forked from Deuxfleurs/diplonat
Compare commits
41 commits
Author | SHA1 | Date | |
---|---|---|---|
e60e002863 | |||
166d74649a | |||
58ac0e3758 | |||
843104dad7 | |||
6613ea347d | |||
097a2a029d | |||
5a4bd88903 | |||
05872634a4 | |||
f5fc635b75 | |||
d27173a2b7 | |||
48da5b61ac | |||
21ab77b828 | |||
71bfd5be2d | |||
c356c4d1c4 | |||
f410230240 | |||
b3f76f272a | |||
2d39adcabb | |||
615f926618 | |||
e64be9e881 | |||
846c4344aa | |||
eba95c9b28 | |||
75aa6405f2 | |||
f306e8dc8d | |||
f8431271d9 | |||
2a910c7af2 | |||
04528d1e60 | |||
e7f6c15bc1 | |||
862e8ce876 | |||
5483db8dd4 | |||
730c9049ad | |||
04bdd029fe | |||
4560622fa1 | |||
7760b9c58f | |||
3b9e75634a | |||
4d4d453afa | |||
68cb4d5482 | |||
fd3a153103 | |||
7d478d9976 | |||
2bbc910999 | |||
bf226d077e | |||
f720070905 |
25 changed files with 5662 additions and 1203 deletions
4
.gitignore
vendored
4
.gitignore
vendored
|
@ -1,3 +1,5 @@
|
|||
target/
|
||||
target
|
||||
result
|
||||
result-bin
|
||||
*.swp
|
||||
.env
|
||||
|
|
26
.woodpecker.yml
Normal file
26
.woodpecker.yml
Normal file
|
@ -0,0 +1,26 @@
|
|||
when:
|
||||
event:
|
||||
- push
|
||||
- pull_request
|
||||
- tag
|
||||
- cron
|
||||
- manual
|
||||
|
||||
steps:
|
||||
- name: check formatting
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
environment:
|
||||
NIX_PATH: 'nixpkgs=channel:nixos-22.05'
|
||||
commands:
|
||||
- nix-shell -p cargo -p rustfmt --run 'cargo fmt -- --check'
|
||||
|
||||
- name: build
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix build --extra-experimental-features nix-command --extra-experimental-features flakes .#debug.x86_64-linux.diplonat
|
||||
|
||||
- name: test
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix build --extra-experimental-features nix-command --extra-experimental-features flakes .#test.x86_64-linux.diplonat
|
||||
- ./result-bin/bin/diplonat-*
|
45
CONTRIBUTING.md
Normal file
45
CONTRIBUTING.md
Normal file
|
@ -0,0 +1,45 @@
|
|||
# Contributing to Diplonat
|
||||
|
||||
## Development guidelines
|
||||
|
||||
### Code formatting
|
||||
|
||||
[Our CI pipeline](./.drone.yml) features a verification of the code format, using [rustfmt](https://github.com/rust-lang/rustfmt).
|
||||
|
||||
#### Installing rustfmt
|
||||
|
||||
You must install a very recent version of `rustfmt` through rust nightly
|
||||
|
||||
To install:
|
||||
|
||||
```
|
||||
rustup toolchain install nightly-x86_64-unknown-linux-gnu
|
||||
rustup component add rustfmt --toolchain nightly
|
||||
```
|
||||
|
||||
#### Usage
|
||||
|
||||
To run on Diplonat, launch the following in the root directory:
|
||||
|
||||
```
|
||||
cargo +nightly fmt
|
||||
```
|
||||
|
||||
This will format the whole repository using the settigs defined in [`.rustfmt.toml`](./.rustfmt.toml).
|
||||
|
||||
#### Auto-format code
|
||||
|
||||
You can automate formatting in a number of ways:
|
||||
|
||||
[Setup your IDE to use `rustfmt`](https://github.com/rust-lang/rustfmt#running-rustfmt-from-your-editor).
|
||||
|
||||
Setup a git hook to run `rustfmt` before each commit:
|
||||
|
||||
```bash
|
||||
cat <<EOF > .git/hooks/pre-commit
|
||||
#!/bin/bash
|
||||
|
||||
cargo +nightly fmt
|
||||
EOF
|
||||
chmod +x .git/hooks/pre-commit
|
||||
```
|
1568
Cargo.lock
generated
1568
Cargo.lock
generated
File diff suppressed because it is too large
Load diff
|
@ -10,13 +10,15 @@ edition = "2018"
|
|||
anyhow = "1.0.28"
|
||||
envy = "0.4"
|
||||
futures = "0.3.5"
|
||||
igd = { version = "0.10.0", features = ["aio"] }
|
||||
get_if_addrs = "0.5"
|
||||
igd = { version = "0.12.0", features = ["aio"] }
|
||||
iptables = "0.2.2"
|
||||
log = "0.4"
|
||||
pretty_env_logger = "0.4"
|
||||
regex = "1"
|
||||
reqwest = { version = "0.10", features = ["json"] }
|
||||
reqwest = { version = "0.11", default-features = false, features = ["json", "rustls-tls-manual-roots" ] }
|
||||
serde = { version = "1.0.107", features = ["derive"] }
|
||||
serde-lexpr = "0.1.1"
|
||||
serde_json = "1.0.53"
|
||||
tokio = "0.2"
|
||||
tokio = { version = "1", features = ["sync", "rt-multi-thread", "net", "macros"] }
|
||||
stun-client = "0.1.2"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
FROM debian:bullseye-slim as builder
|
||||
FROM rust:1.69-bullseye as builder
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get install -y rustc cargo libssl-dev pkg-config
|
||||
apt-get install -y libssl-dev pkg-config
|
||||
|
||||
WORKDIR /srv
|
||||
|
||||
|
|
661
LICENSE
Normal file
661
LICENSE
Normal file
|
@ -0,0 +1,661 @@
|
|||
GNU AFFERO GENERAL PUBLIC LICENSE
|
||||
Version 3, 19 November 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The GNU Affero General Public License is a free, copyleft license for
|
||||
software and other kinds of works, specifically designed to ensure
|
||||
cooperation with the community in the case of network server software.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
our General Public Licenses are intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains free
|
||||
software for all its users.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
Developers that use our General Public Licenses protect your rights
|
||||
with two steps: (1) assert copyright on the software, and (2) offer
|
||||
you this License which gives you legal permission to copy, distribute
|
||||
and/or modify the software.
|
||||
|
||||
A secondary benefit of defending all users' freedom is that
|
||||
improvements made in alternate versions of the program, if they
|
||||
receive widespread use, become available for other developers to
|
||||
incorporate. Many developers of free software are heartened and
|
||||
encouraged by the resulting cooperation. However, in the case of
|
||||
software used on network servers, this result may fail to come about.
|
||||
The GNU General Public License permits making a modified version and
|
||||
letting the public access it on a server without ever releasing its
|
||||
source code to the public.
|
||||
|
||||
The GNU Affero General Public License is designed specifically to
|
||||
ensure that, in such cases, the modified source code becomes available
|
||||
to the community. It requires the operator of a network server to
|
||||
provide the source code of the modified version running there to the
|
||||
users of that server. Therefore, public use of a modified version, on
|
||||
a publicly accessible server, gives the public access to the source
|
||||
code of the modified version.
|
||||
|
||||
An older license, called the Affero General Public License and
|
||||
published by Affero, was designed to accomplish similar goals. This is
|
||||
a different license, not a version of the Affero GPL, but Affero has
|
||||
released a new version of the Affero GPL which permits relicensing under
|
||||
this license.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
TERMS AND CONDITIONS
|
||||
|
||||
0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU Affero General Public License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||
works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of an
|
||||
exact copy. The resulting work is called a "modified version" of the
|
||||
earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user through
|
||||
a computer network, with no transfer of a copy, is not conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices"
|
||||
to the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work
|
||||
for making modifications to it. "Object code" means any non-source
|
||||
form of a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users
|
||||
can regenerate automatically from other parts of the Corresponding
|
||||
Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that
|
||||
same work.
|
||||
|
||||
2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not
|
||||
convey, without conditions so long as your license otherwise remains
|
||||
in force. You may convey covered works to others for the sole purpose
|
||||
of having them make modifications exclusively for you, or provide you
|
||||
with facilities for running those works, provided that you comply with
|
||||
the terms of this License in conveying all material for which you do
|
||||
not control copyright. Those thus making or running the covered works
|
||||
for you must do so exclusively on your behalf, under your direction
|
||||
and control, on terms that prohibit them from making any copies of
|
||||
your copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under
|
||||
the conditions stated below. Sublicensing is not allowed; section 10
|
||||
makes it unnecessary.
|
||||
|
||||
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such circumvention
|
||||
is effected by exercising rights under this License with respect to
|
||||
the covered work, and you disclaim any intention to limit operation or
|
||||
modification of the work as a means of enforcing, against the work's
|
||||
users, your or third parties' legal rights to forbid circumvention of
|
||||
technological measures.
|
||||
|
||||
4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these conditions:
|
||||
|
||||
a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
|
||||
b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under section
|
||||
7. This requirement modifies the requirement in section 4 to
|
||||
"keep intact all notices".
|
||||
|
||||
c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
|
||||
d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms
|
||||
of sections 4 and 5, provided that you also convey the
|
||||
machine-readable Corresponding Source under the terms of this License,
|
||||
in one of these ways:
|
||||
|
||||
a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
|
||||
b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the
|
||||
Corresponding Source from a network server at no charge.
|
||||
|
||||
c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
|
||||
d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
|
||||
e) Convey the object code using peer-to-peer transmission, provided
|
||||
you inform other peers where the object code and Corresponding
|
||||
Source of the work are being offered to the general public at no
|
||||
charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal, family,
|
||||
or household purposes, or (2) anything designed or sold for incorporation
|
||||
into a dwelling. In determining whether a product is a consumer product,
|
||||
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||
product received by a particular user, "normally used" refers to a
|
||||
typical or common use of that class of product, regardless of the status
|
||||
of the particular user or of the way in which the particular user
|
||||
actually uses, or expects or is expected to use, the product. A product
|
||||
is a consumer product regardless of whether the product has substantial
|
||||
commercial, industrial or non-consumer uses, unless such uses represent
|
||||
the only significant mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to install
|
||||
and execute modified versions of a covered work in that User Product from
|
||||
a modified version of its Corresponding Source. The information must
|
||||
suffice to ensure that the continued functioning of the modified object
|
||||
code is in no case prevented or interfered with solely because
|
||||
modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or updates
|
||||
for a work that has been modified or installed by the recipient, or for
|
||||
the User Product in which it has been modified or installed. Access to a
|
||||
network may be denied when the modification itself materially and
|
||||
adversely affects the operation of the network or violates the rules and
|
||||
protocols for communication across the network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders of
|
||||
that material) supplement the terms of this License with terms:
|
||||
|
||||
a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
|
||||
b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
|
||||
c) Prohibiting misrepresentation of the origin of that material, or
|
||||
requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
|
||||
d) Limiting the use for publicity purposes of names of licensors or
|
||||
authors of the material; or
|
||||
|
||||
e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
|
||||
f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions of
|
||||
it) with contractual assumptions of liability to the recipient, for
|
||||
any liability that these contractual assumptions directly impose on
|
||||
those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions;
|
||||
the above requirements apply either way.
|
||||
|
||||
8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your
|
||||
license from a particular copyright holder is reinstated (a)
|
||||
provisionally, unless and until the copyright holder explicitly and
|
||||
finally terminates your license, and (b) permanently, if the copyright
|
||||
holder fails to notify you of the violation by some reasonable means
|
||||
prior to 60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or
|
||||
run a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims
|
||||
owned or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within
|
||||
the scope of its coverage, prohibits the exercise of, or is
|
||||
conditioned on the non-exercise of one or more of the rights that are
|
||||
specifically granted under this License. You may not convey a covered
|
||||
work if you are a party to an arrangement with a third party that is
|
||||
in the business of distributing software, under which you make payment
|
||||
to the third party based on the extent of your activity of conveying
|
||||
the work, and under which the third party grants, to any of the
|
||||
parties who would receive the covered work from you, a discriminatory
|
||||
patent license (a) in connection with copies of the covered work
|
||||
conveyed by you (or copies made from those copies), or (b) primarily
|
||||
for and in connection with specific products or compilations that
|
||||
contain the covered work, unless you entered into that arrangement,
|
||||
or that patent license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you may
|
||||
not convey it at all. For example, if you agree to terms that obligate you
|
||||
to collect a royalty for further conveying from those to whom you convey
|
||||
the Program, the only way you could satisfy both those terms and this
|
||||
License would be to refrain entirely from conveying the Program.
|
||||
|
||||
13. Remote Network Interaction; Use with the GNU General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, if you modify the
|
||||
Program, your modified version must prominently offer all users
|
||||
interacting with it remotely through a computer network (if your version
|
||||
supports such interaction) an opportunity to receive the Corresponding
|
||||
Source of your version by providing access to the Corresponding Source
|
||||
from a network server at no charge, through some standard or customary
|
||||
means of facilitating copying of software. This Corresponding Source
|
||||
shall include the Corresponding Source for any work covered by version 3
|
||||
of the GNU General Public License that is incorporated pursuant to the
|
||||
following paragraph.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the work with which it is combined will remain governed by version
|
||||
3 of the GNU General Public License.
|
||||
|
||||
14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions of
|
||||
the GNU Affero General Public License from time to time. Such new versions
|
||||
will be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Program specifies that a certain numbered version of the GNU Affero General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU Affero General Public License, you may choose any version ever published
|
||||
by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future
|
||||
versions of the GNU Affero General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||
|
||||
16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGES.
|
||||
|
||||
17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
state the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If your software can interact with users remotely through a computer
|
||||
network, you should also make sure that it provides a way for users to
|
||||
get its source. For example, if your program is a web application, its
|
||||
interface could display a "Source" link that leads users to an archive
|
||||
of the code. There are many ways you could offer source, and different
|
||||
solutions will be better for different programs; see section 13 for the
|
||||
specific requirements.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or school,
|
||||
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||
For more information on this, and how to apply and follow the GNU AGPL, see
|
||||
<https://www.gnu.org/licenses/>.
|
19
README.md
19
README.md
|
@ -1,6 +1,8 @@
|
|||
Diplonat
|
||||
========
|
||||
|
||||
[![status-badge](https://woodpecker.deuxfleurs.fr/api/badges/40/status.svg)](https://woodpecker.deuxfleurs.fr/repos/40)
|
||||
|
||||
## Feature set
|
||||
|
||||
* [X] (Re)Configure NAT via UPNP/IGD (prio: high)
|
||||
|
@ -40,17 +42,18 @@ cargo build
|
|||
consul agent -dev # in a separate terminal
|
||||
|
||||
# adapt following values to your configuration
|
||||
export DIPLONAT_PRIVATE_IP="192.168.0.18"
|
||||
export DIPLONAT_REFRESH_TIME="60"
|
||||
export DIPLONAT_EXPIRATION_TIME="300"
|
||||
export DIPLONAT_CONSUL_NODE_NAME="lheureduthe"
|
||||
export DIPLONAT_FIREWALL_ENABLE="true"
|
||||
export DIPLONAT_FIREWALL_REFRESH_TIME="300"
|
||||
export DIPLONAT_IGD_ENABLE="true"
|
||||
export DIPLONAT_IGD_PRIVATE_IP="192.168.0.18"
|
||||
export DIPLONAT_IGD_REFRESH_TIME="60"
|
||||
export DIPLONAT_IGD_EXPIRATION_TIME="300"
|
||||
export RUST_LOG=debug
|
||||
cargo run
|
||||
```
|
||||
|
||||
## Contributing
|
||||
|
||||
Refer to [CONTRIBUTING.md](./CONTRIBUTING.md).
|
||||
|
||||
## Design Guidelines
|
||||
|
||||
Diplonat is made of a set of Components.
|
||||
|
@ -85,3 +88,7 @@ consul services register -name=fake_dns -tag="(diplonat (udp_port 53) (tcp_port
|
|||
consul services register -name=fake_irc -tag="(diplonat (udp_port 6667 6666))"
|
||||
consul services -id=example
|
||||
```
|
||||
|
||||
## License
|
||||
|
||||
This software is published under the AGPLv3 license.
|
||||
|
|
|
@ -5,13 +5,10 @@ services:
|
|||
image: darkgallium/amd64_diplonat:v2
|
||||
network_mode: host # required by UPNP/IGD
|
||||
environment:
|
||||
DIPLONAT_PRIVATE_IP: 192.168.0.18
|
||||
DIPLONAT_REFRESH_TIME: 60
|
||||
DIPLONAT_EXPIRATION_TIME: 300
|
||||
DIPLONAT_CONSUL_NODE_NAME: lheureduthe
|
||||
DIPLONAT_FIREWALL_ENABLE: true
|
||||
DIPLONAT_FIREWALL_REFRESH_TIME: 60
|
||||
DIPLONAT_IGD_ENABLE: true
|
||||
DIPLONAT_IGD_PRIVATE_IP: 192.168.0.18
|
||||
DIPLONAT_IGD_EXPIRATION_TIME: 300
|
||||
DIPLONAT_IGD_REFRESH_TIME: 60
|
||||
RUST_LOG: debug
|
||||
|
||||
|
||||
|
|
108
flake.lock
Normal file
108
flake.lock
Normal file
|
@ -0,0 +1,108 @@
|
|||
{
|
||||
"nodes": {
|
||||
"cargo2nix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1666087781,
|
||||
"narHash": "sha256-trKVdjMZ8mNkGfLcY5LsJJGtdV3xJDZnMVrkFjErlcs=",
|
||||
"owner": "Alexis211",
|
||||
"repo": "cargo2nix",
|
||||
"rev": "a7a61179b66054904ef6a195d8da736eaaa06c36",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Alexis211",
|
||||
"repo": "cargo2nix",
|
||||
"rev": "a7a61179b66054904ef6a195d8da736eaaa06c36",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1650374568,
|
||||
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1659877975,
|
||||
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1665657542,
|
||||
"narHash": "sha256-mojxNyzbvmp8NtVtxqiHGhRfjCALLfk9i/Uup68Y5q8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a3073c49bc0163fea6a121c276f526837672b555",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a3073c49bc0163fea6a121c276f526837672b555",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"cargo2nix": "cargo2nix",
|
||||
"nixpkgs": "nixpkgs"
|
||||
}
|
||||
},
|
||||
"rust-overlay": {
|
||||
"inputs": {
|
||||
"flake-utils": [
|
||||
"cargo2nix",
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"cargo2nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1664247556,
|
||||
"narHash": "sha256-J4vazHU3609ekn7dr+3wfqPo5WGlZVAgV7jfux352L0=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "524db9c9ea7bc7743bb74cdd45b6d46ea3fcc2ab",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
36
flake.nix
Normal file
36
flake.nix
Normal file
|
@ -0,0 +1,36 @@
|
|||
{
|
||||
description = "A very basic flake";
|
||||
|
||||
inputs.nixpkgs.url = "github:NixOS/nixpkgs/a3073c49bc0163fea6a121c276f526837672b555";
|
||||
inputs.cargo2nix = {
|
||||
# As of 2022-10-18: two small patches over unstable branch, one for clippy and one to fix feature detection
|
||||
url = "github:Alexis211/cargo2nix/a7a61179b66054904ef6a195d8da736eaaa06c36";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, cargo2nix }:
|
||||
let
|
||||
pkgs = import nixpkgs {
|
||||
system = "x86_64-linux";
|
||||
overlays = [ cargo2nix.overlays.default ];
|
||||
};
|
||||
packageFun = import ./Cargo.nix;
|
||||
rustVersion = "1.63.0";
|
||||
|
||||
compile = args: compileMode:
|
||||
let
|
||||
packageSet = pkgs.rustBuilder.makePackageSet ({
|
||||
inherit packageFun rustVersion;
|
||||
} // args);
|
||||
in
|
||||
packageSet.workspace.diplonat {
|
||||
inherit compileMode;
|
||||
};
|
||||
in
|
||||
{
|
||||
test.x86_64-linux.diplonat = compile { release = false; } "test";
|
||||
debug.x86_64-linux.diplonat = compile { release = false; } "build";
|
||||
packages.x86_64-linux.diplonat = compile { release = true; } "build";
|
||||
packages.x86_64-linux.default = self.packages.x86_64-linux.diplonat;
|
||||
};
|
||||
}
|
|
@ -3,9 +3,12 @@ mod options;
|
|||
mod options_test;
|
||||
mod runtime;
|
||||
|
||||
pub use options::{ConfigOpts, ConfigOptsConsul, ConfigOptsAcme, ConfigOptsFirewall, ConfigOptsIgd};
|
||||
pub use runtime::{RuntimeConfig, RuntimeConfigAcme, RuntimeConfigConsul, RuntimeConfigFirewall, RuntimeConfigIgd};
|
||||
pub use options::{ConfigOpts, ConfigOptsBase, ConfigOptsConsul};
|
||||
pub use runtime::{
|
||||
RuntimeConfig, RuntimeConfigConsul, RuntimeConfigFirewall, RuntimeConfigIgd, RuntimeConfigStun,
|
||||
};
|
||||
|
||||
pub const EXPIRATION_TIME: u16 = 300;
|
||||
pub const REFRESH_TIME: u16 = 60;
|
||||
pub const CONSUL_URL: &str = "http://127.0.0.1:8500";
|
||||
pub const STUN_SERVER: &str = "stun.nextcloud.com:443";
|
||||
|
|
|
@ -8,97 +8,70 @@ use crate::config::RuntimeConfig;
|
|||
// This file parses the options that can be declared in the environment.
|
||||
// runtime.rs applies business logic and builds RuntimeConfig structs.
|
||||
|
||||
// - Note for the future -
|
||||
// There is no *need* to have a 'DIPLONAT_XXX_*' prefix for all config options.
|
||||
// If some config options are shared by several modules, a ConfigOptsBase could
|
||||
// contain them, and parse the 'DIPLONAT_*' prefix directly.
|
||||
// Only in runtime.rs would these options find their proper location in each
|
||||
// module's struct.
|
||||
|
||||
/// Base configuration options
|
||||
#[derive(Clone, Default, Deserialize)]
|
||||
pub struct ConfigOptsBase {
|
||||
/// This node's private IP address [default: None]
|
||||
pub private_ip: Option<String>,
|
||||
/// Expiration time for IGD rules [default: 60]
|
||||
pub expiration_time: Option<u16>,
|
||||
/// Refresh time for IGD and Firewall rules [default: 300]
|
||||
pub refresh_time: Option<u16>,
|
||||
/// STUN server [default: stun.nextcloud.com:443]
|
||||
pub stun_server: Option<String>,
|
||||
/// IPv6-only mode (disables IGD, IPv4 firewall and IPv4 address autodiscovery) [default: false]
|
||||
#[serde(default)]
|
||||
pub ipv6_only: bool,
|
||||
}
|
||||
|
||||
/// Consul configuration options
|
||||
#[derive(Clone, Default, Deserialize)]
|
||||
pub struct ConfigOptsConsul {
|
||||
/// Consul's node name [default: None]
|
||||
pub node_name: Option<String>,
|
||||
/// Consul's REST URL [default: "http://127.0.0.1:8500"]
|
||||
pub url: Option<String>,
|
||||
}
|
||||
|
||||
/// ACME configuration options
|
||||
#[derive(Clone, Default, Deserialize)]
|
||||
pub struct ConfigOptsAcme {
|
||||
/// Whether the ACME module is enabled [default: false]
|
||||
#[serde(default)]
|
||||
pub enable: bool,
|
||||
|
||||
/// The default domain holder's e-mail [default: None]
|
||||
pub email: Option<String>,
|
||||
}
|
||||
|
||||
/// Firewall configuration options
|
||||
#[derive(Clone, Default, Deserialize)]
|
||||
pub struct ConfigOptsFirewall {
|
||||
/// Whether the firewall module is enabled [default: false]
|
||||
#[serde(default)]
|
||||
pub enable: bool,
|
||||
|
||||
/// Refresh time for firewall rules [default: 300]
|
||||
pub refresh_time: Option<u16>,
|
||||
}
|
||||
|
||||
/// IGD configuration options
|
||||
#[derive(Clone, Default, Deserialize)]
|
||||
pub struct ConfigOptsIgd {
|
||||
/// Whether the IGD module is enabled [default: false]
|
||||
#[serde(default)]
|
||||
pub enable: bool,
|
||||
|
||||
/// This node's private IP address [default: None]
|
||||
pub private_ip: Option<String>,
|
||||
/// Expiration time for IGD rules [default: 60]
|
||||
pub expiration_time: Option<u16>,
|
||||
/// Refresh time for IGD rules [default: 300]
|
||||
pub refresh_time: Option<u16>,
|
||||
/// Consul's node name [default: None]
|
||||
pub node_name: Option<String>,
|
||||
/// Consul's REST URL [default: "http://127.0.0.1:8500"]
|
||||
pub url: Option<String>,
|
||||
/// Consul's CA certificate [default: None]
|
||||
pub ca_cert: Option<String>,
|
||||
/// Skip TLS verification for Consul server [default: false]
|
||||
#[serde(default)]
|
||||
pub tls_skip_verify: bool,
|
||||
/// Consul's client certificate [default: None]
|
||||
pub client_cert: Option<String>,
|
||||
/// Consul's client key [default: None]
|
||||
pub client_key: Option<String>,
|
||||
}
|
||||
|
||||
/// Model of all potential configuration options
|
||||
pub struct ConfigOpts {
|
||||
pub consul: ConfigOptsConsul,
|
||||
pub acme: ConfigOptsAcme,
|
||||
pub firewall: ConfigOptsFirewall,
|
||||
pub igd: ConfigOptsIgd,
|
||||
pub base: ConfigOptsBase,
|
||||
pub consul: ConfigOptsConsul,
|
||||
}
|
||||
|
||||
impl ConfigOpts {
|
||||
pub fn from_env() -> Result<RuntimeConfig> {
|
||||
let consul: ConfigOptsConsul = envy::prefixed("DIPLONAT_CONSUL_").from_env()?;
|
||||
let acme: ConfigOptsAcme = envy::prefixed("DIPLONAT_ACME_").from_env()?;
|
||||
let firewall: ConfigOptsFirewall = envy::prefixed("DIPLONAT_FIREWALL_").from_env()?;
|
||||
let igd: ConfigOptsIgd = envy::prefixed("DIPLONAT_IGD_").from_env()?;
|
||||
pub fn from_env() -> Result<RuntimeConfig> {
|
||||
let base: ConfigOptsBase = envy::prefixed("DIPLONAT_").from_env()?;
|
||||
let consul: ConfigOptsConsul = envy::prefixed("DIPLONAT_CONSUL_").from_env()?;
|
||||
|
||||
RuntimeConfig::new(Self {
|
||||
consul,
|
||||
acme,
|
||||
firewall,
|
||||
igd,
|
||||
})
|
||||
}
|
||||
RuntimeConfig::new(Self {
|
||||
base: base,
|
||||
consul: consul,
|
||||
})
|
||||
}
|
||||
|
||||
// Currently only used in tests
|
||||
#[allow(dead_code)]
|
||||
pub fn from_iter<Iter: Clone>(iter: Iter) -> Result<RuntimeConfig>
|
||||
where Iter: IntoIterator<Item = (String, String)> {
|
||||
let consul: ConfigOptsConsul = envy::prefixed("DIPLONAT_CONSUL_").from_iter(iter.clone())?;
|
||||
let acme: ConfigOptsAcme = envy::prefixed("DIPLONAT_ACME_").from_iter(iter.clone())?;
|
||||
let firewall: ConfigOptsFirewall = envy::prefixed("DIPLONAT_FIREWALL_").from_iter(iter.clone())?;
|
||||
let igd: ConfigOptsIgd = envy::prefixed("DIPLONAT_IGD_").from_iter(iter.clone())?;
|
||||
// Currently only used in tests
|
||||
#[cfg(test)]
|
||||
pub fn from_iter<Iter: Clone>(iter: Iter) -> Result<RuntimeConfig>
|
||||
where
|
||||
Iter: IntoIterator<Item = (String, String)>,
|
||||
{
|
||||
let base: ConfigOptsBase = envy::prefixed("DIPLONAT_").from_iter(iter.clone())?;
|
||||
let consul: ConfigOptsConsul =
|
||||
envy::prefixed("DIPLONAT_CONSUL_").from_iter(iter.clone())?;
|
||||
|
||||
RuntimeConfig::new(Self {
|
||||
consul,
|
||||
acme,
|
||||
firewall,
|
||||
igd,
|
||||
})
|
||||
}
|
||||
RuntimeConfig::new(Self {
|
||||
base: base,
|
||||
consul: consul,
|
||||
})
|
||||
}
|
||||
}
|
|
@ -1,5 +1,4 @@
|
|||
use std::collections::HashMap;
|
||||
use std::time::Duration;
|
||||
use std::{collections::HashMap, time::Duration};
|
||||
|
||||
use crate::config::*;
|
||||
|
||||
|
@ -10,136 +9,111 @@ use crate::config::*;
|
|||
// This is why we only test ConfigOpts::from_iter(iter).
|
||||
|
||||
fn minimal_valid_options() -> HashMap<String, String> {
|
||||
let mut opts = HashMap::new();
|
||||
opts.insert("DIPLONAT_CONSUL_NODE_NAME".to_string(), "consul_node".to_string());
|
||||
let mut opts = HashMap::new();
|
||||
opts.insert(
|
||||
"DIPLONAT_CONSUL_NODE_NAME".to_string(),
|
||||
"consul_node".to_string(),
|
||||
);
|
||||
opts
|
||||
}
|
||||
|
||||
fn all_valid_options() -> HashMap<String, String> {
|
||||
let mut opts = minimal_valid_options();
|
||||
opts.insert("DIPLONAT_CONSUL_URL".to_string(), "http://127.0.0.1:9999".to_string());
|
||||
opts.insert("DIPLONAT_ACME_ENABLE".to_string(), "true".to_string());
|
||||
opts.insert("DIPLONAT_ACME_EMAIL".to_string(), "bozo@bozo.net".to_string());
|
||||
opts.insert("DIPLONAT_FIREWALL_ENABLE".to_string(), "true".to_string());
|
||||
opts.insert("DIPLONAT_FIREWALL_REFRESH_TIME".to_string(), "20".to_string());
|
||||
opts.insert("DIPLONAT_IGD_ENABLE".to_string(), "true".to_string());
|
||||
opts.insert("DIPLONAT_IGD_PRIVATE_IP".to_string(), "172.123.43.555".to_string());
|
||||
opts.insert("DIPLONAT_IGD_EXPIRATION_TIME".to_string(), "60".to_string());
|
||||
opts.insert("DIPLONAT_IGD_REFRESH_TIME".to_string(), "10".to_string());
|
||||
let mut opts = minimal_valid_options();
|
||||
opts.insert("DIPLONAT_EXPIRATION_TIME".to_string(), "30".to_string());
|
||||
opts.insert(
|
||||
"DIPLONAT_STUN_SERVER".to_string(),
|
||||
"stun.nextcloud.com:443".to_string(),
|
||||
);
|
||||
opts.insert(
|
||||
"DIPLONAT_PRIVATE_IP".to_string(),
|
||||
"172.123.43.55".to_string(),
|
||||
);
|
||||
opts.insert("DIPLONAT_REFRESH_TIME".to_string(), "10".to_string());
|
||||
opts.insert(
|
||||
"DIPLONAT_CONSUL_URL".to_string(),
|
||||
"http://127.0.0.1:9999".to_string(),
|
||||
);
|
||||
opts.insert("DIPLONAT_ACME_ENABLE".to_string(), "true".to_string());
|
||||
opts.insert(
|
||||
"DIPLONAT_ACME_EMAIL".to_string(),
|
||||
"bozo@bozo.net".to_string(),
|
||||
);
|
||||
opts
|
||||
}
|
||||
|
||||
// #[test]
|
||||
// #[should_panic]
|
||||
// fn err_empty_env() {
|
||||
// std::env::remove_var("DIPLONAT_CONSUL_NODE_NAME");
|
||||
// ConfigOpts::from_env().unwrap();
|
||||
// }
|
||||
|
||||
#[test]
|
||||
#[should_panic]
|
||||
fn err_empty_env() {
|
||||
std::env::remove_var("DIPLONAT_CONSUL_NODE_NAME");
|
||||
let opts: HashMap<String, String> = HashMap::new();
|
||||
ConfigOpts::from_iter(opts).unwrap();
|
||||
std::env::remove_var("DIPLONAT_CONSUL_NODE_NAME");
|
||||
ConfigOpts::from_env().unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn ok_minimal_valid_options() {
|
||||
let opts = minimal_valid_options();
|
||||
let rt_config = ConfigOpts::from_iter(opts.clone()).unwrap();
|
||||
fn ok_from_iter_minimal_valid_options() {
|
||||
let opts = minimal_valid_options();
|
||||
let rt_config = ConfigOpts::from_iter(opts.clone()).unwrap();
|
||||
|
||||
assert_eq!(
|
||||
&rt_config.consul.node_name,
|
||||
opts.get(&"DIPLONAT_CONSUL_NODE_NAME".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(
|
||||
rt_config.consul.url,
|
||||
CONSUL_URL.to_string()
|
||||
);
|
||||
assert!(rt_config.acme.is_none());
|
||||
assert!(rt_config.firewall.is_none());
|
||||
assert!(rt_config.igd.is_none());
|
||||
/*assert_eq!(
|
||||
rt_config.firewall.refresh_time,
|
||||
Duration::from_secs(REFRESH_TIME.into())
|
||||
);
|
||||
assert_eq!(
|
||||
&rt_config.igd.private_ip,
|
||||
opts.get(&"DIPLONAT_PRIVATE_IP".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(
|
||||
rt_config.igd.expiration_time,
|
||||
Duration::from_secs(EXPIRATION_TIME.into())
|
||||
);
|
||||
assert_eq!(
|
||||
rt_config.igd.refresh_time,
|
||||
Duration::from_secs(REFRESH_TIME.into())
|
||||
);*/
|
||||
assert_eq!(
|
||||
&rt_config.consul.node_name,
|
||||
opts.get(&"DIPLONAT_CONSUL_NODE_NAME".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(rt_config.consul.url, CONSUL_URL.to_string());
|
||||
assert_eq!(
|
||||
rt_config.firewall.refresh_time,
|
||||
Duration::from_secs(REFRESH_TIME.into())
|
||||
);
|
||||
let igd = rt_config.igd.unwrap();
|
||||
assert!(igd.private_ip.is_none());
|
||||
assert_eq!(
|
||||
igd.expiration_time,
|
||||
Duration::from_secs(EXPIRATION_TIME.into())
|
||||
);
|
||||
assert_eq!(igd.refresh_time, Duration::from_secs(REFRESH_TIME.into()));
|
||||
}
|
||||
|
||||
#[test]
|
||||
#[should_panic]
|
||||
fn err_invalid_igd_options() {
|
||||
let mut opts = minimal_valid_options();
|
||||
opts.insert("DIPLONAT_IGD_ENABLE".to_string(), "true".to_string());
|
||||
opts.insert("DIPLONAT_IGD_EXPIRATION_TIME".to_string(), "60".to_string());
|
||||
opts.insert("DIPLONAT_IGD_REFRESH_TIME".to_string(), "60".to_string());
|
||||
ConfigOpts::from_iter(opts).unwrap();
|
||||
fn err_from_iter_invalid_refresh_time() {
|
||||
let mut opts = minimal_valid_options();
|
||||
opts.insert("DIPLONAT_EXPIRATION_TIME".to_string(), "60".to_string());
|
||||
opts.insert("DIPLONAT_REFRESH_TIME".to_string(), "60".to_string());
|
||||
ConfigOpts::from_iter(opts).unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn ok_all_valid_options() {
|
||||
let opts = all_valid_options();
|
||||
let rt_config = ConfigOpts::from_iter(opts.clone()).unwrap();
|
||||
