Tproxy inbound support (linux only) #141
Open
janeblower wants to merge 19 commits into
Move the match-on-TcpServerSetupResult block into a new pub async fn process_setup_result so future tproxy inbound code can call it directly without going through TcpServerHandler trait dispatch. process_stream now delegates to process_setup_result after the setup timeout logic. Behavior is identical. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the Tproxy variant to ServerProxyConfig with tcp_enabled and udp_enabled boolean fields (both defaulting to true), Display arm, serde round-trip tests, and a placeholder arm in tcp_server_handler_factory. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Reject tproxy configs early: non-Linux builds, QUIC transport, unix-socket bind, and both tcp_enabled+udp_enabled disabled. Add four unit tests covering all error paths and the happy path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ings Add #[cfg(target_os = "linux")] to tproxy_rejects_quic_transport, tproxy_rejects_unix_socket_bind, and tproxy_rejects_both_disabled so they are not compiled on non-Linux hosts where the early-return message differs. Add new tproxy_rejects_quic_settings test covering the quic_settings.is_some() rejection path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Create src/tproxy/ module (Linux-only) with low-level socket factory functions: new_tproxy_tcp_listener, new_tproxy_udp_socket, and new_tproxy_udp_send_socket, each applying the appropriate IP_TRANSPARENT / IPV6_TRANSPARENT / IP_RECVORIGDSTADDR setsockopt calls via libc. Tests skip gracefully on EPERM (no CAP_NET_ADMIN) and run fully when privileged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add start_tproxy_servers to src/tproxy/mod.rs with per-bind TCP and UDP run-loop helpers; dispatch ServerProxyConfig::Tproxy from start_servers in tcp_server.rs (Linux cfg-gated); replace the unreachable!() placeholder in tcp_server_handler_factory.rs with a clear panic message; remove #![allow(dead_code)] from all three tproxy submodules now that the items are wired in. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPROXY inbound support (Linux)

Adds a new `tproxy` server protocol that accepts traffic redirected by the kernel via iptables/nftables + `IP_TRANSPARENT`, recovers the original destination, and forwards it through the normal outbound chain.

What's included

- `ServerProxyConfig::Tproxy` variant with `tcp_enabled`/`udp_enabled` flags and validation (Linux-only, requires non-empty bind addresses, rejects nested protocols).
- `IP_TRANSPARENT` listener; original destination read from the accepted socket.
- `recvmsg` + cmsg parsing (`IP_ORIGDSTADDR`/`IPV6_ORIGDSTADDR`), source-address spoofing on replies via a per-destination send-socket cache, race-safe session insertion, and per-packet error tolerance.
- `start_tproxy_servers` wired into startup.
- `NetLocation::from_socket_addr`; `process_setup_result` extracted from `process_stream` for reuse.
- `examples/tproxy.yaml` with iptables/`ip rule` setup, plus a section in `CONFIG.md`.

Notes

- `CAP_NET_RAW` (or `CAP_NET_ADMIN`, or root).
- `MSG_CTRUNC` is detected and surfaced.
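The `recvmsg` + cmsg step and the `MSG_CTRUNC` note above, as an added illustration that is not code from this PR: it walks a Linux control buffer, recovers the pre-redirect destination from `IP_ORIGDSTADDR` / `IPV6_ORIGDSTADDR`, and refuses to return an address when the kernel reports truncation. The socket-option constants, the `cmsghdr` layout and the `build_cmsg` helper are assumed Linux values and constructed input, not taken from the project.

```rust
use std::convert::{TryFrom, TryInto}; use std::mem::size_of;
use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6};
const SOL_IP: i32 = 0;    const IP_ORIGDSTADDR: i32 = 20; // Linux values (assumed); ORIGDSTADDR == RECVORIGDSTADDR
const SOL_IPV6: i32 = 41; const IPV6_ORIGDSTADDR: i32 = 74;
const MSG_CTRUNC: i32 = 0x08;
const AF_INET: u16 = 2;   const AF_INET6: u16 = 10;
const USZ: usize = size_of::<usize>();
/// CMSG_ALIGN(3) rounds to size_t alignment; cmsghdr is { size_t cmsg_len; int cmsg_level; int cmsg_type; }.
fn cmsg_align(n: usize) -> usize { (n + USZ - 1) & !(USZ - 1) }
fn cmsg_hdr_len() -> usize { cmsg_align(USZ + 8) }
/// Recover the pre-redirect destination from recvmsg(2) ancillary data. `msg_flags` is
/// msghdr.msg_flags after the call; MSG_CTRUNC means cmsgs were dropped, so fail closed.
pub fn parse_orig_dst(control: &[u8], msg_flags: i32) -> Result<SocketAddr, String> {
    if msg_flags & MSG_CTRUNC != 0 {
        return Err("MSG_CTRUNC set: control buffer too small, original dst unknown".into());
    }
    let (hdr, mut off) = (cmsg_hdr_len(), 0usize);
    while off + hdr <= control.len() {
        let h = &control[off..off + hdr];
        let cmsg_len = usize::from_ne_bytes(h[..USZ].try_into().unwrap());
        let level = i32::from_ne_bytes(h[USZ..USZ + 4].try_into().unwrap());
        let ctype = i32::from_ne_bytes(h[USZ + 4..USZ + 8].try_into().unwrap());
        if cmsg_len < hdr || off + cmsg_len > control.len() {
            return Err(format!("malformed cmsghdr at offset {}", off));
        }
        let d = &control[off + hdr..off + cmsg_len]; // sockaddr_in / sockaddr_in6 bytes
        let family = d.get(..2).map(|f| u16::from_ne_bytes([f[0], f[1]]));
        match (level, ctype, family) {
            (SOL_IP, IP_ORIGDSTADDR, Some(AF_INET)) if d.len() >= 8 => {
                let ip = Ipv4Addr::new(d[4], d[5], d[6], d[7]);
                return Ok(SocketAddrV4::new(ip, u16::from_be_bytes([d[2], d[3]])).into());
            }
            (SOL_IPV6, IPV6_ORIGDSTADDR, Some(AF_INET6)) if d.len() >= 28 => {
                let ip = Ipv6Addr::from(<[u8; 16]>::try_from(&d[8..24]).unwrap());
                let (flow, scope) = (u32::from_be_bytes(d[4..8].try_into().unwrap()),
                                     u32::from_ne_bytes(d[24..28].try_into().unwrap()));
                return Ok(SocketAddrV6::new(ip, u16::from_be_bytes([d[2], d[3]]), flow, scope).into());
            }
            _ => off += cmsg_align(cmsg_len), // unrelated cmsg (e.g. a timestamp): skip it
        }
    }
    Err("no ORIGDSTADDR cmsg; was IP_RECVORIGDSTADDR set on the socket?".into())
}
/// Lay out one cmsg exactly as the kernel would (constructed input for testing, not real traffic).
pub fn build_cmsg(level: i32, ctype: i32, payload: &[u8]) -> Vec<u8> {
    let (hdr, len) = (cmsg_hdr_len(), cmsg_hdr_len() + payload.len());
    let mut buf = vec![0u8; cmsg_align(len)];
    buf[..USZ].copy_from_slice(&len.to_ne_bytes());
    buf[USZ..USZ + 4].copy_from_slice(&level.to_ne_bytes());
    buf[USZ + 4..USZ + 8].copy_from_slice(&ctype.to_ne_bytes());
    buf[hdr..len].copy_from_slice(payload);
    buf
}
```

Sizing the control buffer with `CMSG_SPACE(sizeof(struct sockaddr_in6))` plus room for any other enabled cmsgs is what keeps `MSG_CTRUNC` from firing in practice.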