Check determines whether traffic from srcIP to dstIP:dstPort is allowed using protocol proto.
(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto)
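// Check determines whether traffic from srcIP to dstIP:dstPort is allowed
// using protocol proto.
//
// It fills in a synthetic packet.Parsed with the given addresses, port and
// protocol and returns the verdict of f.RunIn for it. Check returns Drop
// without consulting RunIn when the source and destination address families
// differ, or when srcIP is neither IPv4 nor IPv6 (for example the zero
// netip.Addr).
func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response {
	pkt := &packet.Parsed{}
	pkt.Decode(dummyPacket) // initialize private fields
	switch {
	case (srcIP.Is4() && dstIP.Is6()) || (srcIP.Is6() && dstIP.Is4()):
		// Mismatched address families, no filters will match.
		// Both directions must be tested: the second clause previously
		// compared srcIP with itself, so it could never be true and an
		// IPv6 source paired with an IPv4 destination fell through to
		// the filter instead of being dropped here.
		return Drop
	case srcIP.Is4():
		pkt.IPVersion = 4
	case srcIP.Is6():
		pkt.IPVersion = 6
	default:
		// Reached when srcIP is the zero (invalid) netip.Addr, for which
		// Is4 and Is6 are both false. Fail closed rather than panic, so a
		// caller passing an unset address cannot crash the process.
		return Drop
	}
	// NOTE(review): an invalid dstIP paired with a valid srcIP is still
	// handed to RunIn; confirm that RunIn drops such a packet.

	// Check takes no source port, so the synthetic packet uses port 0.
	pkt.Src = netip.AddrPortFrom(srcIP, 0)
	pkt.Dst = netip.AddrPortFrom(dstIP, dstPort)
	pkt.IPProto = proto
	if proto == ipproto.TCP {
		// Presumably so the packet is evaluated as a new connection
		// attempt; confirm against RunIn's TCP handling.
		pkt.TCPFlags = packet.TCPSyn
	}

	return f.RunIn(pkt, 0)
}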
| 401 | |
| 402 | // CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort |
| 403 | // is allowed. |