nftables

package
v1.11.0-cni-plu...-8f3027a Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 27, 2024 License: Apache-2.0, Apache-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ProtoIPIP   = 4
	ProtoTCP    = 6
	ProtoUDP    = 17
	ProtoICMPv6 = 58
	ProtoSCTP   = 132
)
View Source 
const (
	MaxChainNameLength = knftables.NameLengthMax
)

Variables

View Source 
var Wildcard = "*"

Functions

func Actions 

func Actions() generictables.ActionFactory

func CalculateRuleHashes 

func CalculateRuleHashes(chainName string, rules []generictables.Rule, features *environment.Features) []string

func LegalizeSetName 

func LegalizeSetName(setName string) string

func Match 

func Match() generictables.MatchCriteria

func NewTable 

func NewTable(
	name string,
	ipVersion uint8,
	hashPrefix string,
	featureDetector environment.FeatureDetectorIface,
	options TableOptions,
) generictables.Table

func NewTableLayer 

func NewTableLayer(name string, table generictables.Table) generictables.Table

func PortRangesToMultiport 

func PortRangesToMultiport(ports []*proto.PortRange) string

func PortsToMultiport 

func PortsToMultiport(ports []uint16) string

PortsToMultiport converts a list of ports to a multiport set suitable for inline use in nftables rules.

Types

type AcceptAction 

type AcceptAction struct {
	TypeAccept struct{}
}

func (AcceptAction) String 

func (g AcceptAction) String() string

func (AcceptAction) ToFragment 

func (g AcceptAction) ToFragment(features *environment.Features) string

type ClearMarkAction 

type ClearMarkAction struct {
	Mark          uint32
	TypeClearMark struct{}
}

func (ClearMarkAction) String 

func (c ClearMarkAction) String() string

func (ClearMarkAction) ToFragment 

func (c ClearMarkAction) ToFragment(features *environment.Features) string

type DNATAction 

type DNATAction struct {
	DestAddr string
	DestPort uint16
	TypeDNAT struct{}
}

func (DNATAction) String 

func (g DNATAction) String() string

func (DNATAction) ToFragment 

func (g DNATAction) ToFragment(features *environment.Features) string

type DropAction 

type DropAction struct {
	TypeDrop struct{}
}

func (DropAction) String 

func (g DropAction) String() string

func (DropAction) ToFragment 

func (g DropAction) ToFragment(features *environment.Features) string

type GotoAction 

type GotoAction struct {
	Target   string
	TypeGoto struct{}
}

func (GotoAction) Namespace 

func (g GotoAction) Namespace(ns string) generictables.Action

func (GotoAction) ReferencedChain 

func (g GotoAction) ReferencedChain() string

func (GotoAction) String 

func (g GotoAction) String() string

func (GotoAction) ToFragment 

func (g GotoAction) ToFragment(features *environment.Features) string

type IPSets 

type IPSets struct {
	IPVersionConfig *ipsets.IPVersionConfig
	// contains filtered or unexported fields
}

IPSets manages a whole "plane" of IP sets, i.e. all the IPv4 sets, or all the IPv6 IP sets.

func NewIPSets 

func NewIPSets(ipVersionConfig *ipsets.IPVersionConfig, nft knftables.Interface, recorder logutils.OpRecorder) *IPSets

func NewIPSetsWithShims 

func NewIPSetsWithShims(ipVersionConfig *ipsets.IPVersionConfig, sleep func(time.Duration), nft knftables.Interface, recorder logutils.OpRecorder) *IPSets

NewIPSetsWithShims is an internal test constructor.

func (*IPSets) AddMembers 

func (s *IPSets) AddMembers(setID string, newMembers []string)

AddMembers adds the given members to the IP set. Filters out members that are of the incorrect IP version.

func (*IPSets) AddOrReplaceIPSet 

func (s *IPSets) AddOrReplaceIPSet(setMetadata ipsets.IPSetMetadata, members []string)

