Documentation
Overview
Package restrict provides connection-level access control based on IP CIDR ranges and geolocation (country codes).
Index

Constants: this section is empty.
Variables: this section is empty.
Functions: this section is empty.

Types
type CrowdSecChecker (added in v0.69.0)

type CrowdSecChecker interface {
	CheckIP(addr netip.Addr) *CrowdSecDecision
	Ready() bool
}
CrowdSecChecker queries CrowdSec decisions for an IP address.
type CrowdSecDecision (added in v0.69.0)

type CrowdSecDecision struct {
	Type DecisionType
}
CrowdSecDecision holds the type of a CrowdSec decision.
type CrowdSecMode (added in v0.69.0)

type CrowdSecMode string

CrowdSecMode is the per-service enforcement mode.

const (
	CrowdSecOff     CrowdSecMode = ""
	CrowdSecEnforce CrowdSecMode = "enforce"
	CrowdSecObserve CrowdSecMode = "observe"
)
type DecisionType (added in v0.69.0)

type DecisionType string

DecisionType is the type of CrowdSec remediation action.

const (
	DecisionBan      DecisionType = "ban"
	DecisionCaptcha  DecisionType = "captcha"
	DecisionThrottle DecisionType = "throttle"
)
type Filter

type Filter struct {
	AllowedCIDRs     []netip.Prefix
	BlockedCIDRs     []netip.Prefix
	AllowedCountries []string
	BlockedCountries []string
	CrowdSec         CrowdSecChecker
	CrowdSecMode     CrowdSecMode
}
Filter evaluates IP restrictions. CIDR checks are performed first (cheap), followed by country lookups (more expensive) only when needed.
func ParseFilter

func ParseFilter(cfg FilterConfig) *Filter
ParseFilter builds a Filter from the config. Returns nil if no restrictions are configured.
func (*Filter) Check

func (f *Filter) Check(addr netip.Addr, geo GeoResolver) Verdict
Check evaluates whether addr is permitted. CIDR rules are evaluated first because they are O(n) prefix comparisons. Country rules run only when CIDR checks pass and require a geo lookup. CrowdSec checks run last.
func (*Filter) HasRestrictions
HasRestrictions returns true if any restriction rules are configured.
func (*Filter) IsObserveOnly (added in v0.69.0)

IsObserveOnly returns true when the given verdict v is a CrowdSec verdict and the filter is in observe mode. Callers should log the verdict but not block the request.
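The evaluation order that Check and IsObserveOnly describe (CIDR rules first because they need no I/O, country rules only when configured because they need a geo lookup, CrowdSec last, and observe mode turning a CrowdSec verdict into log-only) can be seen end to end in the following stand-alone re-implementation. This is an added example, not the restrict package's own code: the Verdict constants keep the page's names and order, but GeoResolver is simplified to return a bare country code instead of geolocation.Result, CrowdSecChecker returns the decision type as a string, "allow-list means deny unless listed" and "fail closed when the geo lookup is unavailable" are assumptions about semantics the page does not spell out, and staticGeo, staticCrowdSec, DemoFilter, CheckString and ShouldBlock are constructed helpers using documentation IP ranges.

```go
package main

import "net/netip"

// Verdict mirrors the page's constants (same names, same order).
type Verdict int

const (
	Allow Verdict = iota
	DenyCIDR
	DenyCountry
	DenyGeoUnavailable
	DenyCrowdSecBan
	DenyCrowdSecCaptcha
	DenyCrowdSecThrottle
	DenyCrowdSecUnavailable
)

func (v Verdict) IsCrowdSec() bool { return v >= DenyCrowdSecBan } // verdict came from the CrowdSec stage

// GeoResolver is simplified to return a bare country code (assumption; the page's returns geolocation.Result).
type GeoResolver interface {
	LookupCountry(addr netip.Addr) string
	Available() bool
}

// CrowdSecChecker returns the decision type ("ban", "captcha", "throttle") or "" for no decision (assumption).
type CrowdSecChecker interface {
	CheckIP(addr netip.Addr) string
	Ready() bool
}

type Filter struct {
	AllowedCIDRs, BlockedCIDRs         []netip.Prefix
	AllowedCountries, BlockedCountries []string
	CrowdSec                           CrowdSecChecker
	CrowdSecMode                       string // "", "enforce" or "observe"
}

func anyOf[T any](xs []T, match func(T) bool) bool {
	for _, x := range xs {
		if match(x) {
			return true
		}
	}
	return false
}

// Check runs the stages in the documented order: CIDR (no I/O), then country
// (only when country rules exist, since it needs a lookup), then CrowdSec.
// Allow-lists mean "deny unless listed" (assumption, not stated on the page).
func (f *Filter) Check(addr netip.Addr, geo GeoResolver) Verdict {
	inCIDR := func(p netip.Prefix) bool { return p.Contains(addr) }
	if anyOf(f.BlockedCIDRs, inCIDR) || (len(f.AllowedCIDRs) > 0 && !anyOf(f.AllowedCIDRs, inCIDR)) {
		return DenyCIDR
	}
	if len(f.AllowedCountries)+len(f.BlockedCountries) > 0 {
		if geo == nil || !geo.Available() {
			return DenyGeoUnavailable // fail closed rather than silently skip the rule
		}
		cc := geo.LookupCountry(addr)
		isCC := func(c string) bool { return c == cc }
		if anyOf(f.BlockedCountries, isCC) || (len(f.AllowedCountries) > 0 && !anyOf(f.AllowedCountries, isCC)) {
			return DenyCountry
		}
	}
	if f.CrowdSec != nil && f.CrowdSecMode != "" {
		if !f.CrowdSec.Ready() {
			return DenyCrowdSecUnavailable
		}
		byDecision := map[string]Verdict{"ban": DenyCrowdSecBan, "captcha": DenyCrowdSecCaptcha, "throttle": DenyCrowdSecThrottle}
		if v, ok := byDecision[f.CrowdSec.CheckIP(addr)]; ok {
			return v
		}
	}
	return Allow
}

// IsObserveOnly: in observe mode a CrowdSec verdict is logged, not enforced; ShouldBlock is what a handler acts on.
func (f *Filter) IsObserveOnly(v Verdict) bool { return v.IsCrowdSec() && f.CrowdSecMode == "observe" }
func (f *Filter) ShouldBlock(v Verdict) bool   { return v != Allow && !f.IsObserveOnly(v) }
func (f *Filter) CheckString(ip string, geo GeoResolver) Verdict { return f.Check(netip.MustParseAddr(ip), geo) }

// Constructed test doubles: static tables in place of a GeoIP database and a CrowdSec bouncer.
type staticGeo map[string]string
type staticCrowdSec map[string]string

func (g staticGeo) LookupCountry(a netip.Addr) string { return g[a.String()] }
func (g staticGeo) Available() bool                   { return g != nil }
func (c staticCrowdSec) CheckIP(a netip.Addr) string  { return c[a.String()] }
func (c staticCrowdSec) Ready() bool                  { return c != nil }

// DemoFilter blocks one documentation CIDR, country "XX" and one CrowdSec-banned IP (all constructed values).
func DemoFilter(mode string) (*Filter, GeoResolver) {
	cs := staticCrowdSec{"198.51.100.7": "ban"}
	f := &Filter{BlockedCIDRs: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}, BlockedCountries: []string{"XX"}, CrowdSec: cs, CrowdSecMode: mode}
	return f, staticGeo{"192.0.2.10": "XX", "198.51.100.7": "ZZ", "198.51.100.8": "ZZ"}
}
```

Two points worth noticing when wiring this into a connection handler: an address inside a blocked CIDR is rejected before any geo lookup happens (so a missing GeoIP database never hides a CIDR block), and in observe mode the CrowdSec stage still returns its Deny verdict so it can be logged, while ShouldBlock stays false; any non-CrowdSec verdict is enforced regardless of mode.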
type FilterConfig (added in v0.69.0)

type FilterConfig struct {
	AllowedCIDRs     []string
	BlockedCIDRs     []string
	AllowedCountries []string
	BlockedCountries []string
	CrowdSec         CrowdSecChecker
	CrowdSecMode     CrowdSecMode
	Logger           *log.Entry
}
FilterConfig holds the raw configuration for building a Filter.
type GeoResolver

type GeoResolver interface {
	LookupAddr(addr netip.Addr) geolocation.Result
	Available() bool
}
GeoResolver resolves an IP address to geographic information.
type Verdict

type Verdict int

Verdict is the result of an access check.

const (
	// Allow indicates the address passed all checks.
	Allow Verdict = iota
	// DenyCIDR indicates the address was blocked by a CIDR rule.
	DenyCIDR
	// DenyCountry indicates the address was blocked by a country rule.
	DenyCountry
	// but the geo lookup is unavailable.
	DenyGeoUnavailable
	// DenyCrowdSecBan indicates a CrowdSec "ban" decision.
	DenyCrowdSecBan
	// DenyCrowdSecCaptcha indicates a CrowdSec "captcha" decision.
	DenyCrowdSecCaptcha
	// DenyCrowdSecThrottle indicates a CrowdSec "throttle" decision.
	DenyCrowdSecThrottle
	// completed its initial sync.
	DenyCrowdSecUnavailable
)
func (Verdict) IsCrowdSec (added in v0.69.0)
IsCrowdSec returns true when the verdict originates from a CrowdSec check.