mirror/Easytier
1
0
Fork 0
mirror of https://github.com/EasyTier/EasyTier.git synced 2026-05-06 17:59:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement ACL (#1140)

Browse Source 
1. get acl stats
```
./easytier-cli acl stats
AclStats:
  Global:
    CacheHits: 4
    CacheMaxSize: 10000
    CacheSize: 5
    DefaultAllows: 3
    InboundPacketsAllowed: 2
    InboundPacketsTotal: 2
    OutboundPacketsAllowed: 7
    OutboundPacketsTotal: 7
    PacketsAllowed: 9
    PacketsTotal: 9
    RuleMatches: 2
  ConnTrack:
    [src: 10.14.11.1:57444, dst: 10.14.11.2:1000, proto: Tcp, state: New, pkts: 1, bytes: 60, created: 2025-07-24 10:13:39 +08:00, last_seen: 2025-07-24 10:13:39 +08:00]
  Rules:
    [name: 'tcp_whitelist', prio: 1000, action: Allow, enabled: true, proto: Tcp, ports: ["1000"], src_ports: [], src_ips: [], dst_ips: [], stateful: true, rate: 0, burst: 0] [pkts: 2, bytes: 120]

  ```
2. use tcp/udp whitelist to block unexpected traffic.
   `sudo ./easytier-core -d --tcp-whitelist 1000`

3. use complete acl ability with config file:

```
[[acl.acl_v1.chains]]
name = "inbound_whitelist"
chain_type = 1
description = "Auto-generated inbound whitelist from CLI"
enabled = true
default_action = 2

[[acl.acl_v1.chains.rules]]
name = "tcp_whitelist"
description = "Auto-generated TCP whitelist rule"
priority = 1000
enabled = true
protocol = 1
ports = ["1000"]
source_ips = []
destination_ips = []
source_ports = []
action = 1
rate_limit = 0
burst_limit = 0
stateful = true

```
This commit is contained in:
Sijie.Sun
2025-07-24 22:13:45 +08:00
committed by GitHub
parent 4f53fccd25
commit 8e7a8de5e5
22 changed files with 2377 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
easytier/src/proto/common.proto
+18 -10
View File
@@ -18,7 +18,8 @@ message FlagsInConfig {
bool disable_p2p = 11;
bool relay_all_peer_rpc = 12;
bool disable_udp_hole_punching = 13;
// string ipv6_listener = 14; [deprecated = true]; use -l udp://[::]:12345 instead
// string ipv6_listener = 14; [deprecated = true]; use -l udp://[::]:12345
// instead
bool multi_thread = 15;
CompressionAlgoPb data_compress_algo = 16;
bool bind_device = 17;
@@ -144,6 +145,13 @@ message Ipv6Inet {
uint32 network_length = 2;
}
message IpInet {
oneof ip {
Ipv4Inet ipv4 = 1;
Ipv6Inet ipv6 = 2;
};
}
message Url { string url = 1; }
message SocketAddr {
@@ -173,7 +181,7 @@ message PeerFeatureFlag {
bool is_public_server = 1;
bool avoid_relay_data = 2;
bool kcp_input = 3;
bool no_relay_kcp = 4;
bool no_relay_kcp = 4;
}
enum SocketType {
@@ -182,17 +190,17 @@ enum SocketType {
}
message PortForwardConfigPb {
SocketAddr bind_addr = 1;
SocketAddr dst_addr = 2;
SocketType socket_type = 3;
SocketAddr bind_addr = 1;
SocketAddr dst_addr = 2;
SocketType socket_type = 3;
}
message ProxyDstInfo {
SocketAddr dst_addr = 1;
}
message ProxyDstInfo { SocketAddr dst_addr = 1; }
message LimiterConfig {
optional uint64 burst_rate = 1; // default 1 means no burst (capacity is same with bps)
optional uint64 burst_rate =
1; // default 1 means no burst (capacity is same with bps)
optional uint64 bps = 2; // default 0 means no limit (unit is B/s)
optional uint64 fill_duration_ms = 3; // default 10ms, the period to fill the bucket
optional uint64 fill_duration_ms =
3; // default 10ms, the period to fill the bucket
}