AddOrReplaceIPSet queues up the creation (or replacement) of an IP set. After the next call to ApplyUpdates(), the IP sets will be replaced with the new contents and the set's metadata will be updated as appropriate.

func (*IPSets) ApplyDeletions 

func (s *IPSets) ApplyDeletions() bool

ApplyDeletions tries to delete any IP sets that are no longer needed. Failures are ignored, deletions will be retried the next time we do a resync.

func (*IPSets) ApplyUpdates 

func (s *IPSets) ApplyUpdates()

ApplyUpdates applies the updates to the dataplane. Returns a set of programmed IPs in the IPSets included by the ipsetFilter.

func (*IPSets) GetDesiredMembers 

func (s *IPSets) GetDesiredMembers(setID string) (set.Set[string], error)

func (*IPSets) GetIPFamily 

func (s *IPSets) GetIPFamily() ipsets.IPFamily

func (*IPSets) GetTypeOf 

func (s *IPSets) GetTypeOf(setID string) (ipsets.IPSetType, error)

func (*IPSets) NFTablesSet 

func (s *IPSets) NFTablesSet(name string) *knftables.Set

func (*IPSets) QueueResync 

func (s *IPSets) QueueResync()

QueueResync forces a resync with the dataplane on the next ApplyUpdates() call.

func (*IPSets) RemoveIPSet 

func (s *IPSets) RemoveIPSet(setID string)

RemoveIPSet queues up the removal of an IP set, it need not be empty. The IP sets will be removed on the next call to ApplyDeletions().

func (*IPSets) RemoveMembers 

func (s *IPSets) RemoveMembers(setID string, removedMembers []string)

RemoveMembers queues up removal of the given members from an IP set. Members of the wrong IP version are ignored.

func (*IPSets) SetFilter 

func (s *IPSets) SetFilter(ipSetNames set.Set[string])

type JumpAction 

type JumpAction struct {
	Target   string
	TypeJump struct{}
}

func (JumpAction) Namespace 

func (g JumpAction) Namespace(ns string) generictables.Action

func (JumpAction) ReferencedChain 

func (g JumpAction) ReferencedChain() string

func (JumpAction) String 

func (g JumpAction) String() string

func (JumpAction) ToFragment 

func (g JumpAction) ToFragment(features *environment.Features) string

type LogAction 

type LogAction struct {
	Prefix  string
	TypeLog struct{}
}

func (LogAction) String 

func (g LogAction) String() string

func (LogAction) ToFragment 

func (g LogAction) ToFragment(features *environment.Features) string

type MasqAction 

type MasqAction struct {
	ToPorts  string
	TypeMasq struct{}
}

func (MasqAction) String 

func (g MasqAction) String() string

func (MasqAction) ToFragment 

func (g MasqAction) ToFragment(features *environment.Features) string

type NFTMatchCriteria 

type NFTMatchCriteria interface {
	generictables.MatchCriteria

	IPVersion(version uint8) generictables.MatchCriteria

	ConntrackStatus(statusNames string) generictables.MatchCriteria
	NotConntrackStatus(statusNames string) generictables.MatchCriteria
}

NFTMatchCriteria extends the generictables.MatchCriteria interface with nftables-specific methods.

type NFTRenderer 

type NFTRenderer interface {
	generictables.RuleHasher
	Render(chain string, hash string, rule generictables.Rule, features *environment.Features) *knftables.Rule
}

func NewNFTRenderer 

func NewNFTRenderer(hashCommentPrefix string, ipv uint8) NFTRenderer

type NoTrackAction 

type NoTrackAction struct {
	TypeNoTrack struct{}
}

func (NoTrackAction) String 

func (g NoTrackAction) String() string

func (NoTrackAction) ToFragment 

func (g NoTrackAction) ToFragment(features *environment.Features) string

type Referrer 

type Referrer interface {
	ReferencedChain() string
}

type RejectAction 

type RejectAction struct {
	TypeReject struct{}
	With       string
}

func (RejectAction) String 

func (g RejectAction) String() string

func (RejectAction) ToFragment 

func (g RejectAction) ToFragment(features *environment.Features) string

type RestoreConnMarkAction 

type RestoreConnMarkAction struct {
	RestoreMask  uint32
	TypeConnMark struct{}
}

