fips-core 0.3.6

Reusable FIPS mesh, endpoint, transport, and protocol library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

//! Network setup for the gateway.
//!
//! Manages proxy NDP entries and routes for the virtual IP range.
//! Checks IP forwarding prerequisites.

use std::net::Ipv6Addr;
use tracing::{debug, error, info, warn};

/// Check if IPv6 forwarding is enabled.
///
/// The gateway is completely non-functional without forwarding — packets
/// cannot traverse the NAT pipeline. Exits the process on failure.
pub fn check_ipv6_forwarding() {
    match std::fs::read_to_string("/proc/sys/net/ipv6/conf/all/forwarding") {
        Ok(val) if val.trim() == "1" => {
            debug!("IPv6 forwarding is enabled");
        }
        Ok(_) => {
            error!(
                "IPv6 forwarding is disabled. Enable with: \
                 sysctl -w net.ipv6.conf.all.forwarding=1"
            );
            std::process::exit(1);
        }
        Err(e) => {
            error!(error = %e, "Could not check IPv6 forwarding state");
            std::process::exit(1);
        }
    }
}

/// Check that a network interface exists using rtnetlink.
pub async fn check_interface_exists(name: &str) -> Result<u32, std::io::Error> {
    let index = rustables::iface_index(name)
        .map_err(|e| std::io::Error::new(std::io::ErrorKind::NotFound, e.to_string()))?;
    debug!(interface = %name, index, "Interface found");
    Ok(index)
}

/// Manages proxy NDP entries and routes for gateway virtual IPs.
pub struct NetSetup {
    lan_interface: String,
    /// Proxy NDP entries added during this run (for cleanup).
    proxy_entries: Vec<Ipv6Addr>,
    /// Whether a route was added for the pool range.
    route_added: bool,
    pool_cidr: String,
}

impl NetSetup {
    /// Create a new network setup manager.
    pub fn new(lan_interface: String, pool_cidr: String) -> Self {
        Self {
            lan_interface,
            proxy_entries: Vec::new(),
            route_added: false,
            pool_cidr,
        }
    }

    /// Add a local route for the virtual IP pool range.
    ///
    /// The `local` route tells the kernel to accept packets destined for
    /// addresses in the pool as locally-owned, enabling NAT processing.
    /// Uses `dev lo` because local routes don't need to reference the LAN
    /// interface — the kernel matches on the routing table regardless of
    /// which interface the packet arrives on.
    pub async fn add_pool_route(&mut self) -> Result<(), std::io::Error> {
        let output = tokio::process::Command::new("ip")
            .args(["-6", "route", "add", "local", &self.pool_cidr, "dev", "lo"])
            .output()
            .await?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            // "File exists" means route already present — not an error
            if stderr.contains("File exists") {
                debug!(cidr = %self.pool_cidr, "Pool route already exists");
                return Ok(());
            }
            return Err(std::io::Error::other(format!(
                "Failed to add pool route: {stderr}"
            )));
        }

        self.route_added = true;
        info!(cidr = %self.pool_cidr, "Added local pool route");
        Ok(())
    }

    /// Add a proxy NDP entry for a virtual IP on the LAN interface.
    pub async fn add_proxy_ndp(&mut self, addr: Ipv6Addr) -> Result<(), std::io::Error> {
        let addr_str = addr.to_string();
        let output = tokio::process::Command::new("ip")
            .args([
                "-6",
                "neigh",
                "add",
                "proxy",
                &addr_str,
                "dev",
                &self.lan_interface,
            ])
            .output()
            .await?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            if stderr.contains("File exists") {
                debug!(addr = %addr, "Proxy NDP entry already exists");
                return Ok(());
            }
            return Err(std::io::Error::other(format!(
                "Failed to add proxy NDP: {stderr}"
            )));
        }

        self.proxy_entries.push(addr);
        debug!(addr = %addr, iface = %self.lan_interface, "Added proxy NDP entry");
        Ok(())
    }

    /// Remove a proxy NDP entry.
    pub async fn remove_proxy_ndp(&mut self, addr: Ipv6Addr) -> Result<(), std::io::Error> {
        let addr_str = addr.to_string();
        let output = tokio::process::Command::new("ip")
            .args([
                "-6",
                "neigh",
                "del",
                "proxy",
                &addr_str,
                "dev",
                &self.lan_interface,
            ])
            .output()
            .await?;

        if !output.status.success() {
            let stderr = String::from_utf8_lossy(&output.stderr);
            // Silently ignore "No such file" — entry may have been cleaned already
            if !stderr.contains("No such file") {
                warn!(addr = %addr, error = %stderr.trim(), "Failed to remove proxy NDP");
            }
        }

        self.proxy_entries.retain(|a| *a != addr);
        Ok(())
    }

    /// Clean up all proxy NDP entries and routes added during this run.
    pub async fn cleanup(&mut self) {
        // Remove proxy NDP entries
        let entries: Vec<Ipv6Addr> = self.proxy_entries.clone();
        for addr in entries {
            let _ = self.remove_proxy_ndp(addr).await;
        }

        // Remove pool route
        if self.route_added {
            let output = tokio::process::Command::new("ip")
                .args(["-6", "route", "del", "local", &self.pool_cidr, "dev", "lo"])
                .output()
                .await;

            match output {
                Ok(o) if o.status.success() => {
                    info!(cidr = %self.pool_cidr, "Removed pool route");
                }
                Ok(o) => {
                    let stderr = String::from_utf8_lossy(&o.stderr);
                    warn!(error = %stderr.trim(), "Failed to remove pool route");
                }
                Err(e) => {
                    warn!(error = %e, "Failed to run ip route del");
                }
            }
            self.route_added = false;
        }
    }
}