restrict

package

v0.67.3 Latest Latest Go to latest Published: Apr 2, 2026 License: BSD-3-Clause, AGPL-3.0 Imports: 5 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/netbirdio/netbird

Links

Open Source Insights

Documentation ¶

Overview ¶

Package restrict provides connection-level access control based on IP CIDR ranges and geolocation (country codes).

Index ¶

type Filter
- func ParseFilter(allowedCIDRs, blockedCIDRs, allowedCountries, blockedCountries []string) *Filter
- func (f *Filter) Check(addr netip.Addr, geo GeoResolver) Verdict
- func (f *Filter) HasRestrictions() bool
type GeoResolver
type Verdict
- func (v Verdict) String() string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Filter ¶

type Filter struct {
	AllowedCIDRs     []netip.Prefix
	BlockedCIDRs     []netip.Prefix
	AllowedCountries []string
	BlockedCountries []string
}

Filter evaluates IP restrictions. CIDR checks are performed first (cheap), followed by country lookups (more expensive) only when needed.

func ParseFilter ¶

func ParseFilter(allowedCIDRs, blockedCIDRs, allowedCountries, blockedCountries []string) *Filter

ParseFilter builds a Filter from the raw string slices. Returns nil if all slices are empty.

func (*Filter) Check ¶

func (f *Filter) Check(addr netip.Addr, geo GeoResolver) Verdict

Check evaluates whether addr is permitted. CIDR rules are evaluated first because they are O(n) prefix comparisons. Country rules run only when CIDR checks pass and require a geo lookup.

func (*Filter) HasRestrictions ¶

func (f *Filter) HasRestrictions() bool

HasRestrictions returns true if any restriction rules are configured.

type GeoResolver ¶

type GeoResolver interface {
	LookupAddr(addr netip.Addr) geolocation.Result
	Available() bool
}

GeoResolver resolves an IP address to geographic information.

type Verdict ¶

type Verdict int

Verdict is the result of an access check.

const (
	// Allow indicates the address passed all checks.
	Allow Verdict = iota
	// DenyCIDR indicates the address was blocked by a CIDR rule.
	DenyCIDR
	// DenyCountry indicates the address was blocked by a country rule.
	DenyCountry
	// DenyGeoUnavailable indicates that country restrictions are configured
	// but the geo lookup is unavailable.
	DenyGeoUnavailable
)

func (Verdict) String ¶

func (v Verdict) String() string

String returns the deny reason string matching the HTTP auth mechanism names.

Source Files ¶

View all Source files

restrict.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL