Tempesta Technologies

Protected Network Definition

The net directive defines the IP addresses, optionally masked, that belong to the protected network. The destination egress filter is currently applied only to outgoing requests directed to the intranet.

A configuration example:

net ip4 {
    127.0.0.1,
    127.0.0.0/8
}
net ip6 {
    3001:db8:85a3::8a2e:370:7334/120
}

By default, network rules use the protocol name as their identifier, so you can remove a rule in a patch with:

net=ip6/del;

Currently, specifying a protected network is required in the following cases:

  1. Using the destination filter (dst) in host mode when the application layer performs load balancing or another type of proxying. In this scenario, eBPF programs do not “see” the final upstream destination addresses and ports, as they are defined at the application layer.

  2. Using the destination filter (dst) with NAT in gate mode, where packets change their destination addresses and ports during NAT and must be tracked accordingly.

  3. Using the TCP authentication filter, which tracks TCP handshake state and therefore needs to distinguish between ingress and egress traffic.
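The following is an added example, not part of XFW or of the original page: a small review script that parses net blocks in the form shown in the configuration example above and reports which ranges they cover. The grammar is inferred only from that example, the ranges are computed with standard CIDR semantics from Python's ipaddress module, and the page does not state how XFW itself treats entries with host bits set or entries that overlap.

```python
import ipaddress
import re

# Constructed sample: the configuration example from this page.
SAMPLE = """
net ip4 {
    127.0.0.1,
    127.0.0.0/8
}
net ip6 {
    3001:db8:85a3::8a2e:370:7334/120
}
"""

# Assumed grammar, inferred only from the example: net <ip4|ip6> { a, b, ... }
BLOCK_RE = re.compile(r"\bnet\s+(ip4|ip6)\s*\{([^}]*)\}")

def parse_net_blocks(text):
    """Return ({proto: [networks]}, [findings]) for every net block in text."""
    nets = {"ip4": [], "ip6": []}
    findings = []
    for proto, body in BLOCK_RE.findall(text):
        for entry in filter(None, (e.strip() for e in body.split(","))):
            iface = ipaddress.ip_interface(entry)  # raises ValueError on bad input
            net = iface.network
            if net.version != int(proto[2]):
                findings.append(f"{entry}: wrong address family for {proto}")
                continue
            if iface.ip != net.network_address:
                findings.append(f"{entry}: host bits set, CIDR range is {net}")
            nets[proto].append(net)
    # An entry that sits inside a wider entry adds nothing to the protected set.
    for items in nets.values():
        for a in items:
            for b in items:
                if a != b and a.subnet_of(b):
                    findings.append(f"{a}: already covered by {b}")
    return nets, findings

def is_protected(nets, addr):
    """True if addr falls inside any configured network of its family."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets["ip4" if ip.version == 4 else "ip6"])

if __name__ == "__main__":
    nets, findings = parse_net_blocks(SAMPLE)
    print("\n".join(findings))
    print(is_protected(nets, "127.5.5.5"), is_protected(nets, "10.0.0.1"))
```

On the page's example it reports that the ip6 entry is written with host bits below the /120 mask and that 127.0.0.1 is already inside 127.0.0.0/8.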
