рабочий вариант, но скороть 10 МБит

agents/rap-node-agent/internal/supervisor/supervisor.go

@@ -70,7 +70,7 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 			StatusPayload: payload,
 		}
 	}
-	if serviceType == "core-mesh" || serviceType == "mesh-listener" {
+	if serviceType == "core-mesh" || serviceType == "fabric-listener" {
 		payload["reason"] = "builtin_node_agent_service_ready"
 		payload["execution_mode"] = "builtin"
 		payload["traffic"] = serviceTrafficMode(serviceType)
@@ -143,7 +143,7 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 			StatusPayload: payload,
 		}
 	}
-	if (serviceType == "vpn-exit" || serviceType == "ipv4-egress" || serviceType == "vpn-client") && runtimeMode == "native" {
+	if (serviceType == "vpn-exit" || serviceType == "ipv4-egress" || serviceType == "vpn-client" || serviceType == "ipv4-ingress") && runtimeMode == "native" {
 		for key, value := range vpnFabricOnlyContract(serviceType, workload.Config) {
 			payload[key] = value
 		}
@@ -151,7 +151,7 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 		payload["fabric_transport"] = "quic_only"
 		payload["fabric_service_channel_required"] = true
 		payload["backend_relay_fallback"] = false
-		payload["legacy_protocol_compatibility"] = false
+		payload["compat_protocol_compatibility"] = false
 		payload["traffic"] = "fabric_service_channel_only"
 		return client.WorkloadStatusRequest{
 			ReportedState: "running",
@@ -202,8 +202,8 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 }
 
 func vpnFabricOnlyContract(serviceType string, config map[string]any) map[string]any {
-	role := "vpn-client"
-	reason := "vpn_client_node_contract_ready"
+	role := "ipv4-ingress"
+	reason := "ipv4_ingress_node_contract_ready"
 	serviceClass := "vpn_packets"
 	internetEgress := false
 	if serviceType == "vpn-exit" || serviceType == "ipv4-egress" {
@@ -222,7 +222,12 @@ func vpnFabricOnlyContract(serviceType string, config map[string]any) map[string
 		"allowed_cidrs":                   stringSliceConfig(config, "allowed_cidrs"),
 		"dns_servers":                     stringSliceConfig(config, "dns_servers"),
 		"client_policy_source":            stringConfig(config, "client_policy_source", "fabric_access_policy"),
-		"android_node_supported":          serviceType == "vpn-client",
+		"legacy_role_alias":               "vpn-client",
+		"node_core":                       "same_fabric_core_all_platforms",
+		"platform_adapter_scope":          "local_packet_io_only",
+		"android_node_supported":          serviceType == "vpn-client" || serviceType == "ipv4-ingress",
+		"linux_node_supported":            serviceType == "vpn-client" || serviceType == "ipv4-ingress",
+		"windows_node_supported":          serviceType == "vpn-client" || serviceType == "ipv4-ingress",
 		"ipv4_exit_supported":             internetEgress,
 		"fabric_service_channel_required": true,
 		"packet_runtime_status":           "fabric_channel_binding_pending_runtime",
@@ -237,7 +242,7 @@ func vpnServiceBindingContract(serviceType string, config map[string]any) map[st
 			"type":                         "ipv4_egress",
 			"accepts_service_class":        "vpn_packets",
 			"accepts_from_fabric_only":     true,
-			"legacy_protocol_listener":     false,
+			"compat_protocol_listener":     false,
 			"exit_pool_id":                 stringConfig(config, "pool_id", ""),
 			"region":                       stringConfig(config, "region", ""),
 			"allowed_cidrs":                stringSliceConfig(config, "allowed_cidrs"),
@@ -248,7 +253,7 @@ func vpnServiceBindingContract(serviceType string, config map[string]any) map[st
 	}
 	return map[string]any{
 		"type":                         "local_ipv4_ingress",
-		"accepts_from":                 []string{"android_vpnservice_tun", "linux_tun", "host_service_port"},
+		"accepts_from":                 []string{"android_vpnservice_tun", "linux_tun", "windows_wintun", "host_service_port"},
 		"service_class":                "vpn_packets",
 		"exit_selection":               "pool",
 		"preferred_exit_pool_id":       stringConfig(config, "exit_pool_id", ""),
@@ -256,8 +261,10 @@ func vpnServiceBindingContract(serviceType string, config map[string]any) map[st
 		"listen_udp_ports":             intSliceConfig(config, "listen_udp_ports"),
 		"tun_required":                 true,
 		"route_authority":              "fabric_farm",
-		"legacy_protocol_listener":     false,
+		"compat_protocol_listener":     false,
 		"requires_fabric_node_runtime": true,
+		"traffic_visibility":           "opaque_ipv4_packets",
+		"flow_distribution":            "opaque_packet_hash_shards",
 	}
 }
 
