apparmor: add yggdrasilctl policy (#1235)

as it is long gone from the daemon code
and unexpectedly kills the daemon

.github/workflows/ci.yml

@@ -51,7 +51,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.22", "1.23", "1.24"]
 
     name: Build & Test (Linux, Go ${{ matrix.goversion }})
     needs: [lint]
@@ -75,7 +75,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.22", "1.23", "1.24"]
 
     name: Build & Test (Windows, Go ${{ matrix.goversion }})
     needs: [lint]
@@ -99,7 +99,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.22", "1.23", "1.24"]
 
     name: Build & Test (macOS, Go ${{ matrix.goversion }})
     needs: [lint]
@@ -123,7 +123,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.22", "1.23", "1.24"]
         goos:
           - freebsd
           - openbsd

CHANGELOG.md

@@ -26,6 +26,61 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - in case of vulnerabilities.
 -->
 
+## [0.5.12] - 2024-12-18
+
+* Go 1.22 is now required to build Yggdrasil
+
+### Changed
+
+* The `latency_ms` field in the admin socket `getPeers` response has been renamed to `latency`
+
+### Fixed
+
+* A timing regression which causes a higher level of idle protocol traffic on each peering has been fixed
+* The `-user` flag now correctly detects an empty user/group specification
+
+## [0.5.11] - 2024-12-12
+
+### Added
+
+* Support for `unveil` and `pledge` on OpenBSD
+
+### Changed
+
+* The parent selection algorithm now only chooses a new parent if there is a larger cost benefit to doing so, which should help to stabilise the tree
+* The bloom filters are now repropagated periodically, to avoid nodes getting stuck with bad state
+
+### Fixed
+
+* A memory leak caused by missed cleanup of the peer response map has been fixed
+* Other bug fixes with bloom filter propagation for off-tree filters and zero vs one bits
+* TLS-based peering connections now support TLS 1.2 again
+
+## [0.5.10] - 2024-11-24
+
+### Added
+
+* The `getPeers` admin endpoint will now report the current transmit/receive rate for each given peer
+* The `getMulticastInterfaces` admin endpoint now reports much more useful information about each interface, rather than just a list of interface names
+
+### Changed
+
+* Minor tweaks to the routing algorithm:
+  * The next-hop selection will now prefer shorter paths when the costed distance is otherwise equal, tiebreaking on peering uptime to fall back to more stable paths
+  * Link cost calculations have been smoothed out, making the costs less sensitive to sudden spikes in latency
+* Reusable name lookup and peer connection logic across different peering types for more consistent behaviour
+* Some comments in the configuration file have been revised for clarity
+* Upgrade dependencies
+
+### Fixed
+
+* Nodes with `IfName` set to `none` will now correctly respond to debug RPC requests
+* The admin socket will now be created reliably before dropping privileges with `-user`
+* Clear supplementary groups when providing a group ID as well as a user ID to `-user`
+* SOCKS and WebSocket peerings should now use the correct source interface when specified in `InterfacePeers`
+* `Peers` and `InterfacePeers` addresses that are obviously invalid (such as unspecified or multicast addresses) will now be correctly ignored
+* Listeners should now shut down correctly, which should resolve issues where multicast listeners for specific interfaces would not come back up or would log errors
+
 ## [0.5.9] - 2024-10-19
 
 ### Added

README.md

@@ -24,7 +24,7 @@ or tools in the `contrib` folder.
 If you want to build from source, as opposed to installing one of the pre-built
 packages:
 
-1. Install [Go](https://golang.org) (requires Go 1.21 or later)
+1. Install [Go](https://golang.org) (requires Go 1.22 or later)
 2. Clone this repository
 2. Run `./build`
 

cmd/genkeys/main.go

@@ -18,18 +18,27 @@ import (
 	"runtime"
 	"time"
 
+	"suah.dev/protect"
+
 	"github.com/yggdrasil-network/yggdrasil-go/src/address"
 )
 
 type keySet struct {
 	priv ed25519.PrivateKey
 	pub  ed25519.PublicKey
+	count uint64
 }
 
 func main() {
+	if err := protect.Pledge("stdio"); err != nil {
+		panic(err)
+	}
+
 	threads := runtime.GOMAXPROCS(0)
 	fmt.Println("Threads:", threads)
 	start := time.Now()
+	var totalKeys uint64
+	totalKeys = 0
 	var currentBest ed25519.PublicKey
 	newKeys := make(chan keySet, threads)
 	for i := 0; i < threads; i++ {
@@ -38,8 +47,9 @@ func main() {
 	for {
 		newKey := <-newKeys
 		if isBetter(currentBest, newKey.pub) || len(currentBest) == 0 {
+			totalKeys += newKey.count
 			currentBest = newKey.pub
-			fmt.Println("-----", time.Since(start))
+			fmt.Println("-----", time.Since(start), "---", totalKeys, "keys tried")
 			fmt.Println("Priv:", hex.EncodeToString(newKey.priv))
 			fmt.Println("Pub:", hex.EncodeToString(newKey.pub))
 			addr := address.AddrForKey(newKey.pub)
@@ -62,11 +72,14 @@ func isBetter(oldPub, newPub ed25519.PublicKey) bool {
 
 func doKeys(out chan<- keySet) {
 	bestKey := make(ed25519.PublicKey, ed25519.PublicKeySize)
+	var count uint64
+	count = 0
 	for idx := range bestKey {
 		bestKey[idx] = 0xff
 	}
 	for {
 		pub, priv, err := ed25519.GenerateKey(nil)
+		count++
 		if err != nil {
 			panic(err)
 		}
@@ -74,6 +87,7 @@ func doKeys(out chan<- keySet) {
 			continue
 		}
 		bestKey = pub
-		out <- keySet{priv, pub}
+		out <- keySet{priv, pub, count}
+		count = 0
 	}
 }

cmd/yggdrasil/chuser_unix.go

@@ -4,83 +4,59 @@
 package main
 
 import (
-	"errors"
 	"fmt"
-	"math"
-	osuser "os/user"
+	"os/user"
 	"strconv"
 	"strings"
-	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
-func chuser(user string) error {
-	group := ""
-	if i := strings.IndexByte(user, ':'); i >= 0 {
-		user, group = user[:i], user[i+1:]
+func chuser(input string) error {
+	givenUser, givenGroup, _ := strings.Cut(input, ":")
+	if givenUser == "" {
+		return fmt.Errorf("user is empty")
+	}
+	if strings.Contains(input, ":") && givenGroup == "" {
+		return fmt.Errorf("group is empty")
 	}
 
-	u := (*osuser.User)(nil)
-	g := (*osuser.Group)(nil)
+	var (
+		err      error
+		usr      *user.User
+		grp      *user.Group
+		uid, gid int
+	)
 
-	if user != "" {
-		if _, err := strconv.ParseUint(user, 10, 32); err == nil {
-			u, err = osuser.LookupId(user)
-			if err != nil {
-				return fmt.Errorf("failed to lookup user by id %q: %v", user, err)
-			}
-		} else {
-			u, err = osuser.Lookup(user)
-			if err != nil {
-				return fmt.Errorf("failed to lookup user by name %q: %v", user, err)
-			}
+	if usr, err = user.LookupId(givenUser); err != nil {
+		if usr, err = user.Lookup(givenUser); err != nil {
+			return err
 		}
 	}
-	if group != "" {
-		if _, err := strconv.ParseUint(group, 10, 32); err == nil {
-			g, err = osuser.LookupGroupId(group)
-			if err != nil {
-				return fmt.Errorf("failed to lookup group by id %q: %v", user, err)
-			}
-		} else {
-			g, err = osuser.LookupGroup(group)
-			if err != nil {
-				return fmt.Errorf("failed to lookup group by name %q: %v", user, err)
-			}
-		}
+	if uid, err = strconv.Atoi(usr.Uid); err != nil {
+		return err
 	}
 
-	if g != nil {
-		gid, _ := strconv.ParseUint(g.Gid, 10, 32)
-		var err error
-		if gid < math.MaxInt {
-			err = syscall.Setgid(int(gid))
-		} else {
-			err = errors.New("gid too big")
+	if givenGroup != "" {
+		if grp, err = user.LookupGroupId(givenGroup); err != nil {
+			if grp, err = user.LookupGroup(givenGroup); err != nil {
+				return err
+			}
 		}
 
-		if err != nil {
-			return fmt.Errorf("failed to setgid %d: %v", gid, err)
-		}
-	} else if u != nil {
-		gid, _ := strconv.ParseUint(u.Gid, 10, 32)
-		err := syscall.Setgid(int(uint32(gid)))
-		if err != nil {
-			return fmt.Errorf("failed to setgid %d: %v", gid, err)
-		}
+		gid, _ = strconv.Atoi(grp.Gid)
+	} else {
+		gid, _ = strconv.Atoi(usr.Gid)
 	}
 
-	if u != nil {
-		uid, _ := strconv.ParseUint(u.Uid, 10, 32)
-		var err error
-		if uid < math.MaxInt {
-			err = syscall.Setuid(int(uid))
-		} else {
-			err = errors.New("uid too big")
-		}
-
-		if err != nil {
-			return fmt.Errorf("failed to setuid %d: %v", uid, err)
-		}
+	if err := unix.Setgroups([]int{gid}); err != nil {
+		return fmt.Errorf("setgroups: %d: %v", gid, err)
+	}
+	if err := unix.Setgid(gid); err != nil {
+		return fmt.Errorf("setgid: %d: %v", gid, err)
+	}
+	if err := unix.Setuid(uid); err != nil {
+		return fmt.Errorf("setuid: %d: %v", uid, err)
 	}
 
 	return nil

cmd/yggdrasil/chuser_unix_test.go

@@ -0,0 +1,80 @@
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
+// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
+
+package main
+
+import (
+	"os/user"
+	"testing"
+)
+
+// Usernames must not contain a number sign.
+func TestEmptyString(t *testing.T) {
+	if chuser("") == nil {
+		t.Fatal("the empty string is not a valid user")
+	}
+}
+
+// Either omit delimiter and group, or omit both.
+func TestEmptyGroup(t *testing.T) {
+	if chuser("0:") == nil {
+		t.Fatal("the empty group is not allowed")
+	}
+}
+
+// Either user only or user and group.
+func TestGroupOnly(t *testing.T) {
+	if chuser(":0") == nil {
+		t.Fatal("group only is not allowed")
+	}
+}
+
+// Usenames must not contain the number sign.
+func TestInvalidUsername(t *testing.T) {
+	const username = "#user"
+	if chuser(username) == nil {
+		t.Fatalf("'%s' is not a valid username", username)
+	}
+}
+
+// User IDs must be non-negative.
+func TestInvalidUserid(t *testing.T) {
+	if chuser("-1") == nil {
+		t.Fatal("User ID cannot be negative")
+	}
+}
+
+// Change to the current user by ID.
+func TestCurrentUserid(t *testing.T) {
+	usr, err := user.Current()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if usr.Uid != "0" {
+		t.Skip("setgroups(2): Only the superuser may set new groups.")
+	}
+
+	if err = chuser(usr.Uid); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Change to a common user by name.
+func TestCommonUsername(t *testing.T) {
+	usr, err := user.Current()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if usr.Uid != "0" {
+		t.Skip("setgroups(2): Only the superuser may set new groups.")
+	}
+
+	if err := chuser("nobody"); err != nil {
+		if _, ok := err.(user.UnknownUserError); ok {
+			t.Skip(err)
+		}
+		t.Fatal(err)
+	}
+}

cmd/yggdrasil/main.go

@@ -14,6 +14,8 @@ import (
 	"strings"
 	"syscall"
 
+	"suah.dev/protect"
+
 	"github.com/gologme/log"
 	gsyslog "github.com/hashicorp/go-syslog"
 	"github.com/hjson/hjson-go/v4"
@@ -39,6 +41,20 @@ type node struct {
 
 // The main function is responsible for configuring and starting Yggdrasil.
 func main() {
+	// Not all operations are coverable with pledge(2), so immediately
+	// limit file system access with unveil(2), effectively preventing
+	// "proc exec" promises right from the start:
+	//
+	// - read arbitrary config file
+	// - create/write arbitrary log file
+	// - read/write/chmod/remove admin socket, if at all
+	if err := protect.Unveil("/", "rwc"); err != nil {
+		panic(fmt.Sprintf("unveil: / rwc: %v", err))
+	}
+	if err := protect.UnveilBlock(); err != nil {
+		panic(fmt.Sprintf("unveil: %v", err))
+	}
+
 	genconf := flag.Bool("genconf", false, "print a new config to stdout")
 	useconf := flag.Bool("useconf", false, "read HJSON/JSON config from stdin")
 	useconffile := flag.String("useconffile", "", "read HJSON/JSON config from specified file path")
@@ -191,9 +207,16 @@ func main() {
 
 	// Set up the Yggdrasil node itself.
 	{
+		iprange := net.IPNet{
+			IP:   net.ParseIP("200::"),
+			Mask: net.CIDRMask(7, 128),
+		}
 		options := []core.SetupOption{
 			core.NodeInfo(cfg.NodeInfo),
 			core.NodeInfoPrivacy(cfg.NodeInfoPrivacy),
+			core.PeerFilter(func(ip net.IP) bool {
+				return !iprange.Contains(ip)
+			}),
 		}
 		for _, addr := range cfg.Listen {
 			options = append(options, core.ListenAddress(addr))
@@ -289,6 +312,21 @@ func main() {
 		}
 	}
 
+	// Promise final modes of operation.  At this point, if at all:
+	// - raw socket is created/open
+	// - admin socket is created/open
+	// - privileges are dropped to non-root user
+	//
+	// Peers, InterfacePeers, Listen can be UNIX sockets;
+	// Go's net.Listen.Close() deletes files on shutdown.
+	promises := []string{"stdio", "cpath", "inet", "unix", "dns"}
+	if len(cfg.MulticastInterfaces) > 0 {
+		promises = append(promises, "mcast")
+	}
+	if err := protect.Pledge(strings.Join(promises, " ")); err != nil {
+		panic(fmt.Sprintf("pledge: %v: %v", promises, err))
+	}
+
 	// Block until we are told to shut down.
 	<-ctx.Done()
 

cmd/yggdrasilctl/main.go

@@ -13,6 +13,8 @@ import (
 	"strings"
 	"time"
 
+	"suah.dev/protect"
+
 	"github.com/olekukonko/tablewriter"
 	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
 	"github.com/yggdrasil-network/yggdrasil-go/src/core"
@@ -22,6 +24,11 @@ import (
 )
 
 func main() {
+	// read config, speak DNS/TCP and/or over a UNIX socket
+	if err := protect.Pledge("stdio rpath inet unix dns"); err != nil {
+		panic(err)
+	}
+
 	// makes sure we can use defer and still return an error code to the OS
 	os.Exit(run())
 }
@@ -78,6 +85,11 @@ func run() int {
 		panic(err)
 	}
 
+	// config and socket are done, work without unprivileges
+	if err := protect.Pledge("stdio"); err != nil {
+		panic(err)
+	}
+
 	logger.Println("Connected")
 	defer conn.Close()
 
