rule

package
v0.0.17

This package is not in the latest version of its module.
Published: Aug 22, 2023 License: MIT Imports: 15 Imported by: 0

Documentation

Overview

A library for managing nftables rules

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Build added in v0.0.13

func Build(v expr.VerdictKind, matches ...Match) ([]expr.Any, error)

Build requires a Verdict, an AddrFamily, and a TransportProto to build a minimal rule for nftables. Optionally, any number of matches can be provided to increase the specificity of the rule. Build returns an error if the rule does not make sense, for instance if you select IPv4 and then attempt to provide IPv6 addresses.

Types

type ManagedRules

type ManagedRules struct {
	// contains filtered or unexported fields
}

Represents a table/chain ruleset managed by the manager goroutine

func ManagerInit

func ManagerInit(ruleTarget RuleTarget, f RulesUpdateFunc, interval time.Duration, logger logger.Logger, metrics m.Metrics) (ManagedRules, error)

func (*ManagedRules) GetRuleTarget added in v0.0.6

func (r *ManagedRules) GetRuleTarget() RuleTarget

Get the rule target that this manager is operating on

func (*ManagedRules) Start

func (r *ManagedRules) Start(ctx context.Context) error

Start the rule manager goroutine

type Match added in v0.0.13

type Match func(*builder) error

Match defines the signature for supplying matches to rules: a Match can modify the underlying builder and returns any error it encounters while attempting to build a rule.

func AddressFamily added in v0.0.13

func AddressFamily(af expressions.AddrFamily) Match

AddressFamily sets the AddrFamily for the rule. This will error if used more than once in a single rule since nftables does not support mixing address families in a single rule.

func Any added in v0.0.13

func Any(e ...expr.Any) Match

Any is a convenience function for adding any number of raw expr.Any types to the rule. Use this with caution and if you know how nftables will interpret the expressions added.

func ConnectionTrackingState added in v0.0.13

func ConnectionTrackingState(mask uint32) Match

ConnectionTrackingState adds a state mask to the rule so that the rule matches only connections in one of the given states. You may supply multiple states as a bitwise OR (e.g. `StateNew | StateEstablished`).

func DestinationAddress added in v0.0.13

func DestinationAddress(ip netip.Addr) Match

DestinationAddress adds a single destination IP address to the rule to match on.

func DestinationAddressSet added in v0.0.13

func DestinationAddressSet(set *nftables.Set) Match

DestinationAddressSet adds an nftables named set of destination IP addresses to match on. It ensures that the named set already exists in nftables, so you never get a rule referencing a non-existent named set.

func DestinationPort added in v0.0.13

func DestinationPort(port uint16) Match

DestinationPort adds a single destination port to the rule to match on.

func DestinationPortSet added in v0.0.13

func DestinationPortSet(set *nftables.Set) Match

DestinationPortSet adds an nftables named set of destination ports to match on. It ensures that the named set already exists in nftables, so you never get a rule referencing a non-existent named set.

func LoadConnectionTrackingState added in v0.0.13

func LoadConnectionTrackingState(key expr.CtKey) Match

LoadConnectionTrackingState adds an expression that loads the connection tracking information selected by key into the rule, so that later matches can test it.

func SourceAddress added in v0.0.13

func SourceAddress(ip netip.Addr) Match

SourceAddress adds a single source IP address to the rule to match on.

func SourceAddressSet added in v0.0.13

func SourceAddressSet(set *nftables.Set) Match

SourceAddressSet adds an nftables named set of source IP addresses to match on. It ensures that the named set already exists in nftables, so you never get a rule referencing a non-existent named set.

func SourcePort added in v0.0.13

func SourcePort(port uint16) Match

SourcePort adds a single source port to the rule to match on.

func SourcePortSet added in v0.0.13

func SourcePortSet(set *nftables.Set) Match

SourcePortSet adds an nftables named set of source ports to match on. It ensures that the named set already exists in nftables, so you never get a rule referencing a non-existent named set.

func TransportProtocol added in v0.0.13

func TransportProtocol(tp expressions.TransportProto) Match

TransportProtocol sets the TransportProto for the rule. This will error if used more than once in a single rule since nftables does not support mixing transport protocols in a single rule.
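As an added example (not the package's own code), the following stand-alone Go model of Build and the Match pattern shows the two checks documented above: AddressFamily refusing a second use, and Build rejecting an address whose IP version does not match the rule's family. The builder type, the string-valued family and verdict, and the in-Build family check are assumptions standing in for the package's unexported builder, expressions.AddrFamily and expr.VerdictKind; TransportProtocol, which follows the same single-use rule as AddressFamily, is not modelled.

```go
package main

import (
	"fmt"
	"net/netip"
)

// builder is a hypothetical stand-in for the page's unexported builder.
type builder struct {
	verdict, family string // family: "ip" (IPv4) or "ip6"; "" until AddressFamily runs
	addrs           []netip.Addr
}

// Match mirrors the page's signature: a closure that edits the builder or errors.
type Match func(*builder) error

// AddressFamily errors on a second use: nftables cannot mix families in one rule.
func AddressFamily(af string) Match {
	return func(b *builder) error {
		if b.family != "" {
			return fmt.Errorf("AddressFamily set twice (%s, then %s)", b.family, af)
		}
		b.family = af
		return nil
	}
}

// DestinationAddress only records the address; Build checks family agreement later.
func DestinationAddress(ip netip.Addr) Match {
	return func(b *builder) error { b.addrs = append(b.addrs, ip); return nil }
}

// Build applies every Match in order, then rejects incomplete or inconsistent rules.
func Build(verdict string, matches ...Match) (*builder, error) {
	b := &builder{verdict: verdict}
	for _, m := range matches {
		if err := m(b); err != nil {
			return nil, err
		}
	}
	if b.family == "" {
		return nil, fmt.Errorf("rule needs an AddressFamily")
	}
	for _, ip := range b.addrs {
		if (b.family == "ip") != ip.Is4() {
			return nil, fmt.Errorf("address %s does not belong to family %s", ip, b.family)
		}
	}
	return b, nil
}
```

Because the family check runs once in Build over every recorded address, the mismatch is caught regardless of the order in which the matches were supplied.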

type RuleData

type RuleData struct {
	Expressions []expr.Any
	// The rule's user data stores the ID so that each rule can be given a
	// specific, deterministic id across hosts; nftables handles are less
	// deterministic unless set explicitly and carry no context (only ints).
	ID []byte
}

RuleData is a struct that is used to create rules in a given table and chain

func NewRuleData

func NewRuleData(id []byte, exprs []expr.Any) RuleData

Create a new RuleData from an ID and list of nftables expressions

func (RuleData) Counters added in v0.0.17

func (d RuleData) Counters() (*uint64, *uint64, error)

type RuleTarget added in v0.0.3

type RuleTarget struct {
	// contains filtered or unexported fields
}

RuleTarget represents a location to manipulate nftables rules

func NewRuleTarget added in v0.0.3

func NewRuleTarget(table *nftables.Table, chain *nftables.Chain) RuleTarget

Create a new location to manipulate nftables rules

func (*RuleTarget) Add added in v0.0.3

func (r *RuleTarget) Add(c *nftables.Conn, ruleData RuleData) (bool, error)

Add adds a rule with the given ID to the target's table and chain; it returns true if the rule was added.

func (*RuleTarget) Delete added in v0.0.3

func (r *RuleTarget) Delete(c *nftables.Conn, ruleData RuleData) (bool, error)

Delete removes the rule with the given ID from the target's table and chain; it returns true if the rule was deleted.

func (*RuleTarget) Exists added in v0.0.3

func (r *RuleTarget) Exists(c *nftables.Conn, ruleData RuleData) (bool, error)

Determine if a rule with a given ID exists in a specific table and chain

func (*RuleTarget) Get added in v0.0.14

func (r *RuleTarget) Get(c *nftables.Conn) ([]RuleData, error)

Get the rule data associated with a table and chain

func (*RuleTarget) GetTableAndChain added in v0.0.6

func (r *RuleTarget) GetTableAndChain() (*nftables.Table, *nftables.Chain)

Get the nftables table and chain associated with this RuleTarget

func (*RuleTarget) Update added in v0.0.3

func (r *RuleTarget) Update(c *nftables.Conn, rules []RuleData) (bool, int, int, error)

Update compares existing and incoming rule IDs, adding and removing the difference.

First return value is true if the number of rules has changed, false if there were no updates. The second and third return values indicate the number of rules added or removed, respectively.
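The add/remove diff that Update describes, as an added example that is not the package's own code: Reconcile works on a local RuleData stand-in (the type name and its string Expressions field are assumptions) and returns the rules to add and delete together with Update's (changed, added, removed) summary, without touching nftables.

```go
package main

import "fmt"

// RuleData is a local stand-in for the page's type. Only ID takes part in the
// diff: the ID kept in rule user data, not the kernel handle, identifies a rule.
type RuleData struct {
	ID          []byte
	Expressions []string // stands in for []expr.Any
}

// Reconcile models what RuleTarget.Update is documented to do: compare existing
// and incoming rule IDs and report which rules to add and which to delete, with
// Update's (changed, added, removed) summary. Rules already present are left
// alone, so applying the same desired set twice changes nothing.
func Reconcile(existing, incoming []RuleData) (toAdd, toDel []RuleData, changed bool, added, removed int) {
	have := make(map[string]bool, len(existing))
	for _, r := range existing {
		have[string(r.ID)] = true
	}
	want := make(map[string]bool, len(incoming))
	for _, r := range incoming {
		k := string(r.ID)
		if want[k] {
			continue // duplicate ID in the desired set: add it only once
		}
		want[k] = true
		if !have[k] {
			toAdd = append(toAdd, r)
		}
	}
	for _, r := range existing {
		if !want[string(r.ID)] {
			toDel = append(toDel, r)
		}
	}
	added, removed = len(toAdd), len(toDel)
	// Anything added or removed counts as a change, even if the count is unchanged.
	return toAdd, toDel, added+removed > 0, added, removed
}

func main() {
	// Constructed sample: the chain holds rules A and B; the update wants B and C.
	existing := []RuleData{{ID: []byte("A")}, {ID: []byte("B")}}
	incoming := []RuleData{{ID: []byte("B")}, {ID: []byte("C")}}
	add, del, changed, n, m := Reconcile(existing, incoming)
	fmt.Printf("changed=%v added=%d removed=%d\n", changed, n, m)
	for _, r := range add { fmt.Printf("add %s\n", r.ID) }
	for _, r := range del { fmt.Printf("delete %s\n", r.ID) }
}
```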

type RulesUpdateFunc

type RulesUpdateFunc func() ([]RuleData, error)
