Cecylia Bocovich · David Fifield · David Fifield · meskio · meskio · am3o
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -177,12 +177,12 @@ generate_tarball:
    - if: $CI_COMMIT_TAG
  script:
    - go mod vendor
-    - tar czf ${CI_PROJECT_NAME}-${CI_COMMIT_TAG#v}.tar.gz --transform "s,^,${CI_PROJECT_NAME}-${CI_COMMIT_TAG#v}/," *
+    - tar czf ${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.tar.gz --transform "s,^,${CI_PROJECT_NAME}-${CI_COMMIT_TAG}/," *
  after_script:
    - echo TAR_JOB_ID=$CI_JOB_ID >> generate_tarball.env
  artifacts:
    paths:
-      - ${CI_PROJECT_NAME}-${CI_COMMIT_TAG#v}.tar.gz
+      - ${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.tar.gz
    reports:
      dotenv: generate_tarball.env

@@ -203,6 +203,6 @@ release-job:
    ref: '$CI_COMMIT_TAG'
    assets:
      links:
-        - name: '${CI_PROJECT_NAME}-${CI_COMMIT_TAG#v}.tar.gz'
-          url: '${CI_PROJECT_URL}/-/jobs/${TAR_JOB_ID}/artifacts/file/${CI_PROJECT_NAME}-${CI_COMMIT_TAG#v}.tar.gz'
+        - name: '${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.tar.gz'
+          url: '${CI_PROJECT_URL}/-/jobs/${TAR_JOB_ID}/artifacts/file/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.tar.gz'
 
--- a/ChangeLog
+++ b/ChangeLog
+Changes in version v2.6.1 - 2023-09-11
+- a3bfc28 Update module golang.org/x/crypto to v0.12.0
+- e37e15a Update golang Docker tag to v1.21
+- b632c7d Workaround for shadow in lieu of AF_NETLINK support
+- 0cb2975 Update module golang.org/x/net to v0.13.0 [SECURITY]
+- f73fe6e Keep the 'v' from the tag on the released .tar.gz
+- 8104732 Change DefaultRelayURL back to wss://snowflake.torproject.net/.
+- d932cb2 feat: add option to expose the stats by using metrics
+- af73ab7 Add renovate config
+- aaeab3f Update dependencies
+- 58c3121 Close temporary UDPSession in TestQueuePacketConnWriteToKCP.
+- 80980a3 Fix a comment left over from turbotunnel-quic.
+- 08d1c6d Bump minimum required version of go
+
 Changes in version v2.6.0 - 2023-06-19
 - Issue 40243: Implement datachannel flow control at proxy
 - Issue 40087: Append Let's Encrypt ISRG Root X1 to cert pool

--- a/client/lib/webrtc.go
+++ b/client/lib/webrtc.go
@@ -12,6 +12,7 @@ import (
 	"time"

 	"github.com/pion/ice/v2"
+	"github.com/pion/transport/v2/stdnet"
 	"github.com/pion/webrtc/v3"
 	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/event"
 )
@@ -194,6 +195,12 @@ func (c *WebRTCPeer) preparePeerConnection(config *webrtc.Configuration) error {
 	var err error
 	s := webrtc.SettingEngine{}
 	s.SetICEMulticastDNSMode(ice.MulticastDNSModeDisabled)
+	// Use the SetNet setting https://pkg.go.dev/github.com/pion/webrtc/v3#SettingEngine.SetNet
+	// to get snowflake working in shadow (where the AF_NETLINK family is not implemented).
+	// These two lines of code functionally revert a new change in pion by silently ignoring
+	// when net.Interfaces() fails, rather than throwing an error
+	vnet, _ := stdnet.NewNet()
+	s.SetNet(vnet)
 	api := webrtc.NewAPI(webrtc.WithSettingEngine(s))
 	c.pc, err = api.NewPeerConnection(*config)
 	if err != nil {

--- a/common/turbotunnel/clientmap.go
+++ b/common/turbotunnel/clientmap.go
@@ -28,10 +28,10 @@ type ClientMap struct {

 // NewClientMap creates a ClientMap that expires clients after a timeout.
 //
-// The timeout does not have to be kept in sync with QUIC's internal idle
-// timeout. If a client is removed from the client map while the QUIC session is
+// The timeout does not have to be kept in sync with smux's internal idle
+// timeout. If a client is removed from the client map while the smux session is
 // still live, the worst that can happen is a loss of whatever packets were in
-// the send queue at the time. If QUIC later decides to send more packets to the
+// the send queue at the time. If smux later decides to send more packets to the
 // same client, we'll instantiate a new send queue, and if the client ever
 // connects again with the proper client ID, we'll deliver them.
 func NewClientMap(timeout time.Duration) *ClientMap {

--- a/common/turbotunnel/queuepacketconn_test.go
+++ b/common/turbotunnel/queuepacketconn_test.go
@@ -182,6 +182,7 @@ func TestQueuePacketConnWriteToKCP(t *testing.T) {
 			if err != nil {
 				panic(err)
 			}
+			conn.Close()
 			// Signal the main test to start once we have done one
 			// iterator of this noisy loop.
 			readyClose.Do(func() { close(ready) })

--- a/common/version/version.go
+++ b/common/version/version.go
@@ -4,4 +4,4 @@ func GetVersion() string {
 	return version
 }

-var version = "2.6.0"
+var version = "2.6.1"
--- a/go.mod
+++ b/go.mod
 module gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2

-go 1.15
+go 1.17

 require (
 	github.com/clarkduvall/hyperloglog v0.0.0-20171127014514-a0107a5d8004
 	github.com/gorilla/websocket v1.5.0
-	github.com/pion/ice/v2 v2.3.1
+	github.com/pion/ice/v2 v2.3.8
 	github.com/pion/sdp/v3 v3.0.6
-	github.com/pion/stun v0.4.0
-	github.com/pion/webrtc/v3 v3.1.57
-	github.com/prometheus/client_golang v1.10.0
-	github.com/prometheus/client_model v0.2.0
-	github.com/refraction-networking/utls v1.0.0
+	github.com/pion/stun v0.6.1
+	github.com/pion/transport/v2 v2.2.1
+	github.com/pion/webrtc/v3 v3.2.11
+	github.com/prometheus/client_golang v1.16.0
+	github.com/prometheus/client_model v0.4.0
+	github.com/refraction-networking/utls v1.3.2
 	github.com/smartystreets/goconvey v1.6.4
-	github.com/stretchr/testify v1.8.1
-	github.com/xtaci/kcp-go/v5 v5.6.1
-	github.com/xtaci/smux v1.5.15
+	github.com/stretchr/testify v1.8.4
+	github.com/xtaci/kcp-go/v5 v5.6.2
+	github.com/xtaci/smux v1.5.24
 	gitlab.torproject.org/tpo/anti-censorship/geoip v0.0.0-20210928150955-7ce4b3d98d01
 	gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/goptlib v1.4.0
-	golang.org/x/crypto v0.6.0
-	golang.org/x/net v0.7.0
-	golang.org/x/sys v0.5.0
-	google.golang.org/protobuf v1.26.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/net v0.13.0
+	golang.org/x/sys v0.11.0
+	google.golang.org/protobuf v1.31.0
+)
+
+require (
+	github.com/andybalholm/brotli v1.0.5 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/gaukas/godicttls v0.0.4 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 // indirect
+	github.com/jtolds/gls v4.20.0+incompatible // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/klauspost/reedsolomon v1.11.8 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/pion/datachannel v1.5.5 // indirect
+	github.com/pion/dtls/v2 v2.2.7 // indirect
+	github.com/pion/interceptor v0.1.17 // indirect
+	github.com/pion/logging v0.2.2 // indirect
+	github.com/pion/mdns v0.0.7 // indirect
+	github.com/pion/randutil v0.1.0 // indirect
+	github.com/pion/rtcp v1.2.10 // indirect
+	github.com/pion/rtp v1.7.13 // indirect
+	github.com/pion/sctp v1.8.7 // indirect
+	github.com/pion/srtp/v2 v2.0.15 // indirect
+	github.com/pion/turn/v2 v2.1.2 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.11.0 // indirect
+	github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d // indirect
+	github.com/templexxx/cpu v0.1.0 // indirect
+	github.com/templexxx/xorsimd v0.4.2 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	golang.org/x/text v0.12.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/probetest/Dockerfile
+++ b/probetest/Dockerfile
-FROM golang:1.13
+FROM golang:1.21

 COPY probetest /go/bin
--- a/proxy/README.md
+++ b/proxy/README.md
@@ -46,7 +46,7 @@ Usage of ./proxy:
  -nat-retest-interval duration
        the time interval in second before NAT type is retested, 0s disables retest. Valid time units are "s", "m", "h".  (default 24h0m0s)
  -relay string
-        websocket relay URL (default "wss://snowflake.bamsoftware.com/")
+        websocket relay URL (default "wss://snowflake.torproject.net/")
  -outbound-address string
        bind a specific outbound address. Replace all host candidates with this address without validation. 
  -stun string

--- a/proxy/lib/metrics.go
+++ b/proxy/lib/metrics.go
+package snowflake_proxy
+
+import (
+	"net/http"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+const (
+	// metricNamespace represent prometheus namespace
+	metricNamespace = "tor_snowflake_proxy"
+)
+
+type Metrics struct {
+	totalInBoundTraffic  prometheus.Counter
+	totalOutBoundTraffic prometheus.Counter
+	totalConnections     prometheus.Counter
+}
+
+func NewMetrics() *Metrics {
+	return &Metrics{
+		totalConnections: prometheus.NewCounter(prometheus.CounterOpts{
+			Namespace: metricNamespace,
+			Name:      "connections_total",
+			Help:      "The total number of connections handled by the snowflake proxy",
+		}),
+		totalInBoundTraffic: prometheus.NewCounter(prometheus.CounterOpts{
+			Namespace: metricNamespace,
+			Name:      "traffic_inbound_bytes_total",
+			Help:      "The total in bound traffic by the snowflake proxy",
+		}),
+		totalOutBoundTraffic: prometheus.NewCounter(prometheus.CounterOpts{
+			Namespace: metricNamespace,
+			Name:      "traffic_outbound_bytes_total",
+			Help:      "The total out bound traffic by the snowflake proxy ",
+		}),
+	}
+}
+
+// Start register the metrics server and serve them on the given address
+func (m *Metrics) Start(addr string) error {
+	go func() {
+		http.Handle("/internal/metrics", promhttp.Handler())
+		if err := http.ListenAndServe(addr, nil); err != nil {
+			panic(err)
+		}
+	}()
+
+	return prometheus.Register(m)
+}
+
+func (m *Metrics) Collect(ch chan<- prometheus.Metric) {
+	m.totalConnections.Collect(ch)
+	m.totalInBoundTraffic.Collect(ch)
+	m.totalOutBoundTraffic.Collect(ch)
+}
+
+func (m *Metrics) Describe(descs chan<- *prometheus.Desc) {
+	prometheus.DescribeByCollect(m, descs)
+}
+
+// TrackInBoundTraffic counts the received traffic by the snowflake proxy
+func (m *Metrics) TrackInBoundTraffic(value int64) {
+	m.totalInBoundTraffic.Add(float64(value))
+}
+
+// TrackOutBoundTraffic counts the transmitted traffic by the snowflake proxy
+func (m *Metrics) TrackOutBoundTraffic(value int64) {
+	m.totalOutBoundTraffic.Add(float64(value))
+}
+
+// TrackNewConnection counts the new connections
+func (m *Metrics) TrackNewConnection() {
+	m.totalConnections.Inc()
+}
--- a/proxy/lib/pt_event_metrics.go
+++ b/proxy/lib/pt_event_metrics.go
+package snowflake_proxy
+
+import (
+	"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/event"
+)
+
+type EventCollector interface {
+	TrackInBoundTraffic(value int64)
+	TrackOutBoundTraffic(value int64)
+	TrackNewConnection()
+}
+
+type EventMetrics struct {
+	collector EventCollector
+}
+
+func NewEventMetrics(collector EventCollector) *EventMetrics {
+	return &EventMetrics{collector: collector}
+}
+
+func (em *EventMetrics) OnNewSnowflakeEvent(e event.SnowflakeEvent) {
+	switch e.(type) {
+	case event.EventOnProxyConnectionOver:
+		e := e.(event.EventOnProxyConnectionOver)
+		em.collector.TrackInBoundTraffic(e.InboundTraffic)
+		em.collector.TrackOutBoundTraffic(e.OutboundTraffic)
+		em.collector.TrackNewConnection()
+	}
+}
--- a/proxy/lib/snowflake.go
+++ b/proxy/lib/snowflake.go
@@ -54,7 +54,7 @@ import (
 const (
 	DefaultBrokerURL   = "https://snowflake-broker.torproject.net/"
 	DefaultNATProbeURL = "https://snowflake-broker.torproject.net:8443/probe"
-	DefaultRelayURL    = "wss://snowflake.bamsoftware.com/"
+	DefaultRelayURL    = "wss://snowflake.torproject.net/"
 	DefaultSTUNURL     = "stun:stun.l.google.com:19302"
 	DefaultProxyType   = "standalone"
 )

