diff --git a/go.mod b/go.mod
index b4cf1ff029..049a760684 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
 	github.com/cavaliergopher/grab/v3 v3.0.1
 	github.com/cheggaaa/pb/v3 v3.1.5
-	github.com/containers/gvisor-tap-vsock v0.7.3
+	github.com/containers/gvisor-tap-vsock v0.7.4-0.20240320091526-a0238e52b61f
 	github.com/containers/image/v5 v5.30.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/crc-org/admin-helper v0.5.2
@@ -129,6 +129,7 @@ require (
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/inetaf/tcpproxy v0.0.0-20240214030015-3ce58045626c // indirect
 	github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -200,7 +201,6 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gvisor.dev/gvisor v0.0.0-20231023213702-2691a8f9b1cf // indirect
-	inet.af/tcpproxy v0.0.0-20231102063150-2862066fc2a9 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
diff --git a/go.sum b/go.sum
index 0c753861c4..1611667620 100644
--- a/go.sum
+++ b/go.sum
@@ -43,8 +43,8 @@ github.com/cheggaaa/pb/v3 v3.1.5/go.mod h1:CrxkeghYTXi1lQBEI7jSn+3svI3cuc19haAj6
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containers/gvisor-tap-vsock v0.7.3 h1:yORnf15sP+sLFhxLNLgmB5/lOhldn9dRMHx/tmYtSOQ=
-github.com/containers/gvisor-tap-vsock v0.7.3/go.mod h1:NI1fLMtKXQZoDrrOeqryGz7x7j/XSFWRmQILva7Fu9c=
+github.com/containers/gvisor-tap-vsock v0.7.4-0.20240320091526-a0238e52b61f h1:NOq4UwN3M4rvN44CPznCqQlOvim7Ja1RZ082ORAJjVQ=
+github.com/containers/gvisor-tap-vsock v0.7.4-0.20240320091526-a0238e52b61f/go.mod h1:hZrvqbYhTIUQCREov+M8u7sMhzGbB6umiDuVpnwtJcI=
 github.com/containers/image/v5 v5.30.0 h1:CmHeSwI6W2kTRWnUsxATDFY5TEX4b58gPkaQcEyrLIA=
 github.com/containers/image/v5 v5.30.0/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
@@ -263,6 +263,8 @@ github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inetaf/tcpproxy v0.0.0-20240214030015-3ce58045626c h1:gYfYE403/nlrGNYj6BEOs9ucLCAGB9gstlSk92DttTg=
+github.com/inetaf/tcpproxy v0.0.0-20240214030015-3ce58045626c/go.mod h1:Di7LXRyUcnvAcLicFhtM9/MlZl/TNgRSDHORM2c6CMI=
 github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f h1:l1QCwn715k8nYkj4Ql50rzEog3WnMdrd4YYMMwemxEo=
 github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
@@ -709,8 +711,6 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gvisor.dev/gvisor v0.0.0-20231023213702-2691a8f9b1cf h1:0A28IFBR6VcMacM0m6Rn5/nr8pk8xa2TyIkjSaFAOPc=
 gvisor.dev/gvisor v0.0.0-20231023213702-2691a8f9b1cf/go.mod h1:8hmigyCdYtw5xJGfQDJzSH5Ju8XEIDBnpyi8+O6GRt8=
-inet.af/tcpproxy v0.0.0-20231102063150-2862066fc2a9 h1:zomTWJvjwLbKRgGameQtpK6DNFUbZ2oNJuWhgUkGp3M=
-inet.af/tcpproxy v0.0.0-20231102063150-2862066fc2a9/go.mod h1:Tojt5kmHpDIR2jMojxzZK2w2ZR7OILODmUo2gaSwjrk=
 k8s.io/api v0.28.8 h1:G0/G7yX1puRAcon/+XPLsKXZ9A5L7Ds6oKbDIe027xw=
 k8s.io/api v0.28.8/go.mod h1:rU8f1t9CNUAXlk/1j/wMJ7XnaxkR1g1AlZGQAOOL+sw=
 k8s.io/apimachinery v0.28.8 h1:hi/nrxHwk4QLV+W/SHve1bypTE59HCDorLY1stBIxKQ=
diff --git a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dhcp/dhcp.go b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dhcp/dhcp.go
index f464a31d6f..cfd5370ea8 100644
--- a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dhcp/dhcp.go
+++ b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dhcp/dhcp.go
@@ -120,7 +120,7 @@ func (s *Server) Serve() error {
 
 func (s *Server) Mux() http.Handler {
 	mux := http.NewServeMux()
-	mux.HandleFunc("/leases", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/leases", func(w http.ResponseWriter, _ *http.Request) {
 		_ = json.NewEncoder(w).Encode(s.IPPool.Leases())
 	})
 	return mux
diff --git a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dns/dns.go b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dns/dns.go
index 15ed72f1df..1cfe0b6cb3 100644
--- a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dns/dns.go
+++ b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/dns/dns.go
@@ -231,7 +231,7 @@ func (s *Server) ServeTCP() error {
 
 func (s *Server) Mux() http.Handler {
 	mux := http.NewServeMux()
-	mux.HandleFunc("/all", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/all", func(w http.ResponseWriter, _ *http.Request) {
 		s.handler.zonesLock.RLock()
 		_ = json.NewEncoder(w).Encode(s.handler.zones)
 		s.handler.zonesLock.RUnlock()
diff --git a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/ports.go b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/ports.go
index 828c248b5b..7d6c06c2d2 100644
--- a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/ports.go
+++ b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/ports.go
@@ -17,12 +17,12 @@ import (
 	"github.com/containers/gvisor-tap-vsock/pkg/sshclient"
 	"github.com/containers/gvisor-tap-vsock/pkg/types"
+	"github.com/inetaf/tcpproxy"
 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
-	"inet.af/tcpproxy"
 )
 
 type PortsForwarder struct {
@@ -117,7 +117,7 @@ func (f *PortsForwarder) Expose(protocol types.TransportProtocol, local, remote
 	var sshForward *sshclient.SSHForward
 	var connLock sync.Mutex
 
