dearsky/numa
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 25 Wiki Activity

LAN opt-in, mDNS migration, security hardening, path-based routing

Browse Source 
- LAN discovery disabled by default (opt-in via [lan] enabled = true)
- Replace custom JSON multicast (239.255.70.78:5390) with standard mDNS
  (_numa._tcp.local on 224.0.0.251:5353) using existing DNS parser
- Instance ID in TXT record for multi-instance self-filtering
- API and proxy bind to 127.0.0.1 by default (0.0.0.0 when LAN enabled)
- Path-based routing: longest prefix match with optional prefix stripping
  via [[services]] routes = [{path, port, strip?}]
- REST API: GET/POST/DELETE /services/{name}/routes
- Dashboard shows route lines per service when configured
- Segment-boundary route matching (prevents /api matching /apiary)
- Route path validation (rejects path traversal)

Closes #11

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Razvan Dimescu
2026-03-23 06:56:31 +02:00
parent 0a43feaf1a
commit 9992418908
9 changed files with 675 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
examples/mdns_coexist.rs Normal file
View File

@@ -0,0 +1,206 @@
/// Spike: can we bind to mDNS multicast (224.0.0.251:5353) alongside macOS mDNSResponder?
///
/// Tests:
/// 1. Bind UDP socket to 0.0.0.0:5353 with SO_REUSEPORT + SO_REUSEADDR
/// 2. Join multicast group 224.0.0.251
/// 3. Send a PTR query for _services._dns-sd._udp.local (standard browse)
/// 4. Listen for mDNS responses — do we see them alongside mDNSResponder?
/// 5. Send a _numa._tcp.local announcement — does it conflict?
///
/// Run: cargo run --example mdns_coexist
use std::mem::MaybeUninit;
use std::net::{Ipv4Addr, SocketAddrV4};
use socket2::{Domain, Protocol, Socket, Type};
const MDNS_ADDR: Ipv4Addr = Ipv4Addr::new(224, 0, 0, 251);
const MDNS_PORT: u16 = 5353;
fn main() -> std::io::Result<()> {
println!("=== mDNS coexistence spike ===\n");
// Step 1: Create UDP socket with SO_REUSEPORT + SO_REUSEADDR
let socket = Socket::new(Domain::IPV4, Type::DGRAM, Some(Protocol::UDP))?;
socket.set_reuse_address(true)?;
#[cfg(unix)]
socket.set_reuse_port(true)?;
println!("[OK] Socket created with SO_REUSEADDR + SO_REUSEPORT");
// Step 2: Bind to 0.0.0.0:5353
let bind_addr = SocketAddrV4::new(Ipv4Addr::UNSPECIFIED, MDNS_PORT);
match socket.bind(&bind_addr.into()) {
Ok(()) => println!("[OK] Bound to 0.0.0.0:{}", MDNS_PORT),
Err(e) => {
println!("[FAIL] Cannot bind to port {}: {}", MDNS_PORT, e);
println!(" mDNSResponder may not allow port sharing");
return Ok(());
}
}
// Step 3: Join multicast group
match socket.join_multicast_v4(&MDNS_ADDR, &Ipv4Addr::UNSPECIFIED) {
Ok(()) => println!("[OK] Joined multicast group {}", MDNS_ADDR),
Err(e) => {
println!("[FAIL] Cannot join multicast {}: {}", MDNS_ADDR, e);
return Ok(());
}
}
// Step 4: Send a PTR query for _services._dns-sd._udp.local
let query = build_mdns_query("_services._dns-sd._udp.local");
let dest = SocketAddrV4::new(MDNS_ADDR, MDNS_PORT);
match socket.send_to(&query, &dest.into()) {
Ok(n) => println!("[OK] Sent mDNS browse query ({} bytes)", n),
Err(e) => {
println!("[FAIL] Cannot send to multicast: {}", e);
return Ok(());
}
}
// Step 5: Listen for responses (3 second timeout)
socket.set_read_timeout(Some(std::time::Duration::from_secs(3)))?;
let mut buf = [MaybeUninit::<u8>::zeroed(); 4096];
let mut count = 0;
println!("\nListening for mDNS responses (3s timeout)...\n");
loop {
match socket.recv_from(&mut buf) {
Ok((n, addr)) => {
let data: &[u8] = unsafe { &*(&buf[..n] as *const [MaybeUninit<u8>] as *const [u8]) };
count += 1;
let flags = u16::from_be_bytes([data[2], data[3]]);
let is_response = flags & 0x8000 != 0;
let qdcount = u16::from_be_bytes([data[4], data[5]]);
let ancount = u16::from_be_bytes([data[6], data[7]]);
println!(
" #{} from {}{} bytes, {}, questions={}, answers={}",
count,
addr.as_socket().map(|s| s.to_string()).unwrap_or_default(),
n,
if is_response { "RESPONSE" } else { "QUERY" },
qdcount,
ancount,
);
if count >= 20 {
println!("\n (capped at 20, stopping)");
break;
}
}
Err(e) if e.kind() == std::io::ErrorKind::WouldBlock => {
println!("\n Timeout — received {} packets total", count);
break;
}
Err(e) => {
println!("[FAIL] recv error: {}", e);
break;
}
}
}
// Step 6: Send a _numa._tcp.local announcement
let announcement = build_mdns_announcement("_numa._tcp.local", "test-numa._numa._tcp.local", 5380);
match socket.send_to(&announcement, &dest.into()) {
Ok(n) => println!("\n[OK] Sent _numa._tcp.local announcement ({} bytes)", n),
Err(e) => println!("\n[FAIL] Cannot send announcement: {}", e),
}
// Verify we can see our own announcement
socket.set_read_timeout(Some(std::time::Duration::from_secs(2)))?;
let mut buf2 = [MaybeUninit::<u8>::zeroed(); 4096];
println!("Listening for our announcement echo (2s)...\n");
loop {
match socket.recv_from(&mut buf2) {
Ok((n, addr)) => {
let data: &[u8] = unsafe { &*(&buf2[..n] as *const [MaybeUninit<u8>] as *const [u8]) };
let flags = u16::from_be_bytes([data[2], data[3]]);
let is_response = flags & 0x8000 != 0;
if is_response {
println!(
" Received response from {} ({} bytes) — multicast RX confirmed",
addr.as_socket().map(|s| s.to_string()).unwrap_or_default(),
n
);
}
}
Err(e) if e.kind() == std::io::ErrorKind::WouldBlock => {
println!(" Timeout");
break;
}
Err(_) => break,
}
}
// Verdict
println!("\n=== Verdict ===");
if count > 0 {
println!("[PASS] mDNS coexistence works — received {} packets alongside mDNSResponder", count);
println!(" Safe to proceed with mDNS-based LAN discovery");
} else {
println!("[WARN] No mDNS packets received — may need further investigation");
println!(" Possible causes: firewall, mDNSResponder not sharing port");
}
Ok(())
}
/// Build a minimal mDNS PTR query packet
fn build_mdns_query(name: &str) -> Vec<u8> {
let mut pkt = Vec::new();
// Header: ID=0, flags=0 (query), QDCOUNT=1
pkt.extend_from_slice(&[0, 0]); // ID
pkt.extend_from_slice(&[0, 0]); // Flags (standard query)
pkt.extend_from_slice(&[0, 1]); // QDCOUNT = 1
pkt.extend_from_slice(&[0, 0]); // ANCOUNT
pkt.extend_from_slice(&[0, 0]); // NSCOUNT
pkt.extend_from_slice(&[0, 0]); // ARCOUNT
// Question: encode name as labels
for label in name.split('.') {
pkt.push(label.len() as u8);
pkt.extend_from_slice(label.as_bytes());
}
pkt.push(0); // root label
pkt.extend_from_slice(&[0, 12]); // QTYPE = PTR (12)
pkt.extend_from_slice(&[0, 1]); // QCLASS = IN (1)
pkt
}
/// Build a minimal mDNS announcement (response with PTR + SRV + TXT)
fn build_mdns_announcement(service_type: &str, instance_name: &str, port: u16) -> Vec<u8> {
let mut pkt = Vec::new();
// Header: ID=0, flags=0x8400 (response, authoritative), ANCOUNT=1
pkt.extend_from_slice(&[0, 0]); // ID
pkt.extend_from_slice(&[0x84, 0x00]); // Flags: QR=1, AA=1
pkt.extend_from_slice(&[0, 0]); // QDCOUNT
pkt.extend_from_slice(&[0, 1]); // ANCOUNT = 1 (just PTR for now)
pkt.extend_from_slice(&[0, 0]); // NSCOUNT
pkt.extend_from_slice(&[0, 0]); // ARCOUNT
// PTR record: _numa._tcp.local → test-numa._numa._tcp.local
encode_name(&mut pkt, service_type);
pkt.extend_from_slice(&[0, 12]); // TYPE = PTR
pkt.extend_from_slice(&[0, 1]); // CLASS = IN
pkt.extend_from_slice(&[0, 0, 0, 120]); // TTL = 120s
// RDATA: the instance name
let mut rdata = Vec::new();
encode_name(&mut rdata, instance_name);
pkt.extend_from_slice(&(rdata.len() as u16).to_be_bytes()); // RDLENGTH
pkt.extend_from_slice(&rdata);
let _ = port; // SRV record would use this — omitted for spike simplicity
pkt
}
fn encode_name(buf: &mut Vec<u8>, name: &str) {
for label in name.split('.') {
buf.push(label.len() as u8);
buf.extend_from_slice(label.as_bytes());
}
buf.push(0);
}