--- a/proxy/main.go
+++ b/proxy/main.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
+	"net"
 	"os"
 	"strconv"
 	"strings"
@@ -32,6 +33,9 @@ func main() {
 		"the time interval in second before NAT type is retested, 0s disables retest. Valid time units are \"s\", \"m\", \"h\". ")
 	SummaryInterval := flag.Duration("summary-interval", time.Hour,
 		"the time interval to output summary, 0s disables summaries. Valid time units are \"s\", \"m\", \"h\". ")
+	disableStatsLogger := flag.Bool("disable-stats-logger", false, "disable the exposing mechanism for stats using logs")
+	enableMetrics := flag.Bool("metrics", false, "enable the exposing mechanism for stats using metrics")
+	metricsPort := flag.Int("metrics-port", 9999, "set port for the metrics service")
 	verboseLogging := flag.Bool("verbose", false, "increase log verbosity")
 	ephemeralPortsRangeFlag := flag.String("ephemeral-ports-range", "", "ICE UDP ephemeral ports range (format:\"<min>:<max>\")")
 	versionFlag := flag.Bool("version", false, "display version info to stderr and quit")
@@ -120,8 +124,21 @@ func main() {
 		log.SetOutput(&safelog.LogScrubber{Output: logOutput})
 	}

-	periodicEventLogger := sf.NewProxyEventLogger(*SummaryInterval, eventlogOutput)
-	eventLogger.AddSnowflakeEventListener(periodicEventLogger)
+	if !*disableStatsLogger {
+		periodicEventLogger := sf.NewProxyEventLogger(*SummaryInterval, eventlogOutput)
+		eventLogger.AddSnowflakeEventListener(periodicEventLogger)
+	}
+
+	if *enableMetrics {
+		metrics := sf.NewMetrics()
+
+		err := metrics.Start(net.JoinHostPort("localhost", strconv.Itoa(*metricsPort)))
+		if err != nil {
+			log.Fatalf("could not enable metrics: %v", err)
+		}
+
+		eventLogger.AddSnowflakeEventListener(sf.NewEventMetrics(metrics))
+	}

 	log.Printf("snowflake-proxy %s\n", version.GetVersion())


--- a/renovate.json
+++ b/renovate.json
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "constraints": {
+	  "go": "1.17"
+  },
+  "postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths"],
+  "osvVulnerabilityAlerts": true
+}