Package expr provides nftables rule expressions.
// Connlimit netlink attributes and flags, per
// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1167
const (
	NFTA_CONNLIMIT_UNSPEC = iota // 0
	NFTA_CONNLIMIT_COUNT         // 1: the connection count limit
	NFTA_CONNLIMIT_FLAGS         // 2: flags word (see NFT_CONNLIMIT_F_INV)
	// NFT_CONNLIMIT_F_INV is bit 0 of the flags word and inverts the
	// match — presumably selecting the "count not over limit" form;
	// confirm against connlimit.go.
	NFT_CONNLIMIT_F_INV = 1
)
// Possible CtKey values; each mirrors the unix.NFT_CT_* constant of the
// same name. The CtStateBit* values at the end are not keys: they are the
// individual bits of the conntrack state word (presumably the value loaded
// via CtKeySTATE) and are meant to be masked/compared against it.
const (
	CtKeySTATE      CtKey = unix.NFT_CT_STATE
	CtKeyDIRECTION  CtKey = unix.NFT_CT_DIRECTION
	CtKeySTATUS     CtKey = unix.NFT_CT_STATUS
	CtKeyMARK       CtKey = unix.NFT_CT_MARK
	CtKeySECMARK    CtKey = unix.NFT_CT_SECMARK
	CtKeyEXPIRATION CtKey = unix.NFT_CT_EXPIRATION
	CtKeyHELPER     CtKey = unix.NFT_CT_HELPER
	CtKeyL3PROTOCOL CtKey = unix.NFT_CT_L3PROTOCOL
	CtKeySRC        CtKey = unix.NFT_CT_SRC
	CtKeyDST        CtKey = unix.NFT_CT_DST
	CtKeyPROTOCOL   CtKey = unix.NFT_CT_PROTOCOL
	CtKeyPROTOSRC   CtKey = unix.NFT_CT_PROTO_SRC
	CtKeyPROTODST   CtKey = unix.NFT_CT_PROTO_DST
	CtKeyLABELS     CtKey = unix.NFT_CT_LABELS
	CtKeyPKTS       CtKey = unix.NFT_CT_PKTS
	CtKeyBYTES      CtKey = unix.NFT_CT_BYTES
	CtKeyAVGPKT     CtKey = unix.NFT_CT_AVGPKT
	CtKeyZONE       CtKey = unix.NFT_CT_ZONE
	CtKeyEVENTMASK  CtKey = unix.NFT_CT_EVENTMASK

	// Conntrack state bits, as used by nftables' ct.c:
	// https://sources.debian.org/src//nftables/0.9.8-3/src/ct.c/?hl=39#L39
	CtStateBitINVALID     uint32 = 1
	CtStateBitESTABLISHED uint32 = 2
	CtStateBitRELATED     uint32 = 4
	CtStateBitNEW         uint32 = 8
	CtStateBitUNTRACKED   uint32 = 64
)
Possible CtKey values.
// Dynset attribute and flag values not yet available in golang.org/x/sys/unix;
// see https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=2027-2036
const (
	// NFTA_DYNSET_EXPRESSIONS carries the list of stateful expressions
	// attached to a dynamically added element (see Dynset.Exprs).
	NFTA_DYNSET_EXPRESSIONS = 0xa
	// NFT_DYNSET_F_EXPR flags that such expressions are present.
	NFT_DYNSET_F_EXPR = (1 << 1)
)
Not yet supported by the unix package; see https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=2027-2036
// NF_NAT_RANGE_* flags used by the NAT and masquerade expressions.
// TODO: once these constants are available in golang.org/x/sys/unix, switch to those.
const (
	// NF_NAT_RANGE_PROTO_RANDOM is the flag for a random masquerade
	// (randomised port selection).
	NF_NAT_RANGE_PROTO_RANDOM = 0x4
	// NF_NAT_RANGE_PROTO_RANDOM_FULLY is the flag for a fully random masquerade.
	NF_NAT_RANGE_PROTO_RANDOM_FULLY = 0x10
	// NF_NAT_RANGE_PERSISTENT is the flag for a persistent masquerade
	// (same mapping for a client across connections).
	NF_NAT_RANGE_PERSISTENT = 0x8
	// NF_NAT_RANGE_NETMAP is the flag for 1:1 network mapping (the NETMAP
	// iptables target).