-	dialFn = func(ctx context.Context, network, addr string) (net.Conn, error) {
+	dialFn = func(ctx context.Context, _, _ string) (net.Conn, error) {
 		connLock.Lock()
 		defer connLock.Unlock()
 
@@ -145,7 +145,7 @@ func (f *PortsForwarder) Expose(protocol types.TransportProtocol, local, remote
 		return err
 	}
 
-	dialFn = func(ctx context.Context, network, addr string) (conn net.Conn, e error) {
+	dialFn = func(ctx context.Context, _, _ string) (conn net.Conn, e error) {
 		return gonet.DialContextTCP(ctx, f.stack, address, ipv4.ProtocolNumber)
 	}
 
@@ -232,7 +232,7 @@ func (f *PortsForwarder) Expose(protocol types.TransportProtocol, local, remote
 	var p tcpproxy.Proxy
 	p.AddRoute(local, &tcpproxy.DialProxy{
 		Addr: remote,
-		DialContext: func(ctx context.Context, network, addr string) (conn net.Conn, e error) {
+		DialContext: func(ctx context.Context, _, _ string) (conn net.Conn, e error) {
 			return gonet.DialContextTCP(ctx, f.stack, address, ipv4.ProtocolNumber)
 		},
 	})
@@ -273,7 +273,7 @@ func (f *PortsForwarder) Unexpose(protocol types.TransportProtocol, local string
 
 func (f *PortsForwarder) Mux() http.Handler {
 	mux := http.NewServeMux()
-	mux.HandleFunc("/all", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/all", func(w http.ResponseWriter, _ *http.Request) {
 		f.proxiesLock.Lock()
 		defer f.proxiesLock.Unlock()
 		ret := make([]proxy, 0)
diff --git a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/tcp.go b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/tcp.go
index e60936ec41..6493c94c64 100644
--- a/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/tcp.go
+++ b/vendor/github.com/containers/gvisor-tap-vsock/pkg/services/forwarder/tcp.go
@@ -6,13 +6,13 @@ import (
 	"net"
 	"sync"
 
+	"github.com/inetaf/tcpproxy"
 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"gvisor.dev/gvisor/pkg/waiter"
-	"inet.af/tcpproxy"
 )
 
 const linkLocalSubnet = "169.254.0.0/16"
@@ -47,7 +47,7 @@ func TCP(s *stack.Stack, nat map[tcpip.Address]tcpip.Address, natLock *sync.Mute
 	}
 
 	remote := tcpproxy.DialProxy{
-		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+		DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
 			return outbound, nil
 		},
 	}
diff --git a/vendor/github.com/containers/gvisor-tap-vsock/pkg/sshclient/bastion.go b/vendor/github.com/containers/gvisor-tap-vsock/pkg/sshclient/bastion.go
index f10bddda01..956e4f458f 100644
--- a/vendor/github.com/containers/gvisor-tap-vsock/pkg/sshclient/bastion.go
+++ b/vendor/github.com/containers/gvisor-tap-vsock/pkg/sshclient/bastion.go
@@ -138,7 +138,7 @@ func CreateBastion(_url *url.URL, passPhrase string, identity string, initial ne
 	}
 
 	if connect == nil {
-		connect = func(ctx context.Context, bastion *Bastion) (net.Conn, error) {
+		connect = func(_ context.Context, bastion *Bastion) (net.Conn, error) {
 			conn, err := net.DialTimeout("tcp",
 				net.JoinHostPort(bastion.Host, bastion.Port),
 				bastion.Config.Timeout,
diff --git a/vendor/github.com/containers/gvisor-tap-vsock/pkg/transport/dial_darwin.go b/vendor/github.com/containers/gvisor-tap-vsock/pkg/transport/dial_darwin.go
index 2556a386ff..da245a4e32 100644
--- a/vendor/github.com/containers/gvisor-tap-vsock/pkg/transport/dial_darwin.go
+++ b/vendor/github.com/containers/gvisor-tap-vsock/pkg/transport/dial_darwin.go
@@ -6,6 +6,6 @@ import (
 	"github.com/pkg/errors"
 )
 
-func Dial(endpoint string) (net.Conn, string, error) {
+func Dial(_ string) (net.Conn, string, error) {
 	return nil, "", errors.New("unsupported")
 }
diff --git a/vendor/github.com/containers/gvisor-tap-vsock/pkg/virtualnetwork/mux.go b/vendor/github.com/containers/gvisor-tap-vsock/pkg/virtualnetwork/mux.go
index c671177caa..cc61c5d755 100644
--- a/vendor/github.com/containers/gvisor-tap-vsock/pkg/virtualnetwork/mux.go
+++ b/vendor/github.com/containers/gvisor-tap-vsock/pkg/virtualnetwork/mux.go
@@ -8,26 +8,26 @@ import (
 	"strconv"
 
