TUN-9470: Add OriginDialerService to include TCP

Adds an OriginDialerService that takes over the roles of both DialUDP and DialTCP 
towards the origin. This provides the possibility to leverage dialer "middleware"
to inject virtual origins, such as the DNS resolver service.

DNS Resolver service also gains access to the DialTCP operation to service TCP
DNS requests.

Minor refactoring includes changes to remove the needs previously provided by
the warp-routing configuration. This configuration cannot be disabled by cloudflared
so many of the references have been adjusted or removed.

Closes TUN-9470

Author: DevinCarr

cmd/cloudflared/tunnel/configuration.go

@@ -220,7 +220,15 @@ func prepareTunnelConfig(
 		resolvedRegion = endpoint
 	}
 
-	dnsService := origins.NewDNSResolver(log)
+	warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
+
+	// Setup origin dialer service and virtual services
+	originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   ingress.NewDialer(warpRoutingConfig),
+		TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
+	}, log)
+	dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log)
+	originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
 
 	tunnelConfig := &supervisor.TunnelConfig{
 		ClientConfig:    clientConfig,
@@ -250,6 +258,7 @@ func prepareTunnelConfig(
 		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
 		OriginDNSService:                    dnsService,
+		OriginDialerService:                 originDialerService,
 	}
 	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
@@ -258,10 +267,10 @@ func prepareTunnelConfig(
 		tunnelConfig.ICMPRouterServer = icmpRouter
 	}
 	orchestratorConfig := &orchestration.Config{
-		Ingress:            &ingressRules,
-		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
-		ConfigurationFlags: parseConfigFlags(c),
-		WriteTimeout:       tunnelConfig.WriteStreamTimeout,
+		Ingress:             &ingressRules,
+		WarpRouting:         warpRoutingConfig,
+		OriginDialerService: originDialerService,
+		ConfigurationFlags:  parseConfigFlags(c),
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }

connection/quic_connection_test.go

@@ -30,6 +30,7 @@ import (
 	"golang.org/x/net/nettest"
 
 	"github.com/cloudflare/cloudflared/client"
+	"github.com/cloudflare/cloudflared/config"
 	cfdflow "github.com/cloudflare/cloudflared/flow"
 
 	"github.com/cloudflare/cloudflared/datagramsession"
@@ -823,14 +824,23 @@ func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8)
 	sessionManager := datagramsession.NewManager(&log, datagramMuxer.SendToSession, sessionDemuxChan)
 	var connIndex uint8 = 0
 	packetRouter := ingress.NewPacketRouter(nil, datagramMuxer, connIndex, &log)
+	testDefaultDialer := ingress.NewDialer(ingress.WarpRoutingConfig{
+		ConnectTimeout: config.CustomDuration{Duration: 1 * time.Second},
+		TCPKeepAlive:   config.CustomDuration{Duration: 15 * time.Second},
+		MaxActiveFlows: 0,
+	})
+	originDialer := ingress.NewOriginDialer(ingress.OriginConfig{
+		DefaultDialer:   testDefaultDialer,
+		TCPWriteTimeout: 1 * time.Second,
+	}, &log)
 
 	datagramConn := &datagramV2Connection{
 		conn,
 		index,
 		sessionManager,
 		cfdflow.NewLimiter(0),
 		datagramMuxer,
-		ingress.DefaultUDPDialer,
+		originDialer,
 		packetRouter,
 		15 * time.Second,
 		0 * time.Second,

connection/quic_datagram_v2.go

@@ -57,8 +57,8 @@ type datagramV2Connection struct {
 
 	// datagramMuxer mux/demux datagrams from quic connection
 	datagramMuxer *cfdquic.DatagramMuxerV2
-	// ingressUDPProxy acts as the origin dialer for UDP requests
-	ingressUDPProxy ingress.UDPOriginProxy
+	// originDialer is the origin dialer for UDP requests
+	originDialer ingress.OriginUDPDialer
 	// packetRouter acts as the origin router for ICMP requests
 	packetRouter *ingress.PacketRouter
 
