Skip to main content

microsandbox_network/
config.rs

1//! Serializable network configuration types.
2//!
3//! These types represent the user-facing declarative network configuration
4//! that flows from `SandboxBuilder` through the supervisor to `msbnet`.
5
6use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
7
8use serde::{Deserialize, Serialize};
9
10use crate::policy::NetworkPolicy;
11
12//--------------------------------------------------------------------------------------------------
13// Types
14//--------------------------------------------------------------------------------------------------
15
16/// Complete network configuration for a sandbox.
17///
18/// Declarative and serializable. Closure-based hooks and custom backend
19/// objects are not supported in the subprocess architecture and are deferred.
20#[derive(Debug, Clone, Default, Serialize, Deserialize)]
21pub struct NetworkConfig {
22    /// Whether networking is enabled for this sandbox.
23    #[serde(default)]
24    pub enabled: bool,
25
26    /// Network interface settings.
27    #[serde(default)]
28    pub interface: InterfaceConfig,
29
30    /// Port mappings (host:guest).
31    #[serde(default)]
32    pub ports: Vec<PublishedPort>,
33
34    /// Packet policy enforced by `msbnet`.
35    #[serde(default)]
36    pub policy: NetworkPolicy,
37
38    /// DNS interception and filtering settings.
39    #[serde(default)]
40    pub dns: DnsConfig,
41
42    /// TLS interception configuration.
43    #[serde(default)]
44    pub tls: crate::tls::TlsConfig,
45}
46
47/// Network interface configuration (dual-stack).
48#[derive(Debug, Clone, Default, Serialize, Deserialize)]
49pub struct InterfaceConfig {
50    /// Guest MAC address. Auto-generated if `None`.
51    #[serde(default)]
52    pub mac: Option<[u8; 6]>,
53
54    /// MTU. Defaults to backend-reported value if `None`.
55    #[serde(default)]
56    pub mtu: Option<u16>,
57
58    /// IPv4 configuration. Auto-assigned from the pool if `None`.
59    #[serde(default)]
60    pub ipv4: Option<Ipv4Config>,
61
62    /// IPv6 configuration. Auto-assigned from the pool if `None`.
63    #[serde(default)]
64    pub ipv6: Option<Ipv6Config>,
65}
66
67/// DNS interception settings for the sandbox.
68#[derive(Debug, Clone, Serialize, Deserialize)]
69pub struct DnsConfig {
70    /// Exact domains to refuse locally.
71    #[serde(default)]
72    pub blocked_domains: Vec<String>,
73
74    /// Domain suffixes to refuse locally.
75    #[serde(default)]
76    pub blocked_suffixes: Vec<String>,
77
78    /// Whether DNS rebinding protection is enabled.
79    #[serde(default = "default_rebind_protection")]
80    pub rebind_protection: bool,
81}
82
83/// IPv4 address configuration for a sandbox interface.
84#[derive(Debug, Clone, Serialize, Deserialize)]
85pub struct Ipv4Config {
86    /// Guest IPv4 address.
87    pub address: Ipv4Addr,
88
89    /// Prefix length (e.g. `30` for a `/30` subnet).
90    pub prefix_len: u8,
91
92    /// Default gateway.
93    pub gateway: Ipv4Addr,
94}
95
96/// IPv6 address configuration for a sandbox interface.
97#[derive(Debug, Clone, Serialize, Deserialize)]
98pub struct Ipv6Config {
99    /// Guest IPv6 address.
100    pub address: Ipv6Addr,
101
102    /// Prefix length (e.g. `64` for a `/64` prefix).
103    pub prefix_len: u8,
104
105    /// Default gateway.
106    pub gateway: Ipv6Addr,
107}
108
109/// A published port mapping between host and guest.
110#[derive(Debug, Clone, Serialize, Deserialize)]
111pub struct PublishedPort {
112    /// Host-side port to bind.
113    pub host_port: u16,
114
115    /// Guest-side port to forward to.
116    pub guest_port: u16,
117
118    /// Protocol (TCP or UDP).
119    #[serde(default)]
120    pub protocol: PortProtocol,
121
122    /// Host address to bind. Defaults to loopback.
123    #[serde(default = "default_host_bind")]
124    pub host_bind: IpAddr,
125}
126
127/// Protocol for a published port.
128#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Serialize, Deserialize)]
129pub enum PortProtocol {
130    /// TCP (default).
131    #[default]
132    Tcp,
133
134    /// UDP.
135    Udp,
136}
137
138//--------------------------------------------------------------------------------------------------
139// Trait Implementations
140//--------------------------------------------------------------------------------------------------
141
142impl Default for DnsConfig {
143    fn default() -> Self {
144        Self {
145            blocked_domains: Vec::new(),
146            blocked_suffixes: Vec::new(),
147            rebind_protection: default_rebind_protection(),
148        }
149    }
150}
151
152//--------------------------------------------------------------------------------------------------
153// Functions
154//--------------------------------------------------------------------------------------------------
155
156fn default_host_bind() -> IpAddr {
157    IpAddr::V4(Ipv4Addr::LOCALHOST)
158}
159
160fn default_rebind_protection() -> bool {
161    true
162}