Documentation
¶
Overview ¶
Example ¶
// https://en.wikipedia.org/wiki/IPv4
// https://en.wikipedia.org/wiki/IPv6
wl := NewWhiteList()
err := wl.Allow("127.0.0.0/8", "192.168.0.0/16", "fd00:0:0::/48")
if err != nil {
panic(err)
}
targetIPs := []string{
"127.0.0.1", // OK
"192.168.1.1", // OK
"126.0.0.1", // NG
"192.169.1.1", // NG
"fd00:0:0::1", // OK
"fd00:0:0:1::1", // OK
"fd00:0:1::1", // NG
"fc00:0:0::1", // NG
}
for _, ip := range targetIPs {
fmt.Printf("%s is allowed? %v\n", ip, wl.Allowed(ip))
}
Output: 127.0.0.1 is allowed? true 192.168.1.1 is allowed? true 126.0.0.1 is allowed? false 192.169.1.1 is allowed? false fd00:0:0::1 is allowed? true fd00:0:0:1::1 is allowed? true fd00:0:1::1 is allowed? false fc00:0:0::1 is allowed? false
Index ¶
Examples ¶
Constants ¶
const ( NetIP = "ip" NetIP4 = "ip4" NetIP6 = "ip6" NetTCP = "tcp" NetTCP4 = "tcp4" NetTCP6 = "tcp6" NetUDP = "udp" NetUDP4 = "udp4" NetUDP6 = "udp6" NetUnix = "unix" NetUnixgram = "unixgram" NetUnixpacket = "unixpacket" )
Variables ¶
This section is empty.
Functions ¶
func ParseNetAddr ¶
ParseNetAddr parses network and address from addr. Given addr should be in "<ADDRESS>" or "<NETWORK>://<ADDRESS>" format. Returned network will be empty when the network is unknown of not found. For unix domain sockets, use "unix:///var/run/example.sock" for path name socket and use "unix://@example" for abstract socket. Note that the address format of unix sockets depends on applications. For examples, curl has following interface for unix sockets.
curl --unix-socket "/var/run/example.sock" http://foo.bar.com curl --abstract-unix-socket "example" http://foo.bar.com
Following networks are supported and compatible with net.Dial and net.Listen.
- <ADDRESS>
- ip://<ADDRESS>
- ip4://<ADDRESS>
- ip6://<ADDRESS>
- tcp://<ADDRESS>
- tcp4://<ADDRESS>
- tcp6://<ADDRESS>
- udp://<ADDRESS>
- udp4://<ADDRESS>
- udp6://<ADDRESS>
- unix://<ADDRESS>
- unixgram://<ADDRESS>
- unixpacket://<ADDRESS>
Types ¶
type ACMEListener ¶
type ACMEListener struct {
net.Listener
// Manager is a autocert manager that
// provides a TLSConfig.
// Manager must not be nil.
Manager *autocert.Manager
// Modifier optionally specifies a function to modify
// the TLSConfig generated by the [autocert.Manager.TLSConfig].
//
// Example:
//
// func(c *tls.Config) {
// c.NextProtos = []string{
// "h2", "http/1.1", // enable HTTP/2
// acme.ALPNProto, // enable tls-alpn ACME challenges
// }
// }
Modifier func(*tls.Config)
}
ACMEListener is a listener that applies auto certification, ACME. See also golang.org/x/crypto/acme/autocert.Manager
func NewACMEListener ¶
func NewACMEListener(ln net.Listener, domains ...string) *ACMEListener
NewACMEListener returns a net listener that returns *tls.Conn connections with LetsEncrypt certificates for the provided domain or domains. See also golang.org/x/crypto/acme/autocert.NewListener.
type AllowListener ¶
type AllowListener struct {
net.Listener
// Allowed returns if the connection should be allowed or not.
// A connection will be immediately closed when Allowed returned false.
// Allowed must not be nil.
