fix: use ObservedAddr newtype for NAT routing

[sanity]

Problem

Peers behind NAT embed incorrect addresses (e.g., 127.0.0.1:31337) in protocol messages. When responses like ReturnSub need to be routed back, they previously used these embedded addresses instead of the transport-layer observed address, causing messages to be sent to the wrong destination.

Why existing tests didn't catch this

Unit tests and in-memory network tests use localhost addresses that work correctly. The issue only manifests with real NAT traversal where the embedded and observed addresses differ.

Previous Approaches

PR #2167 introduced threading source_addr through operations using raw SocketAddr. Nacho's feedback: "Don't use SocketAddr directly anywhere in the codebase for other things than connecting to the actual socket."

This Solution

Introduces ObservedAddr newtype to wrap transport-layer addresses, making the address semantics explicit at the type level:

• Embedded address: What the peer claims (wrong behind NAT)
• Observed address: What we see at transport layer (correct for NAT)

Key changes:

1. transport/mod.rs: Add ObservedAddr newtype with explicit semantics
2. subscribe.rs: Store upstream_addr: Option<ObservedAddr>, use it for ReturnSub routing
3. seeding.rs: add_subscriber() takes Option<ObservedAddr> to store correct routing address
4. ring/mod.rs: Updated wrapper to use ObservedAddr

The conversion back to raw SocketAddr happens at the transport boundary in build_op_result().

Testing

Unit Tests

• All subscribe unit tests pass
• All connect unit tests pass (fixed peer() calls on Unknown addresses in logging)

Docker NAT Integration Test

• minimal_nat_test PASSED: PUT from NAT peer, GET from gateway, state verification

River End-to-End NAT Test

Full River message flow test with 6 Docker NAT peers:

FREENET_CORE_PATH=/path/to/this-branch \
FREENET_TEST_DOCKER_NAT=1 \
cargo test --test message_flow river_message_flow_over_freenet_six_peers_five_rounds

Results:

• Network: 6 peers behind simulated NAT (Docker iptables MASQUERADE), 1 gateway
• Room create: 1.11s (first attempt)
• Invite accept: 85.80ms (first attempt)
• Messages sent: 10/10 delivered
• Message latency: avg=1478ms, min=214ms, max=2711ms
• Verification: Each user (on different peers) confirmed receipt of all messages

This confirms that contract updates (River room messages) propagate correctly across NAT'd peers using the full Freenet subscription/update flow.

Stacked On

This PR is stacked on:

• fix: use upstream_addr for subscribe operation NAT routing #2171: fix: use upstream_addr for subscribe operation NAT routing
• refactor(connect): remove from/sender fields from ConnectMsg #2169: refactor(connect): remove from/sender fields from ConnectMsg
• refactor(routing): add upstream_addr for connection-based routing #2167: refactor(routing): add upstream_addr for connection-based routing

Fixes

Addresses #2164

[AI-assisted - Claude]

[Copilot]

Pull request overview

This PR introduces the ObservedAddr newtype to fix NAT routing issues where peers behind NAT embed incorrect addresses in protocol messages. The newtype wraps transport-layer addresses and makes address semantics explicit, preventing confusion between embedded (potentially wrong) and observed (correct) addresses.

Key changes:

• Introduced ObservedAddr newtype to wrap transport-layer socket addresses with explicit semantics
• Updated subscription logic to store and use ObservedAddr for NAT-friendly routing
• Modified add_subscriber() API to accept Option<ObservedAddr> parameter for correct address resolution

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
crates/core/src/transport/mod.rs	Adds ObservedAddr newtype with Display and From trait implementations to represent transport-layer observed addresses
crates/core/src/ring/seeding.rs	Updates add_subscriber() to accept Option<ObservedAddr> parameter and use it to replace embedded subscriber addresses when available
crates/core/src/ring/mod.rs	Updates wrapper method signature to pass through ObservedAddr parameter to seeding manager
crates/core/src/operations/update.rs	Passes None for upstream_addr when subscribing to contracts locally (self-subscription)
crates/core/src/operations/subscribe.rs	Changes upstream_addr field type to Option<ObservedAddr>, updates all add_subscriber() calls to pass appropriate address values, and adds debug logging for address tracking
crates/core/src/node/testing_impl/in_memory.rs	Updates test setup to pass None for upstream_addr in test subscriber initialization

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The address modification here is redundant. The subscriber.set_addr(addr) call on line 422 updates the subscriber's address, but then add_subscriber() (called at line 466) receives self.upstream_addr as a separate parameter and creates a new PeerKeyLocation with that address (see seeding.rs line 118-122), discarding this modification.

