merge main

changelog.d/+http-filter-docs.changed.md

@@ -0,0 +1 @@
+Extended docs for HTTP filter in the mirrord config.

changelog.d/2843.internal.md

@@ -0,0 +1 @@
+Added lint for unused crate dependencies.

changelog.d/2986.changed.md

@@ -0,0 +1 @@
+Changed log level for debugger ports detection.

medschool/src/main.rs

@@ -14,6 +14,7 @@
 #![feature(iterator_try_collect)]
 #![deny(clippy::missing_docs_in_private_items)]
 #![deny(missing_docs)]
+#![deny(unused_crate_dependencies)]
 
 use std::{fs, fs::File, io::Read, path::PathBuf};
 

mirrord-schema.json

@@ -1090,12 +1090,12 @@
       ]
     },
     "HttpFilterFileConfig": {
-      "description": "Filter configuration for the HTTP traffic stealer feature.\n\nAllows the user to set a filter (regex) for the HTTP headers, so that the stealer traffic feature only captures HTTP requests that match the specified filter, forwarding unmatched requests to their original destinations.\n\nOnly does something when [`feature.network.incoming.mode`](#feature-network-incoming-mode) is set as `\"steal\"`, ignored otherwise.\n\nFor example, to filter based on header: ```json { \"header_filter\": \"host: api\\\\..+\" } ``` Setting that filter will make mirrord only steal requests with the `host` header set to hosts that start with \"api\", followed by a dot, and then at least one more character.\n\nFor example, to filter based on path: ```json { \"path_filter\": \"^/api/\" } ``` Setting this filter will make mirrord only steal requests to URIs starting with \"/api/\".\n\nThis can be useful for filtering out Kubernetes liveness, readiness and startup probes. For example, for avoiding stealing any probe sent by kubernetes, you can set this filter: ```json { \"header_filter\": \"^User-Agent: (?!kube-probe)\" } ``` Setting this filter will make mirrord only steal requests that **do** have a user agent that **does not** begin with \"kube-probe\".\n\nSimilarly, you can exclude certain paths using a negative look-ahead: ```json { \"path_filter\": \"^(?!/health/)\" } ``` Setting this filter will make mirrord only steal requests to URIs that do not start with \"/health/\".",
+      "description": "Filter configuration for the HTTP traffic stealer feature.\n\nAllows the user to set a filter (regex) for the HTTP headers, so that the stealer traffic feature only captures HTTP requests that match the specified filter, forwarding unmatched requests to their original destinations.\n\nOnly does something when [`feature.network.incoming.mode`](#feature-network-incoming-mode) is set as `\"steal\"`, ignored otherwise.\n\nFor example, to filter based on header: ```json { \"header_filter\": \"host: api\\\\..+\" } ``` Setting that filter will make mirrord only steal requests with the `host` header set to hosts that start with \"api\", followed by a dot, and then at least one more character.\n\nFor example, to filter based on path: ```json { \"path_filter\": \"^/api/\" } ``` Setting this filter will make mirrord only steal requests to URIs starting with \"/api/\".\n\nThis can be useful for filtering out Kubernetes liveness, readiness and startup probes. For example, for avoiding stealing any probe sent by kubernetes, you can set this filter: ```json { \"header_filter\": \"^User-Agent: (?!kube-probe)\" } ``` Setting this filter will make mirrord only steal requests that **do** have a user agent that **does not** begin with \"kube-probe\".\n\nSimilarly, you can exclude certain paths using a negative look-ahead: ```json { \"path_filter\": \"^(?!/health/)\" } ``` Setting this filter will make mirrord only steal requests to URIs that do not start with \"/health/\".\n\nWith `all_of` and `any_of`, you can use multiple HTTP filters at the same time.\n\nIf you want to steal HTTP requests that match **every** pattern specified, use `all_of`. For example, this filter steals only HTTP requests to endpoint `/api/my-endpoint` that contain header `x-debug-session` with value `121212`. ```json { \"all_of\": [ { \"header\": \"^x-debug-session: 121212$\" }, { \"path\": \"^/api/my-endpoint$\" } ] }\n\nIf you want to steal HTTP requests that match **any** of the patterns specified, use `any_of`. For example, this filter steals HTTP requests to endpoint `/api/my-endpoint` **and** HTTP requests that contain header `x-debug-session` with value `121212`. ```json { \"any_of\": [ { \"path\": \"^/api/my-endpoint$\"}, { \"header\": \"^x-debug-session: 121212$\" } ] }",
       "type": "object",
       "properties": {
         "all_of": {
           "title": "feature.network.incoming.http_filter.all_of {#feature-network-incoming-http_filter-all_of}",
-          "description": "Messages must match all of the specified filters. Cannot be an empty list.",
+          "description": "An array of HTTP filters.\n\nEach inner filter specifies either header or path regex. Requests must match all of the filters to be stolen.\n\nCannot be an empty list.\n\nExample: ```json { \"all_of\": [ { \"header\": \"x-user: my-user$\" }, { \"path\": \"^/api/v1/my-endpoint\" } ] } ```",
           "type": [
             "array",
             "null"
@@ -1106,7 +1106,7 @@
         },
         "any_of": {
           "title": "feature.network.incoming.http_filter.any_of {#feature-network-incoming-http_filter-any_of}",
-          "description": "Messages must match any of the specified filters. Cannot be an empty list.",
+          "description": "An array of HTTP filters.\n\nEach inner filter specifies either header or path regex. Requests must match at least one of the filters to be stolen.\n\nCannot be an empty list.\n\nExample: ```json { \"any_of\": [ { \"header\": \"^x-user: my-user$\" }, { \"path\": \"^/api/v1/my-endpoint\" } ] } ```",
           "type": [
             "array",
             "null"

