Begin performing Stubby handshake inspection in the prod --> off-net direction.
For now, all prod --> off-net Stubby connections will be inspected, logged, and then accepted. Once we fill out the qbone.acl with acceptable on-net clients, we can begin enforcing the ACL by flipping the qbone_enforce_acl_for_on_net_clients flag.
This change includes a renaming of the enum QbonePacketProcessor::Direction::FROM_CLIENT to FROM_OFF_NETWORK along with several other replacements of peer --> on-net and client --> off-net. These values are in reference to the direction of the packets through the tunnel, *not* in reference to the client/server roles in the TCP connection being inspected through the tunnel.
For tracking the client/server roles in each TCP connection, a new QboneTcpHandshakeInspector::Party enum has been introduced to track which side of the TCP connection is currently being inspected.
gfe-relnote: n/a (QBONE-only change)
PiperOrigin-RevId: 284260144
Change-Id: I820fcbdd9b37620fa33afcd13d5e36d8a5cac90e
diff --git a/quic/qbone/qbone_packet_processor.cc b/quic/qbone/qbone_packet_processor.cc
index 39b622b..3bfb97a 100644
--- a/quic/qbone/qbone_packet_processor.cc
+++ b/quic/qbone/qbone_packet_processor.cc
@@ -75,7 +75,7 @@
switch (result) {
case ProcessingResult::OK:
switch (direction) {
- case Direction::FROM_CLIENT:
+ case Direction::FROM_OFF_NETWORK:
output_->SendPacketToNetwork(*packet);
break;
case Direction::FROM_NETWORK:
@@ -184,7 +184,7 @@
uint8_t address_reject_code;
bool ip_parse_result;
switch (direction) {
- case Direction::FROM_CLIENT:
+ case Direction::FROM_OFF_NETWORK:
// Expect the source IP to match the client.
ip_parse_result = address_to_check.FromPackedString(
reinterpret_cast<const char*>(&header->ip6_src),
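Review bot: The comment under the renamed case, `// Expect the source IP to match the client.`, still uses the "client" wording this commit retires, as do the `Direction` enum comments in qbone_packet_processor.h ("from the QBONE client into the network", plus the typo "begin QBONE" for "behind QBONE"). The commit message stresses that the direction describes the tunnel, not the TCP client/server roles, and this case appears to decide which address field is validated, so the leftover wording invites exactly the confusion the rename is meant to remove. I would reword it to `// Expect the source IP to match the off-network side of the tunnel.` and the header comment to `// Packet is going from the off-network side into the network behind the QBONE.`. The switch and its enclosing function continue outside the hunk.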
@@ -257,7 +257,7 @@
void QbonePacketProcessor::SendResponse(Direction original_direction,
QuicStringPiece packet) {
switch (original_direction) {
- case Direction::FROM_CLIENT:
+ case Direction::FROM_OFF_NETWORK:
output_->SendPacketToClient(packet);
break;
case Direction::FROM_NETWORK:
diff --git a/quic/qbone/qbone_packet_processor.h b/quic/qbone/qbone_packet_processor.h
index 4476771..04b7412 100644
--- a/quic/qbone/qbone_packet_processor.h
+++ b/quic/qbone/qbone_packet_processor.h
@@ -28,7 +28,7 @@
public:
enum class Direction {
// Packet is going from the QBONE client into the network behind the QBONE.
- FROM_CLIENT = 0,
+ FROM_OFF_NETWORK = 0,
// Packet is going from the network begin QBONE to the client.
FROM_NETWORK = 1
};
diff --git a/quic/qbone/qbone_packet_processor_test.cc b/quic/qbone/qbone_packet_processor_test.cc
index f7e642a..a2b0201 100644
--- a/quic/qbone/qbone_packet_processor_test.cc
+++ b/quic/qbone/qbone_packet_processor_test.cc
@@ -146,7 +146,7 @@
void SendPacketFromClient(QuicStringPiece packet) {
string packet_buffer(packet.data(), packet.size());
- processor_->ProcessPacket(&packet_buffer, Direction::FROM_CLIENT);
+ processor_->ProcessPacket(&packet_buffer, Direction::FROM_OFF_NETWORK);
}
void SendPacketFromNetwork(QuicStringPiece packet) {
@@ -164,7 +164,7 @@
};
TEST_F(QbonePacketProcessorTest, EmptyPacket) {
- EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_OFF_NETWORK));
SendPacketFromClient("");
EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_NETWORK));
@@ -172,7 +172,7 @@
}
TEST_F(QbonePacketProcessorTest, RandomGarbage) {
- EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_OFF_NETWORK));
SendPacketFromClient(string(1280, 'a'));
EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_NETWORK));
@@ -184,19 +184,19 @@
packet[4] = 0;
packet[5] = 0;
- EXPECT_CALL(stats_, OnPacketDroppedWithIcmp(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketDroppedWithIcmp(Direction::FROM_OFF_NETWORK));
EXPECT_CALL(output_, SendPacketToClient(IsIcmpMessage(ICMP6_DST_UNREACH)));
SendPacketFromClient(packet);
}
TEST_F(QbonePacketProcessorTest, GoodPacketFromClient) {
- EXPECT_CALL(stats_, OnPacketForwarded(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketForwarded(Direction::FROM_OFF_NETWORK));
EXPECT_CALL(output_, SendPacketToNetwork(_));
SendPacketFromClient(kReferenceClientPacket);
}
TEST_F(QbonePacketProcessorTest, GoodPacketFromClientSubnet) {
- EXPECT_CALL(stats_, OnPacketForwarded(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketForwarded(Direction::FROM_OFF_NETWORK));
EXPECT_CALL(output_, SendPacketToNetwork(_));
SendPacketFromClient(kReferenceClientSubnetPacket);
}
@@ -208,7 +208,7 @@
}
TEST_F(QbonePacketProcessorTest, GoodPacketFromNetworkWrongDirection) {
- EXPECT_CALL(stats_, OnPacketDroppedWithIcmp(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketDroppedWithIcmp(Direction::FROM_OFF_NETWORK));
EXPECT_CALL(output_, SendPacketToClient(IsIcmpMessage(ICMP6_DST_UNREACH)));
SendPacketFromClient(kReferenceNetworkPacket);
}
@@ -237,7 +237,7 @@
.WillRepeatedly(Return(ProcessingResult::SILENT_DROP));
processor_->set_filter(std::move(filter));
- EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_OFF_NETWORK));
SendPacketFromClient(kReferenceClientPacket);
}
@@ -275,7 +275,7 @@
TestFilter* filter = filter_owned.get();
processor_->set_filter(std::move(filter_owned));
- EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_CLIENT));
+ EXPECT_CALL(stats_, OnPacketDroppedSilently(Direction::FROM_OFF_NETWORK));
SendPacketFromClient(kReferenceClientPacket);
ASSERT_EQ(1, filter->called());
}
diff --git a/quic/qbone/qbone_server_session.cc b/quic/qbone/qbone_server_session.cc
index 2b4a736..1360e6d 100644
--- a/quic/qbone/qbone_server_session.cc
+++ b/quic/qbone/qbone_server_session.cc
@@ -80,7 +80,7 @@
void QboneServerSession::ProcessPacketFromPeer(QuicStringPiece packet) {
string buffer = string(packet);
processor_.ProcessPacket(&buffer,
- QbonePacketProcessor::Direction::FROM_CLIENT);
+ QbonePacketProcessor::Direction::FROM_OFF_NETWORK);
}
void QboneServerSession::SendPacketToClient(QuicStringPiece packet) {
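Review bot: `ProcessPacketFromPeer` now passes `Direction::FROM_OFF_NETWORK`, but nothing at the call site says why the QUIC peer is the off-network side here. The commit message describes other replacements as peer --> on-net, so a reader could reasonably expect the opposite mapping. Because the direction presumably selects which source/destination check and which ACL path the processor applies, a wrong value copied into another session type would validate the wrong address. A one-line comment would pin this down: `// On the server session the QUIC peer is the off-network endpoint, so its packets enter the tunnel as FROM_OFF_NETWORK.`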