prefixlist

package
v0.53.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 19, 2026 License: Apache-2.0 Imports: 12 Imported by: 0

README

Prefix List ACL

The prefixlist package provides dynamic IP prefix list management for network access control. It allows you to easily restrict connections to trusted IP ranges from various cloud providers and services.

Features

  • Multiple Provider Support: Built-in support for GitHub, Cloudflare, Google Cloud, Atlassian, GitLab, AWS, Fastly, and Hetzner
  • Self-contained Caching: Each provider manages its own cache with stale-while-revalidate support
  • Listener Pattern: Easy integration using the familiar net.Listener interface
  • YAML Configuration: Simple configuration with YAML tags for easy integration
  • Modern IP Handling: Uses net/netip.Prefix and net/netip.Addr for efficient IP operations
  • Extensible Architecture: Generic HTTP providers for JSON and text-based endpoints
  • Idiomatic Go: Clean, composable design following Go best practices

Supported Providers

Provider Description Default Cache Duration
GitHub GitHub services (webhooks, actions, git, etc.) 1 hour
Cloudflare Cloudflare CDN (IPv4 and IPv6) 24 hours
Google Google Cloud Platform 24 hours
Atlassian Atlassian Cloud services 24 hours
GitLab GitLab webhooks (static IPs) 7 days
AWS Amazon Web Services (with optional service/region filtering) 24 hours
Fastly Fastly CDN 24 hours
Hetzner Hetzner Cloud (static ranges) 7 days

Architecture

The package uses a clean, composable architecture:

  • Provider interface: All providers implement Prefixes(ctx) ([]netip.Prefix, error) and Contains(netip.Addr) bool
  • HTTPJSONProvider[T]: Generic provider for JSON-based HTTP endpoints with custom transform functions
  • HTTPTextProvider: Provider for plain text CIDR lists (e.g., Cloudflare)
  • CachingFetcher[T]: Generic caching layer with stale-while-revalidate support
  • MultiProvider: Combines multiple providers into one (also implements Provider interface)

This design makes it easy to:

  • Add new providers by creating simple transform functions
  • Compose providers (MultiProvider accepts any Provider)
  • Use providers standalone or in combination
  • Support both JSON and text-based HTTP endpoints

Usage

Basic Usage with Code
import (
    "context"
    "github.com/dioad/net/authz/prefixlist"
    "github.com/rs/zerolog"
)

// Create a provider for GitHub webhook IPs
logger := zerolog.New(os.Stdout)
provider := prefixlist.NewGitHubProvider("hooks")

// Use the provider to check IPs
ctx := context.Background()
prefixes, err := provider.Prefixes(ctx)
if err != nil {
    log.Fatal(err)
}

// Or check if an IP is allowed
addr := netip.MustParseAddr("192.30.252.1")
if provider.Contains(addr) {
    fmt.Println("Connection allowed")
}
Using MultiProvider with Configuration

The map-based filter format provides clear, explicit filtering:

config := prefixlist.Config{
    Providers: []prefixlist.ProviderConfig{
        {
            Name:    "github",
            Enabled: true,
            Filter:  map[string]string{"service": "hooks"},
        },
        {
            Name:    "aws",
            Enabled: true,
            Filter:  map[string]string{"service": "EC2", "region": "us-east-1"},
        },
        {
            Name:    "google",
            Enabled: true,
            Filter:  map[string]string{"scope": "us-central1", "service": "Google Cloud"},
        },
    },
}

multiProvider, err := prefixlist.NewMultiProviderFromConfig(config, logger)
if err != nil {
    log.Fatal(err)
}
YAML Configuration

Use explicit key-value pairs for clarity:

prefixlist:
  update_interval: 1h
  providers:
    - name: github
      enabled: true
      filter:
        service: hooks
    - name: aws
      enabled: true
      filter:
        service: EC2
        region: us-east-1
    - name: google
      enabled: true
      filter:
        scope: us-central1
        service: Google Cloud
    - name: atlassian
      enabled: true
      filter:
        region: global
        product: jira
Using with net.Listener
// Create base listener
baseListener, err := net.Listen("tcp", ":8080")
if err != nil {
    log.Fatal(err)
}

// Wrap with prefix list filtering
plListener := prefixlist.NewListener(baseListener, manager, logger)

// Accept connections (only from allowed IPs)
for {
    conn, err := plListener.Accept()
    if err != nil {
        log.Fatal(err)
    }
    go handleConnection(conn)
}

