Add IP filter to WebRTC SettingEngine and ICE AgentConfig (#306)

* Add IP filter to WebRTC SettingEngine and ICE AgentConfig

When machine's network interface have more than one ip address and
user don't want expose one of these ips to remote peer, interface
filter can't work in this case, so add a ip filter for that

* Update webrtc/src/api/setting_engine/mod.rs

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>

* Add changelog entries

Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>

Author: KokaKiwi

ice/CHANGELOG.md

@@ -1,6 +1,7 @@
 # webrtc-ice changelog
 
 ## Unreleased
+* Add IP filter to ICE `AgentConfig` [#306](https://github.com/webrtc-rs/webrtc/pull/306)
 
 ## v0.8.1
 

ice/src/agent/agent_config.rs

@@ -7,6 +7,7 @@ use crate::url::*;
 
 use util::vnet::net::*;
 
+use std::net::IpAddr;
 use std::time::Duration;
 
 /// The interval at which the agent performs candidate checks in the connecting phase.
@@ -51,6 +52,7 @@ pub(crate) fn default_candidate_types() -> Vec<CandidateType> {
 }
 
 pub type InterfaceFilterFn = Box<dyn (Fn(&str) -> bool) + Send + Sync>;
+pub type IpFilterFn = Box<dyn (Fn(IpAddr) -> bool) + Send + Sync>;
 
 /// Collects the arguments to `ice::Agent` construction into a single structure, for
 /// future-proofness of the interface.
@@ -77,7 +79,7 @@ pub struct AgentConfig {
     /// Controls the hostname for this agent. If none is specified a random one will be generated.
     pub multicast_dns_host_name: String,
 
-    /// Control mDNS destination address    
+    /// Control mDNS destination address
     pub multicast_dns_dest_addr: String,
 
     /// Defaults to 5 seconds when this property is nil.
@@ -143,6 +145,10 @@ pub struct AgentConfig {
     /// used to gather ICE candidates.
     pub interface_filter: Arc<Option<InterfaceFilterFn>>,
 
+    /// A function that you can use in order to whitelist or blacklist
+    /// the ips which are used to gather ICE candidates.
+    pub ip_filter: Arc<Option<IpFilterFn>>,
+
     /// Controls if self-signed certificates are accepted when connecting to TURN servers via TLS or
     /// DTLS.
     pub insecure_skip_verify: bool,

ice/src/agent/agent_gather.rs

@@ -28,6 +28,7 @@ pub(crate) struct GatherCandidatesInternalParams {
     pub(crate) mdns_name: String,
     pub(crate) net: Arc<Net>,
     pub(crate) interface_filter: Arc<Option<InterfaceFilterFn>>,
+    pub(crate) ip_filter: Arc<Option<IpFilterFn>>,
     pub(crate) ext_ip_mapper: Arc<Option<ExternalIpMapper>>,
     pub(crate) agent_internal: Arc<AgentInternal>,
     pub(crate) gathering_state: Arc<AtomicU8>,
@@ -40,6 +41,7 @@ struct GatherCandidatesLocalParams {
     mdns_mode: MulticastDnsMode,
     mdns_name: String,
     interface_filter: Arc<Option<InterfaceFilterFn>>,
+    ip_filter: Arc<Option<IpFilterFn>>,
     ext_ip_mapper: Arc<Option<ExternalIpMapper>>,
     net: Arc<Net>,
     agent_internal: Arc<AgentInternal>,
@@ -48,6 +50,7 @@ struct GatherCandidatesLocalParams {
 struct GatherCandidatesLocalUDPMuxParams {
     network_types: Vec<NetworkType>,
     interface_filter: Arc<Option<InterfaceFilterFn>>,
+    ip_filter: Arc<Option<IpFilterFn>>,
     ext_ip_mapper: Arc<Option<ExternalIpMapper>>,
     net: Arc<Net>,
     agent_internal: Arc<AgentInternal>,
@@ -92,6 +95,7 @@ impl Agent {
                         mdns_mode: params.mdns_mode,
                         mdns_name: params.mdns_name.clone(),
                         interface_filter: Arc::clone(&params.interface_filter),
+                        ip_filter: Arc::clone(&params.ip_filter),
                         ext_ip_mapper: Arc::clone(&params.ext_ip_mapper),
                         net: Arc::clone(&params.net),
                         agent_internal: Arc::clone(&params.agent_internal),
@@ -194,6 +198,7 @@ impl Agent {
             mdns_mode,
             mdns_name,
             interface_filter,
+            ip_filter,
             ext_ip_mapper,
             net,
             agent_internal,
@@ -203,6 +208,7 @@ impl Agent {
             params.mdns_mode,
             params.mdns_name,
             params.interface_filter,
+            params.ip_filter,
             params.ext_ip_mapper,
             params.net,
             params.agent_internal,
@@ -214,6 +220,7 @@ impl Agent {
             let result = Self::gather_candidates_local_udp_mux(GatherCandidatesLocalUDPMuxParams {
                 network_types,
                 interface_filter,
+                ip_filter,
                 ext_ip_mapper,
                 net,
                 agent_internal,
@@ -228,7 +235,7 @@ impl Agent {
             return;
         }
 
