ffnet

package
v1.6.2 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 29, 2026 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Package ffnet builds outbound net.Dialers and their egress controls: a custom DNS resolver (via ffdns) plus a CIDR egress denylist for SSRF protection. It is the single place to configure how — and where — a client is allowed to make outbound connections.

Constants

const (
	// NetCIDRDenylist is the list of CIDR ranges to which outbound connections are blocked, as a
	// core SSRF mitigation. It is empty by default. Callers should
	// compose an appropriate denylist depending on the client's use case.
	NetCIDRDenylist = "cidrDenylist"
)

Variables

This section is empty.

Functions

func InitConfig

func InitConfig(conf config.Section)

func NewDialer

func NewDialer(ctx context.Context, cfg *Config, resolver *net.Resolver) (*net.Dialer, error)

NewDialer builds a *net.Dialer wired with the CIDR egress guard and the provided DNS resolver (if any). The caller is responsible for setting Timeout / KeepAlive to suit its protocol. Exported so any dialer-based client (HTTP, WebSocket, etc.) can apply identical outbound protection from the same config.

Types

type Config

type Config struct {
	// CIDRDenylist is the set of CIDR ranges to block outbound connections to. Empty means no
	// restriction.
	CIDRDenylist []string
}

Config is the outbound-dialer configuration.

func GenerateConfig

func GenerateConfig(conf config.Section) (*Config, error)

type DialControl

type DialControl func(network, address string, c syscall.RawConn) error

func NewDialControl

func NewDialControl(ctx context.Context, cfg *Config) (DialControl, error)

NewDialControl builds a net.Dialer Control function that rejects connections to any address inside the effective CIDR denylist. It runs after DNS resolution against the actual resolved IP, so it also defeats DNS-rebinding and literal-IP bypasses. Returns (nil, nil) when the effective denylist is empty (no restrictions).
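
The check described above, sketched as an added example; it is not ffnet's source, which this page does not show. `denyControl` is a hypothetical helper and the denylist entries are constructed sample values. It goes slightly beyond the description by stripping IPv6 zones and unwrapping IPv4-mapped addresses before matching, and by failing closed on an unparseable address.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"syscall"
)

// denyControl is a hypothetical helper (not ffnet's code): a net.Dialer Control func over a CIDR denylist.
func denyControl(cidrs []string) (func(string, string, syscall.RawConn) error, error) {
	if len(cidrs) == 0 {
		return nil, nil // same contract as documented: empty denylist, no guard
	}
	deny := make([]netip.Prefix, 0, len(cidrs))
	for _, s := range cidrs {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("bad denylist entry %q: %w", s, err)
		}
		deny = append(deny, p.Masked())
	}
	return func(_, address string, _ syscall.RawConn) error {
		// Control sees the post-resolution "ip:port", never the hostname.
		ap, err := netip.ParseAddrPort(address)
		if err != nil {
			return fmt.Errorf("egress guard: cannot parse %q: %w", address, err) // fail closed
		}
		// Strip the zone and unwrap ::ffff:a.b.c.d so the prefixes still match.
		ip := ap.Addr().WithZone("").Unmap()
		for _, p := range deny {
			if p.Contains(ip) {
				return fmt.Errorf("egress guard: %s is in denied range %s", ip, p)
			}
		}
		return nil
	}, nil
}

func main() {
	// Constructed denylist: loopback, link-local (cloud metadata), RFC 1918 10/8.
	ctl, err := denyControl([]string{"127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	d := &net.Dialer{Control: ctl}        // every dial through d is now checked
	_, err = d.Dial("tcp", "127.0.0.1:9") // rejected by the guard before connect(2)
	fmt.Println(err)
}
```

Because the guard matches on the socket address rather than the URL host, a hostname that resolves into a denied range is rejected the same way as a literal IP.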