8
numa.toml
View File

@@ -1,6 +1,7 @@
[server] [server]
bind_addr = "0.0.0.0:53" bind_addr = "0.0.0.0:53"
api_port = 5380 api_port = 5380
# api_bind_addr = "127.0.0.1" # default; set to "0.0.0.0" for LAN dashboard access
# [upstream] # [upstream]
# address = "" # auto-detect from system resolver (default) # address = "" # auto-detect from system resolver (default)
@@ -18,6 +19,7 @@ enabled = true
port = 80 port = 80
tls_port = 443 tls_port = 443
tld = "numa" tld = "numa"
# bind_addr = "127.0.0.1" # default; auto 0.0.0.0 when [lan] enabled
# Pre-configured services (numa.numa is always added automatically) # Pre-configured services (numa.numa is always added automatically)
# [[services]] # [[services]]
@@ -40,3 +42,9 @@ tld = "numa"
# record_type = "A" # record_type = "A"
# value = "127.0.0.1" # value = "127.0.0.1"
# ttl = 60 # ttl = 60
# LAN service discovery via mDNS (disabled by default — no network traffic unless enabled)
# [lan]
# enabled = true # discover other Numa instances via mDNS (_numa._tcp.local)
# broadcast_interval_secs = 30
# peer_timeout_secs = 90

8
site/dashboard.html
View File

@@ -1098,12 +1098,20 @@ function renderServices(entries) {
? '<span class="lan-badge shared" title="Reachable from other devices on the network">LAN</span>' ? '<span class="lan-badge shared" title="Reachable from other devices on the network">LAN</span>'
: '<span class="lan-badge local-only" title="Bound to localhost — not reachable from other devices. Start with 0.0.0.0 to share on LAN.">local only</span>') : '<span class="lan-badge local-only" title="Bound to localhost — not reachable from other devices. Start with 0.0.0.0 to share on LAN.">local only</span>')
: ''; : '';
const routeLines = (e.routes || []).map(r =>
`<div class="service-port" style="color:var(--text-dim);">` +
`<span style="display:inline-block;min-width:60px;">${r.path}</span> ` +
`&rarr; :${r.port}` +
(r.strip ? ` <span style="opacity:0.6;">(strip)</span>` : '') +
`</div>`
).join('');
return ` return `
<div class="service-item"> <div class="service-item">
<span class="health-dot ${e.healthy ? 'up' : 'down'}" title="${e.healthy ? 'running' : 'not reachable'}"></span> <span class="health-dot ${e.healthy ? 'up' : 'down'}" title="${e.healthy ? 'running' : 'not reachable'}"></span>
<div class="service-info"> <div class="service-info">
<div class="service-name"><a href="${e.url}" target="_blank">${e.name}.numa</a>${lanBadge}</div> <div class="service-name"><a href="${e.url}" target="_blank">${e.name}.numa</a>${lanBadge}</div>
<div class="service-port">localhost:${e.target_port} &rarr; proxied</div> <div class="service-port">localhost:${e.target_port} &rarr; proxied</div>
${routeLines}
</div> </div>
${e.name === 'numa' ? '' : `<button class="btn-delete" onclick="deleteService('${e.name}')" title="Remove service">&times;</button>`} ${e.name === 'numa' ? '' : `<button class="btn-delete" onclick="deleteService('${e.name}')" title="Remove service">&times;</button>`}
</div> </div>

