Merge branch 'sbruens/udp-split-serving' into sbruens/websocket

Author: sbruens

caddy/shadowsocks_handler.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net"
+	"time"
 
 	"github.com/Jigsaw-Code/outline-sdk/transport"
 	"github.com/Jigsaw-Code/outline-sdk/transport/shadowsocks"
@@ -28,10 +29,11 @@ import (
 	outline "github.com/Jigsaw-Code/outline-ss-server/service"
 )
 
-const serverUDPBufferSize = 64 * 1024
-
 const ssModuleName = "layer4.handlers.shadowsocks"
 
+// A UDP NAT timeout of at least 5 minutes is recommended in RFC 4787 Section 4.3.
+const defaultNatTimeout time.Duration = 5 * time.Minute
+
 func init() {
 	caddy.RegisterModule(ModuleRegistration{
 		ID:  ssModuleName,
@@ -48,8 +50,10 @@ type KeyConfig struct {
 type ShadowsocksHandler struct {
 	Keys []KeyConfig `json:"keys,omitempty"`
 
-	service outline.Service
-	logger  *slog.Logger
+	streamHandler      outline.StreamHandler
+	associationHandler outline.AssociationHandler
+	metrics            outline.ServiceMetrics
+	logger             *slog.Logger
 }
 
 var (
@@ -73,6 +77,7 @@ func (h *ShadowsocksHandler) Provision(ctx caddy.Context) error {
 	if !ok {
 		return fmt.Errorf("module `%s` is of type `%T`, expected `OutlineApp`", outlineModuleName, app)
 	}
+	h.metrics = app.Metrics
 
 	if len(h.Keys) == 0 {
 		h.logger.Warn("no keys configured")
@@ -100,30 +105,22 @@ func (h *ShadowsocksHandler) Provision(ctx caddy.Context) error {
 	ciphers := outline.NewCipherList()
 	ciphers.Update(cipherList)
 
-	service, err := outline.NewShadowsocksService(
+	h.streamHandler, h.associationHandler = outline.NewShadowsocksHandlers(
 		outline.WithLogger(h.logger),
 		outline.WithCiphers(ciphers),
-		outline.WithMetrics(app.Metrics),
+		outline.WithMetrics(h.metrics),
 		outline.WithReplayCache(&app.ReplayCache),
 	)
-	if err != nil {
-		return err
-	}
-	h.service = service
 	return nil
 }
 
 // Handle implements layer4.NextHandler.
 func (h *ShadowsocksHandler) Handle(cx *layer4.Connection, _ layer4.Handler) error {
 	switch conn := cx.Conn.(type) {
 	case transport.StreamConn:
-		h.service.HandleStream(cx.Context, conn)
+		h.streamHandler.HandleStream(cx.Context, conn, h.metrics.AddOpenTCPConnection(conn))
 	case net.Conn:
-		assoc, err := h.service.NewConnAssociation(conn)
-		if err != nil {
-			return fmt.Errorf("Failed to handle association: %v", err)
-		}
-		assoc.Handle()
+		h.associationHandler.HandleAssociation(cx.Context, conn, h.metrics.AddOpenUDPAssociation(conn))
 	default:
 		return fmt.Errorf("failed to handle unknown connection type: %t", conn)
 	}

cmd/outline-ss-server/main.go

@@ -266,7 +266,7 @@ func (s *OutlineServer) runConfig(config Config) (func() error, error) {
 				ciphers := service.NewCipherList()
 				ciphers.Update(cipherList)
 
-				ssService, err := service.NewShadowsocksService(
+				streamHandler, associationHandler := service.NewShadowsocksHandlers(
 					service.WithCiphers(ciphers),
 					service.WithMetrics(s.serviceMetrics),
 					service.WithReplayCache(&s.replayCache),
@@ -278,14 +278,18 @@ func (s *OutlineServer) runConfig(config Config) (func() error, error) {
 					return err
 				}
 				slog.Info("TCP service started.", "address", ln.Addr().String())
-				go service.StreamServe(ln.AcceptStream, ssService.HandleStream)
+				go service.StreamServe(ln.AcceptStream, func(ctx context.Context, conn transport.StreamConn) {
+					streamHandler.HandleStream(ctx, conn, s.serviceMetrics.AddOpenTCPConnection(conn))
+				})
 
 				pc, err := lnSet.ListenPacket(addr)
 				if err != nil {
 					return err
 				}
 				slog.Info("UDP service started.", "address", pc.LocalAddr().String())
-				go service.PacketServe(pc, ssService.NewPacketAssociation, s.serverMetrics)
+				go service.PacketServe(pc, func(ctx context.Context, conn net.Conn) {
+					associationHandler.HandleAssociation(ctx, conn, s.serviceMetrics.AddOpenUDPAssociation(conn))
+				}, s.serverMetrics)
 			}
 
