Merge branch 'master' into threading

Bump log from 0.4.13 to 0.4.14

.github/workflows/package.yml

@@ -11,7 +11,7 @@ jobs:
       - name: Run builder
         uses: ./.github/actions/build-deb
         with:
-          rust: '1.48.0'
+          rust: '1.49.0'
       - name: Archive artifacts
         uses: actions/upload-artifact@v1
         with:
@@ -31,7 +31,7 @@ jobs:
       - name: Run builder
         uses: ./.github/actions/build-rpm
         with:
-          rust: '1.48.0'
+          rust: '1.49.0'
       - name: Archive artifacts
         uses: actions/upload-artifact@v1
         with:

CHANGELOG.md

@@ -4,9 +4,11 @@ This project follows [semantic versioning](http://semver.org).
 
 ### UNRELEASED
 
+- [added] Support for creating shell completions
+- [added] Support for hook scripts to handle certain situations
 - [removed] Removed dummy device type
-- [changed] Updated depdendencies
-- [changed] Changed Rust version to 1.48.0
+- [changed] Updated dependencies
+- [changed] Changed Rust version to 1.49.0
 - [fixed] Added missing peer address propagation
 
 ### v2.0.1 (2020-11-07)

Cargo.lock

@@ -11,9 +11,9 @@ dependencies = [
 
 [[package]]
 name = "attohttpc"
-version = "0.16.0"
+version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1082810677916862c7704351dfe4696a837aaf34da0dd6431abc60783e71ee8f"
+checksum = "ba5b30bf3a0aead269fd5dd69b385a3e90c2b55f4f215d1bdf52c3883f5fa7fa"
 dependencies = [
  "http",
  "log",
@@ -32,6 +32,12 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "autocfg"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
+
 [[package]]
 name = "base-x"
 version = "0.2.8"
@@ -51,22 +57,43 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5988cb1d626264ac94100be357308f29ff7cbdd3b36bda27f450a4ee3f713426"
 
 [[package]]
-name = "bumpalo"
-version = "3.4.0"
+name = "bstr"
+version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e8c087f005730276d1096a652e92a8bacee2e2472bcc9715a74d2bec38b5820"
+checksum = "473fc6b38233f9af7baa94fb5852dca389e3d95b8e21c8e3719301462c5d9faf"
+dependencies = [
+ "lazy_static",
+ "memchr",
+ "regex-automata",
+ "serde",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f07aa6688c702439a1be0307b6a94dffe1168569e45b9500c1372bc580740d59"
 
 [[package]]
 name = "byteorder"
-version = "1.3.4"
+version = "1.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de"
+checksum = "ae44d1a3d5a19df61dd0c8beb138458ac2a53a7ac09eba97d55592540004306b"
 
 [[package]]
 name = "bytes"
-version = "0.5.6"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e4cec68f03f32e44924783795810fa50a7035d8c8ebe78580ad7e6c703fba38"
+checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040"
+
+[[package]]
+name = "cast"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4b9434b9a5aa1450faa3f9cb14ea0e8c53bb5d2b3c1bfd1ab4fc03e9f33fbfb0"
+dependencies = [
+ "rustc_version",
+]
 
 [[package]]
 name = "cc"
@@ -103,9 +130,113 @@ dependencies = [
 
 [[package]]
 name = "const_fn"
-version = "0.4.4"
+version = "0.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd51eab21ab4fd6a3bf889e2d0958c0a6e3a61ad04260325e919e652a2a62826"
+checksum = "28b9d6de7f49e22cf97ad17fc4036ece69300032f45f78f30b4a4482cdc3f4a6"
+
+[[package]]
+name = "criterion"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ab327ed7354547cc2ef43cbe20ef68b988e70b4b593cbd66a2a61733123a3d23"
+dependencies = [
+ "atty",
+ "cast",
+ "clap",
+ "criterion-plot",
+ "csv",
+ "itertools 0.10.0",
+ "lazy_static",
+ "num-traits",
+ "oorandom",
+ "plotters",
+ "rayon",
+ "regex",
+ "serde",
+ "serde_cbor",
+ "serde_derive",
+ "serde_json",
+ "tinytemplate",
+ "walkdir",
+]
+
+[[package]]
+name = "criterion-plot"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e022feadec601fba1649cfa83586381a4ad31c6bf3a9ab7d408118b05dd9889d"
+dependencies = [
+ "cast",
+ "itertools 0.9.0",
+]
+
+[[package]]
+name = "crossbeam-channel"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dca26ee1f8d361640700bde38b2c37d8c22b3ce2d360e1fc1c74ea4b0aa7d775"
+dependencies = [
+ "cfg-if 1.0.0",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-deque"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94af6efb46fef72616855b036a624cf27ba656ffc9be1b9a3c931cfc7749a9a9"
+dependencies = [
+ "cfg-if 1.0.0",
+ "crossbeam-epoch",
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-epoch"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1aaa739f95311c2c7887a76863f500026092fb1dce0161dab577e559ef3569d"
+dependencies = [
+ "cfg-if 1.0.0",
+ "const_fn",
+ "crossbeam-utils",
+ "lazy_static",
+ "memoffset",
+ "scopeguard",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02d96d1e189ef58269ebe5b97953da3274d83a93af647c2ddd6f9dab28cedb8d"
+dependencies = [
+ "autocfg",
+ "cfg-if 1.0.0",
+ "lazy_static",
+]
+
+[[package]]
+name = "csv"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9d58633299b24b515ac72a3f869f8b91306a3cec616a602843a383acd6f9e97"
+dependencies = [
+ "bstr",
+ "csv-core",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "csv-core"
+version = "0.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90"
+dependencies = [
+ "memchr",
+]
 
 [[package]]
 name = "daemonize"
@@ -125,9 +256,15 @@ checksum = "212d0f5754cb6769937f4501cc0e67f4f4483c8d2c3e1e922ee9edbe4ab4c7c0"
 
 [[package]]
 name = "dtoa"
-version = "0.4.6"
+version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "134951f4028bdadb9b84baf4232681efbf277da25144b9b0ad65df75946c422b"
+checksum = "88d7ed2934d741c6b37e33e3832298e8850b53fd2d2bea03873375596c7cea4e"
+
+[[package]]
+name = "either"
+version = "1.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
 
 [[package]]
 name = "fnv"
@@ -147,49 +284,44 @@ dependencies = [
 
 [[package]]
 name = "getrandom"
-version = "0.1.15"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc587bc0ec293155d5bfa6b9891ec18a1e330c234f896ea47fbada4cadbe47e6"
+checksum = "c9495705279e7140bf035dde1f6e750c162df8b625267cd52cc44e0b156732c8"
 dependencies = [
- "cfg-if 0.1.10",
+ "cfg-if 1.0.0",
  "libc",
  "wasi",
 ]
 
 [[package]]
-name = "getrandom"
-version = "0.2.0"
+name = "half"
+version = "1.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee8025cf36f917e6a52cce185b7c7177689b838b7ec138364e50cc2277a56cf4"
-dependencies = [
- "cfg-if 0.1.10",
- "libc",
- "wasi",
-]
+checksum = "62aca2aba2d62b4a7f5b33f3712cb1b0692779a56fb510499d5c0aa594daeaf3"
 
 [[package]]
 name = "heck"
-version = "0.3.1"
+version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20564e78d53d2bb135c343b3f47714a56af2061f1c928fdb541dc7b9fdd94205"
+checksum = "87cbf45460356b7deeb5e3415b5563308c0a9b057c85e12b06ad551f98d0a6ac"
 dependencies = [
  "unicode-segmentation",
 ]
 
 [[package]]
 name = "hermit-abi"
-version = "0.1.17"
+version = "0.1.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5aca5565f760fb5b220e499d72710ed156fdb74e631659e99377d9ebfbd13ae8"
+checksum = "322f4de77956e22ed0e5032c359a0f1273f1f7f0d79bfa3b8ffbc730d7fbcc5c"
 dependencies = [
  "libc",
 ]
 
 [[package]]
 name = "http"
-version = "0.2.2"
+version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84129d298a6d57d246960ff8eb831ca4af3f96d29e2e28848dae275408658e26"
+checksum = "7245cd7449cc792608c3c8a9eaf69bd4eabbabf802713748fd739c98b82f0747"
 dependencies = [
  "bytes",
  "fnv",
@@ -215,7 +347,7 @@ checksum = "4c4e7ee8b51e541486d7040883fe1f00e2a9954bcc24fd155b7e4f03ed4b93dd"
 dependencies = [
  "attohttpc",
  "log",
- "rand 0.8.1",
+ "rand",
  "url",
  "xmltree",
 ]
@@ -230,16 +362,34 @@ dependencies = [
 ]
 
 [[package]]
-name = "itoa"
-version = "0.4.6"
+name = "itertools"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc6f3ad7b9d11a0c00842ff8de1b60ee58661048eb8049ed33c73594f359d7e6"
+checksum = "284f18f85651fe11e8a991b2adb42cb078325c996ed026d994719efcfca1d54b"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itertools"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37d572918e350e82412fe766d24b15e6682fb2ed2bbe018280caa810397cb319"
+dependencies = [
+ "either",
+]
+
+[[package]]
+name = "itoa"
+version = "0.4.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736"
 
 [[package]]
 name = "js-sys"
-version = "0.3.46"
+version = "0.3.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf3d7383929f7c9c7c2d0fa596f325832df98c3704f2c60553080f7127a58175"
+checksum = "5cfb73131c35423a367daf8cbd24100af0d077668c8c2943f0e7dd775fef0f65"
 dependencies = [
  "wasm-bindgen",
 ]
@@ -252,15 +402,15 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 
 [[package]]
 name = "libc"
-version = "0.2.81"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1482821306169ec4d07f6aca392a4681f66c75c9918aa49641a2595db64053cb"
+checksum = "1cca32fa0182e8c0989459524dc356b8f2b5c10f1b9eb521b7d182c03cf8c5ff"
 
 [[package]]
 name = "linked-hash-map"
-version = "0.5.3"
+version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8dd5a6d5999d9907cda8ed67bbd137d3af8085216c2ac62de5be860bd41f304a"
+checksum = "7fb9b38af92608140b86b693604b9ffcc5824240a484d1ecd4795bacb2fe88f3"
 
 [[package]]
 name = "lock_api"
@@ -273,11 +423,11 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.11"
+version = "0.4.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b"
+checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
 dependencies = [
- "cfg-if 0.1.10",
+ "cfg-if 1.0.0",
 ]
 
 [[package]]
@@ -286,6 +436,21 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ffc5c5338469d4d3ea17d269fa8ea3512ad247247c30bd2df69e68309ed0a08"
 
+[[package]]
+name = "memchr"
+version = "2.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ee1c47aaa256ecabcaea351eae4a9b01ef39ed810004e298d2511ed284b1525"
+
+[[package]]
+name = "memoffset"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "157b4208e3059a8f9e78d559edc658e13df41410cb3ae03979c83130067fdd87"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "nix"
 version = "0.14.1"
@@ -311,12 +476,37 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "num-traits"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "num_cpus"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3"
+dependencies = [
+ "hermit-abi",
+ "libc",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13bd41f508810a131401606d54ac32a467c97172d74ba7662562ebba5ad07fa0"
 
+[[package]]
+name = "oorandom"
+version = "11.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575"
+
 [[package]]
 name = "parking_lot"
 version = "0.11.1"
@@ -337,7 +527,7 @@ dependencies = [
  "cfg-if 1.0.0",
  "instant",
  "libc",
- "redox_syscall",
+ "redox_syscall 0.1.57",
  "smallvec",
  "winapi",
 ]
@@ -348,6 +538,34 @@ version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"
 
+[[package]]
+name = "plotters"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45ca0ae5f169d0917a7c7f5a9c1a3d3d9598f18f529dd2b8373ed988efea307a"
+dependencies = [
+ "num-traits",
+ "plotters-backend",
+ "plotters-svg",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "plotters-backend"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b07fffcddc1cb3a1de753caa4e4df03b79922ba43cf882acc1bdd7e8df9f4590"
+
+[[package]]
+name = "plotters-svg"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b38a02e23bd9604b842a812063aec4ef702b57989c37b655254bb61c471ad211"
+dependencies = [
+ "plotters-backend",
+]
+
 [[package]]
 name = "ppv-lite86"
 version = "0.2.10"
@@ -405,46 +623,23 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.7"
+version = "1.0.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aa563d17ecb180e500da1cfd2b028310ac758de548efdd203e18f283af693f37"
+checksum = "991431c3519a3f36861882da93630ce66b52918dcf1b8e2fd66b397fc96f28df"
 dependencies = [
  "proc-macro2",
 ]
 