74
src/api.rs
View File

@@ -46,6 +46,9 @@ pub fn router(ctx: Arc<ServerCtx>) -> Router {
.route("/services", get(list_services)) .route("/services", get(list_services))
.route("/services", post(create_service)) .route("/services", post(create_service))
.route("/services/{name}", delete(remove_service)) .route("/services/{name}", delete(remove_service))
.route("/services/{name}/routes", get(list_routes))
.route("/services/{name}/routes", post(add_route))
.route("/services/{name}/routes", delete(remove_route))
.with_state(ctx) .with_state(ctx)
} }
@@ -596,6 +599,8 @@ struct ServiceResponse {
url: String, url: String,
healthy: bool, healthy: bool,
lan_accessible: bool, lan_accessible: bool,
#[serde(skip_serializing_if = "Vec::is_empty")]
routes: Vec<crate::service_store::RouteEntry>,
} }
#[derive(Deserialize)] #[derive(Deserialize)]
@@ -610,7 +615,7 @@ async fn list_services(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<ServiceRes
store store
.list() .list()
.into_iter() .into_iter()
.map(|e| (e.name.clone(), e.target_port)) .map(|e| (e.name.clone(), e.target_port, e.routes.clone()))
.collect() .collect()
}; };
let tld = &ctx.proxy_tld; let tld = &ctx.proxy_tld;
@@ -619,7 +624,7 @@ async fn list_services(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<ServiceRes
let check_futures: Vec<_> = entries let check_futures: Vec<_> = entries
.iter() .iter()
.map(|(_, port)| { .map(|(_, port, _)| {
let port = *port; let port = *port;
let localhost = std::net::SocketAddr::from(([127, 0, 0, 1], port)); let localhost = std::net::SocketAddr::from(([127, 0, 0, 1], port));
let lan_addr = lan_ip.map(|ip| std::net::SocketAddr::new(ip.into(), port)); let lan_addr = lan_ip.map(|ip| std::net::SocketAddr::new(ip.into(), port));
@@ -639,12 +644,13 @@ async fn list_services(State(ctx): State<Arc<ServerCtx>>) -> Json<Vec<ServiceRes
.into_iter() .into_iter()
.zip(check_results) .zip(check_results)
.map( .map(
|((name, port), (healthy, lan_accessible))| ServiceResponse { |((name, port, routes), (healthy, lan_accessible))| ServiceResponse {
url: format!("http://{}.{}", name, tld), url: format!("http://{}.{}", name, tld),
name, name,
target_port: port, target_port: port,
healthy, healthy,
lan_accessible, lan_accessible,
routes,
}, },
) )
.collect(); .collect();
@@ -694,6 +700,7 @@ async fn create_service(
target_port: req.target_port, target_port: req.target_port,
healthy, healthy,
lan_accessible, lan_accessible,
routes: Vec::new(),
}), }),
)) ))
} }
@@ -710,6 +717,67 @@ async fn remove_service(State(ctx): State<Arc<ServerCtx>>, Path(name): Path<Stri
} }
} }
// --- Route handlers ---
#[derive(Deserialize)]
struct AddRouteRequest {
path: String,
port: u16,
#[serde(default)]
strip: bool,
}
#[derive(Deserialize)]
struct RemoveRouteRequest {
path: String,
}
async fn list_routes(
State(ctx): State<Arc<ServerCtx>>,
Path(name): Path<String>,
) -> Result<Json<Vec<crate::service_store::RouteEntry>>, StatusCode> {
let store = ctx.services.lock().unwrap();
match store.lookup(&name) {
Some(entry) => Ok(Json(entry.routes.clone())),
None => Err(StatusCode::NOT_FOUND),
}
}
async fn add_route(
State(ctx): State<Arc<ServerCtx>>,
Path(name): Path<String>,
Json(req): Json<AddRouteRequest>,
) -> Result<StatusCode, (StatusCode, String)> {
if req.path.is_empty() || !req.path.starts_with('/') {
return Err((StatusCode::BAD_REQUEST, "path must start with /".into()));
}
if req.path.contains("/../") || req.path.ends_with("/..") {
return Err((StatusCode::BAD_REQUEST, "path must not contain '..'".into()));
}
if req.port == 0 {
return Err((StatusCode::BAD_REQUEST, "port must be > 0".into()));
}
let mut store = ctx.services.lock().unwrap();
if store.add_route(&name, req.path, req.port, req.strip) {
Ok(StatusCode::CREATED)
} else {
Err((StatusCode::NOT_FOUND, format!("service '{}' not found", name)))
}
}
async fn remove_route(
State(ctx): State<Arc<ServerCtx>>,
Path(name): Path<String>,
Json(req): Json<RemoveRouteRequest>,
) -> StatusCode {
let mut store = ctx.services.lock().unwrap();
if store.remove_route(&name, &req.path) {
StatusCode::NO_CONTENT
} else {
StatusCode::NOT_FOUND
}
}
async fn check_tcp(addr: std::net::SocketAddr) -> bool { async fn check_tcp(addr: std::net::SocketAddr) -> bool {
tokio::time::timeout( tokio::time::timeout(
std::time::Duration::from_millis(100), std::time::Duration::from_millis(100),

30
src/config.rs
View File

@@ -35,6 +35,8 @@ pub struct ServerConfig {
pub bind_addr: String, pub bind_addr: String,
#[serde(default = "default_api_port")] #[serde(default = "default_api_port")]
pub api_port: u16, pub api_port: u16,
#[serde(default = "default_api_bind_addr")]
pub api_bind_addr: String,
} }
impl Default for ServerConfig { impl Default for ServerConfig {
@@ -42,10 +44,15 @@ impl Default for ServerConfig {
ServerConfig { ServerConfig {
bind_addr: default_bind_addr(), bind_addr: default_bind_addr(),
api_port: default_api_port(), api_port: default_api_port(),
api_bind_addr: default_api_bind_addr(),
} }
} }
} }
fn default_api_bind_addr() -> String {
"127.0.0.1".to_string()
}
fn default_bind_addr() -> String { fn default_bind_addr() -> String {
"0.0.0.0:53".to_string() "0.0.0.0:53".to_string()
} }
@@ -172,6 +179,8 @@ pub struct ProxyConfig {
pub tls_port: u16, pub tls_port: u16,
#[serde(default = "default_proxy_tld")] #[serde(default = "default_proxy_tld")]
pub tld: String, pub tld: String,
#[serde(default = "default_proxy_bind_addr")]
pub bind_addr: String,
} }
impl Default for ProxyConfig { impl Default for ProxyConfig {
@@ -181,10 +190,15 @@ impl Default for ProxyConfig {
port: default_proxy_port(), port: default_proxy_port(),
tls_port: default_proxy_tls_port(), tls_port: default_proxy_tls_port(),
tld: default_proxy_tld(), tld: default_proxy_tld(),
bind_addr: default_proxy_bind_addr(),
} }
} }
} }
fn default_proxy_bind_addr() -> String {
"127.0.0.1".to_string()
}
fn default_proxy_enabled() -> bool { fn default_proxy_enabled() -> bool {
true true
} }
@@ -202,16 +216,14 @@ fn default_proxy_tld() -> String {
pub struct ServiceConfig { pub struct ServiceConfig {
pub name: String, pub name: String,
pub target_port: u16, pub target_port: u16,
#[serde(default)]
pub routes: Vec<crate::service_store::RouteEntry>,
} }
#[derive(Deserialize, Clone)] #[derive(Deserialize, Clone)]
pub struct LanConfig { pub struct LanConfig {
#[serde(default = "default_lan_enabled")] #[serde(default = "default_lan_enabled")]
pub enabled: bool, pub enabled: bool,
#[serde(default = "default_lan_multicast_group")]
pub multicast_group: String,
#[serde(default = "default_lan_port")]
pub port: u16,
#[serde(default = "default_lan_broadcast_interval")] #[serde(default = "default_lan_broadcast_interval")]
pub broadcast_interval_secs: u64, pub broadcast_interval_secs: u64,
#[serde(default = "default_lan_peer_timeout")] #[serde(default = "default_lan_peer_timeout")]
@@ -222,8 +234,6 @@ impl Default for LanConfig {
fn default() -> Self { fn default() -> Self {
LanConfig { LanConfig {
enabled: default_lan_enabled(), enabled: default_lan_enabled(),
multicast_group: default_lan_multicast_group(),
port: default_lan_port(),
broadcast_interval_secs: default_lan_broadcast_interval(), broadcast_interval_secs: default_lan_broadcast_interval(),
peer_timeout_secs: default_lan_peer_timeout(), peer_timeout_secs: default_lan_peer_timeout(),
} }
@@ -231,13 +241,7 @@ impl Default for LanConfig {
} }
fn default_lan_enabled() -> bool { fn default_lan_enabled() -> bool {
true false
}
fn default_lan_multicast_group() -> String {
"239.255.70.78".to_string()
}
fn default_lan_port() -> u16 {
5390
} }
fn default_lan_broadcast_interval() -> u64 { fn default_lan_broadcast_interval() -> u64 {
30 30

357
src/lan.rs
View File

@@ -1,13 +1,22 @@
use std::collections::HashMap; use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, SocketAddr}; use std::net::{IpAddr, Ipv4Addr, SocketAddr, SocketAddrV4};
use std::sync::Arc; use std::sync::Arc;
use std::time::{Duration, Instant}; use std::time::{Duration, Instant};
use log::{debug, info, warn}; use log::{debug, info, warn};
use serde::{Deserialize, Serialize};
use crate::buffer::BytePacketBuffer;
use crate::config::LanConfig; use crate::config::LanConfig;
use crate::ctx::ServerCtx; use crate::ctx::ServerCtx;
use crate::header::DnsHeader;
use crate::question::{DnsQuestion, QueryType};
// --- Constants ---
const MDNS_ADDR: Ipv4Addr = Ipv4Addr::new(224, 0, 0, 251);
const MDNS_PORT: u16 = 5353;
const SERVICE_TYPE: &str = "_numa._tcp.local";
const MDNS_TTL: u32 = 120;
// --- Peer Store --- // --- Peer Store ---
@@ -63,20 +72,7 @@ impl PeerStore {
} }
} }
// --- Multicast --- // --- mDNS Discovery ---
#[derive(Serialize, Deserialize)]
struct Announcement {
instance_id: u64,
host: String,
services: Vec<AnnouncedService>,
}
#[derive(Serialize, Deserialize)]
struct AnnouncedService {
name: String,
port: u16,
}
pub fn detect_lan_ip() -> Option<Ipv4Addr> { pub fn detect_lan_ip() -> Option<Ipv4Addr> {
let socket = std::net::UdpSocket::bind("0.0.0.0:0").ok()?; let socket = std::net::UdpSocket::bind("0.0.0.0:0").ok()?;
@@ -87,46 +83,40 @@ pub fn detect_lan_ip() -> Option<Ipv4Addr> {
} }
} }
pub async fn start_lan_discovery(ctx: Arc<ServerCtx>, config: &LanConfig) { fn get_hostname() -> String {
let multicast_group: Ipv4Addr = match config.multicast_group.parse::<Ipv4Addr>() { std::process::Command::new("hostname")
Ok(g) if g.is_multicast() => g, .arg("-s")
Ok(g) => { .output()
warn!("LAN: {} is not a multicast address (224.0.0.0/4)", g); .ok()
return; .and_then(|o| String::from_utf8(o.stdout).ok())
.map(|h| h.trim().to_string())
.filter(|h| !h.is_empty())
.unwrap_or_else(|| "numa".to_string())
} }
Err(e) => {
warn!(
"LAN: invalid multicast group {}: {}",
config.multicast_group, e
);
return;
}
};
let port = config.port;
let interval = Duration::from_secs(config.broadcast_interval_secs);
let instance_id: u64 = { /// Generate a per-process instance ID for self-filtering on multi-instance hosts
let pid = std::process::id() as u64; fn instance_id() -> String {
let ts = std::time::SystemTime::now() format!("{}:{}", std::process::id(), std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH) .duration_since(std::time::UNIX_EPOCH)
.unwrap_or_default() .unwrap_or_default()
.as_nanos() as u64; .as_nanos() % 1_000_000)
pid ^ ts }
};
pub async fn start_lan_discovery(ctx: Arc<ServerCtx>, config: &LanConfig) {
let interval = Duration::from_secs(config.broadcast_interval_secs);
let local_ip = *ctx.lan_ip.lock().unwrap(); let local_ip = *ctx.lan_ip.lock().unwrap();
let hostname = get_hostname();
let our_instance_id = instance_id();
info!( info!(
"LAN discovery on {}:{}, local IP {}, instance {:016x}", "LAN discovery via mDNS on {}:{}, local IP {}, instance {}._numa._tcp.local",
multicast_group, port, local_ip, instance_id MDNS_ADDR, MDNS_PORT, local_ip, hostname
); );
// Create socket with SO_REUSEADDR for multicast let std_socket = match create_mdns_socket() {
let std_socket = match create_multicast_socket(multicast_group, port) {
Ok(s) => s, Ok(s) => s,
Err(e) => { Err(e) => {
warn!( warn!("LAN: could not bind mDNS socket: {} — LAN discovery disabled", e);
"LAN: could not bind multicast socket: {} — LAN discovery disabled",
e
);
return; return;
} }
}; };
@@ -138,81 +128,264 @@ pub async fn start_lan_discovery(ctx: Arc<ServerCtx>, config: &LanConfig) {
} }
}; };
let socket = Arc::new(socket); let socket = Arc::new(socket);
let dest = SocketAddr::new(IpAddr::V4(MDNS_ADDR), MDNS_PORT);
// Spawn sender // Spawn sender: announce our services periodically
let sender_ctx = Arc::clone(&ctx); let sender_ctx = Arc::clone(&ctx);
let sender_socket = Arc::clone(&socket); let sender_socket = Arc::clone(&socket);
let dest = SocketAddr::new(IpAddr::V4(multicast_group), port); let sender_hostname = hostname.clone();
let sender_instance_id = our_instance_id.clone();
tokio::spawn(async move { tokio::spawn(async move {
let mut ticker = tokio::time::interval(interval); let mut ticker = tokio::time::interval(interval);
loop { loop {
ticker.tick().await; ticker.tick().await;
let services: Vec<AnnouncedService> = { let services: Vec<(String, u16)> = {
let store = sender_ctx.services.lock().unwrap(); let store = sender_ctx.services.lock().unwrap();
store store.list().iter().map(|e| (e.name.clone(), e.target_port)).collect()
.list()
.iter()
.map(|e| AnnouncedService {
name: e.name.clone(),
port: e.target_port,
})
.collect()
}; };
if services.is_empty() { if services.is_empty() {
continue; continue;
} }
let current_ip = sender_ctx.lan_ip.lock().unwrap().to_string(); let current_ip = *sender_ctx.lan_ip.lock().unwrap();
let announcement = Announcement { if let Ok(pkt) = build_announcement(&sender_hostname, current_ip, &services, &sender_instance_id) {
instance_id, let _ = sender_socket.send_to(pkt.filled(), dest).await;
host: current_ip,
services,
};
if let Ok(json) = serde_json::to_vec(&announcement) {
let _ = sender_socket.send_to(&json, dest).await;
} }
} }
}); });
// Receiver loop // Send initial browse query
if let Ok(pkt) = build_browse_query() {
let _ = socket.send_to(pkt.filled(), dest).await;
}
// Receiver loop: parse mDNS responses for _numa._tcp
let mut buf = vec![0u8; 4096]; let mut buf = vec![0u8; 4096];
loop { loop {
let (len, src) = match socket.recv_from(&mut buf).await { let (len, _src) = match socket.recv_from(&mut buf).await {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
debug!("LAN recv error: {}", e); debug!("mDNS recv error: {}", e);
continue; continue;
} }
}; };
let announcement: Announcement = match serde_json::from_slice(&buf[..len]) {
Ok(a) => a, let data = &buf[..len];
Err(_) => continue, if let Some((services, peer_ip, peer_id)) = parse_mdns_response(data) {
}; // Skip our own announcements via instance ID (works on multi-instance same-host)
// Skip self-announcements if peer_id.as_deref() == Some(our_instance_id.as_str()) {
if announcement.instance_id == instance_id {
continue; continue;
} }
let peer_ip: IpAddr = match announcement.host.parse() { if !services.is_empty() {
Ok(ip) => ip,
Err(_) => continue,
};
let services: Vec<(String, u16)> = announcement
.services
.iter()
.map(|s| (s.name.clone(), s.port))
.collect();
