drivers

package
Published: Dec 20, 2024 License: AGPL-3.0 Imports: 19 Imported by: 0

Types

type ACLRule

// ACLRule is a single firewall ACL rule, consumed by NetworkApplyACLRules.
// Fields that are unset are presumably treated as "match any"; this listing
// does not show the parser, so confirm against the driver implementation.
type ACLRule struct {
	Direction       string // Either "ingress" or "egress".
	Action          string // Action applied to matching traffic. NOTE(review): accepted values are not visible here — confirm in the driver.
	Log             bool   // Whether or not to log matched packets.
	LogName         string // Log label name (requires Log be true).
	Source          string // Source match. NOTE(review): accepted forms (address, CIDR, named set) not shown here — confirm.
	Destination     string // Destination match; same caveat as Source.
	Protocol        string // Protocol match (e.g. tcp/udp/icmp); exact spelling is driver-specific — confirm.
	SourcePort      string // Source port match; presumably only meaningful for port-carrying protocols.
	DestinationPort string // Destination port match; same caveat as SourcePort.
	ICMPType        string // ICMP type match; presumably only meaningful when Protocol is an ICMP variant.
	ICMPCode        string // ICMP code match; same caveat as ICMPType.
}

ACLRule represents an ACL rule that can be added to a firewall.

type AddressForward

// AddressForward describes one NAT (DNAT) address forward: traffic arriving
// at ListenAddress on ListenPorts is redirected to TargetAddress on TargetPorts.
// NOTE(review): whether ListenPorts and TargetPorts must be equal length
// (1:1 mapping) or TargetPorts may be shorter (many-to-one) is not established
// by this listing — confirm in the driver before relying on it.
type AddressForward struct {
	ListenAddress net.IP   // Address the forward listens on.
	TargetAddress net.IP   // Address traffic is forwarded to.
	Protocol      string   // Transport protocol of the forward; accepted values not shown here.
	ListenPorts   []uint64 // Ports matched on ListenAddress.
	TargetPorts   []uint64 // Ports traffic is forwarded to on TargetAddress.
}

AddressForward represents a NAT address forward.

type FeatureOpts

// FeatureOpts selects which baseline rules NetworkSetup installs for one IP
// family (see Opts.FeaturesV4 / Opts.FeaturesV6). Note that forwarding is
// blocked, not merely left unconfigured, when ForwardingAllow is false.
type FeatureOpts struct {
	ICMPDHCPDNSAccess bool // Add rules to allow ICMP, DHCP and DNS access.
	ForwardingAllow   bool // Add rules to allow IP forwarding. Blocked if false.
}

FeatureOpts specify how firewall features are setup.

type Nftables

// Nftables is the nftables-backed firewall driver. It carries no state; every
// method takes its inputs explicitly and uses a value receiver.
type Nftables struct{}

Nftables is an implementation of the LXD firewall using nftables.

func (Nftables) Compat

func (d Nftables) Compat() (bool, error)

Compat returns whether the driver backend is in use, and any host compatibility errors.

func (Nftables) InstanceClearBridgeFilter

func (d Nftables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, _ []*net.IPNet, _ []*net.IPNet) error

InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering. For the nftables driver the IPv4/IPv6 net arguments are ignored (note the blank identifiers in the signature), so the clear does not depend on the caller knowing which addresses were originally filtered.

func (Nftables) InstanceClearNetPrio

func (d Nftables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error

InstanceClearNetPrio removes setting of skb->priority for the specified instance device on the host interface.

func (Nftables) InstanceClearProxyNAT

func (d Nftables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error

InstanceClearProxyNAT removes DNAT rules for proxy devices.

func (Nftables) InstanceClearRPFilter

func (d Nftables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error

InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface. Note that after this call the instance is no longer prevented from sending packets with spoofed source addresses by this mechanism.

func (Nftables) InstanceSetupBridgeFilter

func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, parentManaged bool) error

InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering.

func (Nftables) InstanceSetupNetPrio

func (d Nftables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error

InstanceSetupNetPrio activates setting of skb->priority for the specified instance device on the host interface.

func (Nftables) InstanceSetupProxyNAT

func (d Nftables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *AddressForward) error

InstanceSetupProxyNAT creates DNAT rules for proxy devices.

func (Nftables) InstanceSetupRPFilter

func (d Nftables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error

InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface. Reverse path filtering drops packets whose source address is not routable back via the interface they arrived on, which is what stops an instance from spoofing source addresses; the exact mode (strict vs. loose) is implementation-specific and not shown here.

func (Nftables) NetworkApplyACLRules

func (d Nftables) NetworkApplyACLRules(networkName string, rules []ACLRule) error