 			// Start services with listeners.
@@ -294,7 +298,7 @@ func (s *OutlineServer) runConfig(config Config) (func() error, error) {
 				if err != nil {
 					return fmt.Errorf("failed to create cipher list from config: %v", err)
 				}
-				ssService, err := service.NewShadowsocksService(
+				streamHandler, associationHandler := service.NewShadowsocksHandlers(
 					service.WithCiphers(ciphers),
 					service.WithMetrics(s.serviceMetrics),
 					service.WithReplayCache(&s.replayCache),
@@ -318,7 +322,9 @@ func (s *OutlineServer) runConfig(config Config) (func() error, error) {
 							}
 							return serviceConfig.Dialer.Fwmark
 						}())
-						go service.StreamServe(ln.AcceptStream, ssService.HandleStream)
+						go service.StreamServe(ln.AcceptStream, func(ctx context.Context, conn transport.StreamConn) {
+							streamHandler.HandleStream(ctx, conn, s.serviceMetrics.AddOpenTCPConnection(conn))
+						})
 					case listenerTypeUDP:
 						pc, err := lnSet.ListenPacket(lnConfig.Address)
 						if err != nil {
@@ -330,7 +336,9 @@ func (s *OutlineServer) runConfig(config Config) (func() error, error) {
 							}
 							return serviceConfig.Dialer.Fwmark
 						}())
-						go service.PacketServe(pc, ssService.NewPacketAssociation, s.serverMetrics)
+						go service.PacketServe(pc, func(ctx context.Context, conn net.Conn) {
+							associationHandler.HandleAssociation(ctx, conn, s.serviceMetrics.AddOpenUDPAssociation(conn))
+						}, s.serverMetrics)
 					case listenerTypeWebsocketStream:
 						if _, exists := webServers[lnConfig.WebServer]; !exists {
 							return fmt.Errorf("listener type `%s` references unknown web server `%s`", lnConfig.Type, lnConfig.WebServer)
@@ -348,7 +356,7 @@ func (s *OutlineServer) runConfig(config Config) (func() error, error) {
 									return
 								}
 								conn := &streamConn{&wrappedConn{Conn: wsConn, raddr: raddr}}
-								ssService.HandleStream(ctx, conn)
+								streamHandler.HandleStream(ctx, conn, s.serviceMetrics.AddOpenTCPConnection(conn))
 							}
 							websocket.Handler(handler).ServeHTTP(w, r)
 						})
@@ -362,20 +370,16 @@ func (s *OutlineServer) runConfig(config Config) (func() error, error) {
 						handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 							handler := func(wsConn *websocket.Conn) {
 								defer wsConn.Close()
+								ctx, contextCancel := context.WithCancel(context.Background())
+								defer contextCancel()
 								raddr, err := net.ResolveUDPAddr("udp", r.RemoteAddr)
 								if err != nil {
 									slog.Error("failed to upgrade", "err", err)
 									w.WriteHeader(http.StatusBadGateway)
 									return
 								}
 								conn := &wrappedConn{Conn: wsConn, raddr: raddr}
-								assoc, err := ssService.NewConnAssociation(conn)
-								if err != nil {
-									slog.Error("failed to upgrade", "err", err)
-									w.WriteHeader(http.StatusBadGateway)
-									return
-								}
-								assoc.Handle()
+								associationHandler.HandleAssociation(ctx, conn, s.serviceMetrics.AddOpenUDPAssociation(conn))
 							}
 							websocket.Handler(handler).ServeHTTP(w, r)
 						})

internal/integration_test/integration_test.go

@@ -142,7 +142,7 @@ func TestTCPEcho(t *testing.T) {
 	go func() {
 		service.StreamServe(
 			func() (transport.StreamConn, error) { return proxyListener.AcceptTCP() },
-			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+			func(ctx context.Context, conn transport.StreamConn) { handler.HandleStream(ctx, conn, testMetrics) },
 		)
 		done <- struct{}{}
 	}()
@@ -221,7 +221,7 @@ func TestRestrictedAddresses(t *testing.T) {
 	go func() {
 		service.StreamServe(
 			service.WrapStreamAcceptFunc(proxyListener.AcceptTCP),
-			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+			func(ctx context.Context, conn transport.StreamConn) { handler.HandleStream(ctx, conn, testMetrics) },
 		)
 		done <- struct{}{}
 	}()
@@ -288,6 +288,8 @@ type fakeUDPAssociationMetrics struct {
 var _ service.UDPAssociationMetrics = (*fakeUDPAssociationMetrics)(nil)
 
 func (m *fakeUDPAssociationMetrics) AddAuthentication(key string) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
 	m.accessKey = key
 }
 