fn ok_from_iter_all_valid_options() {
|
||||
let opts = all_valid_options();
|
||||
let rt_config = ConfigOpts::from_iter(opts.clone()).unwrap();
|
||||
|
||||
let firewall_refresh_time = Duration::from_secs(
|
||||
opts.get(&"DIPLONAT_FIREWALL_REFRESH_TIME".to_string()).unwrap()
|
||||
.parse::<u64>().unwrap()
|
||||
.into());
|
||||
let igd_expiration_time = Duration::from_secs(
|
||||
opts.get(&"DIPLONAT_IGD_EXPIRATION_TIME".to_string()).unwrap()
|
||||
.parse::<u64>().unwrap()
|
||||
.into());
|
||||
let igd_refresh_time = Duration::from_secs(
|
||||
opts.get(&"DIPLONAT_IGD_REFRESH_TIME".to_string()).unwrap()
|
||||
.parse::<u64>().unwrap()
|
||||
.into());
|
||||
let expiration_time = Duration::from_secs(
|
||||
opts.get(&"DIPLONAT_EXPIRATION_TIME".to_string())
|
||||
.unwrap()
|
||||
.parse::<u64>()
|
||||
.unwrap()
|
||||
.into(),
|
||||
);
|
||||
let refresh_time = Duration::from_secs(
|
||||
opts.get(&"DIPLONAT_REFRESH_TIME".to_string())
|
||||
.unwrap()
|
||||
.parse::<u64>()
|
||||
.unwrap()
|
||||
.into(),
|
||||
);
|
||||
|
||||
assert_eq!(
|
||||
&rt_config.consul.node_name,
|
||||
opts.get(&"DIPLONAT_CONSUL_NODE_NAME".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(
|
||||
&rt_config.consul.url,
|
||||
opts.get(&"DIPLONAT_CONSUL_URL".to_string()).unwrap()
|
||||
);
|
||||
|
||||
assert!(rt_config.acme.is_some());
|
||||
let acme = rt_config.acme.unwrap();
|
||||
assert_eq!(
|
||||
&acme.email,
|
||||
opts.get(&"DIPLONAT_ACME_EMAIL".to_string()).unwrap());
|
||||
|
||||
assert!(rt_config.firewall.is_some());
|
||||
let firewall = rt_config.firewall.unwrap();
|
||||
assert_eq!(
|
||||
firewall.refresh_time,
|
||||
firewall_refresh_time
|
||||
);
|
||||
|
||||
assert!(rt_config.igd.is_some());
|
||||
let igd = rt_config.igd.unwrap();
|
||||
assert_eq!(
|
||||
&igd.private_ip,
|
||||
opts.get(&"DIPLONAT_IGD_PRIVATE_IP".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(
|
||||
igd.expiration_time,
|
||||
igd_expiration_time
|
||||
);
|
||||
assert_eq!(
|
||||
igd.refresh_time,
|
||||
igd_refresh_time
|
||||
);
|
||||
assert_eq!(
|
||||
&rt_config.consul.node_name,
|
||||
opts.get(&"DIPLONAT_CONSUL_NODE_NAME".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(
|
||||
&rt_config.consul.url,
|
||||
opts.get(&"DIPLONAT_CONSUL_URL".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(rt_config.firewall.refresh_time, refresh_time);
|
||||
let igd = rt_config.igd.unwrap();
|
||||
assert_eq!(
|
||||
&igd.private_ip.unwrap().to_string(),
|
||||
opts.get(&"DIPLONAT_PRIVATE_IP".to_string()).unwrap()
|
||||
);
|
||||
assert_eq!(igd.expiration_time, expiration_time);
|
||||
assert_eq!(igd.refresh_time, refresh_time);
|
||||
}
|
|
@ -1,130 +1,191 @@
|
|||
use std::fs::File;
|
||||
use std::io::Read;
|
||||
use std::net::{Ipv4Addr, SocketAddr, ToSocketAddrs};
|
||||
use std::time::Duration;
|
||||
|
||||
use anyhow::{Result, anyhow};
|
||||
use anyhow::{anyhow, bail, Context, Result};
|
||||
|
||||
use crate::config::{ConfigOpts, ConfigOptsConsul, ConfigOptsAcme, ConfigOptsFirewall, ConfigOptsIgd};
|
||||
use crate::config::{ConfigOpts, ConfigOptsBase, ConfigOptsConsul};
|
||||
|
||||
// This code is inspired by the Trunk crate (https://github.com/thedodd/trunk)
|
||||
|
||||
// In this file, we take ConfigOpts and transform them into ready-to-use RuntimeConfig.
|
||||
// We apply default values and business logic.
|
||||
|
||||
// Consul config is mandatory, all the others are optional.
|
||||
// In this file, we take ConfigOpts and transform them into ready-to-use
|
||||
// RuntimeConfig. We apply default values and business logic.
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct RuntimeConfigConsul {
|
||||
pub node_name: String,
|
||||
pub url: String,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct RuntimeConfigAcme {
|
||||
pub email: String,
|
||||
pub node_name: String,
|
||||
pub url: String,
|
||||
pub tls: Option<(Option<reqwest::Certificate>, bool, reqwest::Identity)>,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct RuntimeConfigFirewall {
|
||||
pub refresh_time: Duration,
|
||||
pub ipv6_only: bool,
|
||||
pub refresh_time: Duration,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct RuntimeConfigIgd {
|
||||
pub private_ip: String,
|
||||
pub expiration_time: Duration,
|
||||
pub refresh_time: Duration,
|
||||
pub private_ip: Option<Ipv4Addr>,
|
||||
pub expiration_time: Duration,
|
||||
pub refresh_time: Duration,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct RuntimeConfigStun {
|
||||
pub stun_server_v4: Option<SocketAddr>,
|
||||
pub stun_server_v6: SocketAddr,
|
||||
pub refresh_time: Duration,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct RuntimeConfig {
|
||||
pub consul: RuntimeConfigConsul,
|
||||
pub acme: Option<RuntimeConfigAcme>,
|
||||
pub firewall: Option<RuntimeConfigFirewall>,
|
||||
pub igd: Option<RuntimeConfigIgd>,
|
||||
pub consul: RuntimeConfigConsul,
|
||||
pub firewall: RuntimeConfigFirewall,
|
||||
pub igd: Option<RuntimeConfigIgd>,
|
||||
pub stun: RuntimeConfigStun,
|
||||
}
|
||||
|
||||
impl RuntimeConfig {
|
||||
pub fn new(opts: ConfigOpts) -> Result<Self> {
|
||||
let consul = RuntimeConfigConsul::new(opts.consul.clone())?;
|
||||
let acme = RuntimeConfigAcme::new(opts.acme.clone())?;
|
||||
let firewall = RuntimeConfigFirewall::new(opts.firewall.clone())?;
|
||||
let igd = RuntimeConfigIgd::new(opts.igd.clone())?;
|
||||
pub fn new(opts: ConfigOpts) -> Result<Self> {
|
||||
let consul = RuntimeConfigConsul::new(opts.consul)?;
|
||||
let firewall = RuntimeConfigFirewall::new(&opts.base)?;
|
||||
let igd = match opts.base.ipv6_only {
|
||||
false => Some(RuntimeConfigIgd::new(&opts.base)?),
|
||||
true => None,
|
||||
};
|
||||
let stun = RuntimeConfigStun::new(&opts.base)?;
|
||||
|
||||
Ok(Self {
|
||||
acme,
|
||||
consul,
|
||||
firewall,
|
||||
igd,
|
||||
})
|
||||
}
|
||||
Ok(Self {
|
||||
consul,
|
||||
firewall,
|
||||
igd,
|
||||
stun,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl RuntimeConfigConsul {
|
||||
pub(super) fn new(opts: ConfigOptsConsul) -> Result<Self> {
|
||||
let node_name = opts.node_name.expect(
|
||||
"'DIPLONAT_CONSUL_NODE_NAME' is required");
|
||||
let url = opts.url.unwrap_or(super::CONSUL_URL.to_string());
|
||||
pub(super) fn new(opts: ConfigOptsConsul) -> Result<Self> {
|
||||
let node_name = opts
|
||||
.node_name
|
||||
.expect("'DIPLONAT_CONSUL_NODE_NAME' environment variable is required");
|
||||
let url = opts.url.unwrap_or(super::CONSUL_URL.to_string());
|
||||
|
||||
Ok(Self {
|
||||
node_name,
|
||||
url,
|
||||
})
|
||||
}
|
||||
}
|
||||
let tls = match (&opts.client_cert, &opts.client_key) {
|
||||
(Some(client_cert), Some(client_key)) => {
|
||||
let cert = match &opts.ca_cert {
|
||||
Some(ca_cert) => {
|
||||
let mut ca_cert_buf = vec![];
|
||||
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
|
||||
Some(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
|
||||
}
|
||||
None => None,
|
||||
};
|
||||
|
||||
impl RuntimeConfigAcme {
|
||||
pub fn new(opts: ConfigOptsAcme) -> Result<Option<Self>> {
|
||||
if !opts.enable {
|
||||
return Ok(None);
|
||||
}
|
||||
let mut client_cert_buf = vec![];
|
||||
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
|
||||
|
||||
let email = opts.email.expect(
|
||||
"'DIPLONAT_ACME_EMAIL' is required if ACME is enabled");
|
||||
let mut client_key_buf = vec![];
|
||||
File::open(client_key)?.read_to_end(&mut client_key_buf)?;
|
||||
|
||||
Ok(Some(Self {
|
||||
email,
|
||||
}))
|
||||
}
|
||||
let ident = reqwest::Identity::from_pem(
|
||||
&[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
|
||||
)?;
|
||||
|
||||
Some((cert, opts.tls_skip_verify, ident))
|
||||
}
|
||||
(None, None) => None,
|
||||
_ => bail!("Incomplete TLS configuration parameters"),
|
||||
};
|
||||
|
||||
Ok(Self {
|
||||
node_name,
|
||||
url,
|
||||
tls,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl RuntimeConfigFirewall {
|
||||
pub(super) fn new(opts: ConfigOptsFirewall) -> Result<Option<Self>> {
|
||||
if !opts.enable {
|
||||
return Ok(None);
|
||||
}
|
||||
pub(super) fn new(opts: &ConfigOptsBase) -> Result<Self> {
|
||||
let refresh_time =
|
||||
Duration::from_secs(opts.refresh_time.unwrap_or(super::REFRESH_TIME).into());
|
||||
|
||||
let refresh_time = Duration::from_secs(
|
||||
opts.refresh_time.unwrap_or(super::REFRESH_TIME).into());
|
||||
|
||||
Ok(Some(Self {
|
||||
refresh_time,
|
||||
}))
|
||||
}
|
||||
Ok(Self {
|
||||
refresh_time,
|
||||
ipv6_only: opts.ipv6_only,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl RuntimeConfigIgd {
|
||||
pub(super) fn new(opts: ConfigOptsIgd) -> Result<Option<Self>> {
|
||||
if !opts.enable {
|
||||
return Ok(None);
|
||||
}
|
||||
pub(super) fn new(opts: &ConfigOptsBase) -> Result<Self> {
|
||||
let private_ip = opts
|
||||
.private_ip
|
||||
.as_ref()
|
||||
.map(|x| x.parse())
|
||||
.transpose()
|
||||
.context("parse private_ip")?;
|
||||
let expiration_time = Duration::from_secs(
|
||||
opts.expiration_time
|
||||
.unwrap_or(super::EXPIRATION_TIME)
|
||||
.into(),
|
||||
);
|
||||
let refresh_time =
|
||||
Duration::from_secs(opts.refresh_time.unwrap_or(super::REFRESH_TIME).into());
|
||||
|
||||
let private_ip = opts.private_ip.expect(
|
||||
"'DIPLONAT_IGD_PRIVATE_IP' is required if IGD is enabled");
|
||||
let expiration_time = Duration::from_secs(
|
||||
opts.expiration_time.unwrap_or(super::EXPIRATION_TIME).into());
|
||||
let refresh_time = Duration::from_secs(
|
||||
opts.refresh_time.unwrap_or(super::REFRESH_TIME).into());
|
||||
if refresh_time.as_secs() * 2 > expiration_time.as_secs() {
|
||||
return Err(anyhow!(
|
||||
"IGD expiration time (currently: {}s) must be at least twice bigger than refresh time \
|
||||
(currently: {}s)",
|
||||
expiration_time.as_secs(),
|
||||
refresh_time.as_secs()
|
||||
));
|
||||
}
|
||||
|
||||
if refresh_time.as_secs() * 2 > expiration_time.as_secs() {
|
||||
return Err(anyhow!(
|
||||
"IGD expiration time (currently: {}s) must be at least twice bigger than refresh time (currently: {}s)",
|
||||
expiration_time.as_secs(),
|
||||
refresh_time.as_secs()));
|
||||
}
|
||||
|
||||
Ok(Some(Self {
|
||||
private_ip,
|
||||
expiration_time,
|
||||
refresh_time,
|
||||
}))
|
||||
}
|
||||
Ok(Self {
|
||||
private_ip,
|
||||
expiration_time,
|
||||
refresh_time,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
impl RuntimeConfigStun {
|
||||
pub(super) fn new(opts: &ConfigOptsBase) -> Result<Self> {
|
||||
let mut stun_server_v4 = None;
|
||||
let mut stun_server_v6 = None;
|
||||
for addr in opts
|
||||
.stun_server
|
||||
.as_deref()
|
||||
.unwrap_or(super::STUN_SERVER)
|
||||
.to_socket_addrs()?
|
||||
{
|
||||
if addr.is_ipv4() {
|
||||
stun_server_v4 = Some(addr);
|
||||
}
|
||||
if addr.is_ipv6() {
|
||||
stun_server_v6 = Some(addr);
|
||||
}
|
||||
}
|
||||
|
||||
let refresh_time =
|
||||
Duration::from_secs(opts.refresh_time.unwrap_or(super::REFRESH_TIME).into());
|
||||
|
||||
let stun_server_v4 = match opts.ipv6_only {
|
||||
false => Some(
|
||||
stun_server_v4.ok_or(anyhow!("Unable to resolve STUN server's IPv4 address"))?,
|
||||
),
|
||||
true => None,
|
||||
};
|
||||
|
||||
Ok(Self {
|
||||
stun_server_v4,
|
||||
stun_server_v6: stun_server_v6
|
||||
.ok_or(anyhow!("Unable to resolve STUN server's IPv6 address"))?,
|
||||
refresh_time,
|
||||
})
|
||||
}
|
||||
}
|
|
@ -1,50 +1,86 @@
|
|||
use std::collections::HashMap;
|
||||
|
||||
use anyhow::{Result, anyhow};
|
||||
use serde::{Serialize, Deserialize};
|
||||
use anyhow::{anyhow, Result};
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use crate::config::RuntimeConfigConsul;
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
pub struct ServiceEntry {
|
||||
pub Tags: Vec<String>
|
||||
#[serde(rename = "Tags")]
|
||||
pub tags: Vec<String>,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
#[derive(Serialize, Deserialize, Debug, Default)]
|
||||
pub struct CatalogNode {
|
||||
pub Services: HashMap<String, ServiceEntry>
|
||||
#[serde(rename = "Services")]
|
||||
pub services: HashMap<String, ServiceEntry>,
|
||||
}
|
||||
|
||||
pub struct Consul {
|
||||
client: reqwest::Client,
|
||||
url: String,
|
||||
idx: Option<u64>
|
||||
client: reqwest::Client,
|
||||
url: String,
|
||||
idx: Option<u64>,
|
||||
}
|
||||
|
||||
impl Consul {
|
||||
pub fn new(url: &str) -> Self {
|
||||
return Self {
|
||||
client: reqwest::Client::new(),
|
||||
url: url.to_string(),
|
||||
idx: None
|
||||
};
|
||||
}
|
||||
pub fn new(config: &RuntimeConfigConsul) -> Self {
|
||||
let client = if let Some((ca, skip_verify, ident)) = config.tls.clone() {
|
||||
if skip_verify {
|
||||
reqwest::Client::builder()
|
||||
.use_rustls_tls()
|
||||
.danger_accept_invalid_certs(true)
|
||||
.identity(ident)
|
||||
.build()
|
||||
.expect("Unable to build reqwest client")
|
||||
} else if let Some(ca) = ca {
|
||||
reqwest::Client::builder()
|
||||
.use_rustls_tls()
|
||||
.add_root_certificate(ca)
|
||||
.identity(ident)
|
||||
.build()
|
||||
.expect("Unable to build reqwest client")
|
||||
} else {
|
||||
reqwest::Client::builder()
|
||||
.use_rustls_tls()
|
||||
.identity(ident)
|
||||
.build()
|
||||
.expect("Unable to build reqwest client")
|
||||
}
|
||||
} else {
|
||||
reqwest::Client::new()
|
||||
};
|
||||
return Self {
|
||||
client,
|
||||
url: config.url.clone(),
|
||||
idx: None,
|
||||
};
|
||||
}
|
||||
|
||||
pub fn watch_node_reset(&mut self) -> () {
|
||||
self.idx = None;
|
||||
}
|
||||
pub fn watch_node_reset(&mut self) -> () {
|
||||
self.idx = None;
|
||||
}
|
||||
|
||||
pub async fn watch_node(&mut self, host: &str) -> Result<CatalogNode> {
|
||||
let url = match self.idx {
|
||||
Some(i) => format!("{}/v1/catalog/node/{}?index={}", self.url, host, i),
|
||||
None => format!("{}/v1/catalog/node/{}", self.url, host)
|
||||
};
|
||||
pub async fn watch_node(&mut self, host: &str) -> Result<CatalogNode> {
|
||||
let url = match self.idx {
|
||||
Some(i) => format!("{}/v1/catalog/node/{}?index={}", self.url, host, i),
|
||||
None => format!("{}/v1/catalog/node/{}", self.url, host),
|
||||
};
|
||||
|
||||
let http = self.client.get(&url).send().await?;
|
||||
self.idx = match http.headers().get("X-Consul-Index") {
|
||||
Some(v) => Some(v.to_str()?.parse::<u64>()?),
|
||||
None => return Err(anyhow!("X-Consul-Index header not found"))
|
||||
};
|
||||
let http = self.client.get(&url).send().await?;
|
||||
self.idx = match http.headers().get("X-Consul-Index") {
|
||||
Some(v) => Some(v.to_str()?.parse::<u64>()?),
|
||||
None => return Err(anyhow!("X-Consul-Index header not found")),
|
||||
};
|
||||
|
||||
let resp: CatalogNode = http.json().await?;
|
||||
return Ok(resp)
|
||||
}
|
||||
let resp: Option<CatalogNode> = http.json().await?;
|
||||
return Ok(resp.unwrap_or_default());
|
||||
}
|
||||
|
||||
pub async fn kv_put(&self, key: &str, bytes: Vec<u8>) -> Result<()> {
|
||||
let url = format!("{}/v1/kv/{}", self.url, key);
|
||||
let http = self.client.put(&url).body(bytes).send().await?;
|
||||
http.error_for_status()?;
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,114 +1,120 @@
|
|||
use std::cmp;
|
||||
use std::collections::HashSet;
|
||||
use std::time::Duration;
|
||||
use std::{cmp, collections::HashSet, time::Duration};
|
||||
|
||||
use anyhow::Result;
|
||||
use log::*;
|
||||
use serde::{Serialize, Deserialize};
|
||||
use serde_lexpr::{from_str,error};
|
||||
use tokio::sync::watch;
|
||||
use tokio::time::delay_for;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use serde_lexpr::{error, from_str};
|
||||
use tokio::{sync::watch, time::sleep};
|
||||
|
||||
use crate::config::RuntimeConfigConsul;
|
||||
use crate::consul;
|
||||
use crate::messages;
|
||||
use crate::{consul, messages};
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
pub enum DiplonatParameter {
|
||||
tcp_port(HashSet<u16>),
|
||||
udp_port(HashSet<u16>)
|
||||
#[serde(rename = "tcp_port")]
|
||||
TcpPort(HashSet<u16>),
|
||||
#[serde(rename = "udp_port")]
|
||||
UdpPort(HashSet<u16>),
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
pub enum DiplonatConsul {
|
||||
diplonat(Vec<DiplonatParameter>)
|
||||
#[serde(rename = "diplonat")]
|
||||
Diplonat(Vec<DiplonatParameter>),
|
||||
}
|
||||
|
||||
pub struct ConsulActor {
|
||||
pub rx_open_ports: watch::Receiver<messages::PublicExposedPorts>,
|
||||
pub rx_open_ports: watch::Receiver<messages::PublicExposedPorts>,
|
||||
|
||||
consul: consul::Consul,
|
||||
node: String,
|
||||
retries: u32,
|
||||
|
||||
tx_open_ports: watch::Sender<messages::PublicExposedPorts>
|
||||
consul: consul::Consul,
|
||||
node: String,
|
||||
retries: u32,
|
||||
tx_open_ports: watch::Sender<messages::PublicExposedPorts>,
|
||||
}
|
||||
|
||||
fn retry_to_time(retries: u32, max_time: Duration) -> Duration {
|
||||
// 1.2^x seems to be a good value to exponentially increase time at a good pace
|
||||
// eg. 1.2^32 = 341 seconds ~= 5 minutes - ie. after 32 retries we wait 5 minutes
|
||||
return Duration::from_secs(cmp::min(max_time.as_secs(), 1.2f64.powf(retries as f64) as u64))
|
||||
// 1.2^x seems to be a good value to exponentially increase time at a good pace
|
||||
// eg. 1.2^32 = 341 seconds ~= 5 minutes - ie. after 32 retries we wait 5
|
||||
// minutes
|
||||
return Duration::from_secs(cmp::min(
|
||||
max_time.as_secs(),
|
||||
1.2f64.powf(retries as f64) as u64,
|
||||
));
|
||||
}
|
||||
|
||||
fn to_parameters(catalog: &consul::CatalogNode) -> Vec<DiplonatConsul> {
|
||||
let mut r = Vec::new();
|
||||
let mut r = Vec::new();
|
||||
|
||||
for (_, service_info) in &catalog.Services {
|
||||
for tag in &service_info.Tags {
|
||||
let diplo_conf: error::Result<DiplonatConsul> = from_str(tag);
|
||||
match diplo_conf {
|
||||
Ok(conf) => r.push(conf),
|
||||
Err(e) => debug!("Failed to parse entry {}. {}", tag, e),
|
||||
};
|
||||
for (_, service_info) in &catalog.services {
|
||||
for tag in &service_info.tags {
|
||||
let diplo_conf: error::Result<DiplonatConsul> = from_str(tag);
|
||||
match diplo_conf {
|
||||
Ok(conf) => r.push(conf),
|
||||
Err(e) => debug!("Failed to parse entry {}. {}", tag, e),
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return r;
|
||||
return r;
|
||||
}
|
||||
|
||||
fn to_open_ports(params: &Vec<DiplonatConsul>) -> messages::PublicExposedPorts {
|
||||
let mut op = messages::PublicExposedPorts {
|
||||
tcp_ports: HashSet::new(),
|
||||
udp_ports: HashSet::new()
|
||||
};
|
||||
let mut op = messages::PublicExposedPorts {
|
||||
tcp_ports: HashSet::new(),
|
||||
udp_ports: HashSet::new(),
|
||||
};
|
||||
|
||||
for conf in params {
|
||||
let DiplonatConsul::diplonat(c) = conf;
|
||||
for parameter in c {
|
||||
match parameter {
|
||||
DiplonatParameter::tcp_port(p) => op.tcp_ports.extend(p),
|
||||
DiplonatParameter::udp_port(p) => op.udp_ports.extend(p),
|
||||
};
|
||||
for conf in params {
|
||||
let DiplonatConsul::Diplonat(c) = conf;
|
||||
for parameter in c {
|
||||
match parameter {
|
||||
DiplonatParameter::TcpPort(p) => op.tcp_ports.extend(p),
|
||||
DiplonatParameter::UdpPort(p) => op.udp_ports.extend(p),
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return op;
|
||||
return op;
|
||||
}
|
||||
|
||||
impl ConsulActor {
|
||||
pub fn new(config: RuntimeConfigConsul) -> Self {
|
||||
let (tx, rx) = watch::channel(messages::PublicExposedPorts{
|
||||
tcp_ports: HashSet::new(),
|
||||
udp_ports: HashSet::new()
|
||||
});
|
||||
pub fn new(config: &RuntimeConfigConsul, node: &str) -> Self {
|
||||
let (tx, rx) = watch::channel(messages::PublicExposedPorts {
|
||||
tcp_ports: HashSet::new(),
|
||||
udp_ports: HashSet::new(),
|
||||
});
|
||||
|
||||
return Self {
|
||||
consul: consul::Consul::new(&config.url),
|
||||
node: config.node_name,
|
||||
retries: 0,
|
||||
rx_open_ports: rx,
|
||||
tx_open_ports: tx,
|
||||
};
|
||||
}
|
||||
