Skip to main content

microsandbox_network/
config.rs

1//! Serializable network configuration types.
2//!
3//! These types represent the user-facing declarative network configuration
4//! for sandbox networking. Designed for the smoltcp in-process engine.
5
6use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
7
8use serde::{Deserialize, Serialize};
9
10use crate::policy::NetworkPolicy;
11use crate::secrets::config::SecretsConfig;
12use crate::tls::TlsConfig;
13
14//--------------------------------------------------------------------------------------------------
15// Types
16//--------------------------------------------------------------------------------------------------
17
18/// Complete network configuration for a sandbox.
19///
20/// Narrowed for the smoltcp in-process engine. Gateway, prefix length, and
21/// other host-backend details are engine internals derived from the sandbox
22/// slot — the user only specifies what matters: interface overrides, ports,
23/// policy, DNS, TLS, and connection limits.
24#[derive(Debug, Clone, Serialize, Deserialize)]
25pub struct NetworkConfig {
26    /// Whether networking is enabled for this sandbox.
27    #[serde(default = "default_true")]
28    pub enabled: bool,
29
30    /// Guest interface overrides. Unset fields derived from sandbox slot.
31    #[serde(default)]
32    pub interface: InterfaceOverrides,
33
34    /// Host → guest port mappings.
35    #[serde(default)]
36    pub ports: Vec<PublishedPort>,
37
38    /// Egress/ingress policy rules.
39    #[serde(default)]
40    pub policy: NetworkPolicy,
41
42    /// DNS interception and filtering settings.
43    #[serde(default)]
44    pub dns: DnsConfig,
45
46    /// TLS interception settings.
47    #[serde(default)]
48    pub tls: TlsConfig,
49
50    /// Secret injection settings.
51    #[serde(default)]
52    pub secrets: SecretsConfig,
53
54    /// Max concurrent guest connections. Default: 256.
55    #[serde(default)]
56    pub max_connections: Option<usize>,
57}
58
59/// Optional overrides for the guest interface.
60///
61/// If omitted, values are derived deterministically from the sandbox slot.
62#[derive(Debug, Clone, Default, Serialize, Deserialize)]
63pub struct InterfaceOverrides {
64    /// Guest MAC address. Default: derived from slot.
65    #[serde(default)]
66    pub mac: Option<[u8; 6]>,
67
68    /// Interface MTU. Default: 1500.
69    #[serde(default)]
70    pub mtu: Option<u16>,
71
72    /// Guest IPv4 address. Default: derived from slot (100.96.0.0/11 pool).
73    #[serde(default)]
74    pub ipv4_address: Option<Ipv4Addr>,
75
76    /// Guest IPv6 address. Default: derived from slot (fd42:6d73:62::/48 pool).
77    #[serde(default)]
78    pub ipv6_address: Option<Ipv6Addr>,
79}
80
81/// DNS interception settings for the sandbox.
82#[derive(Debug, Clone, Serialize, Deserialize)]
83pub struct DnsConfig {
84    /// Exact domains to refuse locally.
85    #[serde(default)]
86    pub blocked_domains: Vec<String>,
87
88    /// Domain suffixes to refuse locally.
89    #[serde(default)]
90    pub blocked_suffixes: Vec<String>,
91
92    /// Whether DNS rebinding protection is enabled.
93    #[serde(default = "default_true")]
94    pub rebind_protection: bool,
95}
96
97/// A published port mapping between host and guest.
98#[derive(Debug, Clone, Serialize, Deserialize)]
99pub struct PublishedPort {
100    /// Host-side port to bind.
101    pub host_port: u16,
102
103    /// Guest-side port to forward to.
104    pub guest_port: u16,
105
106    /// Protocol (TCP or UDP).
107    #[serde(default)]
108    pub protocol: PortProtocol,
109
110    /// Host address to bind. Defaults to loopback.
111    #[serde(default = "default_host_bind")]
112    pub host_bind: IpAddr,
113}
114
115/// Protocol for a published port.
116#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Serialize, Deserialize)]
117pub enum PortProtocol {
118    /// TCP (default).
119    #[default]
120    Tcp,
121
122    /// UDP.
123    Udp,
124}
125
126//--------------------------------------------------------------------------------------------------
127// Trait Implementations
128//--------------------------------------------------------------------------------------------------
129
130impl Default for NetworkConfig {
131    fn default() -> Self {
132        Self {
133            enabled: true,
134            interface: InterfaceOverrides::default(),
135            ports: Vec::new(),
136            policy: NetworkPolicy::default(),
137            dns: DnsConfig::default(),
138            tls: TlsConfig::default(),
139            secrets: SecretsConfig::default(),
140            max_connections: None,
141        }
142    }
143}
144
145impl Default for DnsConfig {
146    fn default() -> Self {
147        Self {
148            blocked_domains: Vec::new(),
149            blocked_suffixes: Vec::new(),
150            rebind_protection: true,
151        }
152    }
153}
154
155//--------------------------------------------------------------------------------------------------
156// Functions
157//--------------------------------------------------------------------------------------------------
158
159fn default_true() -> bool {
160    true
161}
162
163fn default_host_bind() -> IpAddr {
164    IpAddr::V4(Ipv4Addr::LOCALHOST)
165}