Documentation
¶
Overview ¶
Package iptables supports packet filtering and manipulation via the iptables tool.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Chain ¶
type Chain struct {
// Name is the chain name.
Name string
// Rules is the list of rules to traverse.
Rules []Rule
}
A Chain defines a list of rules for packet processing. When a packet traverses a chain, it is checked against each rule until either a rule returns a verdict or the chain ends.
By convention, builtin chains end with a rule that matches everything and returns either Accept or Drop. User-defined chains end with Return. These aren't strictly necessary here, but the iptables tool writes tables this way.
type Hook ¶
type Hook uint
A Hook specifies one of the hooks built into the network stack.
Userspace app Userspace app
^ |
| v
[Input] [Output]
^ |
| v
| routing
| |
| v
----->[Prerouting]----->routing----->[Forward]---------Postrouting----->
const ( // Prerouting happens before a packet is routed to applications or to // be forwarded. Prerouting Hook = iota // Input happens before a packet reaches an application. Input // Forward happens once it's decided that a packet should be forwarded // to another host. Forward // Output happens after a packet is written by an application to be // sent out. Output // Postrouting happens just before a packet goes out on the wire. Postrouting // The total number of hooks. NumHooks )
These values correspond to values in include/uapi/linux/netfilter.h.
type IPTables ¶
type IPTables struct {
// Tables maps table names to tables. User tables have arbitrary names.
Tables map[string]Table
// Priorities maps each hook to a list of table names. The order of the
// list is the order in which each table should be visited for that
// hook.
Priorities map[Hook][]string
}
IPTables holds all the tables for a netstack.
func DefaultTables ¶
func DefaultTables() IPTables
DefaultTables returns a default set of tables. Each chain is set to accept all packets.
type Matcher ¶
type Matcher interface {
// Match returns whether the packet matches and whether the packet
// should be "hotdropped", i.e. dropped immediately. This is usually
// used for suspicious packets.
Match(hook Hook, packet buffer.VectorisedView, interfaceName string) (matches bool, hotdrop bool)
}
A Matcher is the interface for matching packets.
type Rule ¶
type Rule struct {
// Matchers is the list of matchers for this rule.
Matchers []Matcher
// Target is the action to invoke if all the matchers match the packet.
Target Target
}
A Rule is a packet processing rule. It consists of two pieces. First it contains zero or more matchers, each of which is a specification of which packets this rule applies to. If there are no matchers in the rule, it applies to any packet.
type Table ¶
type Table struct {
// BuiltinChains holds the un-deletable chains built into netstack. If
// a hook isn't present in the map, this table doesn't utilize that
// hook.
BuiltinChains map[Hook]Chain
// DefaultTargets holds a target for each hook that will be executed if
// chain traversal doesn't yield a verdict.
DefaultTargets map[Hook]Target
// UserChains holds user-defined chains for the keyed by name. Users
// can give their chains arbitrary names.
UserChains map[string]Chain
// Chains maps names to chains for both builtin and user-defined chains.
// Its entries point to Chains already either in BuiltinChains or
// UserChains, and its purpose is to make looking up tables by name
// fast.
Chains map[string]*Chain
// contains filtered or unexported fields
}
A Table defines a set of chains and hooks into the network stack. The currently supported tables are:
- nat
- mangle
func (*Table) Metadata ¶
func (table *Table) Metadata() interface{}
Metadata returns the metadata object stored in table.
func (*Table) SetMetadata ¶
func (table *Table) SetMetadata(metadata interface{})
SetMetadata sets the metadata object stored in table.
func (*Table) ValidHooks ¶
ValidHooks returns a bitmap of the builtin hooks for the given table.
type Target ¶
type Target interface {
// Action takes an action on the packet and returns a verdict on how
// traversal should (or should not) continue. If the return value is
// Jump, it also returns the name of the chain to jump to.
Action(packet buffer.VectorisedView) (Verdict, string)
}
A Target is the interface for taking an action for a packet.
type UnconditionalAcceptTarget ¶
type UnconditionalAcceptTarget struct{}
UnconditionalAcceptTarget accepts all packets.
func (UnconditionalAcceptTarget) Action ¶
func (UnconditionalAcceptTarget) Action(packet buffer.VectorisedView) (Verdict, string)
Action implements Target.Action.
type UnconditionalDropTarget ¶
type UnconditionalDropTarget struct{}
UnconditionalDropTarget denies all packets.
func (UnconditionalDropTarget) Action ¶
func (UnconditionalDropTarget) Action(packet buffer.VectorisedView) (Verdict, string)
Action implements Target.Action.
type Verdict ¶
type Verdict int
A Verdict is returned by a rule's target to indicate how traversal of rules should (or should not) continue.
const ( // Accept indicates the packet should continue traversing netstack as // normal. Accept Verdict = iota // Drop inicates the packet should be dropped, stopping traversing // netstack. Drop // Stolen indicates the packet was co-opted by the target and should // stop traversing netstack. Stolen // Queue indicates the packet should be queued for userspace processing. Queue // Repeat indicates the packet should re-traverse the chains for the // current hook. Repeat // None indicates no verdict was reached. None // Jump indicates a jump to another chain. Jump // Continue indicates that traversal should continue at the next rule. Continue // Return indicates that traversal should return to the calling chain. Return )
Source Files