Inbound Outbound

content/en/docs/reference/rules/default-macros/inbound_outbound.md

```yaml
- macro: inbound_outbound
  condition: >
    ((evt.type in (accept,listen,connect)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and (evt.rawres >= 0 or evt.res = EINPROGRESS))
```