@@ -12,6 +12,8 @@ import (
1212// See below for the different policies.
1313//
1414// In case an error is returned the connection is denied.
15+ //
16+ // Deprecated: use ConnPolicyFunc instead.
1517type PolicyFunc func (upstream net.Addr ) (Policy , error )
1618
1719// ConnPolicyFunc can be used to decide whether to trust the PROXY info
@@ -53,13 +55,13 @@ const (
5355 SKIP
5456)
5557
56- // SkipProxyHeaderForCIDR returns a PolicyFunc which can be used to accept a
57- // connection from a skipHeaderCIDR without requiring a PROXY header, e.g.
58+ // ConnSkipProxyHeaderForCIDR returns a ConnPolicyFunc which can be used to accept
59+ // a connection from a skipHeaderCIDR without requiring a PROXY header, e.g.
5860// Kubernetes pods local traffic. The def is a policy to use when an upstream
5961// address doesn't match the skipHeaderCIDR.
60- func SkipProxyHeaderForCIDR (skipHeaderCIDR * net.IPNet , def Policy ) PolicyFunc {
61- return func (upstream net. Addr ) (Policy , error ) {
62- ip , err := ipFromAddr (upstream )
62+ func ConnSkipProxyHeaderForCIDR (skipHeaderCIDR * net.IPNet , def Policy ) ConnPolicyFunc {
63+ return func (connOpts ConnPolicyOptions ) (Policy , error ) {
64+ ip , err := ipFromAddr (connOpts . Upstream )
6365 if err != nil {
6466 return def , err
6567 }
@@ -72,36 +74,94 @@ func SkipProxyHeaderForCIDR(skipHeaderCIDR *net.IPNet, def Policy) PolicyFunc {
7274 }
7375}
7476
77+ // SkipProxyHeaderForCIDR returns a PolicyFunc which can be used to accept a
78+ // connection from a skipHeaderCIDR without requiring a PROXY header, e.g.
79+ // Kubernetes pods local traffic. The def is a policy to use when an upstream
80+ // address doesn't match the skipHeaderCIDR.
81+ //
82+ // Deprecated: use ConnSkipProxyHeaderForCIDR instead.
83+ func SkipProxyHeaderForCIDR (skipHeaderCIDR * net.IPNet , def Policy ) PolicyFunc {
84+ connPolicy := ConnSkipProxyHeaderForCIDR (skipHeaderCIDR , def )
85+ return func (upstream net.Addr ) (Policy , error ) {
86+ return connPolicy (ConnPolicyOptions {Upstream : upstream })
87+ }
88+ }
89+
7590// WithPolicy adds given policy to a connection when passed as option to NewConn()
7691func WithPolicy (p Policy ) func (* Conn ) {
7792 return func (c * Conn ) {
7893 c .ProxyHeaderPolicy = p
7994 }
8095}
8196
97+ // ConnLaxWhiteListPolicy returns a ConnPolicyFunc which decides whether the
98+ // upstream ip is allowed to send a proxy header based on a list of allowed
99+ // IP addresses and IP ranges. In case upstream IP is not in list the proxy
100+ // header will be ignored. If one of the provided IP addresses or IP ranges
101+ // is invalid it will return an error instead of a ConnPolicyFunc.
102+ func ConnLaxWhiteListPolicy (allowed []string ) (ConnPolicyFunc , error ) {
103+ allowFrom , err := parse (allowed )
104+ if err != nil {
105+ return nil , err
106+ }
107+
108+ return connWhitelistPolicy (allowFrom , IGNORE ), nil
109+ }
110+
82111// LaxWhiteListPolicy returns a PolicyFunc which decides whether the
83112// upstream ip is allowed to send a proxy header based on a list of allowed
84113// IP addresses and IP ranges. In case upstream IP is not in list the proxy
85114// header will be ignored. If one of the provided IP addresses or IP ranges
86115// is invalid it will return an error instead of a PolicyFunc.
116+ //
117+ // Deprecated: use ConnLaxWhiteListPolicy instead.
87118func LaxWhiteListPolicy (allowed []string ) (PolicyFunc , error ) {
88- allowFrom , err := parse (allowed )
119+ connPolicy , err := ConnLaxWhiteListPolicy (allowed )
89120 if err != nil {
90121 return nil , err
91122 }
92123
93- return whitelistPolicy (allowFrom , IGNORE ), nil
124+ return func (upstream net.Addr ) (Policy , error ) {
125+ return connPolicy (ConnPolicyOptions {Upstream : upstream })
126+ }, nil
127+ }
128+
129+ // ConnMustLaxWhiteListPolicy returns a ConnLaxWhiteListPolicy but will panic
130+ // if one of the provided IP addresses or IP ranges is invalid.
