Documentation
Overview
Package filter is a stateful packet filter.
Index
- type CapMatch
- type CapTestFunc
- type Filter
- func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet, ...) *Filter
- func NewAllowAllForTest(logf logger.Logf) *Filter
- func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter
- func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, ...) *Filter
- func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
- func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response
- func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response
- func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response
- func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) (Response, usermetric.DropReason)
- func (f *Filter) ShieldsUp() bool
- type Match
- type NetPortRange
- type PacketMatch
- type PortRange
- type Response
- type RunFlags
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CapMatch (added in v1.24.0)
type CapMatch = filtertype.CapMatch
type CapTestFunc (added in v1.70.0)
type CapTestFunc = func(srcIP netip.Addr, cap tailcfg.NodeCapability) bool
CapTestFunc is the signature of a function that tests whether srcIP has a given capability.
It is used in the fast path of evaluating filter rules, so it should be fast.
type Filter
type Filter struct {
// IngressAllowHooks are hooks that allow extensions to accept inbound
// packets beyond the standard filter rules. Packets that are not dropped
// by the direction-agnostic pre-check, but would not be accepted by the
// main filter rules, including the check for destinations in the node's
// local IP set, will be accepted if they match one of these hooks.
// As of 2026-02-24, the ingress filter does not implement explicit drop
// rules, but if it does, an explicitly dropped packet will be dropped,
// and these hooks will not be evaluated.
//
// Processing of hooks stops after the first one that returns true.
// The returned why string of the first match is used in logging.
// Returning false does not drop the packet.
// See also [filter.Filter.IngressAllowHooks].
IngressAllowHooks []PacketMatch
// LinkLocalAllowHooks are hooks that provide exceptions to the default
// policy of dropping link-local unicast packets. They run inside the
// direction-agnostic pre-checks for both ingress and egress.
//
// A hook can allow a link-local packet to pass the link-local check,
// but the packet is still subject to all other filter rules, and could be
// dropped elsewhere. Matching link-local packets are not logged.
// See also [filter.Filter.LinkLocalAllowHooks].
LinkLocalAllowHooks []PacketMatch
// contains filtered or unexported fields
}
Filter is a stateful packet filter.
func New
func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
New creates a new packet filter. The filter enforces that incoming packets must be destined to an IP in localNets, and must be allowed by matches. The optional capTest func is used to evaluate a Match that uses capabilities. If nil, such matches will always fail.
If shareStateWith is non-nil, the returned filter shares state with the previous one, to enable changing rules at runtime without breaking existing stateful flows.
func NewAllowAllForTest (added in v1.4.0)
func NewAllowAllForTest(logf logger.Logf) *Filter
NewAllowAllForTest returns a packet filter that accepts everything. Use in tests only, as it permits some kinds of spoofing attacks to reach the OS network stack.
func NewAllowNone
func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter
NewAllowNone returns a packet filter that rejects everything.
func NewShieldsUpFilter (added in v1.4.0)
func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
NewShieldsUpFilter returns a packet filter that rejects incoming connections.
If shareStateWith is non-nil, the returned filter shares state with the previous one, as long as the previous one was also a shields-up filter.
func (*Filter) CapsWithValues (added in v1.48.0)
func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
CapsWithValues returns the capabilities, with their values, that srcIP has when talking to dstIP.
func (*Filter) Check (added in v1.56.0)
func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response
Check determines whether traffic from srcIP to dstIP:dstPort is allowed using protocol proto.
func (*Filter) CheckTCP (added in v1.4.0)
func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response
CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort is allowed.
func (*Filter) RunIn
func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response
RunIn determines whether this node is allowed to receive q from a Tailscale peer.
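As an added illustration (not the package's own code), a stdlib-only Go model of the ingress order described for the Filter hooks, New and RunIn above: the link-local pre-check, the local-destination check with the main rules, then IngressAllowHooks as the last chance to accept, stopping at the first hook that returns true. The Packet struct, the predicate-shaped Rules and the single LocalNet prefix are simplifications of this model, not the real types.

```go
package main

import "net/netip"

// Packet carries only the fields this model needs (the real code uses *packet.Parsed).
type Packet struct {
	Src, Dst netip.Addr
	DstPort  uint16
}

// PacketMatch mirrors the hook shape documented above: a match plus a short "why" for logging.
type PacketMatch func(p Packet) (match bool, why string)

// Filter models the ingress path; Rules stands in for the main match rules.
type Filter struct {
	LocalNet            netip.Prefix // simplification: the node's local IPs as one prefix
	Rules               []PacketMatch
	IngressAllowHooks   []PacketMatch
	LinkLocalAllowHooks []PacketMatch
}

// first returns the verdict of the first matcher that reports true; false never drops anything.
func first(ms []PacketMatch, p Packet) (bool, string) {
	for _, m := range ms {
		if ok, why := m(p); ok {
			return true, why
		}
	}
	return false, ""
}

// RunIn applies the documented order: link-local pre-check, local-destination
// check plus main rules, then the ingress hooks as a last chance to accept.
func (f *Filter) RunIn(p Packet) (accept bool, why string) {
	if p.Dst.IsLinkLocalUnicast() { // default policy: drop link-local unicast
		if ok, _ := first(f.LinkLocalAllowHooks, p); !ok {
			return false, "link-local"
		} // passed the pre-check only; everything below still applies
	}
	if f.LocalNet.Contains(p.Dst) {
		if ok, why := first(f.Rules, p); ok {
			return true, why
		}
	}
	if ok, why := first(f.IngressAllowHooks, p); ok {
		return true, why
	}
	return false, "no rule"
}
```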
func (*Filter) RunOut
func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) (Response, usermetric.DropReason)
RunOut determines whether this node is allowed to send q to a Tailscale peer.
type Match
type Match = filtertype.Match
func MatchesFromFilterRules (added in v1.2.0)
func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error)
MatchesFromFilterRules converts tailcfg FilterRules into Matches. If an error is returned, the Matches result is still valid, containing the rules that were successfully converted.
type NetPortRange (added in v0.98.1)
type NetPortRange = filtertype.NetPortRange
type PacketMatch (added in v1.96.0)
PacketMatch is a function that inspects a packet and reports whether it matches a custom filter criterion. If match is true, why should be a short human-readable reason for the match, used in filter logging (e.g. "corp-dns ok").
type PortRange
type PortRange = filtertype.PortRange
Directories
| Path | Synopsis |
|---|---|
| filtertype | Package filtertype defines the types used by wgengine/filter. |