iptables

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 17, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

View Source
const (
	TableNAT    TableName = "nat"
	TableFilter TableName = "filter"
	TableMangle TableName = "mangle"
	TableRaw    TableName = "raw"

	ChainInput       ChainName = "INPUT"
	ChainOutput      ChainName = "OUTPUT"
	ChainForward     ChainName = "FORWARD"
	ChainPrerouting  ChainName = "PREROUTING"
	ChainPostrouting ChainName = "POSTROUTING"

	PolicyAccept Policy = "ACCEPT"
	PolicyReturn Policy = "RETURN"
	PolicyReject Policy = "REJECT"
	PolicyDrop   Policy = "DROP"

	ProtocolIPv4 L3Protocol = "IPv4"
	ProtocolIPv6 L3Protocol = "IPv6"

	ProtocolTCP L4Protocol = "tcp"
	ProtocolUDP L4Protocol = "udp"
)

Variables

This section is empty.

Functions

func NF_ADD

func NF_ADD(m v1.Match, a v1.Action, chain string, buffer *bytes.Buffer, args ...string)

func NF_DEL

func NF_DEL(m v1.Match, a v1.Action, chain string, buffer *bytes.Buffer, args ...string)

Types

type Balance

type Balance struct {
	Destination net.IP `json:"--to-destination,omitempty"`
}

type CTSTATE

type CTSTATE string
const (
	CTSTATE_NEW         CTSTATE = "NEW"
	CTSTATE_ESTABLISHED CTSTATE = "ESTABLISHED"
	CTSTATE_RELATED     CTSTATE = "RELATED"
)

type ChainName

type ChainName string

type ConnMark

type ConnMark struct {
	// set-mark mark[/mask]. Set connection mark. If a mask is specified then only those bits set in the mask is modified.
	SetMark string `json:"--set-mark,omitempty"`
	// save-mark [--mask mask]. Copy the netfilter packet mark value to the connection mark. If a mask is specified then only those bits are copied.
	SaveMark string `json:"--save-mark,omitempty"`
	// restore-mark [--mask mask]. Copy the connection mark value to the packet. If a mask is specified then only those bits are copied. This is only valid in the mangle table.
	RestoreMark string `json:"--restore-mark,omitempty"`
}

type Dnat

type Dnat struct {
	// to-destination ipaddr[-ipaddr][:port-port]. which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified.
	Destination string `json:"--to-destination,omitempty"`
}

