Documentation ¶
Index ¶
- type Chain
- type FakeIPTables
- func (f *FakeIPTables) ChainExists(table iptables.Table, chain iptables.Chain) (bool, error)
- func (f *FakeIPTables) DeleteChain(table iptables.Table, chain iptables.Chain) error
- func (f *FakeIPTables) DeleteRule(table iptables.Table, chain iptables.Chain, args ...string) error
- func (f *FakeIPTables) EnsureChain(table iptables.Table, chain iptables.Chain) (bool, error)
- func (f *FakeIPTables) EnsureRule(position iptables.RulePosition, table iptables.Table, chain iptables.Chain, ...) (bool, error)
- func (f *FakeIPTables) FlushChain(table iptables.Table, chain iptables.Chain) error
- func (f *FakeIPTables) HasRandomFully() bool
- func (f *FakeIPTables) IsIPv6() bool
- func (f *FakeIPTables) Monitor(canary iptables.Chain, tables []iptables.Table, reloadFunc func(), ...)
- func (f *FakeIPTables) Present() bool
- func (f *FakeIPTables) Protocol() iptables.Protocol
- func (f *FakeIPTables) Restore(table iptables.Table, data []byte, flush iptables.FlushFlag, ...) error
- func (f *FakeIPTables) RestoreAll(data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error
- func (f *FakeIPTables) SaveInto(table iptables.Table, buffer *bytes.Buffer) error
- func (f *FakeIPTables) SetHasRandomFully(can bool) *FakeIPTables
- type IPTablesDump
- type IPTablesValue
- type Rule
- type Table
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Chain ¶ added in v1.5.0
type Chain struct { Name iptables.Chain Packets uint64 Bytes uint64 Rules []*Rule // Deleted is set if the input contained a "-X Name" line; this would never // appear in iptables-save output but it could appear in iptables-restore *input*. Deleted bool }
Chain represents an IPTables chain
type FakeIPTables ¶
type FakeIPTables struct { Dump *IPTablesDump // contains filtered or unexported fields }
FakeIPTables is no-op implementation of iptables Interface.
func NewIPv6Fake ¶ added in v1.5.0
func NewIPv6Fake() *FakeIPTables
NewIPv6Fake returns a no-op iptables.Interface with IsIPv6() == true
func (*FakeIPTables) ChainExists ¶ added in v1.5.0
ChainExists is part of iptables.Interface
func (*FakeIPTables) DeleteChain ¶
DeleteChain is part of iptables.Interface
func (*FakeIPTables) DeleteRule ¶
DeleteRule is part of iptables.Interface
func (*FakeIPTables) EnsureChain ¶
EnsureChain is part of iptables.Interface
func (*FakeIPTables) EnsureRule ¶
func (f *FakeIPTables) EnsureRule(position iptables.RulePosition, table iptables.Table, chain iptables.Chain, args ...string) (bool, error)
EnsureRule is part of iptables.Interface
func (*FakeIPTables) FlushChain ¶
FlushChain is part of iptables.Interface
func (*FakeIPTables) HasRandomFully ¶
func (f *FakeIPTables) HasRandomFully() bool
HasRandomFully is part of iptables.Interface
func (*FakeIPTables) IsIPv6 ¶ added in v1.5.0
func (f *FakeIPTables) IsIPv6() bool
IsIPv6 is part of iptables.Interface
func (*FakeIPTables) Monitor ¶
func (f *FakeIPTables) Monitor(canary iptables.Chain, tables []iptables.Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
Monitor is part of iptables.Interface
func (*FakeIPTables) Present ¶ added in v1.5.0
func (f *FakeIPTables) Present() bool
func (*FakeIPTables) Protocol ¶ added in v1.5.0
func (f *FakeIPTables) Protocol() iptables.Protocol
Protocol is part of iptables.Interface
func (*FakeIPTables) Restore ¶
func (f *FakeIPTables) Restore(table iptables.Table, data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error
Restore is part of iptables.Interface
func (*FakeIPTables) RestoreAll ¶
func (f *FakeIPTables) RestoreAll(data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error
RestoreAll is part of iptables.Interface
func (*FakeIPTables) SetHasRandomFully ¶
func (f *FakeIPTables) SetHasRandomFully(can bool) *FakeIPTables
SetHasRandomFully sets f's return value for HasRandomFully()
type IPTablesDump ¶ added in v1.5.0
type IPTablesDump struct {
Tables []Table
}
IPTablesDump represents a parsed IPTables rules dump (ie, the output of "iptables-save" or input to "iptables-restore")
func ParseIPTablesDump ¶ added in v1.5.0
func ParseIPTablesDump(data string) (*IPTablesDump, error)
ParseIPTablesDump parses an IPTables rules dump. Note: this may ignore some bad data.