	NF_NAT_RANGE_NETMAP = 0x40
)
TODO, Once the constants below are available in golang.org/x/sys/unix, switch to use those.
// Possible QueueAttribute values (netlink attributes of the queue
// expression), followed by the QueueFlag bits carried by QueueFlags.
const (
	QueueNum   QueueAttribute = unix.NFTA_QUEUE_NUM   // first queue number
	QueueTotal QueueAttribute = unix.NFTA_QUEUE_TOTAL // number of queues
	QueueFlags QueueAttribute = unix.NFTA_QUEUE_FLAGS // QueueFlag bit set

	// TODO: get into x/sys/unix

	// QueueFlagBypass presumably lets packets pass (accept) when no
	// userspace program is bound to the queue, i.e. the queue fails open
	// instead of dropping — confirm before relying on it in a filtering
	// policy.
	QueueFlagBypass QueueFlag = 0x01
	// QueueFlagFanout presumably spreads packets over QueueTotal queues.
	QueueFlagFanout QueueFlag = 0x02
	// QueueFlagMask covers both defined flag bits.
	QueueFlagMask QueueFlag = 0x03
)
Possible QueueAttribute values.
// Socket expression netlink attributes and keys.
// TODO: once these constants are available in golang.org/x/sys/unix, switch to those.
const (
	NFTA_SOCKET_KEY   = 1 // attribute: which SocketKey to load
	NFTA_SOCKET_DREG  = 2 // attribute: destination register
	NFTA_SOCKET_LEVEL = 3 // attribute: cgroup level (used with NFT_SOCKET_CGROUPV2) — presumably

	NFT_SOCKET_TRANSPARENT = 0
	NFT_SOCKET_MARK        = 1
	NFT_SOCKET_WILDCARD    = 2
	NFT_SOCKET_CGROUPV2    = 3

	// Possible SocketKey values, typed aliases of the NFT_SOCKET_* keys above.
	SocketKeyTransparent SocketKey = NFT_SOCKET_TRANSPARENT
	SocketKeyMark        SocketKey = NFT_SOCKET_MARK
	SocketKeyWildcard    SocketKey = NFT_SOCKET_WILDCARD
	SocketKeyCgroupv2    SocketKey = NFT_SOCKET_CGROUPV2
)
// TPROXY expression netlink attributes.
const (
	// NFTA_TPROXY_FAMILY is the attribute carrying the table family.
	NFTA_TPROXY_FAMILY = 0x01
	// NFTA_TPROXY_REG_ADDR is the attribute naming the register that holds
	// the redirection address.
	NFTA_TPROXY_REG_ADDR = 0x02
	// NFTA_TPROXY_REG_PORT is the attribute naming the register that holds
	// the redirection port.
	NFTA_TPROXY_REG_PORT = 0x03
)
// NFTNL_EXPR_FLOW_TABLE_NAME is the attribute index of a flow offload
// expression's flowtable name (libnftnl numbering) — presumably; see
// flow_offload.go and FlowOffload.Name.
const NFTNL_EXPR_FLOW_TABLE_NAME = 1
// XTablesExtensionNameMaxLen bounds the name of an xtables extension
// (as used by the Match and Target expressions). 29 matches
// XT_EXTENSION_MAXNAMELEN in the kernel's x_tables.h, presumably the
// source of this value.
const XTablesExtensionNameMaxLen = 29
// Any is implemented by every expression type in this package. The
// interface carries only unexported methods (elided in this listing), so
// presumably it cannot be satisfied by types defined outside the package.
type Any interface {
	// contains filtered or unexported methods
}
Any is an interface implemented by any expression type.
// Byteorder converts the value held in SourceRegister between network and
// host byte order (direction given by Op) and stores the result in
// DestRegister.
type Byteorder struct {
	SourceRegister uint32
	DestRegister   uint32
	Op             ByteorderOp // ByteorderNtoh or ByteorderHton
	Len            uint32      // total number of bytes converted — presumably; confirm against byteorder.go
	Size           uint32      // size of each converted word in bytes — presumably; confirm against byteorder.go
}
// ByteorderOp selects the direction of a Byteorder conversion; see the
// ByteorderNtoh and ByteorderHton constants.
type ByteorderOp uint32
// Possible ByteorderOp values, mirroring unix.NFT_BYTEORDER_*.
const (
	ByteorderNtoh ByteorderOp = unix.NFT_BYTEORDER_NTOH // network to host order
	ByteorderHton ByteorderOp = unix.NFT_BYTEORDER_HTON // host to network order
)
// CmpOp specifies which comparison a Cmp expression performs; see the
// CmpOp* constants.
type CmpOp uint32
CmpOp specifies which type of comparison should be performed.
// Possible CmpOp values, mirroring unix.NFT_CMP_*.
const (
	CmpOpEq  CmpOp = unix.NFT_CMP_EQ  // ==
	CmpOpNeq CmpOp = unix.NFT_CMP_NEQ // !=
	CmpOpLt  CmpOp = unix.NFT_CMP_LT  // <
	CmpOpLte CmpOp = unix.NFT_CMP_LTE // <=
	CmpOpGt  CmpOp = unix.NFT_CMP_GT  // >
	CmpOpGte CmpOp = unix.NFT_CMP_GTE // >=
)
Possible CmpOp values.
// CtKey selects which piece of conntrack information a Ct expression
// loads; see the CtKey* constants and
// https://wiki.nftables.org/wiki-nftables/index.php/Matching_connection_tracking_stateful_metainformation
type CtKey uint32
CtKey specifies which piece of conntrack information should be loaded. See also https://wiki.nftables.org/wiki-nftables/index.php/Matching_connection_tracking_stateful_metainformation
// Dynset dynamically adds or updates an element of the set or map
// identified by SetName/SetID, using data taken from the packet.
type Dynset struct {
	SrcRegKey  uint32 // register holding the element key
	SrcRegData uint32 // register holding the mapped data (maps only) — presumably
	SetID      uint32
	SetName    string
	Operation  uint32        // presumably one of unix.NFT_DYNSET_OP_* (add/update/delete)
	Timeout    time.Duration // per-element timeout; zero presumably means no timeout — confirm in dynset.go
	Invert     bool
	// Exprs are stateful expressions attached to the element (sent as
	// NFTA_DYNSET_EXPRESSIONS with NFT_DYNSET_F_EXPR) — presumably.
	Exprs []Any
}
Dynset represents a rule that dynamically adds or updates a set or a map based on an incoming packet.
// ExthdrOp selects which kind of header an Exthdr expression inspects;
// see the ExthdrOp* constants.
type ExthdrOp uint32
// Possible ExthdrOp values, mirroring unix.NFT_EXTHDR_OP_*.
const (
	ExthdrOpIpv6   ExthdrOp = unix.NFT_EXTHDR_OP_IPV6   // IPv6 extension headers
	ExthdrOpTcpopt ExthdrOp = unix.NFT_EXTHDR_OP_TCPOPT // TCP options
)
// Fib queries the forwarding information base (routing tables) for the
// packet and stores a result in Register. The Flag* fields select the
// lookup inputs and the Result* fields select what is returned; the field
// meanings below follow the NFTA_FIB_F_* / NFT_FIB_RESULT_* names and
// should be confirmed against fib.go. A typical defensive use is
// reverse-path filtering: checking that a route back to the source address
// exists via the ingress interface.
type Fib struct {
	Register       uint32
	ResultOIF      bool // result: output interface index
	ResultOIFNAME  bool // result: output interface name
	ResultADDRTYPE bool // result: address type (local, unicast, ...)
	FlagSADDR      bool // look up using the source address
	FlagDADDR      bool // look up using the destination address
	FlagMARK       bool // include the packet mark in the lookup
	FlagIIF        bool // restrict the lookup to the input interface
	FlagOIF        bool // restrict the lookup to the output interface
	FlagPRESENT    bool // only check that a route exists
}
Fib defines the fib expression structure.
// FlowOffload hands the matched flow to the flowtable called Name so that
// subsequent packets take the fast path (see NFTNL_EXPR_FLOW_TABLE_NAME).
type FlowOffload struct {
	Name string
}
// Hash computes a hash of type Type over Length bytes starting at
// SourceRegister, reduces it modulo Modulus, adds Offset and stores the
// result in DestRegister — presumably; confirm against hash.go.
type Hash struct {
	SourceRegister uint32
	DestRegister   uint32
	Length         uint32
	Modulus        uint32
	Seed           uint32 // hash seed
	Offset         uint32 // added to the reduced hash value
	Type           HashType
}
Hash defines the type for nftables' internal hashing functions.
