- Constants
- func GetChain(name string, table *nftables.Table) *nftables.Chain
- func GetChainPriority(family, cType, hook string) (*nftables.ChainPriority, nftables.ChainType)
- func GetConntrackPriority(hook string) (*nftables.ChainPriority, nftables.ChainType)
- func GetFamilyCode(family string) nftables.TableFamily
- func GetHook(chain string) *nftables.ChainHook
- func InitMapsStore()
- func NewNft() *nftables.Conn
- type Action
- type Nft
- func (n *Nft) AddChain(name, table, family string, priority *nftables.ChainPriority, ...) *nftables.Chain
- func (n *Nft) AddInterceptionChains() error
- func (n *Nft) AddInterceptionTables() error
- func (n *Nft) AddRule(chain, table, family string, position uint64, key string, exprs *[]expr.Any) (*nftables.Rule, error)
- func (n *Nft) AddSystemRule(rule *config.FwRule, chain *config.FwChain) (err4, err6 error)
- func (n *Nft) AddSystemRules(reload, backupExistingChains bool)
- func (n *Nft) AddTable(name, family string) (*nftables.Table, error)
- func (n *Nft) AreRulesLoaded() bool
- func (n *Nft) CleanRules(logErrors bool)
- func (n *Nft) Commit() bool
- func (n *Nft) CreateSystemRule(chain *config.FwChain, logErrors bool) bool
- func (n *Nft) DelChain(chain *nftables.Chain) error
- func (n *Nft) DelInterceptionRules()
- func (n *Nft) DelSystemTables()
- func (n *Nft) DeleteSystemRules(force, restoreExistingChains, logErrors bool)
- func (n *Nft) Deserialize(sysfw *protocol.SysFirewall) ([]byte, error)
- func (n *Nft) DisableInterception(logErrors bool)
- func (n *Nft) EnableInterception()
- func (n *Nft) GetChain(name string, table *nftables.Table, family string) *nftables.Chain
- func (n *Nft) GetTable(name, family string) *nftables.Table
- func (n *Nft) Init(qNum uint16, configPath, monitorInterval string, bypassQueue bool)
- func (n *Nft) InsertRule(chain, table, family string, position uint64, exprs *[]expr.Any) error
- func (n *Nft) Name() string
- func (n *Nft) PreloadConfCallback()
- func (n *Nft) QueueConnections(enable, logError bool) (error, error)
- func (n *Nft) QueueDNSResponses(enable, logError bool) (error, error)
- func (n *Nft) ReloadConfCallback()
- func (n *Nft) ReloadRulesCallback()
- func (n *Nft) Serialize() (*protocol.SysFirewall, error)
- func (n *Nft) Stop()
Constants ¶
const (
	InterceptionRuleKey = fwKey + "-interception"
	SystemRuleKey       = fwKey + "-system"
	Name                = "nftables"
)
Actions we apply to the firewall.
Functions ¶
func GetChainPriority ¶
func GetChainPriority(family, cType, hook string) (*nftables.ChainPriority, nftables.ChainType)
GetChainPriority gets the corresponding priority for the given chain, based on the following configuration matrix: https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook https://github.com/google/nftables/blob/master/chain.go#L48 man nft (table 6.)
func GetConntrackPriority ¶
func GetConntrackPriority(hook string) (*nftables.ChainPriority, nftables.ChainType)
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook
func GetFamilyCode ¶
func GetFamilyCode(family string) nftables.TableFamily
func InitMapsStore ¶
func InitMapsStore()
InitMapsStore initializes internal stores of chains and maps.
Types ¶
type Nft ¶
type Nft struct {
	Conn *nftables.Conn
	common.Common
	config.Config
	sync.Mutex
	// contains filtered or unexported fields
}
Nft holds the fields of our nftables firewall.
func (*Nft) AddChain ¶
func (n *Nft) AddChain(name, table, family string, priority *nftables.ChainPriority, ctype nftables.ChainType, hook *nftables.ChainHook, policy nftables.ChainPolicy) *nftables.Chain
AddChain adds a new chain to nftables. https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook
func (*Nft) AddInterceptionChains ¶
AddInterceptionChains adds the needed chains to intercept traffic.
func (*Nft) AddInterceptionTables ¶
AddInterceptionTables adds the needed tables to intercept traffic.
func (*Nft) AddRule ¶
func (n *Nft) AddRule(chain, table, family string, position uint64, key string, exprs *[]expr.Any) (*nftables.Rule, error)
AddRule adds a rule to the system.
func (*Nft) AddSystemRule ¶
AddSystemRule inserts a new rule.
func (*Nft) AddSystemRules ¶
AddSystemRules creates the system firewall from configuration.
func (*Nft) AreRulesLoaded ¶
AreRulesLoaded checks whether the firewall rules used to intercept traffic are loaded.
func (*Nft) CleanRules ¶
CleanRules deletes the rules we added.
func (*Nft) Commit ¶
Commit applies the queued changes, creating new objects (tables, chains, etc.). You add rules, chains or tables, and after calling Flush() they're added to the system. NOTE: it's very important not to call Flush() without queued tasks.
func (*Nft) CreateSystemRule ¶
CreateSystemRule creates the custom firewall chains and adds them to the system. nft insert rule ip opensnitch-filter opensnitch-input udp dport 1153
func (*Nft) DelInterceptionRules ¶
func (n *Nft) DelInterceptionRules()
DelInterceptionRules deletes our interception rules, by key.
func (*Nft) DelSystemTables ¶
func (n *Nft) DelSystemTables()
DelSystemTables deletes tables created from fw configuration.
func (*Nft) DeleteSystemRules ¶
DeleteSystemRules deletes the system rules. If force is false and the rules have not previously been added, it won't try to delete the tables and chains; otherwise it will try to delete them.
func (*Nft) Deserialize ¶
func (n *Nft) Deserialize(sysfw *protocol.SysFirewall) ([]byte, error)
Deserialize converts a protobuf structure to a byte array.
func (*Nft) DisableInterception ¶
DisableInterception removes firewall rules to intercept outbound connections.
func (*Nft) EnableInterception ¶
func (n *Nft) EnableInterception()
EnableInterception adds firewall rules to intercept connections.
func (*Nft) InsertRule ¶
InsertRule inserts a rule at the top of rules list.
func (*Nft) PreloadConfCallback ¶
func (n *Nft) PreloadConfCallback()
PreloadConfCallback gets called before the fw configuration is loaded.
func (*Nft) QueueConnections ¶
QueueConnections inserts the firewall rule which redirects connections to us. Connections are queued until the user accepts or denies them, or a timeout is reached. This rule must be added after all the other rules, so that rules can be added above this one to exclude a service/app from being intercepted. nft insert rule ip mangle OUTPUT ct state new queue num 0 bypass. Note that the bypass flag makes the queue fail open: if no userspace process is bound to the queue, matching packets are accepted instead of dropped, so interception is not enforced while the daemon is not listening.
func (*Nft) QueueDNSResponses ¶
QueueDNSResponses redirects DNS responses to us, in order to keep a cache of resolved domains. This rule must be added at the top of the system rules, otherwise it may get bypassed. nft insert rule ip filter input udp sport 53 queue num 0 bypass
func (*Nft) ReloadConfCallback ¶
func (n *Nft) ReloadConfCallback()
ReloadConfCallback gets called after the configuration changes.
func (*Nft) ReloadRulesCallback ¶
func (n *Nft) ReloadRulesCallback()
ReloadRulesCallback gets called when the interception rules are not present.