func (RestoreConnMarkAction) String 

func (c RestoreConnMarkAction) String() string

func (RestoreConnMarkAction) ToFragment 

func (c RestoreConnMarkAction) ToFragment(features *environment.Features) string

type ReturnAction 

type ReturnAction struct {
	TypeReturn struct{}
}

func (ReturnAction) IsReturnAction 

func (r ReturnAction) IsReturnAction()

func (ReturnAction) String 

func (r ReturnAction) String() string

func (ReturnAction) ToFragment 

func (r ReturnAction) ToFragment(features *environment.Features) string

type SNATAction 

type SNATAction struct {
	ToAddr   string
	TypeSNAT struct{}
}

func (SNATAction) String 

func (g SNATAction) String() string

func (SNATAction) ToFragment 

func (g SNATAction) ToFragment(features *environment.Features) string

type SaveConnMarkAction 

type SaveConnMarkAction struct {
	SaveMask     uint32
	TypeConnMark struct{}
}

func (SaveConnMarkAction) String 

func (c SaveConnMarkAction) String() string

func (SaveConnMarkAction) ToFragment 

func (c SaveConnMarkAction) ToFragment(features *environment.Features) string

type SetConnMarkAction 

type SetConnMarkAction struct {
	Mark         uint32
	Mask         uint32
	TypeConnMark struct{}
}

func (SetConnMarkAction) String 

func (c SetConnMarkAction) String() string

func (SetConnMarkAction) ToFragment 

func (c SetConnMarkAction) ToFragment(features *environment.Features) string

type SetMarkAction 

type SetMarkAction struct {
	Mark        uint32
	TypeSetMark struct{}
}

func (SetMarkAction) String 

func (c SetMarkAction) String() string

func (SetMarkAction) ToFragment 

func (c SetMarkAction) ToFragment(features *environment.Features) string

type SetMaskedMarkAction 

type SetMaskedMarkAction struct {
	Mark              uint32
	Mask              uint32
	TypeSetMaskedMark struct{}
}

func (SetMaskedMarkAction) String 

func (c SetMaskedMarkAction) String() string

func (SetMaskedMarkAction) ToFragment 

func (c SetMaskedMarkAction) ToFragment(features *environment.Features) string

type SetMember 

type SetMember interface {
	ipsets.IPSetMember
	Key() []string
}

SetMember represents a member of an nftables set.

func CanonicaliseMember 

func CanonicaliseMember(t ipsets.IPSetType, member string) SetMember

CanonicaliseMember converts the string representation of an nftables set member to a canonical object of some kind that implements the IPSetMember interface. The object is required to by hashable.

func UnknownMember 

func UnknownMember(k []string) SetMember

type TableOptions 

type TableOptions struct {
	// NewDataplane is an optional function to override the creation of the knftables client,
	// used for testing.
	NewDataplane func(knftables.Family, string) (knftables.Interface, error)

	RefreshInterval time.Duration

	// SleepOverride for tests, if non-nil, replacement for time.Sleep()
	SleepOverride func(d time.Duration)

	// NowOverride for tests, if non-nil, replacement for time.Now()
	NowOverride func() time.Time

	// LookPathOverride for tests, if non-nil, replacement for exec.LookPath()
	LookPathOverride func(file string) (string, error)

	// Thunk to call periodically when doing a long-running operation.
	OnStillAlive func()

	// OpRecorder to tell when we do resyncs etc.
	OpRecorder logutils.OpRecorder
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.