Published: Feb 25, 2019 License: Apache-2.0 Imports: 10 Imported by: 0

Constants

// NFT, TABLE and CHAIN are small integer tags (0, 1 and 2 respectively).
// NOTE(review): what they tag is not visible in this listing — confirm
// against the callers before relying on the numeric values.
const (
	NFT = iota
	TABLE
	CHAIN
)

// Address families an nft Table can belong to; the string is the family
// keyword as nft spells it.
const (
	FamilyIP     = Family("ip")
	FamilyIP6    = Family("ip6")
	FamilyNET    = Family("net")
	FamilyINET   = Family("inet")
	FamilyARP    = Family("arp")
	FamilyBridge = Family("bridge")
)

// Chain types. TypeSkipCreate is the empty string; by its name a Chain
// carrying it is not created — confirm in Nft.MarshalText.
const (
	TypeSkipCreate = Type("")
	TypeNAT        = Type("nat")
	TypeFilter     = Type("filter")
)
// NFTDebug, when true, keeps the generated nft files on disk for
// inspection instead of deleting them. Leave it false outside of
// debugging: those files contain the complete ruleset being applied.
const NFTDebug = false

Variables

This section is empty.

Functions

func Apply

func Apply(nft Nft) error

Apply applies (merges) nft rules.

func ApplyFromFile

func ApplyFromFile(cfg string) error

ApplyFromFile applies nft rules from a file

func Drop

func Drop(family Family, table, chain string, handle int) error

Drop drops a single rule given a handle

func IPv4Set added in v1.5.0

func IPv4Set(family Family, table string, name string, ips ...string) error

IPv4Set creates or updates an element set of type ipv4_addr.

func IPv4SetDel added in v1.5.0

func IPv4SetDel(family Family, table, name string, ips ...string) error

IPv4SetDel deletes IPs from an ipv4_addr set.

func IPv4SetGet added in v1.5.0

func IPv4SetGet(family Family, table, name string) ([]string, error)

IPv4SetGet gets the current contents of the ipv4_addr set.

Types

type API added in v1.5.0

// API is the interface form of this package's rule-management entry
// points: Apply, Drop, Find, IPv4Set and IPv4SetDel. The package-level
// ApplyFromFile and IPv4SetGet functions are not part of it.
type API interface {
	// Apply applies (merges) the given ruleset.
	Apply(nft Nft) error
	// Drop removes the single rule identified by handle in the given
	// family/table/chain.
	Drop(family Family, table, chain string, handle int) error
	// Find returns the rules matched by every given filter.
	Find(filter ...Filter) ([]FilterRule, error)

	// IPv4Set creates or updates an ipv4_addr set with the given elements.
	IPv4Set(family Family, table string, name string, ips ...string) error
	// IPv4SetDel removes the given elements from an ipv4_addr set.
	IPv4SetDel(family Family, table, name string, ips ...string) error
}

API defines the nft API.

type And added in v1.5.0

// And is a group of filters combined as an AND operation; see And.Match.
type And []Filter

And allows grouping filters in an AND operation.

func (And) Match added in v1.5.0

func (f And) Match(rule *NftRuleBlock) bool

type Chain

// Chain is the declarative model of one chain inside a Table; Nft.MarshalText
// renders it into nft syntax.
type Chain struct {
	Type     Type   // chain type; TypeSkipCreate ("") presumably skips creation — confirm in MarshalText
	Hook     string // netfilter hook name (compare NftChainBlock's "hook")
	Priority int    // hook priority (compare NftChainBlock's "prio")
	Policy   string // chain policy (compare NftChainBlock's "policy")
	Rules    []Rule // raw rules belonging to the chain
}

type ChainFilter added in v1.5.0

// ChainFilter selects rules by chain name; see ChainFilter.Match.
type ChainFilter struct {
	Chain string // chain name to match
}

func (*ChainFilter) Match added in v1.5.0

func (f *ChainFilter) Match(rule *NftRuleBlock) bool

type Chains

// Chains maps chain names to their Chain definitions.
type Chains map[string]Chain

type Family

// Family is an nft address family keyword; see the Family* constants.
type Family string

type FamilyFilter added in v1.5.0

// FamilyFilter selects rules by address family; see FamilyFilter.Match.
type FamilyFilter struct {
	Family Family // family to match
}

func (*FamilyFilter) Match added in v1.5.0

func (f *FamilyFilter) Match(rule *NftRuleBlock) bool

type Filter added in v1.5.0

// Filter is implemented by anything that can decide whether a rule
// matches; Find evaluates filters against the rules it inspects.
type Filter interface {
	// Match reports whether rule satisfies the filter.
	Match(rule *NftRuleBlock) bool
}

