mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
To prevent userspace relaying, all traffic that seemingly looked like STUN/TURN but we couldn't handle via the eBPF codepath we would `XDP_DROP`. This turned out to be too heavy-handed of an approach since it ended up matching DNS query responses as well due to them arriving within the TURN ephemeral port range. To fix this, we `XDP_PASS` the traffic up the stack so that the kernel is able to match it to existing conntrack entries. We've identified a minor race condition where the first few channel data packets might be dropped when a channel is first being bound, but fixing this will be saved for a later PR. Related: https://github.com/firezone/infra/pull/132
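To make the verdict change concrete, the following is an added example, not Firezone's eBPF program: a plain userspace C model of the XDP decision the commit message describes, written so it compiles with an ordinary C compiler rather than as BPF. It assumes a relay port range of 49152 to 65535 (the IANA dynamic range; the project's actual range is not stated here), that STUN-looking packets are always handed up to userspace, and uses a toy in-process array in place of the real channel-binding BPF map. The constructed packets show why a DNS response whose transaction ID happens to fall in the TURN channel-number range (0x4000 to 0x7FFF, per RFC 8656) was dropped under the old `drop_unmatched` policy and is passed under the new one, while genuinely bound channel data still takes the in-kernel fast path either way.

```c
/* Added example: userspace model of the XDP verdict logic, not Firezone code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Numbering mirrors the kernel's XDP_DROP / XDP_PASS / XDP_TX actions. */
enum verdict { VERDICT_DROP = 1, VERDICT_PASS = 2, VERDICT_TX = 3 };

#define STUN_MAGIC_COOKIE 0x2112A442u /* RFC 5389 */
#define CHANNEL_MIN 0x4000u           /* RFC 8656 channel numbers */
#define CHANNEL_MAX 0x7FFFu
#define RELAY_PORT_MIN 49152u         /* ASSUMED relay/ephemeral range */
#define RELAY_PORT_MAX 65535u

struct udp_pkt {
    uint16_t src_port, dst_port;
    const uint8_t *payload;
    size_t len;
};

/* Toy stand-in for the channel-binding BPF map: channel number -> bound? */
static bool bound_channels[CHANNEL_MAX + 1];
void reset_channels(void) { memset(bound_channels, 0, sizeof bound_channels); }
void bind_channel(uint16_t ch) {
    if (ch >= CHANNEL_MIN && ch <= CHANNEL_MAX) bound_channels[ch] = true;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* STUN: 20-byte header, top two bits of byte 0 clear, magic cookie at offset 4. */
static bool looks_like_stun(const struct udp_pkt *p) {
    return p->len >= 20 && (p->payload[0] & 0xC0) == 0 &&
           be32(p->payload + 4) == STUN_MAGIC_COOKIE;
}

/* ChannelData: first two bytes are a channel number in 0x4000..0x7FFF.
 * Note this is exactly the check a DNS transaction ID can accidentally satisfy. */
static bool looks_like_channel_data(const struct udp_pkt *p) {
    if (p->len < 4) return false;
    uint16_t ch = be16(p->payload);
    return ch >= CHANNEL_MIN && ch <= CHANNEL_MAX;
}

/* drop_unmatched=true models the old XDP_DROP policy, false the new XDP_PASS one. */
enum verdict xdp_verdict(const struct udp_pkt *p, bool drop_unmatched) {
    bool in_relay_range = p->dst_port >= RELAY_PORT_MIN && p->dst_port <= RELAY_PORT_MAX;
    if (!in_relay_range) return VERDICT_PASS;      /* not relay traffic at all */
    if (looks_like_stun(p)) return VERDICT_PASS;   /* ASSUMED: allocations handled in userspace */
    if (looks_like_channel_data(p) && bound_channels[be16(p->payload)])
        return VERDICT_TX;                         /* known channel: relay in kernel */
    /* Unknown channel, or something that merely resembles one (e.g. a DNS reply):
     * the kernel stack can still match it against conntrack if we pass it. */
    return drop_unmatched ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed sample packets (only the leading bytes matter for classification). */
static const uint8_t dns_response[] = { 0x4A, 0x3B, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
                                        0x00, 0x00, 0x00, 0x00, 0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e' };
static const uint8_t bound_chan[]   = { 0x40, 0x01, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t unbound_chan[] = { 0x50, 0x00, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t stun_binding[] = { 0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42,
                                        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };

static void demo_table(void) { reset_channels(); bind_channel(0x4001); }

enum verdict demo_dns_response(bool drop_unmatched) {
    demo_table();
    struct udp_pkt p = { 53, 50000, dns_response, sizeof dns_response };
    return xdp_verdict(&p, drop_unmatched);
}
enum verdict demo_bound_channel(bool drop_unmatched) {
    demo_table();
    struct udp_pkt p = { 60000, 50000, bound_chan, sizeof bound_chan };
    return xdp_verdict(&p, drop_unmatched);
}
enum verdict demo_unbound_channel(bool drop_unmatched) {
    demo_table();
    struct udp_pkt p = { 60000, 50000, unbound_chan, sizeof unbound_chan };
    return xdp_verdict(&p, drop_unmatched);
}
enum verdict demo_stun_binding(bool drop_unmatched) {
    demo_table();
    struct udp_pkt p = { 60000, 50000, stun_binding, sizeof stun_binding };
    return xdp_verdict(&p, drop_unmatched);
}

int main(void) {
    const char *names[] = { "", "DROP", "PASS", "TX" };
    printf("%-16s %-6s %-6s\n", "packet", "old", "new");
    printf("%-16s %-6s %-6s\n", "dns response", names[demo_dns_response(true)], names[demo_dns_response(false)]);
    printf("%-16s %-6s %-6s\n", "bound channel", names[demo_bound_channel(true)], names[demo_bound_channel(false)]);
    printf("%-16s %-6s %-6s\n", "unbound channel", names[demo_unbound_channel(true)], names[demo_unbound_channel(false)]);
    printf("%-16s %-6s %-6s\n", "stun binding", names[demo_stun_binding(true)], names[demo_stun_binding(false)]);
    return 0;
}
```

The "unbound channel" row is the race the message mentions: channel data that arrives before the binding has landed in the map is indistinguishable from the DNS case at this layer, so under the old policy it was dropped outright, and under the new one it is passed up and left to the kernel stack and userspace to deal with.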