fix(gateway): don't route packets from expired NAT sessions#8124
Conversation
jamilbk
left a comment
LGTM.
Another edge case is when the client is restarted, the server it was talking to will continue to send data back to it.
Since our tunnel IPs persist across sessions, is it possible that when the client re-authenticates, these packets are able to "route" back all the way to the client?
If that's true, I'm wondering if this is a security issue:
- Client has access to DNS Resource A
- Client signs out
- Admin removes Client access to DNS Resource A
- Client signs back in
- Packets from DNS Resource A make their way back to client
You think the above is possible?
a078809 to 8ccc91e
This will immediately deauthorize the resource on the Gateway.
At this point, the client will have to send another connection intent which will get refused by the policy engine.
@jamilbk Had to change the design a bit because it wasn't actually working (thank god I decided to write a unit-test!)
One day I hope to be able to catch Rust bugs by eye-balling them 🥹
@jamilbk I added some more notes on the design here.
When we receive an inbound packet from the TUN device on the Gateway, we make a lookup in the NAT table to see if it needs to be translated back to a DNS proxy IP.
At present, non-existence of such a NAT entry results in the packet being sent entirely unmodified because that is what needs to happen for CIDR resources. Whilst that is important, the same code path is currently being executed for DNS resources whose NAT session expired! Those packets should be dropped instead which is what we do with this PR.
To differentiate between not having a NAT session at all and a previous one having existed but expired, we keep around all previous "outside" tuples of NAT sessions. Those are only very small in their memory footprint. The entire NAT table is scoped to a connection to the given peer and will thus eventually be freed once the peer disconnects. This allows us to reliably and cheaply detect whether a packet is using an expired NAT session. This check must be cheap because all traffic of CIDR resources and the Internet resource needs to perform this check such that we know that they don't have to be translated.
This might be the source of some of the "Source not allowed" errors we have been seeing in client logs.
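The three-way decision the description outlines (translate back to the DNS proxy IP, pass through unmodified for CIDR and Internet resources, drop for an expired DNS-resource session) as an added illustration that is not code from this PR or from the project's gateway. A hypothetical `NatTable` is keyed by an assumed outside tuple (resource address, resource port, gateway-side port) and keeps the tuples of expired sessions in a separate set, so that a late reply for a lapsed session is distinguishable from ordinary untranslated traffic and is dropped instead of being forwarded to the client. The type and field names, the TTL and the sample addresses are all assumptions.

```rust
use std::collections::{HashMap, HashSet};
use std::net::Ipv4Addr;
use std::time::{Duration, Instant};

/// Assumed shape of a NAT session's "outside" key, i.e. what the reply
/// packet arriving on the Gateway's TUN device looks like.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct OutsideTuple {
    pub resource_ip: Ipv4Addr,
    pub resource_port: u16,
    pub gateway_port: u16,
}

struct Session {
    /// DNS proxy IP the client originally addressed; restored on the way back.
    proxy_ip: Ipv4Addr,
    last_seen: Instant,
}

/// Per-peer NAT table (hypothetical). `expired` only stores keys, so it stays small.
pub struct NatTable {
    ttl: Duration,
    live: HashMap<OutsideTuple, Session>,
    expired: HashSet<OutsideTuple>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Inbound {
    /// Rewrite the source back to the DNS proxy IP before handing it to the client.
    Translate(Ipv4Addr),
    /// Never NATed (CIDR / Internet resource): forward unmodified.
    PassThrough,
    /// Belongs to a session that expired: must not reach the client.
    Drop,
}

impl NatTable {
    pub fn new(ttl: Duration) -> Self {
        NatTable { ttl, live: HashMap::new(), expired: HashSet::new() }
    }

    /// Called when an outbound packet to a DNS resource creates a session.
    pub fn insert(&mut self, outside: OutsideTuple, proxy_ip: Ipv4Addr, now: Instant) {
        // A re-established session makes the tuple live again.
        self.expired.remove(&outside);
        self.live.insert(outside, Session { proxy_ip, last_seen: now });
    }

    /// Decide what to do with a packet arriving from the TUN device.
    pub fn handle_inbound(&mut self, outside: OutsideTuple, now: Instant) -> Inbound {
        let state = self
            .live
            .get(&outside)
            .map(|s| (s.proxy_ip, now.duration_since(s.last_seen) <= self.ttl));
        match state {
            Some((proxy_ip, true)) => {
                if let Some(s) = self.live.get_mut(&outside) {
                    s.last_seen = now;
                }
                Inbound::Translate(proxy_ip)
            }
            Some((_, false)) => {
                // Session lapsed: remember the key so later replies are still dropped.
                self.live.remove(&outside);
                self.expired.insert(outside);
                Inbound::Drop
            }
            None if self.expired.contains(&outside) => Inbound::Drop,
            None => Inbound::PassThrough,
        }
    }
}

fn main() {
    // Constructed sample traffic.
    let t0 = Instant::now();
    let mut nat = NatTable::new(Duration::from_secs(60));
    let dns = OutsideTuple { resource_ip: Ipv4Addr::new(10, 0, 0, 5), resource_port: 443, gateway_port: 40000 };
    let cidr = OutsideTuple { resource_ip: Ipv4Addr::new(10, 0, 0, 9), resource_port: 22, gateway_port: 40001 };
    let proxy = Ipv4Addr::new(100, 96, 0, 1);
    nat.insert(dns, proxy, t0);
    println!("{:?}", nat.handle_inbound(dns, t0 + Duration::from_secs(10)));   // Translate(100.96.0.1)
    println!("{:?}", nat.handle_inbound(cidr, t0));                             // PassThrough
    println!("{:?}", nat.handle_inbound(dns, t0 + Duration::from_secs(200)));  // Drop
}
```

Because the expired set is consulted on every packet that has no live session, the `contains` lookup is the only extra cost paid by CIDR and Internet-resource traffic, which matches the requirement that the check stay cheap.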