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
loop {
|
||||
let catalog = match self.consul.watch_node(&self.node).await {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
self.consul.watch_node_reset();
|
||||
self.retries = cmp::min(std::u32::MAX - 1, self.retries) + 1;
|
||||
let will_retry_in = retry_to_time(self.retries, Duration::from_secs(600));
|
||||
error!("Failed to query consul. Will retry in {}s. {}", will_retry_in.as_secs(), e);
|
||||
delay_for(will_retry_in).await;
|
||||
continue;
|
||||
}
|
||||
};
|
||||
self.retries = 0;
|
||||
let msg = to_open_ports(&to_parameters(&catalog));
|
||||
debug!("Extracted configuration: {:#?}", msg);
|
||||
|
||||
self.tx_open_ports.broadcast(msg)?;
|
||||
return Self {
|
||||
consul: consul::Consul::new(config),
|
||||
rx_open_ports: rx,
|
||||
tx_open_ports: tx,
|
||||
node: node.to_string(),
|
||||
retries: 0,
|
||||
};
|
||||
}
|
||||
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
loop {
|
||||
let catalog = match self.consul.watch_node(&self.node).await {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
self.consul.watch_node_reset();
|
||||
self.retries = cmp::min(std::u32::MAX - 1, self.retries) + 1;
|
||||
let will_retry_in = retry_to_time(self.retries, Duration::from_secs(600));
|
||||
error!(
|
||||
"Failed to query consul. Will retry in {}s. {}",
|
||||
will_retry_in.as_secs(),
|
||||
e
|
||||
);
|
||||
sleep(will_retry_in).await;
|
||||
continue;
|
||||
}
|
||||
};
|
||||
self.retries = 0;
|
||||
let msg = to_open_ports(&to_parameters(&catalog));
|
||||
debug!("Extracted configuration: {:#?}", msg);
|
||||
|
||||
self.tx_open_ports.send(msg)?;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
115
src/diplonat.rs
115
src/diplonat.rs
|
@ -1,69 +1,78 @@
|
|||
use anyhow::{Result, anyhow};
|
||||
use anyhow::{Context, Result};
|
||||
use futures::future::FutureExt;
|
||||
use tokio::try_join;
|
||||
|
||||
use crate::config::ConfigOpts;
|
||||
use crate::consul_actor::ConsulActor;
|
||||
use crate::fw_actor::FirewallActor;
|
||||
use crate::igd_actor::IgdActor;
|
||||
use crate::{
|
||||
config::ConfigOpts, consul_actor::ConsulActor, fw_actor::FirewallActor, igd_actor::IgdActor,
|
||||
stun_actor::StunActor,
|
||||
};
|
||||
|
||||
pub struct Diplonat {
|
||||
consul: ConsulActor,
|
||||
|
||||
firewall: Option<FirewallActor>,
|
||||
igd: Option<IgdActor>,
|
||||
consul: ConsulActor,
|
||||
firewall: FirewallActor,
|
||||
igd: Option<IgdActor>,
|
||||
stun: StunActor,
|
||||
}
|
||||
|
||||
impl Diplonat {
|
||||
pub async fn new() -> Result<Self> {
|
||||
let config = ConfigOpts::from_env()?;
|
||||
println!("{:#?}", config);
|
||||
pub async fn new() -> Result<Self> {
|
||||
let rt_cfg = ConfigOpts::from_env().context("Parse configuration")?;
|
||||
println!("{:#?}", rt_cfg);
|
||||
|
||||
let consul_actor = ConsulActor::new(config.consul);
|
||||
let ca = ConsulActor::new(&rt_cfg.consul, &rt_cfg.consul.node_name);
|
||||
|
||||
let firewall_actor = FirewallActor::new(
|
||||
config.firewall,
|
||||
&consul_actor.rx_open_ports
|
||||
).await?;
|
||||
let fw = FirewallActor::new(
|
||||
rt_cfg.firewall.ipv6_only,
|
||||
rt_cfg.firewall.refresh_time,
|
||||
&ca.rx_open_ports,
|
||||
)
|
||||
.await
|
||||
.context("Setup fireall actor")?;
|
||||
|
||||
let igd_actor = IgdActor::new(
|
||||
config.igd,
|
||||
&consul_actor.rx_open_ports
|
||||
).await?;
|
||||
let ia = match rt_cfg.igd {
|
||||
Some(igdc) => Some(
|
||||
IgdActor::new(
|
||||
igdc.private_ip,
|
||||
igdc.refresh_time,
|
||||
igdc.expiration_time,
|
||||
&ca.rx_open_ports,
|
||||
)
|
||||
.await
|
||||
.context("Setup IGD actor")?,
|
||||
),
|
||||
None => None,
|
||||
};
|
||||
|
||||
if firewall_actor.is_none() && igd_actor.is_none() {
|
||||
return Err(anyhow!(
|
||||
"At least enable *one* module, otherwise it's boring!"));
|
||||
let sa = StunActor::new(&rt_cfg.consul, &rt_cfg.stun, &rt_cfg.consul.node_name);
|
||||
|
||||
let ctx = Self {
|
||||
consul: ca,
|
||||
igd: ia,
|
||||
firewall: fw,
|
||||
stun: sa,
|
||||
};
|
||||
|
||||
Ok(ctx)
|
||||
}
|
||||
|
||||
let ctx = Self {
|
||||
consul: consul_actor,
|
||||
firewall: firewall_actor,
|
||||
igd: igd_actor,
|
||||
};
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
let igd_opt = &mut self.igd;
|
||||
|
||||
return Ok(ctx);
|
||||
}
|
||||
try_join!(
|
||||
self.consul.listen().map(|x| x.context("Run consul actor")),
|
||||
async {
|
||||
if let Some(igd) = igd_opt {
|
||||
igd.listen().await.context("Run IGD actor")
|
||||
} else {
|
||||
Ok(())
|
||||
}
|
||||
},
|
||||
self.firewall
|
||||
.listen()
|
||||
.map(|x| x.context("Run firewall actor")),
|
||||
self.stun.listen().map(|x| x.context("Run STUN actor")),
|
||||
)?;
|
||||
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
let firewall = &mut self.firewall;
|
||||
let igd = &mut self.igd;
|
||||
|
||||
try_join!(
|
||||
self.consul.listen(),
|
||||
async {
|
||||
match firewall {
|
||||
Some(x) => x.listen().await,
|
||||
None => Ok(())
|
||||
}
|
||||
},
|
||||
async {
|
||||
match igd {
|
||||
Some(x) => x.listen().await,
|
||||
None => Ok(())
|
||||
}
|
||||
},
|
||||
)?;
|
||||
|
||||
return Ok(());
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
|
62
src/fw.rs
62
src/fw.rs
|
@ -1,6 +1,6 @@
|
|||
use std::collections::HashSet;
|
||||
|
||||
use anyhow::{Result,Context};
|
||||
use anyhow::{Context, Result};
|
||||
use iptables;
|
||||
use log::*;
|
||||
use regex::Regex;
|
||||
|
@ -8,23 +8,37 @@ use regex::Regex;
|
|||
use crate::messages;
|
||||
|
||||
pub fn setup(ipt: &iptables::IPTables) -> Result<()> {
|
||||
|
||||
// ensure we start from a clean state without any rule already set
|
||||
cleanup(ipt)?;
|
||||
|
||||
ipt.new_chain("filter", "DIPLONAT").context("Failed to create new chain")?;
|
||||
ipt.insert_unique("filter", "INPUT", "-j DIPLONAT", 1).context("Failed to insert jump rule")?;
|
||||
info!("{}: creating DIPLONAT chain", ipt.cmd);
|
||||
ipt.new_chain("filter", "DIPLONAT")
|
||||
.context("Failed to create new chain")?;
|
||||
ipt.insert_unique("filter", "INPUT", "-j DIPLONAT", 1)
|
||||
.context("Failed to insert jump rule")?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn open_ports(ipt: &iptables::IPTables, ports: messages::PublicExposedPorts) -> Result<()> {
|
||||
for p in ports.tcp_ports {
|
||||
ipt.append("filter", "DIPLONAT", &format!("-p tcp --dport {} -j ACCEPT", p)).context("Failed to insert port rule")?;
|
||||
info!("{}: opening TCP port {}", ipt.cmd, p);
|
||||
ipt.append(
|
||||
"filter",
|
||||
"DIPLONAT",
|
||||
&format!("-p tcp --dport {} -j ACCEPT", p),
|
||||
)
|
||||
.context("Failed to insert port rule")?;
|
||||
}
|
||||
|
||||
for p in ports.udp_ports {
|
||||
ipt.append("filter", "DIPLONAT", &format!("-p udp --dport {} -j ACCEPT", p)).context("Failed to insert port rule")?;
|
||||
info!("{}: opening UDP port {}", ipt.cmd, p);
|
||||
ipt.append(
|
||||
"filter",
|
||||
"DIPLONAT",
|
||||
&format!("-p udp --dport {} -j ACCEPT", p),
|
||||
)
|
||||
.context("Failed to insert port rule")?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
|
@ -33,51 +47,57 @@ pub fn open_ports(ipt: &iptables::IPTables, ports: messages::PublicExposedPorts)
|
|||
pub fn get_opened_ports(ipt: &iptables::IPTables) -> Result<messages::PublicExposedPorts> {
|
||||
let mut ports = messages::PublicExposedPorts {
|
||||
tcp_ports: HashSet::new(),
|
||||
udp_ports: HashSet::new()
|
||||
udp_ports: HashSet::new(),
|
||||
};
|
||||
|
||||
let list = ipt.list("filter", "DIPLONAT")?;
|
||||
let re = Regex::new(r"\-A.*? \-p (\w+).*\-\-dport (\d+).*?\-j ACCEPT").context("Regex matching open ports encountered an unexpected rule")?;
|
||||
let re = Regex::new(r"\-A.*? \-p (\w+).*\-\-dport (\d+).*?\-j ACCEPT")
|
||||
.context("Regex matching open ports encountered an unexpected rule")?;
|
||||
for i in list {
|
||||
debug!("{} list DIPLONAT: got {}", ipt.cmd, i);
|
||||
let caps = re.captures(&i);
|
||||
match caps {
|
||||
Some(c) => {
|
||||
|
||||
if let (Some(raw_proto), Some(raw_port)) = (c.get(1), c.get(2)) {
|
||||
|
||||
let proto = String::from(raw_proto.as_str());
|
||||
let number = String::from(raw_port.as_str()).parse::<u16>()?;
|
||||
|
||||
if proto == "tcp" {
|
||||
if proto == "tcp" || proto == "6" {
|
||||
ports.tcp_ports.insert(number);
|
||||
} else {
|
||||
} else if proto == "udp" || proto == "17" {
|
||||
ports.udp_ports.insert(number);
|
||||
} else {
|
||||
error!("Unexpected protocol in iptables rule: {}", proto);
|
||||
}
|
||||
|
||||
} else {
|
||||
error!("Unexpected rule found in DIPLONAT chain")
|
||||
}
|
||||
|
||||
},
|
||||
_ => {}
|
||||
}
|
||||
_ => {
|
||||
debug!("{} rule not parsed: {}", ipt.cmd, i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
debug!("{} ports already openned: {:?}", ipt.cmd, ports);
|
||||
|
||||
Ok(ports)
|
||||
}
|
||||
|
||||
pub fn cleanup(ipt: &iptables::IPTables) -> Result<()> {
|
||||
|
||||
if ipt.chain_exists("filter", "DIPLONAT")? {
|
||||
ipt.flush_chain("filter", "DIPLONAT").context("Failed to flush the DIPLONAT chain")?;
|
||||
info!("{}: removing old DIPLONAT chain", ipt.cmd);
|
||||
ipt.flush_chain("filter", "DIPLONAT")
|
||||
.context("Failed to flush the DIPLONAT chain")?;
