feat: Introduce Polyamide Traffic Control (#19)

* Implement traffic control mechanism for more advanced packet redirection, filtering, and to enable support for future features

Author: encodeous

cmd/run.go

@@ -34,7 +34,7 @@ var runCmd = &cobra.Command{
 		}
 		if state.DBG_pprof {
 			go func() {
-				log.Println(http.ListenAndServe("localhost:6060", nil))
+				log.Println(http.ListenAndServe("0.0.0.0:6060", nil))
 			}()
 		}
 

core/nylon.go

@@ -11,13 +11,12 @@ import (
 
 // Nylon struct must be thread safe, since it can receive packets through PolyReceiver
 type Nylon struct {
-	PolySock *device.PolySock
-	PingBuf  *ttlcache.Cache[uint64, EpPing]
-	Device   *device.Device
-	Tun      tun.Device
-	wgUapi   net.Listener
-	env      *state.Env
-	itfName  string
+	PingBuf *ttlcache.Cache[uint64, EpPing]
+	Device  *device.Device
+	Tun     tun.Device
+	wgUapi  net.Listener
+	env     *state.Env
+	itfName string
 }
 
 func (n *Nylon) Init(s *state.State) error {

core/nylon_endpoints.go

@@ -6,7 +6,6 @@ import (
 	"github.com/encodeous/nylon/protocol"
 	"github.com/encodeous/nylon/state"
 	"github.com/jellydator/ttlcache/v3"
-	"google.golang.org/protobuf/proto"
 	"math/rand/v2"
 	"slices"
 	"time"
@@ -16,7 +15,7 @@ type EpPing struct {
 	TimeSent time.Time
 }
 
-func (n *Nylon) Probe(e *state.Env, ep *state.DynamicEndpoint) error {
+func (n *Nylon) Probe(ep *state.DynamicEndpoint) error {
 	token := rand.Uint64()
 	ping := &protocol.Ny{
 		Type: &protocol.Ny_ProbeOp{
@@ -26,25 +25,20 @@ func (n *Nylon) Probe(e *state.Env, ep *state.DynamicEndpoint) error {
 			},
 		},
 	}
-	marshal, err := proto.Marshal(ping)
+	peer := n.Device.LookupPeer(device.NoisePublicKey(n.env.GetNode(ep.Node()).PubKey))
+	err := n.SendNylon(ping, ep.NetworkEndpoint().GetWgEndpoint(n.Device), peer)
 	if err != nil {
 		return err
 	}
 
-	n.Send(marshal, ep)
 	n.PingBuf.Set(token, EpPing{
 		TimeSent: time.Now(),
 	}, ttlcache.DefaultTTL)
 	return nil
 }
 
-func (n *Nylon) Send(packet []byte, ep *state.DynamicEndpoint) {
-	neigh := n.env.GetRouter(ep.Node())
-	dev := n.Device
-	n.PolySock.Send(packet, ep.NetworkEndpoint().GetWgEndpoint(dev), dev.LookupPeer(device.NoisePublicKey(neigh.PubKey)))
-}
-
-func HandleProbe(e *state.Env, sock *device.PolySock, pkt *protocol.Ny_Probe, endpoint conn.Endpoint, peer *device.Peer, node state.NodeId) {
+func handleProbe(n *Nylon, pkt *protocol.Ny_Probe, endpoint conn.Endpoint, peer *device.Peer, node state.NodeId) {
+	e := n.env
 	if pkt.ResponseToken == nil {
 		// ping
 		// build pong response
@@ -53,11 +47,11 @@ func HandleProbe(e *state.Env, sock *device.PolySock, pkt *protocol.Ny_Probe, en
 		res.ResponseToken = &token
 
 		// send pong
-		pktBytes, err := proto.Marshal(&protocol.Ny{Type: &protocol.Ny_ProbeOp{ProbeOp: pkt}})
+		err := n.SendNylon(&protocol.Ny{Type: &protocol.Ny_ProbeOp{ProbeOp: pkt}}, endpoint, peer)
 		if err != nil {
+			n.env.Log.Error("Failed to send nylon packet to node", "node", node, "error", err)
 			return
 		}
-		sock.Send(pktBytes, endpoint, peer)
 
 		e.Dispatch(func(s *state.State) error {
 			return handleProbePing(s, node, endpoint)
@@ -147,10 +141,10 @@ func handleProbePong(s *state.State, node state.NodeId, token uint64, ep conn.En
 func (n *Nylon) probeLinks(s *state.State, active bool) error {
 	// probe links
 	for _, neigh := range s.Neighbours {
-		for _, dpLink := range neigh.Eps {
-			if dpLink.IsActive() == active {
+		for _, ep := range neigh.Eps {
+			if ep.IsActive() == active {
 				go func() {
-					err := n.Probe(s.Env, dpLink)
+					err := n.Probe(ep)
 					if err != nil {
 						s.Log.Debug("probe failed", "err", err.Error())
 					}
@@ -185,7 +179,7 @@ func (n *Nylon) probeNew(s *state.State) error {
 				dpl := state.NewEndpoint(ep, peer, false, nil)
 				neigh.Eps = append(neigh.Eps, dpl)
 				go func() {
-					err := n.Probe(s.Env, dpl)
+					err := n.Probe(dpl)
 					if err != nil {
 						//s.Log.Debug("discovery probe failed", "err", err.Error())
 					}

core/nylon_passive.go

@@ -35,10 +35,7 @@ func cleanPassivePeers(s *state.State) error {
 	for _, client := range r.Clients {
 		cCfg := s.GetClient(client)
 		peer := n.Device.LookupPeer(device.NoisePublicKey(cCfg.PubKey))
-		ep := peer.GetEndpoints()
-		if len(ep) > 1 {
-			peer.SetEndpoints(ep[:1]) // prevent littering of too many endpoints
-		}
+		peer.CleanEndpoints()
 		if peer == nil || time.Now().Sub(peer.LastReceivedPacket()) > state.ClientDeadThreshold {
 			// dead client
 			s.Log.Debug("passive client dead", "node", client)

core/nylon_sock.go

@@ -0,0 +1,110 @@
+package core
+
+import (
+	"github.com/encodeous/nylon/polyamide/conn"
+	"github.com/encodeous/nylon/polyamide/device"
+	"github.com/encodeous/nylon/protocol"
+	"github.com/encodeous/nylon/state"
+	"google.golang.org/protobuf/proto"
+)
+
+const (
+	NyProtoId  = 8
+	NyPriority = 10
+)
+
+// polyamide traffic control for nylon
+
+func (n *Nylon) InstallTC() {
+	// bounce back packets if using system routing
+	if n.env.UseSystemRouting {
+		n.Device.InstallFilter(func(dev *device.Device, packet *device.TCElement) (device.TCAction, error) {
+			if packet.Incoming() {
+				// bounce incoming packets
+				return device.TcBounce, nil
+			}
+			return device.TcPass, nil
+		})
+	}
+
+	// bounce back packets destined for the current node
+	n.Device.InstallFilter(func(dev *device.Device, packet *device.TCElement) (device.TCAction, error) {
+		if n.env.GetNode(n.env.Id).Address == packet.GetDst() {
+			//dev.Log.Verbosef("BounceCur packet: %v -> %v", packet.GetSrc(), packet.GetDst())
+			return device.TcBounce, nil
+		}
+		return device.TcPass, nil
+	})
+
+	// handle incoming nylon packets
+	n.Device.InstallFilter(func(dev *device.Device, packet *device.TCElement) (device.TCAction, error) {
+		if packet.Incoming() && packet.GetIPVersion() == NyProtoId {
+			n.handleNylonPacket(packet.Payload(), packet.FromEp, packet.FromPeer)
+			return device.TcDrop, nil
+		}
+		return device.TcPass, nil
+	})
+}
+
+func (n *Nylon) SendNylon(pkt proto.Message, endpoint conn.Endpoint, peer *device.Peer) error {
+	tce := n.Device.NewTCElement()
+	offset := device.MessageTransportOffsetContent + device.PolyHeaderSize
+	buf, err := proto.MarshalOptions{
+		Deterministic: true,
+	}.MarshalAppend(tce.Buffer[offset:offset], pkt)
+	if err != nil {
+		n.Device.PutMessageBuffer(tce.Buffer)
+		n.Device.PutTCElement(tce)
+		return err
+	}
+	tce.InitPacket(NyProtoId, uint16(len(buf)+device.PolyHeaderSize))
+	tce.Priority = device.TcHighPriority
+
+	tce.ToEp = endpoint
+	tce.ToPeer = peer
+
+	// TODO: Optimize? is it worth it?
+
+	tcs := device.NewTCState()
+
+	n.Device.TCBatch([]*device.TCElement{tce}, tcs)
+	return nil
+}
+
+func (n *Nylon) handleNylonPacket(packet []byte, endpoint conn.Endpoint, peer *device.Peer) {
+	pkt := &protocol.Ny{}
+	err := proto.Unmarshal(packet, pkt)
+	if err != nil {
+		// log skipped message
+		n.env.Log.Debug("Failed to unmarshal packet", "err", err)
+		return
+	}
+
+	e := n.env
+
+	neigh := e.FindNodeBy(state.NyPublicKey(peer.GetPublicKey()))
+	if neigh == nil {
+		// this should not be possible
+		panic("impossible state, peer added, but not a node in the network")
+		return
+	}
+
+	switch pkt.Type.(type) {
+	case *protocol.Ny_SeqnoRequestOp:
+		e.Dispatch(func(s *state.State) error {
+			return routerHandleSeqnoRequest(s, *neigh, pkt.GetSeqnoRequestOp())
+		})
+	case *protocol.Ny_RouteOp:
+		e.Dispatch(func(s *state.State) error {
+			return routerHandleRouteUpdate(s, *neigh, pkt.GetRouteOp())
+		})
+	case *protocol.Ny_ProbeOp:
+		handleProbe(n, pkt.GetProbeOp(), endpoint, peer, *neigh)
+	}
+	defer func() {
+		err := recover()
+		if err != nil {
+			n.env.Log.Error("panic while handling poly socket: %v", err)
+		}
+	}()
+}

