nftables

package
v0.0.0-...-6e7aaf9
Published: Dec 21, 2024 License: GPL-3.0 Imports: 18 Imported by: 0

Documentation

Constants

const (
	InterceptionRuleKey = fwKey + "-interception"
	SystemRuleKey       = fwKey + "-system"
	Name                = "nftables"
)

Actions we apply to the firewall.

Variables

This section is empty.

Functions

func GetChain

func GetChain(name string, table *nftables.Table) *nftables.Chain

GetChain gets an existing chain.

func GetChainPriority

func GetChainPriority(family, cType, hook string) (*nftables.ChainPriority, nftables.ChainType)

GetChainPriority gets the corresponding priority for the given chain, based on the following configuration matrix:
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook
https://github.com/google/nftables/blob/master/chain.go#L48
man nft (table 6.)

func GetFamilyCode

func GetFamilyCode(family string) nftables.TableFamily

func GetHook

func GetHook(chain string) *nftables.ChainHook

func InitMapsStore

func InitMapsStore()

InitMapsStore initializes internal stores of chains and maps.

func NewNft

func NewNft() *nftables.Conn

NewNft creates a new nftables object.

Types

type Action

type Action string

Action is the modifier we apply to a rule.

type Nft

type Nft struct {
	Conn *nftables.Conn

	common.Common
	config.Config
	sync.Mutex
	// contains filtered or unexported fields
}

Nft holds the fields of our nftables firewall.

func Fw

func Fw() (*Nft, error)

Fw initializes a new nftables object.

func (*Nft) AddChain

func (n *Nft) AddChain(name, table, family string, priority *nftables.ChainPriority, ctype nftables.ChainType, hook *nftables.ChainHook, policy nftables.ChainPolicy) *nftables.Chain

AddChain adds a new chain to nftables. https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook

func (*Nft) AddInterceptionChains

func (n *Nft) AddInterceptionChains() error

AddInterceptionChains adds the needed chains to intercept traffic.

func (*Nft) AddInterceptionTables

func (n *Nft) AddInterceptionTables() error

AddInterceptionTables adds the needed tables to intercept traffic.

func (*Nft) AddRule

func (n *Nft) AddRule(chain, table, family string, position uint64, key string, exprs *[]expr.Any) (*nftables.Rule, error)

AddRule adds a rule to the system.

func (*Nft) AddSystemRule

func (n *Nft) AddSystemRule(rule *config.FwRule, chain *config.FwChain) (err4, err6 error)

AddSystemRule inserts a new rule.

func (*Nft) AddSystemRules

func (n *Nft) AddSystemRules(reload, backupExistingChains bool)

AddSystemRules creates the system firewall from configuration.

func (*Nft) AddTable

func (n *Nft) AddTable(name, family string) (*nftables.Table, error)

AddTable adds a new table to nftables.

func (*Nft) AreRulesLoaded

func (n *Nft) AreRulesLoaded() bool

AreRulesLoaded checks if the firewall rules for intercepting traffic are loaded.

func (*Nft) CleanRules

func (n *Nft) CleanRules(logErrors bool)

CleanRules deletes the rules we added.

func (*Nft) Commit

func (n *Nft) Commit() bool

Commit applies the queued changes, creating new objects (tables, chains, etc.). You add rules, chains or tables, and after calling Flush() they're added to the system. NOTE: it's very important not to call Flush() without queued tasks.

func (*Nft) CreateSystemRule

func (n *Nft) CreateSystemRule(chain *config.FwChain, logErrors bool) bool

CreateSystemRule creates the custom firewall chains and adds them to the system. Equivalent nft command:
nft insert rule ip opensnitch-filter opensnitch-input udp dport 1153

func (*Nft) DelChain

func (n *Nft) DelChain(chain *nftables.Chain) error

DelChain deletes a chain from the system.

func (*Nft) DelInterceptionRules

func (n *Nft) DelInterceptionRules()

DelInterceptionRules deletes our interception rules, by key.

func (*Nft) DelSystemTables

func (n *Nft) DelSystemTables()

DelSystemTables deletes tables created from fw configuration.

func (*Nft) DeleteSystemRules

func (n *Nft) DeleteSystemRules(force, restoreExistingChains, logErrors bool)

DeleteSystemRules deletes the system rules. If force is false and the rule has not been previously added, it won't try to delete the tables and chains. Otherwise it'll try to delete them.

func (*Nft) Deserialize

func (n *Nft) Deserialize(sysfw *protocol.SysFirewall) ([]byte, error)

Deserialize converts a protobuf structure to a byte array.

func (*Nft) DisableInterception

func (n *Nft) DisableInterception(logErrors bool)

DisableInterception removes firewall rules to intercept outbound connections.

func (*Nft) EnableInterception

func (n *Nft) EnableInterception()

EnableInterception adds firewall rules to intercept connections.

func (*Nft) GetChain

func (n *Nft) GetChain(name string, table *nftables.Table, family string) *nftables.Chain

GetChain checks if a chain in the given table exists.

func (*Nft) GetTable

func (n *Nft) GetTable(name, family string) *nftables.Table

GetTable retrieves a table already added to the system.

func (*Nft) Init

func (n *Nft) Init(qNum uint16, configPath, monitorInterval string, bypassQueue bool)

Init inserts the firewall rules and starts monitoring for firewall changes.

func (*Nft) InsertRule

func (n *Nft) InsertRule(chain, table, family string, position uint64, exprs *[]expr.Any) error

InsertRule inserts a rule at the top of the rules list.

func (*Nft) Name

func (n *Nft) Name() string

Name returns the name of the firewall.

func (*Nft) PreloadConfCallback

func (n *Nft) PreloadConfCallback()

PreloadConfCallback gets called before the fw configuration is loaded.

func (*Nft) QueueConnections

func (n *Nft) QueueConnections(enable, logError bool) (error, error)

QueueConnections inserts the firewall rule which redirects connections to us. Connections are queued until the user denies/accepts them, or a timeout is reached. This rule must be added at the end of all the other rules; that way we can add rules above this one to exclude a service/app from being intercepted. Equivalent nft command:
nft insert rule ip mangle OUTPUT ct state new queue num 0 bypass

func (*Nft) QueueDNSResponses

func (n *Nft) QueueDNSResponses(enable, logError bool) (error, error)

QueueDNSResponses redirects DNS responses to us, in order to keep a cache of resolved domains. This rule must be added at the top of the system rules, otherwise it may get bypassed. Equivalent nft command:
nft insert rule ip filter input udp sport 53 queue num 0 bypass

func (*Nft) ReloadConfCallback

func (n *Nft) ReloadConfCallback()

ReloadConfCallback gets called after the configuration changes.

func (*Nft) ReloadRulesCallback

func (n *Nft) ReloadRulesCallback()

ReloadRulesCallback gets called when the interception rules are not present.

func (*Nft) Serialize

func (n *Nft) Serialize() (*protocol.SysFirewall, error)

Serialize converts the configuration from JSON to protobuf.

func (*Nft) Stop

func (n *Nft) Stop()

Stop deletes the firewall rules, allowing network traffic.