// HashType selects the hashing algorithm used by a Hash expression; see
// the HashType* constants.
type HashType uint32
// Possible HashType values, mirroring unix.NFT_HASH_*.
const (
	HashTypeJenkins HashType = unix.NFT_HASH_JENKINS // Jenkins hash
	HashTypeSym     HashType = unix.NFT_HASH_SYM     // symmetric hash
)
// LimitType represents the unit a Limit expression rate-limits in; see the
// LimitType* constants.
type LimitType uint32
LimitType represents the type of the limit expression.
// Possible LimitType values, imported from the nft_limit_type enum in
// netfilter/nf_tables.h via golang.org/x/sys/unix.
const (
	LimitTypePkts     LimitType = unix.NFT_LIMIT_PKTS      // rate expressed in packets
	LimitTypePktBytes LimitType = unix.NFT_LIMIT_PKT_BYTES // rate expressed in bytes
)
Imported from the nft_limit_type enum in netfilter/nf_tables.h.
// Log emits a log entry for the packet. Log is not a verdict: evaluation of
// the rule continues after it. See
// https://git.netfilter.org/libnftnl/tree/src/expr/log.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n25
type Log struct {
	Level LogLevel
	// Refers to log flags (flags all, flags ip options, ...)
	Flags LogFlags
	// Equivalent to expression flags.
	// Indicates that an option is set by setting a bit
	// on index referred by the NFTA_LOG_* value.
	// See https://cs.opensource.google/go/x/sys/+/3681064d:unix/ztypes_linux.go;l=2126;drc=3681064d51587c1db0324b3d5c23c2ddbcff6e8f
	Key uint32
	// Snaplen, Group and QThreshold presumably configure the nflog path
	// (bytes captured per packet, nflog group, queue threshold) — confirm
	// against the libnftnl reference above.
	Snaplen    uint32
	Group      uint16
	QThreshold uint16
	// Log prefix string content. The kernel bounds the prefix length
	// (NF_LOG_PREFIXLEN); presumably longer values are rejected or
	// truncated at marshal time — confirm in log.go.
	Data []byte
}
Log defines the type for NFT logging. See https://git.netfilter.org/libnftnl/tree/src/expr/log.c?id=09456c720e9c00eecc08e41ac6b7c291b3821ee5#n25
// LogFlags is a bit set of logging options for a Log expression; see the
// LogFlags* constants.
type LogFlags uint32
// LogFlags bits, per
// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_log.h?id=5b364657a35f4e4cd5d220ba2a45303d729c8eca
const (
	LogFlagsTCPSeq    LogFlags = 0x01 << iota // 0x01: log TCP sequence numbers
	LogFlagsTCPOpt                            // 0x02: log TCP options
	LogFlagsIPOpt                             // 0x04: log IP options
	LogFlagsUID                               // 0x08: log the owning UID of the socket
	LogFlagsNFLog                             // 0x10: log via nflog instead of the kernel log
	LogFlagsMACDecode                         // 0x20: decode the MAC header
	// LogFlagsMask covers every flag above except LogFlagsNFLog (0x10),
	// matching NF_LOG_MASK in the referenced header.
	LogFlagsMask LogFlags = 0x2f
)
// LogLevel is the syslog-style severity of a Log expression; see the
// LogLevel* constants.
type LogLevel uint32
// Possible LogLevel values, per
// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=5b364657a35f4e4cd5d220ba2a45303d729c8eca#n1226
// The first eight follow the syslog priority order (0 = most severe);
// LogLevelAudit is not a syslog level.
const (
	LogLevelEmerg   LogLevel = iota // 0
	LogLevelAlert                   // 1
	LogLevelCrit                    // 2
	LogLevelErr                     // 3
	LogLevelWarning                 // 4
	LogLevelNotice                  // 5
	LogLevelInfo                    // 6
	LogLevelDebug                   // 7
	LogLevelAudit                   // 8
)
// Lookup matches the value in SourceRegister against the set identified by
// SetName/SetID. For maps, the mapped data is written to DestRegister when
// IsDestRegSet is true. Invert negates the match (matches when the element
// is absent).
type Lookup struct {
	SourceRegister uint32
	DestRegister   uint32
	IsDestRegSet   bool // presumably controls whether NFTA_LOOKUP_DREG is emitted; confirm in lookup.go
	SetID          uint32
	SetName        string
	Invert         bool
}
Lookup represents a match against the contents of a set.
