Package filter

v1.2.3

This package is not in the latest version of its module.

Published: Nov 8, 2020 License: BSD-3-Clause Imports: 11 Imported by: 25

Documentation

Overview

Package filter contains a stateful packet filter.

Constants

This section is empty.

Variables

var MatchAllowAll = Matches{
	Match{[]NetPortRange{NetPortRangeAny}, []Net{NetAny}},
}

MatchAllowAll matches all packets.

var NetAny = Net{0, 0}

var NetNone = Net{^packet.IP(0), ^packet.IP(0)}

var NetPortRangeAny = NetPortRange{NetAny, PortRangeAny}

var PortRangeAny = PortRange{0, 65535}

Functions

func Netmask added in v0.98.1

func Netmask(bits int) packet.IP

func NewIP

func NewIP(ip net.IP) packet.IP

Types

type Filter

type Filter struct {
	// contains filtered or unexported fields
}

Filter is a stateful packet filter.

func New

func New(matches Matches, localNets []Net, shareStateWith *Filter, logf logger.Logf) *Filter

New creates a new packet filter. The filter enforces that incoming packets must be destined to an IP in localNets, and must be allowed by matches. If shareStateWith is non-nil, the returned filter shares state with the previous one, to enable rules to be changed at runtime without breaking existing flows.

func NewAllowAll

func NewAllowAll(localNets []Net, logf logger.Logf) *Filter

NewAllowAll returns a packet filter that accepts everything to and from localNets.

func NewAllowNone

func NewAllowNone(logf logger.Logf) *Filter

NewAllowNone returns a packet filter that rejects everything.

func (*Filter) RunIn

func (f *Filter) RunIn(q *packet.ParsedPacket, rf RunFlags) Response

RunIn determines whether this node is allowed to receive q from a Tailscale peer.

func (*Filter) RunOut

func (f *Filter) RunOut(q *packet.ParsedPacket, rf RunFlags) Response

RunOut determines whether this node is allowed to send q to a Tailscale peer.

type Match

type Match struct {
	Dsts []NetPortRange
	Srcs []Net
}

func (Match) Clone

func (m Match) Clone() (res Match)

func (Match) String

func (m Match) String() string

type Matches

type Matches []Match

func MatchesFromFilterRules added in v1.2.0

func MatchesFromFilterRules(pf []tailcfg.FilterRule) (Matches, error)

MatchesFromFilterRules parses a number of wire-format FilterRule values into the Matches format. If an error is returned, the Matches result is still valid and contains the rules that were successfully converted. Because Matches are allow rules, installing that partial result yields a stricter filter than the full rule set would, never a more permissive one.

func (Matches) Clone

func (m Matches) Clone() (res Matches)

type Net added in v0.98.1

type Net struct {
	IP   packet.IP
	Mask packet.IP
}

func (Net) Bits added in v0.98.1

func (n Net) Bits() int

func (Net) Includes added in v0.98.1

func (n Net) Includes(ip packet.IP) bool

func (Net) String added in v0.98.1

func (n Net) String() string

type NetPortRange added in v0.98.1

type NetPortRange struct {
	Net   Net
	Ports PortRange
}

func (NetPortRange) String added in v0.98.1

func (ipr NetPortRange) String() string

type PortRange

type PortRange struct {
	First, Last uint16
}

func (PortRange) String

func (pr PortRange) String() string

type Response

type Response int

Response is a verdict: Drop, Accept, or the unexported noVerdict, which means no decision has been reached yet and processing continues. Drop is the zero value, so an uninitialized Response is a Drop.

const (
	Drop Response = iota
	Accept
)
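The doc comments for New, Match, Net and NetPortRange above describe the filter's decision rule in prose only. The following is an added, self-contained toy that reimplements that rule so the behaviour can be exercised offline; it is not the project's code, and it deliberately uses the same type and function names as the page so the two read side by side. Assumptions: IP is an IPv4 address as a uint32 (the page's packet.IP at this version), Net.Includes is a prefix match on the masked bits, a packet is allowed when its source is in some rule's Srcs and its destination address and port fall in one of that rule's Dsts, and the incoming check also requires the destination to be in localNets as New documents. Flow-state tracking (shareStateWith) and logging are omitted. The helpers mustIP and sshOnly and the 100.64.0.0/10 and 100.101.102.103 addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// IP is an IPv4 address as a big-endian uint32, the shape packet.IP had at this
// version. Assumption: this toy models IPv4 only.
type IP uint32

// NewIP converts a net.IP to IP; anything that is not IPv4 becomes 0.
func NewIP(ip net.IP) IP {
	ip4 := ip.To4()
	if ip4 == nil {
		return 0
	}
	return IP(ip4[0])<<24 | IP(ip4[1])<<16 | IP(ip4[2])<<8 | IP(ip4[3])
}

func mustIP(s string) IP { return NewIP(net.ParseIP(s)) } // test helper (constructed)

// Netmask returns the mask with the top bits set: Netmask(10) is 0xFFC00000.
func Netmask(bits int) IP {
	if bits <= 0 {
		return 0
	}
	if bits >= 32 {
		return ^IP(0)
	}
	return ^IP(0) << uint(32-bits)
}

type Net struct{ IP, Mask IP }

// Includes compares only the masked bits, so NetAny (mask 0) includes everything.
func (n Net) Includes(ip IP) bool { return n.IP&n.Mask == ip&n.Mask }

type PortRange struct{ First, Last uint16 }

func (pr PortRange) Includes(p uint16) bool { return pr.First <= p && p <= pr.Last }

type NetPortRange struct {
	Net   Net
	Ports PortRange
}

// Match allows any address in Srcs to reach any (prefix, port range) in Dsts.
type Match struct {
	Dsts []NetPortRange
	Srcs []Net
}

type Matches []Match

var (
	NetAny          = Net{0, 0}
	PortRangeAny    = PortRange{0, 65535}
	NetPortRangeAny = NetPortRange{NetAny, PortRangeAny}
	MatchAllowAll   = Matches{{[]NetPortRange{NetPortRangeAny}, []Net{NetAny}}}
)

type Response int

const (
	Drop Response = iota // the zero value, so an unset verdict fails closed
	Accept
)

func (r Response) String() string {
	if r == Accept {
		return "Accept"
	}
	return "Drop"
}

// Filter holds the allow rules and the local addresses. The page's Filter also
// tracks flow state (shareStateWith); this toy leaves that out.
type Filter struct {
	matches   Matches
	localNets []Net
}

func New(matches Matches, localNets []Net) *Filter { return &Filter{matches, localNets} }

func anyIncludes(nets []Net, ip IP) bool {
	for _, n := range nets {
		if n.Includes(ip) {
			return true
		}
	}
	return false
}

// RunIn applies the two checks New documents: dst must be a local address and
// some rule must allow src -> dst:dstPort. Anything unmatched is dropped.
func (f *Filter) RunIn(src, dst IP, dstPort uint16) Response {
	if !anyIncludes(f.localNets, dst) {
		return Drop
	}
	for _, m := range f.matches {
		if !anyIncludes(m.Srcs, src) {
			continue
		}
		for _, d := range m.Dsts {
			if d.Net.Includes(dst) && d.Ports.Includes(dstPort) {
				return Accept
			}
		}
	}
	return Drop
}

// sshOnly is a constructed sample policy: SSH from 100.64.0.0/10 to one local address.
func sshOnly(local IP) *Filter {
	rule := Match{
		Srcs: []Net{{mustIP("100.64.0.0"), Netmask(10)}},
		Dsts: []NetPortRange{{Net{local, Netmask(32)}, PortRange{22, 22}}},
	}
	return New(Matches{rule}, []Net{{local, Netmask(32)}})
}

func main() {
	self, peer := mustIP("100.101.102.103"), mustIP("100.64.1.2")
	f := sshOnly(self)
	fmt.Println(f.RunIn(peer, self, 22), f.RunIn(peer, self, 80), f.RunIn(peer, mustIP("100.101.102.104"), 22))
}
```

Two properties worth noting from running it: the localNets check runs before the rules, so even MatchAllowAll accepts nothing addressed to a non-local IP, and every path that does not positively match ends in Drop, which is the zero value of Response.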

func (Response) String

func (r Response) String() string

type RunFlags

type RunFlags int

RunFlags controls the filter's debug log verbosity at runtime. The values are single bits (1 << iota) and are combined with |, for example LogDrops|HexdumpDrops. The Hexdump flags write packet contents to the log, so they are for debugging sessions rather than steady-state operation.

const (
	LogDrops RunFlags = 1 << iota
	LogAccepts
	HexdumpDrops
	HexdumpAccepts
)
