Documentation ¶
Index ¶
- Constants
- func Accept() *expr.Verdict
- func Bitwise(length uint32, mask []byte, xor []byte) *expr.Bitwise
- func BitwiseWithRegisters(sourceRegister uint32, destRegister uint32, length uint32, mask []byte, ...) *expr.Bitwise
- func CompareCtState(mask uint32) ([]expr.Any, error)
- func CompareCtStateWithRegister(reg uint32, mask uint32) ([]expr.Any, error)
- func CompareDestinationAddress(ip netip.Addr) ([]expr.Any, error)
- func CompareDestinationAddressSet(set *nftables.Set) ([]expr.Any, error)
- func CompareDestinationAddressSetWithRegister(set *nftables.Set, reg uint32) ([]expr.Any, error)
- func CompareDestinationAddressWithRegister(ip netip.Addr, reg uint32) ([]expr.Any, error)
- func CompareDestinationPort(port uint16) ([]expr.Any, error)
- func CompareDestinationPortSet(set *nftables.Set) []expr.Any
- func CompareDestinationPortSetWithRegister(set *nftables.Set, reg uint32) []expr.Any
- func CompareDestinationPortWithRegister(port uint16, reg uint32) ([]expr.Any, error)
- func CompareProtocolFamily(proto nftables.TableFamily) []expr.Any
- func CompareProtocolFamilyWithRegister(proto nftables.TableFamily, reg uint32) []expr.Any
- func CompareSourceAddress(ip netip.Addr) ([]expr.Any, error)
- func CompareSourceAddressSet(set *nftables.Set) ([]expr.Any, error)
- func CompareSourceAddressSetWithRegister(set *nftables.Set, reg uint32) ([]expr.Any, error)
- func CompareSourceAddressWithRegister(ip netip.Addr, reg uint32) ([]expr.Any, error)
- func CompareSourcePort(port uint16) ([]expr.Any, error)
- func CompareSourcePortSet(set *nftables.Set) ([]expr.Any, error)
- func CompareSourcePortSetWithRegister(set *nftables.Set, reg uint32) ([]expr.Any, error)
- func CompareSourcePortWithRegister(port uint16, reg uint32) ([]expr.Any, error)
- func CompareTransportProtocol(proto byte) []expr.Any
- func CompareTransportProtocolWithRegister(proto byte, reg uint32) []expr.Any
- func CreateIface(log Logger, iface, linkType string, ip net.IP, ipNet *net.IPNet) error
- func DestinationPort(reg uint32) *expr.Payload
- func Drop() *expr.Verdict
- func Equals(data []byte, reg uint32) *expr.Cmp
- func ExprAccept() *expr.Verdict
- func ExprBitwise(dReg, sReg, l uint32, mask, xor []byte) *expr.Bitwise
- func ExprCmp(op expr.CmpOp, data []byte, reg ...uint32) *expr.Cmp
- func ExprCmpEq(reg uint32, data []byte) *expr.Cmp
- func ExprCmpEqIFName(name string) *expr.Cmp
- func ExprCmpNeq(reg uint32, data []byte) *expr.Cmp
- func ExprCmpNeqIFName(name string) *expr.Cmp
- func ExprCmpPort(op expr.CmpOp, port uint16, reg ...uint32) *expr.Cmp
- func ExprConnLimit(count uint32, flags uint32) *expr.Connlimit
- func ExprCounter() *expr.Counter
- func ExprCtState(reg uint32) *expr.Ct
- func ExprDNAT(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT
- func ExprDNATv6(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT
- func ExprDrop() *expr.Verdict
- func ExprDynamicLimitSet(set *nftables.Set, rateStr string, burst uint32, otherExprs ...expr.Any) (*expr.Dynset, error)
- func ExprIIFName() *expr.Meta
- func ExprImmediate(reg uint32, ip net.IP) *expr.Immediate
- func ExprImmediateWithPort(reg uint32, port uint16) *expr.Immediate
- func ExprLimit(t expr.LimitType, rate uint64, over bool, unit expr.LimitTime, burst uint32) *expr.Limit
- func ExprLookupSet(reg uint32, name string, id uint32, isEq ...bool) *expr.Lookup
- func ExprLookupSetFromSet(set *nftables.Set, reg uint32, isEq ...bool) *expr.Lookup
