firewall

package
v0.0.0-...-aa2490a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 4, 2025 License: GPL-3.0 Imports: 11 Imported by: 0

Documentation

Overview

Package firewall provides firewall service to the caller

Index

Constants

View Source 
const (
	TrafficBlock iptablesmanager.RulePriority = iota
	ApiAllowlistMark
	ApiAllowlistOutputConnmark
	UserAllowlist
	MeshnetFileshare
	MeshnetIncoming
	MeshnetBlockIncomingLAN
)

Variables

View Source 
var (
	// ErrRuleNotFound defines that rule was not found in the firewall
	ErrRuleNotFound = fmt.Errorf("rule with specified name does not exist")
	// ErrRuleAlreadyExists defines that rule with specified name or parameters already exists
	ErrRuleAlreadyExists = fmt.Errorf("rule with specified name already exists")
	// ErrRuleWithoutName is returned when provided firewall rule does not have a name
	ErrRuleWithoutName = fmt.Errorf("rule must have a name")
	// ErrFirewallAlreadyEnabled defines that enable was called twice in a row
	ErrFirewallAlreadyEnabled = fmt.Errorf("firewall is already enabled")
	// ErrFirewallAlreadyDisabled defines that disable was called twice in a row
	ErrFirewallAlreadyDisabled = fmt.Errorf("firewall is already disabled")
)
View Source 
var (
	ErrRuleAlreadyActive = errors.New("rule is already active")
	ErrRuleNotActive     = errors.New("rule does not exist")
)

Functions

func NewError 

func NewError(err error) error

Types

type Agent 

type Agent interface {
	// Add a firewall rule
	Add(Rule) error
	// Delete a firewall rule
	Delete(Rule) error
	// Flush removes all nordvpn rules
	Flush() error
}

Agent carries out required firewall changes.

Used by implementers.

type ConnectionState 

type ConnectionState int

ConnectionState defines a state of a connection 

const (
	// Established means that packet is associated with a connection
	Established ConnectionState = iota
	// Related means that packet creates a new connection, but it is related with the existing one
	Related
	// New means that packet creates a new connection
	New
)

type ConnectionStates 

type ConnectionStates struct {
	SrcAddr netip.Addr
	States  []ConnectionState
}

func (ConnectionStates) Equal 

func (c ConnectionStates) Equal(other ConnectionStates) bool

type Direction 

type Direction int

Direction defines a direction of packages to which rule is applicable 

const (
	// Inbound defines that rule is applicable for incoming packets
	Inbound Direction = iota
	// Outbound defines that rule is applicable for outgoing packets
	Outbound
	// TwoWay defines that rule is applicable for both incoming and outgoing packets
	TwoWay
	// Forward new case, as Firewall does not only In/Out but also Forwarding control
	Forward
)

type Error 

type Error struct {
	// contains filtered or unexported fields
}

Error marks that it originated in firewall package

func (*Error) Error 

func (e *Error) Error() string

func (*Error) Unwrap 

func (e *Error) Unwrap() error

type Firewall 

type Firewall struct {
	// contains filtered or unexported fields
}

Firewall is responsible for correctly changing one firewall agent over another.

Thread-safe.

func NewFirewall 

func NewFirewall(noop, working Agent, publisher events.Publisher[string], enabled bool) *Firewall

NewFirewall produces an instance of Firewall.

func (*Firewall) Add 

func (fw *Firewall) Add(rules []Rule) error

Add rules to the firewall.

func (*Firewall) Delete 

func (fw *Firewall) Delete(names []string) error

Delete rules from firewall by their names.

func (*Firewall) Disable 

func (fw *Firewall) Disable() error

Disable turns all firewall operations into no-ops.

func (*Firewall) Enable 

func (fw *Firewall) Enable() error

Enable restores firewall operations from no-ops.

func (*Firewall) Flush 

func (fw *Firewall) Flush() error

type FirewallManager 

type FirewallManager struct {
	// contains filtered or unexported fields
}

func NewFirewallManager 

func NewFirewallManager(devices device.ListFunc,
	cmdRunner iptablesmanager.CommandRunner,
	connmark uint32,
	ip6TablesSupported bool,
	enabled bool) FirewallManager

func (*FirewallManager) APIAllowlist 

func (f *FirewallManager) APIAllowlist() error

APIAllowlist adds ACCEPT rules for privileged traffic, for each interface.

func (*FirewallManager) APIDenylist 

func (f *FirewallManager) APIDenylist() error

ApiDenylis removes ACCEPT rules added by ApiAllowlist.