@@ -174,9 +186,9 @@ func run() int {
 		if err := json.Unmarshal(recv.Response, &resp); err != nil {
 			panic(err)
 		}
-		table.SetHeader([]string{"URI", "State", "Dir", "IP Address", "Uptime", "RTT", "RX", "TX", "Pr", "Cost", "Last Error"})
+		table.SetHeader([]string{"URI", "State", "Dir", "IP Address", "Uptime", "RTT", "RX", "TX", "Down", "Up", "Pr", "Cost", "Last Error"})
 		for _, peer := range resp.Peers {
-			state, lasterr, dir, rtt := "Up", "-", "Out", "-"
+			state, lasterr, dir, rtt, rxr, txr := "Up", "-", "Out", "-", "-", "-"
 			if !peer.Up {
 				state, lasterr = "Down", fmt.Sprintf("%s ago: %s", peer.LastErrorTime.Round(time.Second), peer.LastError)
 			} else if rttms := float64(peer.Latency.Microseconds()) / 1000; rttms > 0 {
@@ -190,6 +202,12 @@ func run() int {
 				uri.RawQuery = ""
 				uristring = uri.String()
 			}
+			if peer.RXRate > 0 {
+				rxr = peer.RXRate.String() + "/s"
+			}
+			if peer.TXRate > 0 {
+				txr = peer.TXRate.String() + "/s"
+			}
 			table.Append([]string{
 				uristring,
 				state,
@@ -199,6 +217,8 @@ func run() int {
 				rtt,
 				peer.RXBytes.String(),
 				peer.TXBytes.String(),
+				rxr,
+				txr,
 				fmt.Sprintf("%d", peer.Priority),
 				fmt.Sprintf("%d", peer.Cost),
 				lasterr,
@@ -273,9 +293,21 @@ func run() int {
 		if err := json.Unmarshal(recv.Response, &resp); err != nil {
 			panic(err)
 		}
-		table.SetHeader([]string{"Interface"})
+		fmtBool := func(b bool) string {
+			if b {
+				return "Yes"
+			}
+			return "-"
+		}
+		table.SetHeader([]string{"Name", "Listen Address", "Beacon", "Listen", "Password"})
 		for _, p := range resp.Interfaces {
-			table.Append([]string{p})
+			table.Append([]string{
+				p.Name,
+				p.Address,
+				fmtBool(p.Beacon),
+				fmtBool(p.Listen),
+				fmtBool(p.Password),
+			})
 		}
 		table.Render()
 

contrib/apparmor/usr.bin.yggdrasilctl

@@ -0,0 +1,11 @@
+# Last Modified: Mon Feb  3 22:19:45 2025
+include <tunables/global>
+
+/usr/bin/yggdrasilctl {
+  include <abstractions/base>
+
+  /etc/yggdrasil.conf rw,
+  /run/yggdrasil.sock rw,
+  owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+}

contrib/deb/generate.sh

@@ -50,11 +50,12 @@ echo 9 > /tmp/$PKGNAME/debian/compat
 cat > /tmp/$PKGNAME/debian/control << EOF
 Package: $PKGNAME
 Version: $PKGVERSION
-Section: contrib/net
-Priority: extra
+Section: golang
+Priority: optional
 Architecture: $PKGARCH
 Replaces: $PKGREPLACES
 Conflicts: $PKGREPLACES
+Depends: systemd
 Maintainer: Neil Alexander <neilalexander@users.noreply.github.com>
 Description: Yggdrasil Network
  Yggdrasil is an early-stage implementation of a fully end-to-end encrypted IPv6
@@ -102,7 +103,7 @@ then
 
   echo "Normalising and updating /etc/yggdrasil/yggdrasil.conf"
   /usr/bin/yggdrasil -useconf -normaliseconf < /var/backups/yggdrasil.conf.`date +%Y%m%d` > /etc/yggdrasil/yggdrasil.conf
-  
+
   chown root:yggdrasil /etc/yggdrasil/yggdrasil.conf
   chmod 640 /etc/yggdrasil/yggdrasil.conf
 else

contrib/mobile/mobile.go

@@ -1,6 +1,7 @@
 package mobile
 
 import (
+	"crypto/ed25519"
 	"encoding/hex"
 	"encoding/json"
 	"net"
@@ -53,7 +54,15 @@ func (m *Yggdrasil) StartJSON(configjson []byte) error {
 	}
 	// Set up the Yggdrasil node itself.
 	{
-		options := []core.SetupOption{}
+		iprange := net.IPNet{
+			IP:   net.ParseIP("200::"),
+			Mask: net.CIDRMask(7, 128),
+		}
+		options := []core.SetupOption{
+			core.PeerFilter(func(ip net.IP) bool {
+				return !iprange.Contains(ip)
+			}),
+		}
 		for _, peer := range m.config.Peers {
 			options = append(options, core.Peer{URI: peer})
 		}
@@ -265,3 +274,28 @@ func (m *Yggdrasil) GetMTU() int {
 func GetVersion() string {
 	return version.BuildVersion()
 }
+
+type ConfigSummary struct {
+	PublicKey   string
+	IPv6Address string
+	IPv6Subnet  string
+}
+
+func SummaryForConfig(b []byte) *ConfigSummary {
+	cfg := config.GenerateConfig()
+	if err := cfg.UnmarshalHJSON(b); err != nil {
+		return nil
+	}
+	pub := ed25519.PrivateKey(cfg.PrivateKey).Public().(ed25519.PublicKey)
+	hpub := hex.EncodeToString(pub)
+	addr := net.IP(address.AddrForKey(pub)[:])
+	snet := net.IPNet{
+		IP:   append(address.SubnetForKey(pub)[:], 0, 0, 0, 0, 0, 0, 0, 0),
+		Mask: net.CIDRMask(64, 128),
+	}
+	return &ConfigSummary{
+		PublicKey:   hpub,
+		IPv6Address: addr.String(),
+		IPv6Subnet:  snet.String(),
+	}
+}

contrib/openrc/yggdrasil

@@ -6,7 +6,6 @@ CONFFILE="/etc/yggdrasil.conf"
 pidfile="/run/${RC_SVCNAME}.pid"
 
 command="/usr/bin/yggdrasil"
-extra_started_commands="reload"
 
 depend() {
 	use net dns logger
@@ -42,12 +41,6 @@ start() {
 	eend $?
 }
 
-reload() {
-	ebegin "Reloading ${RC_SVCNAME}"
-	start-stop-daemon --signal HUP --pidfile "${pidfile}"
-	eend $?
-}
-
 stop() {
 	ebegin "Stopping ${RC_SVCNAME}"
 	start-stop-daemon --stop --pidfile "${pidfile}" --exec "${command}"

go.mod

@@ -1,9 +1,9 @@
 module github.com/yggdrasil-network/yggdrasil-go
 
-go 1.21
+go 1.22
 
 require (
-	github.com/Arceliar/ironwood v0.0.0-20241016082300-f6fb9da97a17
+	github.com/Arceliar/ironwood v0.0.0-20241213013129-743fe2fccbd3
 	github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d
 	github.com/cheggaaa/pb/v3 v3.1.5
 	github.com/coder/websocket v1.8.12
@@ -11,13 +11,13 @@ require (
 	github.com/hashicorp/go-syslog v1.0.0
 	github.com/hjson/hjson-go/v4 v4.4.0
 	github.com/kardianos/minwinsvc v1.0.2
-	github.com/quic-go/quic-go v0.46.0
+	github.com/quic-go/quic-go v0.48.2
 	github.com/vishvananda/netlink v1.3.0
 	github.com/wlynxg/anet v0.0.5
-	golang.org/x/crypto v0.28.0
-	golang.org/x/net v0.30.0
-	golang.org/x/sys v0.26.0
-	golang.org/x/text v0.19.0
+	golang.org/x/crypto v0.33.0
+	golang.org/x/net v0.35.0
+	golang.org/x/sys v0.30.0
+	golang.org/x/text v0.22.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	golang.zx2c4.com/wireguard/windows v0.5.3
@@ -31,18 +31,19 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	go.uber.org/mock v0.4.0 // indirect
+	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/tools v0.23.0 // indirect
 )
 
 require (
 	github.com/VividCortex/ewma v1.2.0 // indirect
-	github.com/fatih/color v1.15.0 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
+	suah.dev/protect v1.2.4
 )

