That sounds like something a firewall would do, not your Go program.
On 3/15/19 3:14 PM, Glen Huang wrote:
> Thanks, but if I'm not wrong, that means the three-way handshake has to
> complete before I can reject a client? Any way I can reject them at SYN?
>
> On Friday, March 15, 2019 at 10:07:57 PM UTC+8, Andrei Tudor Călin wrote:
>>
>> Here is a rough sketch:
>>
>> import (
>> 	"crypto/tls"
>> 	"log"
>> 	"net"
>> )
>>
>> type allowedIPsListener struct {
>> 	allowed []net.IP
>> 	inner   net.Listener
>> }
>>
>> func (ln *allowedIPsListener) Accept() (net.Conn, error) {
>> 	for {
>> 		conn, err := ln.inner.Accept()
>> 		if err != nil {
>> 			return nil, err
>> 		}
>> 		// A conn rejected here never reaches crypto/tls, so no TLS handshake runs.
>> 		if !ln.isAllowed(conn.RemoteAddr()) {
>> 			conn.Close()
>> 			continue
>> 		}
>> 		return conn, nil
>> 	}
>> }
>>
>> func (ln *allowedIPsListener) Close() error {
>> 	return ln.inner.Close()
>> }
>>
>> func (ln *allowedIPsListener) Addr() net.Addr {
>> 	return ln.inner.Addr()
>> }
>>
>> // isAllowed reports whether addr's IP is in the allowlist. (A method cannot
>> // share a name with the allowed field, so it is not called allowed.)
>> func (ln *allowedIPsListener) isAllowed(addr net.Addr) bool {
>> 	tcpAddr, ok := addr.(*net.TCPAddr)
>> 	if !ok {
>> 		return false
>> 	}
>> 	for _, ip := range ln.allowed {
>> 		if ip.Equal(tcpAddr.IP) {
>> 			return true
>> 		}
>> 	}
>> 	return false
>> }
>>
>> Then, to use:
>>
>> ln, err := net.Listen("tcp", addr)
>> if err != nil {
>> log.Fatal(err)
>> }
>> aln := &allowedIPsListener{allowed: yourListOfIPs, inner: ln}
>> tlsln := tls.NewListener(aln, yourTLSConfig)
>>
>> // use tlsln
>>
>> On 3/15/19 2:58 PM, Glen Huang wrote:
>>> Thanks for the quick reply.
>>>
>>> I want to use tcp, is it possible to leverage TCPListener or do I have to
>>> invent my own? It seems I'll face the same issue as I do with tls?
>>>
>>> On Friday, March 15, 2019 at 9:46:00 PM UTC+8, Andrei Tudor Călin wrote:
>>>>
>>>> Begin by implementing a `net.Listener` which checks the list of allowed
>>>> IPs.
>>>> You'll be able to run code before the connection is passed on to
>>>> crypto/tls.
>>>> Wrap it using https://golang.org/pkg/crypto/tls/#NewListener.
>>>>
>>>> On 3/15/19 2:10 PM, Glen Huang wrote:
>>>>> I'm trying to limit which clients are allowed to connect to my tls
>>>>> server by their IPs.
>>>>>
>>>>> I know I can do that after Accept, check their IPs and close the
>>>>> connection if they're not whitelisted. But that means the full tls
>>>>> handshake has to complete before I can do that.
>>>>>
>>>>> Another option is that I can use nftables to whitelist clients at the
>>>>> kernel level. But to do that, I either have to spawn a subprocess to
>>>>> call nft, which is kinda slow, or use google/nftables that isn't
>>>>> production ready yet (also missing some features I need).
>>>>>
>>>>> Is there any way I can drop the tls connection when a client sends SYN?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>
>>>> --
>>>> Andrei Tudor Călin
>>>>
>>>
>>
>> --
>> Andrei Tudor Călin
>>
>
--
Andrei Tudor Călin
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
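The listener-wrapper approach from Andrei's sketch, carried through as an added example. This is not code from the thread: the cidrListener type, newCIDRListener, remoteIPAllowed and the loopbackProbe helper are my own names and assumptions. It answers Glen's follow-up directly: the probe dials a wrapped loopback listener and shows that net.Dial succeeds even for a rejected client, because the kernel has finished the three-way handshake before Accept ever returns, while the connection is closed before tls.NewListener would see it, so no TLS handshake runs for it. Unlike the sketch, the allowlist is CIDR-based (net.IPNet), parsed once at construction so a bad entry fails at startup, and anything that is not a TCP address fails closed.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"time"
)

// cidrListener closes every accepted connection whose remote IP is outside
// allowed. The check runs in Accept, before tls.NewListener wraps the conn, so
// a rejected peer never starts a TLS handshake. The TCP handshake is already
// complete by then; only a packet filter can refuse the SYN itself.
type cidrListener struct {
	inner   net.Listener
	allowed []*net.IPNet
}

func newCIDRListener(inner net.Listener, cidrs []string) (*cidrListener, error) {
	ln := &cidrListener{inner: inner}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("allowlist entry %q: %w", c, err)
		}
		ln.allowed = append(ln.allowed, n)
	}
	return ln, nil
}

// remoteIPAllowed is the socket-free check; non-TCP addresses fail closed.
func remoteIPAllowed(addr net.Addr, allowed []*net.IPNet) bool {
	tcpAddr, ok := addr.(*net.TCPAddr)
	if !ok || tcpAddr.IP == nil {
		return false
	}
	for _, n := range allowed {
		if n.Contains(tcpAddr.IP) {
			return true
		}
	}
	return false
}

func (ln *cidrListener) Accept() (net.Conn, error) {
	for {
		conn, err := ln.inner.Accept()
		if err != nil {
			return nil, err
		}
		if !remoteIPAllowed(conn.RemoteAddr(), ln.allowed) {
			conn.Close() // peer sees EOF; no TLS bytes were ever exchanged
			continue
		}
		return conn, nil
	}
}

func (ln *cidrListener) Close() error   { return ln.inner.Close() }
func (ln *cidrListener) Addr() net.Addr { return ln.inner.Addr() }

// loopbackProbe dials a wrapped loopback listener and reports whether the
// connection reached the server side (which writes one byte if it did).
// Dial succeeds either way: the kernel finished the TCP handshake first.
func loopbackProbe(cidrs []string) (accepted bool, err error) {
	raw, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	ln, err := newCIDRListener(raw, cidrs)
	if err != nil {
		raw.Close()
		return false, err
	}
	defer ln.Close() // also unblocks the Accept goroutine on the reject path
	go func() {
		if c, e := ln.Accept(); e == nil { // only an allowed peer gets here
			c.Write([]byte{'k'})
			c.Close()
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 1)
	n, err := conn.Read(buf) // io.EOF when rejected, 'k' when accepted
	if err != nil && err != io.EOF {
		return false, err
	}
	return n == 1 && buf[0] == 'k', nil
}

func main() {
	for _, cidrs := range [][]string{{"10.0.0.0/8"}, {"127.0.0.0/8"}} {
		accepted, err := loopbackProbe(cidrs)
		fmt.Printf("allowlist %v: accepted=%v err=%v\n", cidrs, accepted, err)
	}
}
```

Compose it exactly as in the sketch, tls.NewListener(ln, yourTLSConfig): crypto/tls only ever wraps connections that Accept returned, so a rejected peer costs the server one accept and one close and never allocates a tls.Conn. What it cannot do is what Glen asked for last, refusing the SYN; that stays with nftables or another packet filter, as Andrei says.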