func (*IPTablesDump) GetTable ¶ added in v1.5.0
func (dump *IPTablesDump) GetTable(table iptables.Table) (*Table, error)
func (*IPTablesDump) String ¶ added in v1.5.0
func (dump *IPTablesDump) String() string
type IPTablesValue ¶ added in v1.5.0
IPTablesValue is a value of a parameter in an Rule, where the parameter is possibly negated.
func (*IPTablesValue) Matches ¶ added in v1.5.0
func (v *IPTablesValue) Matches(cmp string) bool
Matches returns true if cmp equals / doesn't equal v.Value (depending on v.Negated).
func (*IPTablesValue) String ¶ added in v1.5.0
func (v *IPTablesValue) String() string
for debugging; otherwise %v will just print the pointer value
type Rule ¶
type Rule struct { // Raw contains the original raw rule string Raw string Chain iptables.Chain `param:"-A"` Comment *IPTablesValue `param:"--comment"` Protocol *IPTablesValue `param:"-p" negatable:"true"` SourceAddress *IPTablesValue `param:"-s" negatable:"true"` SourceType *IPTablesValue `param:"--src-type" negatable:"true"` SourcePort *IPTablesValue `param:"--sport" negatable:"true"` DestinationAddress *IPTablesValue `param:"-d" negatable:"true"` DestinationType *IPTablesValue `param:"--dst-type" negatable:"true"` DestinationPort *IPTablesValue `param:"--dport" negatable:"true"` MatchSet *IPTablesValue `param:"--match-set" negatable:"true"` Jump *IPTablesValue `param:"-j"` RandomFully *bool `param:"--random-fully"` Probability *IPTablesValue `param:"--probability"` DNATDestination *IPTablesValue `param:"--to-destination"` // We don't actually use the values of these, but we care if they are present AffinityCheck *bool `param:"--rcheck" negatable:"true"` MarkCheck *IPTablesValue `param:"--mark" negatable:"true"` CTStateCheck *IPTablesValue `param:"--ctstate" negatable:"true"` // We don't currently care about any of these in the unit tests, but we expect // them to be present in some rules that we parse, so we define how to parse them. AffinityName *IPTablesValue `param:"--name"` AffinitySeconds *IPTablesValue `param:"--seconds"` AffinitySet *bool `param:"--set" negatable:"true"` AffinityReap *bool `param:"--reap"` StatisticMode *IPTablesValue `param:"--mode"` }
Rule represents a single parsed IPTables rule. (This currently covers all of the rule types that we actually use in pkg/proxy/iptables or pkg/proxy/ipvs.)
The parsing is mostly-automated based on type reflection. The `param` tag on a field indicates the parameter whose value will be placed into that field. (The code assumes that we don't use both the short and long forms of any parameter names (eg, "-s" vs "--source"), which is currently true, but it could be extended if necessary.) The `negatable` tag indicates if a parameter is allowed to be preceded by "!".
Parameters that take a value are stored as type `*IPTablesValue`, which encapsulates a string value and whether the rule was negated (ie, whether the rule requires that we *match* or *don't match* that value). But string-valued parameters that can't be negated use `IPTablesValue` rather than `string` too, just for API consistency.
Parameters that don't take a value are stored as `*bool`, where the value is `nil` if the parameter was not present, `&true` if the parameter was present, or `&false` if the parameter was present but negated.
Parsing skips over "-m MODULE" parameters because most parameters have unique names anyway even ignoring the module name, and in the cases where they don't (eg "-m tcp --sport" vs "-m udp --sport") the parameters are mutually-exclusive and it's more convenient to store them in the same struct field anyway.