type FlushFlag

type FlushFlag bool

FlushFlag an option flag for Flush

const FlushTables FlushFlag = true

FlushTables a boolean true constant for option flag FlushFlag

const NoFlushTables FlushFlag = false

NoFlushTables a boolean false constant for option flag FlushFlag

type IPV4Interface

type IPV4Interface interface {
	Interface
}

func NewIPV4

func NewIPV4() IPV4Interface

type IPV6Interface

type IPV6Interface interface {
	Interface
}

func NewIPV6

func NewIPV6() IPV6Interface

type Interface

type Interface interface {
	// EnsureChain checks if the specified chain exists and, if not, creates it.  If the chain existed, return true.
	EnsureChain(table TableName, chain ChainName) (bool, error)
	// FlushChain clears the specified chain.  If the chain did not exist, return error.
	FlushChain(table TableName, chain ChainName) error
	// DeleteChain deletes the specified chain.  If the chain did not exist, return error.
	DeleteChain(table TableName, chain ChainName) error
	// EnsureRule checks if the specified rule is present and, if not, creates it.  If the rule existed, return true.
	EnsureRule(position RulePosition, table TableName, chain ChainName, args ...string) (bool, error)
	// DeleteRule checks if the specified rule is present and, if so, deletes it.
	DeleteRule(table TableName, chain ChainName, args ...string) error
	// IsIPv6 returns true if this is managing ipv6 tables.
	IsIPv6() bool
	// Protocol returns the IP family this instance is managing,
	L3Protocol() L3Protocol
	// SaveInto calls `iptables-save` for table and stores result in a given buffer.
	SaveInto(table TableName, buffer *bytes.Buffer) error
	// Restore runs `iptables-restore` passing data through []byte.
	// table is the Table to restore
	// data should be formatted like the output of SaveInto()
	// flush sets the presence of the "--noflush" flag. see: FlushFlag
	// counters sets the "--counters" flag. see: RestoreCountersFlag
	Restore(table TableName, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// RestoreAll is the same as Restore except that no table is specified.
	RestoreAll(data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// Monitor detects when the given iptables tables have been flushed by an external
	// tool (e.g. a firewall reload) by creating canary chains and polling to see if
	// they have been deleted. (Specifically, it polls tables[0] every interval until
	// the canary has been deleted from there, then waits a short additional time for
	// the canaries to be deleted from the remaining tables as well. You can optimize
	// the polling by listing a relatively empty table in tables[0]). When a flush is
	// detected, this calls the reloadFunc so the caller can reload their own iptables
	// rules. If it is unable to create the canary chains (either initially or after
	// a reload) it will log an error and stop monitoring.
	// (This function should be called from a goroutine.)
	Monitor(canary ChainName, tables []TableName, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
	// HasRandomFully reveals whether `-j MASQUERADE` takes the
	// `--random-fully` option.  This is helpful to work around a
	// Linux kernel bug that sometimes causes multiple flows to get
	// mapped to the same IP:PORT and consequently some suffer packet
	// drops.
	HasRandomFully() bool

	GetChainLines(table TableName, bytes []byte) map[ChainName][]byte
}

type L3Protocol

type L3Protocol string

type L4Protocol

type L4Protocol string

type Mark

type Mark struct {
	// set-mark mark. This is used to set the netfilter mark value associated with the packet. Range: 2^32-1
	MarkValue uint32 `json:"--set-mark,omitempty"`
}

type Masquerade

type Masquerade struct {
	//	to-ports port[-port]. This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp
	Port string `json:"--to-ports,omitempty"`
}

func (*Masquerade) EnsurePort

func (m *Masquerade) EnsurePort() string

type Match

type Match struct {
	Source       net.IP `json:"source,omitempty"`
	Destination  net.IP `json:"destination,omitempty"`
	InInterface  string `json:"in-interface,omitempty"`
	OutInterface string `json:"out-interface,omitempty"`
	// contains filtered or unexported fields
}

type Option

type Option struct{}

type Policy

type Policy string

type RestoreCountersFlag

type RestoreCountersFlag bool

RestoreCountersFlag is an option flag for Restore

const NoRestoreCounters RestoreCountersFlag = false

NoRestoreCounters a boolean false constant for the option flag RestoreCountersFlag

const RestoreCounters RestoreCountersFlag = true

RestoreCounters a boolean true constant for the option flag RestoreCountersFlag

type RulePosition

type RulePosition string
const (
	// Prepend is the insert flag for iptable
	Prepend RulePosition = "-I"
	// Append is the append flag for iptable
	Append RulePosition = "-A"
)

type Snat

type Snat struct {
	//to-source ipaddr[-ipaddr][:port-port]. port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.
	Source string `json:"--to-source,omitempty"`
}

func (*Snat) EnsureSource

func (s *Snat) EnsureSource() string

type TableName

type TableName string

type Target

type Target struct {
	Balance    Balance    `json:"BALANCE,omitempty"`
	ConnMark   ConnMark   `json:"CONNMARK,omitempty"`
	Dnat       Dnat       `json:"DNAT,omitempty"`
	Mark       Mark       `json:"MARK,omitempty"`
	Masquerade Masquerade `json:"MASQUERADE,omitempty"`
	Snat       Snat       `json:"SNAT,omitempty"`
}

type TargetCommand

type TargetCommand string
const (
	BALANCE    TargetCommand = "BALANCE"
	CONNMARK   TargetCommand = "CONNMARK"
	DNAT       TargetCommand = "DNAT"
	MARK       TargetCommand = "MARK"
	MASQUERADE TargetCommand = "MASQUERADE"
	SNAT       TargetCommand = "SNAT"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL