So looks like nftables is my only choice then?
On Friday, March 15, 2019 at 10:30:28 PM UTC+8, Andrei Tudor Călin wrote:
>
> That sounds like something a firewall would do, not your Go program.
>
> On 3/15/19 3:14 PM, Glen Huang wrote:
> > Thanks, but if I'm not wrong, that means the three-way handshake has to
> > complete before I can reject a client? Any way I can reject them at SYN?
> >
> > On Friday, March 15, 2019 at 10:07:57 PM UTC+8, Andrei Tudor Călin wrote:
> >>
> >> Here is a rough sketch:
> >>
> >> type allowedIPsListener struct {
> >>     allowedIPs []net.IP // remote IPs permitted to connect
> >>     inner      net.Listener
> >> }
> >>
> >> func (ln *allowedIPsListener) Accept() (net.Conn, error) {
> >>     for {
> >>         conn, err := ln.inner.Accept()
> >>         if err != nil {
> >>             return nil, err
> >>         }
> >>         if !ln.allowed(conn.RemoteAddr()) {
> >>             // Rejected before the connection is handed to crypto/tls.
> >>             conn.Close()
> >>             continue
> >>         }
> >>         return conn, nil
> >>     }
> >> }
> >>
> >> func (ln *allowedIPsListener) Close() error {
> >>     return ln.inner.Close()
> >> }
> >>
> >> func (ln *allowedIPsListener) Addr() net.Addr {
> >>     return ln.inner.Addr()
> >> }
> >>
> >> // allowed is deny-by-default: anything that is not a TCP address from a
> >> // listed IP is rejected.
> >> func (ln *allowedIPsListener) allowed(addr net.Addr) bool {
> >>     tcpAddr, ok := addr.(*net.TCPAddr)
> >>     if !ok {
> >>         return false
> >>     }
> >>     for _, ip := range ln.allowedIPs {
> >>         if ip.Equal(tcpAddr.IP) {
> >>             return true
> >>         }
> >>     }
> >>     return false
> >> }
> >>
> >> Then, to use:
> >>
> >> ln, err := net.Listen("tcp", addr)
> >> if err != nil {
> >>     log.Fatal(err)
> >> }
> >> aln := &allowedIPsListener{allowedIPs: yourListOfIPs, inner: ln}
> >> tlsln := tls.NewListener(aln, yourTLSConfig)
> >>
> >> // use tlsln
> >>
> >> On 3/15/19 2:58 PM, Glen Huang wrote:
> >>> Thanks for the quick reply.
> >>>
> >>> I want to use tcp; is it possible to leverage TCPListener, or do I have to
> >>> invent my own? It seems I'll face the same issue as I do with tls?
> >>>
> >>> On Friday, March 15, 2019 at 9:46:00 PM UTC+8, Andrei Tudor Călin wrote:
> >>>>
> >>>> Begin by implementing a `net.Listener` which checks the list of allowed IPs.
> >>>> You'll be able to run code before the connection is passed on to
> >>>> crypto/tls.
> >>>> Wrap it using https://golang.org/pkg/crypto/tls/#NewListener.
> >>>>
> >>>> On 3/15/19 2:10 PM, Glen Huang wrote:
> >>>>> I'm trying to limit which clients are allowed to connect to my tls server
> >>>>> by their IPs.
> >>>>>
> >>>>> I know I can do that after Accept, check their IPs and close the connection
> >>>>> if they're not whitelisted. But that means the full tls handshake has to
> >>>>> complete before I can do that.
> >>>>>
> >>>>> Another option is that I can use nftables to whitelist clients at the
> >>>>> kernel level. But to do that, I either have to spawn a subprocess to call
> >>>>> nft, which is kinda slow, or use google/nftables that isn't production
> >>>>> ready yet (also missing some features I need).
> >>>>>
> >>>>> Is there any way I can drop the tls connection when a client sends SYN?
> >>>>>
> >>>>> Thanks in advance.
> >>>>>
> >>>>
> >>>> --
> >>>> Andrei Tudor Călin
> >>>>
> >>>
> >>
> >> --
> >> Andrei Tudor Călin
> >>
> >
>
> --
> Andrei Tudor Călin
>
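The listener wrapper Andrei sketches above, carried through as a complete, self-contained Go program. This is an added example, not code from the thread or from any project mentioned in it; it generalises the sketch from a flat IP list to a CIDR allowlist (a single host is written as /32 or /128) and adds constructed test doubles (`fakeConn`, `fakeListener`, no real sockets) so the filter can be exercised offline with chosen remote addresses. The names `allowedIPsListener`, `newAllowedIPsListener` and `filterRemotes` are this example's own. The security property it demonstrates is the one the thread settles on: the check runs in `Accept`, so a rejected peer's bytes never reach `crypto/tls`, but the kernel has already completed the three-way handshake, so SYN-level rejection still belongs to a kernel firewall such as nftables.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// allowedIPsListener wraps a net.Listener and closes any accepted connection whose
// remote IP is outside the allowlist: after the kernel's TCP handshake, before crypto/tls.
type allowedIPsListener struct {
	allowedNets []*net.IPNet
	inner       net.Listener
}

// newAllowedIPsListener takes CIDR entries (use /32 or /128 for single hosts).
func newAllowedIPsListener(inner net.Listener, cidrs []string) (*allowedIPsListener, error) {
	ln := &allowedIPsListener{inner: inner}
	for _, s := range cidrs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", s, err)
		}
		ln.allowedNets = append(ln.allowedNets, n)
	}
	return ln, nil
}

// Accept closes connections from non-allowed IPs and keeps waiting for one to return.
func (ln *allowedIPsListener) Accept() (net.Conn, error) {
	for {
		conn, err := ln.inner.Accept()
		if err != nil {
			return nil, err
		}
		if ln.allowed(conn.RemoteAddr()) {
			return conn, nil
		}
		conn.Close()
	}
}

func (ln *allowedIPsListener) Close() error   { return ln.inner.Close() }
func (ln *allowedIPsListener) Addr() net.Addr { return ln.inner.Addr() }

// allowed is deny-by-default: non-TCP addresses and unlisted IPs are rejected.
func (ln *allowedIPsListener) allowed(addr net.Addr) bool {
	tcpAddr, ok := addr.(*net.TCPAddr)
	if !ok {
		return false
	}
	for _, n := range ln.allowedNets {
		if n.Contains(tcpAddr.IP) {
			return true
		}
	}
	return false
}

// fakeConn and fakeListener are constructed test doubles (no real sockets).
type fakeConn struct {
	net.Conn // nil; only RemoteAddr and Close are called on these
	remote   net.Addr
	closed   bool
}
func (c *fakeConn) RemoteAddr() net.Addr { return c.remote }
func (c *fakeConn) Close() error         { c.closed = true; return nil }

type fakeListener struct{ queue []*fakeConn }
func (l *fakeListener) Accept() (net.Conn, error) {
	if len(l.queue) == 0 {
		return nil, errors.New("fake listener drained")
	}
	c := l.queue[0]
	l.queue = l.queue[1:]
	return c, nil
}
func (l *fakeListener) Close() error   { return nil }
func (l *fakeListener) Addr() net.Addr { return &net.TCPAddr{IP: net.IPv4zero} }

// filterRemotes runs remote IPs through the wrapper: accepted = surfaced by Accept,
// rejected = closed without ever reaching the caller (or crypto/tls).
func filterRemotes(cidrs, remotes []string) (accepted, rejected []string, err error) {
	var conns []*fakeConn
	for _, r := range remotes {
		conns = append(conns, &fakeConn{remote: &net.TCPAddr{IP: net.ParseIP(r), Port: 40000}})
	}
	ln, err := newAllowedIPsListener(&fakeListener{queue: conns}, cidrs)
	if err != nil {
		return nil, nil, err
	}
	for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
		accepted = append(accepted, conn.RemoteAddr().(*net.TCPAddr).IP.String())
	}
	for _, c := range conns {
		if c.closed {
			rejected = append(rejected, c.remote.(*net.TCPAddr).IP.String())
		}
	}
	return accepted, rejected, nil
}
```

In production the `inner` listener is the one returned by `net.Listen("tcp", addr)` and the wrapper is passed to `tls.NewListener`, exactly as in the sketch; the `allowed` method is written deny-by-default so that a non-TCP address (or a nil `RemoteAddr`) is rejected rather than let through.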