Skip to main content

BridgeNetwork

nucleus::network

Struct BridgeNetwork

pub struct BridgeNetwork { /* private fields */ }

Expand description

Bridge network manager

Implementations§

impl BridgeNetwork

pub fn setup(pid: u32, config: &BridgeConfig) -> Result<Self>

Set up bridge networking for a container

Creates bridge, veth pair, assigns IPs, enables NAT. Must be called from the parent process after fork (needs host netns).

State transitions: Unconfigured -> Configuring -> Active

pub fn setup_with_id( pid: u32, config: &BridgeConfig, container_id: &str, ) -> Result<Self>

Set up bridge networking with an explicit container ID for IP tracking.

pub fn apply_egress_policy(&self, pid: u32, policy: &EgressPolicy) -> Result<()>

Apply egress policy rules inside the container’s network namespace.

Uses iptables OUTPUT chain to restrict outbound connections. Must be called after bridge setup while the container netns is reachable.

pub fn cleanup(self) -> Result<()>

Clean up bridge networking

State transition: Active -> Cleaned

pub fn cleanup_orphaned_rules(subnet: &str)

Detect and remove orphaned iptables rules from previous Nucleus runs.

Checks for stale MASQUERADE rules referencing the nucleus subnet that have no corresponding running container. Prevents gradual degradation of network isolation from accumulated orphaned rules.

pub fn write_resolv_conf(root: &Path, dns: &[String]) -> Result<()>

Write resolv.conf inside container (for writable /etc, e.g. agent mode)

pub fn bind_mount_resolv_conf(root: &Path, dns: &[String]) -> Result<()>

Bind-mount a resolv.conf over a read-only /etc (for production rootfs mode).

Creates a memfd-backed resolv.conf and bind-mounts it over /etc/resolv.conf so it works even when the rootfs /etc is read-only. The memfd is cleaned up when the container exits.

Trait Implementations§

impl Drop for BridgeNetwork

fn drop(&mut self)

Executes the destructor for this type. Read more

Auto Trait Implementations§

impl Freeze for BridgeNetwork

impl RefUnwindSafe for BridgeNetwork

impl Send for BridgeNetwork

impl Sync for BridgeNetwork

impl Unpin for BridgeNetwork

impl UnsafeUnpin for BridgeNetwork

impl UnwindSafe for BridgeNetwork

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more