@@ -266,12 +273,10 @@ func webIngressListenerConfig(serviceType string, config map[string]any) webingr
 		RuntimeConfig: webingress.RuntimeConfig{
 			ServiceType:    serviceType,
 			Scope:          stringConfig(config, "scope", ""),
-			ServiceClasses: stringSliceConfig(config, "service_classes"),
+			ServiceClasses: webIngressServiceClasses(serviceType, config),
 			TLSMode:        stringConfig(config, "tls_mode", "terminate"),
-			HTTPPort:       intConfig(config, "listen_http_port", 80),
 			HTTPSPort:      intConfig(config, "listen_https_port", 443),
 		},
-		HTTPAddr:    stringConfig(config, "listen_http_addr", ":80"),
 		HTTPSAddr:   stringConfig(config, "listen_https_addr", ":443"),
 		TLSCertFile: stringConfig(config, "tls_cert_file", ""),
 		TLSKeyFile:  stringConfig(config, "tls_key_file", ""),
@@ -279,17 +284,13 @@ func webIngressListenerConfig(serviceType string, config map[string]any) webingr
 }
 
 func (s StubSupervisor) webIngressContract(serviceType string, config map[string]any) map[string]any {
-	httpPort := intConfig(config, "listen_http_port", 80)
 	httpsPort := intConfig(config, "listen_https_port", 443)
 	tlsMode := strings.TrimSpace(stringConfig(config, "tls_mode", "terminate"))
-	serviceClasses := stringSliceConfig(config, "service_classes")
+	serviceClasses := webIngressServiceClasses(serviceType, config)
 	scope := strings.TrimSpace(stringConfig(config, "scope", ""))
 	realListenerRequested := boolConfig(config, "real_listener_enabled")
 	allowedClasses := webIngressAllowedServiceClasses(serviceType)
 	missing := []string{}
-	if httpPort != 80 {
-		missing = append(missing, "listen_http_port_must_be_80")
-	}
 	if httpsPort != 443 {
 		missing = append(missing, "listen_https_port_must_be_443")
 	}
@@ -315,14 +316,13 @@ func (s StubSupervisor) webIngressContract(serviceType string, config map[string
 		"authority_service":               false,
 		"fabric_transport":                "quic_only",
 		"http_between_fabric_nodes":       false,
-		"listen_http_port":                httpPort,
 		"listen_https_port":               httpsPort,
 		"tls_mode":                        tlsMode,
 		"scope":                           scope,
 		"service_classes":                 serviceClasses,
 		"allowed_service_classes":         allowedClasses,
 		"fabric_service_channel_required": true,
-		"runtime_roles_required":          webIngressRuntimeRoles(serviceClasses),
+		"runtime_fabric_functions":        webIngressFabricFunctions(serviceType, serviceClasses),
 		"payload_forwarding":              "contract_only",
 		"real_listener_requested":         realListenerRequested,
 		"real_listener_runtime_enabled":   s.WebIngressRuntimeEnabled,
@@ -346,26 +346,41 @@ func (s StubSupervisor) webIngressContract(serviceType string, config map[string
 
 func webIngressAllowedServiceClasses(serviceType string) []string {
 	if serviceType == "admin-ingress" {
-		return []string{"platform_admin", "cluster_admin"}
+		return []string{"admin-ingress"}
 	}
-	return []string{"organization_portal", "user_portal"}
+	return []string{"public-ingress"}
 }
 
-func webIngressRuntimeRoles(serviceClasses []string) []string {
-	roles := []string{}
-	for _, serviceClass := range serviceClasses {
+func webIngressServiceClasses(serviceType string, config map[string]any) []string {
+	raw := stringSliceConfig(config, "service_classes")
+	if len(raw) == 0 {
+		return webIngressAllowedServiceClasses(serviceType)
+	}
+	out := []string{}
+	for _, serviceClass := range raw {
+		serviceClass = strings.TrimSpace(serviceClass)
 		switch serviceClass {
-		case "platform_admin":
-			roles = append(roles, "global-admin-runtime", "identity-runtime", "policy-authority", "audit-sink")
-		case "cluster_admin":
-			roles = append(roles, "cluster-admin-runtime", "identity-runtime", "policy-authority", "audit-sink")
-		case "organization_portal":
-			roles = append(roles, "organization-portal-runtime", "identity-runtime", "policy-authority", "audit-sink")
-		case "user_portal":
-			roles = append(roles, "user-portal-runtime", "identity-runtime", "policy-authority", "audit-sink")
+		case "admin-ingress", "public-ingress":
+			out = append(out, serviceClass)
 		}
 	}
-	return dedupeStrings(roles)
+	if len(out) == 0 {
+		return webIngressAllowedServiceClasses(serviceType)
+	}
+	return dedupeStrings(out)
+}
+
+func webIngressFabricFunctions(serviceType string, serviceClasses []string) []string {
+	functions := []string{serviceType}
+	for _, serviceClass := range serviceClasses {
+		switch serviceClass {
+		case "admin-ingress":
+			functions = append(functions, "admin-ingress")
+		case "public-ingress":
+			functions = append(functions, "public-ingress")
+		}
+	}
+	return dedupeStrings(functions)
 }
 
 func boolConfig(values map[string]any, key string) bool {
@@ -732,7 +747,7 @@ func serviceTrafficMode(serviceType string) string {
 	switch serviceType {
 	case "core-mesh":
 		return "fabric_control"
-	case "mesh-listener":
+	case "fabric-listener":
 		return "entry_listener"
 	default:
 		return "unknown"