improvement: use SetIPFilter for local addrs

Closes https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40271. Supersedes https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/merge_requests/417. This simplifies the code and (probably) removes the need for `StripLocalAddresses`, although makes us more dependent on Pion. Signed-off-by: Cecylia Bocovich <cohosh@torproject.org>
2025-10-13 11:11:30 -04:00 · 2024-11-25 01:43:29 +04:00 · 2024-11-25 01:43:29 +04:00 · ae5bd52821
commit ae5bd52821
parent 43799819a1
6 changed files with 56 additions and 32 deletions
--- a/client/lib/rendezvous.go
+++ b/client/lib/rendezvous.go
@ -127,15 +127,6 @@ func newBrokerChannelFromConfig(config ClientConfig) (*BrokerChannel, error) {
 func (bc *BrokerChannel) Negotiate(offer *webrtc.SessionDescription) (
 	*webrtc.SessionDescription, error,
 ) {
-	// Ideally, we could specify an `RTCIceTransportPolicy` that would handle
-	// this for us.  However, "public" was removed from the draft spec.
-	// See https://developer.mozilla.org/en-US/docs/Web/API/RTCConfiguration#RTCIceTransportPolicy_enum
-	if !bc.keepLocalAddresses {
-		offer = &webrtc.SessionDescription{
-			Type: offer.Type,
-			SDP:  util.StripLocalAddresses(offer.SDP),
-		}
-	}
 	offerSDP, err := util.SerializeSessionDescription(offer)
 	if err != nil {
 		return nil, err
--- a/client/lib/webrtc.go
+++ b/client/lib/webrtc.go
@ -6,6 +6,7 @@ import (
 	"errors"
 	"io"
 	"log"
+	"net"
 	"net/url"
 	"sync"
 	"time"
@ -17,6 +18,7 @@ import (

 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/event"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/proxy"
+	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/util"
 )

 // WebRTCPeer represents a WebRTC connection to a remote snowflake proxy.
@ -166,7 +168,8 @@ func (c *WebRTCPeer) checkForStaleness(timeout time.Duration) {
 // receive an answer from broker, and wait for data channel to open
 func (c *WebRTCPeer) connect(config *webrtc.Configuration, broker *BrokerChannel) error {
 	log.Println(c.id, " connecting...")
-	err := c.preparePeerConnection(config)
+
+	err := c.preparePeerConnection(config, broker.keepLocalAddresses)
 	localDescription := c.pc.LocalDescription()
 	c.eventsLogger.OnNewSnowflakeEvent(event.EventOnOfferCreated{
 		WebRTCLocalDescription: localDescription,
@ -207,10 +210,25 @@ func (c *WebRTCPeer) connect(config *webrtc.Configuration, broker *BrokerChannel

 // preparePeerConnection creates a new WebRTC PeerConnection and returns it
 // after non-trickle ICE candidate gathering is complete.
-func (c *WebRTCPeer) preparePeerConnection(config *webrtc.Configuration) error {
+func (c *WebRTCPeer) preparePeerConnection(
+	config *webrtc.Configuration,
+	keepLocalAddresses bool,
+) error {
 	var err error
 	s := webrtc.SettingEngine{}
-	s.SetICEMulticastDNSMode(ice.MulticastDNSModeDisabled)
+
+	if !keepLocalAddresses {
+		s.SetIPFilter(func(ip net.IP) (keep bool) {
+			// `IsLoopback()` and `IsUnspecified` are likely not neded here,
+			// but let's keep them just in case.
+			// FYI there is similar code in other files in this project.
+			keep = !util.IsLocal(ip) && !ip.IsLoopback() && !ip.IsUnspecified()
+			return
+		})
+		s.SetICEMulticastDNSMode(ice.MulticastDNSModeDisabled)
+	}
+	s.SetIncludeLoopbackCandidate(keepLocalAddresses)
+
 	// Use the SetNet setting https://pkg.go.dev/github.com/pion/webrtc/v3#SettingEngine.SetNet
 	// to get snowflake working in shadow (where the AF_NETLINK family is not implemented).
 	// These two lines of code functionally revert a new change in pion by silently ignoring