fix packet split on udp tunnel and avoid tcp proxy access rpc portal (#2107)

* distinct control / data when forward packets
* fix rpc split for udp tunnel
* feat(easytier-web): pass public ip in validate token webhook
* protect rpc port from subnet proxy

easytier/src/common/global_ctx.rs

@@ -28,6 +28,7 @@ use crate::{
         common::{PeerFeatureFlag, PortForwardConfigPb},
         peer_rpc::PeerGroupInfo,
     },
+    rpc_service::protected_port,
     tunnel::matches_protocol,
 };
 use crossbeam::atomic::AtomicCell;
@@ -658,6 +659,7 @@ impl GlobalCtx {
         if dst_is_local_virtual_ip || dst_is_local_phy_ip {
             // if is local ip, make sure the port is not one of the listening ports
             self.is_port_in_running_listeners(dst_addr.port(), is_udp)
+                || (!is_udp && protected_port::is_protected_tcp_port(dst_addr.port()))
         } else {
             false
         }
@@ -765,6 +767,23 @@ pub mod tests {
         assert!(feature_flags.is_public_server);
     }
 
+    #[tokio::test]
+    async fn should_deny_proxy_for_process_wide_rpc_port() {
+        protected_port::clear_protected_tcp_ports_for_test();
+        protected_port::register_protected_tcp_port(15888);
+
+        let config = TomlConfigLoader::default();
+        let global_ctx = GlobalCtx::new(config);
+        let rpc_addr = SocketAddr::from(([127, 0, 0, 1], 15888));
+        let other_tcp_addr = SocketAddr::from(([127, 0, 0, 1], 15889));
+
+        assert!(global_ctx.should_deny_proxy(&rpc_addr, false));
+        assert!(!global_ctx.should_deny_proxy(&rpc_addr, true));
+        assert!(!global_ctx.should_deny_proxy(&other_tcp_addr, false));
+
+        protected_port::clear_protected_tcp_ports_for_test();
+    }
+
     pub fn get_mock_global_ctx_with_network(
         network_identy: Option<NetworkIdentity>,
     ) -> ArcGlobalCtx {