 	"github.com/containers/gvisor-tap-vsock/pkg/types"
+	"github.com/inetaf/tcpproxy"
 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
-	"inet.af/tcpproxy"
 )
 
 func (n *VirtualNetwork) Mux() *http.ServeMux {
 	mux := http.NewServeMux()
 	mux.Handle("/services/", http.StripPrefix("/services", n.servicesMux))
-	mux.HandleFunc("/stats", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/stats", func(w http.ResponseWriter, _ *http.Request) {
 		_ = json.NewEncoder(w).Encode(statsAsJSON(n.networkSwitch.Sent, n.networkSwitch.Received, n.stack.Stats()))
 	})
-	mux.HandleFunc("/cam", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/cam", func(w http.ResponseWriter, _ *http.Request) {
 		_ = json.NewEncoder(w).Encode(n.networkSwitch.CAM())
 	})
-	mux.HandleFunc("/leases", func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc("/leases", func(w http.ResponseWriter, _ *http.Request) {
 		_ = json.NewEncoder(w).Encode(n.ipPool.Leases())
 	})
-	mux.HandleFunc(types.ConnectPath, func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(types.ConnectPath, func(w http.ResponseWriter, _ *http.Request) {
 		hj, ok := w.(http.Hijacker)
 		if !ok {
 			http.Error(w, "webserver doesn't support hijacking", http.StatusInternalServerError)
@@ -83,14 +83,14 @@ func (n *VirtualNetwork) Mux() *http.ServeMux { } remote := tcpproxy.DialProxy{ - DialContext: func(ctx context.Context, network, address string) (net.Conn, error) { + DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) { return gonet.DialContextTCP(ctx, n.stack, tcpip.FullAddress{ NIC: 1, Addr: tcpip.AddrFrom4Slice(net.ParseIP(ip).To4()), Port: uint16(port), }, ipv4.ProtocolNumber) }, - OnDialError: func(src net.Conn, dstDialErr error) { + OnDialError: func(_ net.Conn, dstDialErr error) { log.Errorf("cannot dial: %v", dstDialErr) }, } diff --git a/vendor/inet.af/tcpproxy/.travis.yml b/vendor/inet.af/tcpproxy/.travis.yml deleted file mode 100644 index a8d3a50dfe..0000000000 --- a/vendor/inet.af/tcpproxy/.travis.yml +++ /dev/null @@ -1,45 +0,0 @@ -language: go -go: -- "1.16.x" -- "1.17.x" -- tip -os: -- linux -script: -- go build ./... -- go test ./... -- go vet ./... - -jobs: - include: - - stage: deploy - go: "1.16" - install: - - gem install fpm - script: - - go build ./cmd/tlsrouter - - fpm -s dir -t deb -n tlsrouter -v $(date '+%Y%m%d%H%M%S') - --license Apache2 - --vendor "David Anderson " - --maintainer "David Anderson " - --description "TLS SNI router" - --url "https://github.com/inetaf/tcpproxy/tree/master/cmd/tlsrouter" - ./tlsrouter=/usr/bin/tlsrouter - ./systemd/tlsrouter.service=/lib/systemd/system/tlsrouter.service - deploy: - - provider: packagecloud - repository: tlsrouter - username: danderson - dist: debian/stretch - skip_cleanup: true - on: - branch: master - token: - secure: 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 - - provider: script - on: - branch: master - script: go run scripts/prune_old_versions.go -user=danderson -repo=tlsrouter -distro=debian -version=stretch -package=tlsrouter -arch=amd64 -limit=2 - env: - # Packagecloud API key, for prune_old_versions.go - - secure: "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" 
diff --git a/vendor/inet.af/tcpproxy/CONTRIBUTING.md b/vendor/inet.af/tcpproxy/CONTRIBUTING.md
deleted file mode 100644
index 188ad870fc..0000000000
--- a/vendor/inet.af/tcpproxy/CONTRIBUTING.md
+++ /dev/null
@@ -1,8 +0,0 @@
-Contributions are welcome by pull request.
-
-You need to sign the Google Contributor License Agreement before your
-contributions can be accepted. You can find the individual and organization
-level CLAs here:
-
-Individual: https://cla.developers.google.com/about/google-individual
-Organization: https://cla.developers.google.com/about/google-corporate
diff --git a/vendor/inet.af/tcpproxy/LICENSE b/vendor/inet.af/tcpproxy/LICENSE
deleted file mode 100644
index d645695673..0000000000
--- a/vendor/inet.af/tcpproxy/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/vendor/inet.af/tcpproxy/README.md b/vendor/inet.af/tcpproxy/README.md deleted file mode 100644 index f526c213a9..0000000000 --- a/vendor/inet.af/tcpproxy/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# tcpproxy - -For library usage, see https://godoc.org/inet.af/tcpproxy/ - -For CLI usage, see https://github.com/inetaf/tcpproxy/blob/master/cmd/tlsrouter/README.md diff --git a/vendor/inet.af/tcpproxy/http.go b/vendor/inet.af/tcpproxy/http.go deleted file mode 100644 index d28c66fa88..0000000000 --- a/vendor/inet.af/tcpproxy/http.go +++ /dev/null 
@@ -1,125 +0,0 @@
-// Copyright 2017 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcpproxy
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"net/http"
-)
-
-// AddHTTPHostRoute appends a route to the ipPort listener that