Filter is the interface implemented by rule filters.

type FilterRule added in v1.5.0

// FilterRule is a rule returned by Find together with the identifiers
// needed to address it again, e.g. when passing it to Drop.
type FilterRule struct {
	Rule          // the rule text
	Handle int    // rule handle, as Drop expects it
	Table  string // owning table
	Chain  string // owning chain
	Family Family // address family of the table
}

func Find added in v1.5.0

func Find(f ...Filter) ([]FilterRule, error)

type IPMatchFilter added in v1.5.0

// IPMatchFilter selects rules that compare an address field against
// Value; see IPMatchFilter.Match.
type IPMatchFilter struct {
	Name  string // presumably the protocol/header named in the rule's match — confirm in Match
	Field string // presumably the field within that header — confirm in Match
	Value net.IP // address the rule must match against
}

func (*IPMatchFilter) Match added in v1.5.0

func (f *IPMatchFilter) Match(rule *NftRuleBlock) bool

type IntMatchFilter added in v1.5.0

// IntMatchFilter selects rules that compare an integer field against
// Value; see IntMatchFilter.Match.
type IntMatchFilter struct {
	Name  string // presumably the protocol/header named in the rule's match — confirm in Match
	Field string // presumably the field within that header — confirm in Match
	Value uint64 // integer the rule must match against
}

IntMatchFilter is a simple match rule.

func (*IntMatchFilter) Match added in v1.5.0

func (f *IntMatchFilter) Match(rule *NftRuleBlock) bool

type MarkFilter added in v1.5.0

// MarkFilter selects rules by their meta mark; see MarkFilter.Match.
type MarkFilter struct {
	Mark uint32 // meta mark value to match
}

MarkFilter finds a rule by its meta mark.

func (*MarkFilter) Match added in v1.5.0

func (f *MarkFilter) Match(rule *NftRuleBlock) bool

type MetaMatchFilter added in v1.5.0

// MetaMatchFilter selects rules whose meta expression named Name is
// compared against Value; see MetaMatchFilter.Match.
type MetaMatchFilter struct {
	Name  string // presumably the meta key (as in nft's "meta" expression) — confirm in Match
	Value string // value the rule must match against
}

func (*MetaMatchFilter) Match added in v1.5.0

func (f *MetaMatchFilter) Match(rule *NftRuleBlock) bool

type NetworkMatchFilter added in v1.5.0

// NetworkMatchFilter selects rules that compare an address field against
// the network Value; see NetworkMatchFilter.Match.
type NetworkMatchFilter struct {
	Name  string     // presumably the protocol/header named in the rule's match — confirm in Match
	Field string     // presumably the field within that header — confirm in Match
	Value *net.IPNet // network the rule must match; behaviour for a nil Value is not visible here — confirm
}

func (*NetworkMatchFilter) Match added in v1.5.0

func (f *NetworkMatchFilter) Match(rule *NftRuleBlock) bool

type Nft

// Nft is the declarative ruleset model keyed by table name. Apply consumes
// it and Nft.MarshalText renders it into nft syntax.
type Nft map[string]Table

func (Nft) MarshalText

func (n Nft) MarshalText() ([]byte, error)

type NftChainBlock added in v1.5.0

// NftChainBlock is the decoded form of a "chain" object in nft's JSON
// output; the json tags give the key names.
type NftChainBlock struct {
	/*
		Sample object:
		{'hook': 'prerouting',
		'family': 'ip',
		'prio': 0,
		'table': 'nat',
		'name': 'pre',
		'handle': 1,
		'type': 'nat',
		'policy': 'accept'}
	*/
	Hook     string `json:"hook"`
	Family   Family `json:"family"`
	Priority int    `json:"prio"` // note the key is "prio", not "priority"
	Table    string `json:"table"`
	Name     string `json:"name"`
	Handle   int    `json:"handle"`
	Type     Type   `json:"type"`
	Policy   string `json:"policy"`
}

type NftJsonBlock added in v1.5.0

// NftJsonBlock is one object from nft's JSON output with each value kept
// undecoded as json.RawMessage.
type NftJsonBlock map[string]json.RawMessage

