feat(acl): add group-based ACL rules and related structures (#1265)

* feat(acl): add group-based ACL rules and related structures

* refactor(acl): optimize group handling with Arc and improve cache management

* refactor(acl): clippy

* feat(tests): add performance tests for generate_with_proof and verify methods

* feat: update group_trust_map to use HashMap for more secure group proofs

* refactor: refactor the logic for getting and setting the trusted group

* feat(acl): support kcp/quic use group acl

* feat(proxy): optimize group retrieval by IP in Kcp and Quic proxy handlers

* feat(tests): add group-based ACL tree node test

* always allow quic proxy traffic

---------

Co-authored-by: Sijie.Sun <sunsijie@buaa.edu.cn>
Co-authored-by: sijie.sun <sijie.sun@smartx.com>
Mg Pig
2025-08-22 22:25:00 +08:00
committed by GitHub
parent 34560af141
commit 08a92a53c3
18 changed files with 1042 additions and 29 deletions
+11 -7
@@ -32,7 +32,7 @@ use crate::{
peer_conn::PeerConn,
peer_rpc::PeerRpcManagerTransport,
recv_packet_from_chan,
route_trait::{ForeignNetworkRouteInfoMap, NextHopPolicy, RouteInterface},
route_trait::{ForeignNetworkRouteInfoMap, MockRoute, NextHopPolicy, RouteInterface},
PeerPacketFilter,
},
proto::{
@@ -634,6 +634,7 @@ impl PeerManager {
let acl_filter = self.global_ctx.get_acl_filter().clone();
let global_ctx = self.global_ctx.clone();
let stats_mgr = self.global_ctx.stats_manager().clone();
let route = self.get_route();
let label_set =
LabelSet::new().with_label_type(LabelType::NetworkName(global_ctx.get_network_name()));
@@ -737,6 +738,7 @@ impl PeerManager {
true,
global_ctx.get_ipv4().map(|x| x.address()),
global_ctx.get_ipv6().map(|x| x.address()),
&route,
) {
continue;
}
@@ -914,7 +916,7 @@ impl PeerManager {
pub fn get_route(&self) -> Box<dyn Route + Send + Sync + 'static> {
match &self.route_algo_inst {
RouteAlgoInst::Ospf(route) => Box::new(route.clone()),
RouteAlgoInst::None => panic!("no route"),
RouteAlgoInst::None => Box::new(MockRoute {}),
}
}
@@ -960,11 +962,13 @@ impl PeerManager {
}
async fn run_nic_packet_process_pipeline(&self, data: &mut ZCPacket) {
if !self
.global_ctx
.get_acl_filter()
.process_packet_with_acl(data, false, None, None)
{
if !self.global_ctx.get_acl_filter().process_packet_with_acl(
data,
false,
None,
None,
&self.get_route(),
) {
return;
}