Since add_subscriber() handles the address replacement internally when upstream_addr is provided, this direct modification is unnecessary and creates confusion about where the address is actually being set. Consider removing the subscriber.set_addr(addr) call and relying solely on the upstream_addr parameter.

[sanity]

The set_addr call does appear redundant since add_subscriber() replaces the address anyway. However, it's useful for the debug log immediately after (line 423-428) which shows the transport source address - this helps with debugging NAT routing issues.

That said, I could simplify by logging source_addr directly rather than modifying subscriber first. Will leave as-is for now since the behavior is correct, but marking as a future cleanup opportunity.

[AI-assisted - Claude]

[iduartgomez]

If the fgoal is to debug, just debug, dont do side effects just for debugging. (!)

[Copilot]

This debug log should use tracing::debug! instead of tracing::info!. The message "subscribe: load_or_init creating new op with source_addr as upstream_addr" is implementation-level detail useful for debugging, not a significant event that should be logged at info level. Other similar operational details in this file use debug! (e.g., lines 158, 197, 431).

[sanity]

Fixed - changed to debug! in a0196fe.

[AI-assisted - Claude]

[Copilot]

This debug log should use tracing::debug! instead of tracing::info!. The message "subscribe: creating ReturnSub with upstream_addr" is implementation-level detail useful for debugging, not a significant event that should be logged at info level. Other similar operational details in this file use debug! (e.g., lines 423, 431).

[sanity]

Fixed - changed to debug! in a0196fe.

[AI-assisted - Claude]

[Copilot]

This debug log should use tracing::debug! instead of tracing::info!. The message "build_op_result: computed target_addr" is implementation-level detail useful for debugging, not a significant event that should be logged at info level. This function is called for every operation result and would generate excessive info-level logs.

[sanity]

Fixed - changed to debug! in a0196fe.

[AI-assisted - Claude]

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This changes error handling from graceful degradation to a panic. Previously, if sender_from_addr lookup failed, the code would log a warning and return an error, allowing the node to continue. Now it uses expect() which will panic and crash the node if the lookup fails. The previous error handling approach was better. Consider restoring the if let Some(sender) = sender_from_addr.clone() else { ... } pattern or using .ok_or_else() with proper error propagation.

Suggested change

	let sender = sender_from_addr.clone().expect(
	"ReturnGet requires sender lookup from connection - source_addr should resolve to known peer",
	);
	let sender = if let Some(sender) = sender_from_addr.clone() {
	sender
	} else {
	tracing::warn!(
	tx = %id,
	%key,
	"ReturnGet: Could not resolve sender from address; aborting operation"
	);
	return Err(ErrorKind::NodeError(
	"ReturnGet requires sender lookup from connection - source_addr could not be resolved to known peer".into(),
	).into());
	};

[iduartgomez]

+1 remove the unwrap

[Copilot]

The error path for max subscribers creates a ReturnSub but uses return_msg.target_addr() for routing, which extracts the address from subscriber. This is inconsistent with the success path (lines 540-544) which uses self.upstream_addr for routing. For NAT peers, subscriber may contain an incorrect embedded address (e.g., 127.0.0.1:31337), so this should use build_op_result(self.id, None, Some(return_msg), self.upstream_addr) instead to ensure proper NAT routing.

Suggested change

	return Ok(OperationResult {
	target_addr: return_msg.target_addr(),
	return_msg: Some(NetMessage::from(return_msg)),
	state: None,
	});
	return build_op_result(self.id, None, Some(return_msg), self.upstream_addr);

[Copilot]

This change removes the use of upstream_addr for routing ReturnSub responses in SeekNode error handling. Previously, the code captured self.upstream_addr and used build_op_result to route responses correctly for NAT scenarios. Now it directly constructs OperationResult using return_msg.target_addr(), which extracts the address from the subscriber field. This creates the same NAT routing issue that this PR is supposed to fix: for NAT peers, subscriber may contain an incorrect embedded address. The closure should be restored to use: build_op_result(*id, None, Some(return_msg), self.upstream_addr).