-        let ips = local_interfaces(&net, &*interface_filter, &network_types).await;
+        let ips = local_interfaces(&net, &*interface_filter, &*ip_filter, &network_types).await;
         for ip in ips {
             let mut mapped_ip = ip;
 
@@ -374,10 +381,19 @@ impl Agent {
     async fn gather_candidates_local_udp_mux(
         params: GatherCandidatesLocalUDPMuxParams,
     ) -> Result<()> {
-        let (udp_mux, agent_internal, interface_filter, ext_ip_mapper, net, network_types) = (
+        let (
+            udp_mux,
+            agent_internal,
+            interface_filter,
+            ip_filter,
+            ext_ip_mapper,
+            net,
+            network_types,
+        ) = (
             params.udp_mux,
             params.agent_internal,
             params.interface_filter,
+            params.ip_filter,
             params.ext_ip_mapper,
             params.net,
             params.network_types,
@@ -389,7 +405,8 @@ impl Agent {
         let udp_mux = Arc::clone(&udp_mux);
 
         // There's actually only one, but `local_interfaces` requires a slice.
-        let local_ips = local_interfaces(&net, &interface_filter, &relevant_network_types).await;
+        let local_ips =
+            local_interfaces(&net, &interface_filter, &ip_filter, &relevant_network_types).await;
 
         let candidate_ip = ext_ip_mapper
             .as_ref() // Arc

ice/src/agent/agent_gather_test.rs

@@ -18,7 +18,13 @@ async fn test_vnet_gather_no_local_ip_address() -> Result<()> {
     })
     .await?;
 
-    let local_ips = local_interfaces(&vnet, &a.interface_filter, &[NetworkType::Udp4]).await;
+    let local_ips = local_interfaces(
+        &vnet,
+        &a.interface_filter,
+        &a.ip_filter,
+        &[NetworkType::Udp4],
+    )
+    .await;
     assert!(local_ips.is_empty(), "should return no local IP");
 
     a.close().await?;
@@ -44,7 +50,8 @@ async fn test_vnet_gather_dynamic_ip_address() -> Result<()> {
     })
     .await?;
 
-    let local_ips = local_interfaces(&nw, &a.interface_filter, &[NetworkType::Udp4]).await;
+    let local_ips =
+        local_interfaces(&nw, &a.interface_filter, &a.ip_filter, &[NetworkType::Udp4]).await;
     assert!(!local_ips.is_empty(), "should have one local IP");
 
     for ip in &local_ips {
@@ -77,7 +84,8 @@ async fn test_vnet_gather_listen_udp() -> Result<()> {
     })
     .await?;
 
