Documentation
¶
Index ¶
- type Chain
- type FakeIPTables
- func (f *FakeIPTables) ChainExists(table iptables.Table, chain iptables.Chain) (bool, error)
- func (f *FakeIPTables) DeleteChain(table iptables.Table, chain iptables.Chain) error
- func (f *FakeIPTables) DeleteRule(table iptables.Table, chain iptables.Chain, args ...string) error
- func (f *FakeIPTables) EnsureChain(table iptables.Table, chain iptables.Chain) (bool, error)
- func (f *FakeIPTables) EnsureRule(position iptables.RulePosition, table iptables.Table, chain iptables.Chain, ...) (bool, error)
- func (f *FakeIPTables) FlushChain(table iptables.Table, chain iptables.Chain) error
- func (f *FakeIPTables) HasRandomFully() bool
- func (f *FakeIPTables) IsIPv6() bool
- func (f *FakeIPTables) Monitor(canary iptables.Chain, tables []iptables.Table, reloadFunc func(), ...)
- func (f *FakeIPTables) Present() bool
- func (f *FakeIPTables) Protocol() iptables.Protocol
- func (f *FakeIPTables) Restore(table iptables.Table, data []byte, flush iptables.FlushFlag, ...) error
- func (f *FakeIPTables) RestoreAll(data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error
- func (f *FakeIPTables) SaveInto(table iptables.Table, buffer *bytes.Buffer) error
- func (f *FakeIPTables) SetHasRandomFully(can bool) *FakeIPTables
- type IPTablesDump
- type IPTablesValue
- type Rule
- type Table
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Chain ¶
type Chain struct {
Name iptables.Chain
Packets uint64
Bytes uint64
Rules []*Rule
// Deleted is set if the input contained a "-X Name" line; this would never
// appear in iptables-save output but it could appear in iptables-restore *input*.
Deleted bool
}
Chain represents an IPTables chain
type FakeIPTables ¶
type FakeIPTables struct {
Dump *IPTablesDump
// contains filtered or unexported fields
}
FakeIPTables is no-op implementation of iptables Interface.
func NewIPv6Fake ¶
func NewIPv6Fake() *FakeIPTables
NewIPv6Fake returns a no-op iptables.Interface with IsIPv6() == true
func (*FakeIPTables) ChainExists ¶
ChainExists is part of iptables.Interface
func (*FakeIPTables) DeleteChain ¶
DeleteChain is part of iptables.Interface
func (*FakeIPTables) DeleteRule ¶
DeleteRule is part of iptables.Interface
func (*FakeIPTables) EnsureChain ¶
EnsureChain is part of iptables.Interface
func (*FakeIPTables) EnsureRule ¶
func (f *FakeIPTables) EnsureRule(position iptables.RulePosition, table iptables.Table, chain iptables.Chain, args ...string) (bool, error)
EnsureRule is part of iptables.Interface
func (*FakeIPTables) FlushChain ¶
FlushChain is part of iptables.Interface
func (*FakeIPTables) HasRandomFully ¶
func (f *FakeIPTables) HasRandomFully() bool
HasRandomFully is part of iptables.Interface
func (*FakeIPTables) IsIPv6 ¶
func (f *FakeIPTables) IsIPv6() bool
IsIPv6 is part of iptables.Interface
func (*FakeIPTables) Monitor ¶
func (f *FakeIPTables) Monitor(canary iptables.Chain, tables []iptables.Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
Monitor is part of iptables.Interface
func (*FakeIPTables) Present ¶
func (f *FakeIPTables) Present() bool
func (*FakeIPTables) Protocol ¶
func (f *FakeIPTables) Protocol() iptables.Protocol
Protocol is part of iptables.Interface
func (*FakeIPTables) Restore ¶
func (f *FakeIPTables) Restore(table iptables.Table, data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error
Restore is part of iptables.Interface
func (*FakeIPTables) RestoreAll ¶
func (f *FakeIPTables) RestoreAll(data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error
RestoreAll is part of iptables.Interface
func (*FakeIPTables) SetHasRandomFully ¶
func (f *FakeIPTables) SetHasRandomFully(can bool) *FakeIPTables
SetHasRandomFully sets f's return value for HasRandomFully()
type IPTablesDump ¶
type IPTablesDump struct {
Tables []Table
}
IPTablesDump represents a parsed IPTables rules dump (ie, the output of "iptables-save" or input to "iptables-restore")
func ParseIPTablesDump ¶
func ParseIPTablesDump(data string) (*IPTablesDump, error)
ParseIPTablesDump parses an IPTables rules dump. Note: this may ignore some bad data.
