astelm
/
telemt
mirror of https://github.com/telemt/telemt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
688 Commits 2 Branches 76 Tags 22 MiB
Commit Graph

252 Commits

Author SHA1 Message Date
Alexey 49f4a7bb22
ME Hardswap Generation stability 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-03-02 00:39:18 +03:00
Alexey 6f1980dfd7
ME Pool improvements 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-03-02 00:17:58 +03:00
sintanial bc432f06e2
Add per-user ad_tag with global fallback and hot-reload 
- Per-user ad_tag in [access.user_ad_tags], global fallback in general.ad_tag
- User tag overrides global; if no user tag, general.ad_tag is used
- Both general.ad_tag and user_ad_tags support hot-reload (no restart)
 2026-03-01 16:28:55 +03:00
Alexey 47b12f9489
UpstreamManager Health-check for ME Pool over SOCKS 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-03-01 04:02:32 +03:00
Alexey 44cdfd4b23
ME Pool improvements 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-03-01 03:36:00 +03:00
ivulit ed93b0a030
fix: send PROXY protocol header to mask unix socket 
When mask_unix_sock is configured, mask_proxy_protocol was silently
ignored and no PROXY protocol header was sent to the backend. Apply
the same header-building logic as the TCP path in both masking relay
and TLS fetcher (raw and rustls).
 2026-03-01 00:14:55 +03:00
ivulit e27ef04c3d
fix: pass correct dst address to outgoing PROXY protocol header 
Previously handle_bad_client used stream.local_addr() (the ephemeral
socket to the mask backend) as the dst in the outgoing PROXY protocol
header. This is wrong: the dst should be the address telemt is listening
on, or the dst from the incoming PROXY protocol header if one was present.

- handle_bad_client now receives local_addr from the caller
- handle_client_stream resolves local_addr from PROXY protocol info.dst_addr
  or falls back to a synthetic address based on config.server.port
- RunningClientHandler.do_handshake resolves local_addr from stream.local_addr()
  overridden by PROXY protocol info.dst_addr when present, and passes it
  down to handle_tls_client / handle_direct_client
- masking.rs uses the caller-supplied local_addr directly, eliminating the
  stream.local_addr() call
 2026-02-28 22:47:24 +03:00
Alexey 9afaa28add
UpstreamManager: Backoff Retries 2026-02-28 14:21:09 +03:00
Alexey 6c12af2b94
ME Connectivity: socks-url 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-28 13:38:30 +03:00
Alexey 8b39a4ef6d
Statistics on ME + Dynamic backpressure + KDF with SOCKS 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-28 13:18:31 +03:00
Alexey fa2423dadf
ME/DC Method Detection fixes 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-28 03:21:22 +03:00
Alexey a61882af6e
TLS Fetch on unix-socket 2026-02-28 02:55:21 +03:00
Alexey 6b8aa7270e
Bind_addresses prio over interfaces 2026-02-28 01:54:29 +03:00
Alexey 3d9660f83e
Upstreams for ME + Egress-data from UM + ME-over-SOCKS + Bind-aware STUN 2026-02-28 01:20:17 +03:00
Alexey ac064fe773
STUN switch + Ad-tag fixes + DNS-overrides 2026-02-27 15:59:27 +03:00
Alexey 144f81c473
ME Dead Writer w/o dead-lock on timeout 2026-02-26 19:37:17 +03:00
Alexey 04e6135935
TLS-F Fetching Optimization 2026-02-26 19:35:34 +03:00
Alexey 4eebb4feb2
ME Pool Refactoring 2026-02-26 19:01:24 +03:00
Alexey 1f255d0aa4
ME Probe + STUN Legacy 2026-02-26 18:41:11 +03:00
Alexey 9d2ff25bf5
Unified STUN + ME Primary parallelized 
- Unified STUN server source-of-truth
- parallelize per-DC primary ME init for multi-endpoint DCs
 2026-02-26 18:18:24 +03:00
Alexey 7782336264
ME Probe parallelized 2026-02-26 17:56:22 +03:00
Alexey 8ce8348cd5
Merge branch 'main' into feat/mask-proxy-protocol 2026-02-26 15:21:58 +03:00
Alexey e25b7f5ff8
STUN List 2026-02-26 15:10:21 +03:00
Alexey d7182ae817
Update defaults.rs 2026-02-26 15:07:04 +03:00
Alexey fb1f85559c
Update load.rs 2026-02-26 14:57:28 +03:00
ivulit da684b11fe
feat: add mask_proxy_protocol option for PROXY protocol to mask_host 
Adds mask_proxy_protocol config option (0 = off, 1 = v1 text, 2 = v2 binary)
that sends a PROXY protocol header when connecting to mask_host. This lets
the backend see the real client IP address.

Particularly useful when the masking site (nginx/HAProxy) runs on the same
host as telemt and listens on a local port — without this, the backend loses
the original client IP entirely.

PROXY protocol header is also sent during TLS emulation fetches so that
backends with proxy_protocol required don't reject the connection.
 2026-02-26 13:36:33 +03:00
Alexey 896e129155
Checked defaults 2026-02-26 12:48:22 +03:00
Alexey fed9346444
New config.toml + tls_emulation enabled by default 2026-02-25 17:49:54 +03:00
Alexey f40b645c05
Defaults in-place 2026-02-25 17:28:06 +03:00
Alexey 5558900c44
Update main.rs 2026-02-25 13:29:46 +03:00
D 206f87fe64 fix: remove bracket in info 2026-02-25 09:22:26 +03:00
Alexey f83e23c521
Update defaults.rs 2026-02-25 03:08:34 +03:00
Alexey 6b8619d3c9
Create beobachten.rs 2026-02-25 02:17:48 +03:00
Alexey 618b7a1837
ME Pool Beobachter 2026-02-25 02:10:14 +03:00
Alexey c6c3d71b08
ME Pool Flap-Detect in statistics 2026-02-25 01:26:01 +03:00
Alexey 7538967d3c
ME Hardswap being softer 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-24 23:36:33 +03:00
Alexey 4a95f6d195
ME Pool Health + Rotation 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-24 22:59:59 +03:00
Alexey d2f08fb707
ME Soft Reinit tuning 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-24 18:19:39 +03:00
Vladislav Yaroslavlev 09f56dede2
fix: resolve clippy warnings 
Reduce clippy warnings from54 to16 by fixing mechanical issues:

- collapsible_if: collapse nested if-let chains with let-chains
- clone_on_copy: remove unnecessary .clone() on Copy types
- manual_clamp: replace .max().min() with .clamp()
- unnecessary_cast: remove redundant type casts
- collapsible_else_if: flatten else-if chains
- contains_vs_iter_any: replace .iter().any() with .contains()
- unnecessary_closure: replace .or_else(|| x) with .or(x)
- useless_conversion: remove redundant .into() calls
- is_none_or: replace .map_or(true, ...) with .is_none_or(...)
- while_let_loop: convert loop with if-let-break to while-let

Remaining16 warnings are design-level issues (too_many_arguments,
await_holding_lock, type_complexity, new_ret_no_self) that require
architectural changes to fix.
 2026-02-24 05:57:53 +03:00
Vladislav Yaroslavlev d6214c6bbf
fix: add #[cfg(test)] to unused ProxyError import 
The ProxyError import in tls.rs is only used in test code
(validate_server_hello_structure function), so guard it with
#[cfg(test)] to eliminate the unused import warning.
 2026-02-24 04:20:30 +03:00
Vladislav Yaroslavlev 1d71b7e90c
fix: add missing imports in test code 
- Add ProxyError import and fix Result type annotation in tls.rs
- Add Arc import in stats/mod.rs test module
- Add BodyExt import in metrics.rs test module

These imports were missing causing compilation failures in
cargo test --release with 10 errors.
 2026-02-24 04:07:14 +03:00
Alexey 78c45626e1
Merge pull request #220 from vladon/fix-compiler-warnings 
fix: eliminate all compiler warnings
 2026-02-24 03:49:46 +03:00
Vladislav Yaroslavlev 68c3abee6c
fix: eliminate all compiler warnings 
- Remove unused imports across multiple modules
- Add #![allow(dead_code)] for public API items preserved for future use
- Add #![allow(deprecated)] for rand::Rng::gen_range usage
- Add #![allow(unused_assignments)] in main.rs
- Add #![allow(unreachable_code)] in network/stun.rs
- Prefix unused variables with underscore (_ip_tracker, _prefer_ipv6)
- Fix unused_must_use warning in tls_front/cache.rs

