Compare commits

...

6 Commits

Author SHA1 Message Date
Bogdan-Ștefan Neacşu 10270a0f6a Put a list of allowed wg keys in /root/keys_pub.json 2023-12-20 11:36:30 +02:00
Jon Häggblad 406a384393 Apply exit policy check on portless packets 2023-12-19 10:34:34 +01:00
durch 4508c1db68 Use all gateways for custom topology provider 2023-12-15 16:09:17 +01:00
durch 2d3c36f851 Add three measurements grace period 2023-12-14 15:57:17 +01:00
durch 2b998c1363 Only use good nodes for test route construction 2023-12-14 15:57:02 +01:00
Bogdan-Ștefan Neacşu 13308cf80b Enable wireguard for testing purposes 2023-12-13 16:54:27 +02:00
24 changed files with 228 additions and 86 deletions
+1 -1
View File
@@ -43,7 +43,7 @@ jobs:
uses: actions-rs/cargo@v1
with:
command: build
args: --workspace --release
args: --workspace --release --features wireguard
- name: Upload Artifact
uses: actions/upload-artifact@v3
@@ -51,7 +51,7 @@ jobs:
uses: actions-rs/cargo@v1
with:
command: build
args: --workspace --release
args: --workspace --release --features wireguard
- name: Prepare build output
shell: bash
Generated
+1
View File
@@ -7572,6 +7572,7 @@ dependencies = [
"nym-network-defaults",
"nym-task",
"nym-wireguard-types",
"serde",
"tokio",
"x25519-dalek 2.0.0",
]
@@ -275,6 +275,10 @@ impl NymApiClient {
Ok(self.nym_api.get_gateways().await?)
}
pub async fn get_all_gateways(&self) -> Result<Vec<GatewayBond>, ValidatorClientError> {
Ok(self.nym_api.get_all_gateways().await?)
}
pub async fn get_cached_described_gateways(
&self,
) -> Result<Vec<DescribedGateway>, ValidatorClientError> {
@@ -79,6 +79,11 @@ pub trait NymApiClientExt: ApiClient {
.await
}
async fn get_all_gateways(&self) -> Result<Vec<GatewayBond>, NymAPIError> {
self.get_json(&[routes::API_VERSION, routes::GATEWAYS_ALL], NO_PARAMS)
.await
}
async fn get_gateways_described(&self) -> Result<Vec<DescribedGateway>, NymAPIError> {
self.get_json(
&[routes::API_VERSION, routes::GATEWAYS, routes::DESCRIBED],
@@ -6,6 +6,7 @@ use nym_network_defaults::NYM_API_VERSION;
pub const API_VERSION: &str = NYM_API_VERSION;
pub const MIXNODES: &str = "mixnodes";
pub const GATEWAYS: &str = "gateways";
pub const GATEWAYS_ALL: &str = "gateways/all";
pub const DESCRIBED: &str = "described";
pub const DETAILED: &str = "detailed";
+63
View File
@@ -81,6 +81,15 @@ ExitPolicy accept6 *6:119
ExitPolicy accept *4:120
ExitPolicy reject6 [FC00::]/7:*
# Portless
ExitPolicy accept *:0
ExitPolicy accept *4:0
ExitPolicy accept *6:0
ExitPolicy reject *:0
ExitPolicy reject *4:0
ExitPolicy reject *6:0
#ExitPolicy accept *:8080 #and another comment here
ExitPolicy reject FE80:0000:0000:0000:0202:B3FF:FE1E:8329:*
@@ -184,6 +193,60 @@ ExitPolicy reject *:*
},
);
// ExitPolicy accept *:0
expected.push(
Accept,
AddressPortPattern {
ip_pattern: IpPattern::Star,
ports: PortRange::new_zero(),
},
);
// ExitPolicy accept *4:0
expected.push(
Accept,
AddressPortPattern {
ip_pattern: IpPattern::V4Star,
ports: PortRange::new_zero(),
},
);
// ExitPolicy accept *6:0
expected.push(
Accept,
AddressPortPattern {
ip_pattern: IpPattern::V6Star,
ports: PortRange::new_zero(),
},
);
// ExitPolicy reject *:0
expected.push(
Reject,
AddressPortPattern {
ip_pattern: IpPattern::Star,
ports: PortRange::new_zero(),
},
);
// ExitPolicy reject *4:0
expected.push(
Reject,
AddressPortPattern {
ip_pattern: IpPattern::V4Star,
ports: PortRange::new_zero(),
},
);
// ExitPolicy reject *6:0
expected.push(
Reject,
AddressPortPattern {
ip_pattern: IpPattern::V6Star,
ports: PortRange::new_zero(),
},
);
// ExitPolicy FE80:0000:0000:0000:0202:B3FF:FE1E:8329:*
expected.push(
Reject,
+37 -14
View File
@@ -264,7 +264,13 @@ mod stringified_ip_pattern {
impl AddressPortPattern {
/// Return true iff this pattern matches a given address and port.
pub fn matches(&self, addr: &IpAddr, port: u16) -> bool {
self.ip_pattern.matches(addr) && self.ports.contains(port)
// For backward compatibility, we treat port 0 as a wildcard until all gateways have
// upgraded, at which point we can add *:0 to the policy list.
if port == 0 {
self.ip_pattern.matches(addr)
} else {
self.ip_pattern.matches(addr) && self.ports.contains(port)
}
}
/// As matches, but accept a SocketAddr.
@@ -395,19 +401,9 @@ fn parse_addr(s: &str) -> Result<IpAddr, PolicyError> {
})
}
/// Helper: try to parse a port making sure it's non-zero
fn parse_port(s: &str) -> Result<u16, PolicyError> {
let port = s
.parse::<u16>()
.map_err(|_| PolicyError::InvalidPort { raw: s.to_string() })?;
if port == 0 {
Err(PolicyError::InvalidPort {
raw: port.to_string(),
})
} else {
Ok(port)
}
s.parse::<u16>()
.map_err(|_| PolicyError::InvalidPort { raw: s.to_string() })
}
impl FromStr for IpPattern {
@@ -494,6 +490,10 @@ impl PortRange {
PortRange::new_unchecked(1, 65535)
}
pub fn new_zero() -> Self {
PortRange { start: 0, end: 0 }
}
/// Create a new PortRange.
///
/// The Portrange contains all ports between `start` and `end` inclusive.
@@ -574,6 +574,7 @@ mod test {
check("marzipan:80");
check("1.2.3.4:90-80");
check("1.2.3.4:0-80");
check("1.2.3.4/100:8888");
check("[1.2.3.4]/16:80");
check("[::1]/130:8888");
@@ -612,6 +613,22 @@ mod test {
check("0.0.0.0/0:*", &["127.0.0.1:80"], &["[f00b::]:80"]);
check("[::]/0:*", &["[f00b::]:80"], &["127.0.0.1:80"]);
check(
"*:0",
&["1.2.3.4:0", "[::1]:0", "9.0.0.0:0"],
&["1.2.3.4:443", "[::1]:500", "9.0.0.0:80", "[::1]:80"],
);
check(
"*4:0",
&["1.2.3.4:0", "9.0.0.0:0"],
&["1.2.3.4:443", "9.0.0.0:80", "[::1]:0", "[::1]:80"],
);
check(
"*6:0",
&["[::1]:0"],
&["[::1]:80", "1.2.3.4:0", "1.2.3.4:443"],
);
}
#[test]
@@ -620,6 +637,7 @@ mod test {
policy.push(AddressPolicyAction::Accept, "*:443".parse()?);
policy.push(AddressPolicyAction::Accept, "[::1]:80".parse()?);
policy.push(AddressPolicyAction::Reject, "*:80".parse()?);
policy.push(AddressPolicyAction::Accept, "*:0".parse()?);
let policy = policy; // drop mut
assert!(policy
@@ -640,6 +658,9 @@ mod test {
assert!(policy
.allows_sockaddr(&"127.0.0.1:66".parse().unwrap())
.is_none());
assert!(policy
.allows_sockaddr(&"127.0.0.1:0".parse().unwrap())
.unwrap());
Ok(())
}
@@ -672,7 +693,6 @@ mod test {
assert_eq!("*".parse::<PortRange>().unwrap(), PortRange::new_all());
assert!("hello".parse::<PortRange>().is_err());
assert!("0".parse::<PortRange>().is_err());
assert!("65536".parse::<PortRange>().is_err());
assert!("65537".parse::<PortRange>().is_err());
assert!("1-2-3".parse::<PortRange>().is_err());
@@ -680,6 +700,9 @@ mod test {
assert!("1-".parse::<PortRange>().is_err());
assert!("-2".parse::<PortRange>().is_err());
assert!("-".parse::<PortRange>().is_err());
assert_eq!("0".parse::<PortRange>().unwrap(), PortRange::new_zero(),);
assert!("0-1".parse::<PortRange>().is_err());
}
#[test]
+1
View File
@@ -22,4 +22,5 @@ log.workspace = true
nym-network-defaults = { path = "../network-defaults" }
