package filter

v1.71.0-pre

Published: Jul 17, 2024 License: BSD-3-Clause Imports: 20 Imported by: 25

Documentation

Overview

Package filter is a stateful packet filter.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CapMatch added in v1.24.0

type CapMatch = filtertype.CapMatch

type CapTestFunc added in v1.70.0

type CapTestFunc = func(srcIP netip.Addr, cap tailcfg.NodeCapability) bool

CapTestFunc is the function signature of a function that tests whether srcIP has a given capability.

It is used in the fast path of evaluating filter rules, so it should be fast.

type Filter

type Filter struct {
	// contains filtered or unexported fields
}

Filter is a stateful packet filter.

func New

func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter

New creates a new packet filter. The filter enforces that incoming packets must be destined to an IP in localNets, and must be allowed by matches. The optional capTest func is used to evaluate a Match that uses capabilities. If nil, such matches will always fail.

If shareStateWith is non-nil, the returned filter shares state with the previous one, to enable changing rules at runtime without breaking existing stateful flows.

func NewAllowAllForTest added in v1.4.0

func NewAllowAllForTest(logf logger.Logf) *Filter

NewAllowAllForTest returns a packet filter that accepts everything. Use in tests only, as it permits some kinds of spoofing attacks to reach the OS network stack.

func NewAllowNone

func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter

NewAllowNone returns a packet filter that rejects everything.

func NewShieldsUpFilter added in v1.4.0

func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter

NewShieldsUpFilter returns a packet filter that rejects incoming connections.

If shareStateWith is non-nil, the returned filter shares state with the previous one, as long as the previous one was also a shields up filter.

func (*Filter) CapsWithValues added in v1.48.0

func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap

CapsWithValues returns the capabilities that srcIP has talking to dstIP.

func (*Filter) Check added in v1.56.0

func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response

Check determines whether traffic from srcIP to dstIP:dstPort is allowed using protocol proto.

func (*Filter) CheckTCP added in v1.4.0

func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response

CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort is allowed.

func (*Filter) RunIn

func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response

RunIn determines whether this node is allowed to receive q from a Tailscale peer.

func (*Filter) RunOut

func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) Response

RunOut determines whether this node is allowed to send q to a Tailscale peer.

func (*Filter) ShieldsUp added in v1.4.0

func (f *Filter) ShieldsUp() bool

ShieldsUp reports whether this is a "shields up" (block everything incoming) filter.
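As an added illustration, and not code from the tailscale repository or this package: a stdlib-only Go model of the semantics documented above for New, NewShieldsUpFilter, CheckTCP, RunIn and RunOut. It shows why New takes shareStateWith: a flow this node opened keeps working across a rule swap (even to a shields-up filter) only when the new filter inherits the old filter's flow table. The Rule, Packet and flowKey types, the flow-table layout and the 100.64.0.0/10 sample addresses are assumptions made for this model; the real Match, packet.Parsed and state types live in filtertype and packet, and the model omits capability matching, logging flags and the DropSilently verdict.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Response mirrors the verdict names documented for wgengine/filter.
type Response int

const (
	Drop   Response = iota // do not continue processing packet
	Accept                 // continue processing packet
)

func (r Response) IsDrop() bool { return r == Drop }

// Packet stands in for packet.Parsed; only addresses and ports matter here.
type Packet struct{ Src, Dst netip.AddrPort }

// Rule is a constructed stand-in for a Match: allow Src -> Dst on a port range.
type Rule struct {
	Src, Dst            netip.Prefix
	PortFirst, PortLast uint16
}

// flowKey identifies a flow this node initiated: (local addr, peer addr, peer port).
type flowKey struct {
	local, peer netip.Addr
	peerPort    uint16
}

// flowState is the table that shareStateWith hands from an old filter to a new one.
type flowState struct{ flows map[flowKey]struct{} }

type Filter struct {
	rules     []Rule
	localNets []netip.Prefix
	shieldsUp bool
	state     *flowState
}

// New models filter.New: incoming packets must be destined to localNets and be
// allowed by a rule. A non-nil shareStateWith keeps existing flows alive.
func New(rules []Rule, localNets []netip.Prefix, shareStateWith *Filter) *Filter {
	f := &Filter{rules: rules, localNets: localNets}
	if shareStateWith != nil {
		f.state = shareStateWith.state
	} else {
		f.state = &flowState{flows: map[flowKey]struct{}{}}
	}
	return f
}

// NewShieldsUpFilter models the "block everything incoming" filter.
func NewShieldsUpFilter(localNets []netip.Prefix, shareStateWith *Filter) *Filter {
	f := New(nil, localNets, shareStateWith)
	f.shieldsUp = true
	return f
}

func (f *Filter) ShieldsUp() bool { return f.shieldsUp }

func inAny(nets []netip.Prefix, a netip.Addr) bool {
	for _, n := range nets {
		if n.Contains(a) {
			return true
		}
	}
	return false
}

// CheckTCP is the stateless rule check: may src open dst:dstPort?
func (f *Filter) CheckTCP(src, dst netip.Addr, dstPort uint16) Response {
	if f.shieldsUp || !inAny(f.localNets, dst) {
		return Drop
	}
	for _, r := range f.rules {
		if r.Src.Contains(src) && r.Dst.Contains(dst) && dstPort >= r.PortFirst && dstPort <= r.PortLast {
			return Accept
		}
	}
	return Drop
}

// RunOut records the outbound flow so that its replies can come back in.
func (f *Filter) RunOut(p Packet) Response {
	f.state.flows[flowKey{p.Src.Addr(), p.Dst.Addr(), p.Dst.Port()}] = struct{}{}
	return Accept
}

// RunIn accepts a reply to a flow we opened; anything else must pass the rules.
func (f *Filter) RunIn(p Packet) Response {
	if !inAny(f.localNets, p.Dst.Addr()) {
		return Drop
	}
	if _, ok := f.state.flows[flowKey{p.Dst.Addr(), p.Src.Addr(), p.Src.Port()}]; ok {
		return Accept
	}
	return f.CheckTCP(p.Src.Addr(), p.Dst.Addr(), p.Dst.Port())
}

// ReplyAfterRuleSwap: the node opens a flow to a peer, the filter is swapped to
// shields up, and the peer's reply arrives. It survives only with shared state.
func ReplyAfterRuleSwap(share bool) Response {
	local := netip.MustParsePrefix("100.64.0.1/32") // constructed sample addresses
	peer := netip.MustParseAddr("100.64.0.2")
	old := New(nil, []netip.Prefix{local}, nil)
	old.RunOut(Packet{Src: netip.AddrPortFrom(local.Addr(), 51000), Dst: netip.AddrPortFrom(peer, 443)})
	var prev *Filter
	if share {
		prev = old
	}
	cur := NewShieldsUpFilter([]netip.Prefix{local}, prev)
	return cur.RunIn(Packet{Src: netip.AddrPortFrom(peer, 443), Dst: netip.AddrPortFrom(local.Addr(), 51000)})
}

// RuleCheck: a single rule allowing the tailnet range to reach the local node on port 22.
func RuleCheck(dstPort uint16, dst netip.Addr) Response {
	local := netip.MustParsePrefix("100.64.0.1/32")
	rules := []Rule{{Src: netip.MustParsePrefix("100.64.0.0/10"), Dst: local, PortFirst: 22, PortLast: 22}}
	return New(rules, []netip.Prefix{local}, nil).CheckTCP(netip.MustParseAddr("100.64.0.2"), dst, dstPort)
}

func main() {
	fmt.Println("reply with shared state:", ReplyAfterRuleSwap(true) == Accept)
	fmt.Println("reply without shared state:", ReplyAfterRuleSwap(false) == Accept)
	fmt.Println("ssh to local allowed:", RuleCheck(22, netip.MustParseAddr("100.64.0.1")) == Accept)
}
```

The flow table is keyed on the peer's port and the local port because a TCP reply swaps source and destination; a filter that only compared destination ports would let a rule swap silently break every established connection, which is exactly the failure shareStateWith exists to avoid.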

type Match

type Match = filtertype.Match

func MatchesFromFilterRules added in v1.2.0

func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error)

MatchesFromFilterRules converts tailcfg FilterRules into Matches. If an error is returned, the Matches result is still valid, containing the rules that were successfully converted.

type NetPortRange added in v0.98.1

type NetPortRange = filtertype.NetPortRange

type PortRange

type PortRange = filtertype.PortRange

type Response

type Response int

Response is a verdict from the packet filter.

const (
	Drop         Response = iota // do not continue processing packet.
	DropSilently                 // do not continue processing packet, but also don't log
	Accept                       // continue processing packet.
)

func (Response) IsDrop added in v1.4.0

func (r Response) IsDrop() bool

func (Response) String

func (r Response) String() string

type RunFlags

type RunFlags int

RunFlags controls the filter's debug log verbosity at runtime.

const (
	LogDrops       RunFlags = 1 << iota // write dropped packet info to logf
	LogAccepts                          // write accepted packet info to logf
	HexdumpDrops                        // print packet hexdump when logging drops
	HexdumpAccepts                      // print packet hexdump when logging accepts
)

Directories

Path: filtertype. Synopsis: Package filtertype defines the types used by wgengine/filter.