Suggested change

	OperationResult {
	target_addr: return_msg.target_addr(),
	return_msg: Some(NetMessage::from(return_msg)),
	state: None,
	}
	build_op_result(*id, None, Some(return_msg), self.upstream_addr)

[Copilot]

The added null check for source_addr is redundant and uses the wrong variable. Line 817 already unwraps source_addr into upstream_addr, so if we reach this point, source_addr is guaranteed to be Some. The code should use upstream_addr directly (which is a SocketAddr, not an Option) instead of re-checking source_addr: network_bridge.send(upstream_addr, NetMessage::V1(NetMessageV1::Connect(msg))).await?;

Suggested change

	if let Some(upstream) = &source_addr {
	network_bridge
	.send(*upstream, NetMessage::V1(NetMessageV1::Connect(msg)))
	.await?;
	}
	network_bridge
	.send(upstream_addr, NetMessage::V1(NetMessageV1::Connect(msg)))
	.await?;

[Copilot]

Same issue as above: the null check for source_addr is redundant and uses the wrong variable. Line 817 already unwraps source_addr into upstream_addr, so the code should use upstream_addr directly: network_bridge.send(upstream_addr, NetMessage::V1(NetMessageV1::Connect(response_msg))).await?;

Suggested change

	if let Some(upstream) = &source_addr {
	network_bridge
	.send(
	*upstream,
	NetMessage::V1(NetMessageV1::Connect(response_msg)),
	)
	.await?;
	}
	network_bridge
	.send(
	upstream_addr,
	NetMessage::V1(NetMessageV1::Connect(response_msg)),
	)
	.await?;

[iduartgomez]

what happens if source_addr is not none? can it even be none?

[iduartgomez]

what happens if source_addr is not none? can it even be none?

[iduartgomez]

"sender is opurselves" but this comes from "remote_target" ? Soemthing is off here.

[sanity]

@iduartgomez Addressing all your feedback:

1. subscribe.rs:429 - Debug side effects

You're right - the debug trace at line 434 shows subscriber.peer() AFTER potentially modifying subscriber at line 422. This is confusing because it's not clear whether the trace shows the original or modified value.

Fix needed: Move the debug trace to before the modification, or split into two traces (before/after).

2. connect.rs:833 & 879 - source_addr nullability

Can source_addr be None? Yes - for locally-initiated operations (client requests), there's no inbound source address.

What happens if None? Currently, the ObservedAddress message is silently dropped (no upstream to route through). This could hide bugs.

Fix needed: Add explicit handling:

let Some(upstream) = source_addr else {
    tracing::warn!("ObservedAddress has no upstream - locally initiated?");
    return Ok(...);
};

3. get.rs:860 - Remove unwrap

Agreed. The .expect() can panic.

Fix needed: Return error instead:

let Some(sender) = sender_from_addr.clone() else {
    tracing::warn!("ReturnGet without sender lookup");
    return Err(OpError::invalid_transition(self.id));
};

4. update.rs:1008 - Confusing comment

The comment "sender is ourselves" is misleading. Looking at line 1005, sender comes from the function parameter (the peer requesting the update), not ourselves.

Fix needed: Clarify:

// Subscribe on behalf of the requesting peer (no upstream_addr - direct registration)

I'll prepare fixes for all these issues.

[AI-assisted - Claude]

[sanity]

@iduartgomez - Implemented all requested fixes in commit 8bd39fc:

1. subscribe.rs:416-438 - Moved debug trace before modification

• Now logs original subscriber address before updating from source_addr
• Prevents confusion about which address is being displayed

2. connect.rs:825-848, 882-901 - Added explicit None handling

• ObservedAddress and ConnectResponse now check for upstream before sending
• Warns when locally-initiated operations lack source_addr

3. get.rs:552-558, 710-716, 858-864, 1131-1137 - Replaced expect() with error handling

• Fixed 4 instances: RequestGet, SeekNode, and ReturnGet (2 cases)
• Returns OpError::invalid_transition instead of panicking
• Applied same pattern consistently across all message types

4. update.rs:1008 - Clarified comment

• Changed "sender is ourselves" → "on behalf of the requesting peer"
• Accurately reflects that sender comes from function parameter

[AI-assisted - Claude]

[iduartgomez]

why is this optional ?

[iduartgomez]

this is really confussing, whenever you add a subscriber, yolu should know its external address. this shouldn't be optional, and that address should be clearly identified and embedded in the message.

[iduartgomez]

A change I do not see here, but in the configuration, wherever socket addresses are created for the different connections, also typing them strictly to avoid illegal conversions/usages etc. would be good.

A lof of the confussion comes from makign illegal states representable, encode all usages of socket addresses out of the transport module by their provenance (are they observed? are they private coming from config?) and only accept the types in the messages you would be expecting (e.g. messages sent over the network shouldn't ever contain advertised addresses, sicne those may be private).