- type ACLRule
- type AddressForward
- type FeatureOpts
- type Nftables
- func (d Nftables) Compat() (bool, error)
- func (d Nftables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, ...) error
- func (d Nftables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error
- func (d Nftables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error
- func (d Nftables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error
- func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, ...) error
- func (d Nftables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error
- func (d Nftables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, ...) error
- func (d Nftables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error
- func (d Nftables) NetworkApplyACLRules(networkName string, rules []ACLRule) error
- func (d Nftables) NetworkApplyForwards(networkName string, rules []AddressForward) error
- func (d Nftables) NetworkClear(networkName string, _ bool, _ []uint) error
- func (d Nftables) NetworkSetup(networkName string, ip4Address net.IP, ip6Address net.IP, opts Opts) error
- func (d Nftables) String() string
- type Opts
- type SNATOpts
- type Xtables
- func (d Xtables) Compat() (bool, error)
- func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, ...) error
- func (d Xtables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error
- func (d Xtables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error
- func (d Xtables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error
- func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, ...) error
- func (d Xtables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error
- func (d Xtables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, ...) error
- func (d Xtables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error
- func (d Xtables) NetworkApplyACLRules(networkName string, rules []ACLRule) error
- func (d Xtables) NetworkApplyForwards(networkName string, rules []AddressForward) error
- func (d Xtables) NetworkClear(networkName string, delete bool, ipVersions []uint) error
- func (d Xtables) NetworkSetup(networkName string, ipv4Address net.IP, ipv6Address net.IP, opts Opts) error
- func (d Xtables) String() string
Types ¶
type ACLRule ¶
// ACLRule represents an ACL rule that can be added to a firewall.
type ACLRule struct {
	Direction       string // Either "ingress" or "egress".
	Action          string // Verdict applied to matching traffic; the accepted values are not shown on this page — confirm against NetworkApplyACLRules.
	Log             bool   // Whether or not to log matched packets.
	LogName         string // Log label name (requires Log be true). NOTE(review): presumably rendered into the firewall rule text; confirm the driver validates it before use.
	Source          string // Source match. Accepted forms (single address, CIDR, ...) are not shown here — confirm against the driver.
	Destination     string // Destination match; same caveat as Source.
	Protocol        string // Protocol match; accepted names/values are not shown here.
	SourcePort      string // Source port match; presumably only meaningful for port-carrying protocols — confirm.
	DestinationPort string // Destination port match; same caveat as SourcePort.
	ICMPType        string // ICMP type match; presumably only meaningful when Protocol is an ICMP protocol — confirm.
	ICMPCode        string // ICMP code match; same caveat as ICMPType.
}
ACLRule represents an ACL rule that can be added to a firewall.
type AddressForward ¶
// AddressForward represents a NAT address forward.
type AddressForward struct {
	ListenAddress net.IP   // Address on which forwarded traffic is accepted.
	TargetAddress net.IP   // Address the traffic is forwarded to.
	Protocol      string   // Protocol to forward; accepted values are not shown on this page — confirm against NetworkApplyForwards.
	ListenPorts   []uint64 // Ports to listen on. NOTE(review): how these pair with TargetPorts (1:1, or a range mapping) is not shown here — confirm against the driver.
	TargetPorts   []uint64 // Ports to forward to; see the note on ListenPorts.
}
AddressForward represents a NAT address forward.
type FeatureOpts ¶
// FeatureOpts specify how firewall features are set up.
type FeatureOpts struct {
	ICMPDHCPDNSAccess bool // Add rules to allow ICMP, DHCP and DNS access.
	ForwardingAllow   bool // Add rules to allow IP forwarding. Blocked if false, so the zero value denies forwarding.
}
FeatureOpts specify how firewall features are set up.
type Nftables ¶
// Nftables is an implementation of the LXD firewall using nftables.
