Documentation ¶
Overview ¶
Package filter is a stateful packet filter.
Index ¶
- type CapMatch
- type Filter
- func New(matches []Match, localNets *netipx.IPSet, logIPs *netipx.IPSet, ...) *Filter
- func NewAllowAllForTest(logf logger.Logf) *Filter
- func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter
- func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, ...) *Filter
- func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
- func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response
- func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response
- func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) Response
- func (f *Filter) ShieldsUp() bool
- type Match
- type NetPortRange
- type PortRange
- type Response
- type RunFlags
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CapMatch ¶
type CapMatch struct { // Dst is the IP prefix that the destination IP address matches against // to get the capability. Dst netip.Prefix // Cap is the capability that's granted if the destination IP addresses // matches Dst. Cap tailcfg.PeerCapability // Values are the raw JSON values of the capability. // See tailcfg.PeerCapability and tailcfg.PeerCapMap for details. Values []json.RawMessage }
CapMatch is a capability grant match predicate.
type Filter ¶
type Filter struct {
// contains filtered or unexported fields
}
Filter is a stateful packet filter.
func New ¶
func New(matches []Match, localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
New creates a new packet filter. The filter enforces that incoming packets must be destined to an IP in localNets, and must be allowed by matches. If shareStateWith is non-nil, the returned filter shares state with the previous one, to enable changing rules at runtime without breaking existing stateful flows.
func NewAllowAllForTest ¶
NewAllowAllForTest returns a packet filter that accepts everything. Use in tests only, as it permits some kinds of spoofing attacks to reach the OS network stack.
func NewAllowNone ¶
NewAllowNone returns a packet filter that rejects everything.
func NewShieldsUpFilter ¶
func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
NewShieldsUpFilter returns a packet filter that rejects incoming connections.
If shareStateWith is non-nil, the returned filter shares state with the previous one, as long as the previous one was also a shields up filter.
func (*Filter) CapsWithValues ¶
func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
CapsWithValues appends to base the capabilities that srcIP has talking to dstIP.
func (*Filter) CheckTCP ¶
CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort is allowed.
func (*Filter) RunIn ¶
RunIn determines whether this node is allowed to receive q from a Tailscale peer.
type Match ¶
type Match struct { IPProto []ipproto.Proto // required set (no default value at this layer) Srcs []netip.Prefix Dsts []NetPortRange // optional, if Srcs match Caps []CapMatch // optional, if Srcs match }
Match matches packets from any IP address in Srcs to any ip:port in Dsts.
func MatchesFromFilterRules ¶
func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error)
MatchesFromFilterRules converts tailcfg FilterRules into Matches. If an error is returned, the Matches result is still valid, containing the rules that were successfully converted.
type NetPortRange ¶
NetPortRange combines an IP address prefix and PortRange.
func (NetPortRange) String ¶
func (npr NetPortRange) String() string
type PortRange ¶
type PortRange struct {
First, Last uint16 // inclusive
}
PortRange is a range of TCP and UDP ports.