nym-task = { path = "../task" }
nym-wireguard-types = { path = "../wireguard-types" }
serde = { workspace = true, features = ["derive"] }
tokio = { workspace = true, features = ["rt-multi-thread", "net", "io-util"] }
+10 -11
View File
@@ -9,13 +9,12 @@ use nym_wireguard_types::registration::GatewayClientRegistry;
use std::sync::Arc;
// Currently the module related to setting up the virtual network device is platform specific.
use crate::setup::PeerPair;
#[cfg(target_os = "linux")]
use crate::setup::{peer_allowed_ips, peer_static_public_key, PRIVATE_KEY};
use crate::setup::{peer_static_pairs, PRIVATE_KEY};
use defguard_wireguard_rs::WGApi;
#[cfg(target_os = "linux")]
use defguard_wireguard_rs::{
host::Peer, key::Key, net::IpAddrMask, InterfaceConfiguration, WireguardInterfaceApi,
};
use defguard_wireguard_rs::{InterfaceConfiguration, WireguardInterfaceApi};
#[cfg(target_os = "linux")]
use nym_network_defaults::{WG_PORT, WG_TUN_DEVICE_ADDRESS};
@@ -24,6 +23,7 @@ use nym_network_defaults::{WG_PORT, WG_TUN_DEVICE_ADDRESS};
pub async fn start_wireguard(
mut task_client: nym_task::TaskClient,
_gateway_client_registry: Arc<GatewayClientRegistry>,
peer_pairs: Vec<PeerPair>,
) -> Result<WGApi, Box<dyn std::error::Error + Send + Sync + 'static>> {
let ifname = String::from("wg0");
let wgapi = WGApi::new(ifname.clone(), false)?;
@@ -36,13 +36,11 @@ pub async fn start_wireguard(
peers: vec![],
};
wgapi.configure_interface(&interface_config)?;
let peer = peer_static_public_key();
let mut peer = Peer::new(Key::new(peer.to_bytes()));
let peer_ip = peer_allowed_ips();
let peer_ip_mask = IpAddrMask::new(peer_ip.network_address(), peer_ip.netmask());
peer.set_allowed_ips(vec![peer_ip_mask]);
wgapi.configure_peer(&peer)?;
wgapi.configure_peer_routing(&[peer.clone()])?;
let peers = peer_static_pairs(peer_pairs);
for peer in peers.iter() {
wgapi.configure_peer(peer)?;
}
wgapi.configure_peer_routing(&peers)?;
tokio::spawn(async move { task_client.recv().await });
@@ -52,6 +50,7 @@ pub async fn start_wireguard(
pub async fn start_wireguard(
_task_client: nym_task::TaskClient,
_gateway_client_registry: Arc<GatewayClientRegistry>,
_peer_pairs: Vec<PeerPair>,
) -> Result<WGApi, Box<dyn std::error::Error + Send + Sync + 'static>> {
todo!("WireGuard is currently only supported on Linux")
}
+38 -26
View File
@@ -1,7 +1,11 @@
use std::net::IpAddr;
use base64::{engine::general_purpose, Engine as _};
use log::info;
use defguard_wireguard_rs::host::Peer;
use defguard_wireguard_rs::key::Key;
use defguard_wireguard_rs::net::IpAddrMask;
use log::{info, warn};
use serde::Deserialize;
// The wireguard UDP listener
pub const WG_ADDRESS: &str = "0.0.0.0";
@@ -10,21 +14,23 @@ pub const WG_ADDRESS: &str = "0.0.0.0";
// Corresponding public key: "WM8s8bYegwMa0TJ+xIwhk+dImk2IpDUKslDBCZPizlE="
pub(crate) const PRIVATE_KEY: &str = "AEqXrLFT4qjYq3wmX0456iv94uM6nDj5ugp6Jedcflg=";
// The AllowedIPs for the connected peer, which is one a single IP and the same as the IP that the
// peer has configured on their side.