 [[package]]
 name = "rand"
-version = "0.7.3"
+version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03"
-dependencies = [
- "getrandom 0.1.15",
- "libc",
- "rand_chacha 0.2.2",
- "rand_core 0.5.1",
- "rand_hc 0.2.0",
-]
-
-[[package]]
-name = "rand"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c24fcd450d3fa2b592732565aa4f17a27a61c65ece4726353e000939b0edee34"
+checksum = "0ef9e7e66b4468674bfcb0c81af8b7fa0bb154fa9f28eb840da5c447baeb8d7e"
 dependencies = [
  "libc",
- "rand_chacha 0.3.0",
- "rand_core 0.6.0",
- "rand_hc 0.3.0",
-]
-
-[[package]]
-name = "rand_chacha"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402"
-dependencies = [
- "ppv-lite86",
- "rand_core 0.5.1",
+ "rand_chacha",
+ "rand_core",
+ "rand_hc",
 ]
 
 [[package]]
@@ -454,34 +649,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e12735cf05c9e10bf21534da50a147b924d555dc7a547c42e6bb2d5b6017ae0d"
 dependencies = [
  "ppv-lite86",
- "rand_core 0.6.0",
+ "rand_core",
 ]
 
 [[package]]
 name = "rand_core"
-version = "0.5.1"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
+checksum = "c026d7df8b298d90ccbbc5190bd04d85e159eaf5576caeacf8741da93ccbd2e5"
 dependencies = [
- "getrandom 0.1.15",
-]
-
-[[package]]
-name = "rand_core"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8b34ba8cfb21243bd8df91854c830ff0d785fff2e82ebd4434c2644cb9ada18"
-dependencies = [
- "getrandom 0.2.0",
-]
-
-[[package]]
-name = "rand_hc"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c"
-dependencies = [
- "rand_core 0.5.1",
+ "getrandom",
 ]
 
 [[package]]
@@ -490,7 +667,32 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3190ef7066a446f2e7f42e239d161e905420ccab01eb967c9eb27d21b2322a73"
 dependencies = [
- "rand_core 0.6.0",
+ "rand_core",
+]
+
+[[package]]
+name = "rayon"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b0d8e0819fadc20c74ea8373106ead0600e3a67ef1fe8da56e39b9ae7275674"
+dependencies = [
+ "autocfg",
+ "crossbeam-deque",
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ab346ac5921dc62ffa9f89b7a773907511cdfa5490c572ae9be1be33e8afa4a"
+dependencies = [
+ "crossbeam-channel",
+ "crossbeam-deque",
+ "crossbeam-utils",
+ "lazy_static",
+ "num_cpus",
 ]
 
 [[package]]
@@ -499,6 +701,39 @@ version = "0.1.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce"
 
+[[package]]
+name = "redox_syscall"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05ec8ca9416c5ea37062b502703cd7fcb207736bc294f6e0cf367ac6fc234570"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "regex"
+version = "1.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9251239e129e16308e70d853559389de218ac275b515068abc96829d05b948a"
+dependencies = [
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae1ded71d66a4a97f5e961fd0cb25a5f366a42a41570d16a763a69c092c26ae4"
+dependencies = [
+ "byteorder",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.6.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5eb417147ba9860a96cfe72a0b93bf88fee1744b5636ec99ab20c1aa9376581"
+
 [[package]]
 name = "remove_dir_all"
 version = "0.5.3"
@@ -538,6 +773,15 @@ version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e"
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "scopeguard"
 version = "1.1.0"
@@ -561,15 +805,28 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
 
 [[package]]
 name = "serde"
-version = "1.0.118"
+version = "1.0.123"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06c64263859d87aa2eb554587e2d23183398d617427327cf2b3d0ed8c69e4800"
+checksum = "92d5161132722baa40d802cc70b15262b98258453e85e5d1d365c757c73869ae"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_cbor"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e18acfa2f90e8b735b2836ab8d538de304cbb6729a7360729ea5a895d15a622"
+dependencies = [
+ "half",
+ "serde",
+]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.118"
+version = "1.0.123"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c84d3526699cd55261af4b941e4e725444df67aa4f9e6a3564f18030d12672df"
+checksum = "9391c295d64fc0abb2c556bad848f33cb8296276b1ad2677d1ae1ace4f258f31"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -578,9 +835,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.60"
+version = "1.0.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1500e84d27fe482ed1dc791a56eddc2f230046a040fa908c08bda1d9fb615779"
+checksum = "4fceb2595057b6891a4ee808f70054bd2d12f0e97f1cbb78689b59f676df325a"
 dependencies = [
  "itoa",
  "ryu",
@@ -589,9 +846,9 @@ dependencies = [
 
 [[package]]
 name = "serde_yaml"
-version = "0.8.14"
+version = "0.8.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7baae0a99f1a324984bcdc5f0718384c1f69775f1c7eec8b859b71b443e3fd7"
+checksum = "971be8f6e4d4a47163b405a3df70d14359186f9ab0f3a3ec37df144ca1ce089f"
 dependencies = [
  "dtoa",
  "linked-hash-map",
@@ -617,9 +874,9 @@ dependencies = [
 
 [[package]]
 name = "smallvec"
-version = "1.6.0"
+version = "1.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a55ca5f3b68e41c979bf8c46a6f1da892ca4db8f94023ce0bd32407573b1ac0"
+checksum = "fe0f37c9e8f3c5a4a66ad655a93c74daac4ad00c441533bf5c6e7990bb42604e"
 
 [[package]]
 name = "spin"
@@ -629,9 +886,9 @@ checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
 
 [[package]]
 name = "standback"
-version = "0.2.13"
+version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf906c8b8fc3f6ecd1046e01da1d8ddec83e48c8b08b84dcc02b585a6bedf5a8"
+checksum = "c66a8cff4fa24853fdf6b51f75c6d7f8206d7c75cab4e467bcd7f25c2b1febe0"
 dependencies = [
  "version_check",
 ]
@@ -717,9 +974,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "1.0.54"
+version = "1.0.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a2af957a63d6bd42255c359c93d9bfdb97076bd3b820897ce55ffbfbf107f44"
+checksum = "c700597eca8a5a762beb35753ef6b94df201c81cca676604f547495a0d7f0081"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -728,14 +985,14 @@ dependencies = [
 
 [[package]]
 name = "tempfile"
-version = "3.1.0"
+version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a6e24d9338a0a5be79593e2fa15a648add6138caa803e2d5bc782c371732ca9"
+checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22"
 dependencies = [
- "cfg-if 0.1.10",
+ "cfg-if 1.0.0",
  "libc",
- "rand 0.7.3",
- "redox_syscall",
+ "rand",
+ "redox_syscall 0.2.4",
  "remove_dir_all",
  "winapi",
 ]
@@ -808,10 +1065,20 @@ dependencies = [
 ]
 
 [[package]]
-name = "tinyvec"
-version = "1.1.0"
+name = "tinytemplate"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ccf8dbc19eb42fba10e8feaaec282fb50e2c14b2726d6301dbfeed0f73306a6f"
+checksum = "a2ada8616fad06a2d0c455adc530de4ef57605a8120cc65da9653e0e9623ca74"
+dependencies = [
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "317cca572a0e89c3ce0ca1f1bdc9369547fe318a683418e42ac8f59d14701023"
 dependencies = [
  "tinyvec_macros",
 ]
@@ -899,6 +1166,7 @@ name = "vpncloud"
 version = "2.0.1"
 dependencies = [
  "byteorder",
+ "criterion",
  "daemonize",
  "fnv",
  "igd",
@@ -906,10 +1174,9 @@ dependencies = [
  "log",
  "parking_lot",
  "privdrop",
- "rand 0.8.1",
+ "rand",
  "ring",
  "serde",
- "serde_derive",
  "serde_yaml",
  "signal",
  "smallvec",
@@ -921,16 +1188,27 @@ dependencies = [
 ]
 
 [[package]]
-name = "wasi"
-version = "0.9.0+wasi-snapshot-preview1"
+name = "walkdir"
+version = "2.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
+checksum = "777182bc735b6424e1a57516d35ed72cb8019d85c8c9bf536dccb3445c1a2f7d"
+dependencies = [
+ "same-file",
+ "winapi",
+ "winapi-util",
+]
+
+[[package]]
+name = "wasi"
+version = "0.10.2+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.69"
+version = "0.2.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cd364751395ca0f68cafb17666eee36b63077fb5ecd972bbcd74c90c4bf736e"
+checksum = "55c0f7123de74f0dab9b7d00fd614e7b19349cd1e2f5252bbe9b1754b59433be"
 dependencies = [
  "cfg-if 1.0.0",
  "wasm-bindgen-macro",
@@ -938,9 +1216,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.69"
+version = "0.2.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1114f89ab1f4106e5b55e688b828c0ab0ea593a1ea7c094b141b14cbaaec2d62"
+checksum = "7bc45447f0d4573f3d65720f636bbcc3dd6ce920ed704670118650bcd47764c7"
 dependencies = [
  "bumpalo",
  "lazy_static",
@@ -953,9 +1231,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.69"
+version = "0.2.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a6ac8995ead1f084a8dea1e65f194d0973800c7f571f6edd70adf06ecf77084"
+checksum = "3b8853882eef39593ad4174dd26fc9865a64e84026d223f63bb2c42affcbba2c"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -963,9 +1241,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.69"
+version = "0.2.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5a48c72f299d80557c7c62e37e7225369ecc0c963964059509fbafe917c7549"
+checksum = "4133b5e7f2a531fa413b3a1695e925038a05a71cf67e87dafa295cb645a01385"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -976,15 +1254,15 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.69"
+version = "0.2.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e7811dd7f9398f14cc76efd356f98f03aa30419dea46aa810d71e819fc97158"
+checksum = "dd4945e4943ae02d15c13962b38a5b1e81eadd4b71214eee75af64a4d6a4fd64"
 
 [[package]]
 name = "web-sys"
-version = "0.3.46"
+version = "0.3.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "222b1ef9334f92a21d3fb53dc3fd80f30836959a90f9274a626d7e06315ba3c3"
+checksum = "c40dc691fc48003eba817c38da7113c15698142da971298003cac3ef175680b3"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -992,9 +1270,9 @@ dependencies = [
 
 [[package]]
 name = "wildmatch"
-version = "1.0.12"
+version = "1.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79346daa5ca66c72db46ee4dac6e605811478ae0807b385d18328be3f5c0eb74"
+checksum = "d2399814fda0d6999a6bfe9b5c7660d836334deb162a09db8b73d5b38fd8c40a"
 
 [[package]]
 name = "winapi"
@@ -1012,6 +1290,15 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
+[[package]]
+name = "winapi-util"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+dependencies = [
+ "winapi",
+]
+
 [[package]]
 name = "winapi-x86_64-pc-windows-gnu"
 version = "0.4.0"

Cargo.toml

@@ -14,8 +14,7 @@ edition = "2018"
 [dependencies]
 time = "=0.2.22"
 structopt = "0.3"
-serde = "1.0"
-serde_derive = "1.0"
+serde = { version = "1.0", features = ["derive"] }
 serde_yaml = "0.8"
 log = { version = "0.4", features = ["std"] }
 signal = "0.7"
@@ -27,19 +26,24 @@ igd = { version = "0.12", optional = true }
 daemonize = "0.4"
 ring = "0.16"
 privdrop = "0.5"
-byteorder = "1.3"
+byteorder = "1.4"
 thiserror = "1.0"
 parking_lot = "*"
 smallvec = "1.6"
 
 [dev-dependencies]
 tempfile = "3"
+criterion = "0.3"
 
 [features]
 default = ["nat"]
 bench = []
 nat = ["igd"]
 