Provider-Specific Options

GitHub

The GitHub provider supports filtering by service type using the service key:

Available services: hooks, git, actions, pages, importer, dependabot

// Only GitHub webhooks
provider := prefixlist.NewGitHubProvider("hooks")

// All GitHub services
provider := prefixlist.NewGitHubProvider("")

YAML Configuration:

- name: github
  enabled: true
  filter:
    service: hooks  # or actions, git, pages, importer, dependabot
Cloudflare

The Cloudflare provider supports IPv4 and IPv6 using the version key:

// IPv4 ranges
provider := prefixlist.NewCloudflareProvider(false)

// IPv6 ranges
provider := prefixlist.NewCloudflareProvider(true)

YAML Configuration:

- name: cloudflare
  enabled: true
  filter:
    version: ipv6  # or omit for IPv4
Google Cloud

The Google Cloud provider supports filtering by scope (region) and service:

// All Google Cloud IP ranges
provider := prefixlist.NewGoogleProvider(nil, nil)

// Only specific regions
provider := prefixlist.NewGoogleProvider([]string{"us-central1", "europe-west1"}, nil)

// Only specific services
provider := prefixlist.NewGoogleProvider(nil, []string{"Google Cloud"})

// Specific regions and services
provider := prefixlist.NewGoogleProvider(
    []string{"us-central1"}, 
    []string{"Google Cloud", "Google Cloud Storage"},
)

YAML Configuration (supports comma-separated values):

- name: google
  enabled: true
  filter:
    scope: us-central1,europe-west1    # comma-separated regions
    service: Google Cloud               # single or comma-separated services
Atlassian

The Atlassian provider supports filtering by region and product keys. Note: Only prefixes with "egress" direction are included.

// All Atlassian IP ranges (egress only)
provider := prefixlist.NewAtlassianProvider(nil, nil)

// Only specific regions
provider := prefixlist.NewAtlassianProvider([]string{"global", "us-east-1"}, nil)

// Only specific products
provider := prefixlist.NewAtlassianProvider(nil, []string{"jira", "confluence"})

// Specific regions and products
provider := prefixlist.NewAtlassianProvider(
    []string{"global"}, 
    []string{"jira", "confluence"},
)

YAML Configuration (supports comma-separated values):

- name: atlassian
  enabled: true
  filter:
    region: global,us-east-1           # comma-separated regions
    product: jira,confluence            # comma-separated products
AWS

The AWS provider supports filtering by service and region keys:

// All AWS services in all regions
provider := prefixlist.NewAWSProvider("", "")

// Only EC2 in all regions
provider := prefixlist.NewAWSProvider("EC2", "")

// Only EC2 in us-east-1
provider := prefixlist.NewAWSProvider("EC2", "us-east-1")

YAML Configuration:

- name: aws
  enabled: true
  filter:
    service: EC2                        # specific AWS service
    region: us-east-1                   # specific AWS region
GitLab

The GitLab provider uses static IP ranges for webhooks:

  • 34.74.90.64/28
  • 34.74.226.0/24

Note: GitLab Actions run on Google Cloud Platform, so enable the Google provider if you need to allow GitLab Actions runners.

Fastly

The Fastly provider fetches IP ranges from Fastly's public API.

provider := prefixlist.NewFastlyProvider()
Hetzner

The Hetzner provider uses static IP ranges for Hetzner Cloud services. This includes all major Hetzner Cloud data centers.

provider := prefixlist.NewHetznerProvider()

Integration with Existing authz Package

The prefix list system works alongside the existing authz.NetworkACL and authz.Listener:

// Combine static ACL with dynamic prefix lists
staticACL, _ := authz.NewNetworkACL(authz.NetworkACLConfig{
    AllowedNets: []string{"10.0.0.0/8"},
})

// You can use both:
// 1. authz.Listener for static allow/deny lists
staticListener := &authz.Listener{
    NetworkACL: staticACL,
    Listener:   baseListener,
    Logger:     logger,
}

// 2. prefixlist.Listener for dynamic provider-based lists
plListener := prefixlist.NewListener(staticListener, manager, logger)

Custom Providers

To add a custom provider, implement the Provider interface:

type CustomProvider struct{}

func (p *CustomProvider) Name() string {
    return "custom"
}

func (p *CustomProvider) CacheDuration() time.Duration {
    return 1 * time.Hour
}

func (p *CustomProvider) FetchPrefixes(ctx context.Context) ([]*net.IPNet, error) {
    // Fetch and parse your IP ranges
    cidrs := []string{"203.0.113.0/24"}
    return parseCIDRs(cidrs)
}