const ALLOWED_IPS: &str = "10.1.0.2";
#[derive(Deserialize, Debug)]
pub struct PeerPair {
pub addr: String,
pub public_key: String,
}
fn decode_base64_key(base64_key: &str) -> [u8; 32] {
fn decode_base64_key(base64_key: &str) -> Result<[u8; 32], String> {
general_purpose::STANDARD
.decode(base64_key)
.unwrap()
.map_err(|_| String::from("Could not decode"))?
.try_into()
.unwrap()
.map_err(|_| String::from("Not enough bytes"))
}
pub fn server_static_private_key() -> x25519_dalek::StaticSecret {
// TODO: this is a temporary solution for development
let static_private_bytes: [u8; 32] = decode_base64_key(PRIVATE_KEY);
let static_private_bytes: [u8; 32] = decode_base64_key(PRIVATE_KEY).unwrap();
let static_private = x25519_dalek::StaticSecret::from(static_private_bytes);
let static_public = x25519_dalek::PublicKey::from(&static_private);
info!(
@@ -34,23 +40,29 @@ pub fn server_static_private_key() -> x25519_dalek::StaticSecret {
static_private
}
pub fn peer_static_public_key() -> x25519_dalek::PublicKey {
// A single static public key is used during development
pub fn peer_static_pairs(raw_pairs: Vec<PeerPair>) -> Vec<Peer> {
raw_pairs
.into_iter()
.filter_map(|pair| {
if let Ok(peer_static_public_bytes) = decode_base64_key(&pair.public_key) {
let peer_static_public = x25519_dalek::PublicKey::from(peer_static_public_bytes);
let mut peer = Peer::new(Key::new(peer_static_public.to_bytes()));
// Read from NYM_PEER_PUBLIC_KEY env variable
let peer = std::env::var("NYM_PEER_PUBLIC_KEY").expect("NYM_PEER_PUBLIC_KEY must be set");
let peer_static_public_bytes: [u8; 32] = decode_base64_key(&peer);
let peer_static_public = x25519_dalek::PublicKey::from(peer_static_public_bytes);
info!(
"Adding wg peer public key: {}",
general_purpose::STANDARD.encode(peer_static_public)
);
peer_static_public
}
pub fn peer_allowed_ips() -> ip_network::IpNetwork {
let key: IpAddr = ALLOWED_IPS.parse().unwrap();
let cidr = 32u8;
ip_network::IpNetwork::new_truncate(key, cidr).unwrap()
if let Ok(key) = pair.addr.parse::<IpAddr>() {
let peer_ip = ip_network::IpNetwork::new_truncate(key, 32u8)
.expect("Netmask should be correct");
let peer_ip_mask =
IpAddrMask::new(peer_ip.network_address(), peer_ip.netmask());
peer.set_allowed_ips(vec![peer_ip_mask]);
Some(peer)
} else {
warn!("Not adding {:?} as IP doesn't parse", pair);
None
}
} else {
warn!("Not adding {:?} as public key doesn't decode", pair);
None
}
})
.collect()
}
+5
View File
@@ -242,6 +242,11 @@ impl Config {
self
}
pub fn with_client_keys_path(mut self, client_keys: PathBuf) -> Self {
self.wireguard.storage_paths.client_keys = client_keys;
self
}
pub fn with_listening_address(mut self, listening_address: IpAddr) -> Self {
self.gateway.listening_address = listening_address;
+1 -1
View File
@@ -130,7 +130,7 @@ impl From<ConfigV1_1_31> for Config {
announced_port: value.wireguard.announced_port,
private_network_prefix: Default::default(),
storage_paths: nym_node::config::persistence::WireguardPaths {
// no fields (yet)
client_keys: Default::default(),
},
},
storage_paths: GatewayPaths {
+4 -1
View File
@@ -207,7 +207,10 @@ impl<St> Gateway<St> {
