Documentation
Index
- Constants
- Variables
- func FilterNodesByACL(node *types.Node, nodes types.Nodes, filter []tailcfg.FilterRule) types.Nodes
- func GenerateFilterAndSSHRulesForTests(policy *ACLPolicy, node *types.Node, peers types.Nodes) ([]tailcfg.FilterRule, *tailcfg.SSHPolicy, error)
- func ReduceFilterRules(node *types.Node, rules []tailcfg.FilterRule) []tailcfg.FilterRule
- type ACL
- type ACLPolicy
- func (pol *ACLPolicy) CompileFilterRules(nodes types.Nodes) ([]tailcfg.FilterRule, error)
- func (pol *ACLPolicy) CompileSSHPolicy(node *types.Node, peers types.Nodes) (*tailcfg.SSHPolicy, error)
- func (pol *ACLPolicy) ExpandAlias(nodes types.Nodes, alias string) (*netipx.IPSet, error)
- func (pol ACLPolicy) IsZero() bool
- func (pol *ACLPolicy) TagsOfNode(node *types.Node) ([]string, []string)
- type ACLTest
- type AutoApprovers
- type Groups
- type Hosts
- type SSH
- type TagOwners
Constants
const (
	ProtocolFC = 133 // Fibre Channel
)
ProtocolFC is declared locally because golang.org/x/net/internal/iana, which would otherwise supply it, is an internal package and cannot be imported from here.
Variables
var (
	ErrEmptyPolicy       = errors.New("empty policy")
	ErrInvalidAction     = errors.New("invalid action")
	ErrInvalidGroup      = errors.New("invalid group")
	ErrInvalidTag        = errors.New("invalid tag")
	ErrInvalidPortFormat = errors.New("invalid port format")
	ErrWildcardIsNeeded  = errors.New("wildcard as port is required for the protocol")
)
Functions
func FilterNodesByACL
func FilterNodesByACL(
	node *types.Node,
	nodes types.Nodes,
	filter []tailcfg.FilterRule,
) types.Nodes
FilterNodesByACL returns the list of peers authorized to be accessed from a given node.
func ReduceFilterRules
func ReduceFilterRules(node *types.Node, rules []tailcfg.FilterRule) []tailcfg.FilterRule
ReduceFilterRules takes a node and a set of rules and removes all rules and destinations that are not relevant to that particular node.
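The two functions above are easiest to understand together, since deciding which peers a node may see is the same question as which rules survive reduction for that node. The following is an added example, not code from this package: it uses constructed stand-ins for tailcfg.FilterRule and types.Node (only the fields needed here), writes single hosts as /32 prefixes the way compiled rules do, and assumes that a rule allowing traffic in either direction is enough to make a peer visible.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Stand-ins, constructed for this example, for tailcfg.FilterRule and types.Node.
type NetPortRange struct{ IP, Ports string } // IP is a CIDR or "*"
type FilterRule struct {
	SrcIPs   []string
	DstPorts []NetPortRange
}
type Node struct {
	Name string
	IPs  []netip.Addr
}

// entryMatches reports whether a filter entry ("*" or a CIDR) covers one of
// the addresses; malformed entries never match.
func entryMatches(entry string, ips []netip.Addr) bool {
	if entry == "*" {
		return true
	}
	pfx, err := netip.ParsePrefix(entry)
	if err != nil {
		return false
	}
	for _, ip := range ips {
		if pfx.Contains(ip) {
			return true
		}
	}
	return false
}

// reduceFilterRules keeps only the rules, and within each rule only the
// destinations, that can name this node: the client receives the smallest
// filter that still describes every flow it may accept.
func reduceFilterRules(node Node, rules []FilterRule) []FilterRule {
	var out []FilterRule
	for _, rule := range rules {
		var dsts []NetPortRange
		for _, d := range rule.DstPorts {
			if entryMatches(d.IP, node.IPs) {
				dsts = append(dsts, d)
			}
		}
		if len(dsts) > 0 {
			out = append(out, FilterRule{SrcIPs: rule.SrcIPs, DstPorts: dsts})
		}
	}
	return out
}

// canReach reports whether some rule lets src send to dst: reduce the filter
// to the rules naming dst, then look for one whose sources cover src.
func canReach(src, dst Node, filter []FilterRule) bool {
	for _, rule := range reduceFilterRules(dst, filter) {
		for _, s := range rule.SrcIPs {
			if entryMatches(s, src.IPs) {
				return true
			}
		}
	}
	return false
}

// filterNodesByACL returns the peers some rule connects to node in either
// direction (assumption); peers no rule connects are withheld entirely.
func filterNodesByACL(node Node, peers []Node, filter []FilterRule) []Node {
	var out []Node
	for _, peer := range peers {
		if peer.Name != node.Name && (canReach(node, peer, filter) || canReach(peer, node, filter)) {
			out = append(out, peer)
		}
	}
	return out
}

// sampleNetwork is a constructed tailnet: admin may reach web and db, web may
// reach db, and "isolated" appears in no rule at all.
func sampleNetwork() (web Node, peers []Node, rules []FilterRule) {
	mk := func(name, ip string) Node {
		return Node{Name: name, IPs: []netip.Addr{netip.MustParseAddr(ip)}}
	}
	web = mk("web", "100.64.0.1")
	peers = []Node{mk("admin", "100.64.0.2"), mk("db", "100.64.0.3"), mk("isolated", "100.64.0.4")}
	rules = []FilterRule{
		{SrcIPs: []string{"100.64.0.2/32"}, DstPorts: []NetPortRange{{"100.64.0.1/32", "*"}, {"100.64.0.3/32", "5432"}}},
		{SrcIPs: []string{"100.64.0.1/32"}, DstPorts: []NetPortRange{{"100.64.0.3/32", "5432"}}},
	}
	return web, peers, rules
}

func main() {
	web, peers, rules := sampleNetwork()
	fmt.Println("rules web needs:", reduceFilterRules(web, rules))
	fmt.Println("peers web may see:", filterNodesByACL(web, peers, rules))
}
```

For the web node the reduction leaves a single rule with a single destination (the admin-to-web entry), and the peer list contains admin and db but not isolated: the client never learns that the fourth node exists, which is the property the real functions provide.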
Types
type ACL
type ACL struct {
	Action       string   `json:"action"`
	Protocol     string   `json:"proto"`
	Sources      []string `json:"src"`
	Destinations []string `json:"dst"`
}
ACL is a basic rule for the ACL Policy.
type ACLPolicy
type ACLPolicy struct {
	Groups        Groups        `json:"groups"`
	Hosts         Hosts         `json:"hosts"`
	TagOwners     TagOwners     `json:"tagOwners"`
	ACLs          []ACL         `json:"acls"`
	Tests         []ACLTest     `json:"tests"`
	AutoApprovers AutoApprovers `json:"autoApprovers"`
	SSHs          []SSH         `json:"ssh"`
}
ACLPolicy represents a Tailscale ACL Policy.
func LoadACLPolicyFromBytes
func LoadACLPolicyFromPath
LoadACLPolicyFromPath loads the ACL policy from the specified path and generates the ACL rules.
func (*ACLPolicy) CompileFilterRules
CompileFilterRules takes a set of nodes and an ACLPolicy and generates a set of Tailscale compatible FilterRules used to allow traffic on clients.
func (*ACLPolicy) CompileSSHPolicy
func (*ACLPolicy) ExpandAlias
ExpandAlias takes an alias of one of the following kinds and transforms it into a set of IP addresses:
- a user
- a group
- a tag
- a host
- an IP
- a CIDR
- an autogroup
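To show how each alias kind resolves, here is an added example of the expansion logic; it is not this package's code. It replaces types.Nodes and netipx.IPSet with constructed stand-ins and a plain []netip.Prefix, leaves autogroups out, and assumes that a user alias does not cover that user's tagged nodes (a tagged node is identified by its tags, not its owner).

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
	"strings"
)

type Node struct {
	User string
	Tags []string
	IPs  []netip.Addr
}

type Policy struct {
	Groups map[string][]string     // "group:name" -> users
	Hosts  map[string]netip.Prefix // host alias -> address or subnet
}

// hostPrefixes returns a single-host prefix (/32 or /128) per node address.
func hostPrefixes(n Node) []netip.Prefix {
	var out []netip.Prefix
	for _, ip := range n.IPs {
		out = append(out, netip.PrefixFrom(ip, ip.BitLen()))
	}
	return out
}

// nodesOfUser expands a user alias, skipping tagged nodes (assumption: a tagged
// node is identified by its tags, not its owner, so a user alias must not reach it).
func nodesOfUser(nodes []Node, user string) []netip.Prefix {
	var out []netip.Prefix
	for _, n := range nodes {
		if n.User == user && len(n.Tags) == 0 {
			out = append(out, hostPrefixes(n)...)
		}
	}
	return out
}

// expandAlias resolves one alias to the prefixes it denotes; autogroups are
// left out of this example.
func expandAlias(pol Policy, nodes []Node, alias string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	switch {
	case alias == "*":
		out = []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")}
	case strings.HasPrefix(alias, "group:"):
		users, ok := pol.Groups[alias]
		if !ok {
			return nil, fmt.Errorf("invalid group %q", alias)
		}
		for _, u := range users {
			out = append(out, nodesOfUser(nodes, u)...)
		}
	case strings.HasPrefix(alias, "tag:"):
		for _, n := range nodes {
			if slices.Contains(n.Tags, alias) {
				out = append(out, hostPrefixes(n)...)
			}
		}
	default:
		if pfx, ok := pol.Hosts[alias]; ok {
			return []netip.Prefix{pfx}, nil
		}
		if pfx, err := netip.ParsePrefix(alias); err == nil {
			return []netip.Prefix{pfx}, nil
		}
		if addr, err := netip.ParseAddr(alias); err == nil {
			return []netip.Prefix{netip.PrefixFrom(addr, addr.BitLen())}, nil
		}
		out = nodesOfUser(nodes, alias) // anything else is read as a user name
	}
	return out, nil
}

// joinPrefixes renders prefixes as "a,b" so results are easy to display and check.
func joinPrefixes(pfxs []netip.Prefix) string {
	parts := make([]string, 0, len(pfxs))
	for _, p := range pfxs {
		parts = append(parts, p.String())
	}
	return strings.Join(parts, ",")
}

// samplePolicy is constructed: alice and carol are admins, bob owns a tagged server.
func samplePolicy() (Policy, []Node) {
	ip := func(s string) []netip.Addr { return []netip.Addr{netip.MustParseAddr(s)} }
	nodes := []Node{
		{User: "alice", IPs: ip("100.64.0.1")},
		{User: "bob", Tags: []string{"tag:server"}, IPs: ip("100.64.0.2")},
		{User: "carol", IPs: ip("100.64.0.3")},
	}
	pol := Policy{
		Groups: map[string][]string{"group:admins": {"alice", "carol"}},
		Hosts:  map[string]netip.Prefix{"office": netip.MustParsePrefix("192.168.1.0/24")},
	}
	return pol, nodes
}
```

Calling expandAlias with "group:admins" yields the two untagged admin nodes, "tag:server" yields bob's server, and "bob" yields nothing at all because his only node is tagged; an unknown group is an error rather than an empty set, so a typo in a policy cannot silently widen or narrow a rule.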
func (*ACLPolicy) TagsOfNode
TagsOfNode returns the tags of the given node, split into valid and invalid tags. Invalid tags are tags a user added to a node without having the authority to add them. Valid tags are tags added by a user whom the ACL policy allows to add them.
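The valid/invalid split above is what stops any user from claiming a privileged tag just by requesting it. The following is an added example of that check, not the package's own implementation; it uses constructed stand-ins for the policy and node, and assumes tagOwners entries are either plain user names or "group:" aliases.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy and Node are constructed stand-ins with only the fields tag
// validation needs.
type Policy struct {
	Groups    map[string][]string // "group:name" -> users
	TagOwners map[string][]string // "tag:name" -> users or groups allowed to apply it
}

type Node struct {
	User          string
	RequestedTags []string // tags the node asked for when it registered
}

// userOwnsTag reports whether tagOwners lists the user for the tag, either
// directly or through one of the user's groups.
func userOwnsTag(pol Policy, user, tag string) bool {
	for _, owner := range pol.TagOwners[tag] {
		if !strings.HasPrefix(owner, "group:") {
			if owner == user {
				return true
			}
			continue
		}
		for _, member := range pol.Groups[owner] {
			if member == user {
				return true
			}
		}
	}
	return false
}

// tagsOfNode splits the requested tags into valid ones (the owning user may
// apply them) and invalid ones (no authority, or the tag is not in tagOwners
// at all). Only the valid set should ever feed into ACL evaluation.
func tagsOfNode(pol Policy, node Node) (valid, invalid []string) {
	for _, tag := range node.RequestedTags {
		if userOwnsTag(pol, node.User, tag) {
			valid = append(valid, tag)
		} else {
			invalid = append(invalid, tag)
		}
	}
	return valid, invalid
}

// samplePolicy is constructed: group:ops (bob) may apply tag:server, and only
// alice may apply tag:prod.
func samplePolicy() Policy {
	return Policy{
		Groups: map[string][]string{"group:ops": {"bob"}},
		TagOwners: map[string][]string{
			"tag:server": {"group:ops"},
			"tag:prod":   {"alice"},
		},
	}
}

func main() {
	node := Node{User: "bob", RequestedTags: []string{"tag:server", "tag:prod", "tag:unlisted"}}
	valid, invalid := tagsOfNode(samplePolicy(), node)
	fmt.Println("valid:", valid, "invalid:", invalid)
}
```

Bob ends up with tag:server as valid (through group:ops) while tag:prod and tag:unlisted are rejected; a tag that appears nowhere in tagOwners is invalid for everyone.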
type ACLTest
type ACLTest struct {
	Source string   `json:"src"`
	Accept []string `json:"accept"`
	Deny   []string `json:"deny,omitempty"`
}
ACLTest is not implemented, but should be used to check if a certain rule is allowed.
type AutoApprovers
type AutoApprovers struct {
	Routes   map[string][]string `json:"routes"`
	ExitNode []string            `json:"exitNode"`
}
AutoApprovers specifies which users, groups or tags have their advertised routes or exit node status automatically enabled.
func (*AutoApprovers) GetRouteApprovers
func (autoApprovers *AutoApprovers) GetRouteApprovers(
	prefix netip.Prefix,
) ([]string, error)
GetRouteApprovers returns the list of autoApproving users, groups or tags for a given IPPrefix.
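The lookup described above decides who may auto-approve a route, so it is worth seeing which configured prefixes count as covering a request. This is an added reimplementation written for this page, not the package's GetRouteApprovers; it keeps the struct from the page and assumes that a route is covered by every configured prefix that contains it, with a zero-length prefix treated as an exit-node request.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// AutoApprovers mirrors the page's struct; the method below is an added
// reimplementation of the route lookup, not the package's own code.
type AutoApprovers struct {
	Routes   map[string][]string `json:"routes"`
	ExitNode []string            `json:"exitNode"`
}

// routeApprovers returns the aliases that may auto-approve the given route. A
// default route (prefix length 0) is an exit-node request and uses ExitNode;
// any other route collects the approvers of every configured prefix that
// contains it, so a broad key such as 10.0.0.0/8 covers every sub-route a
// node could advertise inside it.
func (a *AutoApprovers) routeApprovers(prefix netip.Prefix) ([]string, error) {
	if prefix.Bits() == 0 {
		return a.ExitNode, nil
	}
	var approvers []string
	for key, aliases := range a.Routes {
		approved, err := netip.ParsePrefix(key)
		if err != nil {
			return nil, fmt.Errorf("autoApprovers route %q: %w", key, err)
		}
		if prefix.Bits() >= approved.Bits() && approved.Contains(prefix.Masked().Addr()) {
			approvers = append(approvers, aliases...)
		}
	}
	sort.Strings(approvers) // map iteration order is random; keep results stable
	return approvers, nil
}

// sampleApprovers is constructed: net-admins may approve anything in 10/8,
// routers additionally approve 10.1/16, and tag:exit may become an exit node.
func sampleApprovers() AutoApprovers {
	return AutoApprovers{
		Routes: map[string][]string{
			"10.0.0.0/8":  {"group:net-admins"},
			"10.1.0.0/16": {"tag:router"},
		},
		ExitNode: []string{"tag:exit"},
	}
}

func main() {
	a := sampleApprovers()
	for _, route := range []string{"10.1.2.0/24", "10.2.0.0/16", "192.168.0.0/24", "0.0.0.0/0"} {
		approvers, err := a.routeApprovers(netip.MustParsePrefix(route))
		fmt.Printf("%-15s approvers=%v err=%v\n", route, approvers, err)
	}
}
```

Note the asymmetry: a request for 10.1.2.0/24 is covered by both keys, while a request for the whole 10.0.0.0/8 is covered only by the /8 entry, since a narrower approval never authorises a broader route. When reviewing a policy, the broad keys are the ones to scrutinise.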
type Hosts
Hosts are aliases for IP addresses or subnets.
func (*Hosts) UnmarshalJSON
UnmarshalJSON parses the Hosts entries directly into netip objects.
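As an added illustration of that parsing step (not the package's own UnmarshalJSON), the following decodes a "hosts" section with encoding/json and plain JSON, storing every value as a netip.Prefix; it assumes a bare address should become a single-host prefix and that anything else is rejected outright, so a typo cannot turn into an empty or overly broad alias.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Hosts maps a host alias to the address or subnet it stands for.
type Hosts map[string]netip.Prefix

// UnmarshalJSON accepts {"name": "10.0.0.5"} or {"name": "192.168.1.0/24"}
// and stores every value as a netip.Prefix: a bare address becomes a
// single-host prefix (/32 or /128), and anything unparsable is an error.
func (h *Hosts) UnmarshalJSON(data []byte) error {
	raw := map[string]string{}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	out := make(Hosts, len(raw))
	for name, value := range raw {
		pfx, err := netip.ParsePrefix(value)
		if err != nil {
			addr, addrErr := netip.ParseAddr(value)
			if addrErr != nil {
				return fmt.Errorf("host %q: %q is neither an IP address nor a CIDR", name, value)
			}
			pfx = netip.PrefixFrom(addr, addr.BitLen())
		}
		out[name] = pfx
	}
	*h = out
	return nil
}

// parseHosts decodes the "hosts" section of a policy document.
func parseHosts(doc string) (Hosts, error) {
	var pol struct {
		Hosts Hosts `json:"hosts"`
	}
	if err := json.Unmarshal([]byte(doc), &pol); err != nil {
		return nil, err
	}
	return pol.Hosts, nil
}

// samplePolicy is a constructed policy fragment with one subnet, one IPv4
// host and one IPv6 host.
const samplePolicy = `{"hosts": {"office": "192.168.1.0/24", "bastion": "10.0.0.5", "dns6": "fd7a:115c:a1e0::1"}}`

func main() {
	hosts, err := parseHosts(samplePolicy)
	if err != nil {
		panic(err)
	}
	for name, pfx := range hosts {
		fmt.Printf("%s -> %s\n", name, pfx)
	}
	_, err = parseHosts(`{"hosts": {"typo": "10.0.0.300"}}`)
	fmt.Println("invalid host rejected:", err)
}
```

The bare address "10.0.0.5" comes back as 10.0.0.5/32 and the IPv6 host as a /128, so later code can treat every alias uniformly as a prefix; the malformed "10.0.0.300" fails the whole load rather than being dropped.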