mirrord/agent/Cargo.toml

@@ -18,7 +18,7 @@ workspace = true
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
-[dependencies]
+[target.'cfg(target_os = "linux")'.dependencies]
 containerd-client = "0.6"
 tokio = { workspace = true, features = [
     "rt",
@@ -49,7 +49,6 @@ streammap-ext.workspace = true
 libc.workspace = true
 faccess = "0.2"
 bytes.workspace = true
-regex.workspace = true
 wildmatch = "2"
 enum_dispatch.workspace = true
 http-body-util = { workspace = true }
@@ -72,14 +71,11 @@ envy = "0.4"
 socket2.workspace = true
 prometheus = { version = "0.13", features = ["process"] }
 axum = { version = "0.7", features = ["macros"] }
-axum-server = "0.7"
-
-[target.'cfg(target_os = "linux")'.dependencies]
 iptables = { git = "https://github.com/metalbear-co/rust-iptables.git", rev = "e66c7332e361df3c61a194f08eefe3f40763d624" }
 rawsocket = { git = "https://github.com/metalbear-co/rawsocket.git" }
 procfs = "0.17.0"
 
-[dev-dependencies]
+[target.'cfg(target_os = "linux")'.dev-dependencies]
 rstest.workspace = true
 mockall = "0.13"
 test_bin = "0.4"

mirrord/agent/src/main.rs

@@ -1,55 +1,39 @@
+#![cfg(target_os = "linux")]
 #![feature(hash_extract_if)]
 #![feature(let_chains)]
 #![feature(iterator_try_collect)]
 #![feature(try_blocks)]
-#![cfg_attr(target_os = "linux", feature(tcp_quickack))]
+#![feature(tcp_quickack)]
 #![warn(clippy::indexing_slicing)]
+#![deny(unused_crate_dependencies)]
+
+/// Silences `deny(unused_crate_dependencies)`.
+///
+/// This dependency is only used in integration tests.
+#[cfg(test)]
+use test_bin as _;
 
-#[cfg(target_os = "linux")]
 mod cli;
-#[cfg(target_os = "linux")]
 mod client_connection;
-#[cfg(target_os = "linux")]
 mod container_handle;
-#[cfg(target_os = "linux")]
 mod dns;
-#[cfg(target_os = "linux")]
 mod entrypoint;
-#[cfg(target_os = "linux")]
 mod env;
-#[cfg(target_os = "linux")]
 mod error;
-#[cfg(target_os = "linux")]
 mod file;
-#[cfg(target_os = "linux")]
 mod http;
-#[cfg(target_os = "linux")]
+mod metrics;
 mod namespace;
-#[cfg(target_os = "linux")]
 mod outgoing;
-#[cfg(target_os = "linux")]
 mod runtime;
-#[cfg(target_os = "linux")]
 mod sniffer;
-#[cfg(target_os = "linux")]
 mod steal;
-#[cfg(target_os = "linux")]
 mod util;
-#[cfg(target_os = "linux")]
 mod vpn;
-#[cfg(target_os = "linux")]
 mod watched_task;
 
-#[cfg(target_os = "linux")]
-mod metrics;
-
 #[cfg(target_os = "linux")]
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> crate::error::AgentResult<()> {
     crate::entrypoint::main().await
 }
-
-#[cfg(not(target_os = "linux"))]
-fn main() {
-    panic!("This program is only supported on Linux");
-}

mirrord/agent/src/steal/ip_tables.rs

@@ -19,36 +19,6 @@ use crate::{
     },
 };
 
-#[cfg(not(target_os = "linux"))]
-mod iptables {
-    pub struct IPTables;
-
-    impl IPTables {
-        pub fn list(&self, _: &str, _: &str) -> AgentResult<Vec<String>, String> {
-            todo!()
-        }
-        pub fn insert(&self, _: &str, _: &str, _: &str, _: i32) -> AgentResult<(), String> {
-            todo!()
-        }
-        pub fn append(&self, _: &str, _: &str, _: &str) -> AgentResult<(), String> {
-            todo!()
-        }
-        pub fn delete(&self, _: &str, _: &str, _: &str) -> AgentResult<(), String> {
-            todo!()
-        }
-
-        pub fn new_chain(&self, _: &str, _: &str) -> AgentResult<(), String> {
-            todo!()
-        }
-        pub fn delete_chain(&self, _: &str, _: &str) -> AgentResult<(), String> {
-            todo!()
-        }
-        pub fn flush_chain(&self, _: &str, _: &str) -> AgentResult<(), String> {
-            todo!()
-        }
-    }
-}
-
 pub(crate) mod chain;
 pub(crate) mod flush_connections;
 pub(crate) mod mesh;

mirrord/agent/src/steal/orig_dst.rs

@@ -5,7 +5,6 @@ use std::{io, net::SocketAddr};
 
 use tokio::net::TcpStream;
 
-#[cfg(target_os = "linux")]
 #[allow(unsafe_code)]
 #[tracing::instrument(level = "trace")]
 pub(super) fn orig_dst_addr(sock: &TcpStream) -> io::Result<SocketAddr> {
@@ -14,15 +13,6 @@ pub(super) fn orig_dst_addr(sock: &TcpStream) -> io::Result<SocketAddr> {
     unsafe { linux::so_original_dst(fd) }
 }
 
-#[cfg(not(target_os = "linux"))]
-pub(super) fn orig_dst_addr(_: &TcpStream) -> io::Result<SocketAddr> {
-    Err(io::Error::new(
-        io::ErrorKind::Other,
-        "SO_ORIGINAL_DST not supported on this operating system",
-    ))
-}
-
-#[cfg(target_os = "linux")]
 #[allow(unsafe_code)]
 mod linux {
     use std::{