Documentation
¶
Overview ¶
Package firewall provides firewall service to the caller
Index ¶
- Constants
- Variables
- func NewError(err error) error
- type Agent
- type ConnectionState
- type ConnectionStates
- type Direction
- type Error
- type Firewall
- type FirewallManager
- func (f *FirewallManager) APIAllowlist() error
- func (f *FirewallManager) APIDenylist() error
- func (f *FirewallManager) AllowFileshare(peer meshnet.UniqueAddress) error
- func (f *FirewallManager) AllowIncoming(peer meshnet.UniqueAddress, allowLocal bool) error
- func (f *FirewallManager) BlockTraffic() error
- func (f *FirewallManager) DenyFileshare(peerUID string) error
- func (f *FirewallManager) DenyIncoming(peerUID string) error
- func (f *FirewallManager) SetAllowlist(udpPorts []int, tcpPorts []int, subnets []netip.Prefix) error
- func (f *FirewallManager) UnblockTraffic() error
- func (f *FirewallManager) UnsetAllowlist() error
- type OrderedRules
- type PortRange
- type PortsDirection
- type Rule
- type Service
Constants ¶
View Source
const ( TrafficBlock iptablesmanager.RulePriority = iota ApiAllowlistMark ApiAllowlistOutputConnmark UserAllowlist MeshnetIncoming MeshnetBlockIncomingLAN )
Variables ¶
View Source
var ( // ErrRuleNotFound defines that rule was not found in the firewall ErrRuleNotFound = fmt.Errorf("rule with specified name does not exist") // ErrRuleAlreadyExists defines that rule with specified name or parameters already exists ErrRuleAlreadyExists = fmt.Errorf("rule with specified name already exists") // ErrRuleWithoutName is returned when provided firewall rule does not have a name ErrRuleWithoutName = fmt.Errorf("rule must have a name") // ErrFirewallAlreadyEnabled defines that enable was called twice in a row ErrFirewallAlreadyEnabled = fmt.Errorf("firewall is already enabled") // ErrFirewallAlreadyDisabled defines that disable was called twice in a row ErrFirewallAlreadyDisabled = fmt.Errorf("firewall is already disabled") )
View Source
var ( ErrRuleAlreadyActive = errors.New("rule is already active") ErrRuleNotActive = errors.New("rule does not exist") )
Functions ¶
Types ¶
type Agent ¶
type Agent interface {
// Add a firewall rule
Add(Rule) error
// Delete a firewall rule
Delete(Rule) error
}
Agent carries out required firewall changes.
Used by implementers.
type ConnectionState ¶
type ConnectionState int
ConnectionState defines a state of a connection
const ( // Established means that packet is associated with a connection Established ConnectionState = iota // Related means that packet creates a new connection, but it is related with the existing one Related // New means that packet creates a new connection New )
type ConnectionStates ¶
type ConnectionStates struct {
SrcAddr netip.Addr
States []ConnectionState
}
func (ConnectionStates) Equal ¶
func (c ConnectionStates) Equal(other ConnectionStates) bool
type Direction ¶
type Direction int
Direction defines a direction of packages to which rule is applicable
type Error ¶
type Error struct {
// contains filtered or unexported fields
}
Error marks that it originated in firewall package
type Firewall ¶
type Firewall struct {
// contains filtered or unexported fields
}
Firewall is responsible for correctly changing one firewall agent over another.
Thread-safe.
func NewFirewall ¶
NewFirewall produces an instance of Firewall.
type FirewallManager ¶
type FirewallManager struct {
// contains filtered or unexported fields
}
func NewFirewallManager ¶
func NewFirewallManager(devices device.ListFunc, cmdRunner iptablesmanager.CommandRunner, connmark uint32, ip6TablesSupported bool, enabled bool) FirewallManager
func (*FirewallManager) APIAllowlist ¶
func (f *FirewallManager) APIAllowlist() error
APIAllowlist adds ACCEPT rules for privileged traffic, for each interface.
func (*FirewallManager) APIDenylist ¶
func (f *FirewallManager) APIDenylist() error
ApiDenylis removes ACCEPT rules added by ApiAllowlist.