go.sum

@@ -1,5 +1,5 @@
-github.com/Arceliar/ironwood v0.0.0-20241016082300-f6fb9da97a17 h1:uOvHqPwu09ndYZQDUL6QvyDcz0M9kwooKYa/PEfLwIU=
-github.com/Arceliar/ironwood v0.0.0-20241016082300-f6fb9da97a17/go.mod h1:6WP4799FX0OuWdENGQAh+0RXp9FLh0y7NZ7tM9cJyXk=
+github.com/Arceliar/ironwood v0.0.0-20241213013129-743fe2fccbd3 h1:d8N0z+udAnbU5PdjpLSNPTWlqeU/nnYsQ42B6+879aw=
+github.com/Arceliar/ironwood v0.0.0-20241213013129-743fe2fccbd3/go.mod h1:SrrElc3FFMpYCODSr11jWbLFeOM8WsY+DbDY/l2AXF0=
 github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d h1:UK9fsWbWqwIQkMCz1CP+v5pGbsGoWAw6g4AyvMpm1EM=
 github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d/go.mod h1:BCnxhRf47C/dy/e/D2pmB8NkB3dQVIrkD98b220rx5Q=
 github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
@@ -19,8 +19,8 @@ github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3C
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
@@ -45,11 +45,11 @@ github.com/kardianos/minwinsvc v1.0.2/go.mod h1:LUZNYhNmxujx2tR7FbdxqYJ9XDDoCd3M
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
@@ -58,89 +58,49 @@ github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/quic-go/quic-go v0.46.0 h1:uuwLClEEyk1DNvchH8uCByQVjo3yKL9opKulExNDs7Y=
-github.com/quic-go/quic-go v0.46.0/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI=
+github.com/quic-go/quic-go v0.48.2 h1:wsKXZPeGWpMpCGSWqOcqpW2wZYic/8T3aqiOID0/KWE=
+github.com/quic-go/quic-go v0.48.2/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg=
 github.com/twmb/murmur3 v1.1.6/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ=
 github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
 github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU=
 github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
-go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
 golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
 golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
@@ -155,3 +115,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
+suah.dev/protect v1.2.4 h1:iVZG/zQB63FKNpITDYM/cXoAeCTIjCiXHuFVByJFDzg=
+suah.dev/protect v1.2.4/go.mod h1:vVrquYO3u1Ep9Ez2z8x+6N6/czm+TBmWKZfiXU2tb54=

src/address/address.go

@@ -113,7 +113,7 @@ func SubnetForKey(publicKey ed25519.PublicKey) *Subnet {
 	return &snet
 }
 
-// GetKet returns the partial ed25519.PublicKey for the Address.
+// GetKey returns the partial ed25519.PublicKey for the Address.
 // This is used for key lookup.
 func (a *Address) GetKey() ed25519.PublicKey {
 	var key [ed25519.PublicKeySize]byte
@@ -141,7 +141,7 @@ func (a *Address) GetKey() ed25519.PublicKey {
 	return ed25519.PublicKey(key[:])
 }
 
-// GetKet returns the partial ed25519.PublicKey for the Subnet.
+// GetKey returns the partial ed25519.PublicKey for the Subnet.
 // This is used for key lookup.
 func (s *Subnet) GetKey() ed25519.PublicKey {
 	var addr Address

src/admin/admin.go

@@ -83,6 +83,52 @@ func New(c *core.Core, log core.Logger, opts ...SetupOption) (*AdminSocket, erro
 	if a.config.listenaddr == "none" || a.config.listenaddr == "" {
 		return nil, nil
 	}
+
+	listenaddr := string(a.config.listenaddr)
+	u, err := url.Parse(listenaddr)
+	if err == nil {
+		switch strings.ToLower(u.Scheme) {
+		case "unix":
+			if _, err := os.Stat(u.Path); err == nil {
+				a.log.Debugln("Admin socket", u.Path, "already exists, trying to clean up")
+				if _, err := net.DialTimeout("unix", u.Path, time.Second*2); err == nil || err.(net.Error).Timeout() {
+					a.log.Errorln("Admin socket", u.Path, "already exists and is in use by another process")
+					os.Exit(1)
+				} else {
+					if err := os.Remove(u.Path); err == nil {
+						a.log.Debugln(u.Path, "was cleaned up")
+					} else {
+						a.log.Errorln(u.Path, "already exists and was not cleaned up:", err)
+						os.Exit(1)
+					}
+				}
+			}
+			a.listener, err = net.Listen("unix", u.Path)
+			if err == nil {
+				switch u.Path[:1] {
+				case "@": // maybe abstract namespace
+				default:
+					if err := os.Chmod(u.Path, 0660); err != nil {
+						a.log.Warnln("WARNING:", u.Path, "may have unsafe permissions!")
+					}
+				}
+			}
+		case "tcp":
+			a.listener, err = net.Listen("tcp", u.Host)
+		default:
+			a.listener, err = net.Listen("tcp", listenaddr)
+		}
+	} else {
+		a.listener, err = net.Listen("tcp", listenaddr)
+	}
+	if err != nil {
+		a.log.Errorf("Admin socket failed to listen: %v", err)
+		os.Exit(1)
+	}
+	a.log.Infof("%s admin socket listening on %s",
+		strings.ToUpper(a.listener.Addr().Network()),
+		a.listener.Addr().String())
+
 	_ = a.AddHandler("list", "List available commands", []string{}, func(_ json.RawMessage) (interface{}, error) {
 		res := &ListResponse{}
 		for name, handler := range a.handlers {
@@ -233,50 +279,6 @@ func (a *AdminSocket) Stop() error {
 
 // listen is run by start and manages API connections.
 func (a *AdminSocket) listen() {
-	listenaddr := string(a.config.listenaddr)
-	u, err := url.Parse(listenaddr)
-	if err == nil {
-		switch strings.ToLower(u.Scheme) {
-		case "unix":
-			if _, err := os.Stat(u.Path); err == nil {
-				a.log.Debugln("Admin socket", u.Path, "already exists, trying to clean up")
-				if _, err := net.DialTimeout("unix", u.Path, time.Second*2); err == nil || err.(net.Error).Timeout() {
-					a.log.Errorln("Admin socket", u.Path, "already exists and is in use by another process")
-					os.Exit(1)
-				} else {
-					if err := os.Remove(u.Path); err == nil {
-						a.log.Debugln(u.Path, "was cleaned up")
-					} else {
-						a.log.Errorln(u.Path, "already exists and was not cleaned up:", err)
-						os.Exit(1)
-					}
-				}
-			}
-			a.listener, err = net.Listen("unix", u.Path)
-			if err == nil {
-				switch u.Path[:1] {
-				case "@": // maybe abstract namespace
-				default:
-					if err := os.Chmod(u.Path, 0660); err != nil {
-						a.log.Warnln("WARNING:", u.Path, "may have unsafe permissions!")
-					}
-				}
-			}
-		case "tcp":
-			a.listener, err = net.Listen("tcp", u.Host)
-		default:
-			a.listener, err = net.Listen("tcp", listenaddr)
-		}
-	} else {
-		a.listener, err = net.Listen("tcp", listenaddr)
-	}
-	if err != nil {
-		a.log.Errorf("Admin socket failed to listen: %v", err)
-		os.Exit(1)
-	}
-	a.log.Infof("%s admin socket listening on %s",
-		strings.ToUpper(a.listener.Addr().Network()),
-		a.listener.Addr().String())
 	defer a.listener.Close()
 	for {
 		conn, err := a.listener.Accept()
@@ -354,13 +356,15 @@ type DataUnit uint64
 