- func ExprMasquerade(protoMin, protoMax uint32) *expr.Masq
- func ExprMeta(meta expr.MetaKey, reg uint32) *expr.Meta
- func ExprOIFName() *expr.Meta
- func ExprPayloadNetHeader(reg, offset, l uint32) *expr.Payload
- func ExprPayloadTransportHeader(reg, offset, l uint32) *expr.Payload
- func ExprPortRange(startPort uint16, endPort uint16) []expr.Any
- func ExprRedirect(protoMin, protoMax uint32) *expr.Redir
- func ExprReject(t uint32, c uint8) *expr.Reject
- func ExprSNAT(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT
- func ExprSNATv6(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT
- func ExprTproxy() *expr.TProxy
- func ExprTproxy6() *expr.TProxy
- func GetCmpOp(isEq ...bool) expr.CmpOp
- func GetConntrackStateSet(t *nftables.Table) *nftables.Set
- func GetConntrackStateSetElems(states []string) []nftables.SetElement
- func GetIPv4AddrSet(t *nftables.Table, isInterval ...bool) *nftables.Set
- func GetIPv6AddrSet(t *nftables.Table, isInterval ...bool) *nftables.Set
- func GetNetInterface(interfaceName string) (ipv4NetInterfaces []NetInterface, ipv6NetInterfaces []NetInterface, err error)
- func GetPayloadDirectives(direction ExprDirection, isIPv4 bool, isIPv6 bool) (uint32, uint32, []byte)
- func GetPortElems(ports []uint16) []nftables.SetElement
- func GetPortSet(t *nftables.Table) *nftables.Set
- func IPAddr() (string, net.IP, net.IP, error)
- func IPv4DestinationAddress(reg uint32) *expr.Payload
- func IPv4SourceAddress(reg uint32) *expr.Payload
- func IPv6Addr() (string, net.IP, net.IP, error)
- func IPv6DestinationAddress(reg uint32) *expr.Payload
- func IPv6SourceAddress(reg uint32) *expr.Payload
- func IsInvert(isEq ...bool) bool
- func LoadCtByKey(ctKey expr.CtKey) (*expr.Ct, error)
- func LoadCtByKeyWithRegister(ctKey expr.CtKey, reg uint32) (*expr.Ct, error)
- func Match(name string, revision uint32, info xt.InfoAny) *expr.Match
- func MatchBPF(info []byte) *expr.Match
- func MatchBPFWithVerdict(info []byte, verdict *expr.Verdict) []expr.Any
- func MatchUnknown(name string, revision uint32, info []byte) *expr.Match
- func NotEquals(data []byte, reg uint32) *expr.Cmp
- func ParseConnLimit(limitStr string) (*expr.Connlimit, error)
- func ParseLimits(rateStr string, burst uint32) (*expr.Limit, error)
- func ProtoTCP(reg uint32) *expr.Payload
- func ProtoUDP(reg uint32) *expr.Payload
- func Reject() *expr.Reject
- func RemoveIface(log Logger, iface string) error
- func SetCIDRMatcher(direction ExprDirection, cidr string, isINet bool, isEq ...bool) ([]expr.Any, error)
- func SetCIDRMatcherIngoreError(direction ExprDirection, cidr string, isINet bool, isEq ...bool) []expr.Any
- func SetConnLimits(connLimitStr string, rateStr string, burst uint32) ([]expr.Any, error)
- func SetDNAT(ip net.IP, portMinAndMax ...uint16) []expr.Any
- func SetDNATRange(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any
- func SetDNATv6(ip net.IP, portMinAndMax ...uint16) []expr.Any
- func SetDNATv6Range(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any
- func SetDPortRange(min uint16, max uint16) []expr.Any
- func SetDynamicLimitDropSet(set *nftables.Set, rateStr string, burst uint32, otherExprs ...expr.Any) ([]expr.Any, error)
- func SetDynamicLimitSet(set *nftables.Set, rateStr string, burst uint32, otherExprs ...expr.Any) ([]expr.Any, error)
- func SetNATWithIPAndPort(dir ExprDirection, isIPv6 bool, ipStart net.IP, ipEnd net.IP, ...) []expr.Any