// The type carries no state; its methods are declared with a value receiver.
type Nftables struct{}
Nftables is an implementation of the LXD firewall using nftables.
func (Nftables) Compat ¶
Compat returns whether the driver backend is in use, and any host compatibility errors.
func (Nftables) InstanceClearBridgeFilter ¶
func (d Nftables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, _ []*net.IPNet, _ []*net.IPNet) error
InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.
func (Nftables) InstanceClearNetPrio ¶
func (d Nftables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error
InstanceClearNetPrio removes setting of skb->priority for the specified instance device on the host interface.
func (Nftables) InstanceClearProxyNAT ¶
func (d Nftables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error
InstanceClearProxyNAT removes DNAT rules for proxy devices.
func (Nftables) InstanceClearRPFilter ¶
func (d Nftables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error
InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.
func (Nftables) InstanceSetupBridgeFilter ¶
func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, parentManaged bool) error
InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering.
func (Nftables) InstanceSetupNetPrio ¶
func (d Nftables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error
InstanceSetupNetPrio activates setting of skb->priority for the specified instance device on the host interface.
func (Nftables) InstanceSetupProxyNAT ¶
func (d Nftables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *AddressForward) error
InstanceSetupProxyNAT creates DNAT rules for proxy devices.
func (Nftables) InstanceSetupRPFilter ¶
func (d Nftables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error
InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.
func (Nftables) NetworkApplyACLRules ¶
NetworkApplyACLRules applies ACL rules to the existing firewall chains.
func (Nftables) NetworkApplyForwards ¶
func (d Nftables) NetworkApplyForwards(networkName string, rules []AddressForward) error
NetworkApplyForwards applies network address forward rules to the firewall.
func (Nftables) NetworkClear ¶
NetworkClear removes the LXD network related chains. The delete and ipVersions arguments have no effect for the nftables driver.
type Opts ¶
// Opts for setting up the firewall.
type Opts struct {
	FeaturesV4 *FeatureOpts // Enable IPv4 firewall with specified options. Off if not provided (nil).
	FeaturesV6 *FeatureOpts // Enable IPv6 firewall with specified options. Off if not provided (nil).
	SNATV4     *SNATOpts    // Enable IPv4 SNAT with specified options. Off if not provided (nil).
	SNATV6     *SNATOpts    // Enable IPv6 SNAT with specified options. Off if not provided (nil).
	ACL        bool         // Enable ACL during setup.
}
Opts for setting up the firewall.
type SNATOpts ¶
// SNATOpts specify how SNAT rules are set up.
type SNATOpts struct {
	Append      bool       // Append rules (has no effect if driver doesn't support it).
	Subnet      *net.IPNet // Subnet of source network used to identify candidate traffic.
	SNATAddress net.IP     // SNAT IP address to use. If nil then MASQUERADE is used.
}
SNATOpts specify how SNAT rules are set up.
type Xtables ¶
// Xtables is an implementation of the LXD firewall using {ip, ip6, eb}tables.
// The type carries no state; its methods are declared with a value receiver.
type Xtables struct{}
Xtables is an implementation of the LXD firewall using {ip, ip6, eb}tables.
func (Xtables) Compat ¶
Compat returns whether the driver backend is in use, and any host compatibility errors.
func (Xtables) InstanceClearBridgeFilter ¶
func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet) error
InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.
func (Xtables) InstanceClearNetPrio ¶
func (d Xtables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error
InstanceClearNetPrio removes setting of skb->priority for the specified instance device on the host interface.
func (Xtables) InstanceClearProxyNAT ¶
func (d Xtables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error
InstanceClearProxyNAT removes DNAT rules for proxy devices.
func (Xtables) InstanceClearRPFilter ¶
func (d Xtables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error
InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.
func (Xtables) InstanceSetupBridgeFilter ¶
func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, parentManaged bool) error
InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering. If the parent bridge is managed by LXD then the parentManaged argument should be true so that the rules added can use the iptablesChainACLFilterPrefix chain. If not, they are added to the main filter chains directly (which only works for unmanaged bridges because those don't support ACLs).
func (Xtables) InstanceSetupNetPrio ¶
func (d Xtables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error
InstanceSetupNetPrio activates setting of skb->priority for the specified instance device on the host interface.
func (Xtables) InstanceSetupProxyNAT ¶
func (d Xtables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *AddressForward) error
InstanceSetupProxyNAT creates DNAT rules for proxy devices.
func (Xtables) InstanceSetupRPFilter ¶
func (d Xtables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error
InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.
func (Xtables) NetworkApplyACLRules ¶
NetworkApplyACLRules applies ACL rules to the existing firewall chains.
func (Xtables) NetworkApplyForwards ¶
func (d Xtables) NetworkApplyForwards(networkName string, rules []AddressForward) error
NetworkApplyForwards applies network address forward rules to the firewall.
func (Xtables) NetworkClear ¶
NetworkClear removes network rules from filter, mangle and nat tables. If delete is true then network-specific chains are also removed.