let count = services.len();
ctx.lan_peers.lock().unwrap().update(peer_ip, &services); ctx.lan_peers.lock().unwrap().update(peer_ip, &services);
debug!( debug!("LAN: {} services from {} (mDNS)", services.len(), peer_ip);
"LAN: {} services from {} (via {})", }
count, announcement.host, src }
);
} }
} }
fn create_multicast_socket(group: Ipv4Addr, port: u16) -> std::io::Result<std::net::UdpSocket> { // --- mDNS Packet Building ---
use std::net::SocketAddrV4;
let addr = SocketAddrV4::new(Ipv4Addr::UNSPECIFIED, port); fn build_browse_query() -> crate::Result<BytePacketBuffer> {
let mut buf = BytePacketBuffer::new();
let mut header = DnsHeader::new();
header.questions = 1;
header.write(&mut buf)?;
DnsQuestion::new(SERVICE_TYPE.to_string(), QueryType::PTR).write(&mut buf)?;
Ok(buf)
}
fn build_announcement(
hostname: &str,
ip: Ipv4Addr,
services: &[(String, u16)],
inst_id: &str,
) -> crate::Result<BytePacketBuffer> {
let mut buf = BytePacketBuffer::new();
let instance_name = format!("{}._numa._tcp.local", hostname);
let host_local = format!("{}.local", hostname);
let mut header = DnsHeader::new();
header.response = true;
header.authoritative_answer = true;
header.answers = 4; // PTR + SRV + TXT + A
header.write(&mut buf)?;
// PTR: _numa._tcp.local → <hostname>._numa._tcp.local
write_record_header(&mut buf, SERVICE_TYPE, QueryType::PTR.to_num(), 1, MDNS_TTL)?;
let rdlen_pos = buf.pos();
buf.write_u16(0)?;
let rdata_start = buf.pos();
buf.write_qname(&instance_name)?;
patch_rdlen(&mut buf, rdlen_pos, rdata_start)?;
// SRV: <instance>._numa._tcp.local → <hostname>.local
// Port in SRV is informational; actual service ports are in TXT
write_record_header(&mut buf, &instance_name, QueryType::SRV.to_num(), 0x8001, MDNS_TTL)?;
let rdlen_pos = buf.pos();
buf.write_u16(0)?;
let rdata_start = buf.pos();
buf.write_u16(0)?; // priority
buf.write_u16(0)?; // weight
buf.write_u16(0)?; // port (services have individual ports in TXT)
buf.write_qname(&host_local)?;
patch_rdlen(&mut buf, rdlen_pos, rdata_start)?;
// TXT: services + instance ID for self-filtering
write_record_header(&mut buf, &instance_name, QueryType::TXT.to_num(), 0x8001, MDNS_TTL)?;
let rdlen_pos = buf.pos();
buf.write_u16(0)?;
let rdata_start = buf.pos();
let svc_str = services
.iter()
.map(|(name, port)| format!("{}:{}", name, port))
.collect::<Vec<_>>()
.join(",");
write_txt_string(&mut buf, &format!("services={}", svc_str))?;
write_txt_string(&mut buf, &format!("id={}", inst_id))?;
patch_rdlen(&mut buf, rdlen_pos, rdata_start)?;
// A: <hostname>.local → IP
write_record_header(&mut buf, &host_local, QueryType::A.to_num(), 0x8001, MDNS_TTL)?;
buf.write_u16(4)?;
for &b in &ip.octets() {
buf.write_u8(b)?;
}
Ok(buf)
}
fn write_record_header(
buf: &mut BytePacketBuffer,
name: &str,
rtype: u16,
class: u16,
ttl: u32,
) -> crate::Result<()> {
buf.write_qname(name)?;
buf.write_u16(rtype)?;
buf.write_u16(class)?;
buf.write_u32(ttl)?;
Ok(())
}
fn patch_rdlen(buf: &mut BytePacketBuffer, rdlen_pos: usize, rdata_start: usize) -> crate::Result<()> {
let rdlen = (buf.pos() - rdata_start) as u16;
buf.set_u16(rdlen_pos, rdlen)
}
fn write_txt_string(buf: &mut BytePacketBuffer, s: &str) -> crate::Result<()> {
let bytes = s.as_bytes();
for chunk in bytes.chunks(255) {
buf.write_u8(chunk.len() as u8)?;
for &b in chunk {
buf.write_u8(b)?;
}
}
Ok(())
}
// --- mDNS Packet Parsing ---
/// Returns (services, peer_ip, instance_id) if this is a Numa mDNS announcement
fn parse_mdns_response(data: &[u8]) -> Option<(Vec<(String, u16)>, IpAddr, Option<String>)> {
if data.len() < 12 {
return None;
}
let mut buf = BytePacketBuffer::new();
buf.buf[..data.len()].copy_from_slice(data);
let mut header = DnsHeader::new();
header.read(&mut buf).ok()?;
if !header.response || header.answers == 0 {
return None;
}
// Skip questions
for _ in 0..header.questions {
let mut q = DnsQuestion::new(String::new(), QueryType::UNKNOWN(0));
q.read(&mut buf).ok()?;
}
let total = header.answers + header.authoritative_entries + header.resource_entries;
let mut txt_services: Option<Vec<(String, u16)>> = None;
let mut peer_instance_id: Option<String> = None;
let mut a_ip: Option<IpAddr> = None;
let mut name = String::with_capacity(64);
for _ in 0..total {
if buf.pos() >= data.len() {
break;
}
name.clear();
if buf.read_qname(&mut name).is_err() {
break;
}
let rtype = buf.read_u16().unwrap_or(0);
let _rclass = buf.read_u16().unwrap_or(0);
let _ttl = buf.read_u32().unwrap_or(0);
let rdlength = buf.read_u16().unwrap_or(0) as usize;
let rdata_start = buf.pos();
match rtype {
t if t == QueryType::TXT.to_num() && name.contains("_numa._tcp") => {
let mut pos = rdata_start;
while pos < rdata_start + rdlength && pos < data.len() {
let txt_len = data[pos] as usize;
pos += 1;
if pos + txt_len > data.len() {
break;
}
if let Ok(txt) = std::str::from_utf8(&data[pos..pos + txt_len]) {
if let Some(val) = txt.strip_prefix("services=") {
let svcs: Vec<(String, u16)> = val
.split(',')
.filter_map(|s| {
let mut parts = s.splitn(2, ':');
let svc_name = parts.next()?.to_string();
let port = parts.next()?.parse().ok()?;
Some((svc_name, port))
})
.collect();
if !svcs.is_empty() {
txt_services = Some(svcs);
}
} else if let Some(id) = txt.strip_prefix("id=") {
peer_instance_id = Some(id.to_string());
}
}
pos += txt_len;
}
}
t if t == QueryType::A.to_num() && rdlength == 4 && rdata_start + 4 <= data.len() => {
a_ip = Some(IpAddr::V4(Ipv4Addr::new(
data[rdata_start],
data[rdata_start + 1],
data[rdata_start + 2],
data[rdata_start + 3],
)));
}
_ => {}
}
buf.seek(rdata_start + rdlength).ok();
}
let services = txt_services?;
// Trust the A record IP if present, otherwise this isn't a complete announcement
let peer_ip = a_ip?;
Some((services, peer_ip, peer_instance_id))
}
fn create_mdns_socket() -> std::io::Result<std::net::UdpSocket> {
let addr = SocketAddrV4::new(Ipv4Addr::UNSPECIFIED, MDNS_PORT);
let socket = socket2::Socket::new( let socket = socket2::Socket::new(
socket2::Domain::IPV4, socket2::Domain::IPV4,
socket2::Type::DGRAM, socket2::Type::DGRAM,
@@ -223,6 +396,6 @@ fn create_multicast_socket(group: Ipv4Addr, port: u16) -> std::io::Result<std::n
socket.set_reuse_port(true)?; socket.set_reuse_port(true)?;
socket.set_nonblocking(true)?; socket.set_nonblocking(true)?;
socket.bind(&socket2::SockAddr::from(addr))?; socket.bind(&socket2::SockAddr::from(addr))?;
socket.join_multicast_v4(&group, &Ipv4Addr::UNSPECIFIED)?; socket.join_multicast_v4(&MDNS_ADDR, &Ipv4Addr::UNSPECIFIED)?;
Ok(socket.into()) Ok(socket.into())
} }