@@ -317,13 +319,13 @@ func TestUDPEcho(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	proxy := service.NewPacketHandler(cipherList, &fakeShadowsocksMetrics{})
+	proxy := service.NewAssociationHandler(cipherList, &fakeShadowsocksMetrics{})
 
 	proxy.SetTargetIPValidator(allowAll)
 	natMetrics := &natTestMetrics{}
 	associationMetrics := &fakeUDPAssociationMetrics{}
-	go service.PacketServe(proxyConn, func(conn net.Conn) (service.PacketAssociation, error) {
-		return proxy.NewPacketAssociation(conn, associationMetrics)
+	go service.PacketServe(proxyConn, func(ctx context.Context, conn net.Conn) {
+		proxy.HandleAssociation(ctx, conn, associationMetrics)
 	}, natMetrics)
 
 	cryptoKey, err := shadowsocks.NewEncryptionKey(shadowsocks.CHACHA20IETFPOLY1305, secrets[0])
@@ -408,7 +410,7 @@ func BenchmarkTCPThroughput(b *testing.B) {
 	go func() {
 		service.StreamServe(
 			service.WrapStreamAcceptFunc(proxyListener.AcceptTCP),
-			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+			func(ctx context.Context, conn transport.StreamConn) { handler.HandleStream(ctx, conn, testMetrics) },
 		)
 		done <- struct{}{}
 	}()
@@ -475,7 +477,7 @@ func BenchmarkTCPMultiplexing(b *testing.B) {
 	go func() {
 		service.StreamServe(
 			service.WrapStreamAcceptFunc(proxyListener.AcceptTCP),
-			func(ctx context.Context, conn transport.StreamConn) { handler.Handle(ctx, conn, testMetrics) },
+			func(ctx context.Context, conn transport.StreamConn) { handler.HandleStream(ctx, conn, testMetrics) },
 		)
 		done <- struct{}{}
 	}()
@@ -545,12 +547,12 @@ func BenchmarkUDPEcho(b *testing.B) {
 	if err != nil {
 		b.Fatal(err)
 	}
-	proxy := service.NewPacketHandler(cipherList, &fakeShadowsocksMetrics{})
+	proxy := service.NewAssociationHandler(cipherList, &fakeShadowsocksMetrics{})
 	proxy.SetTargetIPValidator(allowAll)
 	done := make(chan struct{})
 	go func() {
-		service.PacketServe(server, func(conn net.Conn) (service.PacketAssociation, error) {
-			return proxy.NewPacketAssociation(conn, nil)
+		service.PacketServe(server, func(ctx context.Context, conn net.Conn) {
+			proxy.HandleAssociation(ctx, conn, &fakeUDPAssociationMetrics{})
 		}, &natTestMetrics{})
 		done <- struct{}{}
 	}()
@@ -591,12 +593,12 @@ func BenchmarkUDPManyKeys(b *testing.B) {
 	if err != nil {
 		b.Fatal(err)
 	}
-	proxy := service.NewPacketHandler(cipherList, &fakeShadowsocksMetrics{})
+	proxy := service.NewAssociationHandler(cipherList, &fakeShadowsocksMetrics{})
 	proxy.SetTargetIPValidator(allowAll)
 	done := make(chan struct{})
 	go func() {
-		service.PacketServe(proxyConn, func(conn net.Conn) (service.PacketAssociation, error) {
-			return proxy.NewPacketAssociation(conn, nil)
+		service.PacketServe(proxyConn, func(ctx context.Context, conn net.Conn) {
+			proxy.HandleAssociation(ctx, conn, &fakeUDPAssociationMetrics{})
 		}, &natTestMetrics{})
 		done <- struct{}{}
 	}()

prometheus/metrics.go

@@ -509,6 +509,8 @@ func (m *serviceMetrics) getIPInfoFromAddr(addr net.Addr) ipinfo.IPInfo {
 	return ipInfo
 }
 
+// TODO: Split TCP and UDP metrics.
+
 func (m *serviceMetrics) AddOpenTCPConnection(clientConn net.Conn) service.TCPConnMetrics {
 	clientAddr := clientConn.RemoteAddr()
 	clientInfo := m.getIPInfoFromAddr(clientAddr)
@@ -521,12 +523,12 @@ func (m *serviceMetrics) AddOpenUDPAssociation(clientConn net.Conn) service.UDPA
 	return newUDPAssociationMetrics(m.udpServiceMetrics, m.tunnelTimeMetrics, clientAddr, clientInfo)
 }
 
-func (m *serviceMetrics) AddCipherSearch(proto string, accessKeyFound bool, timeToCipher time.Duration) {
-	if proto == "tcp" {
-		m.tcpServiceMetrics.AddCipherSearch(accessKeyFound, timeToCipher)
-	} else if proto == "udp" {
-		m.udpServiceMetrics.AddCipherSearch(accessKeyFound, timeToCipher)
-	}
+func (m *serviceMetrics) AddTCPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
+	m.tcpServiceMetrics.AddCipherSearch(accessKeyFound, timeToCipher)
+}
+
+func (m *serviceMetrics) AddUDPCipherSearch(accessKeyFound bool, timeToCipher time.Duration) {
+	m.udpServiceMetrics.AddCipherSearch(accessKeyFound, timeToCipher)
 }
 
 // addIfNonZero helps avoid the creation of series that are always zero.