masque_ip_packet (masque v0.7.0)
Lightweight read-only IP packet parsing for CONNECT-IP scope checks (RFC 9484 section 5).
The proxy negotiates a target (destination IP / prefix scope) and an ipproto (upper-layer protocol scope) when the URI template binds them. Inbound packets that fall outside the negotiated scope must be dropped before forwarding.
IPv6 carries the upper-layer protocol behind a chain of extension headers; this module walks that chain to find the first non-extension Next Header value, which is what RFC 9484 says ipproto is matched against.
Summary
Functions
Extract the IP version and destination address from Packet.
Variant of scope_passes/3 that reports a reason, for telemetry. Returns the first failing axis instead of a boolean.
Combined target / ipproto scope check used by the data plane. * means "any" on either axis.
Return the upper-layer protocol number, walking IPv6 extension headers (Hop-by-Hop 0, Routing 43, Fragment 44, Destination 60, AH 51) to find the first non-extension Next Header.
Types
-type address() :: inet:ip4_address() | inet:ip6_address().
-type proto() :: 0..255.
-type version() :: 4 | 6.
Functions
Extract the IP version and destination address from Packet.
-spec scope_check(binary(), masque_uri_ip:ip_target(), masque_uri_ip:ip_ipproto()) -> ok | {error, malformed | scope_target | scope_ipproto}.
Variant of scope_passes/3 that reports a reason, for telemetry. Returns the first failing axis instead of a boolean.
-spec scope_passes(binary(), masque_uri_ip:ip_target(), masque_uri_ip:ip_ipproto()) -> boolean().
Combined target / ipproto scope check used by the data plane. * means "any" on either axis.
Return the upper-layer protocol number, walking IPv6 extension headers (Hop-by-Hop 0, Routing 43, Fragment 44, Destination 60, AH 51) to find the first non-extension Next Header.
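The extension-header walk described above, as an added example that is not masque's own source: the module name `ipproto_walk_example` and its functions are hypothetical, and the packets in `demo/0` are constructed. It fails closed on a truncated chain, and stopping at a non-first fragment is a choice of this example, not something the page states.

```erlang
%% Added example, not masque's source; all names here are hypothetical.
-module(ipproto_walk_example).
-export([upper_proto/1, demo/0]).

%% IPv4: the Protocol field is byte 9 of the header.
upper_proto(<<4:4, IHL:4, _:64, Proto:8, _/binary>> = Pkt)
  when IHL >= 5, byte_size(Pkt) >= IHL * 4 ->
    {ok, Proto};
%% IPv6: fixed 40-byte header, Next Header is byte 6, the chain follows.
upper_proto(<<6:4, _:44, NH:8, _:8, _:256, Rest/binary>>) ->
    walk(NH, Rest);
upper_proto(_) ->
    {error, malformed}.

%% Hop-by-Hop (0), Routing (43), Destination (60):
%% Hdr Ext Len counts 8-octet units beyond the first 8 octets.
walk(NH, <<Next:8, Len:8, _/binary>> = Bin)
  when NH =:= 0; NH =:= 43; NH =:= 60 ->
    skip(Next, (Len + 1) * 8, Bin);
%% Fragment (44) is a fixed 8 octets. Only the first fragment (offset 0)
%% is followed by further headers, so the walk continues only there.
walk(44, <<Next:8, _:8, 0:13, _:3, _:32, Rest/binary>>) ->
    walk(Next, Rest);
walk(44, <<Next:8, _:56, _/binary>>) ->
    {ok, Next};   %% example's choice: report the value, do not parse payload
%% AH (51): Payload Len is the header length in 4-octet units, minus 2.
walk(51, <<Next:8, Len:8, _/binary>> = Bin) ->
    skip(Next, (Len + 2) * 4, Bin);
%% An extension header type with too few bytes left: fail closed.
walk(NH, _) when NH =:= 0; NH =:= 43; NH =:= 44; NH =:= 51; NH =:= 60 ->
    {error, malformed};
walk(NH, _) ->
    {ok, NH}.

skip(Next, Size, Bin) when byte_size(Bin) >= Size ->
    <<_:Size/binary, Rest/binary>> = Bin,
    walk(Next, Rest);
skip(_, _, _) ->
    {error, malformed}.

%% Constructed packets: Hop-by-Hop -> Destination Options -> UDP (17),
%% a truncated Hop-by-Hop header, and a bare IPv4 header carrying TCP (6).
demo() ->
    V6 = fun(NH, P) -> <<6:4, 0:28, (byte_size(P)):16, NH:8, 64:8, 0:256, P/binary>> end,
    {ok, 17} = upper_proto(V6(0, <<60, 0, 0:48, 17, 0, 0:48, 0:64>>)),
    {error, malformed} = upper_proto(V6(0, <<60, 0, 0>>)),
    {ok, 6} = upper_proto(<<4:4, 5:4, 0:64, 6:8, 0:80>>),
    ok.
```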