```rust
pub struct NetAllow {
    pub protocol: Protocol,
    pub host: Option<String>,
    pub ports: Vec<u16>,
    pub all_ports: bool,
}
```
A network endpoint allow rule.

Each rule permits one protocol's traffic to one host (or to any IP, for the `:port` form) on a specific set of ports. Multiple rules are OR'd: traffic is permitted if any rule matches the protocol, the destination IP, and the destination port.

ICMP rules carry no port (ICMP has none); their `ports` is empty and `all_ports` is false.
Fields

- `protocol` (`Protocol`): L4 protocol this rule applies to.
- `host` (`Option<String>`): Hostname; `None` means "any IP" (the `:port` form, or `icmp://*`).
- `ports` (`Vec<u16>`): Permitted ports. Must be non-empty unless `all_ports` is true, in which case it must be empty. Always empty for `Protocol::Icmp`.
- `all_ports` (`bool`): "Any port" wildcard from the `*` token in port position. When true, `ports` is empty; the rule permits every TCP/UDP port to the host (or to any IP, when `host` is `None`).
Implementations

impl NetAllow

pub fn parse(s: &str) -> Result<Self, SandboxError>
Parse a rule spec. Forms:

- `host:port[,port,...]`, `:port`, `*:port`, `host:*`, `:*`, `*:*`: TCP (the default scheme).
- `tcp://...`: explicit TCP, same suffix grammar as the bare form.
- `udp://...`: UDP, same suffix grammar as the bare form.
- `icmp://host` or `icmp://*`: ICMP echo (kernel ping socket). No port field; `icmp://host:80` is rejected.

`*` in port position means "any port" (the all-ports wildcard). Mixing `*` with concrete ports (e.g. `host:80,*`) is rejected.
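The grammar above, written out as a stand-alone parser together with the OR'd matching the description implies. This is an added example, not the crate's own `parse` implementation: `SandboxError` here is a hypothetical stand-in for the crate's error type, hosts are compared as plain strings (resolving a hostname to the destination IP the rule is checked against is out of scope), and bracketed IPv6 literals are not handled.

```rust
// Added example, not the crate's own code: a stand-alone parser for the rule
// grammar documented above, plus the OR'd matching the description implies.
// Assumptions: `SandboxError` is a hypothetical stand-in for the crate's error
// type; hosts are compared as plain strings (no name resolution); bracketed
// IPv6 literals are not handled.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Protocol { Tcp, Udp, Icmp }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct NetAllow {
    pub protocol: Protocol,
    pub host: Option<String>,
    pub ports: Vec<u16>,
    pub all_ports: bool,
}

/// Hypothetical stand-in for the crate's `SandboxError`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SandboxError(pub String);

/// `""` and `"*"` in host position both mean "any IP" (`host == None`).
fn host_of(h: &str) -> Option<String> {
    if h.is_empty() || h == "*" { None } else { Some(h.to_string()) }
}

impl NetAllow {
    pub fn parse(s: &str) -> Result<Self, SandboxError> {
        let s = s.trim();
        let err = |m: &str| SandboxError(format!("{m}: {s:?}"));
        // The scheme selects the L4 protocol; the bare form defaults to TCP.
        let (protocol, rest) = if let Some(r) = s.strip_prefix("tcp://") {
            (Protocol::Tcp, r)
        } else if let Some(r) = s.strip_prefix("udp://") {
            (Protocol::Udp, r)
        } else if let Some(r) = s.strip_prefix("icmp://") {
            (Protocol::Icmp, r)
        } else {
            (Protocol::Tcp, s)
        };
        if protocol == Protocol::Icmp {
            // ICMP carries no port: only `icmp://host` or `icmp://*`, so any
            // ':' in the suffix (as in `icmp://host:80`) is rejected.
            if rest.is_empty() || rest.contains(':') {
                return Err(err("icmp rule takes a bare host or '*'"));
            }
            return Ok(NetAllow { protocol, host: host_of(rest), ports: vec![], all_ports: false });
        }
        // TCP/UDP: the last ':' separates the host from the port field.
        let (host, port_field) = rest.rsplit_once(':').ok_or_else(|| err("missing ':port'"))?;
        if port_field.is_empty() {
            return Err(err("empty port field"));
        }
        let host = host_of(host);
        if port_field == "*" {
            // All-ports wildcard: `ports` stays empty and `all_ports` is set.
            return Ok(NetAllow { protocol, host, ports: vec![], all_ports: true });
        }
        let mut ports = Vec::new();
        for tok in port_field.split(',') {
            if tok == "*" {
                // `*` mixed with concrete ports (e.g. `host:80,*`) is rejected.
                return Err(err("'*' cannot be combined with concrete ports"));
            }
            ports.push(tok.parse::<u16>().map_err(|_| err("bad port"))?);
        }
        Ok(NetAllow { protocol, host, ports, all_ports: false })
    }

    /// True if this single rule matches the flow; `port` is `None` for ICMP.
    pub fn permits(&self, protocol: Protocol, dst: &str, port: Option<u16>) -> bool {
        if self.protocol != protocol {
            return false;
        }
        if let Some(h) = &self.host {
            if h != dst {
                return false; // a named host only matches that host
            }
        }
        match (protocol, port) {
            (Protocol::Icmp, None) => true,
            (Protocol::Icmp, Some(_)) => false,
            (_, None) => false,
            (_, Some(p)) => self.all_ports || self.ports.contains(&p),
        }
    }
}

/// Rules are OR'd: the flow is allowed if any rule permits it.
pub fn any_permits(rules: &[NetAllow], protocol: Protocol, dst: &str, port: Option<u16>) -> bool {
    rules.iter().any(|r| r.permits(protocol, dst, port))
}

fn main() {
    let rules: Vec<NetAllow> = ["example.com:443", "udp://:53", "icmp://*"]
        .iter().map(|s| NetAllow::parse(s).unwrap()).collect();
    println!("{}", any_permits(&rules, Protocol::Tcp, "example.com", Some(443)));
    println!("{:?}", NetAllow::parse("host:80,*"));
}
```

The rejection branches matter more than the happy path: an allow rule that silently accepted `host:80,*` as "port 80" or `icmp://host:80` as "host" would be narrower or wider than the operator wrote, so every malformed spec is an error rather than a best-effort rule.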