&self,
shutdown: TaskClient,
) -> Result<WGApi, Box<dyn Error + Send + Sync>> {
nym_wireguard::start_wireguard(shutdown, Arc::clone(&self.client_registry)).await
let file = std::fs::File::open(&self.config.wireguard.storage_paths.client_keys)?;
let reader = std::io::BufReader::new(file);
let peers = serde_json::from_reader(reader)?;
nym_wireguard::start_wireguard(shutdown, Arc::clone(&self.client_registry), peers).await
}
fn start_client_websocket_listener(
@@ -146,7 +146,7 @@ impl PacketPreparer {
let initialisation_backoff = Duration::from_secs(30);
loop {
let gateways = self.validator_cache.gateways_all().await;
let mixnodes = self.validator_cache.mixnodes_basic().await;
let mixnodes = self.validator_cache.mixnodes_all_basic().await;
if gateways.len() < minimum_full_routes {
self.topology_wait_backoff(initialisation_backoff).await;
@@ -179,12 +179,21 @@ impl PacketPreparer {
async fn all_mixnodes_and_gateways(&self) -> (Vec<MixNodeBond>, Vec<GatewayBond>) {
info!("Obtaining network topology...");
let mixnodes = self.validator_cache.mixnodes_basic().await;
let mixnodes = self.validator_cache.mixnodes_all_basic().await;
let gateways = self.validator_cache.gateways_all().await;
(mixnodes, gateways)
}
async fn filtered_mixnodes_and_gateways(&self) -> (Vec<MixNodeBond>, Vec<GatewayBond>) {
info!("Obtaining network topology...");
let mixnodes = self.validator_cache.mixnodes_filtered_basic().await;
let gateways = self.validator_cache.gateways_filtered().await;
(mixnodes, gateways)
}
pub(crate) fn try_parse_mix_bond(&self, mix: &MixNodeBond) -> Result<mix::Node, String> {
let identity = mix.mix_node.identity_key.clone();
mix.try_into().map_err(|_| identity)
@@ -208,7 +217,7 @@ impl PacketPreparer {
n: usize,
blacklist: &mut HashSet<String>,
) -> Option<Vec<TestRoute>> {
let (mixnodes, gateways) = self.all_mixnodes_and_gateways().await;
let (mixnodes, gateways) = self.filtered_mixnodes_and_gateways().await;
// separate mixes into layers for easier selection
let mut layered_mixes = HashMap::new();
for mix in mixnodes {
+14 -13
View File
@@ -182,19 +182,20 @@ impl NymContractCache {
}
}
pub async fn mixnodes_basic(&self) -> Vec<MixNodeBond> {
match time::timeout(Duration::from_millis(100), self.inner.read()).await {
Ok(cache) => cache
.mixnodes
.clone()
.into_iter()
.map(|bond| bond.bond_information)
.collect(),
Err(err) => {
error!("{err}");
Vec::new()
}
}
pub async fn mixnodes_filtered_basic(&self) -> Vec<MixNodeBond> {
self.mixnodes_filtered()
.await
.into_iter()
.map(|bond| bond.bond_information)
.collect()
}
pub async fn mixnodes_all_basic(&self) -> Vec<MixNodeBond> {
self.mixnodes_all()
.await
.into_iter()
.map(|bond| bond.bond_information)
.collect()
}
pub async fn gateways_filtered(&self) -> Vec<GatewayBond> {
+1
View File
@@ -19,6 +19,7 @@ pub(crate) fn nym_contract_cache_routes(settings: &OpenApiSettings) -> (Vec<Rout
settings: routes::get_mixnodes,
routes::get_mixnodes_detailed,
routes::get_gateways,
routes::get_all_gateways,
routes::get_active_set,
routes::get_active_set_detailed,
routes::get_rewarded_set,
+6
View File
@@ -114,6 +114,12 @@ pub async fn get_blacklisted_gateways(
