feat: rate limiting in irpc and irpc-iroh

[rklaehn]

This implements hooks to implement rate limiting for irpc and iroh. You can rate limit / filter based on SocketAddr (for irpc) and SocketAddr and EndpointId (for irpc-iroh).

You can filter by SocketAddr even before the SocketAddr is validated, but you should usually wait until it is validated, otherwise somebody could send you spoofed packets and rate limit valid clients.

There is also a system in place to allow for per-request rate limiting and filtering. This is the same for irpc and irpc-iroh.

[Frando]

Is the irpc-iroh rate limiter compatible with using a Router? I pretty much always use irpc with a router (and n0des, where this feature request comes from, does too).

[rklaehn]

I just looked at the n0des code. For per request filtering I think there isn't that much you can do. n0des calls read_request manually, you could just apply a filter immediately afterwards. You could use the new RequestFilter trait for that, but it doesn't add that much value.

let Some(first_request) = read_request::<N0desProtocol>(&connection).await? else {
    return Ok(());
};
/// apply stateful per request filter
if !filter.accept(first_request) {
  return Ok(());
}

For per SocketAddr and per EndpointId filtering in the router, that would be a feature in the iroh router. You could even throw in per ALPN filtering. I guess we could do a PR in iroh instead and reuse that part from here.

[rklaehn]

Ah, never mind. We now have on_accepting, so we can intercept very early...

Actually no, on_accepting is 1. not quite early enough to deal with direct addresses in the cheapest way possible, and 2. Accepting does not even have the remote_addr.

[rklaehn]

OK, so the plan is to

1. have additional info in iroh so we can rate limit based on origin in on_accept: feat(iroh): more precise information about incoming connections iroh#3949

2. move/copy the very early socket based rate limiting for direct connections to the router