refactor(proto): share Ethernet safety classification
Safety filtering now applies at several tunnel boundaries. The relay remains the trust boundary, while the client and gateway also drop unsafe frames before spending relay bandwidth. Duplicating EtherType and IPv4/IPv6 parsers across crates would make those rules drift as the MVP grows.

Move the Ethernet safety classifiers into lanparty-proto, expose typed safety drop reasons, and map them back into the existing DropReason vocabulary. The relay now uses the shared client and gateway classifiers, the gateway keeps its local LAN-send drops through the shared classifier, and the client drops the same remote-to-LAN safety cases before QUIC DATAGRAM encoding. Document the client-side local drops and list the additional suspicious drop reasons in the manual MVP test guide.

Test Plan:
- cargo test -p lanparty-proto safety
- cargo test -p lanparty-client-core connects_to_relay_control_stream_as_client
- cargo test -p lanparty-gateway connects_to_relay_control_stream_as_gateway
- cargo test -p lanparty-relay
- cargo fmt --check
- cargo test --workspace
- cargo clippy --workspace --all-targets -- -D warnings
- cargo check -p lanparty-client-tap --target x86_64-pc-windows-gnu --tests
- cargo check -p lanparty-client-route --target x86_64-pc-windows-gnu --tests
- cargo check -p lanparty-client-tap --target x86_64-pc-windows-msvc --tests
- cargo check -p lanparty-client-route --target x86_64-pc-windows-msvc --tests
- git diff --check

Refs: PLAN.md safety filters and client source-MAC isolation
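As an added illustration of the shared classifier the commit message describes (example code, not lanparty-proto's own: the SafetyDrop variant names, the 1514-byte frame limit, the hypothetical classify_* and frame-builder helpers, and the DHCPv4-only server-reply rule are all assumptions made here), this shows a gateway-side remote-to-LAN classifier plus the client-side source-MAC wrapper that reuses it, run over constructed sample frames:

```rust
// Added example of a shared Ethernet safety classifier like the one the commit
// describes. Not lanparty-proto's code: names, limits and rules are assumptions.
/// Typed safety drop reasons (an assumed vocabulary, not the project's DropReason).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SafetyDrop {
    Malformed,
    Jumbo,
    InvalidSourceMac,
    UnauthorizedSourceMac,
    VlanTagged,
    L2ControlPlane,
    DhcpServerReply,
    Ipv6RouterAdvertisement,
    Ipv6Fragment,
}
pub const MAX_FRAME_LEN: usize = 1514; // 14-byte header + 1500-byte payload; larger is jumbo
const BRIDGE_GROUP_PREFIX: [u8; 5] = [0x01, 0x80, 0xC2, 0x00, 0x00]; // 802.1D reserved: STP, LACP, PAUSE

fn be16(b: &[u8], at: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*b.get(at)?, *b.get(at + 1)?]))
}

/// Gateway-side check on a frame a remote client wants injected into the LAN.
/// Ok(()) means forward; Err carries the typed reason for the drop counter.
pub fn classify_remote_to_lan(frame: &[u8]) -> Result<(), SafetyDrop> {
    if frame.len() < 14 {
        return Err(SafetyDrop::Malformed);
    }
    if frame.len() > MAX_FRAME_LEN {
        return Err(SafetyDrop::Jumbo);
    }
    if frame[..5] == BRIDGE_GROUP_PREFIX {
        return Err(SafetyDrop::L2ControlPlane);
    }
    match be16(frame, 12).unwrap() {
        0x8100 | 0x88A8 => Err(SafetyDrop::VlanTagged),     // 802.1Q / 802.1ad tag
        0x88CC | 0x888E => Err(SafetyDrop::L2ControlPlane), // LLDP / EAPOL
        0x0800 => classify_ipv4(&frame[14..]),
        0x86DD => classify_ipv6(&frame[14..]),
        _ => Ok(()), // ARP and other EtherTypes pass in this example
    }
}

/// Client-side check before QUIC DATAGRAM encoding: the source must be the
/// client's own unicast MAC, then the same LAN-injection rules apply.
pub fn classify_client_send(frame: &[u8], own_mac: [u8; 6]) -> Result<(), SafetyDrop> {
    match frame.get(6..12) {
        None => Err(SafetyDrop::Malformed),
        Some(src) if src[0] & 1 == 1 => Err(SafetyDrop::InvalidSourceMac), // group bit set
        Some(src) if *src != own_mac => Err(SafetyDrop::UnauthorizedSourceMac),
        Some(_) => classify_remote_to_lan(frame),
    }
}

fn classify_ipv4(p: &[u8]) -> Result<(), SafetyDrop> {
    let ihl = usize::from(p.first().copied().unwrap_or(0) & 0x0F) * 4;
    if p.len() < 20 || p[0] >> 4 != 4 || ihl < 20 || p.len() < ihl {
        return Err(SafetyDrop::Malformed);
    }
    // UDP ports exist only in the first fragment (fragment offset == 0).
    if p[9] == 17 && be16(p, 6).unwrap() & 0x1FFF == 0 {
        let src_port = be16(p, ihl).ok_or(SafetyDrop::Malformed)?;
        let dst_port = be16(p, ihl + 2).ok_or(SafetyDrop::Malformed)?;
        if src_port == 67 && dst_port == 68 {
            return Err(SafetyDrop::DhcpServerReply); // only a LAN DHCP server talks 67 -> 68
        }
    }
    Ok(())
}

fn classify_ipv6(p: &[u8]) -> Result<(), SafetyDrop> {
    if p.len() < 40 || p[0] >> 4 != 6 {
        return Err(SafetyDrop::Malformed);
    }
    match (p[6], p.get(40).copied()) {
        (44, _) => Err(SafetyDrop::Ipv6Fragment), // fragment header hides the upper layer
        (58, Some(134)) => Err(SafetyDrop::Ipv6RouterAdvertisement), // ICMPv6 type 134
        (58, None) => Err(SafetyDrop::Malformed),
        _ => Ok(()),
    }
}

/// Constructed sample frames for the demo and tests (not captured traffic).
pub fn eth(dst: [u8; 6], src: [u8; 6], ethertype: u16, payload: &[u8]) -> Vec<u8> {
    [&dst[..], &src[..], &ethertype.to_be_bytes()[..], payload].concat()
}
/// Minimal IPv4+UDP header; checksums stay zero since the classifier never verifies them.
pub fn ipv4_udp(src_port: u16, dst_port: u16) -> Vec<u8> {
    let hdr: [u8; 20] = [0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2];
    [&hdr[..], &src_port.to_be_bytes()[..], &dst_port.to_be_bytes()[..], &[0u8, 8, 0, 0][..]].concat()
}
pub fn ipv6(next_header: u8, body: &[u8]) -> Vec<u8> {
    let hdr: [u8; 8] = [0x60, 0, 0, 0, 0, body.len() as u8, next_header, 255];
    [&hdr[..], &[0u8; 32][..], body].concat() // src/dst addresses zeroed
}
pub const CLIENT_MAC: [u8; 6] = [0x02, 0x11, 0x22, 0x33, 0x44, 0x55];

fn main() {
    let offer = eth([0xFF; 6], CLIENT_MAC, 0x0800, &ipv4_udp(67, 68));
    println!("DHCP offer sent by a client: {:?}", classify_client_send(&offer, CLIENT_MAC));
}
```

The client wrapper and the gateway check share one parser, which is the point the commit makes: a frame the client rejects for a safety reason is exactly the frame the gateway would reject, so it never costs relay bandwidth. The constructed DHCP offer in main() is dropped as DhcpServerReply at the client before it is encoded.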
@@ -61,8 +61,8 @@ Platform-neutral remote client relay session:
- QUIC DATAGRAM support and negotiated datagram budget diagnostics
- relay RTT diagnostics from the active QUIC connection
- reliable relay control-event reads for peer lifecycle messages
- Ethernet frame send/receive helpers over QUIC DATAGRAM with budget and source
MAC checks plus local drop outcomes for malformed or oversized sends
- Ethernet frame send/receive helpers over QUIC DATAGRAM with budget, source
MAC, and remote-to-LAN safety checks plus local drop outcomes
- client tunnel statistics for frame/datagram rx/tx and drops
- reliable client stats snapshot sends for relay diagnostics
- best-effort graceful disconnect messages before QUIC close
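Review bot: the rewritten bullet ("with budget, source MAC, and remote-to-LAN safety checks plus local drop outcomes") loses the old qualifier "for malformed or oversized sends", so the reader no longer learns which cases end in a local drop rather than a send; consider "plus local drop outcomes for malformed, oversized, or unsafe sends". "remote-to-LAN" is also gateway-perspective wording in a client-side bullet: say that the client applies the gateway's remote-to-LAN safety rules to TAP frames before they are encoded, so it is clear the checks run on frames leaving the client, not arriving at it.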
@@ -252,10 +252,11 @@ after bridging starts become visible in later status lines. Each snapshot also
emits short user-facing lines such as relay/gateway connection status,
relay-route and TAP readiness warnings, DHCP address presence, relay RTT, and
broadcast-flow confirmation when those signals are observed. Malformed frames
read from TAP, invalid or unauthorized source-MAC frames, jumbo frames, and TAP
frames whose encoded datagrams exceed the negotiated QUIC budget are counted and
dropped before relay send without stopping the bridge; TAP device read/write
errors still stop the bridge.
read from TAP, invalid or unauthorized source-MAC frames, L2 control-plane
traffic, remote VLAN tags, DHCP server replies, IPv6 Router Advertisements, IPv6
fragments, jumbo frames, and TAP frames whose encoded datagrams exceed the
negotiated QUIC budget are counted and dropped before relay send without
stopping the bridge; TAP device read/write errors still stop the bridge.
Relay lifecycle events are logged as they arrive, including gateway joins and
peer leaves. The client remembers peer identities from join and catch-up events
so later leave logs can identify a disconnected LAN gateway or client MAC when
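Review bot: the expanded drop list ("L2 control-plane traffic, remote VLAN tags, DHCP server replies, IPv6 Router Advertisements, IPv6 fragments, jumbo frames") names what is dropped but not what the status output calls each case, so a user reading a counter cannot map it back to this paragraph; since the commit message says the typed safety reasons map into the existing DropReason vocabulary and are listed in the manual MVP test guide, name the reasons here or point at that guide. "remote VLAN tags" also reads oddly for frames read from the local TAP; "VLAN-tagged frames" is clearer. A short rationale (these are the frames that would let a remote client act as a switch, router, or DHCP server on the LAN) would help a reader judge whether a drop they see is expected.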