Overview
Package ffnet builds outbound net.Dialers and their egress controls: a custom DNS resolver (via ffdns) plus a CIDR egress denylist for SSRF protection. It is the single place to configure how — and where — a client is allowed to make outbound connections.
Constants

const (
	// CIDRDenylist is the list of CIDR ranges to which outbound connections are blocked, as a
	// core SSRF mitigation. It is empty by default. Callers should
	// compose an appropriate denylist depending on the client's use case.
	NetCIDRDenylist = "cidrDenylist"
)
Variables
This section is empty.
Functions

func InitConfig

func NewDialer

NewDialer builds a *net.Dialer wired with the CIDR egress guard and the provided DNS resolver (if any). The caller is responsible for setting Timeout / KeepAlive to suit its protocol. Exported so any dialer-based client — HTTP, WebSocket, etc. — can apply identical outbound protection from the same config.
Types

type Config
type Config struct {
// CIDRDenylist is the set of CIDR ranges to block outbound connections to. Empty means no
// restriction.
CIDRDenylist []string
}
Config is the outbound-dialer configuration.
type DialControl

func NewDialControl
func NewDialControl(ctx context.Context, cfg *Config) (DialControl, error)
NewDialControl builds a net.Dialer Control function that rejects connections to any address inside the effective CIDR denylist. It runs after DNS resolution against the actual resolved IP, so it also defeats DNS-rebinding and literal-IP bypasses. Returns (nil, nil) when the effective denylist is empty (no restrictions).
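The following is an added example of the mechanism NewDialControl describes, written for this page rather than taken from ffnet: a Control hook that parses the CIDR denylist once, runs against the already-resolved "ip:port" the dialer is about to connect to, and returns nil when the list is empty. The names newDenyControl and ErrEgressDenied are assumptions for the example, not ffnet identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"syscall"
)

// ErrEgressDenied is returned when the resolved peer IP is denylisted.
// (Name is an assumption for this example, not an ffnet identifier.)
var ErrEgressDenied = errors.New("egress denied by CIDR denylist")

// newDenyControl is a stand-in for ffnet.NewDialControl: it parses the
// denylist once and returns a net.Dialer Control hook, or nil (no
// restriction) when the list is empty.
func newDenyControl(denylist []string) (func(network, address string, c syscall.RawConn) error, error) {
	if len(denylist) == 0 {
		return nil, nil
	}
	prefixes := make([]netip.Prefix, 0, len(denylist))
	for _, cidr := range denylist {
		p, err := netip.ParsePrefix(cidr)
		if err != nil {
			return nil, fmt.Errorf("bad denylist entry %q: %w", cidr, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	return func(network, address string, _ syscall.RawConn) error {
		// Control runs after DNS resolution, so address is "ip:port":
		// the check applies to the IP actually dialed, not the hostname.
		host, _, err := net.SplitHostPort(address)
		if err != nil {
			return err
		}
		ip, err := netip.ParseAddr(host)
		if err != nil {
			return fmt.Errorf("unexpected non-IP address %q: %w", address, err)
		}
		ip = ip.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1 so v4 rules apply
		for _, p := range prefixes {
			if p.Contains(ip) {
				return fmt.Errorf("%w: %s matches %s", ErrEgressDenied, ip, p)
			}
		}
		return nil
	}, nil
}
```

Install the returned hook as `(&net.Dialer{Control: ctl})`; because it sees the literal IP chosen for each connection attempt, a hostname that resolves or later rebinds to a denylisted range is rejected at the same point as a literal IP.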