gortc / gortcd Goto Github PK

Something like

peers:
   - action: allow
     net: 10.22.108.13:22
   - action: drop
     net: 0.0.0.0/0

https://tools.ietf.org/html/rfc5766#section-9.1

The port portion of each XOR-PEER-ADDRESS
attribute will be ignored and can be any arbitrary value

Related: #33

Docker-compose-like style

In the below function ,when c, err = reuseport.ListenPacket(serverNet, laddr) was executed,this s.conn did not execute ReadFrom method,so when message arrived ,it won't be handled,the client didn't get a response and will throw a transaction is timed out error.

func ListenUDPAndServe(log *zap.Logger, serverNet, laddr string, u *server.Updater) error {
	var (
		c   net.PacketConn
		err error
	)
	opt := u.Get()
	if reuseport.Available() && opt.ReusePort {
		c, err = reuseport.ListenPacket(serverNet, laddr)
		if err != nil {
			// Trying to listen without reuseport.
			// Sometimes reuseport.Available() can be true, but for subset
			// of interfaces it is not available.
			reusePortErr := err
			c, err = net.ListenPacket(serverNet, laddr)
			if err == nil {
				opt.ReusePort = false
				log.Warn("failed to use REUSEPORT, falling back to non-reuseport", zap.Error(reusePortErr))
			}
		}
	} else {
		c, err = net.ListenPacket(serverNet, laddr)
	}
	if err != nil {
		return err
	}
	opt.Conn = c
	s, err := server.New(opt)
	if err != nil {
		return err
	}
	u.Subscribe(s)
	return s.Serve()
}

add the below code will fixed it

func (s *Server) Serve() error {
	s.start()
	// ++++++++++++
	if s.reusePort {
		go s.worker(s.conn)
	}
	// +++++++++++++
	for i := 0; i < runtime.GOMAXPROCS(-1); i++ {
		s.wg.Add(1)
		if s.reusePort {
			s.log.Debug("reusing port for worker", zap.Int("w", i))
			laddr := s.conn.LocalAddr()
			conn, err := reuseport.ListenPacket(laddr.Network(), laddr.String())
			if err != nil {
				s.log.Warn("failed to listen for additional socket")
				conn = s.conn
			} else {
				s.conns = append(s.conns, conn)
			}
			go s.worker(conn)
		} else {
			go s.worker(s.conn)
		}
	}
	s.wg.Wait()
	return nil
}

With default command options:

deploy@example:~/gortcd$ ./gortcd-pie 
{"level":"info","ts":1555665627.3852997,"msg":"config file used","path":"/home/deploy/gortcd/gortcd.yml"}
{"level":"info","ts":1555665627.3855886,"msg":"parsed credentials","n":0}
{"level":"info","ts":1555665627.3856893,"msg":"realm","k":"gortc.io"}
{"level":"info","ts":1555665627.385987,"logger":"filter.peer","msg":"default action set","action":"allow"}
{"level":"info","ts":1555665627.3861253,"logger":"filter.client","msg":"default action set","action":"allow"}
{"level":"info","ts":1555665627.386219,"msg":"will be sending SOFTWARE attribute","software":"gortcd"}
{"level":"info","ts":1555665627.386445,"msg":"got addr","addr":"0.0.0.0:3478"}
{"level":"warn","ts":1555665627.38652,"msg":"running on all interfaces"}
{"level":"warn","ts":1555665627.3866117,"msg":"picking addr from ICE"}
{"level":"warn","ts":1555665627.3869166,"msg":"got","a":"127.0.0.1 [45]"}
{"level":"warn","ts":1555665627.387017,"msg":"got","a":"10.162.58.13 [35]"}
{"level":"warn","ts":1555665627.3870754,"msg":"using","a":"10.162.58.13 [35]"}
{"level":"warn","ts":1555665627.3871744,"msg":"got","a":"218.244.128.99 [35]"}
{"level":"warn","ts":1555665627.387245,"msg":"using","a":"218.244.128.99 [35]"}
{"level":"info","ts":1555665627.3873508,"msg":"gortc/gortcd listening","addr":"218.244.128.99:3478","network":"udp"}
{"level":"fatal","ts":1555665627.387498,"msg":"failed to listen","error":"listen udp 218.244.128.99:3478: protocol not available"}

