README
¶
networkpolicy
The package acts as an embeddable configurable container handling allow/deny verdicts over a series of conditions including
- IPs
- CIDRs
- Ports
- Schemes (eg
https, http, ftp)
General usage as allow/deny
The following program prevents the http client to follow targets belonging to the deny list:
Example - General allow/deny list
package main
import (
"errors"
"log"
"net/http"
"github.com/khulnasoft-labs/networkpolicy"
)
func main() {
var npOptions networkpolicy.Options
// deny connections to localhost
npOptions.DenyList = append(npOptions.DenyList, "127.0.0.0/8")
np, err := networkpolicy.New(npOptions)
if err != nil {
log.Fatal(err)
}
customRedirectHandler := func(req *http.Request, via []*http.Request) error {
// if at least one address is valid we follow the redirect
if _, ok := np.ValidateHost(req.Host); ok {
return nil
}
return errors.New("redirected to a forbidden target")
}
client := &http.Client{
CheckRedirect: customRedirectHandler,
}
req, err := http.NewRequest(http.MethodGet, "http://yourtarget", nil)
if err != nil {
log.Fatal(err)
}
resp, err := client.Do(req)
if err != nil {
log.Fatal(err)
}
log.Println(resp)
}
Documentation
¶
Index ¶
- Variables
- type NetworkPolicy
- func (r NetworkPolicy) Validate(host string) bool
- func (r NetworkPolicy) ValidateAddress(IP string) bool
- func (r NetworkPolicy) ValidateAddressWithPort(IP string, port int) bool
- func (r NetworkPolicy) ValidateHost(host string) (string, bool)
- func (r NetworkPolicy) ValidatePort(port int) bool
- func (r NetworkPolicy) ValidateURLWithIP(host string, ip string) bool
- type Options
Constants ¶
This section is empty.
Variables ¶
View Source
var DefaultHostDenylist = []string{
"localhost",
}
View Source
var DefaultIPv4Denylist = []string{
"255.255.255.255",
}
View Source
var DefaultIPv4DenylistRanges = []string{
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/24",
"192.0.2.0/24",
"192.88.99.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"203.0.113.0/24",
"224.0.0.0/4",
"240.0.0.0/4",
}
View Source
var DefaultIPv6Denylist = []string{}
View Source
var DefaultIPv6DenylistRanges = []string{
"::1/128",
"64:ff9b::/96",
"100::/64",
"2001::/32",
"2001:10::/28",
"2001:20::/28",
"2001:db8::/32",
"2002::/16",
"fc00::/7",
"fe80::/10",
"ff00::/8",
}
View Source
var DefaultPortAllowList = []int{
80,
443,
}
View Source
var DefaultSchemeAllowList = []string{
"http",
"https",
}
Functions ¶
This section is empty.
Types ¶
type NetworkPolicy ¶
type NetworkPolicy struct {
Options *Options
DenyRanger cidranger.Ranger
AllowRanger cidranger.Ranger
AllowRules map[string]*regexp.Regexp
DenyRules map[string]*regexp.Regexp
AllowSchemeList map[string]struct{}
DenySchemeList map[string]struct{}
AllowPortList map[int]struct{}
DenyPortList map[int]struct{}
// contains filtered or unexported fields
}
func New ¶
func New(options Options) (*NetworkPolicy, error)
New creates a new URL validator using the validator options
func (NetworkPolicy) Validate ¶
func (r NetworkPolicy) Validate(host string) bool
func (NetworkPolicy) ValidateAddress ¶
func (r NetworkPolicy) ValidateAddress(IP string) bool
func (NetworkPolicy) ValidateAddressWithPort ¶
func (r NetworkPolicy) ValidateAddressWithPort(IP string, port int) bool
func (NetworkPolicy) ValidateHost ¶
func (r NetworkPolicy) ValidateHost(host string) (string, bool)
ValidateHost checks all the ips associated to a hostname and returns the valid ip if any
func (NetworkPolicy) ValidatePort ¶
func (r NetworkPolicy) ValidatePort(port int) bool
func (NetworkPolicy) ValidateURLWithIP ¶
func (r NetworkPolicy) ValidateURLWithIP(host string, ip string) bool
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.