 func (d DataUnit) String() string {
 	switch {
-	case d > 1024*1024*1024*1024:
-		return fmt.Sprintf("%2.ftb", float64(d)/1024/1024/1024/1024)
-	case d > 1024*1024*1024:
-		return fmt.Sprintf("%2.fgb", float64(d)/1024/1024/1024)
-	case d > 1024*1024:
-		return fmt.Sprintf("%2.fmb", float64(d)/1024/1024)
+	case d >= 1024*1024*1024*1024:
+		return fmt.Sprintf("%2.1fTB", float64(d)/1024/1024/1024/1024)
+	case d >= 1024*1024*1024:
+		return fmt.Sprintf("%2.1fGB", float64(d)/1024/1024/1024)
+	case d >= 1024*1024:
+		return fmt.Sprintf("%2.1fMB", float64(d)/1024/1024)
+	case d >= 100:
+		return fmt.Sprintf("%2.1fKB", float64(d)/1024)
 	default:
-		return fmt.Sprintf("%2.fkb", float64(d)/1024)
+		return fmt.Sprintf("%dB", d)
 	}
 }

src/admin/getpeers.go

@@ -28,8 +28,10 @@ type PeerEntry struct {
 	Cost          uint64        `json:"cost"`
 	RXBytes       DataUnit      `json:"bytes_recvd,omitempty"`
 	TXBytes       DataUnit      `json:"bytes_sent,omitempty"`
+	RXRate        DataUnit      `json:"rate_recvd,omitempty"`
+	TXRate        DataUnit      `json:"rate_sent,omitempty"`
 	Uptime        float64       `json:"uptime,omitempty"`
-	Latency       time.Duration `json:"latency_ms,omitempty"`
+	Latency       time.Duration `json:"latency,omitempty"`
 	LastErrorTime time.Duration `json:"last_error_time,omitempty"`
 	LastError     string        `json:"last_error,omitempty"`
 }
@@ -47,6 +49,8 @@ func (a *AdminSocket) getPeersHandler(_ *GetPeersRequest, res *GetPeersResponse)
 			URI:      p.URI,
 			RXBytes:  DataUnit(p.RXBytes),
 			TXBytes:  DataUnit(p.TXBytes),
+			RXRate:   DataUnit(p.RXRate),
+			TXRate:   DataUnit(p.TXRate),
 			Uptime:   p.Uptime.Seconds(),
 		}
 		if p.Latency > 0 {

src/config/config.go

@@ -43,25 +43,25 @@ type NodeConfig struct {
 	PrivateKey          KeyBytes                   `json:",omitempty" comment:"Your private key. DO NOT share this with anyone!"`
 	PrivateKeyPath      string                     `json:",omitempty" comment:"The path to your private key file in PEM format."`
 	Certificate         *tls.Certificate           `json:"-"`
-	Peers               []string                   `comment:"List of connection strings for outbound peer connections in URI format,\ne.g. tls://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j. These connections\nwill obey the operating system routing table, therefore you should\nuse this section when you may connect via different interfaces."`
-	InterfacePeers      map[string][]string        `comment:"List of connection strings for outbound peer connections in URI format,\narranged by source interface, e.g. { \"eth0\": [ \"tls://a.b.c.d:e\" ] }.\nNote that SOCKS peerings will NOT be affected by this option and should\ngo in the \"Peers\" section instead."`
-	Listen              []string                   `comment:"Listen addresses for incoming connections. You will need to add\nlisteners in order to accept incoming peerings from non-local nodes.\nMulticast peer discovery will work regardless of any listeners set\nhere. Each listener should be specified in URI format as above, e.g.\ntls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces."`
+	Peers               []string                   `comment:"List of outbound peer connection strings (e.g. tls://a.b.c.d:e or\nsocks://a.b.c.d:e/f.g.h.i:j). Connection strings can contain options,\nsee https://yggdrasil-network.github.io/configurationref.html#peers.\nYggdrasil has no concept of bootstrap nodes - all network traffic\nwill transit peer connections. Therefore make sure to only peer with\nnearby nodes that have good connectivity and low latency. Avoid adding\npeers to this list from distant countries as this will worsen your\nnode's connectivity and performance considerably."`
+	InterfacePeers      map[string][]string        `comment:"List of connection strings for outbound peer connections in URI format,\narranged by source interface, e.g. { \"eth0\": [ \"tls://a.b.c.d:e\" ] }.\nYou should only use this option if your machine is multi-homed and you\nwant to establish outbound peer connections on different interfaces.\nOtherwise you should use \"Peers\"."`
+	Listen              []string                   `comment:"Listen addresses for incoming connections. You will need to add\nlisteners in order to accept incoming peerings from non-local nodes.\nThis is not required if you wish to establish outbound peerings only.\nMulticast peer discovery will work regardless of any listeners set\nhere. Each listener should be specified in URI format as above, e.g.\ntls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces."`
 	AdminListen         string                     `json:",omitempty" comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
-	MulticastInterfaces []MulticastInterfaceConfig `comment:"Configuration for which interfaces multicast peer discovery should be\nenabled on. Each entry in the list should be a json object which may\ncontain Regex, Beacon, Listen, and Port. Regex is a regular expression\nwhich is matched against an interface name, and interfaces use the\nfirst configuration that they match gainst. Beacon configures whether\nor not the node should send link-local multicast beacons to advertise\ntheir presence, while listening for incoming connections on Port.\nListen controls whether or not the node listens for multicast beacons\nand opens outgoing connections."`
-	AllowedPublicKeys   []string                   `comment:"List of peer public keys to allow incoming peering connections\nfrom. If left empty/undefined then all connections will be allowed\nby default. This does not affect outgoing peerings, nor does it\naffect link-local peers discovered via multicast."`
+	MulticastInterfaces []MulticastInterfaceConfig `comment:"Configuration for which interfaces multicast peer discovery should be\nenabled on. Regex is a regular expression which is matched against an\ninterface name, and interfaces use the first configuration that they\nmatch against. Beacon controls whether or not your node advertises its\npresence to others, whereas Listen controls whether or not your node\nlistens out for and tries to connect to other advertising nodes. See\nhttps://yggdrasil-network.github.io/configurationref.html#multicastinterfaces\nfor more supported options."`
+	AllowedPublicKeys   []string                   `comment:"List of peer public keys to allow incoming peering connections\nfrom. If left empty/undefined then all connections will be allowed\nby default. This does not affect outgoing peerings, nor does it\naffect link-local peers discovered via multicast.\nWARNING: THIS IS NOT A FIREWALL and DOES NOT limit who can reach\nopen ports or services running on your machine!"`
 	IfName              string                     `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."`
 	IfMTU               uint64                     `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
 	LogLookups          bool                       `json:",omitempty"`
 	NodeInfoPrivacy     bool                       `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
-	NodeInfo            map[string]interface{}     `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
+	NodeInfo            map[string]interface{}     `comment:"Optional nodeinfo. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
 }
 
 type MulticastInterfaceConfig struct {
 	Regex    string
 	Beacon   bool
 	Listen   bool
-	Port     uint16
-	Priority uint64 // really uint8, but gobind won't export it
+	Port     uint16 `json:",omitempty"`
+	Priority uint64 `json:",omitempty"` // really uint8, but gobind won't export it
 	Password string
 }
 

src/config/defaults_darwin.go

@@ -17,6 +17,7 @@ func getDefaults() platformDefaultParameters {
 		DefaultMulticastInterfaces: []MulticastInterfaceConfig{
 			{Regex: "en.*", Beacon: true, Listen: true},
 			{Regex: "bridge.*", Beacon: true, Listen: true},
+			{Regex: "awdl0", Beacon: false, Listen: false},
 		},
 