This ensures clean compilation without warnings while preserving
public API items that may be used in the future.
 2026-02-24 03:40:59 +03:00
Alexey 8b47fc3575
Update defaults.rs 2026-02-24 02:12:44 +03:00
Alexey 122e4729c5
Update defaults.rs 2026-02-24 00:17:33 +03:00
Alexey 08138451d8
Update types.rs 2026-02-24 00:15:37 +03:00
Alexey f710a2192a
Update types.rs 2026-02-24 00:08:03 +03:00
Alexey 0e2d42624f
ME Pool Hardswap 2026-02-24 00:04:12 +03:00
Alexey 5a0e44e311
Merge pull request #215 from vladon/improve-cli-help 
Improve CLI help text with comprehensive options
 2026-02-23 18:47:04 +03:00
Vladislav Yaroslavlev 872b47067a
Improve CLI help text with comprehensive options 
- Add version number to help header
- Restructure help into USAGE, ARGS, OPTIONS, INIT OPTIONS, EXAMPLES sections
- Include all command-line options with descriptions
- Add usage examples for common scenarios
 2026-02-23 17:22:56 +03:00
Alexey 75bfbe6e95
Update defaults.rs 2026-02-23 16:10:39 +03:00
Alexey fc2ac3d10f
ME Pool Reinit polishing 2026-02-23 16:09:09 +03:00
Alexey d8dcbbb61e
ME Pool Updater + Soft-staged Reinit w/o Reconcile 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-23 16:04:19 +03:00
Alexey d08ddd718a
Desync Full Forensics 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-23 15:28:02 +03:00
Alexey 4011812fda
TLS FC TTL Improvements 2026-02-23 05:48:55 +03:00
Alexey b5d0564f2a
Time-To-Life for TLS Full Certificate 2026-02-23 05:47:44 +03:00
Alexey cfe8fc72a5
TLS-F tuning 
Once - full certificate chain, next - only metadata
 2026-02-23 05:42:07 +03:00
Alexey 3e4b98b002
TLS Emulator tuning 2026-02-23 05:23:28 +03:00
Alexey 427d65627c
Drafting new TLS Fetcher 2026-02-23 05:16:00 +03:00
Alexey ae8124d6c6
Drafting TLS Certificates in TLS ServerHello 2026-02-23 05:12:35 +03:00
Alexey eaba926fe5
ME Buffer reuse + Bytes Len over Full + Seq-no over Wrap-add 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-23 03:52:37 +03:00
Alexey ecad96374a
ME Pool tuning 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-23 03:41:51 +03:00
Alexey 4895217828
Bounded backpressure + Semaphore Globalgate + 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-23 03:32:06 +03:00
Alexey 4d83cc1f04
Merge branch 'flow' of https://github.com/telemt/telemt into flow 2026-02-23 03:20:28 +03:00
Alexey c4c91863f0
Middle-End tuning 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-23 03:20:13 +03:00
Alexey a5c7a41c49
Update types.rs 2026-02-23 02:48:03 +03:00
Alexey 7cc78a5746
Update types.rs 2026-02-23 02:45:16 +03:00
Alexey d4d867156a
Secure Payload length fixes 2026-02-23 02:38:25 +03:00
Alexey 6ff29e43d3
Middle-End protocol hardening 
- Secure framing / hot-path fix: enforced a single length + padding contract across the framing layer. Replaced legacy runtime `len % 4` recovery with strict validation to eliminate undefined behavior paths.

- ME RPC aligned with C reference contract: handshake now includes `flags + sender_pid + peer_pid`. Added negotiated CRC mode (CRC32 / CRC32C) and applied the negotiated mode consistently in read/write paths.

- Sequence fail-fast semantics: immediate connection termination on first sequence mismatch with dedicated counter increment.

- Keepalive reworked to RPC ping/pong: removed raw CBC keepalive frames. Introduced stale ping tracker with proper timeout accounting.

- Route/backpressure observability improvements: increased per-connection route queue to 4096. Added `RouteResult` with explicit failure reasons (NoConn, ChannelClosed, QueueFull) and per-reason counters.