Performance Considerations

  • Prefix lists are cached in memory and updated periodically
  • IP matching uses efficient CIDR comparison
  • Updates happen in the background without blocking connections
  • Failed updates retain previously cached data

Security Notes

  • The system gracefully handles provider failures by retaining cached data
  • If all providers fail on initial start, an error is returned
  • Connections are rejected during startup until at least one provider succeeds
  • All HTTP requests to providers have a 30-second timeout

Creating Custom Providers

The package provides generic base types for easy provider creation:

JSON-based HTTP Provider

For endpoints that return JSON:

import (
    "net/netip"
    "time"
    "github.com/dioad/net/authz/prefixlist"
)

type myServiceData struct {
    IPRanges []string `json:"ip_ranges"`
}

func transformMyService(data myServiceData) ([]netip.Prefix, error) {
    return prefixlist.ParseCIDRs(data.IPRanges)
}

provider := prefixlist.NewHTTPJSONProvider[myServiceData](
    "myservice",
    "https://api.myservice.com/ip-ranges",
    prefixlist.CacheConfig{
        StaticExpiry: 24 * time.Hour,
        ReturnStale:  true,
    },
    transformMyService,
)
Text-based HTTP Provider

For endpoints that return plain text CIDR lists:

provider := prefixlist.NewHTTPTextProvider(
    "myservice",
    "https://myservice.com/ips.txt",
    prefixlist.CacheConfig{
        StaticExpiry: 24 * time.Hour,
        ReturnStale:  true,
    },
)
Static Provider

For static IP lists:

type StaticProvider struct {
    name     string
    prefixes []netip.Prefix
}

func NewStaticProvider(name string, cidrs []string) (*StaticProvider, error) {
    prefixes, err := prefixlist.ParseCIDRs(cidrs)
    if err != nil {
        return nil, err
    }
    return &StaticProvider{name: name, prefixes: prefixes}, nil
}

func (p *StaticProvider) Name() string {
    return p.name
}

func (p *StaticProvider) Prefixes(ctx context.Context) ([]netip.Prefix, error) {
    return p.prefixes, nil
}

func (p *StaticProvider) Contains(addr netip.Addr) bool {
    for _, prefix := range p.prefixes {
        if prefix.Contains(addr) {
            return true
        }
    }
    return false
}

All providers implement the same Provider interface and can be used with MultiProvider or Listener.

Documentation

Overview

Package prefixlist provides utilities for fetching and managing IP prefix lists from various cloud providers.

Example

Example demonstrates basic usage of the prefix list system 

package main

import (
	"context"
	"fmt"
	"net/netip"

	"github.com/dioad/net/authz/prefixlist"
	"github.com/rs/zerolog"
)

func main() {
	logger := zerolog.Nop()

	// Create a multi-provider with GitLab provider
	gitlabProvider := prefixlist.NewGitLabProvider()
	multiProvider := prefixlist.NewMultiProvider([]prefixlist.Provider{gitlabProvider}, logger)

	ctx := context.Background()
	_, err := multiProvider.Prefixes(ctx)
	if err != nil {
		panic(err)
	}

	// Check if an IP is in the allowed list
	addr, err := netip.ParseAddr("34.74.90.65")
	if err != nil {
		panic(err)
	}
	if multiProvider.Contains(addr) {
		fmt.Println("IP is allowed")
	} else {
		fmt.Println("IP is denied")
	}

}

Output:

IP is allowed

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func FetchTextLines 

func FetchTextLines(ctx context.Context, url string) ([]string, error)

FetchTextLines is a fetch function that retrieves plain text lines from an HTTP endpoint. It returns a slice of non-empty, non-comment lines. Lines starting with '#' are treated as comments and ignored.