- func SetRedirect(portMin uint16, portMax ...uint16) []expr.Any
- func SetSNAT(ip net.IP, portMinAndMax ...uint16) []expr.Any
- func SetSNATRange(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any
- func SetSNATv6(ip net.IP, portMinAndMax ...uint16) []expr.Any
- func SetSNATv6Range(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any
- func SetSPortRange(min uint16, max uint16) []expr.Any
- func SourcePort(reg uint32) *expr.Payload
- func TypeConntrackStateDatatype() nftables.SetDatatype
- func TypeConntrackStateEstablished() []byte
- func TypeConntrackStateNew() []byte
- func TypeConntrackStateRelated() []byte
- func TypeICMPTypeEchoRequest() []byte
- func TypeICMPv6TypeEchoRequest() []byte
- func TypeProtoICMP() []byte
- func TypeProtoICMPV6() []byte
- func TypeProtoTCP() []byte
- func TypeProtoUDP() []byte
- func ValidateAddress(ip netip.Addr) error
- func ValidateAddressRange(start netip.Addr, end netip.Addr) error
- func ValidatePort(port uint16) error
- func ValidatePortRange(start uint16, end uint16) error
- func ValidatePrefix(prefix netip.Prefix) error
- type ExprDirection
- type Exprs
- func JoinExprs(exprs ...[]expr.Any) Exprs
- func SetConntrackStateEstablished() Exprs
- func SetConntrackStateNew() Exprs
- func SetConntrackStateRelated() Exprs
- func SetConntrackStateSet(s *nftables.Set) Exprs
- func SetDAddrIPv6Set(s *nftables.Set, isEq ...bool) Exprs
- func SetDAddrSet(s *nftables.Set, isEq ...bool) Exprs
- func SetDPort(p uint16, isEq ...bool) Exprs
- func SetDPortSet(s *nftables.Set, isEq ...bool) Exprs
- func SetICMPTypeEchoRequest() Exprs
- func SetICMPv6TypeEchoRequest() Exprs
- func SetIIF(iface string) Exprs
- func SetINetProtoICMP(isEq ...bool) Exprs
- func SetINetProtoICMPv6(isEq ...bool) Exprs
- func SetNIIF(iface string) Exprs
- func SetNOIF(iface string) Exprs
- func SetOIF(iface string) Exprs
- func SetProtoICMP(isEq ...bool) Exprs
- func SetProtoICMPv6(isEq ...bool) Exprs
- func SetProtoTCP(isEq ...bool) Exprs
- func SetProtoUDP(isEq ...bool) Exprs
- func SetSAddrIPv6Set(s *nftables.Set, isEq ...bool) Exprs
- func SetSAddrSet(s *nftables.Set, isEq ...bool) Exprs
- func SetSPort(p uint16, isEq ...bool) Exprs
- func SetSPortSet(s *nftables.Set, isEq ...bool) Exprs
- func SetSourceIPv4Net(addr []byte, mask []byte, isEq ...bool) Exprs
- type Logger
- type NetInterface
- type Operator
Constants ¶
const ( StateNew = `new` StateEstablished = `established` StateRelated = `related` )
const ( SrcPortOffset = 0 DstPortOffset = 2 PortLen = 2 )
Transport protocol lengths and offsets
const ( IPv4SrcOffset = 12 IPv4DstOffset = 16 IPv4AddrLen = net.IPv4len )
IPv4 lengths and offsets
const ( IPv6SrcOffset = 8 IPv6DstOffset = 24 IPv6AddrLen = net.IPv6len )
IPv6 lengths and offsets
const ( ProtoTCPOffset = 9 ProtoTCPLen = 1 )
const ( ProtoUDPOffset = 9 ProtoUDPLen = 1 )
const ( ProtoICMPOffset = 9 ProtoICMPLen = 1 )
const ( ProtoICMPv6Offset = 6 ProtoICMPv6Len = 1 )
const (
ConnTrackStateLen = 4
)
Variables ¶
This section is empty.
Functions ¶
func BitwiseWithRegisters ¶
func CompareCtStateWithRegister ¶
Compares the CT state already loaded in `reg` against `mask`. Valid values for mask are: expr.CtStateBitInvalid (1), expr.CtStateBitESTABLISHED (2), expr.CtStateBitRELATED (4), expr.CtStateBitNEW (8), expr.CtStateBitUNTRACKED (64), or combinations of these joined with a bitwise OR, e.g. `expr.CtStateBitNEW | expr.CtStateBitUNTRACKED`.
