feat(net): automatic gateway configuration — port forwarding (PCP/NAT-PMP/UPnP) + private-domain DNS (RFC 2136)

.cargo/config.toml

@@ -0,0 +1,4 @@
+# LLVM codegen recurses deep enough on the apple-darwin target to overflow the
+# 2 MiB default rustc codegen-worker stack; 64 MiB clears it. Harmless on other targets.
+[env]
+RUST_MIN_STACK = "67108864"

container-runtime/src/Adapters/EffectCreator.ts

@@ -315,7 +315,9 @@ export function makeEffects(context: EffectContext): Effects {
         T.Effects["setHealth"]
       >
     },
-    setBackupProgress(...[options]: Parameters<T.Effects["setBackupProgress"]>) {
+    setBackupProgress(
+      ...[options]: Parameters<T.Effects["setBackupProgress"]>
+    ) {
       return rpcRound("set-backup-progress", options) as ReturnType<
         T.Effects["setBackupProgress"]
       >

core/Cargo.toml

@@ -100,7 +100,8 @@ futures = "0.3.28"
 gpt = "4.1.0"
 hashing-serializer = "0.1.1"
 hex = "0.4.3"
-hickory-server = { version = "0.26.1", features = ["resolver"] }
+hickory-server = { version = "0.26.1", features = ["resolver", "dnssec-ring"] }
+hkdf = "0.12"
 hmac = "0.12.1"
 http = "1.0.0"
 http-body-util = "0.1"
@@ -234,6 +235,9 @@ uuid = { version = "1.4.1", features = ["v4"] }
 visit-rs = "0.1.1"
 x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 zbus = "5.1.1"
+igd-next = { version = "0.17.1", default-features = false, features = ["aio_tokio"] }
+xmltree = "0.10"
+crab_nat = { git = "https://github.com/Start9Labs/crab_nat.git", branch = "feat/custom-pcp-options" }
 
 [dev-dependencies]
 clap_mangen = "0.2.33"

core/locales/i18n.yaml

@@ -5659,6 +5659,13 @@ about.persist-new-notification:
   fr_FR: "Persister une nouvelle notification"
   pl_PL: "Utrwal nowe powiadomienie"
 
+about.promote-or-demote-device-kind:
+  en_US: "Promote a device to a server or demote it to a client"
+  de_DE: "Ein Gerät zu einem Server hochstufen oder zu einem Client herabstufen"
+  es_ES: "Promover un dispositivo a servidor o degradarlo a cliente"
+  fr_FR: "Promouvoir un appareil en serveur ou le rétrograder en client"
+  pl_PL: "Awansuj urządzenie do serwera lub zdegraduj je do klienta"
+
 about.promote-os-registry:
   en_US: "Promote an OS version from one registry to another"
   de_DE: "Eine OS-Version von einer Registry in eine andere heraufstufen"
@@ -5981,6 +5988,13 @@ about.set-default-outbound-gateway:
   fr_FR: "Définir la passerelle sortante par défaut"
   pl_PL: "Ustaw domyślną bramę wychodzącą"
 
+about.set-device-wan:
+  en_US: "Override the WAN IP for a single device"
+  de_DE: "Die WAN-IP für ein einzelnes Gerät überschreiben"
+  es_ES: "Anular la IP WAN para un solo dispositivo"
+  fr_FR: "Remplacer l'IP WAN pour un seul appareil"
+  pl_PL: "Zastąp adres IP WAN dla pojedynczego urządzenia"
+
 about.set-echoip-urls:
   en_US: "Set the Echo IP service URLs"
   de_DE: "Die Echo-IP-Dienst-URLs festlegen"
@@ -6072,6 +6086,13 @@ about.set-subnet-dns:
   fr_FR: "Définir le DNS du sous-réseau"
   pl_PL: "Ustaw DNS podsieci"
 
+about.set-subnet-wan:
+  en_US: "Assign the WAN IP a subnet's traffic uses"
+  de_DE: "Die WAN-IP zuweisen, die der Datenverkehr eines Subnetzes verwendet"
+  es_ES: "Asignar la IP WAN que usa el tráfico de una subred"
+  fr_FR: "Attribuer l'IP WAN qu'utilise le trafic d'un sous-réseau"
+  pl_PL: "Przypisz adres IP WAN używany przez ruch podsieci"
+
 about.set-user-interface-password:
   en_US: "Set user interface password"
   de_DE: "Passwort der Benutzeroberfläche festlegen"
@@ -6289,9 +6310,58 @@ about.update-port-forward-label:
   fr_FR: "Mettre à jour le libellé d'une redirection de port"
   pl_PL: "Zaktualizuj etykietę przekierowania portu"
 
