broker: Remove NAT logic

We'll let the kernel deal with the different L2TPv3 sessions. Signed-off-by: Felix Kaechele <felix@kaechele.ca>
kaechele · Oct 13, 2019 · 9a683d3 · 9a683d3
1 parent 6b47f59
commit 9a683d3
Show file tree

Hide file tree

Showing 9 changed files with 5 additions and 426 deletions.
diff --git a/broker/l2tp_broker.cfg.example b/broker/l2tp_broker.cfg.example
@@ -7,16 +7,8 @@ port=53,123,8942
 interface=lo
 ; Maximum number of tunnels that will be allowed by the broker
 max_tunnels=1024
-; Tunnel port base. This port is not visible to clients, but must be free on the server.
-; This port is used by the actual l2tp tunnel, but tunneldigger sets up NAT rules so that clients
-; can keep using the control port.
-port_base=20000
 ; Tunnel id base
 tunnel_id_base=100
-; Namespace (for running multiple brokers); note that you must also
-; configure disjunct ports, and tunnel identifiers in order for
-; namespacing to work
-namespace=default
 ; Reject connections if there are less than N seconds since the last connection.
 ; Can be less than a second (e.g., 0.1).
 connection_rate_limit=10

diff --git a/broker/setup.py b/broker/setup.py
@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 from setuptools import find_packages, setup
 
-VERSION = '0.3.0'
+VERSION = '0.4.0'
 
 setup(
     name='tunneldigger-broker',
@@ -14,7 +14,7 @@
     url='https://github.com/wlanslovenija/tunneldigger',
     license='AGPLv3',
     package_dir={'': 'src'},
-    packages=find_packages(where='src', exclude=['_ffi_src', '_ffi_src.*']),
+    packages=find_packages(where='src'),
     package_data={},
     classifiers=[
         'Development Status :: 4 - Beta',
@@ -24,16 +24,5 @@
     ],
     include_package_data=True,
     zip_safe=False,
-    setup_requires=[
-        'cffi>=1.4.1',
-    ],
-    install_requires=[
-        'netfilter>=0.6.2',
-        'cffi>=1.4.1',
-    ],
     extras_require={},
-    cffi_modules=[
-        'src/_ffi_src/build_conntrack.py:ffibuilder',
-    ],
-    ext_package='tunneldigger_broker._ffi',
 )
diff --git a/broker/src/_ffi_src/__init__.py b/broker/src/_ffi_src/__init__.py
diff --git a/broker/src/_ffi_src/build_conntrack.py b/broker/src/_ffi_src/build_conntrack.py
diff --git a/broker/src/tunneldigger_broker/_ffi/__init__.py b/broker/src/tunneldigger_broker/_ffi/__init__.py
diff --git a/broker/src/tunneldigger_broker/broker.py b/broker/src/tunneldigger_broker/broker.py
@@ -3,10 +3,6 @@
 import time
 import traceback
 
-from . import conntrack
-import netfilter.table
-import netfilter.rule
-
 from . import l2tp, protocol, network, tunnel as td_tunnel
 
 # Logger.
@@ -23,8 +19,6 @@ def __init__(
         hook_manager,
         max_tunnels,
         tunnel_id_base,
-        tunnel_port_base,
-        namespace,
         connection_rate_limit,
         pmtu_fixed,
         log_ip_addresses,
@@ -35,16 +29,12 @@ def __init__(
         :param hook_manager: Hook manager
         :param max_tunnels: Maximum number of tunnels to allow
         :param tunnel_id_base: Base local tunnel identifier
-        :param tunnel_port_base: Base local tunnel port
-        :param namespace: Netfilter namespace to use
         """
 