core/nylon_tc.go

@@ -1,6 +1,7 @@
 package core
 
 import (
+	"cmp"
 	"encoding/hex"
 	"fmt"
 	"github.com/encodeous/nylon/polyamide/conn"
@@ -22,15 +23,13 @@ func (n *Nylon) initWireGuard(s *state.State) error {
 		return err
 	}
 
-	dev.AllowAllInbound = true
-	dev.UseSystemRouting = s.UseSystemRouting
-	n.PolySock = dev.PolyListen(n)
-	s.Log.Info("started polysock listener")
-
 	n.Device = dev
 	n.Tun = tdev
 	n.itfName = itfName
 
+	n.InstallTC()
+	s.Log.Info("installed nylon traffic control filter for polysock")
+
 	// TODO: fully convert to code-based api
 	err = dev.IpcSet(
 		fmt.Sprintf(
@@ -169,11 +168,16 @@ func UpdateWireGuard(s *state.State) error {
 		if nhNeigh != nil {
 			links := slices.Clone(nhNeigh.Eps)
 			slices.SortStableFunc(links, func(a, b *state.DynamicEndpoint) int {
-				return -int(a.Metric() - b.Metric())
+				return cmp.Compare(a.Metric(), b.Metric())
 			})
 			for _, ep := range links {
 				eps = append(eps, ep.NetworkEndpoint().GetWgEndpoint(n.Device))
 			}
+			//if nhNeigh.Id == "melon" {
+			//	for _, link := range links {
+			//		fmt.Printf("link: %s, %d\n", link.NetworkEndpoint().Ep, link.Metric())
+			//	}
+			//}
 		}
 
 		// add endpoint if it is not in the list

core/nylon_wireguard.go

@@ -2,6 +2,7 @@ package core
 
 import (
 	"fmt"
+	"github.com/encodeous/nylon/polyamide/device"
 	"github.com/encodeous/nylon/protocol"
 	"github.com/encodeous/nylon/state"
 	"google.golang.org/protobuf/proto"
@@ -24,11 +25,11 @@ func broadcast(s *state.State, message proto.Message, neighs []*state.Neighbour)
 			// TODO, investigate effect of packet loss on control messages
 			best := neigh.BestEndpoint()
 			if best != nil && best.IsActive() {
-				marshal, err := proto.Marshal(message)
+				peer := n.Device.LookupPeer(device.NoisePublicKey(n.env.GetNode(best.Node()).PubKey))
+				err := n.SendNylon(message, nil, peer)
 				if err != nil {
 					s.Env.Log.Error("error while broadcasting", "err", err.Error())
 				}
-				n.Send(marshal, best)
 			}
 		}
 	}()

core/router_utils.go

@@ -1,6 +1,6 @@
 module github.com/encodeous/nylon
 
-go 1.24.0
+go 1.24.4
 
 require (
 	github.com/docker/docker v27.1.1+incompatible

go.mod

@@ -260,10 +260,11 @@ func (i *InMemoryNetwork) virtualRouteTable(node state.NodeId, src, dst netip.Ad
 			if n.Address == dst {
 				select {
 				case i.virtTun[curIdx].Outbound <- pkt: // send back into our tun to get routed by WireGuard/Polyamide
+					return true
 				default:
-					panic(fmt.Sprintf("node %s's tun is not ready to accept data", n.Id))
+					fmt.Printf("%s's tun is not ready to accept data\n", n.Id)
+					return true
 				}
-				return true
 			}
 		}
 		return false