+about.update-tunnel:
+  en_US: "Replace a gateway's WireGuard config in place, keeping its identity"
+  de_DE: "Die WireGuard-Konfiguration eines Gateways direkt ersetzen, unter Beibehaltung seiner Identität"
+  es_ES: "Reemplazar la configuración WireGuard de un gateway in situ, conservando su identidad"
+  fr_FR: "Remplacer la configuration WireGuard d'une passerelle sur place, en conservant son identité"
+  pl_PL: "Zastąp konfigurację WireGuard bramy w miejscu, zachowując jej tożsamość"
+
 about.view-edit-gateway-configs:
   en_US: "View and edit gateway configurations"
   de_DE: "Gateway-Konfigurationen anzeigen und bearbeiten"
   es_ES: "Ver y editar configuraciones de gateway"
   fr_FR: "Voir et modifier les configurations de passerelle"
   pl_PL: "Wyświetl i edytuj konfiguracje bramy"
+
+about.add-or-replace-a-dns-record:
+  en_US: "Add or replace a DNS record"
+  de_DE: "Einen DNS-Eintrag hinzufügen oder ersetzen"
+  es_ES: "Agregar o reemplazar un registro DNS"
+  fr_FR: "Ajouter ou remplacer un enregistrement DNS"
+  pl_PL: "Dodaj lub zastąp rekord DNS"
+
+about.allow-or-deny-device-dns-injection:
+  en_US: "Allow or deny a device to inject DNS records"
+  de_DE: "Einem Gerät das Einfügen von DNS-Einträgen erlauben oder verweigern"
+  es_ES: "Permitir o denegar que un dispositivo inyecte registros DNS"
+  fr_FR: "Autoriser ou refuser à un appareil d'injecter des enregistrements DNS"
+  pl_PL: "Zezwól lub odmów urządzeniu wstrzykiwania rekordów DNS"
+
+about.allow-or-deny-device-auto-port-forward:
+  en_US: "Allow or deny a device to auto-create port forwards"
+  de_DE: "Einem Gerät das automatische Erstellen von Portweiterleitungen erlauben oder verweigern"
+  es_ES: "Permitir o denegar que un dispositivo cree reenvíos de puertos automáticamente"
+  fr_FR: "Autoriser ou refuser à un appareil de créer automatiquement des redirections de ports"
+  pl_PL: "Zezwól lub odmów urządzeniu automatycznego tworzenia przekierowań portów"
+
+about.list-injected-dns-records:
+  en_US: "List injected DNS records"
+  de_DE: "Eingefügte DNS-Einträge auflisten"
+  es_ES: "Listar registros DNS inyectados"
+  fr_FR: "Lister les enregistrements DNS injectés"
+  pl_PL: "Wyświetl wstrzyknięte rekordy DNS"
+
+about.remove-a-dns-record:
+  en_US: "Remove a DNS record"
+  de_DE: "Einen DNS-Eintrag entfernen"
+  es_ES: "Eliminar un registro DNS"
+  fr_FR: "Supprimer un enregistrement DNS"
+  pl_PL: "Usuń rekord DNS"
+
+about.view-or-edit-injected-dns-records:
+  en_US: "View or edit injected DNS records"
+  de_DE: "Eingefügte DNS-Einträge anzeigen oder bearbeiten"
+  es_ES: "Ver o editar registros DNS inyectados"
+  fr_FR: "Voir ou modifier les enregistrements DNS injectés"
+  pl_PL: "Wyświetl lub edytuj wstrzyknięte rekordy DNS"

core/man/start-tunnel/start-tunnel-device-set-dns-injection.1

@@ -0,0 +1,22 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-tunnel-device-set-dns-injection 1  "set-dns-injection " 
+.SH NAME
+start\-tunnel\-device\-set\-dns\-injection \- Allow or deny a device to inject DNS records
+.SH SYNOPSIS
+\fBstart\-tunnel device set\-dns\-injection\fR [\fB\-\-enabled\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fISUBNET\fR> <\fIIP\fR> 
+.SH DESCRIPTION
+Allow or deny a device to inject DNS records
+.SH OPTIONS
+.TP
+\fB\-\-enabled\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fISUBNET\fR>
+
+.TP
+<\fIIP\fR>
+

core/man/start-tunnel/start-tunnel-device.1

@@ -22,5 +22,8 @@ List devices in a subnet
 start\-tunnel\-device\-remove(1)
 Remove device from subnet
 .TP
+start\-tunnel\-device\-set\-dns\-injection(1)
+Allow or deny a device to inject DNS records
+.TP
 start\-tunnel\-device\-show\-config(1)
 Show WireGuard configuration for device

core/man/start-tunnel/start-tunnel-dns-add.1

@@ -0,0 +1,25 @@
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.TH start-tunnel-dns-add 1  "add " 
+.SH NAME
+start\-tunnel\-dns\-add \- Add or replace a DNS record
+.SH SYNOPSIS
+\fBstart\-tunnel dns add\fR <\fB\-\-type\fR> [\fB\-\-ttl\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fINAME\fR> <\fIVALUE\fR> 
+.SH DESCRIPTION
+Add or replace a DNS record
+.SH OPTIONS
+.TP
+\fB\-\-type\fR \fI<RTYPE>\fR
+
+.TP
+\fB\-\-ttl\fR \fI<TTL>\fR
+
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help
+.TP
+<\fINAME\fR>
+
+.TP
+<\fIVALUE\fR>
+