         self.hook_manager = hook_manager
         self.max_tunnels = max_tunnels
         self.tunnel_id_base = tunnel_id_base
         self.tunnel_ids = set(range(tunnel_id_base, tunnel_id_base + max_tunnels))
-        self.tunnel_port_base = tunnel_port_base
-        self.namespace = namespace
         self.tunnels = {}
         self.last_tunnel_created = None
         self.connection_rate_limit = connection_rate_limit
@@ -103,7 +93,7 @@ def create_tunnel(self, broker, address, uuid, remote_tunnel_id, client_features
         try:
             tunnel = td_tunnel.Tunnel(
                 broker=broker,
-                address=(broker.address[0], self.tunnel_port_base + tunnel_id),
+                address=broker.address,
                 endpoint=address,
                 uuid=uuid,
                 tunnel_id=tunnel_id,
@@ -149,45 +139,6 @@ def destroy_tunnel(self, tunnel):
         del self.tunnels[tunnel.tunnel_id]
 
     def initialize(self):
-        """
-        Sets up netfilter rules so new packets to the same port are redirected
-        into the per-tunnel socket.
-        """
-
-        prerouting_chain = "L2TP_PREROUTING_%s" % self.namespace
-        postrouting_chain = "L2TP_POSTROUTING_%s" % self.namespace
-        nat = netfilter.table.Table('nat')
-        self.rule_prerouting_jmp = netfilter.rule.Rule(jump=prerouting_chain)
-        self.rule_postrouting_jmp = netfilter.rule.Rule(jump=postrouting_chain)
-
-        try:
-            nat.flush_chain(prerouting_chain)
-            nat.delete_chain(prerouting_chain)
-        except netfilter.table.IptablesError:
-            pass
-
-        try:
-            nat.flush_chain(postrouting_chain)
-            nat.delete_chain(postrouting_chain)
-        except netfilter.table.IptablesError:
-            pass
-
-        nat.create_chain(prerouting_chain)
-        nat.create_chain(postrouting_chain)
-        try:
-            nat.delete_rule('PREROUTING', self.rule_prerouting_jmp)
-        except netfilter.table.IptablesError:
-            pass
-        nat.prepend_rule('PREROUTING', self.rule_prerouting_jmp)
-
-        try:
-            nat.delete_rule('POSTROUTING', self.rule_postrouting_jmp)
-        except netfilter.table.IptablesError:
-            pass
-        nat.prepend_rule('POSTROUTING', self.rule_postrouting_jmp)
-
-        # Initialize connection tracking manager.
-        self.conntrack = conntrack.ConnectionManager()
         # Initialize netlink.
         self.netlink = l2tp.NetlinkInterface()
 
@@ -204,8 +155,8 @@ def initialize(self):
 
     def close(self):
         """
-        Shuts down all managed tunnels and restores netfilter state. The tunnel
-        manager instance should not be used after calling this method.
+        Shuts down all managed tunnels. The tunnel manager instance
+        should not be used after calling this method.
         """
 
         for tunnel in list(self.tunnels.values()):
@@ -214,16 +165,6 @@ def close(self):
             except:
                 traceback.print_exc()
 
-        # Restore netfilter rules.
-        nat = netfilter.table.Table('nat')
-        nat.delete_rule('PREROUTING', self.rule_prerouting_jmp)
-        nat.delete_rule('POSTROUTING', self.rule_postrouting_jmp)
-        nat.flush_chain('L2TP_PREROUTING_%s' % self.namespace)
-        nat.flush_chain('L2TP_POSTROUTING_%s' % self.namespace)
-        nat.delete_chain('L2TP_PREROUTING_%s' % self.namespace)
-        nat.delete_chain('L2TP_POSTROUTING_%s' % self.namespace)
-
-        del self.conntrack
         del self.netlink
 
 
@@ -245,13 +186,8 @@ def __init__(self, address, interface, tunnel_manager):
 
         self.tunnel_manager = tunnel_manager
         self.hook_manager = tunnel_manager.hook_manager
-        self.conntrack = tunnel_manager.conntrack
         self.netlink = tunnel_manager.netlink
 
-        # Clear out the connection tracking tables.
-        self.conntrack.killall(proto=socket.IPPROTO_UDP, src=self.address[0])
-        self.conntrack.killall(proto=socket.IPPROTO_UDP, dst=self.address[0])
-
     def get_tunnel_manager(self):
         """
         Returns the tunnel manager for this broker.