geiserx_ts_netstack_smoltcp_socket 0.6.5

userspace netstack built on smoltcp (socket wrappers)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297

//! Overlay ICMPv4 echo (`ping`) over a netstack [`Channel`][netcore::Channel].
//!
//! This is the raw-socket analogue of tsnet's `LocalClient.Ping`: it opens a raw ICMP socket
//! on the overlay netstack, emits an ICMPv4 Echo Request to a peer's tailnet IP, and waits for
//! the matching Echo Reply, returning the round-trip time.
//!
//! Anti-leak: this rides the overlay netstack only (via the [`CreateSocket`] channel); it never
//! touches a host socket. ICMPv4 only — IPv6 is rejected (IPv6-off posture).

use alloc::vec;
use core::{
    net::{IpAddr, Ipv4Addr},
    time::Duration,
};

use netcore::smoltcp::{
    phy::ChecksumCapabilities,
    wire::{IPV4_HEADER_LEN, Icmpv4Packet, Icmpv4Repr, IpProtocol, Ipv4Packet, Ipv4Repr},
};

use crate::CreateSocket;

/// Errors returned by [`ping`].
#[derive(Debug)]
pub enum PingError {
    /// No matching Echo Reply arrived before the timeout elapsed.
    Timeout,
    /// The destination was an IPv6 address; only ICMPv4 is supported.
    Ipv6Unsupported,
    /// An underlying netstack error occurred.
    Net(netcore::Error),
}

impl core::fmt::Display for PingError {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        match self {
            Self::Timeout => f.write_str("ping timed out"),
            Self::Ipv6Unsupported => f.write_str("ICMPv6 ping is unsupported (IPv6 is off)"),
            Self::Net(e) => write!(f, "netstack error: {e}"),
        }
    }
}

impl core::error::Error for PingError {
    fn source(&self) -> Option<&(dyn core::error::Error + 'static)> {
        match self {
            Self::Net(e) => Some(e),
            _ => None,
        }
    }
}

impl From<netcore::Error> for PingError {
    fn from(e: netcore::Error) -> Self {
        Self::Net(e)
    }
}

const PING_PAYLOAD: &[u8] = b"ts_netstack_smoltcp ping";

/// Per-call counter mixed into the ICMP `ident`.
///
/// The raw ICMP socket each `ping` call opens intercepts *all* ICMPv4, so two concurrent calls
/// on the same netstack would otherwise share a fixed ident+seq and cross-match each other's
/// replies (resolving the wrong awaiter with the wrong RTT). To avoid same-process collisions we
/// derive a unique `ident` per call: the low byte of `std::process::id()` (non-deterministic
/// across runs, no crate dependency) combined with a monotonically incrementing `AtomicU16`. Two
/// in-flight pings in the same process get distinct idents (the counter differs), and pings from
/// different processes are unlikely to share the high byte. We do not depend on the `rand` crate
/// because it is not a dependency of this `no-std`-flavored crate (see `Cargo.toml`); the
/// `tokio`-gated `ping` path enables `std`, so `std::process::id()` is available.
#[cfg(feature = "tokio")]
static PING_IDENT_COUNTER: core::sync::atomic::AtomicU16 = core::sync::atomic::AtomicU16::new(0);

/// Produce a per-call ICMP `ident` that does not collide with other concurrent `ping` calls in
/// this process. See [`PING_IDENT_COUNTER`] for the rationale and source of (weak) randomness.
#[cfg(feature = "tokio")]
fn next_ident() -> u16 {
    let counter = PING_IDENT_COUNTER.fetch_add(1, core::sync::atomic::Ordering::Relaxed);
    // High byte: process-randomized seed; low byte: per-call counter. The counter guarantees
    // distinct idents for concurrent in-process calls regardless of the seed.
    let seed = (std::process::id() as u16) & 0xFF00;
    seed ^ counter
}