// Masq masquerades the packet: a source NAT to the address of the output
// interface. Random, FullyRandom and Persistent presumably map to
// NF_NAT_RANGE_PROTO_RANDOM, NF_NAT_RANGE_PROTO_RANDOM_FULLY and
// NF_NAT_RANGE_PERSISTENT; when ToPorts is set, RegProtoMin/RegProtoMax
// name the registers holding the source port range — confirm in nat.go.
// See https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Masquerading
type Masq struct {
	Random      bool
	FullyRandom bool
	Persistent  bool
	ToPorts     bool
	RegProtoMin uint32
	RegProtoMax uint32
}
Masq (Masquerade) is a special case of SNAT, where the source address is automagically set to the address of the output interface. See also https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Masquerading
Meta loads packet meta information for later comparisons. See also https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
// MetaKey selects which piece of packet metadata a Meta expression loads;
// see the MetaKey* constants and
// https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
type MetaKey uint32
MetaKey specifies which piece of meta information should be loaded. See also https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
// Possible MetaKey values; each mirrors the unix.NFT_META_* constant of
// the same name. Some keys are only meaningful on one path (e.g. SKUID and
// SKGID describe the originating socket, so presumably they only match
// locally generated traffic) — confirm against the nftables wiki.
const (
	MetaKeyLEN        MetaKey = unix.NFT_META_LEN
	MetaKeyPROTOCOL   MetaKey = unix.NFT_META_PROTOCOL
	MetaKeyPRIORITY   MetaKey = unix.NFT_META_PRIORITY
	MetaKeyMARK       MetaKey = unix.NFT_META_MARK
	MetaKeyIIF        MetaKey = unix.NFT_META_IIF
	MetaKeyOIF        MetaKey = unix.NFT_META_OIF
	MetaKeyIIFNAME    MetaKey = unix.NFT_META_IIFNAME
	MetaKeyOIFNAME    MetaKey = unix.NFT_META_OIFNAME
	MetaKeyIIFTYPE    MetaKey = unix.NFT_META_IIFTYPE
	MetaKeyOIFTYPE    MetaKey = unix.NFT_META_OIFTYPE
	MetaKeySKUID      MetaKey = unix.NFT_META_SKUID
	MetaKeySKGID      MetaKey = unix.NFT_META_SKGID
	MetaKeyNFTRACE    MetaKey = unix.NFT_META_NFTRACE
	MetaKeyRTCLASSID  MetaKey = unix.NFT_META_RTCLASSID
	MetaKeySECMARK    MetaKey = unix.NFT_META_SECMARK
	MetaKeyNFPROTO    MetaKey = unix.NFT_META_NFPROTO
	MetaKeyL4PROTO    MetaKey = unix.NFT_META_L4PROTO
	MetaKeyBRIIIFNAME MetaKey = unix.NFT_META_BRI_IIFNAME
	MetaKeyBRIOIFNAME MetaKey = unix.NFT_META_BRI_OIFNAME
	MetaKeyPKTTYPE    MetaKey = unix.NFT_META_PKTTYPE
	MetaKeyCPU        MetaKey = unix.NFT_META_CPU
	MetaKeyIIFGROUP   MetaKey = unix.NFT_META_IIFGROUP
	MetaKeyOIFGROUP   MetaKey = unix.NFT_META_OIFGROUP
	MetaKeyCGROUP     MetaKey = unix.NFT_META_CGROUP
	MetaKeyPRANDOM    MetaKey = unix.NFT_META_PRANDOM
)
Possible MetaKey values.
// NATType selects source or destination NAT for a NAT expression; see the
// NATType* constants.
type NATType uint32
// Possible NATType values, mirroring unix.NFT_NAT_*.
const (
	NATTypeSourceNAT NATType = unix.NFT_NAT_SNAT // rewrite the source address (SNAT)
	NATTypeDestNAT   NATType = unix.NFT_NAT_DNAT // rewrite the destination address (DNAT)
)
Possible NATType values.
// Payload reads (PayloadLoad) or writes (PayloadWrite) Len bytes at Offset
// from the header selected by Base. A load stores the bytes in
// DestRegister; a write takes them from SourceRegister and, when CsumType
// is not CsumTypeNone, fixes up the checksum found at CsumOffset.
