-
Notifications
You must be signed in to change notification settings - Fork 270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor DNS resources #4994
Labels
area/connlib
Firezone's core connectivity library
complexity/hard
Multi-day effort or more.
kind/refactor
Code refactoring
Comments
refs #3369 -- we can probably close that when this is closed. |
jamilbk
added
complexity/hard
Multi-day effort or more.
kind/refactor
Code refactoring
labels
May 15, 2024
This was referenced May 16, 2024
Merged
github-merge-queue bot
pushed a commit
that referenced
this issue
May 17, 2024
came up while working on #4994
This was referenced May 20, 2024
This was referenced May 22, 2024
This was referenced Jun 14, 2024
github-merge-queue bot
pushed a commit
that referenced
this issue
Jun 14, 2024
As part of #4994, we need to translate IP packets between IPv4 and IPv6. This PR introduces the `ConvertiblePacket` abstraction that implements this.
jamilbk
pushed a commit
that referenced
this issue
Jun 17, 2024
As part of #4994, we need to translate IP packets between IPv4 and IPv6. This PR introduces the `ConvertiblePacket` abstraction that implements this.
github-merge-queue bot
pushed a commit
that referenced
this issue
Jun 19, 2024
As part of #4994, the IP translation and mangling of packets to and from DNS resources is moved to the gateway. This PR represents the "gateway-half" of the required changes. Eventually, the client will send a list of proxy IPs that it assigned for a certain DNS resource. The gateway assigns each proxy IP to a real IP and mangles outgoing and incoming traffic accordingly. There are a number of things that we need to take care of as part of that: - We need to implement NAT to correctly route traffic. Our NAT table maps from source port* and destination IP to an assigned port* and real IP. We say port* because that is only true for UDP and TCP. For ICMP, we use the identifier. - We need to translate between IPv4 and IPv6 in case a DNS resource e.g. only resolves to IPv6 addresses but the client gave out an IPv4 proxy address to the application. This translation is was added in #5364 and is now being used here. This PR is backwards-compatible because currently, clients don't send any IPs to the gateway. No proxy IPs means we cannot do any translation and thus, packets are simply routed through as is which is what the current clients expect. --------- Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
github-merge-queue bot
pushed a commit
that referenced
this issue
Jun 24, 2024
This PR is the "client-side" of things for #4994. Up until now, when a user wanted to connect to a DNS resource, we would establish a connection to the gateway and pass along the domain we are trying to access. The gateway would resolve that domain and send the response back to the client, allowing them to finally send a DNS response. Now, we instantly assign and respond with 4x A and 4x AAAA records to any query for one of our DNS resources. Upon the first IP packet for one of these "proxy IPs", we select a gateway, establish a connection and send our proxy IPs along. The gateway then performs the necessary mangling and NATing of all packets. See #5354 for details. Resolves: #4994. Resolves: #5491. --------- Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
This was referenced Jun 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/connlib
Firezone's core connectivity library
complexity/hard
Multi-day effort or more.
kind/refactor
Code refactoring
This is needed to:
The way to achieve this is:
Tasks & follow-ups
domain
library withhickory-proto
#5539The text was updated successfully, but these errors were encountered: