Documentation
¶
Overview ¶
Example ¶
// https://en.wikipedia.org/wiki/IPv4
// https://en.wikipedia.org/wiki/IPv6
wl := NewWhiteList()
err := wl.Allow("127.0.0.0/8", "192.168.0.0/16", "fd00:0:0::/48")
if err != nil {
panic(err)
}
targetIPs := []string{
"127.0.0.1", // OK
"192.168.1.1", // OK
"126.0.0.1", // NG
"192.169.1.1", // NG
"fd00:0:0::1", // OK
"fd00:0:0:1::1", // OK
"fd00:0:1::1", // NG
"fc00:0:0::1", // NG
}
for _, ip := range targetIPs {
fmt.Printf("%s is allowed? %v\n", ip, wl.Allowed(ip))
}
Output: 127.0.0.1 is allowed? true 192.168.1.1 is allowed? true 126.0.0.1 is allowed? false 192.169.1.1 is allowed? false fd00:0:0::1 is allowed? true fd00:0:0:1::1 is allowed? true fd00:0:1::1 is allowed? false fc00:0:0::1 is allowed? false
Index ¶
Examples ¶
Constants ¶
const ( NetIP = "ip" NetIP4 = "ip4" NetIP6 = "ip6" NetTCP = "tcp" NetTCP4 = "tcp4" NetTCP6 = "tcp6" NetUDP = "udp" NetUDP4 = "udp4" NetUDP6 = "udp6" NetUnix = "unix" NetUnixgram = "unixgram" NetUnixpacket = "unixpacket" )
Variables ¶
This section is empty.
Functions ¶
func ParseNetAddr ¶
ParseNetAddr parses network and address from addr. Given addr should be in "<ADDRESS>" or "<NETWORK>://<ADDRESS>" format. Returned network will be empty when the network is unknown of not found. For unix domain sockets, use "unix:///var/run/example.sock" for path name socket and use "unix://@example" for abstract socket. Note that the address format of unix sockets depends on applications. For examples, curl has following interface for unix sockets.
curl --unix-socket "/var/run/example.sock" http://foo.bar.com curl --abstract-unix-socket "example" http://foo.bar.com
Following networks are supported and compatible with net.Dial and net.Listen.
- <ADDRESS>
- ip://<ADDRESS>
- ip4://<ADDRESS>
- ip6://<ADDRESS>
- tcp://<ADDRESS>
- tcp4://<ADDRESS>
- tcp6://<ADDRESS>
- udp://<ADDRESS>
- udp4://<ADDRESS>
- udp6://<ADDRESS>
- unix://<ADDRESS>
- unixgram://<ADDRESS>
- unixpacket://<ADDRESS>
Types ¶
type BlackList ¶
type BlackList struct {
// contains filtered or unexported fields
}
BlackList is the IP blacklist. Allow list is always prior to the disallow list. Use NewBlackList to create a new instance of BlackList.
Example (Ipv4) ¶
// https://en.wikipedia.org/wiki/IPv4
prefixes := []string{
"10.0.0.0/8", // 10.0.0.0–10.255.255.255 Private network
"100.64.0.0/10", // 100.64.0.0–100.127.255.255 Private network
"127.0.0.0/8", // 127.0.0.0–127.255.255.255 Host
"172.16.0.0/12", // 172.16.0.0–172.31.255.255 Private network
"192.0.0.0/24", // 192.0.0.0–192.0.0.255 Private network
"192.168.0.0/16", // 192.168.0.0–192.168.255.255 Private network
"198.18.0.0/15", // 198.18.0.0–198.19.255.255 Private network
}
bl := NewBlackList()
_ = bl.Disallow(prefixes...) // Ignore error.
_ = bl.Allow("10.1.2.3/32") // Ignore error.
targetIPs := []string{
"10.255.255.1", // NG
"127.0.0.1", // NG
"192.168.1.2", // NG
"192.88.10.20", // OK
"224.10.20.30", // OK
"255.255.10.20", // OK
"10.1.2.3", // OK (Allow list is prior to disallow list)
}
for _, ip := range targetIPs {
fmt.Printf("%s is allowed? %v\n", ip, bl.Allowed(ip))
}
Output: 10.255.255.1 is allowed? false 127.0.0.1 is allowed? false 192.168.1.2 is allowed? false 192.88.10.20 is allowed? true 224.10.20.30 is allowed? true 255.255.10.20 is allowed? true 10.1.2.3 is allowed? true
func NewBlackList ¶
func NewBlackList() *BlackList
NewBlackList returns a new instance of BlackList. BlackList is for filtering IPv4 and IPv6 addresses using network addresses in blacklist. See the comments on BlackList.
func (BlackList) Allow ¶
Allow registers network addresses to the allow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (BlackList) AllowPrefix ¶
AllowPrefix registers network addresses to the allow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the allow list. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (*BlackList) Allowed ¶
Allowed returns if the ip is allowed by the blacklist. Both IPv4 and IPv6 are accepted. It returns false when the ip is not valid ip address. Given ip is parsed with net/netip.ParseAddr. For blacklist, allow list is always prior to the disallow list. It returns true for addresses that are not contained in both allow list and disallow list.
func (*BlackList) AllowedAddr ¶
AllowedAddr returns if the addr is allowed by the blacklist. Both IPv4 and IPv6 are accepted. It returns false when the addr is not valid ip address. For blacklist, allow list is always prior to the disallow list. It returns true for addresses that are not contained in both allow list and disallow list.
func (BlackList) Disallow ¶
Disallow registers network addresses to the disallow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
func (BlackList) DisallowPrefix ¶
DisallowPrefix registers network addresses to the disallow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the disallow list. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
type BlackListListener ¶
type BlackListListener struct {
net.Listener
// BL is the blacklist.
// New connections allowed by the list is acceptable.
// Otherwise, the new connection will be force closed.
// BL must not be nil.
BL *BlackList
// Allow optionally judges if the connection is allowed or not.
// If non-nil, it is called with host and port of the remote addr.
// Given host is allowed by the blacklist.
Allow func(host, port string) bool
}
BlackListListener is the listener that accepts new connections allowed by the blacklist. BlackList is based on IP addresses.
func NewBlackListListener ¶
func NewBlackListListener(ln net.Listener, disallow ...string) (*BlackListListener, error)
NewBlackListListener returns a new instance of BlackListListener. Returned listener does not allow new connections from given networks. Given networks must be valid form for net/netip.ParsePrefix. Both IPv4 and IPV6 are acceptable. For example, "0.0.0.0/0" does not allow any new connections and "127.0.0.1/32" does not allow only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix. See also BlackListListener and BlackList.
type LimitListener ¶
LimitListener limits the number of simultaneous connection. Use NewLimitListener to create a new instance of LimitListener.
Note that the linux command "netstat" or "ss" like below does not show the correct number of connections currently accepted.
- netstat -uant | grep ESTABLISHED | grep 8080 | wc
- ss -o state established "( dport = :8080 )" -np | wc
This is described in https://github.com/golang/go/issues/36212#issuecomment-567838193 Use "lsof" command instead. For example,
- lsof -i:8080 | grep foobar
func NewLimitListener ¶
func NewLimitListener(ln net.Listener, limit int) *LimitListener
NewLimitListener returns a net listener with maximum concurrent connections. For limit<1, 1 is used.
type WhiteList ¶
type WhiteList struct {
// contains filtered or unexported fields
}
WhiteList is the IP whitelist. Disallow list is always prior to the allow list. Use NewWhiteList to create a new instance of WhiteList.
Example (Ipv4) ¶
// https://en.wikipedia.org/wiki/IPv4
prefixes := []string{
"10.0.0.0/8", // 10.0.0.0–10.255.255.255 Private network
"100.64.0.0/10", // 100.64.0.0–100.127.255.255 Private network
"127.0.0.0/8", // 127.0.0.0–127.255.255.255 Host
"172.16.0.0/12", // 172.16.0.0–172.31.255.255 Private network
"192.0.0.0/24", // 192.0.0.0–192.0.0.255 Private network
"192.168.0.0/16", // 192.168.0.0–192.168.255.255 Private network
"198.18.0.0/15", // 198.18.0.0–198.19.255.255 Private network
}
wl := NewWhiteList()
_ = wl.Allow(prefixes...) // Ignore error.
_ = wl.Disallow("10.1.2.3/32") // Ignore error.
targetIPs := []string{
"10.255.255.1", // OK
"127.0.0.1", // OK
"192.168.1.2", // OK
"192.88.10.20", // NG
"224.10.20.30", // NG
"255.255.10.20", // NG
"10.1.2.3", // NG (Disallow list is prior to allow list)
}
for _, ip := range targetIPs {
fmt.Printf("%s is allowed? %v\n", ip, wl.Allowed(ip))
}
Output: 10.255.255.1 is allowed? true 127.0.0.1 is allowed? true 192.168.1.2 is allowed? true 192.88.10.20 is allowed? false 224.10.20.30 is allowed? false 255.255.10.20 is allowed? false 10.1.2.3 is allowed? false
func NewWhiteList ¶
func NewWhiteList() *WhiteList
NewWhiteList returns a new instance of WhiteList. WhiteList is for filtering IPv4 and IPv6 addresses using network addresses in whitelist. See the comments on WhiteList.
func (WhiteList) Allow ¶
Allow registers network addresses to the allow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (WhiteList) AllowPrefix ¶
AllowPrefix registers network addresses to the allow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the allow list. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (*WhiteList) Allowed ¶
Allowed returns if the ip is allowed by the whitelist. Both IPv4 and IPv6 are accepted. It returns false when the ip is not valid ip address. Given ip is parsed with net/netip.ParseAddr. For whitelist, disallow list is always prior to the allow list. It returns false for addresses that are not contained in both allow list and disallow list.
func (*WhiteList) AllowedAddr ¶
AllowedAddr returns if the addr is allowed by the whitelist. Both IPv4 and IPv6 are accepted. It returns false when the addr is not valid ip address. For whitelist, disallow list is always prior to the allow list. It returns false for addresses that are not contained in both allow list and disallow list.
func (WhiteList) Disallow ¶
Disallow registers network addresses to the disallow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
func (WhiteList) DisallowPrefix ¶
DisallowPrefix registers network addresses to the disallow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the disallow list. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
type WhiteListListener ¶
type WhiteListListener struct {
net.Listener
// WL is the whitelist.
// New connections allowed by the list is acceptable.
// Otherwise, the new connection will be force closed.
// WL must not be nil.
WL *WhiteList
// Allow optionally judges if the connection is allowed or not.
// If non-nil, it is called with host and port of the remote addr.
// Given host is allowed by the whitelist.
Allow func(host, port string) bool
}
WhiteListListener is the listener that accepts new connections allowed by the whitelist. Whitelist is based on IP addresses.
func NewWhiteListListener ¶
func NewWhiteListListener(ln net.Listener, allow ...string) (*WhiteListListener, error)
NewWhiteListListener returns a new instance of WhiteListListener. Returned listener allows new connections only from given networks. Given networks must be valid form for net/netip.ParsePrefix. Both IPv4 and IPV6 are acceptable. For example, "0.0.0.0/0" allows all new connections and "127.0.0.1/32" allows only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix. See also WhiteListListener and WhiteList.
Source Files
Directories