diff --git a/go.mod b/go.mod
index 22af21f6..e1d7d5a5 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,6 @@ require (
 golang.org/x/sync v0.8.0
 golang.org/x/sys v0.26.0
 gvisor.dev/gvisor v0.0.0-20240826182512-9f3309e5b121
- inet.af/tcpproxy v0.0.0-20220326234310-be3ee21c9fa0
 )
 
 require (
@@ -52,5 +51,3 @@ require (
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-
-replace inet.af/tcpproxy => github.com/inetaf/tcpproxy v0.0.0-20221017015627-91f861402626
diff --git a/pkg/services/forwarder/ports.go b/pkg/services/forwarder/ports.go
index 887092cb..a99af460 100644
--- a/pkg/services/forwarder/ports.go
+++ b/pkg/services/forwarder/ports.go
@@ -16,13 +16,13 @@ import (
 "sync"
 
 "github.com/containers/gvisor-tap-vsock/pkg/sshclient"
+ "github.com/containers/gvisor-tap-vsock/pkg/tcpproxy"
 "github.com/containers/gvisor-tap-vsock/pkg/types"
 log "github.com/sirupsen/logrus"
 "gvisor.dev/gvisor/pkg/tcpip"
 "gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 "gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
 "gvisor.dev/gvisor/pkg/tcpip/stack"
- "inet.af/tcpproxy"
 )
 
 type PortsForwarder struct {
diff --git a/pkg/services/forwarder/tcp.go b/pkg/services/forwarder/tcp.go
index 71a79988..a1868bbe 100644
--- a/pkg/services/forwarder/tcp.go
+++ b/pkg/services/forwarder/tcp.go
@@ -6,13 +6,13 @@ import (
 "net"
 "sync"
 
+ "github.com/containers/gvisor-tap-vsock/pkg/tcpproxy"
 log "github.com/sirupsen/logrus"
 "gvisor.dev/gvisor/pkg/tcpip"
 "gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 "gvisor.dev/gvisor/pkg/tcpip/stack"
 "gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 "gvisor.dev/gvisor/pkg/waiter"
- "inet.af/tcpproxy"
 )
 
 const linkLocalSubnet = "169.254.0.0/16"
diff --git a/vendor/inet.af/tcpproxy/tcpproxy.go b/pkg/tcpproxy/tcpproxy.go
similarity index 97%
rename from vendor/inet.af/tcpproxy/tcpproxy.go
rename to pkg/tcpproxy/tcpproxy.go
index 5d178c63..eac25fde 100644
--- a/vendor/inet.af/tcpproxy/tcpproxy.go
+++ b/pkg/tcpproxy/tcpproxy.go
@@ -1,3 +1,5 @@
+// Copied from https://github.com/inetaf/tcpproxy/blob/91f861402626c6ba93eaa57ee257109c4f07bd00/tcpproxy.go
+
 // Copyright 2017 Google Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
@@ -81,16 +83,6 @@ type Proxy struct {
 ListenFunc func(net, laddr string) (net.Listener, error)
 }
 
-// Matcher reports whether hostname matches the Matcher's criteria.
-type Matcher func(ctx context.Context, hostname string) bool
-
-// equals is a trivial Matcher that implements string equality.
-func equals(want string) Matcher {
- return func(_ context.Context, got string) bool {
- return want == got
- }
-}
-
 // config contains the proxying state for one listener.
 type config struct {
 routes []route
@@ -372,11 +364,15 @@ func (dp *DialProxy) HandleConn(src net.Conn) {
 
 if ka := dp.keepAlivePeriod(); ka > 0 {
 if c, ok := UnderlyingConn(src).(*net.TCPConn); ok {
+ //nolint:errcheck
 c.SetKeepAlive(true)
+ //nolint:errcheck
 c.SetKeepAlivePeriod(ka)
 }
 if c, ok := dst.(*net.TCPConn); ok {
+ //nolint:errcheck
 c.SetKeepAlive(true)
+ //nolint:errcheck
 c.SetKeepAlivePeriod(ka)
 }
 }
diff --git a/pkg/virtualnetwork/mux.go b/pkg/virtualnetwork/mux.go
index 94e89e03..6b991d39 100644
--- a/pkg/virtualnetwork/mux.go
+++ b/pkg/virtualnetwork/mux.go
@@ -7,12 +7,12 @@ import (
 "net/http"
 "strconv"
 
+ "github.com/containers/gvisor-tap-vsock/pkg/tcpproxy"
 "github.com/containers/gvisor-tap-vsock/pkg/types"
 log "github.com/sirupsen/logrus"
 "gvisor.dev/gvisor/pkg/tcpip"
 "gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 "gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
- "inet.af/tcpproxy"
 )
 
 func (n *VirtualNetwork) Mux() *http.ServeMux {
diff --git a/vendor/inet.af/tcpproxy/.travis.yml b/vendor/inet.af/tcpproxy/.travis.yml
deleted file mode 100644
index a8d3a50d..00000000
--- a/vendor/inet.af/tcpproxy/.travis.yml
+++ /dev/null
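Review bot: The `// Copied from …` header in the first hunk pins the upstream commit but records nothing about what was deliberately left out, and this copy already diverges from it: the Matcher type and equals helper are dropped in the second hunk, and http.go, listener.go and sni.go are not carried over at all, so whoever re-syncs from upstream next has no record of whether that was intentional. With inet.af/tcpproxy removed from go.mod, tooling that works from the module graph (govulncheck, Dependabot) will also stop associating this code with upstream, so upstream fixes to the proxy path now have to be tracked by hand. Suggest extending the header, e.g. `// Local copy of upstream tcpproxy.go at the commit above; http.go, listener.go, sni.go and the Matcher/equals helpers are intentionally omitted.` followed by `// Not tracked as a module dependency: re-sync manually against upstream when it changes.`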
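Review bot: The `//nolint:errcheck` markers in the third hunk suppress the return values of SetKeepAlive and SetKeepAlivePeriod instead of handling them; if either call fails the connection is proxied without keepalive, the dead-peer detection the period was configured for never engages, and nothing is logged. A debug-level log on failure costs nothing on the happy path and satisfies the linter without a suppression, e.g. `if err := c.SetKeepAlive(true); err != nil { log.Printf("tcpproxy: SetKeepAlive: %v", err) }`, using whichever logger this file already imports (its import block is outside the hunk). The same applies to all four calls; HandleConn begins and ends outside the hunk.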
@@ -1,45 +0,0 @@
-language: go
-go:
-- "1.16.x"
-- "1.17.x"
-- tip
-os:
-- linux
-script:
-- go build ./...
-- go test ./...
-- go vet ./...
-
-jobs:
- include:
- - stage: deploy
- go: "1.16"
- install:
- - gem install fpm
- script:
- - go build ./cmd/tlsrouter
- - fpm -s dir -t deb -n tlsrouter -v $(date '+%Y%m%d%H%M%S')
- --license Apache2
- --vendor "David Anderson "
- --maintainer "David Anderson "
- --description "TLS SNI router"
- --url "https://github.com/inetaf/tcpproxy/tree/master/cmd/tlsrouter"
- ./tlsrouter=/usr/bin/tlsrouter
- ./systemd/tlsrouter.service=/lib/systemd/system/tlsrouter.service
- deploy:
- - provider: packagecloud
- repository: tlsrouter
- username: danderson
- dist: debian/stretch
- skip_cleanup: true
- on:
- branch: master
- token:
- secure: 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
- - provider: script
- on:
- branch: master
- script: go run scripts/prune_old_versions.go -user=danderson -repo=tlsrouter -distro=debian -version=stretch -package=tlsrouter -arch=amd64 -limit=2
- env:
- # Packagecloud API key, for prune_old_versions.go
- - secure: "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"
diff --git a/vendor/inet.af/tcpproxy/CONTRIBUTING.md b/vendor/inet.af/tcpproxy/CONTRIBUTING.md
deleted file mode 100644
index 188ad870..00000000
--- a/vendor/inet.af/tcpproxy/CONTRIBUTING.md
+++ /dev/null
@@ -1,8 +0,0 @@
-Contributions are welcome by pull request.
-
-You need to sign the Google Contributor License Agreement before your
-contributions can be accepted. You can find the individual and organization
-level CLAs here:
-
-Individual: https://cla.developers.google.com/about/google-individual
-Organization: https://cla.developers.google.com/about/google-corporate
diff --git a/vendor/inet.af/tcpproxy/LICENSE b/vendor/inet.af/tcpproxy/LICENSE
deleted file mode 100644
index d6456956..00000000
--- a/vendor/inet.af/tcpproxy/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/vendor/inet.af/tcpproxy/README.md b/vendor/inet.af/tcpproxy/README.md deleted file mode 100644 index f526c213..00000000 --- a/vendor/inet.af/tcpproxy/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# tcpproxy - -For library usage, see https://godoc.org/inet.af/tcpproxy/ - -For CLI usage, see https://github.com/inetaf/tcpproxy/blob/master/cmd/tlsrouter/README.md diff --git a/vendor/inet.af/tcpproxy/http.go b/vendor/inet.af/tcpproxy/http.go deleted file mode 100644 index d28c66fa..00000000 --- a/vendor/inet.af/tcpproxy/http.go +++ /dev/null 
@@ -1,125 +0,0 @@
-// Copyright 2017 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcpproxy
-
-import (
- "bufio"
- "bytes"
- "context"
- "net/http"
-)
-
-// AddHTTPHostRoute appends a route to the ipPort listener that
-// routes to dest if the incoming HTTP/1.x Host header name is
-// httpHost. If it doesn't match, rule processing continues for any
-// additional routes on ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddHTTPHostRoute(ipPort, httpHost string, dest Target) {
- p.AddHTTPHostMatchRoute(ipPort, equals(httpHost), dest)
-}
-
-// AddHTTPHostMatchRoute appends a route to the ipPort listener that
-// routes to dest if the incoming HTTP/1.x Host header name is
-// accepted by matcher. If it doesn't match, rule processing continues
-// for any additional routes on ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddHTTPHostMatchRoute(ipPort string, match Matcher, dest Target) {
- p.addRoute(ipPort, httpHostMatch{match, dest})
-}
-
-type httpHostMatch struct {
- matcher Matcher
- target Target
-}
-
-func (m httpHostMatch) match(br *bufio.Reader) (Target, string) {
- hh := httpHostHeader(br)
- if m.matcher(context.TODO(), hh) {
- return m.target, hh
- }
- return nil, ""
-}
-
-// httpHostHeader returns the HTTP Host header from br without
-// consuming any of its bytes. It returns "" if it can't find one.
-func httpHostHeader(br *bufio.Reader) string {
- const maxPeek = 4 << 10
- peekSize := 0
- for {
- peekSize++
- if peekSize > maxPeek {
- b, _ := br.Peek(br.Buffered())
- return httpHostHeaderFromBytes(b)
- }
- b, err := br.Peek(peekSize)
- if n := br.Buffered(); n > peekSize {
- b, _ = br.Peek(n)
- peekSize = n
- }
- if len(b) > 0 {
- if b[0] < 'A' || b[0] > 'Z' {
- // Doesn't look like an HTTP verb
- // (GET, POST, etc).
- return ""
- }
- if bytes.Index(b, crlfcrlf) != -1 || bytes.Index(b, lflf) != -1 {
- req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(b)))
- if err != nil {
- return ""
- }
- if len(req.Header["Host"]) > 1 {
- // TODO(bradfitz): what does
- // ReadRequest do if there are
- // multiple Host headers?
- return ""
- }
- return req.Host
- }
- }
- if err != nil {
- return httpHostHeaderFromBytes(b)
- }
- }
-}
-
-var (
- lfHostColon = []byte("\nHost:")
- lfhostColon = []byte("\nhost:")
- crlf = []byte("\r\n")
- lf = []byte("\n")
- crlfcrlf = []byte("\r\n\r\n")
- lflf = []byte("\n\n")
-)
-
-func httpHostHeaderFromBytes(b []byte) string {
- if i := bytes.Index(b, lfHostColon); i != -1 {
- return string(bytes.TrimSpace(untilEOL(b[i+len(lfHostColon):])))
- }
- if i := bytes.Index(b, lfhostColon); i != -1 {
- return string(bytes.TrimSpace(untilEOL(b[i+len(lfhostColon):])))
- }
- return ""
-}
-
-// untilEOL returns v, truncated before the first '\n' byte, if any.
-// The returned slice may include a '\r' at the end.
-func untilEOL(v []byte) []byte {
- if i := bytes.IndexByte(v, '\n'); i != -1 {
- return v[:i]
- }
- return v
-}
diff --git a/vendor/inet.af/tcpproxy/listener.go b/vendor/inet.af/tcpproxy/listener.go
deleted file mode 100644
index 1ddc48ee..00000000
--- a/vendor/inet.af/tcpproxy/listener.go
+++ /dev/null
@@ -1,108 +0,0 @@
-// Copyright 2017 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcpproxy
-
-import (
- "io"
- "net"
- "sync"
-)
-
-// TargetListener implements both net.Listener and Target.
-// Matched Targets become accepted connections.
-type TargetListener struct {
- Address string // Address is the string reported by TargetListener.Addr().String().
-
- mu sync.Mutex
- cond *sync.Cond
- closed bool
- nextConn net.Conn
-}
-
-var (
- _ net.Listener = (*TargetListener)(nil)
- _ Target = (*TargetListener)(nil)
-)
-
-func (tl *TargetListener) lock() {
- tl.mu.Lock()
- if tl.cond == nil {
- tl.cond = sync.NewCond(&tl.mu)
- }
-}
-
-type tcpAddr string
-
-func (a tcpAddr) Network() string { return "tcp" }
-func (a tcpAddr) String() string { return string(a) }
-
-// Addr returns the listener's Address field as a net.Addr.
-func (tl *TargetListener) Addr() net.Addr { return tcpAddr(tl.Address) }
-
-// Close stops listening for new connections. All new connections
-// routed to this listener will be closed. Already accepted
-// connections are not closed.
-func (tl *TargetListener) Close() error {
- tl.lock()
- if tl.closed {
- tl.mu.Unlock()
- return nil
- }
- tl.closed = true
- tl.mu.Unlock()
- tl.cond.Broadcast()
- return nil
-}
-
-// HandleConn implements the Target interface. It blocks until tl is
-// closed or another goroutine has called Accept and received c.
-func (tl *TargetListener) HandleConn(c net.Conn) {
- tl.lock()
- defer tl.mu.Unlock()
- for tl.nextConn != nil && !tl.closed {
- tl.cond.Wait()
- }
- if tl.closed {
- c.Close()
- return
- }
- tl.nextConn = c
- tl.cond.Broadcast() // Signal might be sufficient; verify.
- for tl.nextConn == c && !tl.closed {
- tl.cond.Wait()
- }
- if tl.closed {
- c.Close()
- return
- }
-}
-
-// Accept implements the Accept method in the net.Listener interface.
-func (tl *TargetListener) Accept() (net.Conn, error) {
- tl.lock()
- for tl.nextConn == nil && !tl.closed {
- tl.cond.Wait()
- }
- if tl.closed {
- tl.mu.Unlock()
- return nil, io.EOF
- }
- c := tl.nextConn
- tl.nextConn = nil
- tl.mu.Unlock()
- tl.cond.Broadcast() // Signal might be sufficient; verify.
-
- return c, nil
-}
diff --git a/vendor/inet.af/tcpproxy/sni.go b/vendor/inet.af/tcpproxy/sni.go
deleted file mode 100644
index c2d37e01..00000000
--- a/vendor/inet.af/tcpproxy/sni.go
+++ /dev/null
@@ -1,115 +0,0 @@
-// Copyright 2017 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcpproxy
-
-import (
- "bufio"
- "bytes"
- "context"
- "crypto/tls"
- "io"
- "net"
-)
-
-// AddSNIRoute appends a route to the ipPort listener that routes to
-// dest if the incoming TLS SNI server name is sni. If it doesn't
-// match, rule processing continues for any additional routes on
-// ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddSNIRoute(ipPort, sni string, dest Target) {
- p.AddSNIMatchRoute(ipPort, equals(sni), dest)
-}
-
-// AddSNIMatchRoute appends a route to the ipPort listener that routes
-// to dest if the incoming TLS SNI server name is accepted by
-// matcher. If it doesn't match, rule processing continues for any
-// additional routes on ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddSNIMatchRoute(ipPort string, matcher Matcher, dest Target) {
- p.addRoute(ipPort, sniMatch{matcher: matcher, target: dest})
-}
-
-// SNITargetFunc is the func callback used by Proxy.AddSNIRouteFunc.
-type SNITargetFunc func(ctx context.Context, sniName string) (t Target, ok bool)
-
-// AddSNIRouteFunc adds a route to ipPort that matches an SNI request and calls
-// fn to map its nap to a target.
-func (p *Proxy) AddSNIRouteFunc(ipPort string, fn SNITargetFunc) {
- p.addRoute(ipPort, sniMatch{targetFunc: fn})
-}
-
-type sniMatch struct {
- matcher Matcher
- target Target
-
- // Alternatively, if targetFunc is non-nil, it's used instead:
- targetFunc SNITargetFunc
-}
-
-func (m sniMatch) match(br *bufio.Reader) (Target, string) {
- sni := clientHelloServerName(br)
- if sni == "" {
- return nil, ""
- }
- if m.targetFunc != nil {
- if t, ok := m.targetFunc(context.TODO(), sni); ok {
- return t, sni
- }
- return nil, ""
- }
- if m.matcher(context.TODO(), sni) {
- return m.target, sni
- }
- return nil, ""
-}
-
-// clientHelloServerName returns the SNI server name inside the TLS ClientHello,
-// without consuming any bytes from br.
-// On any error, the empty string is returned.
-func clientHelloServerName(br *bufio.Reader) (sni string) {
- const recordHeaderLen = 5
- hdr, err := br.Peek(recordHeaderLen)
- if err != nil {
- return ""
- }
- const recordTypeHandshake = 0x16
- if hdr[0] != recordTypeHandshake {
- return "" // Not TLS.
- }
- recLen := int(hdr[3])<<8 | int(hdr[4]) // ignoring version in hdr[1:3]
- helloBytes, err := br.Peek(recordHeaderLen + recLen)
- if err != nil {
- return ""
- }
- tls.Server(sniSniffConn{r: bytes.NewReader(helloBytes)}, &tls.Config{
- GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
- sni = hello.ServerName
- return nil, nil
- },
- }).Handshake()
- return
-}
-
-// sniSniffConn is a net.Conn that reads from r, fails on Writes,
-// and crashes otherwise.
-type sniSniffConn struct {
- r io.Reader
- net.Conn // nil; crash on any unexpected use
-}
-
-func (c sniSniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }
-func (sniSniffConn) Write(p []byte) (int, error) { return 0, io.EOF }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ce0cb10f..5f2dbc45 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -279,7 +279,3 @@ gvisor.dev/gvisor/pkg/tcpip/transport/tcp
 gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack
 gvisor.dev/gvisor/pkg/tcpip/transport/udp
 gvisor.dev/gvisor/pkg/waiter
-# inet.af/tcpproxy v0.0.0-20220326234310-be3ee21c9fa0 => github.com/inetaf/tcpproxy v0.0.0-20221017015627-91f861402626
-## explicit; go 1.16
-inet.af/tcpproxy
-# inet.af/tcpproxy => github.com/inetaf/tcpproxy v0.0.0-20221017015627-91f861402626