Types

type AWSProvider 

type AWSProvider struct {
	*HTTPJSONProvider[awsIPRanges]
	// contains filtered or unexported fields
}

AWSProvider fetches IP ranges from AWS

func NewAWSProvider 

func NewAWSProvider(service, region string) *AWSProvider

NewAWSProvider creates a new AWS prefix list provider

type AtlassianProvider 

type AtlassianProvider struct {
	*HTTPJSONProvider[atlassianIPRanges]
	// contains filtered or unexported fields
}

AtlassianProvider fetches IP ranges from Atlassian

func NewAtlassianProvider 

func NewAtlassianProvider(regions, products []string) *AtlassianProvider

NewAtlassianProvider creates a new Atlassian prefix list provider regions: optional list of regions to filter by (e.g., ["global", "us-east-1"]) products: optional list of products to filter by (e.g., ["jira", "confluence"]) Only prefixes with "egress" direction are included

type CacheConfig 

type CacheConfig struct {
	// StaticExpiry defines a fixed cache duration (e.g., 1 hour)
	StaticExpiry time.Duration

	// ReturnStale controls whether stale data should be returned while refreshing
	// If true, returns stale data immediately and refreshes in background
	// If false, blocks until fresh data is fetched
	ReturnStale bool
}

CacheConfig configures the caching behavior of a CachingFetcher

type CacheResult 

type CacheResult int

CacheResult indicates the status of cached data 

const (
	// CacheResultFresh indicates data was freshly fetched
	CacheResultFresh CacheResult = iota
	// CacheResultCached indicates data was returned from cache
	CacheResultCached
	// CacheResultStale indicates stale data was returned due to fetch error
	CacheResultStale
)

type CachingFetcher 

type CachingFetcher[T any] struct {
	// contains filtered or unexported fields
}

CachingFetcher is a generic caching HTTP fetcher that handles HTTP requests with caching

func NewCachingFetcher 

func NewCachingFetcher[T any](url string, config CacheConfig) *CachingFetcher[T]

NewCachingFetcher creates a new caching fetcher for the specified URL and type. It uses JSON unmarshaling by default to decode the response body into type T.

func NewCachingFetcherWithFunc 

func NewCachingFetcherWithFunc[T any](url string, config CacheConfig, fetchFunc FetchFunc[T]) *CachingFetcher[T]

NewCachingFetcherWithFunc creates a new caching fetcher with a custom fetch function. If fetchFunc is nil, it defaults to JSON unmarshaling. This allows for custom parsing of the HTTP response (e.g., plain text lines).

func (*CachingFetcher[T]) Get 

func (f *CachingFetcher[T]) Get(ctx context.Context) (T, CacheResult, error)

Get fetches data from the URL with caching. It returns the data, cache result status (Fresh, Cached, or Stale), and any error encountered. If ReturnStale is enabled, it may return stale data immediately and start a background refresh.

func (*CachingFetcher[T]) GetCacheInfo 

func (f *CachingFetcher[T]) GetCacheInfo() (cachedAt, expiresAt time.Time, hasData bool)

GetCacheInfo returns information about the current cache status. It returns the time the data was cached, the time it expires, and whether data is present.

func (*CachingFetcher[T]) GetCachedData 

func (f *CachingFetcher[T]) GetCachedData() *T

GetCachedData returns the currently cached data without performing a fetch. It returns nil if no data is currently cached.

type CloudflareProvider 

type CloudflareProvider struct {
	*HTTPTextProvider
}

CloudflareProvider fetches IP ranges from Cloudflare

func NewCloudflareProvider 

func NewCloudflareProvider(ipv6 bool) *CloudflareProvider

NewCloudflareProvider creates a new Cloudflare prefix list provider

type Config 

type Config struct {
	// Providers lists the enabled providers
	Providers []ProviderConfig `mapstructure:"providers" yaml:"providers"`
}

Config represents the configuration for prefix list providers

type FastlyProvider 

type FastlyProvider struct {
	*HTTPJSONProvider[fastlyIPRanges]
}

FastlyProvider fetches IP ranges from Fastly CDN

func NewFastlyProvider 

func NewFastlyProvider() *FastlyProvider

NewFastlyProvider creates a new Fastly prefix list provider

type FetchFunc 

type FetchFunc[T any] func(ctx context.Context, url string) (T, error)

FetchFunc is a custom function type for fetching data from an HTTP endpoint

type FetchResult 

type FetchResult[T any] struct {
	Data   T
	Result CacheResult
	Error  error
}

FetchResult contains the fetched data and metadata about the fetch

type GitHubProvider 

type GitHubProvider struct {
	*HTTPJSONProvider[githubMeta]
	// contains filtered or unexported fields
}