@@ -70,7 +70,7 @@ type datagramV2Connection struct {
 
 func NewDatagramV2Connection(ctx context.Context,
 	conn quic.Connection,
-	ingressUDPProxy ingress.UDPOriginProxy,
+	originDialer ingress.OriginUDPDialer,
 	icmpRouter ingress.ICMPRouter,
 	index uint8,
 	rpcTimeout time.Duration,
@@ -89,7 +89,7 @@ func NewDatagramV2Connection(ctx context.Context,
 		sessionManager:     sessionManager,
 		flowLimiter:        flowLimiter,
 		datagramMuxer:      datagramMuxer,
-		ingressUDPProxy:    ingressUDPProxy,
+		originDialer:       originDialer,
 		packetRouter:       packetRouter,
 		rpcTimeout:         rpcTimeout,
 		streamWriteTimeout: streamWriteTimeout,
@@ -159,7 +159,7 @@ func (q *datagramV2Connection) RegisterUdpSession(ctx context.Context, sessionID
 
 	// Each session is a series of datagram from an eyeball to a dstIP:dstPort.
 	// (src port, dst IP, dst port) uniquely identifies a session, so it needs a dedicated connected socket.
-	originProxy, err := q.ingressUDPProxy.DialUDP(dstAddrPort)
+	originProxy, err := q.originDialer.DialUDP(dstAddrPort)
 	if err != nil {
 		log.Err(err).Msgf("Failed to create udp proxy to %s", dstAddrPort)
 		tracing.EndWithErrorStatus(registerSpan, err)

connection/quic_datagram_v2_test.go

@@ -13,7 +13,6 @@ import (
 	"go.uber.org/mock/gomock"
 
 	cfdflow "github.com/cloudflare/cloudflared/flow"
-	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/mocks"
 )
 
@@ -84,7 +83,7 @@ func TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {
 	datagramConn := NewDatagramV2Connection(
 		t.Context(),
 		conn,
-		ingress.DefaultUDPDialer,
+		nil,
 		nil,
 		0,
 		0*time.Second,

ingress/origin_connection.go

@@ -19,7 +19,7 @@ import (
 type OriginConnection interface {
 	// Stream should generally be implemented as a bidirectional io.Copy.
 	Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)
-	Close()
+	Close() error
 }
 
 type streamHandlerFunc func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)
@@ -48,16 +48,7 @@ func (tc *tcpConnection) Write(b []byte) (int, error) {
 		}
 	}
 
-	nBytes, err := tc.Conn.Write(b)
-	if err != nil {
-		tc.logger.Err(err).Msg("Error writing to the TCP connection")
-	}
-
-	return nBytes, err
-}
-
-func (tc *tcpConnection) Close() {
-	tc.Conn.Close()
+	return tc.Conn.Write(b)
 }
 
 // tcpOverWSConnection is an OriginConnection that streams to TCP over WS.
@@ -75,8 +66,8 @@ func (wc *tcpOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWri
 	wsConn.Close()
 }
 
-func (wc *tcpOverWSConnection) Close() {
-	wc.conn.Close()
+func (wc *tcpOverWSConnection) Close() error {
+	return wc.conn.Close()
 }
 
 // socksProxyOverWSConnection is an OriginConnection that streams SOCKS connections over WS.
@@ -95,5 +86,6 @@ func (sp *socksProxyOverWSConnection) Stream(ctx context.Context, tunnelConn io.
 	wsConn.Close()
 }
 
-func (sp *socksProxyOverWSConnection) Close() {
+func (sp *socksProxyOverWSConnection) Close() error {
+	return nil
 }

