Struct EgressPolicy 

pub struct EgressPolicy {
    pub allowed_cidrs: Vec<String>,
    pub allowed_tcp_ports: Vec<u16>,
    pub allowed_udp_ports: Vec<u16>,
    pub log_denied: bool,
    pub allow_dns: bool,
}

Egress policy for audited outbound network access.

When set, iptables OUTPUT chain rules restrict which destinations the container process can connect to. An empty allowed list means no outbound connections are permitted (deny-all egress).

Fields

allowed_cidrs: Vec<String>

Allowed destination CIDRs (e.g., “10.0.0.0/8”, “192.168.1.0/24”).

allowed_tcp_ports: Vec<u16>

Allowed destination TCP ports. Empty means all ports on allowed CIDRs.

allowed_udp_ports: Vec<u16>

Allowed destination UDP ports.

log_denied: bool

Whether to log denied egress attempts (rate-limited).

allow_dns: bool

Whether to allow DNS (port 53 UDP/TCP) to configured resolvers even in deny-all mode. Defaults to true for usability; set to false for strict deny-all egress (containers must use pre-resolved addresses).

Implementations

impl EgressPolicy

pub fn deny_all() -> Self

Create a deny-all egress policy. DNS is still permitted by default so containers can resolve names; use allow_dns = false for strict deny-all egress.

pub fn with_allowed_cidrs(self, cidrs: Vec<String>) -> Self

Allow egress to the given CIDRs on any port.

pub fn with_allowed_tcp_ports(self, ports: Vec<u16>) -> Self

pub fn with_allowed_udp_ports(self, ports: Vec<u16>) -> Self

Trait Implementations

impl Clone for EgressPolicy

fn clone(&self) -> EgressPolicy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for EgressPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for EgressPolicy

fn default() -> Self

Returns the “default value” for a type.