Allowed func(host, port string) bool
}
AllowListener is the listener that accepts connections allowed by the client address. Basically, use NewWhiteListListener or NewBlackListListener to create a new AllowListener.
func NewBlackListListener ¶
func NewBlackListListener(ln net.Listener, disallow ...string) (*AllowListener, error)
NewBlackListListener returns a new instance of [BlackListListener]. Returned listener does not allow new connections from given networks. Given networks must be valid form for net/netip.ParsePrefix. Both IPv4 and IPV6 are acceptable. For example, "0.0.0.0/0" does not allow any new connections and "127.0.0.1/32" does not allow only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix. See also [BlackListListener] and BlackList.
func NewWhiteListListener ¶
func NewWhiteListListener(ln net.Listener, allow ...string) (*AllowListener, error)
NewWhiteListListener returns a new instance of [WhiteListListener]. Returned listener allows new connections only from given networks. Given networks must be valid form for net/netip.ParsePrefix. Both IPv4 and IPV6 are acceptable. For example, "0.0.0.0/0" allows all new connections and "127.0.0.1/32" allows only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix. See also [WhiteListListener] and WhiteList.
type BlackList ¶
type BlackList struct {
// contains filtered or unexported fields
}
BlackList is the IP blacklist. Allow list is always prior to the disallow list. Use NewBlackList to create a new instance of BlackList.
Example (Ipv4) ¶
// https://en.wikipedia.org/wiki/IPv4
prefixes := []string{
"10.0.0.0/8", // 10.0.0.0–10.255.255.255 Private network
"100.64.0.0/10", // 100.64.0.0–100.127.255.255 Private network
"127.0.0.0/8", // 127.0.0.0–127.255.255.255 Host
"172.16.0.0/12", // 172.16.0.0–172.31.255.255 Private network
"192.0.0.0/24", // 192.0.0.0–192.0.0.255 Private network
"192.168.0.0/16", // 192.168.0.0–192.168.255.255 Private network
"198.18.0.0/15", // 198.18.0.0–198.19.255.255 Private network
}
bl := NewBlackList()
_ = bl.Disallow(prefixes...) // Ignore error.
_ = bl.Allow("10.1.2.3/32") // Ignore error.
targetIPs := []string{
"10.255.255.1", // NG
"127.0.0.1", // NG
"192.168.1.2", // NG
"192.88.10.20", // OK
"224.10.20.30", // OK
"255.255.10.20", // OK
"10.1.2.3", // OK (Allow list is prior to disallow list)
}
for _, ip := range targetIPs {
fmt.Printf("%s is allowed? %v\n", ip, bl.Allowed(ip))
}
Output: 10.255.255.1 is allowed? false 127.0.0.1 is allowed? false 192.168.1.2 is allowed? false 192.88.10.20 is allowed? true 224.10.20.30 is allowed? true 255.255.10.20 is allowed? true 10.1.2.3 is allowed? true
func NewBlackList ¶
func NewBlackList() *BlackList
NewBlackList returns a new instance of BlackList. BlackList is for filtering IPv4 and IPv6 addresses using network addresses in blacklist. See the comments on BlackList.
func (BlackList) Allow ¶
Allow registers network addresses to the allow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (BlackList) AllowPrefix ¶
AllowPrefix registers network addresses to the allow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the allow list. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (*BlackList) Allowed ¶
Allowed returns if the ip is allowed by the blacklist. Both IPv4 and IPv6 are accepted. It returns false when the ip is not valid ip address. Given ip is parsed with net/netip.ParseAddr. For blacklist, allow list is always prior to the disallow list. It returns true for addresses that are not contained in both allow list and disallow list.
func (*BlackList) AllowedAddr ¶
AllowedAddr returns if the addr is allowed by the blacklist. Both IPv4 and IPv6 are accepted. It returns false when the addr is not valid ip address. For blacklist, allow list is always prior to the disallow list. It returns true for addresses that are not contained in both allow list and disallow list.
func (BlackList) Disallow ¶
Disallow registers network addresses to the disallow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
func (BlackList) DisallowPrefix ¶
DisallowPrefix registers network addresses to the disallow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the disallow list. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
type LimitListener ¶
LimitListener limits the number of simultaneous connection. Use NewLimitListener to create a new instance of LimitListener.
Note that the linux command "netstat" or "ss" like below does not show the correct number of connections currently accepted.
- netstat -uant | grep ESTABLISHED | grep 8080 | wc
- ss -o state established "( dport = :8080 )" -np | wc
This is described in https://github.com/golang/go/issues/36212#issuecomment-567838193 Use "lsof" command instead. For example,
- lsof -i:8080 | grep foobar
func NewLimitListener ¶
func NewLimitListener(ln net.Listener, limit int) *LimitListener
NewLimitListener returns a net listener with maximum concurrent connections. For limit<1, 1 is used. See also LimitListener.
type TLSListener ¶
type TLSListener struct {
net.Listener
// TLSConfig is the configuration applied for
// new TLS connections.
TLSConfig *tls.Config
// NonTLS optionally judges if the connection is non-TLS.
// Users who does not use NonTLS, use [crypto/tls.NewListener]
// instead.
// [BlackList] and [WhiteList] can be used.
NonTLS func(host, port string) bool
}
TLSListener is the listener that accepts new TLS connections.
func NewTLSListener ¶
NewTLSListener creates a new net listener that returns a *tls.Conn connection. IP addresses provided by the nonTLS arguments are considered as non-TLS connection. WhiteList is used internally for nonTLS to determine the connection should be TLS or non-TLS.
type WhiteList ¶
type WhiteList struct {
// contains filtered or unexported fields
}
WhiteList is the IP whitelist. Disallow list is always prior to the allow list. Use NewWhiteList to create a new instance of WhiteList.
Example (Ipv4) ¶
// https://en.wikipedia.org/wiki/IPv4
prefixes := []string{
"10.0.0.0/8", // 10.0.0.0–10.255.255.255 Private network
"100.64.0.0/10", // 100.64.0.0–100.127.255.255 Private network
"127.0.0.0/8", // 127.0.0.0–127.255.255.255 Host
"172.16.0.0/12", // 172.16.0.0–172.31.255.255 Private network
"192.0.0.0/24", // 192.0.0.0–192.0.0.255 Private network
"192.168.0.0/16", // 192.168.0.0–192.168.255.255 Private network
"198.18.0.0/15", // 198.18.0.0–198.19.255.255 Private network
}
wl := NewWhiteList()
_ = wl.Allow(prefixes...) // Ignore error.
_ = wl.Disallow("10.1.2.3/32") // Ignore error.
targetIPs := []string{
"10.255.255.1", // OK
"127.0.0.1", // OK
"192.168.1.2", // OK
"192.88.10.20", // NG
"224.10.20.30", // NG
"255.255.10.20", // NG
"10.1.2.3", // NG (Disallow list is prior to allow list)
}
for _, ip := range targetIPs {
fmt.Printf("%s is allowed? %v\n", ip, wl.Allowed(ip))
}
Output: 10.255.255.1 is allowed? true 127.0.0.1 is allowed? true 192.168.1.2 is allowed? true 192.88.10.20 is allowed? false 224.10.20.30 is allowed? false 255.255.10.20 is allowed? false 10.1.2.3 is allowed? false
func NewWhiteList ¶
func NewWhiteList() *WhiteList
NewWhiteList returns a new instance of WhiteList. WhiteList is for filtering IPv4 and IPv6 addresses using network addresses in whitelist. See the comments on WhiteList.
func (WhiteList) Allow ¶
Allow registers network addresses to the allow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (WhiteList) AllowPrefix ¶
AllowPrefix registers network addresses to the allow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the allow list. CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP. Invalid addresses such as "/16" (CIDR only) or "127.0.0.1" (address only) will results in an error because they are not accepted by net/netip.ParsePrefix.
func (*WhiteList) Allowed ¶
Allowed returns if the ip is allowed by the whitelist. Both IPv4 and IPv6 are accepted. It returns false when the ip is not valid ip address. Given ip is parsed with net/netip.ParseAddr. For whitelist, disallow list is always prior to the allow list. It returns false for addresses that are not contained in both allow list and disallow list.
func (*WhiteList) AllowedAddr ¶
AllowedAddr returns if the addr is allowed by the whitelist. Both IPv4 and IPv6 are accepted. It returns false when the addr is not valid ip address. For whitelist, disallow list is always prior to the allow list. It returns false for addresses that are not contained in both allow list and disallow list.
func (WhiteList) Disallow ¶
Disallow registers network addresses to the disallow list. Given ip addresses are parsed with net/netip.ParsePrefix. When one of the ips is invalid, it returns an error without adding any given ips. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
func (WhiteList) DisallowPrefix ¶
DisallowPrefix registers network addresses to the disallow list. Invalid prefixes are returned with and error and only valid prefixes are registered to the disallow list. Note that CIDR "/0" matches to all IPs and "<IPv4>/32" or "<IPv6>/128" matches to the only specified IP.
Source Files
Directories