NftJsonBlock defines an nft JSON block.

type NftRuleBlock added in v1.5.0

// NftRuleBlock is the decoded form of a "rule" object in nft's JSON
// output; it is what the Filter implementations inspect.
type NftRuleBlock struct {
	/*
		Sample object:
		{'family': 'inet',
		'expr': [{'match': {'right': {'set': ['established', 'related']},
			'left': {'ct': {'key': 'state'}}}},
		{'accept': None}],
		'table': 'filter',
		'handle': 5,
		'chain': 'input'}
	*/
	Family    Family         `json:"family"`
	Expresion []NftJsonBlock `json:"expr"` // sic: exported name is misspelled; renaming would break callers
	Table     string         `json:"table"`
	Handle    int            `json:"handle"`
	Chain     string         `json:"chain"`
}

type NftSetBlock added in v1.5.0

// NftSetBlock is the decoded form of a "set" object in nft's JSON output;
// the json tags give the key names.
type NftSetBlock struct {
	Family   Family   `json:"family"`
	Name     string   `json:"name"`
	Table    string   `json:"table"`
	Elements []string `json:"elem"` // note the key is "elem"
	Type     string   `json:"type"` // element type, e.g. the ipv4_addr this package's set helpers use
	Handle   int      `json:"handle"`
}

type NftTableBlock added in v1.5.0

// NftTableBlock is the decoded form of a "table" object in nft's JSON
// output.
type NftTableBlock struct {
	// Sample object: {'family': 'ip', 'name': 'nat', 'handle': 0}
	Family Family `json:"family"`
	Name   string `json:"name"`
	Handle int    `json:"handle"`
}

type Or added in v1.5.0

// Or is a group of filters combined as an OR operation; see Or.Match.
type Or []Filter

func (Or) Match added in v1.5.0

func (f Or) Match(rule *NftRuleBlock) bool

type Port added in v1.5.0

// Port describes a port, optionally restricted to an interface and a
// subnet, with JSON tags for (de)serialisation. NOTE(review): nothing in
// this listing shows where Port is consumed — confirm its use.
type Port struct {
	Port      uint16 `json:"port"`
	Interface string `json:"interface,omitempty"`
	Subnet    string `json:"subnet,omitempty"`
}

type Rule

// Rule is a single nft rule given as raw rule text.
type Rule struct {
	// Body is the rule in nft syntax. It is presumably emitted verbatim by
	// Nft.MarshalText (confirm), so it must be built only from trusted,
	// validated values: anything interpolated into it becomes part of the
	// applied ruleset.
	Body string
}

type Set added in v1.5.0

// Set is a named nft set in the declarative model; only the ipv4_addr
// element type is supported.
type Set struct {
	// Elements are the set members. NOTE(review): no validation of these
	// strings is visible in this listing — confirm they are checked before
	// being written into the generated ruleset.
	Elements []string
}

type Sets added in v1.5.0

// Sets maps set names to their Set definitions.
type Sets map[string]Set

type Table

// Table is the declarative model of one nft table: its address family
// plus the chains and sets it contains. The table's name is the key under
// which it is stored in Nft.
type Table struct {
	Family Family // address family; see the Family* constants
	Chains Chains // chains keyed by name
	Sets   Sets   // sets keyed by name
}

type TableFilter added in v1.5.0

// TableFilter selects rules by table name; see TableFilter.Match.
type TableFilter struct {
	Table string // table name to match
}

func (*TableFilter) Match added in v1.5.0

func (f *TableFilter) Match(rule *NftRuleBlock) bool

type Type

// Type is an nft chain type keyword; see the Type* constants.
type Type string