func (*FirewallManager) AllowFileshare ¶
func (f *FirewallManager) AllowFileshare(peer meshnet.UniqueAddress) error
AllowFileshare adds ACCEPT rule for all incoming connections to tcp port 49111 from the peer with given UniqueAddress.
func (*FirewallManager) AllowIncoming ¶
func (f *FirewallManager) AllowIncoming(peer meshnet.UniqueAddress, allowLocal bool) error
func (*FirewallManager) BlockTraffic ¶
func (f *FirewallManager) BlockTraffic() error
BlocTraffic adds DROP rules for all the incoming traffic, for every viable network interface
func (*FirewallManager) DenyFileshare ¶
func (f *FirewallManager) DenyFileshare(peerUID string) error
DenyFileshare removes ACCEPT rule for all incoming connections to tcp port 49111 from the peer with given UniqueAddress.
func (*FirewallManager) DenyIncoming ¶
func (f *FirewallManager) DenyIncoming(peerUID string) error
func (*FirewallManager) SetAllowlist ¶
func (f *FirewallManager) SetAllowlist(udpPorts []int, tcpPorts []int, subnets []netip.Prefix) error
SetAllowlist adds allowlist rules for the given udpPorts, tcpPorts and subnets.
func (*FirewallManager) UnblockTraffic ¶
func (f *FirewallManager) UnblockTraffic() error
UnblockTraffic removes DROP rules added by BlockTraffic. Returns an error if BlockTraffic was not previously called.
func (*FirewallManager) UnsetAllowlist ¶
func (f *FirewallManager) UnsetAllowlist() error
UnsetAllowlist removes all the rules added by SetAllowlist.
type OrderedRules ¶
type OrderedRules struct {
// contains filtered or unexported fields
}
OrderedRules stores rules in an order they were added.
func (*OrderedRules) Add ¶
func (or *OrderedRules) Add(rule Rule) error
func (*OrderedRules) Delete ¶
func (or *OrderedRules) Delete(name string) error
Delete rule by name if found.
type PortsDirection ¶
type PortsDirection int
PortsDirection represents direction in which ports are open to, source, destination or both
const ( SourceAndDestination PortsDirection = iota Destination Source )
type Rule ¶
type Rule struct {
// Name of the firewall rule
Name string `json:"name"`
// Interfaces define a list of network interfaces to which rule is applicable
Interfaces []net.Interface `json:"interfaces"`
// Networks is a list of IP networks to which rule is applicable
RemoteNetworks []netip.Prefix `json:"remote_networks"`
LocalNetworks []netip.Prefix `json:"local_networks"`
// Ports is a list of ports to which rule is applicable
Ports []int `json:"ports"`
// PortsDirection is a direction that ports are open to
PortsDirection PortsDirection
// Protocols is a list of protocol string values to which rule is applicable
Protocols []string `json:"protocols"`
// Direction defines to which packets rule is applicable
Direction Direction `json:"direction"`
// ConnectionStates defines to which connection states rule is applicable
ConnectionStates ConnectionStates `json:"connection_states"`
// Marks defines that packets marked with any of the marks are
// affected by the firewall rule
Marks []uint32
// Allow defines if rule denies packets via current rule or allows them
Allow bool `json:"allow"`
Ipv6Only bool `json:"ipv6_only"`
Icmpv6Types []int `json:"icmp6_types"`
HopLimit uint8 `json:"hop_limit"`
SourcePorts []int `json:"source_ports"`
DestinationPorts []int `json:"destination_ports"`
Comment string `json:"comment"`
}
Rule defines a single firewall rule which is applicable for set of addresses, ports and protocols
type Service ¶
type Service interface {
// Add and apply firewall rules
Add([]Rule) error
// Delete a list of firewall rules by defined names
Delete(names []string) error
// Enable firewall
Enable() error
// Disable firewall
Disable() error
}
Service adapts system firewall configuration to firewall rules
Used by callers.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package allowlist implements allowlist routing.
|
Package allowlist implements allowlist routing. |
|
Package iptables implements iptables firewall agent.
|
Package iptables implements iptables firewall agent. |
|
Package notables implements noop firewall agent.
|
Package notables implements noop firewall agent. |
Click to show internal directories.
Click to hide internal directories.