 		// TUN

src/core/api.go

@@ -33,6 +33,8 @@ type PeerInfo struct {
 	Cost          uint64
 	RXBytes       uint64
 	TXBytes       uint64
+	RXRate        uint64
+	TXRate        uint64
 	Uptime        time.Duration
 	Latency       time.Duration
 }
@@ -87,6 +89,8 @@ func (c *Core) GetPeers() []PeerInfo {
 				peerinfo.Inbound = state.linkType == linkTypeIncoming
 				peerinfo.RXBytes = atomic.LoadUint64(&c.rx)
 				peerinfo.TXBytes = atomic.LoadUint64(&c.tx)
+				peerinfo.RXRate = atomic.LoadUint64(&c.rxrate)
+				peerinfo.TXRate = atomic.LoadUint64(&c.txrate)
 				peerinfo.Uptime = time.Since(c.up)
 			}
 			if p, ok := conns[conn]; ok {

src/core/core.go

@@ -40,6 +40,7 @@ type Core struct {
 		tls *tls.Config // immutable after startup
 		//_peers             map[Peer]*linkInfo         // configurable after startup
 		_listeners         map[ListenAddress]struct{} // configurable after startup
+		peerFilter         func(ip net.IP) bool       // immutable after startup
 		nodeinfo           NodeInfo                   // immutable after startup
 		nodeinfoPrivacy    NodeInfoPrivacy            // immutable after startup
 		_allowedPublicKeys map[[32]byte]struct{}      // configurable after startup

src/core/link.go

@@ -99,13 +99,40 @@ func (l *links) init(c *Core) error {
 	l._links = make(map[linkInfo]*link)
 	l._listeners = make(map[*Listener]context.CancelFunc)
 
+	l.Act(nil, l._updateAverages)
 	return nil
 }
 
+func (l *links) _updateAverages() {
+	select {
+	case <-l.core.ctx.Done():
+		return
+	default:
+	}
+
+	for _, l := range l._links {
+		if l._conn == nil {
+			continue
+		}
+		rx := atomic.LoadUint64(&l._conn.rx)
+		tx := atomic.LoadUint64(&l._conn.tx)
+		lastrx := atomic.LoadUint64(&l._conn.lastrx)
+		lasttx := atomic.LoadUint64(&l._conn.lasttx)
+		atomic.StoreUint64(&l._conn.rxrate, rx-lastrx)
+		atomic.StoreUint64(&l._conn.txrate, tx-lasttx)
+		atomic.StoreUint64(&l._conn.lastrx, rx)
+		atomic.StoreUint64(&l._conn.lasttx, tx)
+	}
+
+	time.AfterFunc(time.Second, func() {
+		l.Act(nil, l._updateAverages)
+	})
+}
+
 func (l *links) shutdown() {
 	phony.Block(l, func() {
-		for listener := range l._listeners {
-			_ = listener.listener.Close()
+		for _, cancel := range l._listeners {
+			cancel()
 		}
 		for _, link := range l._links {
 			if link._conn != nil {
@@ -126,6 +153,8 @@ const ErrLinkPinnedKeyInvalid = linkError("pinned public key is invalid")
 const ErrLinkPasswordInvalid = linkError("invalid password supplied")
 const ErrLinkUnrecognisedSchema = linkError("link schema unknown")
 const ErrLinkMaxBackoffInvalid = linkError("max backoff duration invalid")
+const ErrLinkSNINotSupported = linkError("SNI not supported on this link type")
+const ErrLinkNoSuitableIPs = linkError("peer has no suitable addresses")
 
 func (l *links) add(u *url.URL, sintf string, linkType linkType) error {
 	var retErr error
@@ -336,8 +365,12 @@ func (l *links) add(u *url.URL, sintf string, linkType linkType) error {
 
 				// Give the connection to the handler. The handler will block
 				// for the lifetime of the connection.
-				if err = l.handler(linkType, options, lc, resetBackoff, false); err != nil && err != io.EOF {
-					l.core.log.Debugf("Link %s error: %s\n", info.uri, err)
+				switch err = l.handler(linkType, options, lc, resetBackoff, false); {
+				case err == nil:
+				case errors.Is(err, io.EOF):
+				case errors.Is(err, net.ErrClosed):
+				default:
+					l.core.log.Debugf("Link %s error: %s\n", u.Host, err)
 				}
 
 				// The handler has stopped running so the connection is dead,
@@ -396,7 +429,7 @@ func (l *links) remove(u *url.URL, sintf string, _ linkType) error {
 }
 
 func (l *links) listen(u *url.URL, sintf string, local bool) (*Listener, error) {
-	ctx, cancel := context.WithCancel(l.core.ctx)
+	ctx, ctxcancel := context.WithCancel(l.core.ctx)
 	var protocol linkProtocol
 	switch strings.ToLower(u.Scheme) {
 	case "tcp":
@@ -412,21 +445,25 @@ func (l *links) listen(u *url.URL, sintf string, local bool) (*Listener, error)
 	case "wss":
 		protocol = l.wss
 	default:
-		cancel()
+		ctxcancel()
 		return nil, ErrLinkUnrecognisedSchema
 	}
 	listener, err := protocol.listen(ctx, u, sintf)
 	if err != nil {
-		cancel()
+		ctxcancel()
 		return nil, err
 	}
+	addr := listener.Addr()
+	cancel := func() {
+		ctxcancel()
+		if err := listener.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
+			l.core.log.Warnf("Error closing %s listener %s: %s", strings.ToUpper(u.Scheme), addr, err)
+		}
+	}
 	li := &Listener{
 		listener: listener,
 		ctx:      ctx,
-		Cancel: func() {
-			cancel()
-			_ = listener.Close()
-		},
+		Cancel:   cancel,
 	}
 
 	var options linkOptions
@@ -449,10 +486,11 @@ func (l *links) listen(u *url.URL, sintf string, local bool) (*Listener, error)
 	})
 
 	go func() {
-		l.core.log.Infof("%s listener started on %s", strings.ToUpper(u.Scheme), li.listener.Addr())
-		defer l.core.log.Infof("%s listener stopped on %s", strings.ToUpper(u.Scheme), li.listener.Addr())
+		l.core.log.Infof("%s listener started on %s", strings.ToUpper(u.Scheme), addr)
 		defer phony.Block(l, func() {
+			cancel()
 			delete(l._listeners, li)
+			l.core.log.Infof("%s listener stopped on %s", strings.ToUpper(u.Scheme), addr)
 		})
 		for {
 			conn, err := li.listener.Accept()
@@ -652,6 +690,52 @@ func (l *links) handler(linkType linkType, options linkOptions, conn net.Conn, s
 	return err
 }
 
+func (l *links) findSuitableIP(url *url.URL, fn func(hostname string, ip net.IP, port int) (net.Conn, error)) (net.Conn, error) {
+	host, p, err := net.SplitHostPort(url.Host)
+	if err != nil {
+		return nil, err
+	}
+	port, err := strconv.Atoi(p)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := net.LookupIP(host)
+	if err != nil {
+		return nil, err
+	}
+	var _ips [64]net.IP
+	ips := _ips[:0]
+	for _, ip := range resp {
+		switch {
+		case ip.IsUnspecified():
+			continue
+		case ip.IsMulticast():
+			continue
+		case ip.IsLinkLocalMulticast():
+			continue
+		case ip.IsInterfaceLocalMulticast():
+			continue
+		case l.core.config.peerFilter != nil && !l.core.config.peerFilter(ip):
+			continue
+		}
+		ips = append(ips, ip)
+	}
+	if len(ips) == 0 {
+		return nil, ErrLinkNoSuitableIPs
+	}
+	for _, ip := range ips {
+		var conn net.Conn
+		if conn, err = fn(host, ip, port); err != nil {
+			url := *url
+			url.RawQuery = ""
+			l.core.log.Debugln("Dialling", url.Redacted(), "reported error:", err)
+			continue
+		}
+		return conn, nil
+	}
+	return nil, err
+}
+
 func urlForLinkInfo(u url.URL) url.URL {
 	u.RawQuery = ""
 	return u
@@ -660,9 +744,13 @@ func urlForLinkInfo(u url.URL) url.URL {
 type linkConn struct {
 	// tx and rx are at the beginning of the struct to ensure 64-bit alignment
 	// on 32-bit platforms, see https://pkg.go.dev/sync/atomic#pkg-note-BUG
-	rx uint64
-	tx uint64
-	up time.Time
+	rx     uint64
+	tx     uint64
+	rxrate uint64
+	txrate uint64
+	lastrx uint64
+	lasttx uint64
+	up     time.Time
 	net.Conn
 }
 