func CompareDestinationAddress ¶
Returns a list of expressions that will compare the destination address of traffic
func CompareDestinationAddressSet ¶
Returns a list of expressions that will compare the destination address of traffic against a set
func CompareDestinationAddressSetWithRegister ¶
Returns a list of expressions that will compare the destination address of traffic against a set, with a user defined register
func CompareDestinationAddressWithRegister ¶
Returns a list of expressions that will compare the destination address of traffic, with a user defined register
func CompareDestinationPort ¶
Returns a list of expressions that will compare the destination port of traffic
func CompareDestinationPortSet ¶
Returns a list of expressions that will compare the destination port of traffic against a set
func CompareDestinationPortSetWithRegister ¶
Returns a list of expressions that will compare the destination port of traffic against a set, with a user defined register
func CompareDestinationPortWithRegister ¶
Returns a list of expressions that will compare the destination port of traffic, with a user defined register
func CompareProtocolFamily ¶
func CompareProtocolFamily(proto nftables.TableFamily) []expr.Any
Returns a list of expressions that will compare the netfilter protocol family of traffic
func CompareProtocolFamilyWithRegister ¶
func CompareProtocolFamilyWithRegister(proto nftables.TableFamily, reg uint32) []expr.Any
Returns a list of expressions that will compare the protocol family of traffic, with a user defined register
func CompareSourceAddress ¶
Returns a list of expressions that will compare the source address of traffic
func CompareSourceAddressSet ¶
Returns a list of expressions that will compare the source address of traffic against a set
func CompareSourceAddressSetWithRegister ¶
Returns a list of expressions that will compare the source address of traffic against a set, with a user defined register
func CompareSourceAddressWithRegister ¶
Returns a list of expressions that will compare the source address of traffic, with a user defined register
func CompareSourcePort ¶
Returns a list of expressions that will compare the source port of traffic
func CompareSourcePortSet ¶
Returns a list of expressions that will compare the source port of traffic against a set
func CompareSourcePortSetWithRegister ¶
Returns a list of expressions that will compare the source port of traffic against a set, with a user defined register
func CompareSourcePortWithRegister ¶
Returns a list of expressions that will compare the source port of traffic, with a user defined register
func CompareTransportProtocol ¶
Returns a list of expressions that will compare the transport protocol of traffic
func CompareTransportProtocolWithRegister ¶
Returns a list of expressions that will compare the transport protocol of traffic, with a user defined register
func CreateIface ¶
Create network link for interface.
func DestinationPort ¶
Returns a destination port payload expression
func ExprBitwise ¶
ExprBitwise wrapper
func ExprCmpPort ¶ added in v0.1.0
ExprCmpPort returns a new port expression with the given matching operator.
func ExprConnLimit ¶
ExprConnLimit wrapper. Pass flags=1 for the over==true case and flags=0 otherwise.
func ExprDNATv6 ¶
ExprDNATv6 wrapper
func ExprDynamicLimitSet ¶ added in v0.0.7
func ExprImmediate ¶
ExprImmediate wrapper
func ExprImmediateWithPort ¶ added in v0.0.3
ExprImmediateWithPort wrapper
func ExprLimit ¶
func ExprLimit(t expr.LimitType, rate uint64, over bool, unit expr.LimitTime, burst uint32) *expr.Limit
ExprLimit wrapper
func ExprLookupSet ¶
ExprLookupSet wrapper
func ExprLookupSetFromSet ¶
ExprLookupSetFromSet wrapper
func ExprMasquerade ¶
ExprMasquerade wrapper
func ExprPayloadNetHeader ¶
ExprPayloadNetHeader wrapper
func ExprPayloadTransportHeader ¶
ExprPayloadTransportHeader wrapper
func ExprPortRange ¶ added in v0.3.4
ExprPortRange returns a new port range expression.
func ExprSNATv6 ¶
ExprSNATv6 wrapper
func ExprTproxy ¶
func ExprTproxy6 ¶
func GetConntrackStateSet ¶
GetConntrackStateSet helper.
func GetConntrackStateSetElems ¶
func GetConntrackStateSetElems(states []string) []nftables.SetElement
GetConntrackStateSetElems helper.
func GetIPv4AddrSet ¶
GetIPv4AddrSet helper.
func GetIPv6AddrSet ¶
GetIPv6AddrSet helper.
func GetNetInterface ¶
func GetNetInterface(interfaceName string) (ipv4NetInterfaces []NetInterface, ipv6NetInterfaces []NetInterface, err error)
GetNetInterface returns the addresses of the named network interface (the IPv4 addresses and the IPv6 addresses are returned separately).