+[[bench]]
+name = "bench"
+harness = false
+
 [profile.release]
 lto = true
 

benches/bench.rs

@@ -0,0 +1,149 @@
+#![allow(dead_code, unused_macros, unused_imports)]
+#[macro_use] extern crate serde;
+#[macro_use] extern crate log;
+
+use criterion::{criterion_group, criterion_main, Criterion, Throughput};
+
+use smallvec::smallvec;
+use ring::aead;
+
+use std::str::FromStr;
+use std::net::{SocketAddr, Ipv4Addr, SocketAddrV4, UdpSocket};
+
+mod util {
+    include!("../src/util.rs");
+}
+mod error {
+    include!("../src/error.rs");
+}
+mod payload {
+    include!("../src/payload.rs");
+}
+mod types {
+    include!("../src/types.rs");
+}
+mod table {
+    include!("../src/table.rs");
+}
+mod crypto_core {
+    include!("../src/crypto/core.rs");
+}
+
+pub use error::Error;
+use util::{MockTimeSource, MsgBuffer};
+use types::{Address, Range};
+use table::{ClaimTable};
+use payload::{Packet, Frame, Protocol};
+use crypto_core::{create_dummy_pair, EXTRA_LEN};
+
+fn udp_send(c: &mut Criterion) {
+    let sock = UdpSocket::bind("127.0.0.1:0").unwrap();
+    let data = [0; 1400];
+    let addr = SocketAddrV4::new(Ipv4Addr::new(127, 0, 0, 1), 1);
+    let mut g = c.benchmark_group("udp_send");
+    g.throughput(Throughput::Bytes(1400));
+    g.bench_function("udp_send", |b| {
+        b.iter(|| sock.send_to(&data, &addr).unwrap());
+    });
+    g.finish();
+}
+
+fn decode_ipv4(c: &mut Criterion) {
+    let data = [0x40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 192, 168, 1, 1, 192, 168, 1, 2];
+    let mut g = c.benchmark_group("payload");
+    g.throughput(Throughput::Bytes(1400));
+    g.bench_function("decode_ipv4", |b| {
+        b.iter(|| Packet::parse(&data).unwrap());
+    });
+    g.finish();
+}
+
+fn decode_ipv6(c: &mut Criterion) {
+    let data = [
+        0x60, 0, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 0, 9, 8, 7, 6, 5, 4, 3, 2, 1, 6, 5,
+        4, 3, 2, 1
+    ];
+    let mut g = c.benchmark_group("payload");
+    g.throughput(Throughput::Bytes(1400));
+    g.bench_function("decode_ipv6", |b| {
+        b.iter(|| Packet::parse(&data).unwrap());
+    });
+    g.finish();
+}
+
+fn decode_ethernet(c: &mut Criterion) {
+    let data = [6, 5, 4, 3, 2, 1, 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 5, 6, 7, 8];
+    let mut g = c.benchmark_group("payload");
+    g.throughput(Throughput::Bytes(1400));
+    g.bench_function("decode_ethernet", |b| {
+        b.iter(|| Frame::parse(&data).unwrap());
+    });
+    g.finish();
+}
+
+fn decode_ethernet_with_vlan(c: &mut Criterion) {
+    let data = [6, 5, 4, 3, 2, 1, 1, 2, 3, 4, 5, 6, 0x81, 0, 4, 210, 1, 2, 3, 4, 5, 6, 7, 8];
+    let mut g = c.benchmark_group("payload");
+    g.throughput(Throughput::Bytes(1400));
+    g.bench_function("decode_ethernet_with_vlan", |b| {
+        b.iter(|| Frame::parse(&data).unwrap());
+    });
+    g.finish();
+}
+
+fn lookup_warm(c: &mut Criterion) {
+    let mut table = ClaimTable::<MockTimeSource>::new(60, 60);
+    let addr = Address::from_str("1.2.3.4").unwrap();
+    table.cache(addr, SocketAddr::from_str("1.2.3.4:3210").unwrap());
+    let mut g = c.benchmark_group("table");
+    g.throughput(Throughput::Bytes(1400));
+    g.bench_function("lookup_warm", |b| {
+        b.iter(|| table.lookup(addr));
+    });
+    g.finish();
+}
+
+fn lookup_cold(c: &mut Criterion) {
+    let mut table = ClaimTable::<MockTimeSource>::new(60, 60);
+    let addr = Address::from_str("1.2.3.4").unwrap();
+    table.set_claims(SocketAddr::from_str("1.2.3.4:3210").unwrap(), smallvec![Range::from_str("1.2.3.4/32").unwrap()]);
+    let mut g = c.benchmark_group("table");
+    g.throughput(Throughput::Bytes(1400));
+    g.bench_function("lookup_cold", |b| {
+        b.iter(|| {
+            table.clear_cache();
+            table.lookup(addr)
+        });
+    });
+    g.finish();
+}
+
+fn crypto_bench(c: &mut Criterion, algo: &'static aead::Algorithm) {
+    let mut buffer = MsgBuffer::new(EXTRA_LEN);
+    buffer.set_length(1400);
+    let (mut sender, mut receiver) = create_dummy_pair(algo);
+    let mut g = c.benchmark_group("crypto");
+    g.throughput(Throughput::Bytes(2*1400));
+    g.bench_function(format!("{:?}", algo), |b| {
+        b.iter(|| {
+            sender.encrypt(&mut buffer);
+            receiver.decrypt(&mut buffer).unwrap();
+        });
+    });
+    g.finish()
+}
+
+fn crypto_chacha20(c: &mut Criterion) {
+    crypto_bench(c, &aead::CHACHA20_POLY1305)
+}
+
+fn crypto_aes128(c: &mut Criterion) {
+    crypto_bench(c, &aead::AES_128_GCM)
+}
+
+fn crypto_aes256(c: &mut Criterion) {
+    crypto_bench(c, &aead::AES_256_GCM)
+}
+
+criterion_group!(benches, udp_send, decode_ipv4, decode_ipv6, decode_ethernet, decode_ethernet_with_vlan, lookup_cold, lookup_warm, crypto_chacha20, crypto_aes128, crypto_aes256);
+criterion_main!(benches);

builder/Dockerfile-deb

@@ -19,7 +19,7 @@ RUN useradd -ms /bin/bash user
 USER user
 WORKDIR /home/user
 
-ENV RUST=1.48.0
+ENV RUST=1.49.0
 
 RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST}
 

builder/Dockerfile-rpm

@@ -7,7 +7,7 @@ RUN useradd -ms /bin/bash user
 USER user
 WORKDIR /home/user
 
-ENV RUST=1.48.0
+ENV RUST=1.49.0
 
 RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST}
 

src/config.rs

@@ -4,18 +4,20 @@
 
 use super::{device::Type, types::Mode, util::Duration};
 pub use crate::crypto::Config as CryptoConfig;
-
+use crate::util::run_cmd;
 use std::{
     cmp::max,
-    net::{IpAddr, Ipv6Addr, SocketAddr}
+    collections::HashMap,
+    ffi::OsStr,
+    net::{IpAddr, Ipv6Addr, SocketAddr},
+    process::Command,
+    thread
 };
-use structopt::StructOpt;
-
+use structopt::{clap::Shell, StructOpt};
 
 pub const DEFAULT_PEER_TIMEOUT: u16 = 300;
 pub const DEFAULT_PORT: u16 = 3210;
 
-
 fn parse_listen(addr: &str) -> SocketAddr {
     if let Some(addr) = addr.strip_prefix("*:") {
         let port = try_fail!(addr.parse::<u16>(), "Invalid port: {}");
@@ -60,7 +62,9 @@ pub struct Config {
     pub statsd_server: Option<String>,
     pub statsd_prefix: Option<String>,
     pub user: Option<String>,
-    pub group: Option<String>
+    pub group: Option<String>,
+    pub hook: Option<String>,
+    pub hooks: HashMap<String, String>
 }
 
 impl Default for Config {
@@ -93,7 +97,9 @@ impl Default for Config {
             statsd_server: None,
             statsd_prefix: None,
             user: None,
-            group: None
+            group: None,
+            hook: None,
+            hooks: HashMap::new()
         }
     }
 }
@@ -198,6 +204,12 @@ impl Config {
         if !file.crypto.algorithms.is_empty() {
             self.crypto.algorithms = file.crypto.algorithms.clone();
         }
+        if let Some(val) = file.hook {
+            self.hook = Some(val)
+        }
+        for (k, v) in file.hooks {
+            self.hooks.insert(k, v);
+        }
     }
 
     pub fn merge_args(&mut self, mut args: Args) {
@@ -291,6 +303,16 @@ impl Config {
         if !args.algorithms.is_empty() {
             self.crypto.algorithms = args.algorithms.clone();
         }
+        for s in args.hook {
+            if s.contains(':') {
+                let pos = s.find(':').unwrap();
+                let name = &s[..pos];
+                let hook = &s[pos+1..];
+                self.hooks.insert(name.to_string(), hook.to_string());
+            } else {
+                self.hook = Some(s);
+            }
+        }
     }
 
     pub fn get_keepalive(&self) -> Duration {
@@ -299,8 +321,31 @@ impl Config {
             None => max(self.peer_timeout / 2 - 60, 1)
         }
     }
-}
 
+    pub fn call_hook(
+        &self, event: &'static str, envs: impl IntoIterator<Item = (&'static str, impl AsRef<OsStr>)>, detach: bool
+    ) {
+        let mut script = None;
+        if let Some(ref s) = self.hook {
+            script = Some(s);
+        }
+        if let Some(ref s) = self.hooks.get(event) {
+            script = Some(s);
+        }
+        if script.is_none() {
+            return
+        }
+        let script = script.unwrap();
+        let mut cmd = Command::new("sh");
+        cmd.arg("-c").arg(script).envs(envs).env("EVENT", event);
+        debug!("Running event script: {:?}", cmd);
+        if detach {
+            thread::spawn(move || run_cmd(cmd));
+        } else {
+            run_cmd(cmd)
+        }
+    }
+}
 
 #[derive(StructOpt, Debug, Default)]
 pub struct Args {
@@ -325,7 +370,7 @@ pub struct Args {
     pub mode: Option<Mode>,
 
     /// The shared password to encrypt all traffic
-    #[structopt(short, long, required_unless_one = &["private-key", "config", "genkey", "version"], env)]
+    #[structopt(short, long, required_unless_one = &["private-key", "config", "genkey", "version", "completion"], env)]
     pub password: Option<String>,
 
     /// The private key to use
@@ -458,7 +503,15 @@ pub struct Args {
 
     /// Migrate an old config file
     #[structopt(long, alias = "migrate", requires = "config")]
-    pub migrate_config: bool
+    pub migrate_config: bool,
+
+    /// Generate shell completions
+    #[structopt(long)]
+    pub completion: Option<Shell>,
+
+    /// Call script on event
+    #[structopt(long)]
+    pub hook: Vec<String>
 }
 
 #[derive(Serialize, Deserialize, Debug, PartialEq, Default)]
@@ -512,10 +565,11 @@ pub struct ConfigFile {
     pub stats_file: Option<String>,
     pub statsd: Option<ConfigFileStatsd>,
     pub user: Option<String>,
-    pub group: Option<String>
+    pub group: Option<String>,
+    pub hook: Option<String>,
+    pub hooks: HashMap<String, String>
 }
 
-
 #[test]
 fn config_file() {
     let config_file = "
@@ -582,7 +636,9 @@ statsd:
         statsd: Some(ConfigFileStatsd {
             server: Some("example.com:1234".to_string()),
             prefix: Some("prefix".to_string())
-        })
+        }),
+        hook: None,
+        hooks: HashMap::new()
     })
 }
 
@@ -616,9 +672,12 @@ fn default_config_as_default() {
         statsd_server: None,
         statsd_prefix: None,
         user: None,
-        group: None
+        group: None,
+        hook: None,
+        hooks: HashMap::new()
     };
-    let default_config_file = serde_yaml::from_str::<ConfigFile>(include_str!("../assets/example.net.disabled")).unwrap();
+    let default_config_file =
+        serde_yaml::from_str::<ConfigFile>(include_str!("../assets/example.net.disabled")).unwrap();
     default_config.merge_file(default_config_file);
     assert_eq!(default_config, Config::default());
 }
@@ -659,7 +718,9 @@ fn config_merge() {
         statsd: Some(ConfigFileStatsd {
             server: Some("example.com:1234".to_string()),
             prefix: Some("prefix".to_string())
-        })
+        }),
+        hook: None,
+        hooks: HashMap::new()
     });
     assert_eq!(config, Config {
         device_type: Type::Tun,
@@ -748,6 +809,8 @@ fn config_merge() {
         stats_file: Some("/var/log/vpncloud-mynet.stats".to_string()),
         statsd_server: Some("example.com:2345".to_string()),
         statsd_prefix: Some("prefix2".to_string()),
-        daemonize: true
+        daemonize: true,
+        hook: None,
+        hooks: HashMap::new()
     });
 }