ingress/origin_dialer.go

@@ -0,0 +1,146 @@
+package ingress
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog"
+)
+
+// OriginTCPDialer provides a TCP dial operation to a requested address.
+type OriginTCPDialer interface {
+	DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error)
+}
+
+// OriginUDPDialer provides a UDP dial operation to a requested address.
+type OriginUDPDialer interface {
+	DialUDP(addr netip.AddrPort) (net.Conn, error)
+}
+
+// OriginDialer provides both TCP and UDP dial operations to an address.
+type OriginDialer interface {
+	OriginTCPDialer
+	OriginUDPDialer
+}
+
+type OriginConfig struct {
+	// The default Dialer used if no reserved services are found for an origin request.
+	DefaultDialer OriginDialer
+	// Timeout on write operations for TCP connections to the origin.
+	TCPWriteTimeout time.Duration
+}
+
+// OriginDialerService provides a proxy TCP and UDP dialer to origin services while allowing reserved
+// services to be provided. These reserved services are assigned to specific [netip.AddrPort]s
+// and provide their own [OriginDialer]'s to handle origin dialing per protocol.
+type OriginDialerService struct {
+	// Reserved TCP services for reserved AddrPort values
+	reservedTCPServices map[netip.AddrPort]OriginTCPDialer
+	// Reserved UDP services for reserved AddrPort values
+	reservedUDPServices map[netip.AddrPort]OriginUDPDialer
+	// The default Dialer used if no reserved services are found for an origin request
+	defaultDialer  OriginDialer
+	defaultDialerM sync.RWMutex
+	// Write timeout for TCP connections
+	writeTimeout time.Duration
+
+	logger *zerolog.Logger
+}
+
+func NewOriginDialer(config OriginConfig, logger *zerolog.Logger) *OriginDialerService {
+	return &OriginDialerService{
+		reservedTCPServices: map[netip.AddrPort]OriginTCPDialer{},
+		reservedUDPServices: map[netip.AddrPort]OriginUDPDialer{},
+		defaultDialer:       config.DefaultDialer,
+		writeTimeout:        config.TCPWriteTimeout,
+		logger:              logger,
+	}
+}
+
+// AddReservedService adds a reserved virtual service to dial to.
+// Not locked and expected to be initialized before calling first dial and not afterwards.
+func (d *OriginDialerService) AddReservedService(service OriginDialer, addrs []netip.AddrPort) {
+	for _, addr := range addrs {
+		d.reservedTCPServices[addr] = service
+		d.reservedUDPServices[addr] = service
+	}
+}
+
+// UpdateDefaultDialer updates the default dialer.
+func (d *OriginDialerService) UpdateDefaultDialer(dialer *Dialer) {
+	d.defaultDialerM.Lock()
+	defer d.defaultDialerM.Unlock()
+	d.defaultDialer = dialer
+}
+
+// DialTCP will perform a dial TCP to the requested addr.
+func (d *OriginDialerService) DialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
+	conn, err := d.dialTCP(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	// Assign the write timeout for the TCP operations
+	return &tcpConnection{
+		Conn:         conn,
+		writeTimeout: d.writeTimeout,
+		logger:       d.logger,
+	}, nil
+}
+
+func (d *OriginDialerService) dialTCP(ctx context.Context, addr netip.AddrPort) (net.Conn, error) {
+	// Check to see if any reserved services are available for this addr and call their dialer instead.
+	if dialer, ok := d.reservedTCPServices[addr]; ok {
+		return dialer.DialTCP(ctx, addr)
+	}
+	d.defaultDialerM.RLock()
+	dialer := d.defaultDialer
+	d.defaultDialerM.RUnlock()
+	return dialer.DialTCP(ctx, addr)
+}
+
+// DialUDP will perform a dial UDP to the requested addr.
+func (d *OriginDialerService) DialUDP(addr netip.AddrPort) (net.Conn, error) {
+	// Check to see if any reserved services are available for this addr and call their dialer instead.
+	if dialer, ok := d.reservedUDPServices[addr]; ok {
+		return dialer.DialUDP(addr)
+	}
+	d.defaultDialerM.RLock()
+	dialer := d.defaultDialer
+	d.defaultDialerM.RUnlock()
+	return dialer.DialUDP(addr)
+}
+
+type Dialer struct {
+	Dialer net.Dialer
+}
+
+func NewDialer(config WarpRoutingConfig) *Dialer {
+	return &Dialer{
+		Dialer: net.Dialer{
+			Timeout:   config.ConnectTimeout.Duration,
+			KeepAlive: config.TCPKeepAlive.Duration,
+		},
+	}
+}
+
+func (d *Dialer) DialTCP(ctx context.Context, dest netip.AddrPort) (net.Conn, error) {
+	conn, err := d.Dialer.DialContext(ctx, "tcp", dest.String())
+	if err != nil {
+		return nil, fmt.Errorf("unable to dial tcp to origin %s: %w", dest, err)
+	}
+
+	return conn, nil
+}
+
+func (d *Dialer) DialUDP(dest netip.AddrPort) (net.Conn, error) {
+	conn, err := d.Dialer.Dial("udp", dest.String())
+	if err != nil {
+		return nil, fmt.Errorf("unable to dial udp to origin %s: %w", dest, err)
+	}
+
+	return conn, nil
+}