src/core/link_quic.go

@@ -51,18 +51,25 @@ func (l *links) newLinkQUIC() *linkQUIC {
 }
 
 func (l *linkQUIC) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
-	qc, err := quic.DialAddr(ctx, url.Host, l.tlsconfig, l.quicconfig)
-	if err != nil {
-		return nil, err
-	}
-	qs, err := qc.OpenStreamSync(ctx)
-	if err != nil {
-		return nil, err
-	}
-	return &linkQUICStream{
-		Connection: qc,
-		Stream:     qs,
-	}, nil
+	tlsconfig := l.tlsconfig.Clone()
+	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
+		tlsconfig.ServerName = hostname
+		tlsconfig.MinVersion = tls.VersionTLS12
+		tlsconfig.MaxVersion = tls.VersionTLS13
+		hostport := net.JoinHostPort(ip.String(), fmt.Sprintf("%d", port))
+		qc, err := quic.DialAddr(ctx, hostport, l.tlsconfig, l.quicconfig)
+		if err != nil {
+			return nil, err
+		}
+		qs, err := qc.OpenStreamSync(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return &linkQUICStream{
+			Connection: qc,
+			Stream:     qs,
+		}, nil
+	})
 }
 
 func (l *linkQUIC) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {

src/core/link_socks.go

@@ -30,21 +30,36 @@ func (l *linkSOCKS) dial(_ context.Context, url *url.URL, info linkInfo, options
 		}
 		proxyAuth.Password, _ = url.User.Password()
 	}
-	dialer, err := proxy.SOCKS5("tcp", url.Host, proxyAuth, proxy.Direct)
-	if err != nil {
-		return nil, fmt.Errorf("failed to configure proxy")
-	}
-	pathtokens := strings.Split(strings.Trim(url.Path, "/"), "/")
-	conn, err := dialer.Dial("tcp", pathtokens[0])
-	if err != nil {
-		return nil, fmt.Errorf("failed to dial: %w", err)
-	}
-	if url.Scheme == "sockstls" {
-		tlsconfig := l.tls.config.Clone()
-		tlsconfig.ServerName = options.tlsSNI
-		conn = tls.Client(conn, tlsconfig)
-	}
-	return conn, nil
+	tlsconfig := l.tls.config.Clone()
+	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
+		hostport := net.JoinHostPort(ip.String(), fmt.Sprintf("%d", port))
+		dialer, err := l.tcp.dialerFor(&net.TCPAddr{
+			IP:   ip,
+			Port: port,
+		}, info.sintf)
+		if err != nil {
+			return nil, err
+		}
+		proxy, err := proxy.SOCKS5("tcp", hostport, proxyAuth, dialer)
+		if err != nil {
+			return nil, err
+		}
+		pathtokens := strings.Split(strings.Trim(url.Path, "/"), "/")
+		conn, err := proxy.Dial("tcp", pathtokens[0])
+		if err != nil {
+			return nil, err
+		}
+		if url.Scheme == "sockstls" {
+			tlsconfig.ServerName = hostname
+			tlsconfig.MinVersion = tls.VersionTLS12
+			tlsconfig.MaxVersion = tls.VersionTLS13
+			if sni := options.tlsSNI; sni != "" {
+				tlsconfig.ServerName = sni
+			}
+			conn = tls.Client(conn, tlsconfig)
+		}
+		return conn, nil
+	})
 }
 
 func (l *linkSOCKS) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {

src/core/link_tcp.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net"
 	"net/url"
-	"strconv"
 	"time"
 
 	"github.com/Arceliar/phony"
@@ -28,62 +27,18 @@ func (l *links) newLinkTCP() *linkTCP {
 	return lt
 }
 
-type tcpDialer struct {
-	info   linkInfo
-	dialer *net.Dialer
-	addr   *net.TCPAddr
-}
-
-func (l *linkTCP) dialersFor(url *url.URL, info linkInfo) ([]*tcpDialer, error) {
-	host, p, err := net.SplitHostPort(url.Host)
-	if err != nil {
-		return nil, err
-	}
-	port, err := strconv.Atoi(p)
-	if err != nil {
-		return nil, err
-	}
-	ips, err := net.LookupIP(host)
-	if err != nil {
-		return nil, err
-	}
-	dialers := make([]*tcpDialer, 0, len(ips))
-	for _, ip := range ips {
+func (l *linkTCP) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
+	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
 		addr := &net.TCPAddr{
 			IP:   ip,
 			Port: port,
 		}
-		dialer, err := l.dialerFor(addr, info.sintf)
+		dialer, err := l.tcp.dialerFor(addr, info.sintf)
 		if err != nil {
-			continue
+			return nil, err
 		}
-		dialers = append(dialers, &tcpDialer{
-			info:   info,
-			dialer: dialer,
-			addr:   addr,
-		})
-	}
-	return dialers, nil
-}
-
-func (l *linkTCP) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
-	dialers, err := l.dialersFor(url, info)
-	if err != nil {
-		return nil, err
-	}
-	if len(dialers) == 0 {
-		return nil, nil
-	}
-	for _, d := range dialers {
-		var conn net.Conn
-		conn, err = d.dialer.DialContext(ctx, "tcp", d.addr.String())
-		if err != nil {
-			l.core.log.Warnf("Failed to connect to %s: %s", d.addr, err)
-			continue
-		}
-		return conn, nil
-	}
-	return nil, err
+		return dialer.DialContext(ctx, "tcp", addr.String())
+	})
 }
 
 func (l *linkTCP) listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error) {

src/core/link_tls.go

@@ -32,28 +32,28 @@ func (l *links) newLinkTLS(tcp *linkTCP) *linkTLS {
 }
 
 func (l *linkTLS) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
-	dialers, err := l.tcp.dialersFor(url, info)
-	if err != nil {
-		return nil, err
-	}
-	if len(dialers) == 0 {
-		return nil, nil
-	}
-	for _, d := range dialers {
-		tlsconfig := l.config.Clone()
-		tlsconfig.ServerName = options.tlsSNI
+	tlsconfig := l.config.Clone()
+	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
+		tlsconfig.ServerName = hostname
+		tlsconfig.MinVersion = tls.VersionTLS12
+		tlsconfig.MaxVersion = tls.VersionTLS13
+		if sni := options.tlsSNI; sni != "" {
+			tlsconfig.ServerName = sni
+		}
+		addr := &net.TCPAddr{
+			IP:   ip,
+			Port: port,
+		}
+		dialer, err := l.tcp.dialerFor(addr, info.sintf)
+		if err != nil {
+			return nil, err
+		}
 		tlsdialer := &tls.Dialer{
-			NetDialer: d.dialer,
+			NetDialer: dialer,
 			Config:    tlsconfig,
 		}
-		var conn net.Conn
-		conn, err = tlsdialer.DialContext(ctx, "tcp", d.addr.String())
-		if err != nil {
-			continue
-		}
-		return conn, nil
-	}
-	return nil, err
+		return tlsdialer.DialContext(ctx, "tcp", addr.String())
+	})
 }
 
 func (l *linkTLS) listen(ctx context.Context, url *url.URL, sintf string) (net.Listener, error) {

src/core/link_ws.go

@@ -2,6 +2,7 @@ package core
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"net/http"
 	"net/url"
@@ -87,15 +88,35 @@ func (l *links) newLinkWS() *linkWS {
 }
 
 func (l *linkWS) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
-	wsconn, _, err := websocket.Dial(ctx, url.String(), &websocket.DialOptions{
-		Subprotocols: []string{"ygg-ws"},
+	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
+		u := *url
+		u.Host = net.JoinHostPort(ip.String(), fmt.Sprintf("%d", port))
+		addr := &net.TCPAddr{
+			IP:   ip,
+			Port: port,
+		}
+		dialer, err := l.tcp.dialerFor(addr, info.sintf)
+		if err != nil {
+			return nil, err
+		}
+		wsconn, _, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
+			HTTPClient: &http.Client{
+				Transport: &http.Transport{
+					Proxy:       http.ProxyFromEnvironment,
+					Dial:        dialer.Dial,
+					DialContext: dialer.DialContext,
+				},
+			},
+			Subprotocols: []string{"ygg-ws"},
+			Host:         hostname,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return &linkWSConn{
+			Conn: websocket.NetConn(ctx, wsconn, websocket.MessageBinary),
+		}, nil
 	})
-	if err != nil {
-		return nil, err
-	}
-	return &linkWSConn{
-		Conn: websocket.NetConn(ctx, wsconn, websocket.MessageBinary),
-	}, nil
 }
 
 func (l *linkWS) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {

src/core/link_wss.go

@@ -2,8 +2,10 @@ package core
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"
+	"net/http"
 	"net/url"
 
 	"github.com/Arceliar/phony"
@@ -13,6 +15,7 @@ import (
 type linkWSS struct {
 	phony.Inbox
 	*links
+	tlsconfig *tls.Config
 }
 
 type linkWSSConn struct {
@@ -21,21 +24,47 @@ type linkWSSConn struct {
 
 func (l *links) newLinkWSS() *linkWSS {
 	lwss := &linkWSS{
-		links: l,
+		links:     l,
+		tlsconfig: l.core.config.tls.Clone(),
 	}
 	return lwss
 }
 
 func (l *linkWSS) dial(ctx context.Context, url *url.URL, info linkInfo, options linkOptions) (net.Conn, error) {
-	wsconn, _, err := websocket.Dial(ctx, url.String(), &websocket.DialOptions{
-		Subprotocols: []string{"ygg-ws"},
+	tlsconfig := l.tlsconfig.Clone()
+	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
+		tlsconfig.ServerName = hostname
+		tlsconfig.MinVersion = tls.VersionTLS12
+		tlsconfig.MaxVersion = tls.VersionTLS13
+		u := *url
+		u.Host = net.JoinHostPort(ip.String(), fmt.Sprintf("%d", port))
+		addr := &net.TCPAddr{
+			IP:   ip,
+			Port: port,
+		}
+		dialer, err := l.tcp.dialerFor(addr, info.sintf)
+		if err != nil {
+			return nil, err
+		}
+		wsconn, _, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
+			HTTPClient: &http.Client{
+				Transport: &http.Transport{
+					Proxy:           http.ProxyFromEnvironment,
+					Dial:            dialer.Dial,
+					DialContext:     dialer.DialContext,
+					TLSClientConfig: tlsconfig,
+				},
+			},
+			Subprotocols: []string{"ygg-ws"},
+			Host:         hostname,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return &linkWSSConn{
+			Conn: websocket.NetConn(ctx, wsconn, websocket.MessageBinary),
+		}, nil
 	})
-	if err != nil {
-		return nil, err
-	}
-	return &linkWSSConn{
-		Conn: websocket.NetConn(ctx, wsconn, websocket.MessageBinary),
-	}, nil
 }
 
 func (l *linkWSS) listen(ctx context.Context, url *url.URL, _ string) (net.Listener, error) {

src/core/options.go

@@ -3,6 +3,7 @@ package core
 import (
 	"crypto/ed25519"
 	"fmt"
+	"net"
 	"net/url"
 )
 
@@ -24,6 +25,8 @@ func (c *Core) _applyOption(opt SetupOption) (err error) {
 		}
 	case ListenAddress:
 		c.config._listeners[v] = struct{}{}
+	case PeerFilter:
+		c.config.peerFilter = v
 	case NodeInfo:
 		c.config.nodeinfo = v
 	case NodeInfoPrivacy:
@@ -48,9 +51,11 @@ type Peer struct {
 type NodeInfo map[string]interface{}
 type NodeInfoPrivacy bool
 type AllowedPublicKey ed25519.PublicKey
+type PeerFilter func(net.IP) bool
 
 func (a ListenAddress) isSetupOption()    {}
 func (a Peer) isSetupOption()             {}
 func (a NodeInfo) isSetupOption()         {}
 func (a NodeInfoPrivacy) isSetupOption()  {}
 func (a AllowedPublicKey) isSetupOption() {}
+func (a PeerFilter) isSetupOption()       {}

src/multicast/admin.go

@@ -2,20 +2,47 @@ package multicast
 
 import (
 	"encoding/json"
+	"slices"
+	"strings"
 
+	"github.com/Arceliar/phony"
 	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
 )
 
 type GetMulticastInterfacesRequest struct{}
 type GetMulticastInterfacesResponse struct {
-	Interfaces []string `json:"multicast_interfaces"`
+	Interfaces []MulticastInterfaceState `json:"multicast_interfaces"`
+}
+
+type MulticastInterfaceState struct {
+	Name     string `json:"name"`
+	Address  string `json:"address"`
+	Beacon   bool   `json:"beacon"`
+	Listen   bool   `json:"listen"`
+	Password bool   `json:"password"`
 }
 
 func (m *Multicast) getMulticastInterfacesHandler(_ *GetMulticastInterfacesRequest, res *GetMulticastInterfacesResponse) error {
-	res.Interfaces = []string{}
-	for _, v := range m.Interfaces() {
-		res.Interfaces = append(res.Interfaces, v.Name)
-	}
+	res.Interfaces = []MulticastInterfaceState{}
+	phony.Block(m, func() {
+		for name, intf := range m._interfaces {
+			is := MulticastInterfaceState{
+				Name:     intf.iface.Name,
+				Beacon:   intf.beacon,
+				Listen:   intf.listen,
+				Password: len(intf.password) > 0,
+			}
+			if li := m._listeners[name]; li != nil && li.listener != nil {
+				is.Address = li.listener.Addr().String()
+			} else {
+				is.Address = "-"
+			}
+			res.Interfaces = append(res.Interfaces, is)
+		}
+	})
+	slices.SortStableFunc(res.Interfaces, func(a, b MulticastInterfaceState) int {
+		return strings.Compare(a.Name, b.Name)
+	})
 	return nil
 }
 

src/multicast/multicast.go

@@ -156,7 +156,13 @@ func (m *Multicast) _updateInterfaces() {
 			delete(interfaces, name)
 			continue
 		}
-		info.addrs = addrs
+		for _, addr := range addrs {
+			addrIP, _, err := net.ParseCIDR(addr.String())
+			if err != nil || addrIP.To4() != nil || !addrIP.IsLinkLocalUnicast() {
+				continue
+			}
+			info.addrs = append(info.addrs, addr)
+		}
 		interfaces[name] = info
 		m.log.Debugf("Discovered addresses for interface %s: %s", name, addrs)
 	}
@@ -299,13 +305,9 @@ func (m *Multicast) _announce() {
 	for _, info := range m._interfaces {
 		iface := info.iface
 		for _, addr := range info.addrs {
-			addrIP, _, _ := net.ParseCIDR(addr.String())
-			// Ignore IPv4 addresses
-			if addrIP.To4() != nil {
-				continue
-			}
-			// Ignore non-link-local addresses
-			if !addrIP.IsLinkLocalUnicast() {
+			addrIP, _, err := net.ParseCIDR(addr.String())
+			// Ignore IPv4 addresses or non-link-local addresses
+			if err != nil || addrIP.To4() != nil || !addrIP.IsLinkLocalUnicast() {
 				continue
 			}
 			if info.listen {

src/tun/tun.go

@@ -125,6 +125,7 @@ func (tun *TunAdapter) _start() error {
 	if tun.config.name == "none" || tun.config.name == "dummy" {
 		tun.log.Debugln("Not starting TUN as ifname is none or dummy")
 		tun.isEnabled = false
+		go tun.queue()
 		go tun.write()
 		return nil
 	}