GitHubProvider fetches IP ranges from GitHub's meta API

func NewGitHubProvider 

func NewGitHubProvider(filter string) *GitHubProvider

NewGitHubProvider creates a new GitHub prefix list provider

type GitLabProvider 

type GitLabProvider struct {
	// contains filtered or unexported fields
}

GitLabProvider provides static IP ranges for GitLab webhooks

func NewGitLabProvider 

func NewGitLabProvider() *GitLabProvider

NewGitLabProvider creates a new GitLab prefix list provider

func (*GitLabProvider) Contains 

func (p *GitLabProvider) Contains(addr netip.Addr) bool

func (*GitLabProvider) Name 

func (p *GitLabProvider) Name() string

func (*GitLabProvider) Prefixes 

func (p *GitLabProvider) Prefixes(ctx context.Context) ([]netip.Prefix, error)

type GoogleProvider 

type GoogleProvider struct {
	*HTTPJSONProvider[googleIPRanges]
	// contains filtered or unexported fields
}

GoogleProvider fetches IP ranges from Google Cloud

func NewGoogleProvider 

func NewGoogleProvider(scopes, services []string) *GoogleProvider

NewGoogleProvider creates a new Google Cloud prefix list provider scopes: optional list of scopes to filter by (e.g., ["us-central1", "europe-west1"]) services: optional list of services to filter by (e.g., ["Google Cloud"])

type HTTPJSONProvider 

type HTTPJSONProvider[T any] struct {
	// contains filtered or unexported fields
}

HTTPJSONProvider is a generic provider that fetches JSON data and transforms it into prefixes

func NewHTTPJSONProvider 

func NewHTTPJSONProvider[T any](name, url string, config CacheConfig, transform TransformFunc[T]) *HTTPJSONProvider[T]

NewHTTPJSONProvider creates a new HTTP JSON-based provider Parameters:

  • name: the name of the provider (e.g., "github", "aws")
  • url: the HTTP endpoint to fetch from
  • config: caching configuration
  • transform: function to transform the JSON response into prefixes

func (*HTTPJSONProvider[T]) Contains 

func (p *HTTPJSONProvider[T]) Contains(addr netip.Addr) bool

func (*HTTPJSONProvider[T]) Name 

func (p *HTTPJSONProvider[T]) Name() string

func (*HTTPJSONProvider[T]) Prefixes 

func (p *HTTPJSONProvider[T]) Prefixes(ctx context.Context) ([]netip.Prefix, error)

type HTTPTextProvider 

type HTTPTextProvider struct {
	// contains filtered or unexported fields
}

HTTPTextProvider is a provider for HTTP endpoints that return plain text lists of prefixes

func NewHTTPTextProvider 

func NewHTTPTextProvider(name, url string, config CacheConfig) *HTTPTextProvider

NewHTTPTextProvider creates a new HTTP text-based provider The endpoint is expected to return a plain text list of CIDR ranges (one per line)

func (*HTTPTextProvider) Contains 

func (p *HTTPTextProvider) Contains(addr netip.Addr) bool

func (*HTTPTextProvider) Name 

func (p *HTTPTextProvider) Name() string

func (*HTTPTextProvider) Prefixes 

func (p *HTTPTextProvider) Prefixes(ctx context.Context) ([]netip.Prefix, error)

type HetznerProvider 

type HetznerProvider struct {
	// contains filtered or unexported fields
}

HetznerProvider provides static IP ranges for Hetzner Cloud

func NewHetznerProvider 

func NewHetznerProvider() *HetznerProvider

NewHetznerProvider creates a new Hetzner prefix list provider

func (*HetznerProvider) Contains 

func (p *HetznerProvider) Contains(addr netip.Addr) bool

func (*HetznerProvider) Name 

func (p *HetznerProvider) Name() string

func (*HetznerProvider) Prefixes 

func (p *HetznerProvider) Prefixes(ctx context.Context) ([]netip.Prefix, error)

type Listener 

type Listener struct {
	// contains filtered or unexported fields
}

Listener wraps a net.Listener and filters connections based on prefix lists

Example

ExampleListener demonstrates using the prefix list listener 

package main

import (
	"context"
	"fmt"
	"net"

	"github.com/dioad/net/authz/prefixlist"
	"github.com/rs/zerolog"
)

func main() {
	logger := zerolog.Nop()

	// Create a base listener
	baseListener, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer baseListener.Close()

	// Create a multi-provider with GitLab provider
	gitlabProvider := prefixlist.NewGitLabProvider()
	multiProvider := prefixlist.NewMultiProvider([]prefixlist.Provider{gitlabProvider}, logger)

	ctx := context.Background()
	_, err = multiProvider.Prefixes(ctx)
	if err != nil {
		panic(err)
	}

	// Wrap with prefix list listener
	plListener := prefixlist.NewListener(baseListener, multiProvider, logger)

	fmt.Printf("Listening on %s with prefix list filtering\n", plListener.Addr())

