feat: udp conntrack for lan interface

[LostAttractor]

Background

Previously, the wan interface had implemented udp conntrack
This PR implemented udp conntrack for lan interface.

Checklist

• The Pull Request has been fully tested
• There's an entry in the CHANGELOGS
• There is a user-facing docs PR against https://github.com/daeuniverse/dae

Full Changelogs

• Implement udp conntrack for lan interface.

Test Result

You can use those python codes for testing,
Try to initiate a request from wan to lan. You should be able to observe that DAE skips the packet instead of routing it.
You could try to have reply packets routed to a node and observe whether dae0 has the reply packet.

server:

import socket

def udp_server(host='::', port=12345):
    """A UDP server supporting IPv6 and proper cleanup."""
    server_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    try:
        server_socket.bind((host, port))
        print(f"UDP server listening on [{host}]:{port}")

        while True:
            message, client_address = server_socket.recvfrom(1024)  # Buffer size 1024 bytes
            print(f"Received message: {message.decode()} from {client_address}")
            server_socket.sendto(b"ACK", client_address)
    except KeyboardInterrupt:
        print("Server shutting down...")
    finally:
        server_socket.close()
        print("Socket closed.")

if __name__ == "__main__":
    udp_server()

client:

import socket

def udp_client(host="::", port=12345):
    # Detect address family based on the provided server_host
    addr_info = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_DGRAM)

    # Use the first address returned (IPv6 preferred if available)
    family, socktype, proto, canonname, sockaddr = addr_info[0]

    client_socket = socket.socket(family, socktype, proto)
    client_socket.settimeout(2)  # Timeout for the response

    try:
        client_socket.sendto(b"Test", sockaddr)
        print(f"Sent to {sockaddr}")

        response, server = client_socket.recvfrom(1024)
        print(f"Received response: {response.decode()} from {server}")
    except socket.timeout:
        print("No response received, server might be unreachable.")
    except Exception as e:
        print(f"An error occurred: {e}")
    finally:
        client_socket.close()
        print("Client socket closed.")

if __name__ == "__main__":
    udp_client(host="127.0.0.1", port=23339)

[jschwinger233]

Would you like to add some test as part of CI? I'm inclined to cover this in bpf unit test.

[LostAttractor]

Would you like to add some test as part of CI? I'm inclined to cover this in bpf unit test.

I write some simple python udp server/client for testing the symmetric udp datapath.
But it seems that udp conntrack is not working, even udp conntrack for wan interface in the main branch is not working
I remember it used to be worked, and I needed some time to figure it out.

I don’t know much about the CI for dae or for ebpf part. But I will have a try.

[LostAttractor]

Would you like to add some test as part of CI? I'm inclined to cover this in bpf unit test.

I write some simple python udp server/client for testing the symmetric udp datapath. But it seems that udp conntrack is not working, even udp conntrack for wan interface in the main branch is not working I remember it used to be worked, and I needed some time to figure it out.

I don’t know much about the CI for dae or for ebpf part. But I will have a try.

There is no problem with the code. My unit tests are not working correctly, but I have completed some debugging functions. Since I use ipv6 for testing, my device has multiple addresses, and SOCK_DRGAM uses the default route with SLAAC address by default (instead of symmetric routing). This is inconsistent with the address used by my DNS server by default, causing the test failed.

I have already added the python code for testing in test result section.
Should I keep this pr as draft until I finish the CI part?

[dae-prow]

🧪 Since the PR has been fully tested, please consider merging it.

[jschwinger233]

整体的改动还是不复杂，好理解，就是 commit 切分实在是很糟糕（对不起）。留了一些想法可以讨论一下。

[jschwinger233]

- if (!refresh_udp_conn_state_timer(&reversed_tuples_key, true))
+ if (!refresh_udp_conn_state_timer(&reversed_tuples_key, false))

按照你的注释：

// For each flow (echo symmetric path), note the original flow direction

original direction 是 egress 所以第二参数应该为 false？

[LostAttractor]

流向wan ingress方向的应该为true，而流向wan ingress方向的流量在dae中是在lan egress中处理的
流量的路径是 lan egress -> route -> wan ingress，lan egress和wan ingress首次出现的流量为true，反之亦然
我这里把lan egress和wan ingress中首次出现的flow称作了inbound_flow，不知道是否有不妥

[jschwinger233]

我知道你是把首次出现的标记为 true，你都有很明确的语义了，这个命名肯定不妥。

[jschwinger233]

我没细想，也许 AI 有更好的回答，可以用 is original direction 之类的，但是这里存的是 reverse 的 tuple，所以并不是 original direction。。。 叫 require direct?

[jschwinger233]

同理，这里就应该是 refresh_udp_conn_state_timer(&tuples.five, true) ?

[LostAttractor]

同理，这里就应该是 refresh_udp_conn_state_timer(&tuples.five, true) ?

同上

[jschwinger233]

除了变量名其他都 lgtm

[jschwinger233]

我知道你是把首次出现的标记为 true，你都有很明确的语义了，这个命名肯定不妥。

[jschwinger233]

我没细想，也许 AI 有更好的回答，可以用 is original direction 之类的，但是这里存的是 reverse 的 tuple，所以并不是 original direction。。。 叫 require direct?