multi_fix: harden peer/session handling, tighten foreign-network trust, and improve web client metadata (#1999)

* machine-id should be scoped unbder same user-id * feat: report device os metadata to console * fix sync root key cause packet loss * fix tun packet not invalid * fix faketcp cause lat jitter * fix some packet not decrypt * fix peer info patch, improve performance of update self info * fix foreign credential identity mismatch handling
2026-05-07 02:09:06 +00:00 · 2026-03-21 21:06:07 +08:00
parent 77966916c4
commit 2bfdd44759
24 changed files with 1381 additions and 358 deletions
@@ -819,17 +819,15 @@ impl PeerManager {
                            tracing::error!(?e, "decrypt failed");
                            continue;
                        }
-                    } else if !peers.has_peer(from_peer_id)
-                        && !foreign_client.has_next_hop(from_peer_id)
-                    {
+                    } else if hdr.is_encrypted() {
                        match relay_peer_map.decrypt_if_needed(&mut ret).await {
                            Ok(true) => {}
                            Ok(false) => {
-                                tracing::error!("relay session not found");
+                                tracing::error!("secure session not found");
                                continue;
                            }
                            Err(e) => {
-                                tracing::error!(?e, "relay decrypt failed");
+                                tracing::error!(?e, "secure decrypt failed");
                                continue;
                            }
                        }
@@ -904,6 +902,16 @@ impl PeerManager {
            async fn try_process_packet_from_peer(&self, packet: ZCPacket) -> Option<ZCPacket> {
                let hdr = packet.peer_manager_header().unwrap();
                if hdr.packet_type == PacketType::Data as u8 && !hdr.is_not_send_to_tun() {
+                    if hdr.is_encrypted() || hdr.is_compressed() {
+                        tracing::warn!(
+                            from_peer_id = hdr.from_peer_id.get(),
+                            to_peer_id = hdr.to_peer_id.get(),
+                            encrypted = hdr.is_encrypted(),
+                            compressed = hdr.is_compressed(),
+                            "dropping packet before nic because it is not fully decoded"
+                        );
+                        return None;
+                    }
                    tracing::trace!(?packet, "send packet to nic channel");
                    // TODO: use a function to get the body ref directly for zero copy
                    let _ = self.nic_channel.send(packet).await;
@@ -989,6 +997,11 @@ impl PeerManager {
                }
            }

+            async fn get_peer_public_key(&self, peer_id: PeerId) -> Option<Vec<u8>> {
+                let peer_map = self.peers.upgrade()?;
+                peer_map.get_peer_public_key(peer_id)
+            }
+
            async fn get_peer_identity_type(&self, peer_id: PeerId) -> Option<PeerIdentityType> {
                let peer_map = self.peers.upgrade()?;
                peer_map.get_peer_identity_type(peer_id)