// CsumFlags presumably carries the unix.NFT_PAYLOAD_L4CSUM_* flags —
// confirm in payload.go.
type Payload struct {
	OperationType  PayloadOperationType
	DestRegister   uint32
	SourceRegister uint32
	Base           PayloadBase
	Offset         uint32 // byte offset relative to Base
	Len            uint32 // number of bytes to read or write
	CsumType       PayloadCsumType
	CsumOffset     uint32 // byte offset of the checksum field, presumably relative to Base
	CsumFlags      uint32
}
// PayloadBase selects which packet header a Payload expression's Offset is
// relative to; see the PayloadBase* constants.
type PayloadBase uint32
// Possible PayloadBase values, mirroring unix.NFT_PAYLOAD_*_HEADER.
const (
	PayloadBaseLLHeader        PayloadBase = unix.NFT_PAYLOAD_LL_HEADER        // link layer (e.g. Ethernet)
	PayloadBaseNetworkHeader   PayloadBase = unix.NFT_PAYLOAD_NETWORK_HEADER   // network layer (IPv4/IPv6)
	PayloadBaseTransportHeader PayloadBase = unix.NFT_PAYLOAD_TRANSPORT_HEADER // transport layer (TCP/UDP/...)
)
Possible PayloadBase values.
// PayloadCsumType selects the checksum fix-up applied after a Payload
// write; see the CsumType* constants.
type PayloadCsumType uint32
// Possible PayloadCsumType values, mirroring unix.NFT_PAYLOAD_CSUM_*.
const (
	CsumTypeNone PayloadCsumType = unix.NFT_PAYLOAD_CSUM_NONE // no checksum update
	CsumTypeInet PayloadCsumType = unix.NFT_PAYLOAD_CSUM_INET // internet (ones' complement) checksum
)
Possible PayloadCsumType values.
// PayloadOperationType distinguishes a Payload load (read packet bytes into
// a register) from a Payload write (store register bytes into the packet);
// see PayloadLoad and PayloadWrite.
type PayloadOperationType uint32
// Possible PayloadOperationType values. These are package-local values
// (no unix.NFT_* counterpart).
const (
	PayloadLoad  PayloadOperationType = iota // 0: read into DestRegister
	PayloadWrite                             // 1: write from SourceRegister
)
Possible PayloadOperationType values.
// QueueAttribute identifies a netlink attribute of the queue expression;
// see the Queue* constants.
type QueueAttribute uint16
// RtKey selects which routing information an Rt expression loads; see the
// Rt* constants.
type RtKey uint32
// Possible RtKey values, mirroring unix.NFT_RT_*.
const (
	RtClassid  RtKey = unix.NFT_RT_CLASSID  // routing classid
	RtNexthop4 RtKey = unix.NFT_RT_NEXTHOP4 // IPv4 next hop
	RtNexthop6 RtKey = unix.NFT_RT_NEXTHOP6 // IPv6 next hop
	RtTCPMSS   RtKey = unix.NFT_RT_TCPMSS   // TCP MSS derived from the route
)
// Verdict ends evaluation of the rule with Kind. Chain names the target
// chain and is only meaningful for VerdictJump and VerdictGoto; presumably
// it is ignored for the other kinds — confirm in verdict.go.
type Verdict struct {
	Kind  VerdictKind
	Chain string
}
// VerdictKind is the numeric verdict code. Negative values are the
// nftables control-flow verdicts (NFT_*), non-negative values the
// netfilter verdicts (NF_*); see the Verdict* constants.
type VerdictKind int64
// Verdicts, as per netfilter.h and netfilter/nf_tables.h. The numeric
// values follow from iota - 5.
const (
	VerdictReturn   VerdictKind = iota - 5 // -5: return to the calling chain
	VerdictGoto                            // -4: continue in Chain without returning
	VerdictJump                            // -3: evaluate Chain, then return here
	VerdictBreak                           // -2
	VerdictContinue                        // -1: continue with the next rule
	VerdictDrop                            //  0: NF_DROP
	VerdictAccept                          //  1: NF_ACCEPT
	VerdictStolen                          //  2: NF_STOLEN
	VerdictQueue                           //  3: NF_QUEUE
	VerdictRepeat                          //  4: NF_REPEAT
	VerdictStop                            //  5: NF_STOP
)
Verdicts, as per netfilter.h and netfilter/nf_tables.h.