github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(connlib): log malformed IP packets (#8799)

Browse Source 
When determining, how to NAT a certain packet, we need to identify
whether it is a UDP, TCP or ICMP packet and extract the relevant port or
identifier from it. When parsing these packets, we may run into a
situation where the IP number says that the packet is TCP but it is
actually malformed and we cannot parse the port from it.

In such situations, we end up constructing a `UnsupportedProtocol` error
that then confusingly states the we don't support the TCP protocol (or
UDP / ICMP if those are malformed).

The parsing error here is currently silently discarded as part of the
`.ok()` combinator when constructing the relevant slice. To make these
logs easier to understand, we now add an `inspect_err` call prior to
this the prints, why the packet could not be parsed.

Long-term, I am planning to refactor our IP packet model to eagerly
parse the layer 3 + 4 headers. This will also be necessary to implement
segmentation offloading on the TUN device. Doing so will improve
situations like because we will either pass through the malformed packet
(if at least the header is intact) or drop it much earlier already. In
either case, accessing things like port numbers will be infallible as
part of the processing code.
This commit is contained in:
Thomas Eizinger
2025-04-17 14:27:21 +10:00
committed by GitHub
parent 54e60ca820
commit 4a39d5eafb
1 changed files with 24 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
rust/ip-packet/src/lib.rs
View File

@@ -561,7 +561,9 @@ impl IpPacket {
return None;
}
UdpSlice::from_slice(self.payload()).ok()
UdpSlice::from_slice(self.payload())
.inspect_err(|e| tracing::debug!("Invalid UDP packet: {e}"))
.ok()
}
pub fn as_udp_mut(&mut self) -> Option<UdpHeaderSliceMut> {
@@ -569,7 +571,9 @@ impl IpPacket {
return None;
}
UdpHeaderSliceMut::from_slice(self.payload_mut()).ok()
UdpHeaderSliceMut::from_slice(self.payload_mut())
.inspect_err(|e| tracing::debug!("Invalid UDP packet: {e}"))
.ok()
}
pub fn as_tcp(&self) -> Option<TcpSlice> {
@@ -577,7 +581,9 @@ impl IpPacket {
return None;
}
TcpSlice::from_slice(self.payload()).ok()
TcpSlice::from_slice(self.payload())
.inspect_err(|e| tracing::debug!("Invalid TCP packet: {e}"))
.ok()
}
pub fn as_tcp_mut(&mut self) -> Option<TcpHeaderSliceMut> {
@@ -585,7 +591,9 @@ impl IpPacket {
return None;
}
TcpHeaderSliceMut::from_slice(self.payload_mut()).ok()
TcpHeaderSliceMut::from_slice(self.payload_mut())
.inspect_err(|e| tracing::debug!("Invalid TCP packet: {e}"))
.ok()
}
fn set_icmpv6_checksum(&mut self) {
@@ -632,7 +640,9 @@ impl IpPacket {
return None;
}
Icmpv4Slice::from_slice(self.payload()).ok()
Icmpv4Slice::from_slice(self.payload())
.inspect_err(|e| tracing::debug!("Invalid ICMPv4 packet: {e}"))
.ok()
}
pub fn as_icmpv4_mut(&mut self) -> Option<Icmpv4HeaderSliceMut> {
@@ -640,7 +650,9 @@ impl IpPacket {
return None;
}
Icmpv4HeaderSliceMut::from_slice(self.payload_mut()).ok()
Icmpv4HeaderSliceMut::from_slice(self.payload_mut())
.inspect_err(|e| tracing::debug!("Invalid ICMPv4 packet: {e}"))
.ok()
}
/// In case the packet is an ICMP unreachable error, parses the unroutable packet from the ICMP payload.
@@ -736,7 +748,9 @@ impl IpPacket {
return None;
}
Icmpv6Slice::from_slice(self.payload()).ok()
Icmpv6Slice::from_slice(self.payload())
.inspect_err(|e| tracing::debug!("Invalid ICMPv6 packet: {e}"))
.ok()
}
pub fn as_icmpv6_mut(&mut self) -> Option<Icmpv6EchoHeaderSliceMut> {
@@ -744,7 +758,9 @@ impl IpPacket {
return None;
}
Icmpv6EchoHeaderSliceMut::from_slice(self.payload_mut()).ok()
Icmpv6EchoHeaderSliceMut::from_slice(self.payload_mut())
.inspect_err(|e| tracing::debug!("Invalid ICMPv6 packet: {e}"))
.ok()
}
pub fn as_fz_p2p_control(&self) -> Option<FzP2pControlSlice> {