-// routes to dest if the incoming HTTP/1.x Host header name is
-// httpHost. If it doesn't match, rule processing continues for any
-// additional routes on ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddHTTPHostRoute(ipPort, httpHost string, dest Target) {
-	p.AddHTTPHostMatchRoute(ipPort, equals(httpHost), dest)
-}
-
-// AddHTTPHostMatchRoute appends a route to the ipPort listener that
-// routes to dest if the incoming HTTP/1.x Host header name is
-// accepted by matcher. If it doesn't match, rule processing continues
-// for any additional routes on ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddHTTPHostMatchRoute(ipPort string, match Matcher, dest Target) {
-	p.addRoute(ipPort, httpHostMatch{match, dest})
-}
-
-type httpHostMatch struct {
-	matcher Matcher
-	target  Target
-}
-
-func (m httpHostMatch) match(br *bufio.Reader) (Target, string) {
-	hh := httpHostHeader(br)
-	if m.matcher(context.TODO(), hh) {
-		return m.target, hh
-	}
-	return nil, ""
-}
-
-// httpHostHeader returns the HTTP Host header from br without
-// consuming any of its bytes. It returns "" if it can't find one.
-func httpHostHeader(br *bufio.Reader) string {
-	const maxPeek = 4 << 10
-	peekSize := 0
-	for {
-		peekSize++
-		if peekSize > maxPeek {
-			b, _ := br.Peek(br.Buffered())
-			return httpHostHeaderFromBytes(b)
-		}
-		b, err := br.Peek(peekSize)
-		if n := br.Buffered(); n > peekSize {
-			b, _ = br.Peek(n)
-			peekSize = n
-		}
-		if len(b) > 0 {
-			if b[0] < 'A' || b[0] > 'Z' {
-				// Doesn't look like an HTTP verb
-				// (GET, POST, etc).
-				return ""
-			}
-			if bytes.Index(b, crlfcrlf) != -1 || bytes.Index(b, lflf) != -1 {
-				req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(b)))
-				if err != nil {
-					return ""
-				}
-				if len(req.Header["Host"]) > 1 {
-					// TODO(bradfitz): what does
-					// ReadRequest do if there are
-					// multiple Host headers?
-					return ""
-				}
-				return req.Host
-			}
-		}
-		if err != nil {
-			return httpHostHeaderFromBytes(b)
-		}
-	}
-}
-
-var (
-	lfHostColon = []byte("\nHost:")
-	lfhostColon = []byte("\nhost:")
-	crlf        = []byte("\r\n")
-	lf          = []byte("\n")
-	crlfcrlf    = []byte("\r\n\r\n")
-	lflf        = []byte("\n\n")
-)
-
-func httpHostHeaderFromBytes(b []byte) string {
-	if i := bytes.Index(b, lfHostColon); i != -1 {
-		return string(bytes.TrimSpace(untilEOL(b[i+len(lfHostColon):])))
-	}
-	if i := bytes.Index(b, lfhostColon); i != -1 {
-		return string(bytes.TrimSpace(untilEOL(b[i+len(lfhostColon):])))
-	}
-	return ""
-}
-
-// untilEOL returns v, truncated before the first '\n' byte, if any.
-// The returned slice may include a '\r' at the end.
-func untilEOL(v []byte) []byte {
-	if i := bytes.IndexByte(v, '\n'); i != -1 {
-		return v[:i]
-	}
-	return v
-}
diff --git a/vendor/inet.af/tcpproxy/listener.go b/vendor/inet.af/tcpproxy/listener.go
deleted file mode 100644
index 1ddc48ee21..0000000000
--- a/vendor/inet.af/tcpproxy/listener.go
+++ /dev/null
@@ -1,108 +0,0 @@
-// Copyright 2017 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcpproxy
-
-import (
-	"io"
-	"net"
-	"sync"
-)
-
-// TargetListener implements both net.Listener and Target.
-// Matched Targets become accepted connections.
-type TargetListener struct {
-	Address string // Address is the string reported by TargetListener.Addr().String().
-
-	mu       sync.Mutex
-	cond     *sync.Cond
-	closed   bool
-	nextConn net.Conn
-}
-
-var (
-	_ net.Listener = (*TargetListener)(nil)
-	_ Target       = (*TargetListener)(nil)
-)
-
-func (tl *TargetListener) lock() {
-	tl.mu.Lock()
-	if tl.cond == nil {
-		tl.cond = sync.NewCond(&tl.mu)
-	}
-}
-
-type tcpAddr string
-
-func (a tcpAddr) Network() string { return "tcp" }
-func (a tcpAddr) String() string  { return string(a) }
-
-// Addr returns the listener's Address field as a net.Addr.
-func (tl *TargetListener) Addr() net.Addr { return tcpAddr(tl.Address) }
-
-// Close stops listening for new connections. All new connections
-// routed to this listener will be closed. Already accepted
-// connections are not closed.
-func (tl *TargetListener) Close() error {
-	tl.lock()
-	if tl.closed {
-		tl.mu.Unlock()
-		return nil
-	}
-	tl.closed = true
-	tl.mu.Unlock()
-	tl.cond.Broadcast()
-	return nil
-}
-
-// HandleConn implements the Target interface. It blocks until tl is
-// closed or another goroutine has called Accept and received c.
-func (tl *TargetListener) HandleConn(c net.Conn) {
-	tl.lock()
-	defer tl.mu.Unlock()
-	for tl.nextConn != nil && !tl.closed {
-		tl.cond.Wait()
-	}
-	if tl.closed {
-		c.Close()
-		return
-	}
-	tl.nextConn = c
-	tl.cond.Broadcast() // Signal might be sufficient; verify.
-	for tl.nextConn == c && !tl.closed {
-		tl.cond.Wait()
-	}