func (*FirewallManager) AllowFileshare 

func (f *FirewallManager) AllowFileshare(peer meshnet.UniqueAddress) error

AllowFileshare adds ACCEPT rule for all incoming connections to tcp port 49111 from the peer with given UniqueAddress.

func (*FirewallManager) AllowIncoming 

func (f *FirewallManager) AllowIncoming(peer meshnet.UniqueAddress, allowLocal bool) error

func (*FirewallManager) BlockTraffic 

func (f *FirewallManager) BlockTraffic() error

BlocTraffic adds DROP rules for all the incoming traffic, for every viable network interface

func (*FirewallManager) DenyFileshare 

func (f *FirewallManager) DenyFileshare(peerUID string) error

DenyFileshare removes ACCEPT rule for all incoming connections to tcp port 49111 from the peer with given UniqueAddress.

func (*FirewallManager) DenyIncoming 

func (f *FirewallManager) DenyIncoming(peerUID string) error

func (*FirewallManager) SetAllowlist 

func (f *FirewallManager) SetAllowlist(udpPorts []int, tcpPorts []int, subnets []netip.Prefix) error

SetAllowlist adds allowlist rules for the given udpPorts, tcpPorts and subnets.

func (*FirewallManager) UnblockTraffic 

func (f *FirewallManager) UnblockTraffic() error

UnblockTraffic removes DROP rules added by BlockTraffic. Returns an error if BlockTraffic was not previously called.

func (*FirewallManager) UnsetAllowlist 

func (f *FirewallManager) UnsetAllowlist() error

UnsetAllowlist removes all the rules added by SetAllowlist.

type OrderedRules 

type OrderedRules struct {
	// contains filtered or unexported fields
}

OrderedRules stores rules in an order they were added.

func (*OrderedRules) Add 

func (or *OrderedRules) Add(rule Rule) error

func (*OrderedRules) Delete 

func (or *OrderedRules) Delete(name string) error

Delete rule by name if found.

func (*OrderedRules) Get 

func (or *OrderedRules) Get(name string) (Rule, error)

type PortRange 

type PortRange struct {
	// contains filtered or unexported fields
}

type PortsDirection 

type PortsDirection int

PortsDirection represents direction in which ports are open to, source, destination or both 

const (
	SourceAndDestination PortsDirection = iota
	Destination
	Source
)

type Rule 

type Rule struct {
	// Name of the firewall rule
	Name string `json:"name"`
	// Interfaces define a list of network interfaces to which rule is applicable
	Interfaces []net.Interface `json:"interfaces"`
	// Networks is a list of IP networks to which rule is applicable
	RemoteNetworks []netip.Prefix `json:"remote_networks"`
	LocalNetworks  []netip.Prefix `json:"local_networks"`

	// Ports is a list of ports to which rule is applicable
	Ports []int `json:"ports"`
	// PortsDirection is a direction that ports are open to
	PortsDirection PortsDirection
	// Protocols is a list of protocol string values to which rule is applicable
	Protocols []string `json:"protocols"`
	// Direction defines to which packets rule is applicable
	Direction Direction `json:"direction"`
	// ConnectionStates defines to which connection states rule is applicable
	ConnectionStates ConnectionStates `json:"connection_states"`
	// Marks defines that packets marked with any of the marks are
	// affected by the firewall rule
	Marks []uint32
	// Allow defines if rule denies packets via current rule or allows them
	Allow bool `json:"allow"`

	Ipv6Only         bool   `json:"ipv6_only"`
	Icmpv6Types      []int  `json:"icmp6_types"`
	HopLimit         uint8  `json:"hop_limit"`
	SourcePorts      []int  `json:"source_ports"`
	DestinationPorts []int  `json:"destination_ports"`
	Comment          string `json:"comment"`
}

Rule defines a single firewall rule which is applicable for set of addresses, ports and protocols

func (Rule) Equal 

func (r Rule) Equal(other Rule) bool

type Service 

type Service interface {
	// Add and apply firewall rules
	Add([]Rule) error
	// Delete a list of firewall rules by defined names
	Delete(names []string) error
	// Enable firewall
	Enable() error
	// Disable firewall
	Disable() error
	// Flushes firewall
	Flush() error
}

Service adapts system firewall configuration to firewall rules

Used by callers.

Source Files

View all Source files

Directories

Path Synopsis
Package allowlist implements allowlist routing.
 Package allowlist implements allowlist routing.
Package forwarder manages the FORWARD chain rules(meshnet and allowlist).
 Package forwarder manages the FORWARD chain rules(meshnet and allowlist).
Package iptables implements iptables firewall agent.
 Package iptables implements iptables firewall agent.
Package notables implements noop firewall agent.
 Package notables implements noop firewall agent.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.