19
src/main.rs
View File

@@ -109,9 +109,9 @@ async fn main() -> numa::Result<()> {
// Build service store: config services + persisted user services // Build service store: config services + persisted user services
let mut service_store = ServiceStore::new(); let mut service_store = ServiceStore::new();
service_store.insert_from_config("numa", config.server.api_port); service_store.insert_from_config("numa", config.server.api_port, Vec::new());
for svc in &config.services { for svc in &config.services {
service_store.insert_from_config(&svc.name, svc.target_port); service_store.insert_from_config(&svc.name, svc.target_port, svc.routes.clone());
} }
service_store.load_persisted(); service_store.load_persisted();
@@ -170,7 +170,7 @@ async fn main() -> numa::Result<()> {
} }
if config.lan.enabled { if config.lan.enabled {
eprintln!("\x1b[38;2;192;98;58m ║\x1b[0m \x1b[38;2;107;124;78mLAN\x1b[0m {:<30}\x1b[38;2;192;98;58m║\x1b[0m", eprintln!("\x1b[38;2;192;98;58m ║\x1b[0m \x1b[38;2;107;124;78mLAN\x1b[0m {:<30}\x1b[38;2;192;98;58m║\x1b[0m",
format!("{}:{}", config.lan.multicast_group, config.lan.port)); "mDNS (_numa._tcp.local)");
} }
if !ctx.forwarding_rules.is_empty() { if !ctx.forwarding_rules.is_empty() {
eprintln!("\x1b[38;2;192;98;58m ║\x1b[0m \x1b[38;2;107;124;78mRouting\x1b[0m {:<30}\x1b[38;2;192;98;58m║\x1b[0m", eprintln!("\x1b[38;2;192;98;58m ║\x1b[0m \x1b[38;2;107;124;78mRouting\x1b[0m {:<30}\x1b[38;2;192;98;58m║\x1b[0m",
@@ -205,7 +205,7 @@ async fn main() -> numa::Result<()> {
// Spawn HTTP API server // Spawn HTTP API server
let api_ctx = Arc::clone(&ctx); let api_ctx = Arc::clone(&ctx);
let api_addr: SocketAddr = format!("0.0.0.0:{}", api_port).parse()?; let api_addr: SocketAddr = format!("{}:{}", config.server.api_bind_addr, api_port).parse()?;
tokio::spawn(async move { tokio::spawn(async move {
let app = numa::api::router(api_ctx); let app = numa::api::router(api_ctx);
let listener = tokio::net::TcpListener::bind(api_addr).await.unwrap(); let listener = tokio::net::TcpListener::bind(api_addr).await.unwrap();
@@ -213,12 +213,19 @@ async fn main() -> numa::Result<()> {
axum::serve(listener, app).await.unwrap(); axum::serve(listener, app).await.unwrap();
}); });
// Proxy binds 0.0.0.0 when LAN is enabled (cross-machine access), otherwise config value
let proxy_bind: std::net::Ipv4Addr = if config.lan.enabled {
std::net::Ipv4Addr::UNSPECIFIED
} else {
config.proxy.bind_addr.parse().unwrap_or(std::net::Ipv4Addr::LOCALHOST)
};
// Spawn HTTP reverse proxy for .numa domains // Spawn HTTP reverse proxy for .numa domains
if config.proxy.enabled { if config.proxy.enabled {
let proxy_ctx = Arc::clone(&ctx); let proxy_ctx = Arc::clone(&ctx);
let proxy_port = config.proxy.port; let proxy_port = config.proxy.port;
tokio::spawn(async move { tokio::spawn(async move {
numa::proxy::start_proxy(proxy_ctx, proxy_port).await; numa::proxy::start_proxy(proxy_ctx, proxy_port, proxy_bind).await;
}); });
} }
@@ -237,7 +244,7 @@ async fn main() -> numa::Result<()> {
let proxy_ctx = Arc::clone(&ctx); let proxy_ctx = Arc::clone(&ctx);
let tls_port = config.proxy.tls_port; let tls_port = config.proxy.tls_port;
tokio::spawn(async move { tokio::spawn(async move {
numa::proxy::start_proxy_tls(proxy_ctx, tls_port, tls_config).await; numa::proxy::start_proxy_tls(proxy_ctx, tls_port, proxy_bind, tls_config).await;
}); });
} }
Err(e) => { Err(e) => {

