Prioritize VPN gateway control packets

agents/rap-node-agent/internal/vpnruntime/gateway.go

@@ -261,10 +261,11 @@ func (g *Gateway) run(ctx context.Context, tun readWriteCloser) error {
 }
 
 func (g *Gateway) copyGatewayToClient(ctx context.Context, tun io.Reader) error {
+	priorityPackets := make(chan []byte, 1024)
 	packets := make(chan []byte, 32768)
 	errCh := make(chan error, 1)
 	go func() {
-		errCh <- g.uploadGatewayPackets(ctx, packets)
+		errCh <- g.uploadGatewayPackets(ctx, priorityPackets, packets)
 	}()
 
 	buffer := make([]byte, 65535)
@@ -288,6 +289,15 @@ func (g *Gateway) copyGatewayToClient(ctx context.Context, tun io.Reader) error
 		packet := append([]byte(nil), buffer[:n]...)
 		normalizeIPv4PacketChecksums(packet)
 		g.recordTunRead(packet)
+		if isTCPControlPacket(packet) {
+			select {
+			case priorityPackets <- packet:
+			default:
+				g.uploadQueueDrops.Add(1)
+				log.Printf("vpn gateway priority packet upload queue full; dropping packet: vpn_connection_id=%s", g.VPNConnectionID)
+			}
+			continue
+		}
 		select {
 		case packets <- packet:
 		default:
@@ -297,7 +307,7 @@ func (g *Gateway) copyGatewayToClient(ctx context.Context, tun io.Reader) error
 	}
 }
 
-func (g *Gateway) uploadGatewayPackets(ctx context.Context, packets <-chan []byte) error {
+func (g *Gateway) uploadGatewayPackets(ctx context.Context, priorityPackets <-chan []byte, packets <-chan []byte) error {
 	batch := make([][]byte, 0, vpnGatewayBatchMaxPackets)
 	batchBytes := 0
 	timer := time.NewTimer(time.Hour)
@@ -323,6 +333,27 @@ func (g *Gateway) uploadGatewayPackets(ctx context.Context, packets <-chan []byt
 		batch = batch[:0]
 		batchBytes = 0
 	}
+	addPacket := func(packet []byte) bool {
+		packetBytes := len(packet)
+		if packetBytes <= 0 {
+			return false
+		}
+		packetFrameSize := 4 + packetBytes
+		if len(batch) > 0 {
+			if len(batch) >= vpnGatewayBatchMaxPackets || batchBytes+packetFrameSize > vpnGatewayBatchMaxBytes {
+				flush()
+			}
+		}
+		batch = append(batch, packet)
+		batchBytes += packetFrameSize
+		return true
+	}
+	flushPriority := func(packet []byte) {
+		flush()
+		if addPacket(packet) {
+			flush()
+		}
+	}
 	for {
 		if len(batch) == 0 && timerActive {
 			if !timer.Stop() {
@@ -334,22 +365,21 @@ func (g *Gateway) uploadGatewayPackets(ctx context.Context, packets <-chan []byt
 			timerActive = false
 		}
 		select {
+		case packet := <-priorityPackets:
+			flushPriority(packet)
+			continue
+		default:
+		}
+		select {
 		case <-ctx.Done():
 			flush()
 			return ctx.Err()
+		case packet := <-priorityPackets:
+			flushPriority(packet)
 		case packet := <-packets:
-			packetBytes := len(packet)
-			if packetBytes <= 0 {
+			if !addPacket(packet) {
 				continue
 			}
-			packetFrameSize := 4 + packetBytes
-			if len(batch) > 0 {
-				if len(batch) >= vpnGatewayBatchMaxPackets || batchBytes+packetFrameSize > vpnGatewayBatchMaxBytes {
-					flush()
-				}
-			}
-			batch = append(batch, packet)
-			batchBytes += packetFrameSize
 			if len(batch) >= vpnGatewayBatchMaxPackets || batchBytes >= vpnGatewayBatchMaxBytes {
 				flush()
 				continue
@@ -365,6 +395,18 @@ func (g *Gateway) uploadGatewayPackets(ctx context.Context, packets <-chan []byt
 	}
 }
 
+func isTCPControlPacket(packet []byte) bool {
+	if len(packet) < 20 || packet[0]>>4 != 4 {
+		return false
+	}
+	ihl := int(packet[0]&0x0f) * 4
+	if ihl < 20 || len(packet) < ihl+20 || packet[9] != 6 {
+		return false
+	}
+	flags := packet[ihl+13]
+	return flags&0x17 != 0
+}
+
 func (g *Gateway) copyClientToGateway(ctx context.Context, tun io.Writer) error {
 	for {
 		packets, err := g.Transport.ReceiveGatewayPacketBatch(ctx, g.PollTimeout)