The backend will be split into two processes:
* The privileged daemon
* The unprivileged web server
These processes will communicate using JSON-RPC over a UNIX socket. The
web server is unprivileged to mitigate the risk of vulnerabilities being
exploited to gain control of the system. The privileged daemon will
handle all actual firewall management. Additionally, the backend also
acts as a command-line interface for communicating with the daemon.
The application's main entry point determines which process to launch
based on the name of the executable. This can be controlled, e.g. by
creating symbolic links pointing to the binary, or using the `@` prefix
in the `ExecStart` setting in a systemd unit.
This first commit introduces the Rocket framework for the web process.
Unfortunately, Rocket is rather inflexible in how it is started. It
expects to have complete control of the `main` function, and does not
provide any mechanism for passing data to its initialization routines.
Thus, in order to configure it using command-line arguments, arguments
have to be parsed inside Rocket's main function; they cannot be parsed
ahead of time and passed in.
Dustin