-	if tl.closed {
-		c.Close()
-		return
-	}
-}
-
-// Accept implements the Accept method in the net.Listener interface.
-func (tl *TargetListener) Accept() (net.Conn, error) {
-	tl.lock()
-	for tl.nextConn == nil && !tl.closed {
-		tl.cond.Wait()
-	}
-	if tl.closed {
-		tl.mu.Unlock()
-		return nil, io.EOF
-	}
-	c := tl.nextConn
-	tl.nextConn = nil
-	tl.mu.Unlock()
-	tl.cond.Broadcast() // Signal might be sufficient; verify.
-
-	return c, nil
-}
diff --git a/vendor/inet.af/tcpproxy/sni.go b/vendor/inet.af/tcpproxy/sni.go
deleted file mode 100644
index c2d37e01ed..0000000000
--- a/vendor/inet.af/tcpproxy/sni.go
+++ /dev/null
@@ -1,115 +0,0 @@
-// Copyright 2017 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tcpproxy
-
-import (
- "bufio"
- "bytes"
- "context"
- "crypto/tls"
- "io"
- "net"
-)
-
-// AddSNIRoute appends a route to the ipPort listener that routes to
-// dest if the incoming TLS SNI server name is sni. If it doesn't
-// match, rule processing continues for any additional routes on
-// ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddSNIRoute(ipPort, sni string, dest Target) {
- p.AddSNIMatchRoute(ipPort, equals(sni), dest)
-}
-
-// AddSNIMatchRoute appends a route to the ipPort listener that routes
-// to dest if the incoming TLS SNI server name is accepted by
-// matcher. If it doesn't match, rule processing continues for any
-// additional routes on ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddSNIMatchRoute(ipPort string, matcher Matcher, dest Target) {
- p.addRoute(ipPort, sniMatch{matcher: matcher, target: dest})
-}
-
-// SNITargetFunc is the func callback used by Proxy.AddSNIRouteFunc.
-type SNITargetFunc func(ctx context.Context, sniName string) (t Target, ok bool)
-
-// AddSNIRouteFunc adds a route to ipPort that matches an SNI request and calls
-// fn to map its nap to a target.
-func (p *Proxy) AddSNIRouteFunc(ipPort string, fn SNITargetFunc) {
- p.addRoute(ipPort, sniMatch{targetFunc: fn})
-}
-
-type sniMatch struct {
- matcher Matcher
- target Target
-
- // Alternatively, if targetFunc is non-nil, it's used instead:
- targetFunc SNITargetFunc
-}
-
-func (m sniMatch) match(br *bufio.Reader) (Target, string) {
- sni := clientHelloServerName(br)
- if sni == "" {
- return nil, ""
- }
- if m.targetFunc != nil {
- if t, ok := m.targetFunc(context.TODO(), sni); ok {
- return t, sni
- }
- return nil, ""
- }
- if m.matcher(context.TODO(), sni) {
- return m.target, sni
- }
- return nil, ""
-}
-
-// clientHelloServerName returns the SNI server name inside the TLS ClientHello,
-// without consuming any bytes from br.
-// On any error, the empty string is returned.
-func clientHelloServerName(br *bufio.Reader) (sni string) {
- const recordHeaderLen = 5
- hdr, err := br.Peek(recordHeaderLen)
- if err != nil {
- return ""
- }
- const recordTypeHandshake = 0x16
- if hdr[0] != recordTypeHandshake {
- return "" // Not TLS.
- }
- recLen := int(hdr[3])<<8 | int(hdr[4]) // ignoring version in hdr[1:3]
- helloBytes, err := br.Peek(recordHeaderLen + recLen)
- if err != nil {
- return ""
- }
- tls.Server(sniSniffConn{r: bytes.NewReader(helloBytes)}, &tls.Config{
- GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
- sni = hello.ServerName
- return nil, nil
- },
- }).Handshake()
- return
-}
-
-// sniSniffConn is a net.Conn that reads from r, fails on Writes,
-// and crashes otherwise.
-type sniSniffConn struct {
- r io.Reader
- net.Conn // nil; crash on any unexpected use
-}
-
-func (c sniSniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }
-func (sniSniffConn) Write(p []byte) (int, error) { return 0, io.EOF }
diff --git a/vendor/inet.af/tcpproxy/tcpproxy.go b/vendor/inet.af/tcpproxy/tcpproxy.go
deleted file mode 100644
index 1f03e3201c..0000000000
--- a/vendor/inet.af/tcpproxy/tcpproxy.go
+++ /dev/null
@@ -1,496 +0,0 @@
-// Copyright 2017 Google Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package tcpproxy lets users build TCP proxies, optionally making
-// routing decisions based on HTTP/1 Host headers and the SNI hostname
-// in TLS connections.
-//
-// Typical usage:
-//
-// var p tcpproxy.Proxy
-// p.AddHTTPHostRoute(":80", "foo.com", tcpproxy.To("10.0.0.1:8081"))
-// p.AddHTTPHostRoute(":80", "bar.com", tcpproxy.To("10.0.0.2:8082"))
-// p.AddRoute(":80", tcpproxy.To("10.0.0.1:8081")) // fallback
-// p.AddSNIRoute(":443", "foo.com", tcpproxy.To("10.0.0.1:4431"))
-// p.AddSNIRoute(":443", "bar.com", tcpproxy.To("10.0.0.2:4432"))
-// p.AddRoute(":443", tcpproxy.To("10.0.0.1:4431")) // fallback
-// log.Fatal(p.Run())
-//
-// Calling Run (or Start) on a proxy also starts all the necessary
-// listeners.
-//
-// For each accepted connection, the rules for that ipPort are
-// matched, in order. If one matches (currently HTTP Host, SNI, or
