github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
66455ab0efeb088045447da1e8904dccafee18a9
firezone/rust
History
Thomas Eizinger 66455ab0ef feat(gateway): translate TimeExceeded ICMP messages (#9812) 
In the DNS resource NAT table, we track parts of the layer 4 protocol of
the connection in order to map packets back to the correct proxy IP in
case multiple DNS names resolve to the same real IP. The involvement of
layer 4 means we need to perform some packet inspection in case we
receive ICMP errors from an upstream router.

Presently, the only ICMP error we handle here is destination
unreachable. Those are generated e.g. when we are trying to contact an
IPv6 address but we don't have an IPv6 egress interface. An additional
error that we want to handle here is "time exceeded":

Time exceeded is sent when the TTL of a packet reaches 0. Typically,
TTLs are set high enough such that the packet makes it to its
destination. When using tools such as `tracepath` however, the TTL is
specifically only incremented one-by-one in order to resolve the exact
hops a packet is taking to a destination. Without handling the time
exceeded ICMP error, using `tracepath` through Firezone is broken
because the packets get dropped at the DNS resource NAT.

With this PR, we generalise the functionality of detecting destination
unreachable ICMP errors to also handle time-exceeded errors, allowing
tools such as `tracepath` to somewhat work:

```
❯ sudo docker compose exec --env RUST_LOG=info -it client /bin/sh -c 'tracepath -b example.com'
 1?: [LOCALHOST]                      pmtu 1280
 1:  100.82.110.64 (100.82.110.64)                         0.795ms
 1:  100.82.110.64 (100.82.110.64)                         0.593ms
 2:  example.com (100.96.0.1)                              0.696ms asymm 45
 3:  example.com (100.96.0.1)                              5.788ms asymm 45
 4:  example.com (100.96.0.1)                              7.787ms asymm 45
 5:  example.com (100.96.0.1)                              8.412ms asymm 45
 6:  example.com (100.96.0.1)                              9.545ms asymm 45
 7:  example.com (100.96.0.1)                              7.312ms asymm 45
 8:  example.com (100.96.0.1)                              8.779ms asymm 45
 9:  example.com (100.96.0.1)                              9.455ms asymm 45
10:  example.com (100.96.0.1)                             14.410ms asymm 45
11:  example.com (100.96.0.1)                             24.244ms asymm 45
12:  example.com (100.96.0.1)                             31.286ms asymm 45
13:  no reply
14:  example.com (100.96.0.1)                            303.860ms asymm 45
15:  no reply
16:  example.com (100.96.0.1)                            135.616ms (This broken router returned corrupted payload) asymm 45
17:  no reply
18:  example.com (100.96.0.1)                            161.647ms asymm 45
19:  no reply
20:  no reply
21:  no reply
22:  example.com (100.96.0.1)                            238.066ms reached
     Resume: pmtu 1280 hops 22 back 45
```

We say "somewhat work" because due to the NAT that is in place for DNS
resources, the output does not disclose the intermediary hops beyond the
Gateway.

