

1//! Platform-specific kernel redirect rule installation and cleanup.
2//!
3//! Installs nftables REDIRECT rules (Linux) or pf `rdr` anchors (macOS) that
4//! route intercepted TCP connections to the TLS proxy listener.
5
6use std::{io, net::Ipv4Addr};
7
8use ipnetwork::Ipv6Network;
9
10//--------------------------------------------------------------------------------------------------
11// Types
12//--------------------------------------------------------------------------------------------------
13
/// Configuration for kernel-level redirect rules.
///
/// Built by the caller and handed to [`install`], which forwards it unchanged
/// to the platform backend (`super::redirect_linux` or `super::redirect_macos`).
/// Only `sandbox_id` is needed later to tear the rules down via [`remove`].
pub struct RedirectConfig {
    /// Guest IPv4 address to match in redirect rules.
    pub guest_ipv4: Option<Ipv4Addr>,

    /// Guest IPv6 /64 prefix to match in redirect rules.
    /// Uses the full prefix (not a single address) to cover SLAAC and
    /// privacy extension addresses within the subnet.
    pub guest_ipv6_prefix: Option<Ipv6Network>,

    /// TCP ports to intercept (e.g. `[443]`).
    /// How an empty list is handled is decided by the platform backend,
    /// which is not visible in this file.
    pub intercepted_ports: Vec<u16>,

    /// Local port of the TLS proxy listener.
    pub proxy_port: u16,

    /// Sandbox ID (used for unique table/anchor naming).
    /// [`remove`] receives only this value, so it must identify exactly the
    /// rule set that [`install`] created for this sandbox.
    pub sandbox_id: u32,

    /// Host-side interface name (e.g. `"msbtap42"`).
    /// NOTE(review): if the backend splices this into `nft`/`pfctl` rule text,
    /// confirm it validates the name (kernel interface-name length and
    /// character set) before use; the backend is not visible here.
    pub ifname: String,
}
36
37//--------------------------------------------------------------------------------------------------
38// Functions
39//--------------------------------------------------------------------------------------------------
40
/// Installs kernel-level redirect rules for TLS interception.
///
/// Dispatches at compile time to the platform backend: nftables on Linux
/// (`super::redirect_linux`) or pf on macOS (`super::redirect_macos`).
/// A successful call should be paired with a later [`remove`] for
/// `config.sandbox_id`, otherwise the kernel rules outlive the sandbox.
///
/// # Errors
///
/// Returns whatever error the platform backend reports. On any other
/// platform nothing is installed and an `io::Error` of kind `Other`
/// ("TLS redirect rules not supported on this platform") is returned.
pub fn install(config: &RedirectConfig) -> io::Result<()> {
    #[cfg(target_os = "linux")]
    let outcome = super::redirect_linux::install(config);

    #[cfg(target_os = "macos")]
    let outcome = super::redirect_macos::install(config);

    #[cfg(not(any(target_os = "linux", target_os = "macos")))]
    let outcome = {
        // Mark the parameter as used so the unsupported build stays warning-free.
        let _ = config;
        Err(io::Error::other(
            "TLS redirect rules not supported on this platform",
        ))
    };

    outcome
}
61
/// Removes kernel-level redirect rules for a sandbox.
///
/// Counterpart of [`install`]: dispatches at compile time to the platform
/// backend, identifying the rule set by `sandbox_id` alone (the backends use
/// it for table/anchor naming). Whether removing rules that were never
/// installed is an error is decided by the backend, which is not visible here.
///
/// # Errors
///
/// Returns whatever error the platform backend reports. On any other
/// platform an `io::Error` of kind `Other`
/// ("TLS redirect rules not supported on this platform") is returned.
pub fn remove(sandbox_id: u32) -> io::Result<()> {
    #[cfg(target_os = "linux")]
    let outcome = super::redirect_linux::remove(sandbox_id);

    #[cfg(target_os = "macos")]
    let outcome = super::redirect_macos::remove(sandbox_id);

    #[cfg(not(any(target_os = "linux", target_os = "macos")))]
    let outcome = {
        // Mark the parameter as used so the unsupported build stays warning-free.
        let _ = sandbox_id;
        Err(io::Error::other(
            "TLS redirect rules not supported on this platform",
        ))
    };

    outcome
}