-// always), then the connection is handed to the target.
-//
-// The two predefined Target implementations are:
-//
-// 1) DialProxy, proxying to another address (use the To func to return a
-// DialProxy value),
-//
-// 2) TargetListener, making the matched connection available via a
-// net.Listener.Accept call.
-//
-// But Target is an interface, so you can also write your own.
-//
-// Note that tcpproxy does not do any TLS encryption or decryption. It
-// only (via DialProxy) copies bytes around. The SNI hostname in the TLS
-// header is unencrypted, for better or worse.
-//
-// This package makes no API stability promises. If you depend on it,
-// vendor it.
-package tcpproxy
-
-import (
- "bufio"
- "context"
- "errors"
- "fmt"
- "io"
- "log"
- "net"
- "time"
-)
-
-// Proxy is a proxy. Its zero value is a valid proxy that does
-// nothing. Call methods to add routes before calling Start or Run.
-//
-// The order that routes are added in matters; each is matched in the order
-// registered.
-type Proxy struct {
- configs map[string]*config // ip:port => config
-
- lns []net.Listener
- donec chan struct{} // closed before err
- err error // any error from listening
-
- // ListenFunc optionally specifies an alternate listen
- // function. If nil, net.Dial is used.
- // The provided net is always "tcp".
- ListenFunc func(net, laddr string) (net.Listener, error)
-}
-
-// Matcher reports whether hostname matches the Matcher's criteria.
-type Matcher func(ctx context.Context, hostname string) bool
-
-// equals is a trivial Matcher that implements string equality.
-func equals(want string) Matcher {
- return func(_ context.Context, got string) bool {
- return want == got
- }
-}
-
-// config contains the proxying state for one listener.
-type config struct {
- routes []route
-}
-
-// A route matches a connection to a target.
-type route interface {
- // match examines the initial bytes of a connection, looking for a
- // match. If a match is found, match returns a non-nil Target to
- // which the stream should be proxied. match returns nil if the
- // connection doesn't match.
- //
- // match must not consume bytes from the given bufio.Reader, it
- // can only Peek.
- //
- // If an sni or host header was parsed successfully, that will be
- // returned as the second parameter.
- match(*bufio.Reader) (Target, string)
-}
-
-func (p *Proxy) netListen() func(net, laddr string) (net.Listener, error) {
- if p.ListenFunc != nil {
- return p.ListenFunc
- }
- return net.Listen
-}
-
-func (p *Proxy) configFor(ipPort string) *config {
- if p.configs == nil {
- p.configs = make(map[string]*config)
- }
- if p.configs[ipPort] == nil {
- p.configs[ipPort] = &config{}
- }
- return p.configs[ipPort]
-}
-
-func (p *Proxy) addRoute(ipPort string, r route) {
- cfg := p.configFor(ipPort)
- cfg.routes = append(cfg.routes, r)
-}
-
-// AddRoute appends an always-matching route to the ipPort listener,
-// directing any connection to dest.
-//
-// This is generally used as either the only rule (for simple TCP
-// proxies), or as the final fallback rule for an ipPort.
-//
-// The ipPort is any valid net.Listen TCP address.
-func (p *Proxy) AddRoute(ipPort string, dest Target) {
- p.addRoute(ipPort, fixedTarget{dest})
-}
-
-type fixedTarget struct {
- t Target
-}
-
-func (m fixedTarget) match(*bufio.Reader) (Target, string) { return m.t, "" }
-
-// Run is calls Start, and then Wait.
-//
-// It blocks until there's an error. The return value is always
-// non-nil.
-func (p *Proxy) Run() error {
- if err := p.Start(); err != nil {
- return err
- }
- return p.Wait()
-}
-
-// Wait waits for the Proxy to finish running. Currently this can only
-// happen if a Listener is closed, or Close is called on the proxy.
-//
-// It is only valid to call Wait after a successful call to Start.
-func (p *Proxy) Wait() error {
- <-p.donec
- return p.err
-}
-
-// Close closes all the proxy's self-opened listeners.
-func (p *Proxy) Close() error {
- for _, c := range p.lns {
- c.Close()
- }
- return nil
-}
-
-// Start creates a TCP listener for each unique ipPort from the
-// previously created routes and starts the proxy. It returns any
-// error from starting listeners.
-//
-// If it returns a non-nil error, any successfully opened listeners
-// are closed.
-func (p *Proxy) Start() error {
- if p.donec != nil {
- return errors.New("already started")
- }
- p.donec = make(chan struct{})
- errc := make(chan error, len(p.configs))
- p.lns = make([]net.Listener, 0, len(p.configs))
- for ipPort, config := range p.configs {
- ln, err := p.netListen()("tcp", ipPort)
- if err != nil {
- p.Close()
- return err
- }
- p.lns = append(p.lns, ln)
- go p.serveListener(errc, ln, config.routes)
- }
- go p.awaitFirstError(errc)