27
src/proxy.rs
View File

@@ -1,4 +1,4 @@
use std::net::SocketAddr; use std::net::{Ipv4Addr, SocketAddr};
use std::sync::Arc; use std::sync::Arc;
use axum::body::Body; use axum::body::Body;
@@ -25,8 +25,8 @@ struct ProxyState {
client: HttpClient, client: HttpClient,
} }
pub async fn start_proxy(ctx: Arc<ServerCtx>, port: u16) { pub async fn start_proxy(ctx: Arc<ServerCtx>, port: u16, bind_addr: Ipv4Addr) {
let addr: SocketAddr = ([0, 0, 0, 0], port).into(); let addr: SocketAddr = (bind_addr, port).into();
let listener = match tokio::net::TcpListener::bind(addr).await { let listener = match tokio::net::TcpListener::bind(addr).await {
Ok(l) => l, Ok(l) => l,
Err(e) => { Err(e) => {
@@ -50,8 +50,8 @@ pub async fn start_proxy(ctx: Arc<ServerCtx>, port: u16) {
axum::serve(listener, app).await.unwrap(); axum::serve(listener, app).await.unwrap();
} }
pub async fn start_proxy_tls(ctx: Arc<ServerCtx>, port: u16, tls_config: Arc<ServerConfig>) { pub async fn start_proxy_tls(ctx: Arc<ServerCtx>, port: u16, bind_addr: Ipv4Addr, tls_config: Arc<ServerConfig>) {
let addr: SocketAddr = ([0, 0, 0, 0], port).into(); let addr: SocketAddr = (bind_addr, port).into();
let listener = match tokio::net::TcpListener::bind(addr).await { let listener = match tokio::net::TcpListener::bind(addr).await {
Ok(l) => l, Ok(l) => l,
Err(e) => { Err(e) => {
@@ -135,14 +135,17 @@ async fn proxy_handler(State(state): State<ProxyState>, req: Request) -> axum::r
} }
}; };
let (target_host, target_port) = { let request_path = req.uri().path().to_string();
let (target_host, target_port, rewritten_path) = {
let store = state.ctx.services.lock().unwrap(); let store = state.ctx.services.lock().unwrap();
if let Some(entry) = store.lookup(&service_name) { if let Some(entry) = store.lookup(&service_name) {
("localhost".to_string(), entry.target_port) let (port, path) = entry.resolve_route(&request_path);
("localhost".to_string(), port, path)
} else { } else {
let mut peers = state.ctx.lan_peers.lock().unwrap(); let mut peers = state.ctx.lan_peers.lock().unwrap();
match peers.lookup(&service_name) { match peers.lookup(&service_name) {
Some((ip, port)) => (ip.to_string(), port), Some((ip, port)) => (ip.to_string(), port, request_path.clone()),
None => { None => {
return ( return (
StatusCode::NOT_FOUND, StatusCode::NOT_FOUND,
@@ -268,13 +271,9 @@ pre .str {{ color: #d48a5a }}
} }
}; };
let path_and_query = req let query_string = req.uri().query().map(|q| format!("?{}", q)).unwrap_or_default();
.uri()
.path_and_query()
.map(|pq| pq.as_str())
.unwrap_or("/");
let target_uri: hyper::Uri = let target_uri: hyper::Uri =
format!("http://{}:{}{}", target_host, target_port, path_and_query) format!("http://{}:{}{}{}", target_host, target_port, rewritten_path, query_string)
.parse() .parse()
.unwrap(); .unwrap();

70
src/service_store.rs
View File

@@ -8,6 +8,47 @@ use serde::{Deserialize, Serialize};
pub struct ServiceEntry { pub struct ServiceEntry {
pub name: String, pub name: String,
pub target_port: u16, pub target_port: u16,
#[serde(default)]
pub routes: Vec<RouteEntry>,
}
#[derive(Clone, Serialize, Deserialize)]
pub struct RouteEntry {
pub path: String,
pub port: u16,
#[serde(default)]
pub strip: bool,
}
impl ServiceEntry {
/// Resolve backend port and (possibly rewritten) path for a request
pub fn resolve_route(&self, request_path: &str) -> (u16, String) {
// Longest prefix match
let matched = self.routes.iter()
.filter(|r| {
request_path == r.path
|| request_path.starts_with(&r.path)
&& (r.path.ends_with('/') || request_path.as_bytes().get(r.path.len()) == Some(&b'/'))
})
.max_by_key(|r| r.path.len());
match matched {
Some(route) => {
let path = if route.strip {
let stripped = &request_path[route.path.len()..];
if stripped.is_empty() || !stripped.starts_with('/') {
format!("/{}", stripped.trim_start_matches('/'))
} else {
stripped.to_string()
}
} else {
request_path.to_string()
};
(route.port, path)
}
None => (self.target_port, request_path.to_string()),
}
}
} }
pub struct ServiceStore { pub struct ServiceStore {
@@ -34,7 +75,7 @@ impl ServiceStore {
} }
/// Insert a service from numa.toml config (not persisted) /// Insert a service from numa.toml config (not persisted)
pub fn insert_from_config(&mut self, name: &str, target_port: u16) { pub fn insert_from_config(&mut self, name: &str, target_port: u16, routes: Vec<RouteEntry>) {
let key = name.to_lowercase(); let key = name.to_lowercase();
self.config_services.insert(key.clone()); self.config_services.insert(key.clone());
self.entries.insert( self.entries.insert(
@@ -42,6 +83,7 @@ impl ServiceStore {
ServiceEntry { ServiceEntry {
name: key, name: key,
target_port, target_port,
routes,
}, },
); );
} }
@@ -54,11 +96,37 @@ impl ServiceStore {
ServiceEntry { ServiceEntry {
name: key, name: key,
target_port, target_port,
routes: Vec::new(),
}, },
); );
self.save(); self.save();
} }
pub fn add_route(&mut self, service: &str, path: String, port: u16, strip: bool) -> bool {
let key = service.to_lowercase();
if let Some(entry) = self.entries.get_mut(&key) {
entry.routes.retain(|r| r.path != path);
entry.routes.push(RouteEntry { path, port, strip });
self.save();
true
} else {
false
}
}
pub fn remove_route(&mut self, service: &str, path: &str) -> bool {
let key = service.to_lowercase();
if let Some(entry) = self.entries.get_mut(&key) {
let before = entry.routes.len();
entry.routes.retain(|r| r.path != path);
if entry.routes.len() < before {
self.save();
return true;
}
}
false
}
pub fn lookup(&self, name: &str) -> Option<&ServiceEntry> { pub fn lookup(&self, name: &str) -> Option<&ServiceEntry> {
self.entries.get(&name.to_lowercase()) self.entries.get(&name.to_lowercase())
} }