apps/EasyTier
1
0
Fork 0
mirror of https://github.com/EasyTier/EasyTier.git synced 2025-09-26 12:41:23 +08:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity
Files
08a92a53c302c524320435191763ed52cfa0bee2
EasyTier/easytier/src/proto/acl.proto
Mg Pig 08a92a53c3 feat(acl): add group-based ACL rules and related structures (#1265) 
* feat(acl): add group-based ACL rules and related structures

* refactor(acl): optimize group handling with Arc and improve cache management

* refactor(acl): clippy

* feat(tests): add performance tests for generate_with_proof and verify methods

* feat: update group_trust_map to use HashMap for more secure group proofs

* refactor: refactor the logic of the trusted group getting and setting

* feat(acl): support kcp/quic use group acl

* feat(proxy): optimize group retrieval by IP in Kcp and Quic proxy handlers

* feat(tests): add group-based ACL tree node test

* always allow quic proxy traffic

---------

Co-authored-by: Sijie.Sun <sunsijie@buaa.edu.cn>
Co-authored-by: sijie.sun <sijie.sun@smartx.com>
2025-08-22 22:25:00 +08:00

145 lines
3.1 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
import "common.proto";
package acl;
// Enhanced protocol enum with more granular options
enum Protocol {
Unspecified = 0;
TCP = 1;
UDP = 2;
ICMP = 3;
ICMPv6 = 4;
Any = 5;
}
enum Action {
Noop = 0;
Allow = 1;
Drop = 2; // Silent drop (no response)
}
enum ChainType {
UnspecifiedChain = 0;
// send to this node
Inbound = 1;
// send from this node
Outbound = 2;
// subnet proxy
Forward = 3;
}
// Time-based access control
message TimeWindow {
// Days of week: 0=Sunday, 1=Monday, ..., 6=Saturday
repeated uint32 days_of_week = 1;
// Time in minutes from midnight (0-1439)
uint32 start_time = 2;
uint32 end_time = 3;
// Timezone offset in minutes from UTC
int32 timezone_offset = 4;
}
// Enhanced rule with priority and metadata
message Rule {
// Rule identification and metadata
string name = 1; // Human-readable rule name
string description = 2; // Rule description
uint32 priority = 3; // Higher number = higher priority (0-65535)
bool enabled = 4; // Rule enabled/disabled state
// Core matching criteria
Protocol protocol = 5;
repeated string ports = 6;
repeated string source_ips = 7; // Source IP ranges
repeated string destination_ips = 8; // Destination IP ranges
// Enhanced matching criteria
repeated string source_ports = 9; // Source port range
// Action and logging
Action action = 10;
// Rate limiting (packets per second)
uint32 rate_limit = 11; // 0 = no limit
uint32 burst_limit = 12; // Burst allowance
// Connection tracking
bool stateful = 13; // Enable connection tracking
// Group matching criteria
repeated string source_groups = 14;
repeated string destination_groups = 15;
}
// Rule chain with metadata and optimization hints
message Chain {
// Chain identification
string name = 1; // Human-readable chain name
ChainType chain_type = 2;
string description = 3; // Chain description
bool enabled = 4; // Chain enabled/disabled state
// Rules in priority order (highest priority first)
repeated Rule rules = 5;
// Default action when no rules match
Action default_action = 6;
}
message GroupInfo {
repeated GroupIdentity declares = 1;
repeated string members = 2;
}
message GroupIdentity {
string group_name = 1;
string group_secret = 2;
}
message AclV1 {
repeated Chain chains = 1;
GroupInfo group = 2;
}
enum ConnState {
New = 0;
Established = 1;
Related = 2;
Invalid = 3;
}
// Connection tracking entry for stateful ACLs
message ConnTrackEntry {
common.SocketAddr src_addr = 1;
common.SocketAddr dst_addr = 2;
Protocol protocol = 3; // IP protocol number (e.g., 6 = TCP, 17 = UDP)
ConnState state = 4;
uint64 created_at = 5; // Unix timestamp (seconds)
uint64 last_seen = 6; // Unix timestamp (seconds)
uint64 packet_count = 7;
uint64 byte_count = 8;
}
// Top-level ACL configuration
message Acl {
AclV1 acl_v1 = 2;
}
message StatItem {
uint64 packet_count = 1;
uint64 byte_count = 2;
}
message RuleStats {
Rule rule = 1;
StatItem stat = 2;
}
message AclStats {
repeated RuleStats rules = 1;
repeated ConnTrackEntry conn_track = 2;
map<string, uint64> global = 3;
}
Reference in New Issue View Git Blame Copy Permalink