- return nil
-}
-
-func (p *Proxy) awaitFirstError(errc <-chan error) {
- p.err = <-errc
- close(p.donec)
-}
-
-func (p *Proxy) serveListener(ret chan<- error, ln net.Listener, routes []route) {
- for {
- c, err := ln.Accept()
- if err != nil {
- ret <- err
- return
- }
- go p.serveConn(c, routes)
- }
-}
-
-// serveConn runs in its own goroutine and matches c against routes.
-// It returns whether it matched purely for testing.
-func (p *Proxy) serveConn(c net.Conn, routes []route) bool {
- br := bufio.NewReader(c)
- for _, route := range routes {
- if target, hostName := route.match(br); target != nil {
- if n := br.Buffered(); n > 0 {
- peeked, _ := br.Peek(br.Buffered())
- c = &Conn{
- HostName: hostName,
- Peeked: peeked,
- Conn: c,
- }
- }
- target.HandleConn(c)
- return true
- }
- }
- // TODO: hook for this?
- log.Printf("tcpproxy: no routes matched conn %v/%v; closing", c.RemoteAddr().String(), c.LocalAddr().String())
- c.Close()
- return false
-}
-
-// Conn is an incoming connection that has had some bytes read from it
-// to determine how to route the connection. The Read method stitches
-// the peeked bytes and unread bytes back together.
-type Conn struct {
- // HostName is the hostname field that was sent to the request router.
- // In the case of TLS, this is the SNI header, in the case of HTTPHost
- // route, it will be the host header. In the case of a fixed
- // route, i.e. those created with AddRoute(), this will always be
- // empty. This can be useful in the case where further routing decisions
- // need to be made in the Target impementation.
- HostName string
-
- // Peeked are the bytes that have been read from Conn for the
- // purposes of route matching, but have not yet been consumed
- // by Read calls. It set to nil by Read when fully consumed.
- Peeked []byte
-
- // Conn is the underlying connection.
- // It can be type asserted against *net.TCPConn or other types
- // as needed. It should not be read from directly unless
- // Peeked is nil.
- net.Conn
-}
-
-func (c *Conn) Read(p []byte) (n int, err error) {
- if len(c.Peeked) > 0 {
- n = copy(p, c.Peeked)
- c.Peeked = c.Peeked[n:]
- if len(c.Peeked) == 0 {
- c.Peeked = nil
- }
- return n, nil
- }
- return c.Conn.Read(p)
-}
-
-// Target is what an incoming matched connection is sent to.
-type Target interface {
- // HandleConn is called when an incoming connection is
- // matched. After the call to HandleConn, the tcpproxy
- // package never touches the conn again. Implementations are
- // responsible for closing the connection when needed.
- //
- // The concrete type of conn will be of type *Conn if any
- // bytes have been consumed for the purposes of route
- // matching.
- HandleConn(net.Conn)
-}
-
-// To is shorthand way of writing &tcpproxy.DialProxy{Addr: addr}.
-func To(addr string) *DialProxy {
- return &DialProxy{Addr: addr}
-}
-
-// DialProxy implements Target by dialing a new connection to Addr
-// and then proxying data back and forth.
-//
-// The To func is a shorthand way of creating a DialProxy.
-type DialProxy struct {
- // Addr is the TCP address to proxy to.
- Addr string
-
- // KeepAlivePeriod sets the period between TCP keep alives.
- // If zero, a default is used. To disable, use a negative number.
- // The keep-alive is used for both the client connection and
- KeepAlivePeriod time.Duration
-
- // DialTimeout optionally specifies a dial timeout.
- // If zero, a default is used.
- // If negative, the timeout is disabled.
- DialTimeout time.Duration
-
- // DialContext optionally specifies an alternate dial function
- // for TCP targets. If nil, the standard
- // net.Dialer.DialContext method is used.
- DialContext func(ctx context.Context, network, address string) (net.Conn, error)
-
- // OnDialError optionally specifies an alternate way to handle errors dialing Addr.
- // If nil, the error is logged and src is closed.
- // If non-nil, src is not closed automatically.
- OnDialError func(src net.Conn, dstDialErr error)
-
- // ProxyProtocolVersion optionally specifies the version of
- // HAProxy's PROXY protocol to use. The PROXY protocol provides
- // connection metadata to the DialProxy target, via a header
- // inserted ahead of the client's traffic. The DialProxy target
- // must explicitly support and expect the PROXY header; there is
- // no graceful downgrade.
- // If zero, no PROXY header is sent. Currently, version 1 is supported.
- ProxyProtocolVersion int
-}
-
-// UnderlyingConn returns c.Conn if c of type *Conn,
-// otherwise it returns c.
-func UnderlyingConn(c net.Conn) net.Conn {
- if wrap, ok := c.(*Conn); ok {
- return wrap.Conn
- }
- return c
-}
-
-func tcpConn(c net.Conn) (t *net.TCPConn, ok bool) {
- if c, ok := UnderlyingConn(c).(*net.TCPConn); ok {