With different listened port:

deploy@binatify:~/gortcd$ ./gortcd-pie -l="0.0.0.0:3479"
{"level":"info","ts":1555665654.0974624,"msg":"config file used","path":"/home/deploy/gortcd/gortcd.yml"}
{"level":"info","ts":1555665654.0977643,"msg":"parsed credentials","n":0}
{"level":"info","ts":1555665654.0978677,"msg":"realm","k":"gortc.io"}
{"level":"info","ts":1555665654.0981438,"logger":"filter.peer","msg":"default action set","action":"allow"}
{"level":"info","ts":1555665654.0982912,"logger":"filter.client","msg":"default action set","action":"allow"}
{"level":"info","ts":1555665654.0983856,"msg":"will be sending SOFTWARE attribute","software":"gortcd"}
{"level":"info","ts":1555665654.0985594,"msg":"got addr","addr":"[0.0.0.0:3479]"}
{"level":"info","ts":1555665654.098647,"msg":"gortc/gortcd listening","addr":"[0.0.0.0:3479]","network":"udp"}
{"level":"fatal","ts":1555665654.0987477,"msg":"failed to listen","error":"listen udp: address [0.0.0.0:3479]: missing port in address"}

Is it a bug? it can work well on Mac OS.

Explicitly wait until controlled agent starts listening on websocket connection.

This is causing e2e to fail in CI.

As we known, client create a Permission need the peer's transport address (Server-Reflexive), but I want to known the peer transport address is for which port in TURN server ?

If it is the default 3478. As code allocator.go#L130 , it should not have ability to send data to peer through the relayed transport address for Symmetric NAT.

If it is the client relayed transport address port, how can we get peer's server-reflexive transport address for this relayed port , HandlePeerData no about this logic.

Maybe there is something I misunderstand, let me known please.

Daemon should support zero downtime hot reload, ideally persisting internal state.

Provide systemd service file.

Like implemented in gortc/sdp e2e.

TURN specs:

• RFC 5766 – base TURN specs
• RFC 6062 – TCP relaying TURN extension
• RFC 6156 – IPv6 extension for TURN
• RFC 7443 – ALPN support for STUN & TURN
• RFC 7635 – oAuth third-party TURN/STUN authorization
• DTLS support (http://tools.ietf.org/html/draft-petithuguenin-tram-turn-dtls-00).
• Mobile ICE (MICE) support (http://tools.ietf.org/html/draft-wing-tram-turn-mobility-02).
• TURN REST API (http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00)
• Origin field in TURN (Multi-tenant TURN Server) (https://tools.ietf.org/html/draft-ietf-tram-stun-origin-06)
• TURN Bandwidth draft specs (http://tools.ietf.org/html/draft-thomson-tram-turn-bandwidth-01)
• TURN-bis (with dual allocation) draft specs (http://tools.ietf.org/html/draft-ietf-tram-turnbis-04).

STUN specs:

• RFC 3489 – "classic" STUN
• RFC 5389 – base "new" STUN specs
• RFC 5769 – test vectors for STUN protocol testing
• RFC 5780 – NAT behavior discovery support
• RFC 7443 – ALPN support for STUN & TURN
• RFC 7635 – oAuth third-party TURN/STUN authorization

Supported ICE and related specs:

• RFC 5245 – ICE
• RFC 5768 – ICE–SIP
• RFC 6336 – ICE–IANA Registry
• RFC 6544 – ICE–TCP
• RFC 5928 – TURN Resolution Mechanism

The implementation fully supports the following client-to-TURN-server protocols:

• UDP (per RFC 5766)
• TCP (per RFC 5766 and RFC 6062)
• TLS (per RFC 5766 and RFC 6062): TLS1.0/TLS1.1/TLS1.2; ECDHE is supported.
• DTLS (http://tools.ietf.org/html/draft-petithuguenin-tram-turn-dtls-00): DTLS versions 1.0 and 1.2.
• SCTP (experimental implementation).

Supported relay protocols:

• UDP (per RFC 5766)
• TCP (per RFC 6062)

Supported user databases (for user repository, with passwords or keys, if authentication is required):

• SQLite
• MySQL
• PostgreSQL
• Redis
• MongoDB

This is a question, not an issue.

What would a dockerfile need to look like to make this into an app engine instance?
https://cloud.google.com/appengine/docs/flexible

With a custom config.

Thank you!!

Optimally the pool of allocated ports should be maintained for that feature.
The work will be started separate branch.

• docker image
• releases
• ansible role
• PPA