koi-common 0.2.202603241449

Shared types, traits, and utilities for the Koi local network toolkit
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

/// Firewall port metadata reported by capability modules.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct FirewallPort {
    pub name: String,
    pub protocol: FirewallProtocol,
    pub port: u16,
}

impl FirewallPort {
    pub fn new(name: impl Into<String>, protocol: FirewallProtocol, port: u16) -> Self {
        Self {
            name: name.into(),
            protocol,
            port,
        }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum FirewallProtocol {
    Tcp,
    Udp,
}

impl FirewallProtocol {
    pub fn as_str(&self) -> &'static str {
        match self {
            FirewallProtocol::Tcp => "TCP",
            FirewallProtocol::Udp => "UDP",
        }
    }
}

/// Format a firewall rule name: `"{prefix} {port.name} ({PROTO} {port})"`.
pub fn firewall_rule_name(prefix: &str, port: &FirewallPort) -> String {
    format!(
        "{} {} ({} {})",
        prefix,
        port.name,
        port.protocol.as_str(),
        port.port
    )
}

/// Best-effort ensure that Windows Firewall inbound-allow rules exist for
/// every port in the list.  Rules are **port-based** (not program-scoped) so
/// they work regardless of which exe path is running.
///
/// * Idempotent – deletes then recreates each rule.
/// * Non-fatal  – logs warnings but never panics or returns errors.
/// * No-op on non-Windows platforms.
///
/// Returns the number of rules successfully created.
#[cfg(windows)]
pub fn ensure_firewall_rules(prefix: &str, ports: &[FirewallPort]) -> usize {
    use std::collections::HashSet;
    use std::process::Command;

    // Deduplicate by (protocol, port)
    let mut seen = HashSet::new();
    let unique: Vec<_> = ports
        .iter()
        .filter(|p| seen.insert((p.protocol, p.port)))
        .collect();

    let mut ok_count = 0usize;

    for port in &unique {
        let rule_name = firewall_rule_name(prefix, port);

        // Delete first for idempotency (ignore errors – rule may not exist)
        let _ = Command::new("netsh")
            .args(["advfirewall", "firewall", "delete", "rule"])
            .arg(format!("name={rule_name}"))
            .stdout(std::process::Stdio::null())
            .stderr(std::process::Stdio::null())
            .status();

        let result = Command::new("netsh")
            .args(["advfirewall", "firewall", "add", "rule"])
            .arg(format!("name={rule_name}"))
            .args(["dir=in", "action=allow"])
            .arg(format!("protocol={}", port.protocol.as_str()))
            .arg(format!("localport={}", port.port))
            .stdout(std::process::Stdio::null())
            .stderr(std::process::Stdio::null())
            .status();

        match result {
            Ok(status) if status.success() => {
                tracing::info!(
                    rule = %rule_name,
                    "Firewall rule ensured"
                );
                ok_count += 1;
            }
            Ok(status) => {
                tracing::warn!(
                    rule = %rule_name,
                    exit_code = ?status.code(),
                    "Could not create firewall rule (not elevated?)"
                );
            }
            Err(e) => {
                tracing::warn!(
                    rule = %rule_name,
                    error = %e,
                    "Failed to run netsh"
                );
            }
        }
    }

    ok_count
}

/// No-op on non-Windows platforms – always returns 0.
#[cfg(not(windows))]
pub fn ensure_firewall_rules(_prefix: &str, _ports: &[FirewallPort]) -> usize {
    0
}