src/crypto/core.rs

@@ -1,41 +1,41 @@
-//! This module implements a crypto core for encrypting and decrypting message streams
-//!
-//! The crypto core only encrypts and decrypts messages, using given keys. Negotiating and rotating the keys is out of
-//! scope of the crypto core. The crypto core assumes that the remote node will always have the necessary key to decrypt
-//! the message.
-//!
-//! The crypto core encrypts messages in place, writes some extra data (key id and nonce) into a given space and
-//! includes the given header data in the authentication tag. When decrypting messages, the crypto core reads the extra
-//! data, uses the key id to find the right key to decrypting the message and then decrypts the message, using the given
-//! nonce and including the given header data in the verification of the authentication tag.
-//!
-//! While the core only uses a single key at a time for encrypting messages, it is ready to decrypt messages based on
-//! one of 4 stored keys (the encryption key being one of them). An external key rotation is responsible for adding the
-//! key to the remote peer before switching to the key on the local peer for encryption.
-//!
-//! As mentioned, the encryption and decryption works in place. Therefore the parameter payload_and_tag contains (when
-//! decrypting) or provides space for (when encrypting) the payload and the authentication tag. When encrypting, that
-//! means, that the last TAG_LEN bytes of payload_and_tag must be reserved for the tag and must not contain payload
-//! bytes.
-//!
-//! The nonce is a value of 12 bytes (192 bits). Since both nodes can use the same key for encryption, the most
-//! significant byte (msb) of the nonce is initialized differently on both peers: one peer uses the value 0x00 and the
-//! other one 0x80. That means that the nonce space is essentially divided in two halves, one for each node.
-//!
-//! To save space and keep the encrypted data aligned to 64 bits, not all bytes of the nonce are transferred. Instead,
-//! only 7 bytes are included in messages (another byte is used for the key id, hence 64 bit alignment). The rest of the
-//! nonce is deduced by the nodes: All other bytes are assumed to be 0x00, except for the most significant byte, which
-//! is assumed to be the opposite ones own msb. This has two nice effects:
-//! 1) Long before the nonce could theoretically repeat, the messages can no longer be decrypted by the peer as the
-//! higher bytes are no longer zero as assumed.
-//! 2) By deducing the msb to be the opposite of ones own msb, it is no longer possible for an attacker to redirect a
-//! message back to the sender because then the assumed nonce will be wrong and the message fails to decrypt. Otherwise,
-//! this could lead to problems as nodes would be able to accidentally decrypt their own messages.
-//!
-//! In order to be resistent against replay attacks but allow for reordering of messages, the crypto core uses nonce
-//! pinning. For every active key, the biggest nonce seen so far is being tracked. Every second, the biggest nonce seen
-//! one second ago plus 1 becomes the minimum nonce that is accepted for that key. That means, that reordering can
-//! happen within one second but after a second, old messages will not be accepted anymore.
+// This module implements a crypto core for encrypting and decrypting message streams
+//
+// The crypto core only encrypts and decrypts messages, using given keys. Negotiating and rotating the keys is out of
+// scope of the crypto core. The crypto core assumes that the remote node will always have the necessary key to decrypt
+// the message.
+//
+// The crypto core encrypts messages in place, writes some extra data (key id and nonce) into a given space and
+// includes the given header data in the authentication tag. When decrypting messages, the crypto core reads the extra
+// data, uses the key id to find the right key to decrypting the message and then decrypts the message, using the given
+// nonce and including the given header data in the verification of the authentication tag.
+//
+// While the core only uses a single key at a time for encrypting messages, it is ready to decrypt messages based on
+// one of 4 stored keys (the encryption key being one of them). An external key rotation is responsible for adding the
+// key to the remote peer before switching to the key on the local peer for encryption.
+//
+// As mentioned, the encryption and decryption works in place. Therefore the parameter payload_and_tag contains (when
+// decrypting) or provides space for (when encrypting) the payload and the authentication tag. When encrypting, that
+// means, that the last TAG_LEN bytes of payload_and_tag must be reserved for the tag and must not contain payload
+// bytes.
+//
+// The nonce is a value of 12 bytes (192 bits). Since both nodes can use the same key for encryption, the most
+// significant byte (msb) of the nonce is initialized differently on both peers: one peer uses the value 0x00 and the
+// other one 0x80. That means that the nonce space is essentially divided in two halves, one for each node.
+//
+// To save space and keep the encrypted data aligned to 64 bits, not all bytes of the nonce are transferred. Instead,
+// only 7 bytes are included in messages (another byte is used for the key id, hence 64 bit alignment). The rest of the
+// nonce is deduced by the nodes: All other bytes are assumed to be 0x00, except for the most significant byte, which
+// is assumed to be the opposite ones own msb. This has two nice effects:
+// 1) Long before the nonce could theoretically repeat, the messages can no longer be decrypted by the peer as the
+// higher bytes are no longer zero as assumed.
+// 2) By deducing the msb to be the opposite of ones own msb, it is no longer possible for an attacker to redirect a
+// message back to the sender because then the assumed nonce will be wrong and the message fails to decrypt. Otherwise,
+// this could lead to problems as nodes would be able to accidentally decrypt their own messages.
+//
+// In order to be resistent against replay attacks but allow for reordering of messages, the crypto core uses nonce
+// pinning. For every active key, the biggest nonce seen so far is being tracked. Every second, the biggest nonce seen
+// one second ago plus 1 becomes the minimum nonce that is accepted for that key. That means, that reordering can
+// happen within one second but after a second, old messages will not be accepted anymore.
 
 use byteorder::{ReadBytesExt, WriteBytesExt};
 use ring::{
@@ -467,37 +467,3 @@ mod tests {
         assert!(speed > 10.0);
     }
 }
-
-#[cfg(feature = "bench")]
-mod benches {
-
-    use super::*;
-    use test::Bencher;
-
-    fn crypto_bench(b: &mut Bencher, algo: &'static aead::Algorithm) {
-        let mut buffer = MsgBuffer::new(EXTRA_LEN);
-        buffer.set_length(1400);
-        let (mut sender, mut receiver) = create_dummy_pair(algo);
-        b.iter(|| {
-            sender.encrypt(&mut buffer);
-            receiver.decrypt(&mut buffer).unwrap();
-        });
-        b.bytes = 1400;
-    }
-
-
-    #[bench]
-    fn crypto_chacha20(b: &mut Bencher) {
-        crypto_bench(b, &aead::CHACHA20_POLY1305)
-    }
-
-    #[bench]
-    fn crypto_aes128(b: &mut Bencher) {
-        crypto_bench(b, &aead::AES_128_GCM)
-    }
-
-    #[bench]
-    fn crypto_aes256(b: &mut Bencher) {
-        crypto_bench(b, &aead::AES_256_GCM)
-    }
-}

src/crypto/init.rs

@@ -1,59 +1,61 @@
-//! This module implements a 3-way handshake to initialize an authenticated and encrypted connection.
-//!
-//! The handshake assumes that each node has a asymmetric Curve 25519 key pair as well as a list of trusted public keys
-//! and a set of supported crypto algorithms as well as the expected speed when using them. If successful, the handshake
-//! will negotiate a crypto algorithm to use and a common ephemeral symmetric key and exchange a given payload between
-//! the nodes.
-//!
-//! The handshake consists of 3 stages, "ping", "pong" and "peng". In the following description, the node that initiates
-//! the connection is named "A" and the other node is named "B". Since a lot of things are going on in parallel in the
-//! handshake, those aspects are described separately in the following paragraphs.
-//!
-//! Every message contains the node id of the sender. If a node receives a message with its own node id, it just ignores
-//! it and closes the connection. This is the way nodes avoid to connect to themselves as it is not trivial for a node
-//! to know its own addresses (especially in the case of NAT).
-//!
-//! All initialization messages are signed by the asymmetric key of the sender. Also the messages indicate the public
-//! key being used, so the receiver can use the correct public key to verify the signature. The public key itself is not
-//! attached to the message for privacy reasons (the public key is stable over multiple restarts while the node id is
-//! only valid for a single run). Instead, a 2 byte salt value as well as the last 2 bytes of the salted sha 2 hash of
-//! the public key are used to identify the public key. This way, a receiver that trusts this public key can identify
-//! it but a random observer can't. If the public key is unknown or the signature can't be verified, the message is
-//! ignored.
-//!
-//! Every message contains a byte that specifies the stage (ping = 1, pong = 2, peng = 3). If a message with an
-//! unexpected stage is received, it is ignored and the last message that has been sent is repeated. There is only one
-//! exception to this rule: if a "pong" message is expected, but a "ping" message is received instead AND the node id of
-//! the sender is greater than the node id of the receiver, the receiving node will reset its state and assume the role
-//! of a receiver of the initialization (i.e. "B"). This is used to "negotiate" the roles A and B when both nodes
-//! initiate the connection in parallel and think they are A.
-//!
-//! Upon connection creation, both nodes create a random ephemeral ECDH key pair and exchange the public keys in the
-//! ping and pong messages. A sends the ping message to B containing A's public key and B replies with a pong message
-//! containing B's public key. That means, that after receiving the ping message B can calculate the shared key material
-//! and after receiving the pong message A can calculate the shared key material.
-//!
-//! The ping message and the pong message contain a set of supported crypto algorithms together with the estimated
-//! speeds of the algorithms. When B receives a ping message, or A receives a pong message, it can combine this
-//! information with its own algorithm list and select the algorithm with the best expected speed for the crypto core.
-//!
-//! The pong and peng message contain the payload that the nodes want to exchange in the initialization phase apart from
-//! the cryptographic initialization. This payload is encoded according to the application and encrypted using the key
-//! material and the crypto algorithm that have been negotiated via the ping and pong messages. The pong message,
-//! therefore contains information to set up symmetric encryption as well as a part that is already encrypted.
-//!
-//! The handshake ends for A after sending the peng message and for B after receiving this message. At this time both
-//! nodes initialize the connection using the payload and enter normal operation. The negotiated crypto core is used for
-//! future communication and the key rotation is started. Since the peng message can be lost, A needs to keep the
-//! initialization state in order to repeat a lost peng message. After one second, A removes that state.
-//!
-//! Once every second, both nodes check whether they have already finished the initialization. If not, they repeat their
-//! last message. After 5 seconds, the initialization is aborted as failed.
+// This module implements a 3-way handshake to initialize an authenticated and encrypted connection.
+//
+// The handshake assumes that each node has a asymmetric Curve 25519 key pair as well as a list of trusted public keys
+// and a set of supported crypto algorithms as well as the expected speed when using them. If successful, the handshake
+// will negotiate a crypto algorithm to use and a common ephemeral symmetric key and exchange a given payload between
+// the nodes.
+//
+// The handshake consists of 3 stages, "ping", "pong" and "peng". In the following description, the node that initiates
+// the connection is named "A" and the other node is named "B". Since a lot of things are going on in parallel in the
+// handshake, those aspects are described separately in the following paragraphs.
+//
+// Every message contains the node id of the sender. If a node receives a message with its own node id, it just ignores
+// it and closes the connection. This is the way nodes avoid to connect to themselves as it is not trivial for a node
+// to know its own addresses (especially in the case of NAT).
+//
+// All initialization messages are signed by the asymmetric key of the sender. Also the messages indicate the public
+// key being used, so the receiver can use the correct public key to verify the signature. The public key itself is not
+// attached to the message for privacy reasons (the public key is stable over multiple restarts while the node id is
+// only valid for a single run). Instead, a 2 byte salt value as well as the last 2 bytes of the salted sha 2 hash of
+// the public key are used to identify the public key. This way, a receiver that trusts this public key can identify
+// it but a random observer can't. If the public key is unknown or the signature can't be verified, the message is
+// ignored.
+//
+// Every message contains a byte that specifies the stage (ping = 1, pong = 2, peng = 3). If a message with an
+// unexpected stage is received, it is ignored and the last message that has been sent is repeated. There is only one
+// exception to this rule: if a "pong" message is expected, but a "ping" message is received instead AND the node id of
+// the sender is greater than the node id of the receiver, the receiving node will reset its state and assume the role
+// of a receiver of the initialization (i.e. "B"). This is used to "negotiate" the roles A and B when both nodes
+// initiate the connection in parallel and think they are A.
+//
+// Upon connection creation, both nodes create a random ephemeral ECDH key pair and exchange the public keys in the
+// ping and pong messages. A sends the ping message to B containing A's public key and B replies with a pong message
+// containing B's public key. That means, that after receiving the ping message B can calculate the shared key material
+// and after receiving the pong message A can calculate the shared key material.
+//
+// The ping message and the pong message contain a set of supported crypto algorithms together with the estimated
+// speeds of the algorithms. When B receives a ping message, or A receives a pong message, it can combine this
+// information with its own algorithm list and select the algorithm with the best expected speed for the crypto core.
+//
+// The pong and peng message contain the payload that the nodes want to exchange in the initialization phase apart from
+// the cryptographic initialization. This payload is encoded according to the application and encrypted using the key
+// material and the crypto algorithm that have been negotiated via the ping and pong messages. The pong message,
+// therefore contains information to set up symmetric encryption as well as a part that is already encrypted.
+//
+// The handshake ends for A after sending the peng message and for B after receiving this message. At this time both
+// nodes initialize the connection using the payload and enter normal operation. The negotiated crypto core is used for
+// future communication and the key rotation is started. Since the peng message can be lost, A needs to keep the
+// initialization state in order to repeat a lost peng message. After one second, A removes that state.
+//
+// Once every second, both nodes check whether they have already finished the initialization. If not, they repeat their
+// last message. After 5 seconds, the initialization is aborted as failed.
 
 
 use super::{
     core::{CryptoCore, EXTRA_LEN},
-    Algorithms, EcdhPrivateKey, EcdhPublicKey, Ed25519PublicKey, Error, MsgBuffer, Payload
+    rotate::RotationState,
+    Algorithms, EcdhPrivateKey, EcdhPublicKey, Ed25519PublicKey, Error, MsgBuffer, Payload, PeerCrypto,
+    MESSAGE_TYPE_ROTATION
 };
 use crate::types::NodeId;
 use byteorder::{NetworkEndian, ReadBytesExt, WriteBytesExt};
@@ -72,6 +74,7 @@ use std::{
     sync::Arc
 };
 
