Documentation
Overview
Package private registers the "private" egress policy: it blocks outbound op dials whose resolved IP falls in loopback, private, link-local (incl. cloud-metadata 169.254.169.254), CGNAT/Tailscale, IPv6 ULA/link-local, and other IETF special-use space — plus any operator-supplied deny CIDRs. An allow CIDR is an explicit escape hatch and wins over deny.
The check runs at the dial step on the already-resolved IP, so it is DNS-rebinding safe. All CIDR sets are parsed once at Open(); CheckAddr is pure in-memory.
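One way to build a dial-time check like the one described, as an added example that is not this package's source: a `net.Dialer` `Control` hook receives the literal IP the socket is about to connect to, so a hostname that re-resolves to an internal address is still rejected. The names `policy`, `parse`, `defaultDeny`, `checkAddr` and `dialer` are hypothetical, and the deny list is a partial sample of the ranges named above.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"syscall"
)

type policy struct{ allow, deny []netip.Prefix } // hypothetical stand-in for the parsed CIDR sets

func parse(cidrs ...string) (set []netip.Prefix) {
	for _, c := range cidrs {
		set = append(set, netip.MustParsePrefix(c)) // parsed once up front; bad CIDR panics at startup
	}
	return set
}

// Partial deny list for the ranges named above, not the full special-use registry.
var defaultDeny = parse("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")

func contains(set []netip.Prefix, ip netip.Addr) bool {
	for _, p := range set {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// checkAddr takes the literal "ip:port" a socket is about to connect to; no DNS, no I/O.
func (p policy) checkAddr(address string) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("egress: unparseable dial address %q: %w", address, err) // fail closed
	}
	ip := ap.Addr().Unmap().WithZone("") // fold ::ffff:a.b.c.d to IPv4; Contains never matches zoned addrs
	if !contains(p.allow, ip) && contains(p.deny, ip) { // an explicit allow wins over deny
		return fmt.Errorf("egress: %s is in a denied range", ip)
	}
	return nil
}

// dialer hooks the check into Control, which runs per connection attempt after DNS resolution.
func (p policy) dialer() *net.Dialer {
	return &net.Dialer{Control: func(_, addr string, _ syscall.RawConn) error { return p.checkAddr(addr) }}
}

func main() { fmt.Println(policy{deny: defaultDeny}.checkAddr("169.254.169.254:80")) }
```

Without the `Unmap` and `WithZone` normalisation, an IPv4-mapped loopback address or a zoned link-local address would not match any prefix and would pass the check.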