- Direct-DC secure mode-gate relaxation: removed TLS/secure conflict in Direct-DC handshake path.
 2026-02-23 02:28:00 +03:00
Alexey 69be44b2b6
Merge pull request #206 from telemt/flow 
Flush on Response + Hotpath tunings + Reuseport Checker
 2026-02-23 01:03:15 +03:00
Alexey 07ca94ce57
Reuseport Checker 2026-02-23 00:55:47 +03:00
Alexey d050c4794a
Hotpath tunings 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-23 00:50:10 +03:00
Alexey 197f9867e0
Flush-response experiments 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-22 23:53:10 +03:00
Dimasssss b2aaf404e1
Add files via upload 2026-02-22 01:19:26 +03:00
Alexey 3ab56f55e9
ME Connection error handling 2026-02-21 16:28:47 +03:00
Alexey 06d2cdef78
ME Connection lost fixes 2026-02-21 16:12:19 +03:00
Alexey eaff96b8c1
Merge pull request #198 from telemt/flow 
Peer - Connection closed fixes
 2026-02-21 14:09:05 +03:00
Alexey c3ebb42120
Peer - Connection closed fixes 2026-02-21 13:56:24 +03:00
ivulit 6ce25c6600
Use mask_host for TLS emulation fetcher 2026-02-21 10:40:59 +03:00
Alexey 2dcbdbe302
Merge pull request #194 from telemt/flow 
ME Frame too large Fixes
 2026-02-21 05:04:42 +03:00
Alexey 1bd495a224
Fixed tests 2026-02-21 04:04:49 +03:00
Alexey b0e6c04c54
Merge pull request #193 from artemws/main 
Fix config reload for Docker
 2026-02-21 03:37:48 +03:00
Alexey 83fc9d6db3
Middle-End Fixes 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-21 03:36:13 +03:00
Alexey c9a043d8d5
ME Frame too large Fixes 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-21 02:15:10 +03:00
artemws a74bdf8aea
Update hot_reload.rs 2026-02-20 23:03:26 +02:00
Vladislav Yaroslavlev 100cb92ad1
feat: add hostname support for SOCKS4/SOCKS5 upstream proxies 
Previously, SOCKS proxy addresses only accepted IP:port format.
Now both IP:port and hostname:port formats are supported.

Changes:
- Try parsing as SocketAddr first (IP:port) for backward compatibility
- Fall back to tokio::net::TcpStream::connect() for hostname resolution
- Log warning if interface binding is specified with hostname (not supported)

Example usage:
[[upstreams]]
type = "socks5"
address = "proxy.example.com:1080"
username = "user"
password = "pass"
 2026-02-20 21:42:15 +03:00
Alexey 1fd78e012d
Metrics + Fixes in tests 2026-02-20 18:02:02 +03:00
Alexey 7304dacd60
Update main.rs 2026-02-20 17:42:20 +03:00
Alexey eb3245b78f
Merge branch 'main-stage' into flow 2026-02-20 17:19:23 +03:00
Alexey a303fee65f
ALPN Extract tests 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-20 17:12:16 +03:00
artemws 8892860490
Change whitelist to use IpNetwork for IP filtering 2026-02-20 16:04:21 +02:00
artemws 0d2958fea7
Change metrics whitelist to use IpNetwork 2026-02-20 16:03:57 +02:00
artemws dbd9b53940
Change metrics_whitelist type from Vec<IpAddr> to Vec<IpNetwork> 2026-02-20 16:03:38 +02:00
Alexey 471c680def
TLS Improvements 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-20 17:02:17 +03:00
Alexey 781947a08a
TlsFrontCache + X509 Parser + GREASE Tolerance 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-20 16:56:33 +03:00
Alexey e8454ea370
HAProxy PROXY Protocol Fixes 
Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
 2026-02-20 16:42:40 +03:00
artemws ea88a40c8f
Add config path canonicalization 
Canonicalize the config path to match notify events.
 2026-02-20 15:37:44 +02:00
Alexey 2ea4c83d9d
Normalize IP + Masking + TLS 2026-02-20 16:32:14 +03:00
artemws 953fab68c4
Refactor hot-reload mechanism to use notify crate 
Updated hot-reload functionality to use notify crate for file watching and improved documentation.
 2026-02-20 15:29:37 +02:00
artemws 0f6621d359
Refactor hot-reload watcher implementation 2026-02-20 15:29:20 +02:00