-    let local_ips = local_interfaces(&nw, &a.interface_filter, &[NetworkType::Udp4]).await;
+    let local_ips =
+        local_interfaces(&nw, &a.interface_filter, &a.ip_filter, &[NetworkType::Udp4]).await;
     assert!(!local_ips.is_empty(), "should have one local IP");
 
     for ip in local_ips {
@@ -334,7 +342,8 @@ async fn test_vnet_gather_with_interface_filter() -> Result<()> {
         })
         .await?;
 
-        let local_ips = local_interfaces(&nw, &a.interface_filter, &[NetworkType::Udp4]).await;
+        let local_ips =
+            local_interfaces(&nw, &a.interface_filter, &a.ip_filter, &[NetworkType::Udp4]).await;
         assert!(
             local_ips.is_empty(),
             "InterfaceFilter should have excluded everything"
@@ -354,7 +363,8 @@ async fn test_vnet_gather_with_interface_filter() -> Result<()> {
         })
         .await?;
 
-        let local_ips = local_interfaces(&nw, &a.interface_filter, &[NetworkType::Udp4]).await;
+        let local_ips =
+            local_interfaces(&nw, &a.interface_filter, &a.ip_filter, &[NetworkType::Udp4]).await;
         assert_eq!(
             local_ips.len(),
             1,

ice/src/agent/mod.rs

@@ -97,6 +97,7 @@ pub struct Agent {
 
     pub(crate) udp_network: UDPNetwork,
     pub(crate) interface_filter: Arc<Option<InterfaceFilterFn>>,
+    pub(crate) ip_filter: Arc<Option<IpFilterFn>>,
     pub(crate) mdns_mode: MulticastDnsMode,
     pub(crate) mdns_name: String,
     pub(crate) mdns_conn: Option<Arc<DnsConn>>,
@@ -195,6 +196,7 @@ impl Agent {
             udp_network: config.udp_network,
             internal: Arc::new(ai),
             interface_filter: Arc::clone(&config.interface_filter),
+            ip_filter: Arc::clone(&config.ip_filter),
             mdns_mode,
             mdns_name,
             mdns_conn,
@@ -462,6 +464,7 @@ impl Agent {
             mdns_name: self.mdns_name.clone(),
             net: Arc::clone(&self.net),
             interface_filter: self.interface_filter.clone(),
+            ip_filter: self.ip_filter.clone(),
             ext_ip_mapper: Arc::clone(&self.ext_ip_mapper),
             agent_internal: Arc::clone(&self.internal),
             gathering_state: Arc::clone(&self.gathering_state),

ice/src/util/mod.rs

@@ -1,7 +1,7 @@
 #[cfg(test)]
 mod util_test;
 
-use crate::agent::agent_config::InterfaceFilterFn;
+use crate::agent::agent_config::{InterfaceFilterFn, IpFilterFn};
 use crate::error::*;
 use crate::network_type::*;
 
@@ -90,6 +90,7 @@ pub async fn stun_request(
 pub async fn local_interfaces(
     vnet: &Arc<Net>,
     interface_filter: &Option<InterfaceFilterFn>,
+    ip_filter: &Option<IpFilterFn>,
     network_types: &[NetworkType],
 ) -> HashSet<IpAddr> {
     let mut ips = HashSet::new();
@@ -114,11 +115,20 @@ pub async fn local_interfaces(
 
         for ipnet in iface.addrs() {
             let ipaddr = ipnet.addr();
+
             if !ipaddr.is_loopback()
                 && ((ipv4requested && ipaddr.is_ipv4()) || (ipv6requested && ipaddr.is_ipv6()))
             {
-                ips.insert(ipaddr);
+                continue;
             }
+
+            if let Some(filter) = ip_filter {
+                if !filter(ipaddr) {
+                    continue;
+                }
+            }
+
+            ips.insert(ipaddr);
         }
     }
 

