Documentation ¶
Overview ¶
A library for managing nftables rules
Index ¶
- func Build(v expr.VerdictKind, matches ...Match) ([]expr.Any, error)
- type ManagedRules
- type Match
- func AddressFamily(af expressions.AddrFamily) Match
- func Any(e ...expr.Any) Match
- func ConnectionTrackingState(mask uint32) Match
- func DestinationAddress(ip netip.Addr) Match
- func DestinationAddressSet(set *nftables.Set) Match
- func DestinationPort(port uint16) Match
- func DestinationPortSet(set *nftables.Set) Match
- func LoadConnectionTrackingState(key expr.CtKey) Match
- func SourceAddress(ip netip.Addr) Match
- func SourceAddressSet(set *nftables.Set) Match
- func SourcePort(port uint16) Match
- func SourcePortSet(set *nftables.Set) Match
- func TransportProtocol(tp expressions.TransportProto) Match
- type RuleData
- type RuleTarget
- func (r *RuleTarget) Add(c *nftables.Conn, ruleData RuleData) (bool, error)
- func (r *RuleTarget) Delete(c *nftables.Conn, ruleData RuleData) (bool, error)
- func (r *RuleTarget) Exists(c *nftables.Conn, ruleData RuleData) (bool, error)
- func (r *RuleTarget) Get(c *nftables.Conn) ([]RuleData, error)
- func (r *RuleTarget) GetTableAndChain() (*nftables.Table, *nftables.Chain)
- func (r *RuleTarget) Update(c *nftables.Conn, rules []RuleData) (bool, int, int, error)
- type RulesUpdateFunc
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Build ¶ added in v0.0.13
func Build(v expr.VerdictKind, matches ...Match) ([]expr.Any, error)
Build requires a verdict and, supplied as matches, an AddrFamily and a TransportProto in order to build a minimal rule for nftables. Optionally, any number of further matches can be provided to make the rule more specific. Build returns an error if the resulting rule does not make sense, for instance if the rule uses the IPv4 address family and an IPv6 address is supplied.
Types ¶
type ManagedRules ¶
type ManagedRules struct {
// contains filtered or unexported fields
}
Represents a table/chain ruleset managed by the manager goroutine
func ManagerInit ¶
func ManagerInit(ruleTarget RuleTarget, f RulesUpdateFunc, interval time.Duration, logger logger.Logger, metrics m.Metrics) (ManagedRules, error)
func (*ManagedRules) GetRuleTarget ¶ added in v0.0.6
func (r *ManagedRules) GetRuleTarget() RuleTarget
Get the rule target that this manager is operating on
type Match ¶ added in v0.0.13
type Match func(*builder) error
Match defines the signature for supplying matches to a rule: a Match modifies the underlying builder and returns any error it encounters while attempting to build the rule.
func AddressFamily ¶ added in v0.0.13
func AddressFamily(af expressions.AddrFamily) Match
AddressFamily sets the AddrFamily for the rule. This will error if used more than once in a single rule since nftables does not support mixing address families in a single rule.
func Any ¶ added in v0.0.13
func Any(e ...expr.Any) Match
Any is a convenience function for adding any number of raw expr.Any values to the rule. Use it with caution, and only if you know how nftables will interpret the added expressions.
func ConnectionTrackingState ¶ added in v0.0.13
func ConnectionTrackingState(mask uint32) Match
ConnectionTrackingState adds a connection tracking state mask to the rule, so that the rule matches only connections in one of the given states. Several states can be combined with a bitwise OR (for example `StateNew | StateEstablished`).
func DestinationAddress ¶ added in v0.0.13
func DestinationAddress(ip netip.Addr) Match
DestinationAddress adds a single destination IP address for the rule to match on.
func DestinationAddressSet ¶ added in v0.0.13
func DestinationAddressSet(set *nftables.Set) Match
DestinationAddressSet adds an nftables named set of destination IP addresses for the rule to match on. It checks that the named set already exists in nftables, so that a rule never references a non-existent named set.
func DestinationPort ¶ added in v0.0.13
func DestinationPort(port uint16) Match
DestinationPort adds a single destination port for the rule to match on.
func DestinationPortSet ¶ added in v0.0.13
func DestinationPortSet(set *nftables.Set) Match
DestinationPortSet adds an nftables named set of destination ports for the rule to match on. It checks that the named set already exists in nftables, so that a rule never references a non-existent named set.
func LoadConnectionTrackingState ¶ added in v0.0.13
func LoadConnectionTrackingState(key expr.CtKey) Match
LoadConnectionTrackingState adds an expression that loads the given connection tracking key (expr.CtKey) into the rule, making that connection tracking data available for matching.
func SourceAddress ¶ added in v0.0.13
func SourceAddress(ip netip.Addr) Match
SourceAddress adds a single source IP address for the rule to match on.
func SourceAddressSet ¶ added in v0.0.13
func SourceAddressSet(set *nftables.Set) Match
SourceAddressSet adds an nftables named set of source IP addresses for the rule to match on. It checks that the named set already exists in nftables, so that a rule never references a non-existent named set.
func SourcePort ¶ added in v0.0.13
func SourcePort(port uint16) Match
SourcePort adds a single source port for the rule to match on.
func SourcePortSet ¶ added in v0.0.13
func SourcePortSet(set *nftables.Set) Match
SourcePortSet adds an nftables named set of source ports for the rule to match on. It checks that the named set already exists in nftables, so that a rule never references a non-existent named set.
func TransportProtocol ¶ added in v0.0.13
func TransportProtocol(tp expressions.TransportProto) Match
TransportProtocol sets the TransportProto for the rule. This will error if used more than once in a single rule since nftables does not support mixing transport protocols in a single rule.
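The following is an added, self-contained model of the Build/Match design described above; it is not the library's code. The types expressions.AddrFamily, expressions.TransportProto and expr.VerdictKind are replaced by local stand-ins (assumed names AddrFamily, TransportProto, Verdict), only a few of the matches are modelled, and the result is nft-style text instead of []expr.Any. It shows the three checks a caller should expect: a family or protocol set twice is rejected by the Match itself, a missing family or protocol is rejected by Build, and a literal address from the wrong family is rejected when the whole rule is validated.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// Local stand-ins for expressions.AddrFamily, expressions.TransportProto and
// expr.VerdictKind (assumed names; the library's own values are not used here).
type AddrFamily int
type TransportProto int
type Verdict string

const (
	AFUnset AddrFamily = iota
	IPv4
	IPv6
)

const (
	TPUnset TransportProto = iota
	TCP
	UDP
)

// builder is the per-rule state that matches mutate. Literal addresses are
// recorded here and checked in Build, so matches may be supplied in any order.
type builder struct {
	af    AddrFamily
	tp    TransportProto
	daddr []netip.Addr
	dport []uint16
}

// Match mirrors the page's signature: a closure that edits the builder and
// reports anything it cannot accept.
type Match func(*builder) error

// AddressFamily may be applied once per rule, as on the page.
func AddressFamily(af AddrFamily) Match {
	return func(b *builder) error {
		if b.af != AFUnset {
			return errors.New("address family set more than once")
		}
		b.af = af
		return nil
	}
}

// TransportProtocol may likewise be applied only once.
func TransportProtocol(tp TransportProto) Match {
	return func(b *builder) error {
		if b.tp != TPUnset {
			return errors.New("transport protocol set more than once")
		}
		b.tp = tp
		return nil
	}
}

func DestinationAddress(ip netip.Addr) Match {
	return func(b *builder) error { b.daddr = append(b.daddr, ip); return nil }
}

func DestinationPort(port uint16) Match {
	return func(b *builder) error { b.dport = append(b.dport, port); return nil }
}

// Build applies the matches in order and then validates the rule as a whole:
// family and protocol are mandatory, and every literal address must belong to
// the rule's family.
func Build(v Verdict, matches ...Match) ([]string, error) {
	b := &builder{}
	for _, m := range matches {
		if err := m(b); err != nil {
			return nil, err
		}
	}
	l3 := map[AddrFamily]string{IPv4: "ip", IPv6: "ip6"}[b.af]
	l4 := map[TransportProto]string{TCP: "tcp", UDP: "udp"}[b.tp]
	if l3 == "" || l4 == "" {
		return nil, errors.New("address family and transport protocol are required")
	}
	var out []string
	for _, a := range b.daddr {
		if a.Is4() != (b.af == IPv4) {
			return nil, fmt.Errorf("daddr %s does not match the rule's address family", a)
		}
		out = append(out, fmt.Sprintf("%s daddr %s", l3, a))
	}
	for _, p := range b.dport {
		out = append(out, fmt.Sprintf("%s dport %d", l4, p))
	}
	return append(out, string(v)), nil
}

func main() {
	exprs, err := Build("accept",
		AddressFamily(IPv4), TransportProtocol(TCP),
		DestinationAddress(netip.MustParseAddr("10.0.0.5")), DestinationPort(443))
	fmt.Println(strings.Join(exprs, " "), err)

	_, err = Build("accept", AddressFamily(IPv4), TransportProtocol(TCP),
		DestinationAddress(netip.MustParseAddr("2001:db8::1")))
	fmt.Println("mixed families:", err)
}
```

Deferring the address-family check to Build, rather than doing it inside DestinationAddress, is what lets callers list AddressFamily after the address matches; the same validation-at-the-end shape is the natural place to reject anything else that only makes sense for the rule as a whole.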
type RuleData ¶
type RuleData struct {
	// Expressions are the nftables expressions that make up the rule
	Expressions []expr.Any
	// The ID is stored in the rule's user data so that each rule can carry a
	// stable, meaningful identifier across hosts. nftables handles are less
	// deterministic unless set explicitly and carry no context (they are only ints).
	ID []byte
}
RuleData is a struct that is used to create rules in a given table and chain
func NewRuleData ¶
NewRuleData creates a new RuleData from an ID and a list of nftables expressions
type RuleTarget ¶ added in v0.0.3
type RuleTarget struct {
// contains filtered or unexported fields
}
RuleTarget represents a location to manipulate nftables rules
func NewRuleTarget ¶ added in v0.0.3
func NewRuleTarget(table *nftables.Table, chain *nftables.Chain) RuleTarget
Create a new location to manipulate nftables rules
func (*RuleTarget) Add ¶ added in v0.0.3
func (r *RuleTarget) Add(c *nftables.Conn, ruleData RuleData) (bool, error)
Add adds a rule with the given ID to the table and chain of this RuleTarget. It returns true if the rule was added.
func (*RuleTarget) Delete ¶ added in v0.0.3
func (r *RuleTarget) Delete(c *nftables.Conn, ruleData RuleData) (bool, error)
Delete deletes the rule with the given ID from the table and chain of this RuleTarget. It returns true if the rule was deleted.
func (*RuleTarget) Exists ¶ added in v0.0.3
func (r *RuleTarget) Exists(c *nftables.Conn, ruleData RuleData) (bool, error)
Exists reports whether a rule with the given ID exists in the table and chain of this RuleTarget.
func (*RuleTarget) Get ¶ added in v0.0.14
func (r *RuleTarget) Get(c *nftables.Conn) ([]RuleData, error)
Get the rule data associated with a table and chain
func (*RuleTarget) GetTableAndChain ¶ added in v0.0.6
func (r *RuleTarget) GetTableAndChain() (*nftables.Table, *nftables.Chain)
Get the nftables table and chain associated with this RuleTarget
func (*RuleTarget) Update ¶ added in v0.0.3
func (r *RuleTarget) Update(c *nftables.Conn, rules []RuleData) (bool, int, int, error)
Update compares the IDs of the existing rules with the IDs of the incoming rules and adds or removes the difference: rules whose ID appears only in the incoming set are added, rules whose ID appears only in the chain are removed.
The first return value is true if any rules were added or removed and false if there were no updates. The second and third return values are the number of rules added and removed, respectively.
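The reconciliation described for Update, and the ID-in-user-data design of RuleData, as an added example that is not part of the library: an in-memory fakeChain (an assumption standing in for a real table/chain reached over *nftables.Conn) and a by-ID Update that returns (changed, added, removed). Expressions are plain strings instead of []expr.Any. The second call in main is the case a practitioner should be aware of: the expressions of a rule change while its ID stays the same, and because comparison is by ID the chain keeps the old rule.

```go
package main

import (
	"bytes"
	"fmt"
)

// RuleData mirrors the page's struct: expressions plus an ID carried in the
// rule's user data. Expressions are plain strings here instead of []expr.Any.
type RuleData struct {
	Expressions []string
	ID          []byte
}

// fakeChain is an in-memory stand-in for one nftables table/chain, offering the
// Get/Add/Delete operations that RuleTarget exposes over an *nftables.Conn.
type fakeChain struct{ rules []RuleData }

func (c *fakeChain) Get() []RuleData { return append([]RuleData(nil), c.rules...) }

func (c *fakeChain) Add(r RuleData) { c.rules = append(c.rules, r) }

func (c *fakeChain) Delete(id []byte) bool {
	for i, r := range c.rules {
		if bytes.Equal(r.ID, id) {
			c.rules = append(c.rules[:i], c.rules[i+1:]...)
			return true
		}
	}
	return false
}

// IDs lists the chain's rule IDs in evaluation order.
func (c *fakeChain) IDs() []string {
	var ids []string
	for _, r := range c.rules {
		ids = append(ids, string(r.ID))
	}
	return ids
}

// Update reconciles the chain the way the page describes RuleTarget.Update:
// existing and incoming rules are compared by ID only. IDs present only in
// the incoming slice are added, IDs present only in the chain are removed.
// It returns (changed, added, removed).
func Update(c *fakeChain, incoming []RuleData) (bool, int, int) {
	existing := map[string]bool{}
	for _, r := range c.Get() {
		existing[string(r.ID)] = true
	}
	wanted := map[string]bool{}
	added, removed := 0, 0
	// Walk incoming in slice order so new rules land in a deterministic order;
	// nftables evaluates a chain top to bottom, so order can matter.
	for _, r := range incoming {
		id := string(r.ID)
		if wanted[id] {
			continue // duplicate ID in the incoming set: the first one wins
		}
		wanted[id] = true
		if !existing[id] {
			c.Add(r)
			added++
		}
	}
	for _, r := range c.Get() {
		if !wanted[string(r.ID)] {
			c.Delete(r.ID)
			removed++
		}
	}
	return added > 0 || removed > 0, added, removed
}

// rule builds a RuleData with constructed sample expressions.
func rule(id string, exprs ...string) RuleData {
	return RuleData{ID: []byte(id), Expressions: exprs}
}

func main() {
	chain := &fakeChain{}
	fmt.Println(Update(chain, []RuleData{
		rule("allow-dns", "udp dport 53 accept"),
		rule("allow-https", "tcp dport 443 accept"),
	})) // true 2 0

	// Same IDs, one expression changed: comparison is by ID, so nothing
	// happens and the chain keeps the old "tcp dport 443" rule.
	fmt.Println(Update(chain, []RuleData{
		rule("allow-dns", "udp dport 53 accept"),
		rule("allow-https", "tcp dport 8443 accept"),
	})) // false 0 0

	// One ID dropped, one added.
	fmt.Println(Update(chain, []RuleData{
		rule("allow-https", "tcp dport 443 accept"),
		rule("drop-rest", "drop"),
	})) // true 1 1
	fmt.Println(chain.IDs()) // [allow-https drop-rest]
}
```

Because the diff is keyed on the ID alone, an ID should change whenever the rule's expressions change; deriving the ID from the expressions (for example a hash of their serialised form) is one way to guarantee that, and it keeps the ID stable across hosts in the way the RuleData comment intends.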