filter
Documentation
Overview
Package filter is a stateful packet filter.
Index
- type CapMatch
- type CapTestFunc
- type Filter
- func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet, ...) *Filter
- func NewAllowAllForTest(logf logger.Logf) *Filter
- func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter
- func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, ...) *Filter
- func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
- func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response
- func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response
- func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response
- func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) (Response, usermetric.DropReason)
- func (f *Filter) ShieldsUp() bool
- type Match
- type NetPortRange
- type PortRange
- type Response
- type RunFlags
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CapMatch (added in v1.24.0)
type CapMatch = filtertype.CapMatch
type CapTestFunc (added in v1.70.0)
type CapTestFunc = func(srcIP netip.Addr, cap tailcfg.NodeCapability) bool
CapTestFunc is the function signature of a function that tests whether srcIP has a given capability.
It is used in the fast path of evaluating filter rules, so it should be fast.
type Filter
type Filter struct {
	// contains filtered or unexported fields
}
Filter is a stateful packet filter.
func New
func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
New creates a new packet filter. The filter enforces that incoming packets must be destined to an IP in localNets, and must be allowed by matches. The optional capTest func is used to evaluate a Match that uses capabilities. If nil, such matches will always fail.
If shareStateWith is non-nil, the returned filter shares state with the previous one, to enable changing rules at runtime without breaking existing stateful flows.
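A simplified model of the behaviour New documents, added here as an illustration and not code from the package: an incoming packet must be destined to the local prefix and be allowed by a rule, and passing shareStateWith carries tracked flows across a rule change. The names toyFilter, rule and flow, and the assumption that the shared state is a table of outbound flows whose replies are admitted, belong to this example only; the addresses are constructed.

```go
package main

import ("fmt"; "net/netip")

// flow keys the connection table; netip.AddrPort is comparable.
type flow struct{ src, dst netip.AddrPort }

// rule admits inbound traffic from a source prefix to one destination port.
type rule struct { src netip.Prefix; port uint16 }

// toyFilter is a hypothetical stand-in, not the package's Filter type.
type toyFilter struct {
	local netip.Prefix  // plays the role of localNets
	rules []rule        // plays the role of matches
	seen  map[flow]bool // assumed state: outbound flows whose replies are admitted
}

// newToyFilter mirrors the shape of New: a non-nil shareStateWith reuses its flow table.
func newToyFilter(local netip.Prefix, rules []rule, shareStateWith *toyFilter) *toyFilter {
	f := &toyFilter{local: local, rules: rules, seen: map[flow]bool{}}
	if shareStateWith != nil {
		f.seen = shareStateWith.seen
	}
	return f
}

func (f *toyFilter) runOut(src, dst netip.AddrPort) { f.seen[flow{src, dst}] = true } // track flow

// runIn accepts a tracked reply or a rule match, and only for a local destination.
func (f *toyFilter) runIn(src, dst netip.AddrPort) bool {
	ok := f.seen[flow{dst, src}] // reply to a tracked outbound flow
	for _, r := range f.rules {
		ok = ok || (r.src.Contains(src.Addr()) && r.port == dst.Port())
	}
	return ok && f.local.Contains(dst.Addr())
}

// demo returns: reply via shared state, reply via fresh state, rule match, rule match to non-local IP.
func demo() [4]bool {
	ap := netip.MustParseAddrPort // constructed sample addresses below
	local, me, peer := netip.MustParsePrefix("100.64.0.1/32"), ap("100.64.0.1:40000"), ap("100.64.0.2:443")
	old := newToyFilter(local, []rule{{netip.MustParsePrefix("100.64.0.0/10"), 22}}, nil)
	old.runOut(me, peer) // flow established under the old rules
	shared, fresh := newToyFilter(local, nil, old), newToyFilter(local, nil, nil)
	return [4]bool{shared.runIn(peer, me), fresh.runIn(peer, me),
		old.runIn(ap("100.64.0.2:50000"), ap("100.64.0.1:22")), old.runIn(ap("100.64.0.2:50000"), ap("10.0.0.5:22"))}
}

func main() { fmt.Println(demo()) }
```

The second result is the failure mode the shareStateWith parameter avoids: a replacement filter built without the previous one drops the reply to a flow that was already in progress.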
func NewAllowAllForTest (added in v1.4.0)
NewAllowAllForTest returns a packet filter that accepts everything. Use in tests only, as it permits some kinds of spoofing attacks to reach the OS network stack.
func NewAllowNone
NewAllowNone returns a packet filter that rejects everything.
func NewShieldsUpFilter (added in v1.4.0)
func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
NewShieldsUpFilter returns a packet filter that rejects incoming connections.
If shareStateWith is non-nil, the returned filter shares state with the previous one, as long as the previous one was also a shields up filter.
func (*Filter) CapsWithValues (added in v1.48.0)
func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
CapsWithValues appends to base the capabilities that srcIP has talking to dstIP.
func (*Filter) Check (added in v1.56.0)
Check determines whether traffic from srcIP to dstIP:dstPort is allowed using protocol proto.
func (*Filter) CheckTCP (added in v1.4.0)
CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort is allowed.
func (*Filter) RunIn
RunIn determines whether this node is allowed to receive q from a Tailscale peer.
func (*Filter) RunOut
func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) (Response, usermetric.DropReason)
RunOut determines whether this node is allowed to send q to a Tailscale peer.
type Match
type Match = filtertype.Match
func MatchesFromFilterRules (added in v1.2.0)
func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error)
MatchesFromFilterRules converts tailcfg FilterRules into Matches. If an error is returned, the Matches result is still valid, containing the rules that were successfully converted.
type NetPortRange (added in v0.98.1)
type NetPortRange = filtertype.NetPortRange
type PortRange
type PortRange = filtertype.PortRange
Directories
| Path | Synopsis |
|---|---|
| filtertype | Package filtertype defines the types used by wgengine/filter. |