/// Send an ICMPv4 Echo Request from `src` to `dst` over the overlay netstack `chan` and wait
/// for the matching Echo Reply, returning the round-trip time.
///
/// `src` must be a tailnet IPv4 address owned by this netstack (the raw send path emits a full
/// IPv4 packet, so the source address goes on the wire verbatim). `dst` must be IPv4; an IPv6
/// `dst` returns [`PingError::Ipv6Unsupported`].
///
/// Non-matching ICMP traffic (wrong ident/seq, or non-EchoReply messages) is ignored. If no
/// reply arrives within `timeout`, returns [`PingError::Timeout`].
#[cfg(feature = "tokio")]
pub async fn ping<C: CreateSocket + Sync>(
    chan: &C,
    src: Ipv4Addr,
    dst: IpAddr,
    timeout: Duration,
) -> Result<Duration, PingError> {
    let dst = match dst {
        IpAddr::V4(v4) => v4,
        IpAddr::V6(_) => return Err(PingError::Ipv6Unsupported),
    };

    // The raw socket intercepts *all* ICMPv4, so a fixed ident/seq would cross-match concurrent
    // pings on the same netstack. Use a per-call unique ident (see `next_ident`) and match strictly
    // on both ident and seq, so concurrent calls never resolve each other's replies.
    let ident: u16 = next_ident();
    let seq_no: u16 = 1;

    let sock = chan.raw_open(true, IpProtocol::Icmp).await?;

    let request = build_echo_request(src, dst, ident, seq_no, PING_PAYLOAD);

    let start = tokio::time::Instant::now();
    sock.send(&request).await?;

    let deadline = start + timeout;

    loop {
        let remaining = deadline.saturating_duration_since(tokio::time::Instant::now());
        if remaining.is_zero() {
            return Err(PingError::Timeout);
        }

        let recv = tokio::time::timeout(remaining, sock.recv_bytes()).await;
        let bytes = match recv {
            Err(_elapsed) => return Err(PingError::Timeout),
            Ok(Ok(b)) => b,
            Ok(Err(e)) => return Err(PingError::Net(e)),
        };

        if matches_reply(&bytes, src, dst, ident, seq_no) {
            return Ok(start.elapsed());
        }
        // Not our reply (or not an EchoReply) -- keep waiting.
    }
}

/// Build a complete ICMPv4 Echo Request IPv4 datagram (IP header + ICMP message).
///
/// The raw socket send path parses the buffer as a full IPv4 packet and fills the IPv4 header
/// checksum on dispatch, but the ICMP checksum and the rest of the IPv4 header must be valid
/// here.
fn build_echo_request(
    src: Ipv4Addr,
    dst: Ipv4Addr,
    ident: u16,
    seq_no: u16,
    payload: &[u8],
) -> vec::Vec<u8> {
    let checksum_caps = ChecksumCapabilities::default();

    let icmp_repr = Icmpv4Repr::EchoRequest {
        ident,
        seq_no,
        data: payload,
    };

    let ipv4_repr = Ipv4Repr {
        src_addr: src,
        dst_addr: dst,
        next_header: IpProtocol::Icmp,
        payload_len: icmp_repr.buffer_len(),
        hop_limit: 64,
    };

    let total = IPV4_HEADER_LEN + icmp_repr.buffer_len();
    let mut buf = vec![0u8; total];

    {
        let mut ip_packet = Ipv4Packet::new_unchecked(&mut buf[..]);
        ipv4_repr.emit(&mut ip_packet, &checksum_caps);
    }

    {
        let mut icmp_packet = Icmpv4Packet::new_unchecked(&mut buf[IPV4_HEADER_LEN..]);
        icmp_repr.emit(&mut icmp_packet, &checksum_caps);
    }

    buf
}

/// Parse a received raw IPv4 datagram and check whether it is the Echo Reply we are waiting for.
fn matches_reply(
    bytes: &[u8],
    expect_src: Ipv4Addr,
    expect_dst: Ipv4Addr,
    ident: u16,
    seq_no: u16,
) -> bool {
    let checksum_caps = ChecksumCapabilities::default();

    let Ok(ip_packet) = Ipv4Packet::new_checked(bytes) else {
        return false;
    };
    let Ok(ipv4_repr) = Ipv4Repr::parse(&ip_packet, &checksum_caps) else {
        return false;
    };
    if ipv4_repr.next_header != IpProtocol::Icmp {
        return false;
    }
    // Reply travels dst -> src.
    if ipv4_repr.src_addr != expect_dst || ipv4_repr.dst_addr != expect_src {
        return false;
    }

    let Ok(icmp_packet) = Icmpv4Packet::new_checked(ip_packet.payload()) else {
        return false;
    };
    let Ok(icmp_repr) = Icmpv4Repr::parse(&icmp_packet, &checksum_caps) else {
        return false;
    };

    matches!(
        icmp_repr,
        Icmpv4Repr::EchoReply { ident: i, seq_no: s, .. } if i == ident && s == seq_no
    )
}

#[cfg(test)]
mod tests {
    use super::*;

    const SRC: Ipv4Addr = Ipv4Addr::new(100, 64, 0, 1);
    const DST: Ipv4Addr = Ipv4Addr::new(100, 64, 0, 2);

    /// Build a full IPv4 Echo *Reply* datagram travelling `from` -> `to` with the given
    /// ident/seq, mirroring what a peer responder emits.
    fn build_echo_reply(from: Ipv4Addr, to: Ipv4Addr, ident: u16, seq_no: u16) -> vec::Vec<u8> {
        let checksum_caps = ChecksumCapabilities::default();
        let icmp_repr = Icmpv4Repr::EchoReply {
            ident,
            seq_no,
            data: PING_PAYLOAD,
        };
        let ipv4_repr = Ipv4Repr {
            src_addr: from,
            dst_addr: to,
            next_header: IpProtocol::Icmp,
            payload_len: icmp_repr.buffer_len(),
            hop_limit: 64,
        };
        let mut buf = vec![0u8; IPV4_HEADER_LEN + icmp_repr.buffer_len()];
        {
            let mut p = Ipv4Packet::new_unchecked(&mut buf[..]);
            ipv4_repr.emit(&mut p, &checksum_caps);
        }
        {
            let mut p = Icmpv4Packet::new_unchecked(&mut buf[IPV4_HEADER_LEN..]);
            icmp_repr.emit(&mut p, &checksum_caps);
        }
        buf
    }

    #[test]
    fn matches_reply_accepts_matching_ident_and_seq() {
        let reply = build_echo_reply(DST, SRC, 0xABCD, 7);
        assert!(matches_reply(&reply, SRC, DST, 0xABCD, 7));
    }

    #[test]
    fn matches_reply_rejects_foreign_ident() {
        // A concurrent ping's reply: correct addressing and seq, but a different ident. It must
        // NOT satisfy this call (otherwise concurrent pings cross-match).
        let foreign = build_echo_reply(DST, SRC, 0x1111, 7);
        assert!(!matches_reply(&foreign, SRC, DST, 0xABCD, 7));
    }

    #[test]
    fn matches_reply_rejects_foreign_seq() {
        let foreign = build_echo_reply(DST, SRC, 0xABCD, 99);
        assert!(!matches_reply(&foreign, SRC, DST, 0xABCD, 7));
    }

    #[test]
    fn matches_reply_rejects_non_echo_reply() {
        // An Echo *Request* with our exact ident/seq must not be accepted as our reply.
        let request = build_echo_request(DST, SRC, 0xABCD, 7, PING_PAYLOAD);
        assert!(!matches_reply(&request, SRC, DST, 0xABCD, 7));
    }

    #[cfg(feature = "tokio")]
    #[test]
    fn next_ident_is_unique_for_concurrent_calls() {
        // Distinct calls get distinct idents (the per-call counter differs), so concurrent pings
        // never share an ident and thus never cross-match.
        let a = next_ident();
        let b = next_ident();
        let c = next_ident();
        assert_ne!(a, b);
        assert_ne!(b, c);
        assert_ne!(a, c);
    }
}