Documentation
Index
- Constants
- func IsGateEvent(e EventType) bool
- func Validate(doc *PolicyDocument) error
- type Action
- type ActionType
- type CompiledPolicy
- func (cp *CompiledPolicy) CycleDuration() (dur, grace string)
- func (cp *CompiledPolicy) Evaluate(eventType EventType, ctx map[string]interface{}) ([]Directive, error)
- func (cp *CompiledPolicy) EvaluatePeerExpr(ruleName string, actionIdx int, peerCtx map[string]interface{}) (bool, error)
- func (cp *CompiledPolicy) HasRulesFor(eventType EventType) bool
- func (cp *CompiledPolicy) MaxPeers() int
- func (cp *CompiledPolicy) PeerProgramCount() int
- func (cp *CompiledPolicy) RuleCount() int
- type Directive
- type DirectiveType
- type EventType
- type PolicyDocument
- type Rule
Constants
const (
	EventConnect  = coreapi.PolicyEventConnect  // inbound SYN
	EventDial     = coreapi.PolicyEventDial     // outbound SYN
	EventDatagram = coreapi.PolicyEventDatagram // inbound/outbound datagram
	EventCycle    = coreapi.PolicyEventCycle    // periodic timer tick
	EventJoin     = coreapi.PolicyEventJoin     // peer joins network
	EventLeave    = coreapi.PolicyEventLeave    // peer leaves network
)
const Version = 1
Version is the current policy document schema version.
Variables
This section is empty.
Functions
func IsGateEvent
func IsGateEvent(e EventType) bool
IsGateEvent returns true if the event type produces allow/deny verdicts. It is a free function rather than a method because EventType is a type alias for coreapi.PolicyEventType, and Go forbids defining methods on non-local types.
func Validate
func Validate(doc *PolicyDocument) error
Validate checks the structural validity of a policy document. It does NOT compile expressions; use Compile for full validation.
Types
type Action
type Action struct {
	Type   ActionType             `json:"type"`
	Params map[string]interface{} `json:"params,omitempty"`
}
Action is a single action within a rule.
type ActionType
type ActionType string
ActionType identifies what a rule does when it matches.
const (
	ActionAllow      ActionType = "allow"
	ActionDeny       ActionType = "deny"
	ActionTag        ActionType = "tag"
	ActionEvict      ActionType = "evict"
	ActionEvictWhere ActionType = "evict_where"
	ActionPrune      ActionType = "prune"
	ActionFill       ActionType = "fill"
	ActionPruneTrust ActionType = "prune_trust"
	ActionFillTrust  ActionType = "fill_trust"
	ActionWebhook    ActionType = "webhook"
	ActionLog        ActionType = "log"
)
type CompiledPolicy
type CompiledPolicy struct {
	Doc PolicyDocument
	// contains filtered or unexported fields
}
CompiledPolicy holds a fully compiled and validated policy ready for evaluation.
func Compile
func Compile(doc *PolicyDocument) (*CompiledPolicy, error)
Compile validates and compiles all expressions in a policy document. Returns an error if any expression fails type-checking or compilation.
func (*CompiledPolicy) CycleDuration
func (cp *CompiledPolicy) CycleDuration() (dur, grace string)
CycleDuration returns the configured cycle interval (dur) and its grace value (grace) from config, as strings; both are empty if not set.
func (*CompiledPolicy) Evaluate
func (cp *CompiledPolicy) Evaluate(eventType EventType, ctx map[string]interface{}) ([]Directive, error)
Evaluate runs all rules for the given event type against the provided context. For gate events (connect, dial, datagram), evaluation stops at the first verdict. For action events (cycle, join, leave), all matching rules fire.
The context map must contain the variables declared for the event type (see env.go). Returns a list of directives the caller should execute.
func (*CompiledPolicy) EvaluatePeerExpr
func (cp *CompiledPolicy) EvaluatePeerExpr(ruleName string, actionIdx int, peerCtx map[string]interface{}) (bool, error)
EvaluatePeerExpr evaluates a pre-compiled peer sub-expression (e.g. evict_where) against per-peer variables. Returns true if the peer matches.
func (*CompiledPolicy) HasRulesFor
func (cp *CompiledPolicy) HasRulesFor(eventType EventType) bool
HasRulesFor returns true if the policy has any rules for the given event type.
func (*CompiledPolicy) MaxPeers
func (cp *CompiledPolicy) MaxPeers() int
MaxPeers returns the configured max_peers from config, or 0 if not set.
func (*CompiledPolicy) PeerProgramCount
func (cp *CompiledPolicy) PeerProgramCount() int
PeerProgramCount returns the number of compiled per-peer evict_where programs. Exposed for tests.
func (*CompiledPolicy) RuleCount
func (cp *CompiledPolicy) RuleCount() int
RuleCount returns the number of compiled rules. Exposed for tests.
type Directive
type Directive struct {
	Type      DirectiveType
	Rule      string                 // source rule name
	ActionIdx int                    // index of this action within the rule's Actions list (for peerProgram lookup)
	Params    map[string]interface{} // action parameters
}
Directive is an instruction produced by evaluating a rule.
type DirectiveType
type DirectiveType int
DirectiveType identifies the kind of directive returned by evaluation.
const (
	DirectiveAllow DirectiveType = iota
	DirectiveDeny
	DirectiveTag
	DirectiveEvict
	DirectiveEvictWhere
	DirectivePrune
	DirectiveFill
	DirectivePruneTrust
	DirectiveFillTrust
	DirectiveWebhook
	DirectiveLog
)
type EventType
type EventType = coreapi.PolicyEventType
EventType identifies the protocol event a rule matches against. Aliased to coreapi.PolicyEventType so daemon (L7) can pass values through the gate without importing this plugin package.
type PolicyDocument
type PolicyDocument struct {
	Version        int                    `json:"version"`
	DefaultVerdict string                 `json:"default_verdict,omitempty"`
	Config         map[string]interface{} `json:"config,omitempty"`
	Rules          []Rule                 `json:"rules"`
}
PolicyDocument is the top-level policy structure stored as JSON. DefaultVerdict controls gate-event behavior when no rule produces a verdict. Valid values: "allow" (the default, kept for backwards compatibility) or "deny" (default-deny; explicit allow rules are then required).
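The gate-versus-action evaluation described under Evaluate and the default_verdict fallback described above, modelled in Go as an added example that is not the package's own code: the Rule fields, the Policy struct and the Go predicate standing in for a compiled expression are assumptions, while the event names and ActionType strings follow the page. It makes visible that a gate event with no verdict-producing rule is allowed unless default_verdict is "deny".

```go
package main
type EventType int // stands in for the page's alias of coreapi.PolicyEventType
const (
	EventConnect EventType = iota // inbound SYN (gate)
	EventDial                     // outbound SYN (gate)
	EventDatagram                 // inbound/outbound datagram (gate)
	EventCycle                    // periodic timer tick (action)
	EventJoin                     // peer joins network (action)
	EventLeave                    // peer leaves network (action)
)
// IsGateEvent mirrors the page: only connect/dial/datagram produce allow/deny verdicts.
func IsGateEvent(e EventType) bool {
	return e == EventConnect || e == EventDial || e == EventDatagram
}
type Directive struct{ Type, Rule string } // Type holds an ActionType string
type Rule struct { // hypothetical flattening of the page's Rule type (fields assumed)
	Name    string
	Event   EventType
	Match   func(ctx map[string]interface{}) bool // stands in for the compiled expression
	Actions []string                              // ActionType strings: "log", "allow", "deny", ...
}
type Policy struct { // the two PolicyDocument fields the semantics depend on
	DefaultVerdict string // "" or "allow" = fail-open, "deny" = default-deny
	Rules          []Rule
}
// Evaluate models the documented semantics: gate events stop at the first allow/deny and
// fall back to DefaultVerdict when none fires; action events fire every matching rule.
func (p Policy) Evaluate(ev EventType, ctx map[string]interface{}) []Directive {
	var out []Directive
	for _, r := range p.Rules {
		if r.Event != ev || !r.Match(ctx) {
			continue
		}
		for _, a := range r.Actions {
			out = append(out, Directive{Type: a, Rule: r.Name})
			if IsGateEvent(ev) && (a == "allow" || a == "deny") {
				return out // first verdict wins; later rules are not consulted
			}
		}
	}
	if !IsGateEvent(ev) {
		return out // action event: no verdict is synthesised
	}
	v := "allow" // backwards-compatible default named on the page: fail-open
	if p.DefaultVerdict == "deny" {
		v = "deny"
	}
	return append(out, Directive{Type: v, Rule: "default_verdict"})
}
```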
func Parse
func Parse(data []byte) (*PolicyDocument, error)
Parse unmarshals and validates a policy document from JSON.