}
}
#[openapi(tag = "contract-cache")]
#[get("/gateways/all")]
pub async fn get_all_gateways(cache: &State<NymContractCache>) -> Json<Vec<GatewayBond>> {
Json(cache.gateways_all().await.clone())
}
#[openapi(tag = "contract-cache")]
#[get("/epoch/reward_params")]
pub async fn get_interval_reward_params(
+1 -1
View File
@@ -119,7 +119,7 @@ impl StorageManager {
r#"
SELECT
d.identity as "identity: String",
AVG(reliability) as "value: f32"
CASE WHEN count(*) > 3 THEN AVG(reliability) ELSE 100 END as "value: f32"
FROM
gateway_details d
JOIN
+3 -1
View File
@@ -93,7 +93,9 @@ impl Default for Wireguard {
),
announced_port: DEFAULT_WIREGUARD_PORT,
private_network_prefix: DEFAULT_WIREGUARD_PREFIX,
storage_paths: persistence::WireguardPaths {},
storage_paths: persistence::WireguardPaths {
client_keys: PathBuf::from("/root/keys_pub.json"),
},
}
}
}
+2 -1
View File
@@ -2,9 +2,10 @@
// SPDX-License-Identifier: GPL-3.0-only
use serde::{Deserialize, Serialize};
use std::path::PathBuf;
#[derive(Debug, Clone, Deserialize, PartialEq, Eq, Serialize)]
#[serde(deny_unknown_fields)]
pub struct WireguardPaths {
// pub keys:
pub client_keys: PathBuf,
}
@@ -35,7 +35,7 @@ impl MyTopologyProvider {
})
.collect::<Vec<_>>();
let gateways = self.validator_client.get_cached_gateways().await.unwrap();
let gateways = self.validator_client.get_all_gateways().await.unwrap();
nym_topology_from_detailed(filtered_mixnodes, gateways)
}
@@ -1,4 +1,4 @@
use std::net::SocketAddr;
use std::net::{IpAddr, SocketAddr};
pub use nym_client_core::error::ClientCoreError;
use nym_exit_policy::PolicyError;
@@ -57,9 +57,15 @@ pub enum IpPacketRouterError {
#[error("the provided socket address, '{addr}' is not covered by the exit policy!")]
AddressNotCoveredByExitPolicy { addr: SocketAddr },
#[error("the provided ip address, '{ip}' is not covered by the exit policy!")]
IpNotCoveredByExitPolicy { ip: IpAddr },
#[error("failed filter check: '{addr}'")]
AddressFailedFilterCheck { addr: SocketAddr },
#[error("failed filter check: '{ip}'")]
IpFailedFilterCheck { ip: IpAddr },
#[error("failed to apply the exit policy: {source}")]
ExitPolicyFailure {
#[from]
@@ -1,4 +1,7 @@
use std::{collections::HashMap, net::IpAddr};
use std::{
collections::HashMap,
net::{IpAddr, SocketAddr},
};
use futures::StreamExt;
use nym_ip_packet_requests::{
@@ -320,15 +323,11 @@ impl MixnetListener {
}
// Filter check
if let Some(dst) = dst {
if !self.request_filter.check_address(&dst).await {
log::warn!("Failed filter check: {dst}");
// TODO: we could consider sending back a response here
return Err(IpPacketRouterError::AddressFailedFilterCheck { addr: dst });
}
} else {
// TODO: we should also filter packets without port number
log::warn!("Ignoring filter check for packet without port number! TODO!");
let dst = dst.unwrap_or_else(|| SocketAddr::new(dst_addr, 0));
if !self.request_filter.check_address(&dst).await {
log::info!("Denied filter check: {dst}");
// TODO: we could consider sending back a response here
return Err(IpPacketRouterError::AddressFailedFilterCheck { addr: dst });
}
// TODO: consider changing from Vec<u8> to bytes::Bytes?