ddidderr/softlan-vpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(gateway): capture whole LAN frames before budget checks

Browse Source 
The gateway AF_PACKET read path used the standard 1514 byte Ethernet frame
length as its receive buffer. VLAN-tagged or jumbo LAN frames could therefore
be truncated before the bridge reached the encoded-datagram budget check, so
logs and drop accounting saw a corrupted shorter frame.

Use an overlay payload-sized capture buffer instead. This lets the Linux
gateway observe the whole frame that the kernel reports, then leave the
existing Ethernet parsing and negotiated QUIC datagram budget checks to decide
whether the frame can cross the tunnel. The bridge still never fragments
Ethernet frames.

Document the behavior in the gateway README section and add a compile-time
guard so the capture buffer stays above the standard Ethernet frame size.

Test Plan:
- cargo fmt --check
- git diff --check
- cargo test -p lanparty-gateway
- cargo test --workspace
- cargo clippy --workspace --all-targets -- -D warnings

Refs: PLAN.md
This commit is contained in:
ddidderr
2026-05-21 22:40:16 +02:00
parent d8f281e1cd
commit 022e74d62b
2 changed files with 14 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+5 -3
View File
@@ -167,9 +167,11 @@ cargo run -p lanparty-gateway -- \
The gateway connects to the relay as `role = gateway`, completes the
control-stream hello/welcome handshake, opens an AF_PACKET socket on the LAN
interface with promiscuous packet membership, and bridges Ethernet frames
between the relay and wired LAN until shutdown. It never fragments Ethernet
frames; LAN frames whose encoded datagrams exceed the negotiated QUIC budget are
counted, dropped, and logged instead of stopping the bridge.
between the relay and wired LAN until shutdown. It captures whole LAN frames up
to the overlay payload-length ceiling before deciding whether they fit the
tunnel. It never fragments Ethernet frames; LAN frames whose encoded datagrams
exceed the negotiated QUIC budget are counted, dropped, and logged instead of
stopping the bridge.
`--relay` accepts a DNS name or socket address; bare hosts default to UDP/443.
It tracks remote-client source MACs seen from relay traffic and periodically
emits small CAM refresh frames so the physical switch keeps those MACs