- return c, ok
- }
- if c, ok := c.(*net.TCPConn); ok {
- return c, ok
- }
- return nil, false
-}
-
-func goCloseConn(c net.Conn) { go c.Close() }
-
-func closeRead(c net.Conn) {
- if c, ok := tcpConn(c); ok {
- c.CloseRead()
- }
-}
-
-func closeWrite(c net.Conn) {
- if c, ok := tcpConn(c); ok {
- c.CloseWrite()
- }
-}
-
-// HandleConn implements the Target interface.
-func (dp *DialProxy) HandleConn(src net.Conn) {
- ctx := context.Background()
- var cancel context.CancelFunc
- if dp.DialTimeout >= 0 {
- ctx, cancel = context.WithTimeout(ctx, dp.dialTimeout())
- }
- dst, err := dp.dialContext()(ctx, "tcp", dp.Addr)
- if cancel != nil {
- cancel()
- }
- if err != nil {
- dp.onDialError()(src, err)
- return
- }
- defer goCloseConn(dst)
-
- if err = dp.sendProxyHeader(dst, src); err != nil {
- dp.onDialError()(src, err)
- return
- }
- defer goCloseConn(src)
-
- if ka := dp.keepAlivePeriod(); ka > 0 {
- for _, c := range []net.Conn{src, dst} {
- if c, ok := tcpConn(c); ok {
- c.SetKeepAlive(true)
- c.SetKeepAlivePeriod(ka)
- }
- }
- }
-
- errc := make(chan error, 2)
- go proxyCopy(errc, src, dst)
- go proxyCopy(errc, dst, src)
- <-errc
- <-errc
-}
-
-func (dp *DialProxy) sendProxyHeader(w io.Writer, src net.Conn) error {
- switch dp.ProxyProtocolVersion {
- case 0:
- return nil
- case 1:
- var srcAddr, dstAddr *net.TCPAddr
- if a, ok := src.RemoteAddr().(*net.TCPAddr); ok {
- srcAddr = a
- }
- if a, ok := src.LocalAddr().(*net.TCPAddr); ok {
- dstAddr = a
- }
-
- if srcAddr == nil || dstAddr == nil {
- _, err := io.WriteString(w, "PROXY UNKNOWN\r\n")
- return err
- }
-
- family := "TCP4"
- if srcAddr.IP.To4() == nil {
- family = "TCP6"
- }
- _, err := fmt.Fprintf(w, "PROXY %s %s %s %d %d\r\n", family, srcAddr.IP, dstAddr.IP, srcAddr.Port, dstAddr.Port)
- return err
- default:
- return fmt.Errorf("PROXY protocol version %d not supported", dp.ProxyProtocolVersion)
- }
-}
-
-// proxyCopy is the function that copies bytes around.
-// It's a named function instead of a func literal so users get
-// named goroutines in debug goroutine stack dumps.
-func proxyCopy(errc chan<- error, dst, src net.Conn) {
- defer closeRead(src)
- defer closeWrite(dst)
-
- // Before we unwrap src and/or dst, copy any buffered data.
- if wc, ok := src.(*Conn); ok && len(wc.Peeked) > 0 {
- if _, err := dst.Write(wc.Peeked); err != nil {
- errc <- err
- return
- }
- wc.Peeked = nil
- }
-
- // Unwrap the src and dst from *Conn to *net.TCPConn so Go
- // 1.11's splice optimization kicks in.
- src = UnderlyingConn(src)
- dst = UnderlyingConn(dst)
-
- _, err := io.Copy(dst, src)
- errc <- err
-}
-
-func (dp *DialProxy) keepAlivePeriod() time.Duration {
- if dp.KeepAlivePeriod != 0 {
- return dp.KeepAlivePeriod
- }
- return time.Minute
-}
-
-func (dp *DialProxy) dialTimeout() time.Duration {
- if dp.DialTimeout > 0 {
- return dp.DialTimeout
- }
- return 10 * time.Second
-}
-
-var defaultDialer = new(net.Dialer)
-
-func (dp *DialProxy) dialContext() func(ctx context.Context, network, address string) (net.Conn, error) {
- if dp.DialContext != nil {
- return dp.DialContext
- }
- return defaultDialer.DialContext
-}
-
-func (dp *DialProxy) onDialError() func(src net.Conn, dstDialErr error) {
- if dp.OnDialError != nil {
- return dp.OnDialError
- }
- return func(src net.Conn, dstDialErr error) {
- log.Printf("tcpproxy: for incoming conn %v, error dialing %q: %v", src.RemoteAddr().String(), dp.Addr, dstDialErr)
- src.Close()
- }
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a75d107342..b666ea61f0 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -89,7 +89,7 @@ github.com/cloudflare/circl/math/mlsbset
 github.com/cloudflare/circl/sign
 github.com/cloudflare/circl/sign/ed25519
 github.com/cloudflare/circl/sign/ed448
-# github.com/containers/gvisor-tap-vsock v0.7.3
+# github.com/containers/gvisor-tap-vsock v0.7.4-0.20240320091526-a0238e52b61f
 ## explicit; go 1.20
 github.com/containers/gvisor-tap-vsock/pkg/client
 github.com/containers/gvisor-tap-vsock/pkg/fs
@@ -433,6 +433,9 @@ github.com/imdario/mergo
 # github.com/inconshreveable/mousetrap v1.1.0
 ## explicit; go 1.18
 github.com/inconshreveable/mousetrap
+# github.com/inetaf/tcpproxy v0.0.0-20240214030015-3ce58045626c
+## explicit; go 1.16
+github.com/inetaf/tcpproxy
 # github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f
 ## explicit; go 1.13
 github.com/insomniacslk/dhcp/dhcpv4
@@ -1081,9 +1084,6 @@ gvisor.dev/gvisor/pkg/tcpip/transport/tcp
 gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack
 gvisor.dev/gvisor/pkg/tcpip/transport/udp
 gvisor.dev/gvisor/pkg/waiter
-# inet.af/tcpproxy v0.0.0-20231102063150-2862066fc2a9
-## explicit; go 1.16
-inet.af/tcpproxy
 # k8s.io/api v0.28.8
 ## explicit; go 1.20
 k8s.io/api/admissionregistration/v1