyName]
|
|
if !ok {
|
|
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, fmt.Sprintf("xtcp server for [%s] doesn't exist", m.ProxyName)))
|
|
return
|
|
}
|
|
if !slices.Contains(cfg.allowUsers, visitorUser) && !slices.Contains(cfg.allowUsers, "*") {
|
|
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, fmt.Sprintf("xtcp visitor user [%s] not allowed for [%s]", visitorUser, m.ProxyName)))
|
|
return
|
|
}
|
|
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, ""))
|
|
return
|
|
}
|
|
|
|
sid := c.GenSid()
|
|
session := &Session{
|
|
sid: sid,
|
|
visitorMsg: m,
|
|
visitorTransporter: transporter,
|
|
notifyCh: make(chan struct{}, 1),
|
|
}
|
|
var (
|
|
clientCfg *ClientCfg
|
|
ok bool
|
|
)
|
|
err := func() error {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
|
|
clientCfg, ok = c.clientCfgs[m.ProxyName]
|
|
if !ok {
|
|
return fmt.Errorf("xtcp server for [%s] doesn't exist", m.ProxyName)
|
|
}
|
|
if !util.ConstantTimeEqString(m.SignKey, util.GetAuthKey(clientCfg.sk, m.Timestamp)) {
|
|
return fmt.Errorf("xtcp connection of [%s] auth failed", m.ProxyName)
|
|
}
|
|
c.sessions[sid] = session
|
|
return nil
|
|
}()
|
|
if err != nil {
|
|
log.Warnf("handle visitorMsg error: %v", err)
|
|
_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error()))
|
|
return
|
|
}
|
|
log.Tracef("handle visitor message, sid [%s], server name: %s", sid, m.ProxyName)
|
|
|
|
defer func() {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
delete(c.sessions, sid)
|
|
}()
|
|
|
|
if err := errors.PanicToError(func() {
|
|
clientCfg.sidCh <- sid
|
|
}); err != nil {
|
|
return
|
|
}
|
|
|
|
// wait for NatHoleClient message
|
|
select {
|
|
case <-session.notifyCh:
|
|
case <-time.After(time.Duration(NatHoleTimeout) * time.Second):
|
|
log.Debugf("wait for NatHoleClient message timeout, sid [%s]", sid)
|
|
return
|
|
}
|
|
|
|
// Make hole-punching decisions based on the NAT information of the client and visitor.
|
|
vResp, cResp, err := c.analysis(session)
|
|
if err != nil {
|
|
log.Debugf("sid [%s] analysis error: %v", err)
|
|
vResp = c.GenNatHoleResponse(session.visitorMsg.TransactionID, nil, err.Error())
|
|
cResp = c.GenNatHoleResponse(session.clientMsg.TransactionID, nil, err.Error())
|
|
}
|
|
session.cResp = cResp
|
|
session.vResp = vResp
|
|
|
|
// send response to visitor and client
|
|
var g errgroup.Group
|
|
g.Go(func() error {
|
|
// if it's sender, wait for a while to make sure the client has send the detect messages
|
|
if vResp.DetectBehavior.Role == "sender" {
|
|
time.Sleep(1 * time.Second)
|
|
}
|
|
_ = session.visitorTransporter.Send(vResp)
|
|
return nil
|
|
})
|
|
g.Go(func() error {
|
|
// if it's sender, wait for a while to make sure the client has send the detect messages
|
|
if cResp.DetectBehavior.Role == "sender" {
|
|
time.Sleep(1 * time.Second)
|
|
}
|
|
_ = session.clientTransporter.Send(cResp)
|
|
return nil
|
|
})
|
|
_ = g.Wait()
|
|
|
|
time.Sleep(time.Duration(cResp.DetectBehavior.ReadTimeoutMs+30000) * time.Millisecond)
|
|
}
|
|
|
|
func (c *Controller) HandleClient(m *msg.NatHoleClient, transporter transport.MessageTransporter) {
|
|
c.mu.RLock()
|
|
session, ok := c.sessions[m.Sid]
|
|
c.mu.RUnlock()
|
|
if !ok {
|
|
return
|
|
}
|
|
log.Tracef("handle client message, sid [%s], server name: %s", session.sid, m.ProxyName)
|
|
session.clientMsg = m
|
|
session.clientTransporter = transporter
|
|
select {
|
|
case session.notifyCh <- struct{}{}:
|
|
default:
|
|
}
|
|
}
|
|
|
|
func (c *Controller) HandleReport(m *msg.NatHoleReport) {
|
|
c.mu.RLock()
|
|
session, ok := c.sessions[m.Sid]
|
|
c.mu.RUnlock()
|
|
if !ok {
|
|
log.Tracef("sid [%s] report make hole success: %v, but session not found", m.Sid, m.Success)
|
|
return
|
|
}
|
|
if m.Success {
|
|
c.analyzer.ReportSuccess(session.analysisKey, session.recommandMode, session.recommandIndex)
|
|
}
|
|
log.Infof("sid [%s] report make hole success: %v, mode %v, index %v",
|
|
m.Sid, m.Success, session.recommandMode, session.recommandIndex)
|
|
}
|
|
|
|
func (c *Controller) GenNatHoleResponse(transactionID string, session *Session, errInfo string) *msg.NatHoleResp {
|
|
var sid string
|
|
if session != nil {
|
|
sid = session.sid
|
|
}
|
|
return &msg.NatHoleResp{
|
|
TransactionID: transactionID,
|
|
Sid: sid,
|
|
Error: errInfo,
|
|
}
|
|
}
|
|
|
|
// analysis analyzes the NAT type and behavior of the visitor and client, then makes hole-punching decisions.