ice/src/util/util_test.rs

@@ -4,7 +4,7 @@ use super::*;
 async fn test_local_interfaces() -> Result<()> {
     let vnet = Arc::new(Net::new(None));
     let interfaces = vnet.get_interfaces().await;
-    let ips = local_interfaces(&vnet, &None, &[NetworkType::Udp4, NetworkType::Udp6]).await;
+    let ips = local_interfaces(&vnet, &None, &None, &[NetworkType::Udp4, NetworkType::Udp6]).await;
     log::info!("interfaces: {:?}, ips: {:?}", interfaces, ips);
     Ok(())
 }

webrtc/CHANGELOG.md

@@ -4,6 +4,7 @@
 
 * Added more stats to `RemoteInboundRTPStats` and `RemoteOutboundRTPStats` [#282](https://github.com/webrtc-rs/webrtc/pull/282) by [@k0nserv](https://github.com/k0nserv).
 * Don't register `video/rtx` codecs in `MediaEngine::register_default_codecs`. These weren't actually support and prevented RTX in the existing RTP stream from being used. Long term we should support RTX via this method, this is tracked in [#295](https://github.com/webrtc-rs/webrtc/issues/295). [#294 Remove video/rtx codecs](https://github.com/webrtc-rs/webrtc/pull/294) contributed by [k0nserv](https://github.com/k0nserv)
+* Add IP filter to WebRTC `SettingEngine` [#306](https://github.com/webrtc-rs/webrtc/pull/306)
 
 
 ## 0.5.1

webrtc/src/api/setting_engine/mod.rs

@@ -4,7 +4,7 @@ mod setting_engine_test;
 use crate::dtls_transport::dtls_role::DTLSRole;
 use crate::ice_transport::ice_candidate_type::RTCIceCandidateType;
 use dtls::extension::extension_use_srtp::SrtpProtectionProfile;
-use ice::agent::agent_config::InterfaceFilterFn;
+use ice::agent::agent_config::{InterfaceFilterFn, IpFilterFn};
 use ice::mdns::MulticastDnsMode;
 use ice::network_type::NetworkType;
 use ice::udp_network::UDPNetwork;
@@ -37,6 +37,7 @@ pub struct Candidates {
     pub ice_lite: bool,
     pub ice_network_types: Vec<NetworkType>,
     pub interface_filter: Arc<Option<InterfaceFilterFn>>,
+    pub ip_filter: Arc<Option<IpFilterFn>>,
     pub nat_1to1_ips: Vec<String>,
     pub nat_1to1_ip_candidate_type: RTCIceCandidateType,
     pub multicast_dns_mode: MulticastDnsMode,
@@ -160,6 +161,14 @@ impl SettingEngine {
         self.candidates.interface_filter = Arc::new(Some(filter));
     }
 
+    /// set_ip_filter sets the filtering functions when gathering ICE candidates
+    /// This can be used to exclude certain ip from ICE. Which may be
+    /// useful if you know a certain ip will never succeed, or if you wish to reduce
+    /// the amount of information you wish to expose to the remote peer
+    pub fn set_ip_filter(&mut self, filter: IpFilterFn) {
+        self.candidates.ip_filter = Arc::new(Some(filter));
+    }
+
     /// set_nat_1to1_ips sets a list of external IP addresses of 1:1 (D)NAT
     /// and a candidate type for which the external IP address is used.
     /// This is useful when you are host a server using Pion on an AWS EC2 instance

webrtc/src/ice_transport/ice_gatherer.rs

@@ -123,6 +123,7 @@ impl RTCIceGatherer {
             prflx_acceptance_min_wait: self.setting_engine.timeout.ice_prflx_acceptance_min_wait,
             relay_acceptance_min_wait: self.setting_engine.timeout.ice_relay_acceptance_min_wait,
             interface_filter: self.setting_engine.candidates.interface_filter.clone(),
+            ip_filter: self.setting_engine.candidates.ip_filter.clone(),
             nat_1to1_ips: self.setting_engine.candidates.nat_1to1_ips.clone(),
             nat_1to1_ip_candidate_type: nat_1to1_cand_type,
             net: self.setting_engine.vnet.clone(),