Destination Filter
The filter allows TCP and UDP traffic only to the specified destination addresses and ports. Destination rules may include byte-per-second and packet-per-second rate limits. The filter can operate in either white list or black list mode.
Default policy: Destination traffic that does not match any explicit dst rule is processed according to the default action defined in the defaults section. The default action for dst may be allow, block, or a named ratelimit. If no action for the corresponding protocol is specified in the defaults section, block is used as the default action.
A node running the destination filter may also proxy traffic. For example, an HTTP accelerator may accept traffic on 1.1.1.1:443 and proxy it to hundreds of upstream servers or services, each with different peak capacities. The filter allows rules to be configured separately for each destination group.
The same NIC may be used for both external and internal networks, so the system must distinguish traffic direction, as different filters may apply to ingress and egress traffic. The destination ingress filter (dst ingress) is applied to all incoming requests, regardless of the source. The destination egress filter (dst egress) is applied only to outgoing requests directed to the intranet. Therefore, the net section must be specified, since the destination egress filter is applied only when the destination address belongs to the protected network.
It is the last filter in the chain and serves as the final countermeasure: if all other filters allow the traffic, the last remaining option to protect upstream servers is to rate-limit the traffic forwarded to them.
Example configuration:
dst=microservice1 ip4.udp : block {
1.1.1.1:8001,
127.0.0.1:22
}
You can add destinations to the rule named microservice1 using the /add command:
dst=microservice1/add {
192.168.1.10:80
}
In a patch, you can delete specific destinations from the rule named microservice1 using the /del command:
dst=microservice1/del {
1.1.1.1:8001
}
You can delete the entire rule in a patch with:
dst=microservice1/del;
You can also update only the rule attributes using the /replace command. All attributes must be specified; otherwise, unspecified attributes are reset to their default values:
dst=microservice1/replace ip4.udp : ratelimit=new_ratelimit;
When the /replace command is used with destinations, the entire rule, both attributes and destination list, is replaced:
dst=microservice1/replace ip4.udp : block{
1.1.1.1:8001,
127.0.0.1:22
}
If no command is given, /replace is assumed.
You can define multiple destination rules with different names.
Each rule name must be unique; otherwise, the configuration is rejected.
An empty name is not allowed; instead, the reserved name ip4.udp can be used as the rule name:
dst ip4.udp : ratelimit=whitelist_ratelimit {
127.0.0.1:22
}
In this case, /add, /del, and /replace operations are still permitted in a patch:
dst=ip4.udp/del;
Every dst rule must have a port.
The rate limit is applied independently to each listed destination.
Use the defaults section to apply an action to all destination traffic for a specific L3 protocol or for a specific L3/L4 protocol combination:
defaults {
...
dst ip6: block; # applies to all L4 protocols over IPv6
dst ip4.tcp: block; # applies specifically to TCP over IPv4
...
}
This filter may require the protected network (the net section) to be specified.
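The rule and patch semantics above (/add, /del, /replace with the /replace default, the reserved ip4.udp name, the port requirement, unique names, and the fall-through to the defaults section) can be checked against a small model. The following is an added example written for this page, not the filter's own code: it assumes a simplified grammar for dst rules, takes the defaults section as a plain dict, and assumes that an L3/L4 default such as ip4.tcp is preferred over an L3-only default such as ip4.

```python
import re
# Constructed, simplified model of the dst rule and patch semantics described above.
# Assumed grammar: dst[=NAME][/OP] [PROTO : ACTION] ( { DST, ... } | ; )
_RULE = re.compile(
    r"dst(?:=([\w.]+))?(?:/(add|del|replace))?\s*"
    r"(?:([\w.]+)\s*:\s*([\w=]+))?\s*(?:\{([^}]*)\}|;)")

def _parse_dsts(body):
    """Split a '{ a:1, b:2 }' body; every dst rule entry must carry a port."""
    dsts = {d.strip() for d in body.split(",") if d.strip()}
    for d in dsts:
        host, _, port = d.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"dst rule entry needs host:port, got {d!r}")
    return dsts

class DstFilter:
    def __init__(self, defaults=None):
        self.defaults = defaults or {}   # defaults section, e.g. {"ip4.tcp": "block"}
        self.rules = {}                  # name -> {"proto", "action", "dsts"}

    def apply(self, text, patch=False):
        """Load a base config (patch=False) or apply a patch (patch=True)."""
        for m in _RULE.finditer(text):
            name, op, proto, action, body = m.groups()
            name = name or proto             # reserved form: "dst ip4.udp : ..."
            if not name:
                raise ValueError("empty rule name is not allowed")
            op = op or "replace"             # /replace is the default command
            rule = self.rules.get(name)
            if not patch and rule is not None:
                raise ValueError(f"duplicate rule name: {name}")
            if rule is None and (op != "replace" or body is None):
                raise KeyError(f"unknown rule: {name}")
            if op == "del" and body is None:
                del self.rules[name]         # "dst=NAME/del;" drops the whole rule
            elif op == "del":
                rule["dsts"] -= _parse_dsts(body)
            elif op == "add":
                rule["dsts"] |= _parse_dsts(body)
            elif body is None:               # /replace with attributes only keeps dsts
                rule.update(proto=proto, action=action)
            else:                            # /replace with a body replaces the rule
                self.rules[name] = dict(proto=proto, action=action, dsts=_parse_dsts(body))

    def decide(self, proto, dst):
        """First matching rule wins; else defaults (assumed: ip4.tcp key beats ip4), else block."""
        for rule in self.rules.values():
            if rule["proto"] == proto and dst in rule["dsts"]:
                return rule["action"]
        return self.defaults.get(proto, self.defaults.get(proto.split(".")[0], "block"))
```

Feed the base configuration with patch=False and each patch with patch=True; decide() then returns the action string (allow, block, or ratelimit=NAME) that a packet to a given destination would receive.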