|
||||
|
||||
if ipt.exists("filter", "INPUT", "-j DIPLONAT")? {
|
||||
ipt.delete("filter", "INPUT", "-j DIPLONAT").context("Failed to delete jump rule")?;
|
||||
ipt.delete("filter", "INPUT", "-j DIPLONAT")
|
||||
.context("Failed to delete jump rule")?;
|
||||
}
|
||||
|
||||
ipt.delete_chain("filter", "DIPLONAT").context("Failed to delete chain")?;
|
||||
ipt.delete_chain("filter", "DIPLONAT")
|
||||
.context("Failed to delete chain")?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
|
|
140
src/fw_actor.rs
140
src/fw_actor.rs
|
@ -4,82 +4,100 @@ use anyhow::Result;
|
|||
use iptables;
|
||||
use log::*;
|
||||
use tokio::{
|
||||
select,
|
||||
sync::watch,
|
||||
time::{
|
||||
Duration,
|
||||
self,
|
||||
}};
|
||||
|
||||
use crate::config::RuntimeConfigFirewall;
|
||||
use crate::fw;
|
||||
use crate::messages;
|
||||
select,
|
||||
sync::watch,
|
||||
time::{self, Duration},
|
||||
};
|
||||
|
||||
use crate::{fw, messages};
|
||||
|
||||
pub struct FirewallActor {
|
||||
pub ipt: iptables::IPTables,
|
||||
|
||||
last_ports: messages::PublicExposedPorts,
|
||||
refresh: Duration,
|
||||
|
||||
rx_ports: watch::Receiver<messages::PublicExposedPorts>,
|
||||
pub ipt_v4: Option<iptables::IPTables>,
|
||||
pub ipt_v6: iptables::IPTables,
|
||||
rx_ports: watch::Receiver<messages::PublicExposedPorts>,
|
||||
last_ports: messages::PublicExposedPorts,
|
||||
refresh: Duration,
|
||||
}
|
||||
|
||||
impl FirewallActor {
|
||||
pub async fn new(config: Option<RuntimeConfigFirewall>, rxp: &watch::Receiver<messages::PublicExposedPorts>) -> Result<Option<Self>> {
|
||||
if config.is_none() {
|
||||
return Ok(None);
|
||||
pub async fn new(
|
||||
ipv6_only: bool,
|
||||
refresh: Duration,
|
||||
rxp: &watch::Receiver<messages::PublicExposedPorts>,
|
||||
) -> Result<Self> {
|
||||
let ctx = Self {
|
||||
ipt_v4: match ipv6_only {
|
||||
false => Some(iptables::new(false)?),
|
||||
true => None,
|
||||
},
|
||||
ipt_v6: iptables::new(true)?,
|
||||
rx_ports: rxp.clone(),
|
||||
last_ports: messages::PublicExposedPorts::new(),
|
||||
refresh,
|
||||
};
|
||||
|
||||
if let Some(ipt_v4) = &ctx.ipt_v4 {
|
||||
fw::setup(ipt_v4)?;
|
||||
}
|
||||
fw::setup(&ctx.ipt_v6)?;
|
||||
|
||||
return Ok(ctx);
|
||||
}
|
||||
let config = config.unwrap();
|
||||
|
||||
let ctx = Self {
|
||||
ipt: iptables::new(false)?,
|
||||
last_ports: messages::PublicExposedPorts::new(),
|
||||
refresh: config.refresh_time,
|
||||
rx_ports: rxp.clone(),
|
||||
};
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
let mut interval = time::interval(self.refresh);
|
||||
loop {
|
||||
// 1. Wait for an event
|
||||
let new_ports = select! {
|
||||
_ = self.rx_ports.changed() => Some(self.rx_ports.borrow().clone()),
|
||||
_ = interval.tick() => None,
|
||||
else => return Ok(()) // Sender dropped, terminate loop.
|
||||
};
|
||||
|
||||
fw::setup(&ctx.ipt)?;
|
||||
// 2. Update last ports if needed
|
||||
if let Some(p) = new_ports {
|
||||
self.last_ports = p;
|
||||
}
|
||||
|
||||
return Ok(Some(ctx));
|
||||
}
|
||||
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
let mut interval = time::interval(self.refresh);
|
||||
loop {
|
||||
// 1. Wait for an event
|
||||
let new_ports = select! {
|
||||
Some(ports) = self.rx_ports.recv() => Some(ports),
|
||||
_ = interval.tick() => None,
|
||||
else => return Ok(()) // Sender dropped, terminate loop.
|
||||
};
|
||||
|
||||
// 2. Update last ports if needed
|
||||
if let Some(p) = new_ports { self.last_ports = p; }
|
||||
|
||||
// 3. Update firewall rules
|
||||
match self.do_fw_update().await {
|
||||
Ok(()) => debug!("Successfully updated firewall rules"),
|
||||
Err(e) => error!("An error occured while updating firewall rules. {}", e),
|
||||
}
|
||||
// 3. Update firewall rules
|
||||
match self.do_fw_update().await {
|
||||
Ok(()) => debug!("Successfully updated firewall rules"),
|
||||
Err(e) => error!("An error occured while updating firewall rules. {}", e),
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn do_fw_update(&self) -> Result<()> {
|
||||
let curr_opened_ports = fw::get_opened_ports(&self.ipt)?;
|
||||
pub async fn do_fw_update(&self) -> Result<()> {
|
||||
if let Some(ipt_v4) = &self.ipt_v4 {
|
||||
self.do_fw_update_on(ipt_v4).await?;
|
||||
}
|
||||
self.do_fw_update_on(&self.ipt_v6).await?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
let diff_tcp = self.last_ports.tcp_ports.difference(&curr_opened_ports.tcp_ports).copied().collect::<HashSet<u16>>();
|
||||
let diff_udp = self.last_ports.udp_ports.difference(&curr_opened_ports.udp_ports).copied().collect::<HashSet<u16>>();
|
||||
pub async fn do_fw_update_on(&self, ipt: &iptables::IPTables) -> Result<()> {
|
||||
let curr_opened_ports = fw::get_opened_ports(ipt)?;
|
||||
|
||||
let ports_to_open = messages::PublicExposedPorts {
|
||||
tcp_ports: diff_tcp,
|
||||
udp_ports: diff_udp
|
||||
};
|
||||
let diff_tcp = self
|
||||
.last_ports
|
||||
.tcp_ports
|
||||
.difference(&curr_opened_ports.tcp_ports)
|
||||
.copied()
|
||||
.collect::<HashSet<u16>>();
|
||||
let diff_udp = self
|
||||
.last_ports
|
||||
.udp_ports
|
||||
.difference(&curr_opened_ports.udp_ports)
|
||||
.copied()
|
||||
.collect::<HashSet<u16>>();
|
||||
|
||||
fw::open_ports(&self.ipt, ports_to_open)?;
|
||||
let ports_to_open = messages::PublicExposedPorts {
|
||||
tcp_ports: diff_tcp,
|
||||
udp_ports: diff_udp,
|
||||
};
|
||||
|
||||
return Ok(());
|
||||
}
|
||||
fw::open_ports(ipt, ports_to_open)?;
|
||||
|
||||
return Ok(());
|
||||
}
|
||||
}
|
||||
|
||||
|
|
180
src/igd_actor.rs
180
src/igd_actor.rs
|
@ -1,90 +1,122 @@
|
|||
use std::net::SocketAddrV4;
|
||||
use std::net::{Ipv4Addr, SocketAddrV4};
|
||||
|
||||
use anyhow::{Result, Context};
|
||||
use igd::aio::*;
|
||||
use igd::PortMappingProtocol;
|
||||
use anyhow::{Context, Result};
|
||||
use igd::{aio::*, PortMappingProtocol};
|
||||
use log::*;
|
||||
use tokio::{
|
||||
select,
|
||||
sync::watch,
|
||||
time::{
|
||||
Duration,
|
||||
self,
|
||||
}};
|
||||
select,
|
||||
sync::watch,
|
||||
time::{self, Duration},
|
||||
};
|
||||
|
||||
use crate::config::RuntimeConfigIgd;
|
||||
use crate::messages;
|
||||
|
||||
pub struct IgdActor {
|
||||
expire: Duration,
|
||||
gateway: Gateway,
|
||||
last_ports: messages::PublicExposedPorts,
|
||||
private_ip: String,
|
||||
refresh: Duration,
|
||||
|
||||
rx_ports: watch::Receiver<messages::PublicExposedPorts>,
|
||||
last_ports: messages::PublicExposedPorts,
|
||||
rx_ports: watch::Receiver<messages::PublicExposedPorts>,
|
||||
gateway: Gateway,
|
||||
refresh: Duration,
|
||||
expire: Duration,
|
||||
private_ip: Ipv4Addr,
|
||||
}
|
||||
|
||||
impl IgdActor {
|
||||
pub async fn new(config: Option<RuntimeConfigIgd>, rxp: &watch::Receiver<messages::PublicExposedPorts>) -> Result<Option<Self>> {
|
||||
if config.is_none() {
|
||||
return Ok(None);
|
||||
}
|
||||
let config = config.unwrap();
|
||||
pub async fn new(
|
||||
priv_ip: Option<Ipv4Addr>,
|
||||
refresh: Duration,
|
||||
expire: Duration,
|
||||
rxp: &watch::Receiver<messages::PublicExposedPorts>,
|
||||
) -> Result<Self> {
|
||||
let gw = search_gateway(Default::default())
|
||||
.await
|
||||
.context("Failed to find IGD gateway")?;
|
||||
info!("IGD gateway: {}", gw);
|
||||
|
||||
let gw = search_gateway(Default::default())
|
||||
.await
|
||||
.context("Failed to find IGD gateway")?;
|
||||
info!("IGD gateway: {}", gw);
|
||||
let private_ip = if let Some(ip) = priv_ip {
|
||||
info!("Using private IP from config: {}", ip);
|
||||
ip
|
||||
} else {
|
||||
info!("Trying to automatically detect private IP");
|
||||
let gwa = gw.addr.ip().octets();
|
||||
let cmplen = match gwa {
|
||||
[192, 168, _, _] => 3,
|
||||
[10, _, _, _] => 2,
|
||||
_ => panic!(
|
||||
"Gateway IP does not appear to be in a local network ({})",
|
||||
gw.addr.ip()
|
||||
),
|
||||
};
|
||||
#[allow(unused_parens)]
|
||||
let private_ip = get_if_addrs::get_if_addrs()?
|
||||
.into_iter()
|
||||
.map(|i| i.addr.ip())
|
||||
.filter_map(|a| match a {
|
||||
std::net::IpAddr::V4(a4) if a4.octets()[..cmplen] == gwa[..cmplen] => Some(a4),
|
||||
_ => None,
|
||||
})
|
||||
.next()
|
||||
.expect("No interface has an IP on same subnet as gateway");
|
||||
info!("Autodetected private IP: {}", private_ip);
|
||||
private_ip
|
||||
};
|
||||
|
||||
let ctx = Self {
|
||||
expire: config.expiration_time,
|
||||
gateway: gw,
|
||||
last_ports: messages::PublicExposedPorts::new(),
|
||||
private_ip: config.private_ip,
|
||||
refresh: config.refresh_time,
|
||||
rx_ports: rxp.clone(),
|
||||
};
|
||||
let ctx = Self {
|
||||
gateway: gw,
|
||||
rx_ports: rxp.clone(),
|
||||
private_ip,
|
||||
refresh: refresh,
|
||||
expire: expire,
|
||||
last_ports: messages::PublicExposedPorts::new(),
|
||||
};
|
||||
|
||||
return Ok(Some(ctx));
|
||||
}
|
||||
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
let mut interval = time::interval(self.refresh);
|
||||
loop {
|
||||
// 1. Wait for an event
|
||||
let new_ports = select! {
|
||||
Some(ports) = self.rx_ports.recv() => Some(ports),
|
||||
_ = interval.tick() => None,
|
||||
else => return Ok(()) // Sender dropped, terminate loop.
