package filter
import "tailscale.com/wgengine/filter"
Package filter is a stateful packet filter.
Index
- type CapMatch
- type CapTestFunc
- type Filter
- func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
- func NewAllowAllForTest(logf logger.Logf) *Filter
- func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter
- func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
- func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
- func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response
- func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response
- func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response
- func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) (Response, usermetric.DropReason)
- func (f *Filter) ShieldsUp() bool
- type Match
- func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error)
- type NetPortRange
- type PortRange
- type Response
- func (r Response) IsDrop() bool
- func (r Response) String() string
- type RunFlags
Types
type CapMatch
type CapMatch = filtertype.CapMatch
type CapTestFunc
type CapTestFunc = func(srcIP netip.Addr, cap tailcfg.NodeCapability) bool
CapTestFunc is the signature of a function that tests whether srcIP has a given capability.
It is called on the fast path of filter-rule evaluation, so it should be fast.
type Filter
type Filter struct {
// contains filtered or unexported fields
}
Filter is a stateful packet filter.
func New
func New(matches []Match, capTest CapTestFunc, localNets, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
New creates a new packet filter. The filter enforces that incoming packets must be destined to an IP in localNets, and must be allowed by matches. The optional capTest func is used to evaluate a Match that uses capabilities. If nil, such matches will always fail.
If shareStateWith is non-nil, the returned filter shares state with the previous one, to enable changing rules at runtime without breaking existing stateful flows.
func NewAllowAllForTest
func NewAllowAllForTest(logf logger.Logf) *Filter
NewAllowAllForTest returns a packet filter that accepts everything. Use in tests only, as it permits some kinds of spoofing attacks to reach the OS network stack.
func NewAllowNone
func NewAllowNone(logf logger.Logf, logIPs *netipx.IPSet) *Filter
NewAllowNone returns a packet filter that rejects everything.
func NewShieldsUpFilter
func NewShieldsUpFilter(localNets *netipx.IPSet, logIPs *netipx.IPSet, shareStateWith *Filter, logf logger.Logf) *Filter
NewShieldsUpFilter returns a packet filter that rejects incoming connections.
If shareStateWith is non-nil, the returned filter shares state with the previous one, as long as the previous one was also a shields up filter.
func (*Filter) CapsWithValues
func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap
CapsWithValues appends to base the capabilities that srcIP has talking to dstIP.
func (*Filter) Check
func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response
Check determines whether traffic from srcIP to dstIP:dstPort is allowed using protocol proto.
func (*Filter) CheckTCP
func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response
CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort is allowed.
func (*Filter) RunIn
func (f *Filter) RunIn(q *packet.Parsed, rf RunFlags) Response
RunIn determines whether this node is allowed to receive q from a Tailscale peer.
func (*Filter) RunOut
func (f *Filter) RunOut(q *packet.Parsed, rf RunFlags) (Response, usermetric.DropReason)
RunOut determines whether this node is allowed to send q to a Tailscale peer.
func (*Filter) ShieldsUp
func (f *Filter) ShieldsUp() bool
ShieldsUp reports whether this is a "shields up" (block everything incoming) filter.
type Match
type Match = filtertype.Match
func MatchesFromFilterRules
func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error)
MatchesFromFilterRules converts tailcfg FilterRules into Matches. If an error is returned, the Matches result is still valid, containing the rules that were successfully converted.
type NetPortRange
type NetPortRange = filtertype.NetPortRange
type PortRange
type PortRange = filtertype.PortRange
type Response
type Response int
Response is a verdict from the packet filter.
const (
	Drop Response = iota // do not continue processing packet.
	DropSilently // do not continue processing packet, but also don't log
	Accept // continue processing packet.
)
func (Response) IsDrop
func (r Response) IsDrop() bool
func (Response) String
func (r Response) String() string
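The semantics documented above for New (a packet must be destined to localNets and then be allowed by some Match; a capability Match with a nil capTest always fails), for Check/CheckTCP, and for the Response verdicts with IsDrop, as an added self-contained Go model. This is not the wgengine/filter package's own code: it keeps no flow state and does no logging, and Proto, NodeCapability, PortRange, the generic anyOf helper, the sample addresses and the "example:admin" capability are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Response mirrors the verdicts documented for wgengine/filter.
type Response int

const (
	Drop         Response = iota // do not continue processing packet
	DropSilently                 // do not continue processing, and do not log
	Accept                       // continue processing packet
)

// IsDrop is true for both drop verdicts; forwarding code only needs this bit.
func (r Response) IsDrop() bool   { return r == Drop || r == DropSilently }
func (r Response) String() string { return [...]string{"Drop", "DropSilently", "Accept"}[r] }

// Stand-ins (assumptions of this model) for ipproto.Proto, tailcfg.NodeCapability and filtertype.PortRange.
type Proto uint8
type NodeCapability string
type PortRange struct{ First, Last uint16 } // inclusive
type CapTestFunc func(srcIP netip.Addr, cap NodeCapability) bool // the documented shape
const TCP Proto = 6

// Match simplifies filtertype.Match: Srcs -> Dsts on a port in Ports over a listed Proto is allowed; a non-empty Caps makes it a capability rule.
type Match struct {
	Srcs, Dsts []netip.Prefix
	Ports      []PortRange
	Protos     []Proto
	Caps       []NodeCapability
}

// Filter models the documented evaluation order only (no flow state, no logging).
type Filter struct {
	matches   []Match
	capTest   CapTestFunc
	localNets []netip.Prefix
}

func New(matches []Match, capTest CapTestFunc, localNets []netip.Prefix) *Filter {
	return &Filter{matches: matches, capTest: capTest, localNets: localNets}
}

// anyOf reports whether pred holds for some element of s.
func anyOf[T any](s []T, pred func(T) bool) bool {
	for _, v := range s {
		if pred(v) {
			return true
		}
	}
	return false
}

func anyContains(ps []netip.Prefix, ip netip.Addr) bool {
	return anyOf(ps, func(p netip.Prefix) bool { return p.Contains(ip) })
}

// Check applies the two documented conditions in order: dstIP must lie in localNets, then some Match must allow srcIP -> dstIP:dstPort over proto.
func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto Proto) Response {
	if !anyContains(f.localNets, dstIP) {
		return Drop // not addressed to this node, so no rule is consulted
	}
	for _, m := range f.matches {
		if !anyContains(m.Srcs, srcIP) || !anyContains(m.Dsts, dstIP) || !anyOf(m.Protos, func(p Proto) bool { return p == proto }) {
			continue
		}
		// A capability rule consults capTest; with a nil capTest it always fails, as documented.
		if len(m.Caps) > 0 && (f.capTest == nil || !anyOf(m.Caps, func(c NodeCapability) bool { return f.capTest(srcIP, c) })) {
			continue
		}
		if anyOf(m.Ports, func(pr PortRange) bool { return pr.First <= dstPort && dstPort <= pr.Last }) {
			return Accept
		}
	}
	return Drop // default deny
}

// CheckTCP is the documented TCP convenience form of Check.
func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response { return f.Check(srcIP, dstIP, dstPort, TCP) }

// Constructed sample data: this node holds selfAddr; tailnet peers may reach TCP 22, and TCP 443 also needs the made-up "example:admin" capability, granted to peerAddr only.
var selfAddr, peerAddr, otherAddr = netip.MustParseAddr("100.64.0.1"), netip.MustParseAddr("100.64.0.7"), netip.MustParseAddr("100.64.0.2")
func adminCapTest(srcIP netip.Addr, cap NodeCapability) bool { return cap == "example:admin" && srcIP == peerAddr }

func demoFilter(capTest CapTestFunc) *Filter {
	tailnet, self := []netip.Prefix{netip.MustParsePrefix("100.64.0.0/10")}, []netip.Prefix{netip.PrefixFrom(selfAddr, 32)}
	return New([]Match{
		{Srcs: tailnet, Dsts: self, Ports: []PortRange{{22, 22}}, Protos: []Proto{TCP}},
		{Srcs: tailnet, Dsts: self, Ports: []PortRange{{443, 443}}, Protos: []Proto{TCP}, Caps: []NodeCapability{"example:admin"}},
	}, capTest, self)
}

func main() {
	noCaps, withCaps := demoFilter(nil), demoFilter(adminCapTest)
	fmt.Println(noCaps.CheckTCP(peerAddr, selfAddr, 22), noCaps.CheckTCP(peerAddr, selfAddr, 443))       // Accept Drop
	fmt.Println(withCaps.CheckTCP(peerAddr, selfAddr, 443), withCaps.CheckTCP(otherAddr, selfAddr, 443)) // Accept Drop
	fmt.Println(noCaps.CheckTCP(peerAddr, otherAddr, 22).IsDrop())                                       // true
}
```

The order of the two checks in Check is the point worth noticing: a packet for an address this node does not hold is dropped before any rule is consulted, and a capability rule can only ever widen access when a capTest is supplied, so leaving capTest nil fails closed.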
type RunFlags
type RunFlags int
RunFlags controls the filter's debug log verbosity at runtime.
const (
	LogDrops RunFlags = 1 << iota // write dropped packet info to logf
	LogAccepts // write accepted packet info to logf
	HexdumpDrops // print packet hexdump when logging drops
	HexdumpAccepts // print packet hexdump when logging accepts
)
Source Files
filter.go match.go tailcfg.go
Directories
| Path | Synopsis |
|---|---|
| wgengine/filter/filtertype | Package filtertype defines the types used by wgengine/filter. |
- Version: v1.84.0 (latest)
- Published: May 21, 2025
- Platform: linux/amd64
- Imports: 21 packages