	// Now only connections from allowed IPs will be accepted
	// conn, err := plListener.Accept()
}

func NewListener 

func NewListener(listener net.Listener, provider Provider, logger zerolog.Logger) *Listener

NewListener creates a new prefix list filtering listener

func (*Listener) Accept 

func (l *Listener) Accept() (net.Conn, error)

Accept waits for and returns the next connection, filtering based on prefix lists

func (*Listener) Addr 

func (l *Listener) Addr() net.Addr

Addr returns the listener's network address

func (*Listener) Close 

func (l *Listener) Close() error

Close closes the underlying listener

type MultiProvider 

type MultiProvider struct {
	// contains filtered or unexported fields
}

MultiProvider wraps multiple providers and implements the Provider interface

func NewMultiProvider 

func NewMultiProvider(providers []Provider, logger zerolog.Logger) *MultiProvider

NewMultiProvider creates a new multi-provider that wraps multiple providers

func NewMultiProviderFromConfig 

func NewMultiProviderFromConfig(cfg Config, logger zerolog.Logger) (*MultiProvider, error)

NewMultiProviderFromConfig creates a MultiProvider from configuration

Example

ExampleNewMultiProviderFromConfig demonstrates creating a multi-provider from configuration 

package main

import (
	"context"
	"fmt"

	"github.com/dioad/net/authz/prefixlist"
	"github.com/rs/zerolog"
)

func main() {
	logger := zerolog.Nop()

	config := prefixlist.Config{
		Providers: []prefixlist.ProviderConfig{
			{
				Name:    "github",
				Enabled: true,
				Filter:  map[string]string{"service": "hooks"}, // Only GitHub webhook IPs
			},
			{
				Name:    "gitlab",
				Enabled: true,
			},
		},
	}

	multiProvider, err := prefixlist.NewMultiProviderFromConfig(config, logger)
	if err != nil {
		panic(err)
	}

	ctx := context.Background()
	_, err = multiProvider.Prefixes(ctx)
	if err != nil {
		panic(err)
	}

	fmt.Println("MultiProvider created with multiple providers")
}

Output:

MultiProvider created with multiple providers

func (*MultiProvider) Contains 

func (m *MultiProvider) Contains(addr netip.Addr) bool

Contains checks if an IP address is in any of the cached prefix lists

func (*MultiProvider) GetPrefixes 

func (m *MultiProvider) GetPrefixes() []netip.Prefix

GetPrefixes returns a copy of all current prefixes

func (*MultiProvider) Name 

func (m *MultiProvider) Name() string

Name returns a combined name of all providers

func (*MultiProvider) Prefixes 

func (m *MultiProvider) Prefixes(ctx context.Context) ([]netip.Prefix, error)

Prefixes fetches prefixes from all wrapped providers

type Provider 

type Provider interface {
	// Name returns the provider name (e.g., "github", "cloudflare")
	Name() string

	// Prefixes returns the current list of IP prefixes from the provider
	Prefixes(ctx context.Context) ([]netip.Prefix, error)

	// Contains checks if an IP address is in the provider's prefix list
	Contains(addr netip.Addr) bool
}

Provider defines the interface for fetching IP prefix lists from different sources

func NewProviderFromConfig 

func NewProviderFromConfig(cfg ProviderConfig) (Provider, error)

NewProviderFromConfig creates a provider instance from configuration

type ProviderConfig 

type ProviderConfig struct {
	// Name is the provider name (github, cloudflare, google, atlassian, gitlab, aws)
	Name string `mapstructure:"name" yaml:"name"`

	// Enabled controls whether this provider is active
	Enabled bool `mapstructure:"enabled" yaml:"enabled"`

	// Filter optionally filters prefixes using a map of key-value pairs
	// Examples:
	//   GitHub: {"service": "hooks"} or {"service": "actions"}
	//   AWS: {"service": "EC2", "region": "us-east-1"}
	//   Google: {"scope": "us-central1", "service": "Google Cloud"}
	//   Atlassian: {"region": "global", "product": "jira"}
	//   Cloudflare: {"version": "ipv6"}
	Filter map[string]string `mapstructure:"filter" yaml:"filter,omitempty"`
}

ProviderConfig represents configuration for a single provider

type TransformFunc 

type TransformFunc[T any] func(T) ([]netip.Prefix, error)

TransformFunc is a function that transforms fetched data into a list of prefixes

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.