|
||||
};
|
||||
|
||||
// 2. Update last ports if needed
|
||||
if let Some(p) = new_ports { self.last_ports = p; }
|
||||
|
||||
// 3. Flush IGD requests
|
||||
match self.do_igd().await {
|
||||
Ok(()) => debug!("Successfully updated IGD"),
|
||||
Err(e) => error!("An error occured while updating IGD. {}", e),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn do_igd(&self) -> Result<()> {
|
||||
let actions = [
|
||||
(PortMappingProtocol::TCP, &self.last_ports.tcp_ports),
|
||||
(PortMappingProtocol::UDP, &self.last_ports.udp_ports)
|
||||
];
|
||||
|
||||
for (proto, list) in actions.iter() {
|
||||
for port in *list {
|
||||
let service_str = format!("{}:{}", self.private_ip, port);
|
||||
let service = service_str.parse::<SocketAddrV4>().context("Invalid socket address")?;
|
||||
self.gateway.add_port(*proto, *port, service, self.expire.as_secs() as u32, "diplonat").await?;
|
||||
debug!("IGD request successful for {:#?} {}", proto, service);
|
||||
}
|
||||
return Ok(ctx);
|
||||
}
|
||||
|
||||
return Ok(());
|
||||
}
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
let mut interval = time::interval(self.refresh);
|
||||
loop {
|
||||
// 1. Wait for an event
|
||||
let new_ports = select! {
|
||||
_ = self.rx_ports.changed() => Some(self.rx_ports.borrow().clone()),
|
||||
_ = interval.tick() => None,
|
||||
else => return Ok(()) // Sender dropped, terminate loop.
|
||||
};
|
||||
|
||||
// 2. Update last ports if needed
|
||||
if let Some(p) = new_ports {
|
||||
self.last_ports = p;
|
||||
}
|
||||
|
||||
// 3. Flush IGD requests
|
||||
match self.do_igd().await {
|
||||
Ok(()) => debug!("Successfully updated IGD"),
|
||||
Err(e) => error!("An error occured while updating IGD. {}", e),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn do_igd(&self) -> Result<()> {
|
||||
let actions = [
|
||||
(PortMappingProtocol::TCP, &self.last_ports.tcp_ports),
|
||||
(PortMappingProtocol::UDP, &self.last_ports.udp_ports),
|
||||
];
|
||||
|
||||
for (proto, list) in actions.iter() {
|
||||
for port in *list {
|
||||
let service = SocketAddrV4::new(self.private_ip, *port);
|
||||
self.gateway
|
||||
.add_port(
|
||||
*proto,
|
||||
*port,
|
||||
service,
|
||||
self.expire.as_secs() as u32,
|
||||
"diplonat",
|
||||
)
|
||||
.await?;
|
||||
debug!("IGD request successful for {:#?} {}", proto, service);
|
||||
}
|
||||
}
|
||||
|
||||
return Ok(());
|
||||
}
|
||||
}
|
||||
|
|
15
src/main.rs
15
src/main.rs
|
@ -6,15 +6,20 @@ mod fw;
|
|||
mod fw_actor;
|
||||
mod igd_actor;
|
||||
mod messages;
|
||||
mod stun_actor;
|
||||
|
||||
use log::*;
|
||||
use diplonat::Diplonat;
|
||||
use log::*;
|
||||
|
||||
#[tokio::main]
|
||||
async fn main() {
|
||||
pretty_env_logger::init();
|
||||
info!("Starting Diplonat");
|
||||
pretty_env_logger::init();
|
||||
info!("Starting Diplonat");
|
||||
|
||||
let mut diplo = Diplonat::new().await.expect("Setup failed");
|
||||
diplo.listen().await.expect("A runtime error occured");
|
||||
Diplonat::new()
|
||||
.await
|
||||
.expect("Setup failed")
|
||||
.listen()
|
||||
.await
|
||||
.expect("A runtime error occured");
|
||||
}
|
||||
|
|
|
@ -2,15 +2,15 @@ use std::collections::HashSet;
|
|||
|
||||
#[derive(Debug, Clone, PartialEq, Eq)]
|
||||
pub struct PublicExposedPorts {
|
||||
pub tcp_ports: HashSet<u16>,
|
||||
pub udp_ports: HashSet<u16>
|
||||
pub tcp_ports: HashSet<u16>,
|
||||
pub udp_ports: HashSet<u16>,
|
||||
}
|
||||
|
||||
impl PublicExposedPorts {
|
||||
pub fn new() -> Self {
|
||||
return Self {
|
||||
tcp_ports: HashSet::new(),
|
||||
udp_ports: HashSet::new()
|
||||
pub fn new() -> Self {
|
||||
return Self {
|
||||
tcp_ports: HashSet::new(),
|
||||
udp_ports: HashSet::new(),
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
176
src/stun_actor.rs
Normal file
176
src/stun_actor.rs
Normal file
|
@ -0,0 +1,176 @@
|
|||
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
|
||||
use std::time::{Duration, SystemTime};
|
||||
|
||||
use anyhow::{anyhow, bail, Result};
|
||||
use log::*;
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use crate::config::{RuntimeConfigConsul, RuntimeConfigStun};
|
||||
use crate::consul;
|
||||
|
||||
/// If autodiscovery returns None but an address was obtained less than
|
||||
/// this number of seconds ago (here 15 minutes), we keep that address
|
||||
/// in the Consul db instead of insterting a None.
|
||||
const PERSIST_SOME_RESULT_DURATION_SECS: u64 = 900;
|
||||
|
||||
pub struct StunActor {
|
||||
consul: consul::Consul,
|
||||
refresh_time: Duration,
|
||||
|
||||
autodiscovery_v4: StunAutodiscovery,
|
||||
autodiscovery_v6: StunAutodiscovery,
|
||||
}
|
||||
|
||||
pub struct StunAutodiscovery {
|
||||
consul_key: String,
|
||||
is_ipv4: bool,
|
||||
stun_server: Option<SocketAddr>,
|
||||
last_result: Option<AutodiscoverResult>,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
pub struct AutodiscoverResult {
|
||||
pub timestamp: u64,
|
||||
pub address: Option<IpAddr>,
|
||||
}
|
||||
|
||||
impl StunActor {
|
||||
pub fn new(
|
||||
consul_config: &RuntimeConfigConsul,
|
||||
stun_config: &RuntimeConfigStun,
|
||||
node: &str,
|
||||
) -> Self {
|
||||
assert!(stun_config
|
||||
.stun_server_v4
|
||||
.map(|x| x.is_ipv4())
|
||||
.unwrap_or(true));
|
||||
assert!(stun_config.stun_server_v6.is_ipv6());
|
||||
|
||||
let autodiscovery_v4 = StunAutodiscovery {
|
||||
consul_key: format!("diplonat/autodiscovery/ipv4/{}", node),
|
||||
is_ipv4: true,
|
||||
stun_server: stun_config.stun_server_v4,
|
||||
last_result: None,
|
||||
};
|
||||
|
||||
let autodiscovery_v6 = StunAutodiscovery {
|
||||
consul_key: format!("diplonat/autodiscovery/ipv6/{}", node),
|
||||
is_ipv4: false,
|
||||
stun_server: Some(stun_config.stun_server_v6),
|
||||
last_result: None,
|
||||
};
|
||||
|
||||
Self {
|
||||
consul: consul::Consul::new(consul_config),
|
||||
autodiscovery_v4,
|
||||
autodiscovery_v6,
|
||||
refresh_time: stun_config.refresh_time,
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn listen(&mut self) -> Result<()> {
|
||||
loop {
|
||||
if let Err(e) = self.autodiscovery_v4.do_iteration(&self.consul).await {
|
||||
error!("Unable to autodiscover IPv4 address: {}", e);
|
||||
}
|
||||
|
||||
if let Err(e) = self.autodiscovery_v6.do_iteration(&self.consul).await {
|
||||
error!("Unable to autodiscover IPv6 address: {}", e);
|
||||
}
|
||||
tokio::time::sleep(self.refresh_time).await;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl StunAutodiscovery {
|
||||
async fn do_iteration(&mut self, consul: &consul::Consul) -> Result<()> {
|
||||
let binding_ip = match self.is_ipv4 {
|
||||
true => IpAddr::V4(Ipv4Addr::UNSPECIFIED), // 0.0.0.0
|
||||
false => IpAddr::V6(Ipv6Addr::UNSPECIFIED), // [::]
|
||||
};
|
||||
let binding_addr = SocketAddr::new(binding_ip, 0);
|
||||
|
||||
let discovered_addr = match self.stun_server {
|
||||
Some(stun_server) => {
|
||||
assert_eq!(self.is_ipv4, stun_server.is_ipv4());
|
||||
|
||||
get_mapped_addr(stun_server, binding_addr)
|
||||
.await?
|
||||
.map(|x| x.ip())
|
||||
}
|
||||
None => None,
|
||||
};
|
||||
|
||||
let now = timestamp();
|
||||
|
||||
if discovered_addr.is_none() {
|
||||
if let Some(last_result) = &self.last_result {
|
||||
if last_result.address.is_some()
|
||||
&& now - last_result.timestamp <= PERSIST_SOME_RESULT_DURATION_SECS
|
||||
{
|
||||
// Keep non-None result that was obtained before by not
|
||||
// writing/taking into account None result.
|
||||
return Ok(());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
let current_result = AutodiscoverResult {
|
||||
timestamp: now,
|
||||
address: discovered_addr,
|
||||
};
|
||||
|
||||
let msg = format!(
|
||||
"STUN autodiscovery result: {} -> {:?}",
|
||||
self.consul_key, discovered_addr
|
||||
);
|
||||
if self.last_result.as_ref().and_then(|x| x.address) != discovered_addr {
|
||||
info!("{}", msg);
|
||||
} else {
|
||||
debug!("{}", msg);
|
||||
}
|
||||
|
||||
consul
|
||||
.kv_put(&self.consul_key, serde_json::to_vec(¤t_result)?)
|
||||
.await?;
|
||||
|
||||
self.last_result = Some(current_result);
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
async fn get_mapped_addr(
|
||||
stun_server: SocketAddr,
|
||||
binding_addr: SocketAddr,
|
||||
) -> Result<Option<SocketAddr>> {
|
||||
use stun_client::*;
|
||||
|
||||
let mut client = Client::new(binding_addr, None).await?;
|
||||
let res = match client.binding_request(stun_server, None).await {
|
||||
Err(e) => {
|
||||
info!(
|
||||
"STUN binding request to {} failed, assuming no address (error: {})",
|
||||
binding_addr, e
|
||||
);
|
||||
return Ok(None);
|
||||
}
|
||||
Ok(r) => r,
|
||||
};
|
||||
|
||||
if res.get_class() != Class::SuccessResponse {
|
||||
bail!("STUN server did not responde with a success response");
|
||||
}
|
||||
|
||||
let xor_mapped_addr = Attribute::get_xor_mapped_address(&res)
|
||||
.ok_or(anyhow!("no XorMappedAddress found in STUN response"))?;
|
||||
|
||||
Ok(Some(xor_mapped_addr))
|
||||
}
|
||||
|
||||
fn timestamp() -> u64 {
|
||||
SystemTime::now()
|
||||
.duration_since(SystemTime::UNIX_EPOCH)
|
||||
.expect("clock error")
|
||||
.as_secs()
|
||||
}
|
Loading…
Reference in a new issue