tailcfg: document FilterRule

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
(cherry picked from commit bda53897b5)
pull/912/head
Brad Fitzpatrick 4 years ago
parent 76c2982d88
commit c1bae7ad64

@ -535,9 +535,28 @@ type NetPortRange struct {
} }
// FilterRule represents one rule in a packet filter. // FilterRule represents one rule in a packet filter.
//
// A rule is logically a set of source CIDRs to match (described by
// SrcIPs and SrcBits), and a set of destination targets that are then
// allowed if a source IP is mathces of those CIDRs.
type FilterRule struct { type FilterRule struct {
SrcIPs []string // "*" means all // SrcIPs are the source IPs/networks to match.
SrcBits []int // The special value "*" means to match all.
SrcIPs []string
// SrcBits values correspond to the SrcIPs above.
//
// If present at the same index, it changes the SrcIP above to
// be a network with /n CIDR bits. If the slice is nil or
// insufficiently long, the default value (for an IPv4
// address) for a position is 32, as if the SrcIPs above were
// a /32 mask. For a "*" SrcIPs value, the corresponding
// SrcBits value is ignored.
// TODO: for IPv6, clarify default bits length.
SrcBits []int
// DstPorts are the port ranges to allow once a source IP
// matches (is in the CIDR described by SrcIPs & SrcBits).
DstPorts []NetPortRange DstPorts []NetPortRange
} }
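Review bot: the FilterRule doc comment in this hunk carries a typo and a garbled clause, "allowed if a source IP is mathces of those CIDRs"; suggest "allowed if a source IP matches one of those CIDRs". Also, the SrcBits comment fixes the default mask width only for IPv4 (32, "as if the SrcIPs above were a /32 mask") and leaves IPv6 as a TODO; for a packet-filter rule the default match width is part of the rule's security semantics, so it is worth documenting what the filter actually applies to an IPv6 SrcIPs entry when SrcBits is nil or too short, rather than deferring it.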