NetworkApplyACLRules applies ACL rules to the existing firewall chains.

func (Nftables) NetworkApplyForwards

func (d Nftables) NetworkApplyForwards(networkName string, rules []AddressForward) error

NetworkApplyForwards applies network address forward rules to the firewall.

func (Nftables) NetworkClear

func (d Nftables) NetworkClear(networkName string, _ bool, _ []uint) error

NetworkClear removes the LXD network related chains. The delete and ipVersions arguments have no effect for the nftables driver (both are discarded in the signature).

func (Nftables) NetworkSetup

func (d Nftables) NetworkSetup(networkName string, ip4Address net.IP, ip6Address net.IP, opts Opts) error

NetworkSetup configures the network firewall.

func (Nftables) String

func (d Nftables) String() string

String returns the driver name.

type Opts

// Opts configures NetworkSetup. Each feature is opt-in: a nil FeatureOpts or
// SNATOpts pointer leaves that IP family's firewall or SNAT off.
type Opts struct {
	FeaturesV4 *FeatureOpts // Enable IPv4 firewall with specified options. Off if not provided.
	FeaturesV6 *FeatureOpts // Enable IPv6 firewall with specified options. Off if not provided.
	SNATV4     *SNATOpts    // Enable IPv4 SNAT with specified options. Off if not provided.
	SNATV6     *SNATOpts    // Enable IPv6 SNAT with specified options. Off if not provided.
	ACL        bool         // Enable ACL during setup.
}

Opts for setting up the firewall.

type SNATOpts

// SNATOpts specifies how source NAT rules are set up for one IP family.
// When SNATAddress is nil the rule falls back to MASQUERADE, i.e. the source
// is rewritten to whatever address the outgoing interface has at the time.
type SNATOpts struct {
	Append      bool       // Append rules (has no effect if driver doesn't support it).
	Subnet      *net.IPNet // Subnet of source network used to identify candidate traffic.
	SNATAddress net.IP     // SNAT IP address to use. If nil then MASQUERADE is used.
}

SNATOpts specify how SNAT rules are setup.

type Xtables

// Xtables is the legacy iptables/ip6tables/ebtables-backed firewall driver.
// Like Nftables it carries no state and uses value receivers throughout.
type Xtables struct{}

Xtables is an implementation of the LXD firewall using {ip, ip6, eb}tables.

func (Xtables) Compat

func (d Xtables) Compat() (bool, error)

Compat returns whether the driver backend is in use, and any host compatibility errors.

func (Xtables) InstanceClearBridgeFilter

func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet) error

InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.

func (Xtables) InstanceClearNetPrio

func (d Xtables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error

InstanceClearNetPrio removes setting of skb->priority for the specified instance device on the host interface.

func (Xtables) InstanceClearProxyNAT

func (d Xtables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error

InstanceClearProxyNAT removes DNAT rules for proxy devices.

func (Xtables) InstanceClearRPFilter

func (d Xtables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error

InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.

func (Xtables) InstanceSetupBridgeFilter

func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, parentManaged bool) error

InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering. If the parent bridge is managed by LXD then the parentManaged argument should be true so that the rules added can use the iptablesChainACLFilterPrefix chain. If not, they are added to the main filter chains directly (which only works for unmanaged bridges, because those don't support ACLs). Passing the wrong parentManaged value therefore places the rules in the wrong chain rather than failing loudly.

func (Xtables) InstanceSetupNetPrio

func (d Xtables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error

InstanceSetupNetPrio activates setting of skb->priority for the specified instance device on the host interface.

func (Xtables) InstanceSetupProxyNAT

func (d Xtables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *AddressForward) error

InstanceSetupProxyNAT creates DNAT rules for proxy devices.

func (Xtables) InstanceSetupRPFilter

func (d Xtables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error

InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.

func (Xtables) NetworkApplyACLRules

func (d Xtables) NetworkApplyACLRules(networkName string, rules []ACLRule) error

NetworkApplyACLRules applies ACL rules to the existing firewall chains.

func (Xtables) NetworkApplyForwards

func (d Xtables) NetworkApplyForwards(networkName string, rules []AddressForward) error

NetworkApplyForwards applies network address forward rules to the firewall.

func (Xtables) NetworkClear

func (d Xtables) NetworkClear(networkName string, delete bool, ipVersions []uint) error

NetworkClear removes network rules from filter, mangle and nat tables. If delete is true then network-specific chains are also removed.

func (Xtables) NetworkSetup

func (d Xtables) NetworkSetup(networkName string, ipv4Address net.IP, ipv6Address net.IP, opts Opts) error

NetworkSetup configures the network firewall.

func (Xtables) String

func (d Xtables) String() string

String returns the driver name.
