Documentation
¶
Index ¶
- Constants
- func Validate(doc *PolicyDocument) error
- type Action
- type ActionType
- type CompiledPolicy
- func (cp *CompiledPolicy) CycleDuration() (dur, grace string)
- func (cp *CompiledPolicy) Evaluate(eventType EventType, ctx map[string]interface{}) ([]Directive, error)
- func (cp *CompiledPolicy) EvaluatePeerExpr(ruleName string, actionIdx int, peerCtx map[string]interface{}) (bool, error)
- func (cp *CompiledPolicy) HasRulesFor(eventType EventType) bool
- func (cp *CompiledPolicy) MaxPeers() int
- type Directive
- type DirectiveType
- type EventType
- type PolicyDocument
- type Rule
Constants ¶
const Version = 1
Version is the current policy document schema version.
Variables ¶
This section is empty.
Functions ¶
func Validate ¶
func Validate(doc *PolicyDocument) error
Validate checks structural validity of a policy document. It does NOT compile expressions — use Compile for full validation.
Types ¶
type Action ¶
type Action struct {
Type ActionType `json:"type"`
Params map[string]interface{} `json:"params,omitempty"`
}
Action is a single action within a rule.
type ActionType ¶
type ActionType string
ActionType identifies what a rule does when it matches.
const ( ActionAllow ActionType = "allow" ActionDeny ActionType = "deny" ActionScore ActionType = "score" ActionTag ActionType = "tag" ActionEvict ActionType = "evict" ActionEvictWhere ActionType = "evict_where" ActionPrune ActionType = "prune" ActionFill ActionType = "fill" ActionWebhook ActionType = "webhook" ActionLog ActionType = "log" )
type CompiledPolicy ¶
type CompiledPolicy struct {
Doc PolicyDocument
// contains filtered or unexported fields
}
CompiledPolicy holds a fully compiled and validated policy ready for evaluation.
func Compile ¶
func Compile(doc *PolicyDocument) (*CompiledPolicy, error)
Compile validates and compiles all expressions in a policy document. Returns an error if any expression fails type-checking or compilation.
func (*CompiledPolicy) CycleDuration ¶
func (cp *CompiledPolicy) CycleDuration() (dur, grace string)
CycleDuration returns the configured cycle interval from config, or zero if not set.
func (*CompiledPolicy) Evaluate ¶
func (cp *CompiledPolicy) Evaluate(eventType EventType, ctx map[string]interface{}) ([]Directive, error)
Evaluate runs all rules for the given event type against the provided context. For gate events (connect, dial, datagram), evaluation stops at the first verdict. For action events (cycle, join, leave), all matching rules fire.
The context map must contain the variables declared for the event type (see env.go). Returns a list of directives the caller should execute.
func (*CompiledPolicy) EvaluatePeerExpr ¶
func (cp *CompiledPolicy) EvaluatePeerExpr(ruleName string, actionIdx int, peerCtx map[string]interface{}) (bool, error)
EvaluatePeerExpr evaluates a pre-compiled peer sub-expression (e.g. evict_where) against per-peer variables. Returns true if the peer matches.
func (*CompiledPolicy) HasRulesFor ¶
func (cp *CompiledPolicy) HasRulesFor(eventType EventType) bool
HasRulesFor returns true if the policy has any rules for the given event type.
func (*CompiledPolicy) MaxPeers ¶
func (cp *CompiledPolicy) MaxPeers() int
MaxPeers returns the configured max_peers from config, or 0 if not set.
type Directive ¶
type Directive struct {
Type DirectiveType
Rule string // source rule name
Params map[string]interface{} // action parameters
}
Directive is an instruction produced by evaluating a rule.
type DirectiveType ¶
type DirectiveType int
DirectiveType identifies the kind of directive returned by evaluation.
const ( DirectiveAllow DirectiveType = iota DirectiveDeny DirectiveScore DirectiveTag DirectiveEvict DirectiveEvictWhere DirectivePrune DirectiveFill DirectiveWebhook DirectiveLog )
type EventType ¶
type EventType string
EventType identifies the protocol event a rule matches against.
const ( EventConnect EventType = "connect" // inbound SYN EventDial EventType = "dial" // outbound SYN EventDatagram EventType = "datagram" // inbound/outbound datagram EventCycle EventType = "cycle" // periodic timer tick EventJoin EventType = "join" // peer joins network EventLeave EventType = "leave" // peer leaves network )
func (EventType) IsGateEvent ¶
IsGateEvent returns true if the event type produces allow/deny verdicts.
type PolicyDocument ¶
type PolicyDocument struct {
Version int `json:"version"`
Config map[string]interface{} `json:"config,omitempty"`
Rules []Rule `json:"rules"`
}
PolicyDocument is the top-level policy structure stored as JSON.
func Parse ¶
func Parse(data []byte) (*PolicyDocument, error)
Parse unmarshals and validates a policy document from JSON.
Source Files