filter

package
v0.0.0-...-113f59a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 16, 2024 License: BSD-3-Clause Imports: 16 Imported by: 0

Documentation

Overview

Package filter is a stateful packet filter.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CapMatch

type CapMatch struct {
	// Dst is the IP prefix that the destination IP address matches against
	// to get the capability.
	Dst netip.Prefix

	// Cap is the capability that's granted if the destination IP addresses
	// matches Dst.
	Cap tailcfg.PeerCapability

	// Values are the raw JSON values of the capability.
	// See tailcfg.PeerCapability and tailcfg.PeerCapMap for details.
	Values []tailcfg.RawMessage
}

CapMatch is a capability grant match predicate.

func (*CapMatch) Clone

func (src *CapMatch) Clone() *CapMatch

Clone makes a deep copy of CapMatch. The result aliases no memory with the original.

type Filter

type Filter struct {
	// contains filtered or unexported fields
}

Filter is a stateful packet filter.

func New

func New(matches []Match, localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter

New creates a new packet filter. The filter enforces that incoming packets must be destined to an IP in localNets, and must be allowed by matches. If shareStateWith is non-nil, the returned filter shares state with the previous one, to enable changing rules at runtime without breaking existing stateful flows.

func NewAllowAllForTest

func NewAllowAllForTest(logf logger.Logf) *Filter

NewAllowAllForTest returns a packet filter that accepts everything. Use in tests only, as it permits some kinds of spoofing attacks to reach the OS network stack.

func NewAllowNone

func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter

NewAllowNone returns a packet filter that rejects everything.

func NewShieldsUpFilter

func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter

NewShieldsUpFilter returns a packet filter that rejects incoming connections.

If shareStateWith is non-nil, the returned filter shares state with the previous one, as long as the previous one was also a shields up filter.

func (*Filter) CapsWithValues

func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap

CapsWithValues appends to base the capabilities that srcIP has talking to dstIP.

func (*Filter) Check

func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response

Check determines whether traffic from srcIP to dstIP:dstPort is allowed using protocol proto.

func (*Filter) CheckTCP

func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response

CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort is allowed.

func (*Filter) RunIn

func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response

RunIn determines whether this node is allowed to receive q from a Tailscale peer.

func (*Filter) RunOut

func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) Response

RunOut determines whether this node is allowed to send q to a Tailscale peer.

func (*Filter) ShieldsUp

func (f *Filter) ShieldsUp() bool

ShieldsUp reports whether this is a "shields up" (block everything incoming) filter.

type Match

type Match struct {
	IPProto []ipproto.Proto // required set (no default value at this layer)
	Srcs    []netip.Prefix
	Dsts    []NetPortRange // optional, if Srcs match
	Caps    []CapMatch     // optional, if Srcs match
}

Match matches packets from any IP address in Srcs to any ip:port in Dsts.

func MatchesFromFilterRules

func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error)

MatchesFromFilterRules converts tailcfg FilterRules into Matches. If an error is returned, the Matches result is still valid, containing the rules that were successfully converted.

func (*Match) Clone

func (src *Match) Clone() *Match

Clone makes a deep copy of Match. The result aliases no memory with the original.

func (Match) String

func (m Match) String() string

type NetPortRange

type NetPortRange struct {
	Net   netip.Prefix
	Ports PortRange
}

NetPortRange combines an IP address prefix and PortRange.

func (NetPortRange) String

func (npr NetPortRange) String() string

type PortRange

type PortRange struct {
	First, Last uint16 // inclusive
}

PortRange is a range of TCP and UDP ports.

func (PortRange) String

func (pr PortRange) String() string

type Response

type Response int

Response is a verdict from the packet filter.

const (
	Drop         Response = iota // do not continue processing packet.
	DropSilently                 // do not continue processing packet, but also don't log
	Accept                       // continue processing packet.

)

func (Response) IsDrop

func (r Response) IsDrop() bool

func (Response) String

func (r Response) String() string

type RunFlags

type RunFlags int

RunFlags controls the filter's debug log verbosity at runtime.

const (
	LogDrops       RunFlags = 1 << iota // write dropped packet info to logf
	LogAccepts                          // write accepted packet info to logf
	HexdumpDrops                        // print packet hexdump when logging drops
	HexdumpAccepts                      // print packet hexdump when logging accepts
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL