vane 0.9.0

A flow-based reverse proxy with multi-layer routing and programmable pipelines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

---
title: Network
description: Network utility functions for IP validation and port management.
icon: Network
---

The `src/common/net` module provides core network primitives used throughout Vane to validate traffic metadata and enforce routing policies.

## IP Address Validation

The `ip.rs` module contains utilities for identifying the scope and routability of IP addresses.

### Private & Reserved Ranges

Vane provides the `is_private_ip` function to determine if an address belongs to a non-publicly routable range. This is essential for:

- **Security**: Preventing Server-Side Request Forgery (SSRF) to internal infrastructure.
- **Routing**: Differentiating between local management traffic and public client requests.

#### IPv4 Coverage

The implementation checks for all standard IANA reserved ranges:

- **Private Networks**: `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`.
- **Loopback**: `127.0.0.0/8`.
- **Carrier-Grade NAT (CGN)**: `100.64.0.0/10`.
- **Link-Local**: `169.254.0.0/16`.
- **Documentation**: `192.0.2.0/24`.

#### IPv6 Coverage

Because the Rust standard library's `is_global()` method is currently unstable, Vane uses a manual implementation to identify non-global IPv6 ranges:

- **Unspecified & Loopback**: `::`, `::1`.
- **Unique-Local (ULA)**: `fc00::/7`.
- **Link-Local**: `fe80::/10`.
- **Documentation**: `2001:db8::/32`.

```rust
use crate::common::net::ip;
use std::net::IpAddr;

let internal_ip: IpAddr = "192.168.1.1".parse().unwrap();
assert!(ip.is_private_ip(&internal_ip));
```

## Port Utilities

The `port_utils.rs` module provides basic validation for network ports.

- **`is_valid_port(port: u16)`**: Ensures the port is within the valid network range (1-65535). A port value of `0` is considered invalid as it is reserved in most transport layer protocols for system assignment.

<Callout type="info" title="Why Manual IPv6 Checks?">
	Vane maintains high stability and avoids nightly Rust features. The manual bit-masking in
	`is_private_ipv6` ensures that IP scope detection is accurate and reliable across all supported
	platforms without depending on unstable library APIs.
</Callout>