131+ func ConnMustLaxWhiteListPolicy (allowed []string ) ConnPolicyFunc {
132+ pfunc , err := ConnLaxWhiteListPolicy (allowed )
133+ if err != nil {
134+ panic (err )
135+ }
136+
137+ return pfunc
94138}
95139
96140// MustLaxWhiteListPolicy returns a LaxWhiteListPolicy but will panic if one
97141// of the provided IP addresses or IP ranges is invalid.
142+ //
143+ // Deprecated: use ConnMustLaxWhiteListPolicy instead.
98144func MustLaxWhiteListPolicy (allowed []string ) PolicyFunc {
99- pfunc , err := LaxWhiteListPolicy (allowed )
145+ connPolicy := ConnMustLaxWhiteListPolicy (allowed )
146+ return func (upstream net.Addr ) (Policy , error ) {
147+ return connPolicy (ConnPolicyOptions {Upstream : upstream })
148+ }
149+ }
150+
151+ // ConnStrictWhiteListPolicy returns a ConnPolicyFunc which decides whether the
152+ // upstream ip is allowed to send a proxy header based on a list of allowed
153+ // IP addresses and IP ranges. In case upstream IP is not in list reading on
154+ // the connection will be refused on the first read. Please note: subsequent
155+ // reads do not error. It is the task of the code using the connection to
156+ // handle that case properly. If one of the provided IP addresses or IP
157+ // ranges is invalid it will return an error instead of a ConnPolicyFunc.
158+ func ConnStrictWhiteListPolicy (allowed []string ) (ConnPolicyFunc , error ) {
159+ allowFrom , err := parse (allowed )
100160 if err != nil {
101- panic ( err )
161+ return nil , err
102162 }
103163
104- return pfunc
164+ return connWhitelistPolicy ( allowFrom , REJECT ), nil
105165}
106166
107167// StrictWhiteListPolicy returns a PolicyFunc which decides whether the
@@ -111,29 +171,44 @@ func MustLaxWhiteListPolicy(allowed []string) PolicyFunc {
111171// reads do not error. It is the task of the code using the connection to
112172// handle that case properly. If one of the provided IP addresses or IP
113173// ranges is invalid it will return an error instead of a PolicyFunc.
174+ //
175+ // Deprecated: use ConnStrictWhiteListPolicy instead.
114176func StrictWhiteListPolicy (allowed []string ) (PolicyFunc , error ) {
115- allowFrom , err := parse (allowed )
177+ connPolicy , err := ConnStrictWhiteListPolicy (allowed )
116178 if err != nil {
117179 return nil , err
118180 }
119181
120- return whitelistPolicy (allowFrom , REJECT ), nil
182+ return func (upstream net.Addr ) (Policy , error ) {
183+ return connPolicy (ConnPolicyOptions {Upstream : upstream })
184+ }, nil
121185}
122186
123- // MustStrictWhiteListPolicy returns a StrictWhiteListPolicy but will panic
187+ // ConnMustStrictWhiteListPolicy returns a ConnStrictWhiteListPolicy but will panic
124188// if one of the provided IP addresses or IP ranges is invalid.
125- func MustStrictWhiteListPolicy (allowed []string ) PolicyFunc {
126- pfunc , err := StrictWhiteListPolicy (allowed )
189+ func ConnMustStrictWhiteListPolicy (allowed []string ) ConnPolicyFunc {
190+ pfunc , err := ConnStrictWhiteListPolicy (allowed )
127191 if err != nil {
128192 panic (err )
129193 }
130194
131195 return pfunc
132196}
133197
134- func whitelistPolicy (allowed []func (net.IP ) bool , def Policy ) PolicyFunc {
198+ // MustStrictWhiteListPolicy returns a StrictWhiteListPolicy but will panic
199+ // if one of the provided IP addresses or IP ranges is invalid.
200+ //
201+ // Deprecated: use ConnMustStrictWhiteListPolicy instead.
202+ func MustStrictWhiteListPolicy (allowed []string ) PolicyFunc {
203+ connPolicy := ConnMustStrictWhiteListPolicy (allowed )
135204 return func (upstream net.Addr ) (Policy , error ) {
136- upstreamIP , err := ipFromAddr (upstream )
205+ return connPolicy (ConnPolicyOptions {Upstream : upstream })
206+ }
207+ }
208+
209+ func connWhitelistPolicy (allowed []func (net.IP ) bool , def Policy ) ConnPolicyFunc {
210+ return func (connOpts ConnPolicyOptions ) (Policy , error ) {
211+ upstreamIP , err := ipFromAddr (connOpts .Upstream )
137212 if err != nil {
138213 // something is wrong with the source IP, better reject the connection
139214 return REJECT , err