+pub const INIT_MESSAGE_FIRST_BYTE: u8 = 0xff;
 
 pub const STAGE_PING: u8 = 1;
 pub const STAGE_PONG: u8 = 2;
@@ -85,6 +88,11 @@ pub const SALTED_NODE_ID_HASH_LEN: usize = 20;
 pub type SaltedNodeIdHash = [u8; SALTED_NODE_ID_HASH_LEN];
 
 
+pub fn is_init_message(msg: &[u8]) -> bool {
+    !msg.is_empty() && msg[0] == INIT_MESSAGE_FIRST_BYTE
+}
+
+
 #[allow(clippy::large_enum_variant)]
 pub enum InitMsg {
     Ping {
@@ -141,6 +149,9 @@ impl InitMsg {
     fn read_from(buffer: &[u8], trusted_keys: &[Ed25519PublicKey]) -> Result<(Self, Ed25519PublicKey), Error> {
         let mut r = Cursor::new(buffer);
 
+        if r.read_u8().map_err(|_| Error::Parse("Init message too short"))? != INIT_MESSAGE_FIRST_BYTE {
+            return Err(Error::Parse("Init message has invalid first byte"))
+        }
         let mut public_key_salt = [0; 4];
         r.read_exact(&mut public_key_salt).map_err(|_| Error::Parse("Init message too short"))?;
         let mut public_key_hash = [0; 4];
@@ -290,6 +301,7 @@ impl InitMsg {
     fn write_to(&self, buffer: &mut [u8], key: &Ed25519KeyPair) -> Result<usize, io::Error> {
         let mut w = Cursor::new(buffer);
 
+        w.write_u8(INIT_MESSAGE_FIRST_BYTE)?;
         let rand = SystemRandom::new();
         let mut salt = [0; 4];
         rand.fill(&mut salt).unwrap();
@@ -378,9 +390,9 @@ pub enum InitResult<P: Payload> {
     Success { peer_payload: P, is_initiator: bool }
 }
 
-
 pub struct InitState<P: Payload> {
     node_id: NodeId,
+    is_initiator: bool,
     salted_node_id_hash: SaltedNodeIdHash,
     payload: P,
     key_pair: Arc<Ed25519KeyPair>,
@@ -389,7 +401,7 @@ pub struct InitState<P: Payload> {
     next_stage: u8,
     close_time: usize,
     last_message: Option<Vec<u8>>,
-    crypto: Option<CryptoCore>,
+    crypto: Option<Arc<CryptoCore>>,
     algorithms: Algorithms,
     selected_algorithm: Option<&'static Algorithm>,
     failed_retries: usize
@@ -409,6 +421,7 @@ impl<P: Payload> InitState<P> {
         hash[4..].clone_from_slice(&d.as_ref()[..16]);
         Self {
             node_id,
+            is_initiator: false,
             salted_node_id_hash: hash,
             payload,
             key_pair,
@@ -431,7 +444,7 @@ impl<P: Payload> InitState<P> {
 
         // create stage 1 msg
         self.send_message(STAGE_PING, Some(ecdh_public_key), out);
-
+        self.is_initiator = true;
         self.next_stage = STAGE_PONG;
     }
 
@@ -588,6 +601,7 @@ impl<P: Payload> InitState<P> {
                 // the node with the higher node_id "wins" and gets to initialize the connection
                 if salted_node_id_hash > self.salted_node_id_hash {
                     // reset to initial state
+                    self.is_initiator = false;
                     self.next_stage = STAGE_PING;
                     self.last_message = None;
                     self.ecdh_private_key = None;
@@ -614,7 +628,8 @@ impl<P: Payload> InitState<P> {
                 self.selected_algorithm = algorithm.map(|a| a.0);
                 if let Some((algorithm, _speed)) = algorithm {
                     let master_key = self.derive_master_key(algorithm, my_ecdh_private_key, &ecdh_public_key);
-                    self.crypto = Some(CryptoCore::new(master_key, self.salted_node_id_hash > salted_node_id_hash));
+                    self.crypto =
+                        Some(Arc::new(CryptoCore::new(master_key, self.salted_node_id_hash > salted_node_id_hash)));
                 }
 
                 // create and send stage 2 reply
@@ -630,7 +645,8 @@ impl<P: Payload> InitState<P> {
                 self.selected_algorithm = algorithm.map(|a| a.0);
                 if let Some((algorithm, _speed)) = algorithm {
                     let master_key = self.derive_master_key(algorithm, ecdh_private_key, &ecdh_public_key);
-                    self.crypto = Some(CryptoCore::new(master_key, self.salted_node_id_hash > salted_node_id_hash));
+                    self.crypto =
+                        Some(Arc::new(CryptoCore::new(master_key, self.salted_node_id_hash > salted_node_id_hash)));
                 }
 
                 // decrypt the payload
@@ -657,8 +673,19 @@ impl<P: Payload> InitState<P> {
         }
     }
 
-    pub fn take_core(&mut self) -> Option<CryptoCore> {
-        self.crypto.take()
+    pub fn finish(self, buffer: &mut MsgBuffer) -> PeerCrypto {
+        assert!(buffer.is_empty());
+        let rotation = if self.crypto.is_some() { Some(RotationState::new(!self.is_initiator, buffer)) } else { None };
+        if !buffer.is_empty() {
+            buffer.prepend_byte(MESSAGE_TYPE_ROTATION);
+        }
+        PeerCrypto {
+            algorithm: self.crypto.map(|c| c.algorithm()),
+            core: self.crypto,
+            rotation,
+            rotate_counter: 0,
+            last_init_message: self.last_message
+        }
     }
 }
 

src/crypto/mod.rs

@@ -2,11 +2,10 @@ mod core;
 mod init;
 mod rotate;
 
-pub use self::core::{EXTRA_LEN, TAG_LEN, CryptoCore};
-use self::{
-    core::{test_speed, CryptoCore},
-    init::{InitResult, InitState, CLOSING},
-    rotate::RotationState
+use self::{core::test_speed, init::InitState, rotate::RotationState};
+pub use self::{
+    core::{CryptoCore, EXTRA_LEN, TAG_LEN},
+    init::{is_init_message, INIT_MESSAGE_FIRST_BYTE}
 };
 use crate::{
     error::Error,
@@ -26,7 +25,7 @@ use thiserror::Error;
 
 
 const SALT: &[u8; 32] = b"vpncloudVPNCLOUDvpncl0udVpnCloud";
-const INIT_MESSAGE_FIRST_BYTE: u8 = 0xff;
+
 const MESSAGE_TYPE_ROTATION: u8 = 0x10;
 
 pub type Ed25519PublicKey = [u8; ED25519_PUBLIC_KEY_LEN];
@@ -186,100 +185,35 @@ impl Crypto {
         Ok(result)
     }
 
-    pub fn peer_instance<P: Payload>(&self, payload: P) -> PeerCrypto<P> {
-        PeerCrypto::new(
-            self.node_id,
-            payload,
-            self.key_pair.clone(),
-            self.trusted_keys.clone(),
-            self.algorithms.clone()
-        )
+    pub fn peer_instance<P: Payload>(&self, payload: P) -> InitState<P> {
+        InitState::new(self.node_id, payload, self.key_pair.clone(), self.trusted_keys.clone(), self.algorithms.clone())
     }
 }
 
 
 #[derive(Debug, PartialEq)]
-pub enum MessageResult<P: Payload> {
+pub enum MessageResult {
     Message(u8),
-    Initialized(P),
-    InitializedWithReply(P),
     Reply,
     None
 }
 
 
-pub struct PeerCrypto<P: Payload> {
+// TODO: completely rewrite
+// PeerCrypto is only for initialized crypto
+// Init is consumed and generates PeerCrypto
+pub struct PeerCrypto {
     #[allow(dead_code)]
-    node_id: NodeId,
-    init: Option<InitState<P>>,
+    last_init_message: Option<Vec<u8>>,
+    algorithm: Option<&'static Algorithm>,
     rotation: Option<RotationState>,
-    unencrypted: bool,
-    core: Option<CryptoCore>,
+    core: Option<Arc<CryptoCore>>,
     rotate_counter: usize
 }
 
-impl<P: Payload> PeerCrypto<P> {
-    pub fn new(
-        node_id: NodeId, init_payload: P, key_pair: Arc<Ed25519KeyPair>, trusted_keys: Arc<[Ed25519PublicKey]>,
-        algorithms: Algorithms
-    ) -> Self
-    {
-        Self {
-            node_id,
-            init: Some(InitState::new(node_id, init_payload, key_pair, trusted_keys, algorithms)),
-            rotation: None,
-            unencrypted: false,
-            core: None,
-            rotate_counter: 0
-        }
-    }
-
-    fn get_init(&mut self) -> Result<&mut InitState<P>, Error> {
-        if let Some(init) = &mut self.init {
-            Ok(init)
-        } else {
-            Err(Error::InvalidCryptoState("Initialization already finished"))
-        }
-    }
-
-    fn get_core(&mut self) -> Result<&mut CryptoCore, Error> {
-        if let Some(core) = &mut self.core {
-            Ok(core)
-        } else {
-            Err(Error::InvalidCryptoState("Crypto core not ready yet"))
-        }
-    }
-
-    fn get_rotation(&mut self) -> Result<&mut RotationState, Error> {
-        if let Some(rotation) = &mut self.rotation {
-            Ok(rotation)
-        } else {
-            Err(Error::InvalidCryptoState("Key rotation not initialized"))
-        }
-    }
-
-    pub fn initialize(&mut self, out: &mut MsgBuffer) -> Result<(), Error> {
-        let init = self.get_init()?;
-        if init.stage() != init::STAGE_PING {
-            Err(Error::InvalidCryptoState("Initialization already ongoing"))
-        } else {
-            init.send_ping(out);
-            out.prepend_byte(INIT_MESSAGE_FIRST_BYTE);
-            Ok(())
-        }
-    }
-
-    pub fn has_init(&self) -> bool {
-        self.init.is_some()
-    }
-
-    pub fn is_ready(&self) -> bool {
-        self.core.is_some()
-    }
-
+impl PeerCrypto {
     pub fn algorithm_name(&self) -> &'static str {
-        if let Some(ref core) = self.core {
-            let algo = core.algorithm();
+        if let Some(algo) = self.algorithm {
             if algo == &aead::CHACHA20_POLY1305 {
                 "CHACHA20"
             } else if algo == &aead::AES_128_GCM {
@@ -294,78 +228,54 @@ impl<P: Payload> PeerCrypto<P> {
         }
     }
 
-    fn handle_init_message(&mut self, buffer: &mut MsgBuffer) -> Result<MessageResult<P>, Error> {
-        let result = self.get_init()?.handle_init(buffer)?;
-        if !buffer.is_empty() {
-            buffer.prepend_byte(INIT_MESSAGE_FIRST_BYTE);
-        }
-        match result {
-            InitResult::Continue => Ok(MessageResult::Reply),
-            InitResult::Success { peer_payload, is_initiator } => {
-                self.core = self.get_init()?.take_core();
-                if self.core.is_none() {
-                    self.unencrypted = true;
-                }
-                if self.get_init()?.stage() == init::CLOSING {
-                    self.init = None
-                }
-                if self.core.is_some() {
-                    self.rotation = Some(RotationState::new(!is_initiator, buffer));
-                }
-                if !is_initiator {
-                    if self.unencrypted {
-                        return Ok(MessageResult::Initialized(peer_payload))
-                    }
-                    assert!(!buffer.is_empty());
-                    buffer.prepend_byte(MESSAGE_TYPE_ROTATION);
-                    self.encrypt_message(buffer)?;
-                }
-                Ok(MessageResult::InitializedWithReply(peer_payload))
-            }
-        }
+    fn handle_init_message(&mut self, buffer: &mut MsgBuffer) -> Result<MessageResult, Error> {
+        // TODO: parse message stage
+        // TODO: depending on stage resend last message
+        Ok(MessageResult::None)
     }
 
     fn handle_rotate_message(&mut self, data: &[u8]) -> Result<(), Error> {
-        if self.unencrypted {
-            return Ok(())
-        }
-        if let Some(rot) = self.get_rotation()?.handle_message(data)? {
-            let core = self.get_core()?;
-            let algo = core.algorithm();
-            let key = LessSafeKey::new(UnboundKey::new(algo, &rot.key[..algo.key_len()]).unwrap());
-            core.rotate_key(key, rot.id, rot.use_for_sending);
+        if let Some(rotation) = &mut self.rotation {
+            if let Some(rot) = rotation.handle_message(data)? {
+                let algo = self.algorithm.unwrap();
+                let key = LessSafeKey::new(UnboundKey::new(algo, &rot.key[..algo.key_len()]).unwrap());
+                self.core.unwrap().rotate_key(key, rot.id, rot.use_for_sending);
+            }
         }
         Ok(())
     }
 