func (*IPTablesDump) GetTable ¶
func (dump *IPTablesDump) GetTable(table iptables.Table) (*Table, error)
func (*IPTablesDump) String ¶
func (dump *IPTablesDump) String() string
type IPTablesValue ¶
IPTablesValue is a value of a parameter in an Rule, where the parameter is possibly negated.
func (*IPTablesValue) Matches ¶
func (v *IPTablesValue) Matches(cmp string) bool
Matches returns true if cmp equals / doesn't equal v.Value (depending on v.Negated).
func (*IPTablesValue) String ¶
func (v *IPTablesValue) String() string
for debugging; otherwise %v will just print the pointer value
type Rule ¶
type Rule struct {
// Raw contains the original raw rule string
Raw string
Chain iptables.Chain `param:"-A"`
Comment *IPTablesValue `param:"--comment"`
Protocol *IPTablesValue `param:"-p" negatable:"true"`
SourceAddress *IPTablesValue `param:"-s" negatable:"true"`
SourceType *IPTablesValue `param:"--src-type" negatable:"true"`
SourcePort *IPTablesValue `param:"--sport" negatable:"true"`
DestinationAddress *IPTablesValue `param:"-d" negatable:"true"`
DestinationType *IPTablesValue `param:"--dst-type" negatable:"true"`
DestinationPort *IPTablesValue `param:"--dport" negatable:"true"`
MatchSet *IPTablesValue `param:"--match-set" negatable:"true"`
Jump *IPTablesValue `param:"-j"`
RandomFully *bool `param:"--random-fully"`
Probability *IPTablesValue `param:"--probability"`
DNATDestination *IPTablesValue `param:"--to-destination"`
// We don't actually use the values of these, but we care if they are present
AffinityCheck *bool `param:"--rcheck" negatable:"true"`
MarkCheck *IPTablesValue `param:"--mark" negatable:"true"`
CTStateCheck *IPTablesValue `param:"--ctstate" negatable:"true"`
// We don't currently care about any of these in the unit tests, but we expect
// them to be present in some rules that we parse, so we define how to parse them.
AffinityName *IPTablesValue `param:"--name"`
AffinitySeconds *IPTablesValue `param:"--seconds"`
AffinitySet *bool `param:"--set" negatable:"true"`
AffinityReap *bool `param:"--reap"`
StatisticMode *IPTablesValue `param:"--mode"`
}
Rule represents a single parsed IPTables rule. (This currently covers all of the rule types that we actually use in pkg/proxy/iptables or pkg/proxy/ipvs.)
The parsing is mostly-automated based on type reflection. The `param` tag on a field indicates the parameter whose value will be placed into that field. (The code assumes that we don't use both the short and long forms of any parameter names (eg, "-s" vs "--source"), which is currently true, but it could be extended if necessary.) The `negatable` tag indicates if a parameter is allowed to be preceded by "!".
Parameters that take a value are stored as type `*IPTablesValue`, which encapsulates a string value and whether the rule was negated (ie, whether the rule requires that we *match* or *don't match* that value). But string-valued parameters that can't be negated use `IPTablesValue` rather than `string` too, just for API consistency.
Parameters that don't take a value are stored as `*bool`, where the value is `nil` if the parameter was not present, `&true` if the parameter was present, or `&false` if the parameter was present but negated.
Parsing skips over "-m MODULE" parameters because most parameters have unique names anyway even ignoring the module name, and in the cases where they don't (eg "-m tcp --sport" vs "-m udp --sport") the parameters are mutually-exclusive and it's more convenient to store them in the same struct field anyway.
Source Files