Documentation
¶
Overview ¶
Package iptables provides an interface and implementations for running iptables commands.
Index ¶
Constants ¶
const LockfilePath14x = "@xtables"
LockfilePath14x is the iptables 1.4.x lock file acquired by any process that's making any change in the iptable rule
const LockfilePath16x = "/run/xtables.lock"
LockfilePath16x is the iptables 1.6.x lock file acquired by any process that's making any change in the iptable rule
const WaitIntervalString = "-W"
WaitIntervalString a constant for specifying the wait interval flag
const WaitIntervalUsecondsValue = "100000"
WaitIntervalUsecondsValue a constant for specifying the default wait interval useconds
const WaitSecondsValue = "5"
WaitSecondsValue a constant for specifying the default wait seconds
const WaitString = "-w"
WaitString a constant for specifying the wait flag
Variables ¶
var MinCheckVersion = utilversion.MustParseGeneric("1.4.11")
MinCheckVersion minimum version to be checked Versions of iptables less than this do not support the -C / --check flag (test whether a rule exists).
var RandomFullyMinVersion = utilversion.MustParseGeneric("1.6.2")
RandomFullyMinVersion is the minimum version from which the --random-fully flag is supported, used for port mapping to be fully randomized
var WaitIntervalMinVersion = utilversion.MustParseGeneric("1.6.1")
WaitIntervalMinVersion a minimum iptables versions supporting the wait interval useconds
var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")
WaitMinVersion a minimum iptables versions supporting the -w and -w<seconds> flags
var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")
WaitRestoreMinVersion a minimum iptables versions supporting the wait restore seconds
var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")
WaitSecondsMinVersion a minimum iptables versions supporting the wait seconds
Functions ¶
func GetChainsFromTable ¶ added in v1.25.0
GetChainsFromTable parses iptables-save data to find the chains that are defined. It assumes that save contains a single table's data, and returns a map with keys for every chain defined in that table.
func IsNotFoundError ¶ added in v1.2.0
IsNotFoundError returns true if the error indicates "not found". It parses the error string looking for known values, which is imperfect; beware using this function for anything beyond deciding between logging or ignoring an error.
func MakeChainLine ¶ added in v1.3.0
MakeChainLine return an iptables-save/restore formatted chain line given a Chain
Types ¶
type Chain ¶
type Chain string
Chain represents the different rules
const ( // ChainPostrouting used for source NAT in nat table ChainPostrouting Chain = "POSTROUTING" // ChainPrerouting used for DNAT (destination NAT) in nat table ChainPrerouting Chain = "PREROUTING" // ChainOutput used for the packets going out from local ChainOutput Chain = "OUTPUT" // ChainInput used for incoming packets ChainInput Chain = "INPUT" // ChainForward used for the packets for another NIC ChainForward Chain = "FORWARD" )
type Interface ¶
type Interface interface {
// EnsureChain checks if the specified chain exists and, if not, creates it. If the chain existed, return true.
EnsureChain(table Table, chain Chain) (bool, error)
// FlushChain clears the specified chain. If the chain did not exist, return error.
FlushChain(table Table, chain Chain) error
// DeleteChain deletes the specified chain. If the chain did not exist, return error.
DeleteChain(table Table, chain Chain) error
// ChainExists tests whether the specified chain exists, returning an error if it
// does not, or if it is unable to check.
ChainExists(table Table, chain Chain) (bool, error)
// EnsureRule checks if the specified rule is present and, if not, creates it. If the rule existed, return true.
EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error)
// DeleteRule checks if the specified rule is present and, if so, deletes it.
DeleteRule(table Table, chain Chain, args ...string) error
// IsIPv6 returns true if this is managing ipv6 tables.
IsIPv6() bool
// Protocol returns the IP family this instance is managing,
Protocol() Protocol
// SaveInto calls `iptables-save` for table and stores result in a given buffer.
SaveInto(table Table, buffer *bytes.Buffer) error
// Restore runs `iptables-restore` passing data through []byte.
// table is the Table to restore
// data should be formatted like the output of SaveInto()
// flush sets the presence of the "--noflush" flag. see: FlushFlag
// counters sets the "--counters" flag. see: RestoreCountersFlag
Restore(table Table, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
// RestoreAll is the same as Restore except that no table is specified.
RestoreAll(data []byte, flush FlushFlag, counters RestoreCountersFlag) error
// Monitor detects when the given iptables tables have been flushed by an external
// tool (e.g. a firewall reload) by creating canary chains and polling to see if
// they have been deleted. (Specifically, it polls tables[0] every interval until
// the canary has been deleted from there, then waits a short additional time for
// the canaries to be deleted from the remaining tables as well. You can optimize
// the polling by listing a relatively empty table in tables[0]). When a flush is
// detected, this calls the reloadFunc so the caller can reload their own iptables
// rules. If it is unable to create the canary chains (either initially or after
// a reload) it will log an error and stop monitoring.
// (This function should be called from a goroutine.)
Monitor(canary Chain, tables []Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
// HasRandomFully reveals whether `-j MASQUERADE` takes the
// `--random-fully` option. This is helpful to work around a
// Linux kernel bug that sometimes causes multiple flows to get
// mapped to the same IP:PORT and consequently some suffer packet
// drops.
HasRandomFully() bool
// Present checks if the kernel supports the iptable interface
Present() bool
}
Interface is an injectable interface for running iptables commands. Implementations must be goroutine-safe.
type LineData ¶ added in v1.24.0
type LineData struct {
// Line holds the line number (the first line is 1).
Line int
// The data of the line.
Data string
}
LineData represents a single numbered line of data.
func ExtractLines ¶ added in v1.24.0
ExtractLines extracts the -count and +count data from the lineNum row of lines and return NOTE: lines start from line 1
type ParseError ¶ added in v1.24.0
type ParseError interface {
// Line returns the line number on which the parse error was reported.
// NOTE: First line is 1.
Line() int
// Error returns the error message of the parse error, including line number.
Error() string
}
ParseError records the payload when iptables reports an error parsing its input.
type Protocol ¶ added in v0.5.1
type Protocol string
Protocol defines the ip protocol either ipv4 or ipv6
type RestoreCountersFlag ¶ added in v1.1.0
type RestoreCountersFlag bool
RestoreCountersFlag is an option flag for Restore
const NoRestoreCounters RestoreCountersFlag = false
NoRestoreCounters a boolean false constant for the option flag RestoreCountersFlag
const RestoreCounters RestoreCountersFlag = true
RestoreCounters a boolean true constant for the option flag RestoreCountersFlag
type RulePosition ¶ added in v0.18.0
type RulePosition string
RulePosition holds the -I/-A flags for iptable
const ( // Prepend is the insert flag for iptable Prepend RulePosition = "-I" // Append is the append flag for iptable Append RulePosition = "-A" )
Source Files
Directories