-    fn encrypt_message(&mut self, buffer: &mut MsgBuffer) -> Result<(), Error> {
-        if self.unencrypted {
-            return Ok(())
+    fn encrypt_message(&mut self, buffer: &mut MsgBuffer) {
+        if let Some(core) = &mut self.core {
+            core.encrypt(buffer)
         }
-        self.get_core()?.encrypt(buffer);
-        Ok(())
     }
 
     fn decrypt_message(&mut self, buffer: &mut MsgBuffer) -> Result<(), Error> {
-        if self.unencrypted {
-            return Ok(())
+        // HOT PATH
+        if let Some(core) = &mut self.core {
+            core.decrypt(buffer)
+        } else {
+            Ok(())
         }
-        self.get_core()?.decrypt(buffer)
     }
 
-    pub fn handle_message(&mut self, buffer: &mut MsgBuffer) -> Result<MessageResult<P>, Error> {
+    pub fn handle_message(&mut self, buffer: &mut MsgBuffer) -> Result<MessageResult, Error> {
+        // HOT PATH
         if buffer.is_empty() {
             return Err(Error::InvalidCryptoState("No message in buffer"))
         }
         if is_init_message(buffer.buffer()) {
+            // COLD PATH
             debug!("Received init message");
-            buffer.take_prefix();
             self.handle_init_message(buffer)
         } else {
+            // HOT PATH
             debug!("Received encrypted message");
             self.decrypt_message(buffer)?;
             let msg_type = buffer.take_prefix();
             if msg_type == MESSAGE_TYPE_ROTATION {
+                // COLD PATH
                 debug!("Received rotation message");
                 self.handle_rotate_message(buffer.buffer())?;
                 buffer.clear();
@@ -376,52 +286,38 @@ impl<P: Payload> PeerCrypto<P> {
         }
     }
 
-    pub fn send_message(&mut self, type_: u8, buffer: &mut MsgBuffer) -> Result<(), Error> {
+    pub fn send_message(&mut self, type_: u8, buffer: &mut MsgBuffer) {
+        // HOT PATH
         assert_ne!(type_, MESSAGE_TYPE_ROTATION);
         buffer.prepend_byte(type_);
-        self.encrypt_message(buffer)
+        self.encrypt_message(buffer);
     }
 
-    pub fn every_second(&mut self, out: &mut MsgBuffer) -> Result<MessageResult<P>, Error> {
+    pub fn every_second(&mut self, out: &mut MsgBuffer) -> MessageResult {
         out.clear();
         if let Some(ref mut core) = self.core {
             core.every_second()
         }
-        if let Some(ref mut init) = self.init {
-            init.every_second(out)?;
-        }
-        if self.init.as_ref().map(|i| i.stage()).unwrap_or(CLOSING) == CLOSING {
-            self.init = None
-        }
-        if !out.is_empty() {
-            out.prepend_byte(INIT_MESSAGE_FIRST_BYTE);
-            return Ok(MessageResult::Reply)
-        }
         if let Some(ref mut rotate) = self.rotation {
             self.rotate_counter += 1;
             if self.rotate_counter >= ROTATE_INTERVAL {
                 self.rotate_counter = 0;
                 if let Some(rot) = rotate.cycle(out) {
-                    let core = self.get_core()?;
-                    let algo = core.algorithm();
+                    let algo = self.algorithm.unwrap();
                     let key = LessSafeKey::new(UnboundKey::new(algo, &rot.key[..algo.key_len()]).unwrap());
-                    core.rotate_key(key, rot.id, rot.use_for_sending);
+                    self.core.unwrap().rotate_key(key, rot.id, rot.use_for_sending);
                 }
                 if !out.is_empty() {
                     out.prepend_byte(MESSAGE_TYPE_ROTATION);
-                    self.encrypt_message(out)?;
-                    return Ok(MessageResult::Reply)
+                    self.encrypt_message(out);
+                    return MessageResult::Reply
                 }
             }
         }
-        Ok(MessageResult::None)
+        MessageResult::None
     }
 }
 
-pub fn is_init_message(msg: &[u8]) -> bool {
-    !msg.is_empty() && msg[0] == INIT_MESSAGE_FIRST_BYTE
-}
-
 
 #[cfg(test)]
 mod tests {

src/crypto/rotate.rs

@@ -1,29 +1,29 @@
-//! This module implements a turn based key rotation.
-//!
-//! The main idea is that both peers periodically create ecdh key pairs and exchange their public keys to create
-//! common key material. There are always two separate ecdh handshakes going on: one initiated by each peer.
-//! However, one handshake is always one step ahead of the other. That means that every message being sent contains a
-//! public key from step 1 of the handshake "proposed key" and a public key from step 2 of the handshake "confirmed
-//! key" (all messages except first message).
-//!
-//! When receiving a message from the peer, the node will create a new ecdh key pair and perform the key
-//! calculation for the proposed key. The peer will store the public key for the confirmation as pending to be
-//! confirmed in the next cycle. Also, if the message contains a confirmation (all but the very first message do),
-//! the node will use the stored private key to perform the ecdh key calculation and emit that key to be used in
-//! the crypto stream.
-//!
-//! Upon each cycle, a node first checks if it still has a proposed key that has not been confirmed by the remote
-//! peer. If so, a message must have been lost and the whole last message including the proposed key as well as the
-//! last confirmed key is being resent. If no proposed key is stored, the node will create a new ecdh key pair, and
-//! store the private key as proposed key. It then sends out a message containing the public key as proposal, as
-//! well as confirming the pending key. This key is also emitted to be added to the crypto stream but not to be
-//! used for encrypting.
-//!
-//! Monotonically increasing message ids guard the communication from message duplication and also serve as
-//! identifiers for the keys to be used in the crypto stream. Since the keys are rotating, the last 2 bits of the
-//! id are enough to identify the key.
-//!
-//! The whole communication is sent via the crypto stream and is therefore encrypted and protected against tampering.
+// This module implements a turn based key rotation.
+//
+// The main idea is that both peers periodically create ecdh key pairs and exchange their public keys to create
+// common key material. There are always two separate ecdh handshakes going on: one initiated by each peer.
+// However, one handshake is always one step ahead of the other. That means that every message being sent contains a
+// public key from step 1 of the handshake "proposed key" and a public key from step 2 of the handshake "confirmed
+// key" (all messages except first message).
+//
+// When receiving a message from the peer, the node will create a new ecdh key pair and perform the key
+// calculation for the proposed key. The peer will store the public key for the confirmation as pending to be
+// confirmed in the next cycle. Also, if the message contains a confirmation (all but the very first message do),
+// the node will use the stored private key to perform the ecdh key calculation and emit that key to be used in
+// the crypto stream.
+//
+// Upon each cycle, a node first checks if it still has a proposed key that has not been confirmed by the remote
+// peer. If so, a message must have been lost and the whole last message including the proposed key as well as the
+// last confirmed key is being resent. If no proposed key is stored, the node will create a new ecdh key pair, and
+// store the private key as proposed key. It then sends out a message containing the public key as proposal, as
+// well as confirming the pending key. This key is also emitted to be added to the crypto stream but not to be
+// used for encrypting.
+//
+// Monotonically increasing message ids guard the communication from message duplication and also serve as
+// identifiers for the keys to be used in the crypto stream. Since the keys are rotating, the last 2 bits of the
+// id are enough to identify the key.
+//
+// The whole communication is sent via the crypto stream and is therefore encrypted and protected against tampering.
 
 use super::{Error, Key, MsgBuffer};
 use byteorder::{NetworkEndian, ReadBytesExt, WriteBytesExt};

src/device.rs

@@ -5,12 +5,12 @@
 use std::{
     cmp,
     collections::VecDeque,
+    convert::TryInto,
     fmt,
     fs::{self, File},
     io::{self, BufRead, BufReader, Cursor, Error as IoError, Read, Write},
     net::{Ipv4Addr, UdpSocket},
     os::unix::io::{AsRawFd, RawFd},
-    convert::TryInto,
     str,
     str::FromStr
 };
@@ -36,7 +36,7 @@ struct IfReq {
 impl IfReq {
     fn new(name: &str) -> Self {
         assert!(name.len() < libc::IF_NAMESIZE);
-        let mut ifr_name = [0 as u8; libc::IF_NAMESIZE];
+        let mut ifr_name = [0; libc::IF_NAMESIZE];
         ifr_name[..name.len()].clone_from_slice(name.as_bytes());
         Self { ifr_name, data: IfReqData { _dummy: [0; 24] } }
     }
@@ -329,7 +329,7 @@ impl Device for MockDevice {
     }
 
     fn ifname(&self) -> &str {
-        unimplemented!()
+        "mock0"
     }
 
     fn read(&mut self, buffer: &mut MsgBuffer) -> Result<(), Error> {

src/engine/mod.rs

@@ -30,7 +30,8 @@ use crate::{
     device::{Device, Type},
     error::Error,
     messages::{
-        AddrList, NodeInfo, PeerInfo, MESSAGE_TYPE_CLOSE, MESSAGE_TYPE_DATA, MESSAGE_TYPE_KEEPALIVE, MESSAGE_TYPE_NODE_INFO
+        AddrList, NodeInfo, PeerInfo, MESSAGE_TYPE_CLOSE, MESSAGE_TYPE_DATA, MESSAGE_TYPE_KEEPALIVE,
+        MESSAGE_TYPE_NODE_INFO
     },
     net::{mapped_addr, Socket},
     payload::Protocol,
@@ -39,7 +40,7 @@ use crate::{
     table::ClaimTable,
     traffic::TrafficStats,
     types::{Address, Mode, NodeId, Range, RangeList},
-    util::{addr_nice, resolve, CtrlC, Duration, MsgBuffer, StatsdMsg, Time, TimeSource}
+    util::{addr_nice, bytes_to_hex, resolve, CtrlC, Duration, MsgBuffer, StatsdMsg, Time, TimeSource}
 };
 
 pub type Hash = BuildHasherDefault<FnvHasher>;
@@ -129,6 +130,9 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
                     info!("Auto-claiming {} due to interface address", range);
                     claims.push(range);
                 }
+                Err(Error::DeviceIo(_, e)) if e.kind() == io::ErrorKind::AddrNotAvailable => {
+                    info!("No address set on interface.")
+                }
                 Err(e) => error!("{}", e)
             }
         }
@@ -202,6 +206,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
 
     #[inline]
     fn send_to(&mut self, addr: SocketAddr, msg: &mut MsgBuffer) -> Result<(), Error> {
+        // HOT PATH
         debug!("Sending msg with {} bytes to {}", msg.len(), addr);
         self.traffic.count_out_traffic(addr, msg.len());
         match self.socket.send(msg.message(), addr) {
@@ -213,6 +218,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
 
     #[inline]
     fn send_msg(&mut self, addr: SocketAddr, type_: u8, msg: &mut MsgBuffer) -> Result<(), Error> {
+        // HOT PATH
         debug!("Sending msg with {} bytes to {}", msg.len(), addr);
         let peer = match self.peers.get_mut(&addr) {
             Some(peer) => peer,
@@ -229,6 +235,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
             self.own_addresses.push(pfw.get_internal_ip().into());
             self.own_addresses.push(pfw.get_external_ip().into());
         }
+        // TODO: detect address changes and call event
         Ok(())
     }
 
