Skip to main content

NetworkPolicy

microsandbox_network::policy

Struct NetworkPolicy 

Source 
pub struct NetworkPolicy {
    pub default_egress: Action,
    pub default_ingress: Action,
    pub rules: Vec<Rule>,
}
Expand description

Network policy: single ordered rule list plus per-direction default actions.

Rules carry a Direction field that determines which evaluator considers them. Egress evaluation iterates rules where direction ∈ {Egress, Both}; ingress evaluation iterates rules where direction ∈ {Ingress, Both}. First-match-wins within a direction.

Fields§

§default_egress: Action

Default action for egress traffic not matching any rule. Deny paired with an implicit allow-Public rule reproduces today’s “public internet only” reachability.

§default_ingress: Action

Default action for ingress traffic not matching any rule. The per-field serde default is Deny so partially-specified JSON fails closed; permissive presets like NetworkPolicy::public_only flip this back to Allow explicitly.

§rules: Vec<Rule>

Ordered list of rules, evaluated first-match-wins per direction.

Implementations§

Source§

impl NetworkPolicy

Source

pub fn builder() -> NetworkPolicyBuilder

Start building a NetworkPolicy via the fluent builder.

Source§

impl NetworkPolicy

Source

pub fn none() -> Self

No network access — deny everything in both directions.

Source

pub fn allow_all() -> Self

Unrestricted network access — allow everything in both directions.

Source

pub fn public_only() -> Self

Public internet only — allow egress to public IPs, deny private, loopback, link-local, and metadata. Ingress defaults to allow (preserves today’s unfiltered published-port behavior).

Source

pub fn non_local() -> Self

Non-local network access — allow public internet and private/LAN egress; deny loopback, link-local, and metadata. Ingress defaults to allow.

Source

pub fn evaluate_egress( &self, dst: SocketAddr, protocol: Protocol, shared: &SharedState, ) -> Action

Evaluate an outbound connection against the rule list.

Iterates rules in order, considering only rules where direction ∈ {Egress, Any}. Returns the action from the first matching rule, or default_egress if no rule matches.

Source

pub fn evaluate_egress_ip( &self, dst: IpAddr, protocol: Protocol, shared: &SharedState, ) -> Action

Evaluate an outbound ICMP packet against the rule list. Like Self::evaluate_egress but skips rules with a port filter (ICMP has no ports).

Source

pub fn evaluate_egress_with_source( &self, dst: SocketAddr, protocol: Protocol, shared: &SharedState, source: HostnameSource<'_>, ) -> EgressEvaluation

Evaluate an outbound connection with an explicit HostnameSource for Domain / DomainSuffix matching. Walk order and protocol/port filtering are identical across sources — only the Domain match predicate varies.

Source

pub fn evaluate_ingress( &self, peer: SocketAddr, guest_port: u16, protocol: Protocol, shared: &SharedState, ) -> Action

Evaluate an inbound connection against the rule list.

Iterates rules in order, considering only rules where direction ∈ {Ingress, Any}. peer is the source of the incoming connection (peer IP and source port — only the IP is matched). guest_port is the guest-side listening port; rules’ ports filter is matched against guest_port, not the peer’s port.

Source

pub fn has_domain_rules(&self) -> bool

True if any rule references a Domain or DomainSuffix destination. The TCP proxy uses this to skip its SNI peek when no rule could possibly need a hostname for evaluation.

Source

pub fn evaluate_dns_query( &self, name: &DomainName, protocol: Protocol, port: u16, ) -> Action

Evaluate a DNS query name against egress policy.

DNS queries do not have a resolved destination IP yet, so IP-based destinations (Cidr, most Group variants) cannot match here. Group::Host is the one exception: it names the gateway forwarder the query is actually delivered to, so a Group::Host rule is honored for DNS subject to its protocol/port filter. Name-based destinations (Domain / DomainSuffix) match the query name directly, ignoring protocol and port filters that apply to the later connection. Any rules still match the DNS transport’s protocol and port. If no rule matches, default_egress applies.

Source

pub fn evaluate_dns_query_without_name( &self, protocol: Protocol, port: u16, ) -> Action

Evaluate a DNS query whose name cannot be represented as a DomainName. Only Any rules can match; otherwise the egress default applies.

Source

pub fn deny_domain<S: AsRef<str>>( self, name: S, ) -> Result<Self, DomainNameError>

Single-name sugar over Self::deny_domains.

Source

pub fn allow_domain<S: AsRef<str>>( self, name: S, ) -> Result<Self, DomainNameError>

Single-name sugar over Self::allow_domains.

Source

pub fn deny_domain_suffix<S: AsRef<str>>( self, suffix: S, ) -> Result<Self, DomainNameError>

Single-suffix sugar over Self::deny_domain_suffixes.

Source

pub fn allow_domain_suffix<S: AsRef<str>>( self, suffix: S, ) -> Result<Self, DomainNameError>

Single-suffix sugar over Self::allow_domain_suffixes.

Source

pub fn deny_domains<I, S>(self, names: I) -> Result<Self, DomainNameError>
where I: IntoIterator<Item = S>, S: AsRef<str>,

Prepend deny Domain(name) egress rules. Prepending lets the deny outrank catch-all allows like allow Public.

Source

pub fn allow_domains<I, S>(self, names: I) -> Result<Self, DomainNameError>
where I: IntoIterator<Item = S>, S: AsRef<str>,

Prepend allow Domain(name) egress rules.

Source

pub fn deny_domain_suffixes<I, S>( self, suffixes: I, ) -> Result<Self, DomainNameError>
where I: IntoIterator<Item = S>, S: AsRef<str>,

Prepend deny DomainSuffix(suffix) egress rules. Suffixes match the apex and any subdomain (label-aligned).

Source

pub fn allow_domain_suffixes<I, S>( self, suffixes: I, ) -> Result<Self, DomainNameError>
where I: IntoIterator<Item = S>, S: AsRef<str>,

Prepend allow DomainSuffix(suffix) egress rules.

Trait Implementations§

Source§

impl Clone for NetworkPolicy

Source§

fn clone(&self) -> NetworkPolicy

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for NetworkPolicy

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for NetworkPolicy

Source§

fn default() -> Self

Returns the “default value” for a type. Read more
Source§

impl<'de> Deserialize<'de> for NetworkPolicy

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl Serialize for NetworkPolicy

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> AsAny for T
where T: Any,

Source§

fn as_any(&self) -> &(dyn Any + 'static)

Source§

fn as_mut_any(&mut self) -> &mut (dyn Any + 'static)

Source§

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

Source§

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

Source§

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

Source§

fn implicit( self, class: Class, constructed: bool, tag: u32, ) -> TaggedParser<'a, Implicit, Self, E>

Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,