Added RPC portal whitelist function, allowing only local access by default to enhance security (#929)

easytier/src/proto/rpc_impl/standalone.rs

@@ -21,7 +21,12 @@ use super::service_registry::ServiceRegistry;
 #[async_trait::async_trait]
 #[auto_impl::auto_impl(Arc, Box)]
 pub trait RpcServerHook: Send + Sync {
-    async fn on_new_client(&self, _tunnel_info: Option<TunnelInfo>) {}
+    async fn on_new_client(
+        &self,
+        tunnel_info: Option<TunnelInfo>,
+    ) -> Result<Option<TunnelInfo>, anyhow::Error> {
+        Ok(tunnel_info)
+    }
     async fn on_client_disconnected(&self, _tunnel_info: Option<TunnelInfo>) {}
 }
 
@@ -72,7 +77,13 @@ impl<L: TunnelListener + 'static> StandAloneServer<L> {
             let inflight_server = inflight.clone();
             let hook = hook.clone();
 
-            hook.on_new_client(tunnel_info.clone()).await;
+            let tunnel_info = match hook.on_new_client(tunnel_info).await {
+                Ok(info) => info,
+                Err(e) => {
+                    tracing::warn!(?e, "standalone hook.on_new_client failed");
+                    continue;
+                }
+            };
 
             inflight_server.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
             tasks.lock().unwrap().spawn(async move {

easytier/src/proto/web.proto

@@ -66,6 +66,8 @@ message NetworkConfig {
 
     optional bool enable_magic_dns = 42;
     optional bool enable_private_mode = 43;
+
+    repeated string rpc_portal_whitelists = 44;
 }
 
 message MyNodeInfo {