@@ -283,6 +290,13 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
                 return Ok(())
             }
         }
+        if !addrs.is_empty() {
+            self.config.call_hook(
+                "peer_connecting",
+                vec![("PEER", format!("{:?}", addr_nice(addrs[0]))), ("IFNAME", self.device.ifname().to_owned())],
+                true
+            );
+        }
         // Send a message to each resolved address
         for a in addrs {
             // Ignore error this time
@@ -458,6 +472,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
             self.next_stats_out = now + STATS_INTERVAL;
             self.traffic.period(Some(5));
         }
+        // TODO: every 5 minutes: EVENT periodic
         if let Some(peers) = self.beacon_serializer.get_cmd_results() {
             debug!("Loaded beacon with peers: {:?}", peers);
             for peer in peers {
@@ -601,15 +616,18 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
     }
 
     pub fn handle_interface_data(&mut self, data: &mut MsgBuffer) -> Result<(), Error> {
+        // HOT PATH
         let (src, dst) = P::parse(data.message())?;
         debug!("Read data from interface: src: {}, dst: {}, {} bytes", src, dst, data.len());
         self.traffic.count_out_payload(dst, src, data.len());
         match self.table.lookup(dst) {
             Some(addr) => {
+                // HOT PATH
                 // Peer found for destination
                 debug!("Found destination for {} => {}", dst, addr);
                 self.send_msg(addr, MESSAGE_TYPE_DATA, data)?;
                 if !self.peers.contains_key(&addr) {
+                    // COLD PATH
                     // If the peer is not actually connected, remove the entry in the table and try
                     // to reconnect.
                     warn!("Destination for {} not found in peers: {}", dst, addr_nice(addr));
@@ -618,6 +636,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
                 }
             }
             None => {
+                // COLD PATH
                 if self.broadcast {
                     debug!("No destination for {} found, broadcasting", dst);
                     self.broadcast_msg(MESSAGE_TYPE_DATA, data)?;
@@ -632,6 +651,16 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
 
     fn add_new_peer(&mut self, addr: SocketAddr, info: NodeInfo) -> Result<(), Error> {
         info!("Added peer {}", addr_nice(addr));
+        self.config.call_hook(
+            "peer_connected",
+            vec![
+                ("PEER", format!("{:?}", addr_nice(addr))),
+                ("IFNAME", self.device.ifname().to_owned()),
+                ("CLAIMS", info.claims.iter().map(|r| format!("{:?}", r)).collect::<Vec<String>>().join(" ")),
+                ("NODE_ID", bytes_to_hex(&info.node_id)),
+            ],
+            true
+        );
         if let Some(init) = self.pending_inits.remove(&addr) {
             self.peers.insert(addr, PeerData {
                 addrs: info.addrs.clone(),
@@ -649,9 +678,18 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
     }
 
     fn remove_peer(&mut self, addr: SocketAddr) {
-        if let Some(_peer) = self.peers.remove(&addr) {
+        if let Some(peer) = self.peers.remove(&addr) {
             info!("Closing connection to {}", addr_nice(addr));
             self.table.remove_claims(addr);
+            self.config.call_hook(
+                "peer_disconnected",
+                vec![
+                    ("PEER", format!("{:?}", addr)),
+                    ("IFNAME", self.device.ifname().to_owned()),
+                    ("NODE_ID", bytes_to_hex(&peer.node_id)),
+                ],
+                true
+            );
         }
     }
 
@@ -695,6 +733,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
     }
 
     fn handle_payload_from(&mut self, peer: SocketAddr, data: &mut MsgBuffer) -> Result<(), Error> {
+        // HOT PATH
         let (src, dst) = P::parse(data.message())?;
         let len = data.len();
         debug!("Writing data to device: {} bytes", len);
@@ -713,11 +752,17 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
     fn handle_message(
         &mut self, src: SocketAddr, msg_result: MessageResult<NodeInfo>, data: &mut MsgBuffer
     ) -> Result<(), Error> {
+        // HOT PATH
         match msg_result {
             MessageResult::Message(type_) => {
+                // HOT PATH
                 match type_ {
-                    MESSAGE_TYPE_DATA => self.handle_payload_from(src, data)?,
+                    MESSAGE_TYPE_DATA => {
+                        // HOT PATH
+                        self.handle_payload_from(src, data)?
+                    }
                     MESSAGE_TYPE_NODE_INFO => {
+                        // COLD PATH
                         let info = match NodeInfo::decode(Cursor::new(data.message())) {
                             Ok(val) => val,
                             Err(err) => {
@@ -727,31 +772,50 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
                         };
                         self.update_peer_info(src, Some(info))?
                     }
-                    MESSAGE_TYPE_KEEPALIVE => self.update_peer_info(src, None)?,
-                    MESSAGE_TYPE_CLOSE => self.remove_peer(src),
+                    MESSAGE_TYPE_KEEPALIVE => {
+                        // COLD PATH
+                        self.update_peer_info(src, None)?
+                    }
+                    MESSAGE_TYPE_CLOSE => {
+                        // COLD PATH
+                        self.remove_peer(src)
+                    }
                     _ => {
+                        // COLD PATH
                         self.traffic.count_invalid_protocol(data.len());
                         return Err(Error::Message("Unknown message type"))
                     }
                 }
             }
-            MessageResult::Initialized(info) => self.add_new_peer(src, info)?,
+            MessageResult::Initialized(info) => {
+                // COLD PATH
+                self.add_new_peer(src, info)?
+            }
             MessageResult::InitializedWithReply(info) => {
+                // COLD PATH
                 self.add_new_peer(src, info)?;
                 self.send_to(src, data)?
             }
-            MessageResult::Reply => self.send_to(src, data)?,
-            MessageResult::None => ()
+            MessageResult::Reply => {
+                // COLD PATH
+                self.send_to(src, data)?
+            }
+            MessageResult::None => {
+                // COLD PATH
+            }
         }
         Ok(())
     }
 
     pub fn handle_net_message(&mut self, src: SocketAddr, data: &mut MsgBuffer) -> Result<(), Error> {
+        // HOT PATH
         let src = mapped_addr(src);
         debug!("Received {} bytes from {}", data.len(), src);
         let msg_result = if let Some(init) = self.pending_inits.get_mut(&src) {
+            // COLD PATH
             init.handle_message(data)
         } else if is_init_message(data.message()) {
+            // COLD PATH
             let mut result = None;
             if let Some(peer) = self.peers.get_mut(&src) {
                 if peer.crypto.has_init() {
@@ -765,6 +829,14 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
                 let msg_result = init.handle_message(data);
                 match msg_result {
                     Ok(res) => {
+                        self.config.call_hook(
+                            "peer_connecting",
+                            vec![
+                                ("PEER", format!("{:?}", addr_nice(src))),
+                                ("IFNAME", self.device.ifname().to_owned()),
+                            ],
+                            true
+                        );
                         self.pending_inits.insert(src, init);
                         Ok(res)
                     }
@@ -775,15 +847,22 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
                 }
             }
         } else if let Some(peer) = self.peers.get_mut(&src) {
+            // HOT PATH
             peer.crypto.handle_message(data)
         } else {
+            // COLD PATH
             info!("Ignoring non-init message from unknown peer {}", addr_nice(src));
             self.traffic.count_invalid_protocol(data.len());
             return Ok(())
         };
+        // HOT PATH
         match msg_result {
-            Ok(val) => self.handle_message(src, val, data),
+            Ok(val) => {
+                // HOT PATH
+                self.handle_message(src, val, data)
+            },
             Err(err) => {
+                // COLD PATH
                 self.traffic.count_invalid_protocol(data.len());
                 Err(err)
             }
@@ -797,26 +876,36 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
     }
 
     fn handle_socket_event(&mut self, buffer: &mut MsgBuffer) {
+        // HOT PATH
         let src = try_fail!(self.socket.receive(buffer), "Failed to read from network socket: {}");
         self.traffic.count_in_traffic(src, buffer.len());
         match self.handle_net_message(src, buffer) {
             Err(e @ Error::CryptoInitFatal(_)) => {
+                // COLD PATH
                 debug!("Fatal crypto init error from {}: {}", src, e);
                 info!("Closing pending connection to {} due to error in crypto init", addr_nice(src));
                 self.pending_inits.remove(&src);
+                self.config.call_hook(
+                    "peer_disconnected",
+                    vec![("PEER", format!("{:?}", addr_nice(src))), ("IFNAME", self.device.ifname().to_owned())],
+                    true
+                );
             }
             Err(e @ Error::CryptoInit(_)) => {
+                // COLD PATH
                 debug!("Recoverable init error from {}: {}", src, e);
                 info!("Ignoring invalid init message from peer {}", addr_nice(src));
             }
             Err(e) => {
+                // COLD PATH
                 error!("{}", e);
             }
-            Ok(_) => {}
+            Ok(_) => {} // HOT PATH
         }
     }
 
     fn handle_device_event(&mut self, buffer: &mut MsgBuffer) {
+        // HOT PATH
         try_fail!(self.device.read(buffer), "Failed to read from device: {}");
         if let Err(e) = self.handle_interface_data(buffer) {
             error!("{}", e);
@@ -835,9 +924,12 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
         let waiter = try_fail!(WaitImpl::new(&self.socket, &self.device, 1000), "Failed to setup poll: {}");
         let mut buffer = MsgBuffer::new(SPACE_BEFORE);
         let mut poll_error = false;
+        self.config.call_hook("vpn_started", vec![("IFNAME", self.device.ifname())], true);
         for evt in waiter {
+            // HOT PATH
             match evt {
                 WaitResult::Error(err) => {
+                    // COLD PATH
                     if poll_error {
                         fail!("Poll wait failed again: {}", err);
                     }
@@ -849,6 +941,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
                 WaitResult::Device => self.handle_device_event(&mut buffer)
             }
             if self.next_housekeep < TS::now() {
+                // COLD PATH
                 poll_error = false;
                 if ctrlc.was_pressed() {
                     break
@@ -860,6 +953,7 @@ impl<D: Device, P: Protocol, S: Socket, TS: TimeSource> GenericCloud<D, P, S, TS
             }
         }
         info!("Shutting down...");
+        self.config.call_hook("vpn_shutdown", vec![("IFNAME", self.device.ifname())], true);
         buffer.clear();
         self.broadcast_msg(MESSAGE_TYPE_CLOSE, &mut buffer).ok();
         if let Some(ref path) = self.config.beacon_store {

src/engine/shared.rs

@@ -12,7 +12,7 @@ use parking_lot::Mutex;
 use std::{collections::HashMap, net::SocketAddr, sync::Arc};
 
 pub struct SharedPeerCrypto {
-    peers: Arc<Mutex<HashMap<SocketAddr, CryptoCore, Hash>>>
+    peers: Arc<Mutex<HashMap<SocketAddr, Arc<CryptoCore>, Hash>>>
 }
 
 impl SharedPeerCrypto {

src/main.rs

@@ -2,13 +2,10 @@
 // Copyright (C) 2015-2020  Dennis Schwerdel
 // This software is licensed under GPL-3 or newer (see LICENSE.md)
 
-#![cfg_attr(feature = "bench", feature(test))]
-
 #[macro_use] extern crate log;
-#[macro_use] extern crate serde_derive;
+#[macro_use] extern crate serde;
 
 #[cfg(test)] extern crate tempfile;
-#[cfg(feature = "bench")] extern crate test;
 
 #[macro_use]
 pub mod util;
@@ -140,6 +137,7 @@ fn setup_device(config: &Config) -> TunTapDevice {
         config.device_name
     );
     info!("Opened device {}", device.ifname());
+    config.call_hook("device_setup", vec![("IFNAME", device.ifname())], true);
     if let Err(err) = device.set_mtu(None) {
         error!("Error setting optimal MTU on {}: {}", device.ifname(), err);
     }
@@ -159,6 +157,7 @@ fn setup_device(config: &Config) -> TunTapDevice {
             warn!("Your networking configuration might be affected by a vulnerability (https://vpncloud.ddswd.de/docs/security/cve-2019-14899/), please change your rp_filter setting to 1 (currently {}).", val);
         }
     }
+    config.call_hook("device_configured", vec![("IFNAME", device.ifname())], true);
     device
 }
 
@@ -234,6 +233,10 @@ fn main() {
         );
         return
     }
+    if let Some(shell) = args.completion {
+        Args::clap().gen_completions_to(env!("CARGO_PKG_NAME"), shell, &mut io::stdout());
+        return
+    }
     let logger = try_fail!(DualLogger::new(args.log_file.as_ref()), "Failed to open logfile: {}");
     log::set_boxed_logger(Box::new(logger)).unwrap();
     assert!(!args.verbose || !args.quiet);

src/net.rs

@@ -13,6 +13,7 @@ use std::{
 use super::util::{MockTimeSource, MsgBuffer, Time, TimeSource};
 
 pub fn mapped_addr(addr: SocketAddr) -> SocketAddr {
+    // HOT PATH
     match addr {
         SocketAddr::V4(addr4) => SocketAddr::new(IpAddr::V6(addr4.ip().to_ipv6_mapped()), addr4.port()),
         _ => addr
@@ -133,18 +134,3 @@ impl Socket for MockSocket {
         Ok(self.address)
     }
 }
-
-#[cfg(feature = "bench")]
-mod bench {
-    use std::net::{Ipv4Addr, SocketAddrV4, UdpSocket};
-    use test::Bencher;
-
-    #[bench]
-    fn udp_send(b: &mut Bencher) {
-        let sock = UdpSocket::bind("127.0.0.1:0").unwrap();
-        let data = [0; 1400];
-        let addr = SocketAddrV4::new(Ipv4Addr::new(127, 0, 0, 1), 1);
-        b.iter(|| sock.send_to(&data, &addr).unwrap());
-        b.bytes = 1400;
-    }
-}

src/oldconfig.rs

@@ -1,5 +1,6 @@
 use super::{device::Type, types::Mode, util::Duration};
 use crate::config::{ConfigFile, ConfigFileBeacon, ConfigFileDevice, ConfigFileStatsd, CryptoConfig};
+use std::collections::HashMap;
 
 #[derive(Serialize, Deserialize, Debug, PartialEq, Clone, Copy)]
 pub enum OldCryptoMethod {
@@ -112,12 +113,11 @@ impl OldConfigFile {
             pid_file: self.pid_file,
             port_forwarding: self.port_forwarding,
             stats_file: self.stats_file,
-            statsd: Some(ConfigFileStatsd {
-                prefix: self.statsd_prefix,
-                server: self.statsd_server
-            }),
+            statsd: Some(ConfigFileStatsd { prefix: self.statsd_prefix, server: self.statsd_server }),
             switch_timeout: self.dst_timeout,
-            user: self.user
+            user: self.user,
+            hook: None,
+            hooks: HashMap::new()
         }
     }
 }

src/payload.rs

@@ -23,6 +23,7 @@ impl Protocol for Frame {
     /// # Errors
     /// This method will fail when the given data is not a valid ethernet frame.
     fn parse(data: &[u8]) -> Result<(Address, Address), Error> {
+        // HOT PATH
         let mut cursor = Cursor::new(data);
         let mut src = [0; 16];
         let mut dst = [0; 16];
@@ -77,26 +78,6 @@ fn decode_invalid_frame() {
     assert!(Frame::parse(&[6, 5, 4, 3, 2, 1, 1, 2, 3, 4, 5, 6, 0x81, 0x00]).is_err());
 }
 
-#[cfg(feature = "bench")]
-mod bench_ethernet {
-    use super::*;
-    use test::Bencher;
-
-    #[bench]
-    fn decode_ethernet(b: &mut Bencher) {
-        let data = [6, 5, 4, 3, 2, 1, 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 5, 6, 7, 8];
-        b.iter(|| Frame::parse(&data).unwrap());
-        b.bytes = 1400;
-    }
-
-    #[bench]
-    fn decode_ethernet_with_vlan(b: &mut Bencher) {
-        let data = [6, 5, 4, 3, 2, 1, 1, 2, 3, 4, 5, 6, 0x81, 0, 4, 210, 1, 2, 3, 4, 5, 6, 7, 8];
-        b.iter(|| Frame::parse(&data).unwrap());
-        b.bytes = 1400;
-    }
-}
-
 /// An IP packet dissector
 ///
 /// This dissector is able to extract the source and destination ip addresses of ipv4 packets and
@@ -110,6 +91,7 @@ impl Protocol for Packet {
     /// # Errors
     /// This method will fail when the given data is not a valid ipv4 and ipv6 packet.
     fn parse(data: &[u8]) -> Result<(Address, Address), Error> {
+        // HOT PATH
         if data.is_empty() {
             return Err(Error::Parse("Empty header"))
         }
@@ -177,27 +159,3 @@ fn decode_invalid_packet() {
     ])
     .is_err());
 }
-
-
-#[cfg(feature = "bench")]
-mod bench_ip {
-    use super::*;
-    use test::Bencher;
-
-    #[bench]
-    fn decode_ipv4(b: &mut Bencher) {
-        let data = [0x40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 192, 168, 1, 1, 192, 168, 1, 2];
-        b.iter(|| Packet::parse(&data).unwrap());
-        b.bytes = 1400;
-    }
-
-    #[bench]
-    fn decode_ipv6(b: &mut Bencher) {
-        let data = [
-            0x60, 0, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 0, 9, 8, 7, 6, 5, 4, 3, 2, 1, 6,
-            5, 4, 3, 2, 1
-        ];
-        b.iter(|| Packet::parse(&data).unwrap());
-        b.bytes = 1400;
-    }
-}

src/table.rs

@@ -41,9 +41,14 @@ impl<TS: TimeSource> ClaimTable<TS> {
     }
 
     pub fn cache(&mut self, addr: Address, peer: SocketAddr) {
+        // HOT PATH
         self.cache.insert(addr, CacheValue { peer, timeout: TS::now() + self.cache_timeout as Time });
     }
 
+    pub fn clear_cache(&mut self) {
+        self.cache.clear()
+    }
+
     pub fn set_claims(&mut self, peer: SocketAddr, mut claims: RangeList) {
         for entry in &mut self.claims {
             if entry.peer == peer {
@@ -85,9 +90,11 @@ impl<TS: TimeSource> ClaimTable<TS> {
     }
 
     pub fn lookup(&mut self, addr: Address) -> Option<SocketAddr> {
+        // HOT PATH
         if let Some(entry) = self.cache.get(&addr) {
             return Some(entry.peer)
         }
+        // COLD PATH
         let mut found = None;
         let mut prefix_len = -1;
         for entry in &self.claims {
@@ -149,36 +156,3 @@ impl<TS: TimeSource> ClaimTable<TS> {
 }
 
 // TODO: test
-
-#[cfg(feature = "bench")]
-mod bench {
-    use super::*;
-    use crate::util::MockTimeSource;
-
-    use smallvec::smallvec;
-    use std::str::FromStr;
-    use test::Bencher;
-
-    #[bench]
-    fn lookup_warm(b: &mut Bencher) {
-        let mut table = ClaimTable::<MockTimeSource>::new(60, 60);
-        let addr = Address::from_str("1.2.3.4").unwrap();
-        table.cache(addr, SocketAddr::from_str("1.2.3.4:3210").unwrap());
-        b.iter(|| table.lookup(addr));
-        b.bytes = 1400;
-    }
-
-    #[bench]
-    fn lookup_cold(b: &mut Bencher) {
-        let mut table = ClaimTable::<MockTimeSource>::new(60, 60);
-        let addr = Address::from_str("1.2.3.4").unwrap();
-        table.set_claims(SocketAddr::from_str("1.2.3.4:3210").unwrap(), smallvec![
-            Range::from_str("1.2.3.4/32").unwrap()
-        ]);
-        b.iter(|| {
-            table.cache.clear();
-            table.lookup(addr)
-        });
-        b.bytes = 1400;
-    }
-}

src/traffic.rs

@@ -83,21 +83,25 @@ pub struct TrafficStats {
 impl TrafficStats {
     #[inline]
     pub fn count_out_traffic(&mut self, peer: SocketAddr, bytes: usize) {
+        // HOT PATH
         self.peers.entry(peer).or_insert_with(TrafficEntry::default).count_out(bytes);
     }
 
     #[inline]
     pub fn count_in_traffic(&mut self, peer: SocketAddr, bytes: usize) {
+        // HOT PATH
         self.peers.entry(peer).or_insert_with(TrafficEntry::default).count_in(bytes);
     }
 
     #[inline]
     pub fn count_out_payload(&mut self, remote: Address, local: Address, bytes: usize) {
+        // HOT PATH
         self.payload.entry((remote, local)).or_insert_with(TrafficEntry::default).count_out(bytes);
     }
 
     #[inline]
     pub fn count_in_payload(&mut self, remote: Address, local: Address, bytes: usize) {
+        // HOT PATH
         self.payload.entry((remote, local)).or_insert_with(TrafficEntry::default).count_in(bytes);
     }
 

src/util.rs

@@ -2,31 +2,31 @@
 // Copyright (C) 2015-2020  Dennis Schwerdel
 // This software is licensed under GPL-3 or newer (see LICENSE.md)
 
+use std::process::Command;
 use std::{
     fmt,
     net::{Ipv4Addr, SocketAddr, ToSocketAddrs, UdpSocket},
-    sync::atomic::{AtomicIsize, Ordering}
+    sync::atomic::{AtomicIsize, Ordering},
 };
 
 use crate::error::Error;
 
-#[cfg(not(target_os = "linux"))] use time;
+#[cfg(not(target_os = "linux"))]
+use time;
 
 use signal::{trap::Trap, Signal};
 use smallvec::SmallVec;
 use std::time::Instant;
 
-
 pub type Duration = u32;
 pub type Time = i64;
 
-
 #[derive(Clone)]
 pub struct MsgBuffer {
     space_before: usize,
     buffer: [u8; 65535],
     start: usize,
-    end: usize
+    end: usize,
 }
 
 impl MsgBuffer {
@@ -98,7 +98,6 @@ impl MsgBuffer {
     }
 }
 
-
 const HEX_CHARS: &[u8] = b"0123456789abcdef";
 
 pub fn bytes_to_hex(bytes: &[u8]) -> String {
@@ -113,13 +112,12 @@ pub fn bytes_to_hex(bytes: &[u8]) -> String {
 pub fn addr_nice(addr: SocketAddr) -> SocketAddr {
     if let SocketAddr::V6(v6addr) = addr {
         if let Some(ip) = v6addr.ip().to_ipv4() {
-            return (ip, addr.port()).into()
+            return (ip, addr.port()).into();
         }
     }
     addr
 }
 
-
 pub struct Encoder;
 
 impl Encoder {
@@ -172,7 +170,6 @@ impl Encoder {
     }
 }
 
-
 macro_rules! fail {
     ($format:expr) => ( {
         use std::process;
@@ -215,17 +212,14 @@ pub fn get_internal_ip() -> Ipv4Addr {
     }
 }
 
-
 #[allow(unknown_lints, clippy::needless_pass_by_value)]
 pub fn resolve<Addr: ToSocketAddrs + fmt::Debug>(addr: Addr) -> Result<SmallVec<[SocketAddr; 4]>, Error> {
     let mut addrs =
         addr.to_socket_addrs().map_err(|_| Error::NameUnresolvable(format!("{:?}", addr)))?.collect::<SmallVec<_>>();
     // Try IPv4 first as it usually is faster
-    addrs.sort_by_key(|addr| {
-        match *addr {
-            SocketAddr::V4(_) => 4,
-            SocketAddr::V6(_) => 6
-        }
+    addrs.sort_by_key(|addr| match *addr {
+        SocketAddr::V4(_) => 4,
+        SocketAddr::V6(_) => 6,
     });
     // Remove duplicates in addrs (why are there duplicates???)
     addrs.dedup();
@@ -239,7 +233,6 @@ macro_rules! addr {
     }};
 }
 
-
 pub struct Bytes(pub u64);
 
 impl fmt::Display for Bytes {
@@ -248,31 +241,30 @@ impl fmt::Display for Bytes {
         if size >= 512.0 {
             size /= 1024.0;
         } else {
-            return write!(formatter, "{:.0} B", size)
+            return write!(formatter, "{:.0} B", size);
         }
         if size >= 512.0 {
             size /= 1024.0;
         } else {
-            return write!(formatter, "{:.1} KiB", size)
+            return write!(formatter, "{:.1} KiB", size);
         }
         if size >= 512.0 {
             size /= 1024.0;
         } else {
-            return write!(formatter, "{:.1} MiB", size)
+            return write!(formatter, "{:.1} MiB", size);
         }
         if size >= 512.0 {
             size /= 1024.0;
         } else {
-            return write!(formatter, "{:.1} GiB", size)
+            return write!(formatter, "{:.1} GiB", size);
         }
         write!(formatter, "{:.1} TiB", size)
     }
 }
 
-
 pub struct CtrlC {
     dummy_time: Instant,
-    trap: Trap
+    trap: Trap,
 }
 
 impl CtrlC {
@@ -293,7 +285,6 @@ impl Default for CtrlC {
     }
 }
 
-
 pub trait TimeSource: Sync + Copy + Send + 'static {
     fn now() -> Time;
 }
@@ -336,7 +327,6 @@ impl TimeSource for MockTimeSource {
     }
 }
 
-
 /// Helper function that multiplies the base62 data in buf[0..buflen] by 16 and adds m to it
 fn base62_add_mult_16(buf: &mut [u8], mut buflen: usize, m: u8) -> usize {
     let mut d: usize = m as usize;
@@ -356,7 +346,7 @@ fn base62_add_mult_16(buf: &mut [u8], mut buflen: usize, m: u8) -> usize {
 const BASE62: [char; 62] = [
     '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
     'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j',
-    'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
+    'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
 ];
 
 pub fn to_base62(data: &[u8]) -> String {
@@ -382,7 +372,7 @@ pub fn from_base62(data: &str) -> Result<Vec<u8>, char> {
             '0'..='9' => ((c as usize) % ('0' as usize)),
             'A'..='Z' => ((c as usize) % ('A' as usize)) + 10,
             'a'..='z' => ((c as usize) % ('a' as usize)) + 36,
-            _ => return Err(c)
+            _ => return Err(c),
         };
         for item in &mut buf {
             val += *item as usize * 62;
@@ -397,11 +387,10 @@ pub fn from_base62(data: &str) -> Result<Vec<u8>, char> {
     Ok(buf)
 }
 
-
 #[derive(Default)]
 pub struct StatsdMsg {
     entries: Vec<String>,
-    key: Vec<String>
+    key: Vec<String>,
 }
 
 impl StatsdMsg {
@@ -426,6 +415,16 @@ impl StatsdMsg {
     }
 }
 
+pub fn run_cmd(mut cmd: Command) {
+    match cmd.status() {
+        Ok(status) => {
+            if !status.success() {
+                error!("Command returned error: {:?}", status.code())
+            }
+        }
+        Err(e) => error!("Failed to execute command {:?}: {}", cmd, e),
+    }
+}
 
 #[test]
 fn base62() {