Co-authored-by: Antoine Labarussias <antoinelabarussias@gmail.com>

---------

Co-authored-by: Antoine Labarussias <antoinelabarussias@gmail.com>
2025-07-12 21:09:48 +00:00
..
.cargo
fix(rust): use rust-lld linker for MSVC (#9641)
2025-06-24 01:55:36 +10:00
apple-client-ffi
chore(rust): bump to Rust 1.88 (#9714)
2025-07-12 06:42:50 +00:00
bin-shared
chore(rust): bump to Rust 1.88 (#9714)
2025-07-12 06:42:50 +00:00
client-ffi
feat(telemetry): grab env and distinct_id from Sentry session (#9801)
2025-07-10 20:05:08 +00:00
client-shared
chore(connlib): silence EHOSTDOWN errors (#9797)
2025-07-07 22:52:39 +00:00
connlib
feat(gateway): translate TimeExceeded ICMP messages (#9812)
2025-07-12 21:09:48 +00:00
gateway
fix(rust): remove jemalloc (#9849)
2025-07-12 19:22:06 +00:00
gui-client
chore(rust): bump to Rust 1.88 (#9714)
2025-07-12 06:42:50 +00:00
headless-client
feat(telemetry): grab env and distinct_id from Sentry session (#9801)
2025-07-10 20:05:08 +00:00
logging
chore(rust): bump to Rust 1.88 (#9714)
2025-07-12 06:42:50 +00:00
relay
fix(rust): remove jemalloc (#9849)
2025-07-12 19:22:06 +00:00
telemetry
feat(telemetry): log use of map-enobufs-to-wouldblock (#9829)
2025-07-11 13:32:11 +00:00
tests
chore(gui-smoke-test): wait for tunnel service to boot (#9766)
2025-07-02 05:16:15 +00:00
tools/uniffi-bindgen
refactor: use UniFFI for Android FFI (#9415)
2025-06-17 21:48:34 +00:00
.dockerignore
refactor(portal): Don't pin session token to user_agent or remote_ip (#2195)
2023-09-30 07:40:57 -07:00
.gitignore
Implement basic STUN server (#1603)
2023-05-10 07:58:32 -07:00
Cargo.lock
chore(rust): bump str0m (#9852)
2025-07-12 20:55:07 +00:00
Cargo.toml
fix(rust): remove jemalloc (#9849)
2025-07-12 19:22:06 +00:00
clippy.toml
chore(rust): bump to Rust 1.88 (#9714)
2025-07-12 06:42:50 +00:00
deny.toml
build(deps): bump the tauri group in /rust with 6 updates (#9720)
2025-06-30 13:25:20 +00:00
docker-init-gateway.sh
fix(gateway): Apply more specific firewall rules on start (#8483)
2025-03-19 05:32:50 +00:00
docker-init-relay.sh
feat(relay): add ec2 metadata discovery (#6617)
2024-09-12 12:28:55 -06:00
docker-init.sh
fix(gateway): always masquerade for docker-deployed gateways (#6169)
2024-08-07 03:00:50 +00:00
Dockerfile
chore(rust): remove dev stage in Dockerfile (#8688)
2025-04-10 04:00:58 +00:00
Dockerfile.xdp-tools
chore(relay): Add xdp-tools debug Docker image build script (#8591)
2025-04-03 18:17:23 +00:00
README.md
docs(rust): fix profiling command (#7547)
2024-12-18 13:01:23 +00:00
rust-toolchain.toml
chore(rust): bump to Rust 1.88 (#9714)
2025-07-12 06:42:50 +00:00

README.md

Rust development guide

Firezone uses Rust for all data plane components. This directory contains the Linux and Windows clients, and low-level networking implementations related to STUN/TURN.

We target the last stable release of Rust using rust-toolchain.toml. If you are using rustup, that is automatically handled for you. Otherwise, ensure you have the latest stable version of Rust installed.

Reading Client logs

The Client logs are written as JSONL for machine-readability.

To make them more human-friendly, pipe them through jq like this:

cd path/to/logs  # e.g. `$HOME/.cache/dev.firezone.client/data/logs` on Linux
cat *.log | jq -r '"\(.time) \(.severity) \(.message)"'

Resulting in, e.g.

2024-04-01T18:25:47.237661392Z INFO started log
2024-04-01T18:25:47.238193266Z INFO GIT_VERSION = 1.0.0-pre.11-35-gcc0d43531
2024-04-01T18:25:48.295243016Z INFO No token / actor_name on disk, starting in signed-out state
2024-04-01T18:25:48.295360641Z INFO null

Benchmarking on Linux

The recommended way for benchmarking any of the Rust components is Linux' perf utility. For example, to attach to a running application, do:

  1. Ensure the binary you are profiling is compiled with the release profile.
  2. sudo perf record -g --freq 10000 --pid $(pgrep <your-binary>).
  3. Run the speed test or whatever load-inducing task you want to measure.
  4. sudo perf script > profile.perf
  5. Open profiler.firefox.com and load profile.perf

Instead of attaching to a process with --pid, you can also specify the path to executable directly. That is useful if you want to capture perf data for a test or a micro-benchmark.

Reference in New Issue View Git Blame Copy Permalink