|
|
// return the response to the visitor and client.
|
|
func (c *Controller) analysis(session *Session) (*msg.NatHoleResp, *msg.NatHoleResp, error) {
|
|
cm := session.clientMsg
|
|
vm := session.visitorMsg
|
|
|
|
cNatFeature, err := ClassifyNATFeature(cm.MappedAddrs, parseIPs(cm.AssistedAddrs))
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("classify client nat feature error: %v", err)
|
|
}
|
|
|
|
vNatFeature, err := ClassifyNATFeature(vm.MappedAddrs, parseIPs(vm.AssistedAddrs))
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("classify visitor nat feature error: %v", err)
|
|
}
|
|
session.cNatFeature = cNatFeature
|
|
session.vNatFeature = vNatFeature
|
|
session.genAnalysisKey()
|
|
|
|
mode, index, cBehavior, vBehavior := c.analyzer.GetRecommandBehaviors(session.analysisKey, cNatFeature, vNatFeature)
|
|
session.recommandMode = mode
|
|
session.recommandIndex = index
|
|
session.cBehavior = cBehavior
|
|
session.vBehavior = vBehavior
|
|
|
|
timeoutMs := max(cBehavior.SendDelayMs, vBehavior.SendDelayMs) + 5000
|
|
if cBehavior.ListenRandomPorts > 0 || vBehavior.ListenRandomPorts > 0 {
|
|
timeoutMs += 30000
|
|
}
|
|
|
|
protocol := vm.Protocol
|
|
vResp := &msg.NatHoleResp{
|
|
TransactionID: vm.TransactionID,
|
|
Sid: session.sid,
|
|
Protocol: protocol,
|
|
CandidateAddrs: slices.Compact(cm.MappedAddrs),
|
|
AssistedAddrs: slices.Compact(cm.AssistedAddrs),
|
|
DetectBehavior: msg.NatHoleDetectBehavior{
|
|
Mode: mode,
|
|
Role: vBehavior.Role,
|
|
TTL: vBehavior.TTL,
|
|
SendDelayMs: vBehavior.SendDelayMs,
|
|
ReadTimeoutMs: timeoutMs - vBehavior.SendDelayMs,
|
|
SendRandomPorts: vBehavior.PortsRandomNumber,
|
|
ListenRandomPorts: vBehavior.ListenRandomPorts,
|
|
CandidatePorts: getRangePorts(cm.MappedAddrs, cNatFeature.PortsDifference, vBehavior.PortsRangeNumber),
|
|
},
|
|
}
|
|
cResp := &msg.NatHoleResp{
|
|
TransactionID: cm.TransactionID,
|
|
Sid: session.sid,
|
|
Protocol: protocol,
|
|
CandidateAddrs: slices.Compact(vm.MappedAddrs),
|
|
AssistedAddrs: slices.Compact(vm.AssistedAddrs),
|
|
DetectBehavior: msg.NatHoleDetectBehavior{
|
|
Mode: mode,
|
|
Role: cBehavior.Role,
|
|
TTL: cBehavior.TTL,
|
|
SendDelayMs: cBehavior.SendDelayMs,
|
|
ReadTimeoutMs: timeoutMs - cBehavior.SendDelayMs,
|
|
SendRandomPorts: cBehavior.PortsRandomNumber,
|
|
ListenRandomPorts: cBehavior.ListenRandomPorts,
|
|
CandidatePorts: getRangePorts(vm.MappedAddrs, vNatFeature.PortsDifference, cBehavior.PortsRangeNumber),
|
|
},
|
|
}
|
|
|
|
log.Debugf("sid [%s] visitor nat: %+v, candidateAddrs: %v; client nat: %+v, candidateAddrs: %v, protocol: %s",
|
|
session.sid, *vNatFeature, vm.MappedAddrs, *cNatFeature, cm.MappedAddrs, protocol)
|
|
log.Debugf("sid [%s] visitor detect behavior: %+v", session.sid, vResp.DetectBehavior)
|
|
log.Debugf("sid [%s] client detect behavior: %+v", session.sid, cResp.DetectBehavior)
|
|
return vResp, cResp, nil
|
|
}
|
|
|
|
func getRangePorts(addrs []string, difference, maxNumber int) []msg.PortsRange {
|
|
if maxNumber <= 0 {
|
|
return nil
|
|
}
|
|
|
|
addr, err := lo.Last(addrs)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
var ports []msg.PortsRange
|
|
_, portStr, err := net.SplitHostPort(addr)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
port, err := strconv.Atoi(portStr)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
ports = append(ports, msg.PortsRange{
|
|
From: max(port-difference-5, port-maxNumber, 1),
|
|
To: min(port+difference+5, port+maxNumber, 65535),
|
|
})
|
|
return ports
|
|
}
|