Add PermissionHandler to ServerConfig #134 #267
Conversation
|
This looks like a great contribution! Anything anyone outside of the PR can do to help move it along? |
rg0now
force-pushed
the
feature-permission-handler
branch
from
3d64e9b to
2cf8902
Compare
rg0now
force-pushed
the
feature-permission-handler
branch
from
2cf8902 to
be50641
Compare
Codecov ReportBase: 68.05% // Head: 68.08% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## master #267 +/- ##
==========================================
+ Coverage 68.05% 68.08% +0.03%
==========================================
Files 38 38
Lines 2432 2469 +37
==========================================
+ Hits 1655 1681 +26
- Misses 643 657 +14
+ Partials 134 131 -3
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
stv0g
left a comment
stv0g
left a comment
There was a problem hiding this comment.
I did a review of the PR. To me it looks good overall.
From my side, we could merge it :)
|
Thanks @rg0now for addressing my comments. To get this merged, we need to rebase it on the latest master and fix the commit messages as they cause the CI to fail. Do you have the capacity to do it? Or do you need some support? |
rg0now
force-pushed
the
feature-permission-handler
branch
from
c5dca04 to
6b9edbe
Compare
|
Done (hopefully): rebased on pion/turn master and fixed the failing linter warnings. Could you please approve the CI workflow again to see if anything went wrong? |
|
Thanks @rg0now, The CI is running again. But the commit messages are still not conformant to the Pion CI checks: |
|
This really baffles me: the corresponding commit message is only a single line ( |
|
I think the Codecov error is only transient.
I agree. I think the check is also too strict. Usually, most people just repeat the first line separated by an empty line. |
|
There is also another check which fails
|
rg0now
force-pushed
the
feature-permission-handler
branch
from
6b9edbe to
85adfa2
Compare
Ohh, I thought you were going to just squash-merge the whole thing in a single commit. I redid the last commit as per your advice. If this still doesn't work I can go back and re-edit the entire commit history in another branch but I'm afraid that will take another PR. Wdyt?
I tend to agree with this: One way to go about this is to separate out the two loop bodies into a separate function each. Namely, the code that sets up PacketConnConfigs and calls the readLoop from Line 68 in 371fc35 Line 85 in 371fc35 runPacketConn, and the code that sets up the ListenerConfigs from Line 90 in 371fc35 Line 114 in 371fc35 runListener or similar. Would you be willing to take such a patch?
|
|
On a related note: the fact that there is only a single readLoop per each net.PacketConn limits the max performance of UDP TURN listeners quite substantially, since there is a single thread that handles all clients connecting via the listener (see l7mp/stunner#60). This is in contrast to net.Conns, which spawn per-client-connection threads. Would you consider a somewhat intrusive patch to remove this bottleneck? |
|
I agree with both of your comments. However, lets try to get the Could you add Also please squash the commits into a single one. Afterwards, we can address the two issues which you raised. |
rg0now
force-pushed
the
feature-permission-handler
branch
from
85adfa2 to
f35ce60
Compare
Another attempt to address pion#134, see an earlier attempt in pion#222. pion#222 introduces the DeniedPeerRange stanza into the ServerConfig to implement peer address blacklisting. This approach has a couple of issues: (1) it implements only peer blacklists, but does not allow whiletelisting or filtering based on DNS, etc.;(2) it handles only the ChannelBindRequest codepath, but leaves the CreatePermission codepath (https://datatracker.ietf.org/doc/html/rfc8656#section-3.4) open; and it introduces a new package dependency on "inet.af/netaddr". This patch takes a different approach: it allows the user to specify a PermissionHandler callback for each PacketConnConfig/ListenerConfig in the ServerConfig. Whenever a permission is about to be created via the associated PacketConn/Listener (either via a ChannelBindRequest or a CreatePermission), the PermissionHandler is called with the requested peer address and it can decide whether to accommodate the permission request (return boolean true) or deny it (return false). In the latter case, a "permission request administratively prohibited" error is returned to the client. Also added tests and an example.
rg0now
force-pushed
the
feature-permission-handler
branch
from
f35ce60 to
d7a0c2f
Compare
Done. Fixed the linter warning on my side.
Done.
Sure, Looking forward to hearing your opinion. |
|
Thanks a lot @rg0now 🥳 I merged your changes and created two new issues for the problems which you identified. |
3 participants
This is another take on #134
This is another attempt to address #134, see an earlier attempt in #222
#222 introduces the DeniedPeerRange stanza into the ServerConfig to implement peer address blacklisting. This approach has a couple of issues:
This patch takes a different approach: it allows the user to specify a PermissionHandler callback for each PacketConnConfig/ListenerConfig in the ServerConfig. Whenever a permission is about to be created via the associated PacketConn/Listener (either via a ChannelBindRequest or a CreatePermission), the PermissionHandler is called with the requested peer address and it can decide whether to accommodate the permission request (return boolean true) or deny it (return false). In the latter case, a "permission request administratively prohibited" error is returned to the client.
Also added tests and an example.