func GetPayloadDirectives ¶
func GetPayloadDirectives(direction ExprDirection, isIPv4 bool, isIPv6 bool) (uint32, uint32, []byte)
GetPayloadDirectives get expression directives based on ip version and direction
func IPv4DestinationAddress ¶
Returns an IPv4 destination address payload expression
func IPv4SourceAddress ¶
Returns an IPv4 source address payload expression
func IPv6DestinationAddress ¶
Returns an IPv6 destination address payload expression
func IPv6SourceAddress ¶
Returns an IPv6 source address payload expression
func LoadCtByKeyWithRegister ¶
func MatchBPFWithVerdict ¶
Returns an xtables BPF match expression combined with a verdict
func MatchUnknown ¶
Returns an xtables match expression of an unknown (opaque) type
func ParseLimits ¶ added in v0.0.3
ParseLimits parses a rate string into an expr.Limit. Example rate strings: rateStr := `1+/p/s` or rateStr := `1+/bytes/second`
func RemoveIface ¶
Remove network link for interface.
func SetCIDRMatcher ¶
func SetCIDRMatcher(direction ExprDirection, cidr string, isINet bool, isEq ...bool) ([]expr.Any, error)
SetCIDRMatcher generates nftables expressions that match a CIDR, e.g. SetCIDRMatcher(ExprDirectionSource, `127.0.0.0/24`)
func SetCIDRMatcherIngoreError ¶ added in v0.3.2
func SetCIDRMatcherIngoreError(direction ExprDirection, cidr string, isINet bool, isEq ...bool) []expr.Any
SetCIDRMatcherIngoreError generates nftables expressions that match a CIDR, e.g. SetCIDRMatcherIngoreError(ExprDirectionSource, `127.0.0.0/24`). Unlike SetCIDRMatcher, its signature returns no error, so a CIDR that fails to parse is not reported to the caller.
func SetConnLimits ¶ added in v0.0.3
func SetDNATRange ¶ added in v0.0.3
func SetDNATv6Range ¶ added in v0.0.3
func SetDPortRange ¶
SetDPortRange returns a new port range expression.
func SetDynamicLimitDropSet ¶ added in v0.0.3
func SetDynamicLimitSet ¶ added in v0.0.8
func SetNATWithIPAndPort ¶ added in v0.0.3
func SetSNATRange ¶ added in v0.0.3
func SetSNATv6Range ¶ added in v0.0.3
func SetSPortRange ¶
SetSPortRange returns a new port range expression.
func SourcePort ¶
Returns a source port payload expression
func TypeConntrackStateDatatype ¶
func TypeConntrackStateDatatype() nftables.SetDatatype
TypeConntrackStateDatatype returns the conntrack state SetDatatype object.
func TypeConntrackStateEstablished ¶
func TypeConntrackStateEstablished() []byte
TypeConntrackStateEstablished bytes.
func TypeConntrackStateRelated ¶
func TypeConntrackStateRelated() []byte
TypeConntrackStateRelated bytes.
func TypeICMPv6TypeEchoRequest ¶
func TypeICMPv6TypeEchoRequest() []byte
TypeICMPv6TypeEchoRequest bytes.
func ValidateAddressRange ¶
Validates an IP address range given by its start and end addresses
func ValidatePortRange ¶
Validates start and end port numbers
Types ¶
type ExprDirection ¶
type ExprDirection string
const ( ExprDirectionSource ExprDirection = `source` ExprDirectionDestination ExprDirection = `destination` )
type Exprs ¶
func SetConntrackStateEstablished ¶
func SetConntrackStateEstablished() Exprs
SetConntrackStateEstablished helper.
func SetConntrackStateRelated ¶
func SetConntrackStateRelated() Exprs
SetConntrackStateRelated helper.
func SetConntrackStateSet ¶
SetConntrackStateSet helper.
func SetDAddrIPv6Set ¶
SetDAddrIPv6Set helper.
func SetICMPv6TypeEchoRequest ¶
func SetICMPv6TypeEchoRequest() Exprs
SetICMPv6TypeEchoRequest helper.
func SetINetProtoICMPv6 ¶
func SetProtoICMPv6 ¶
func SetSAddrIPv6Set ¶
SetSAddrIPv6Set helper.
func SetSourceIPv4Net ¶
SetSourceIPv4Net helper.