Documentation ¶
Index ¶
- Constants
- func Concat(args ...interface{}) string
- func IsAlreadyExists(err error) bool
- func IsNotFound(err error) bool
- func ParsePriority(family Family, priority string) (int, error)
- func PtrTo[T any](val T) *T
- type BaseChainHook
- type BaseChainPriority
- type BaseChainType
- type Chain
- type Element
- type Fake
- func (fake *Fake) Check(_ context.Context, tx *Transaction) error
- func (fake *Fake) Dump() string
- func (fake *Fake) List(_ context.Context, objectType string) ([]string, error)
- func (fake *Fake) ListElements(_ context.Context, objectType, name string) ([]*Element, error)
- func (fake *Fake) ListRules(_ context.Context, chain string) ([]*Rule, error)
- func (fake *Fake) NewTransaction() *Transaction
- func (fake *Fake) ParseDump(data string) (err error)
- func (fake *Fake) Run(_ context.Context, tx *Transaction) error
- type FakeChain
- type FakeMap
- type FakeSet
- type FakeTable
- type Family
- type Interface
- type Map
- type Object
- type Rule
- type Set
- type SetFlag
- type SetPolicy
- type Table
- type Transaction
- func (tx *Transaction) Add(obj Object)
- func (tx *Transaction) Create(obj Object)
- func (tx *Transaction) Delete(obj Object)
- func (tx *Transaction) Flush(obj Object)
- func (tx *Transaction) Insert(obj Object)
- func (tx *Transaction) NumOperations() int
- func (tx *Transaction) Replace(obj Object)
- func (tx *Transaction) String() string
Constants ¶
const ( // Maximum length of a table, chain, set, etc, name NameLengthMax = 256 // Maximum length of a comment CommentLengthMax = 128 )
Variables ¶
This section is empty.
Functions ¶
func Concat ¶
func Concat(args ...interface{}) string
Concat is a helper (primarily) for constructing Rule objects. It takes a series of arguments and concatenates them together into a single string with spaces between the arguments. Strings are output as-is, string arrays are output element by element, numbers are output as with `fmt.Sprintf("%d")`, and all other types are output as with `fmt.Sprintf("%s")`. To help with set/map lookup syntax, an argument of "@" will not be followed by a space, so you can do, eg, `Concat("ip saddr", "@", setName)`.
func IsAlreadyExists ¶
IsAlreadyExists tests if err corresponds to an nftables "already exists" error (e.g. when doing a "create" rather than an "add").
func IsNotFound ¶
IsNotFound tests if err corresponds to an nftables "not found" error of any sort. (e.g., in response to a "delete rule" command, this might indicate that the rule doesn't exist, or the chain doesn't exist, or the table doesn't exist.)
func ParsePriority ¶
ParsePriority tries to convert the string form of a chain priority into a number
Types ¶
type BaseChainHook ¶
type BaseChainHook string
BaseChainHook represents the "hook" that a base chain is attached to. See https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks and https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
const ( // PreroutingHook is the "prerouting" stage of packet processing, which is the // first stage (after "ingress") for inbound ("input path" and "forward path") // packets. PreroutingHook BaseChainHook = "prerouting" // InputHook is the "input" stage of packet processing, which happens after // "prerouting" for inbound packets being delivered to an interface on this host, // in this network namespace. InputHook BaseChainHook = "input" // ForwardHook is the "forward" stage of packet processing, which happens after // "prerouting" for inbound packets destined for a non-local IP (i.e. on another // host or in another network namespace) ForwardHook BaseChainHook = "forward" // OutputHook is the "output" stage of packet processing, which is the first stage // for outbound packets, regardless of their final destination. OutputHook BaseChainHook = "output" // PostroutingHook is the "postrouting" stage of packet processing, which is the // final stage (before "egress") for outbound ("forward path" and "output path") // packets. PostroutingHook BaseChainHook = "postrouting" // IngressHook is the "ingress" stage of packet processing, in the "netdev" family // or (with kernel >= 5.10 and nft >= 0.9.7) the "inet" family. IngressHook BaseChainHook = "ingress" // EgressHook is the "egress" stage of packet processing, in the "netdev" family // (with kernel >= 5.16 and nft >= 1.0.1). EgressHook BaseChainHook = "egress" )
type BaseChainPriority ¶
type BaseChainPriority string
BaseChainPriority represents the "priority" of a base chain. Lower values run earlier. See https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority and https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Priority_within_hook
In addition to the const values, you can also use a signed integer value, or an arithmetic expression consisting of a const value followed by "+" or "-" and an integer.
const ( // RawPriority is the earliest named priority. In particular, it can be used for // rules that need to run before conntrack. It is equivalent to the value -300 and // can be used in the ip, ip6, and inet families. RawPriority BaseChainPriority = "raw" // ManglePriority is the standard priority for packet-rewriting operations. It is // equivalent to the value -150 and can be used in the ip, ip6, and inet families. ManglePriority BaseChainPriority = "mangle" // DNATPriority is the standard priority for DNAT operations. In the ip, ip6, and // inet families, it is equivalent to the value -100. In the bridge family it is // equivalent to the value -300. In both cases it can only be used from the // prerouting hook. DNATPriority BaseChainPriority = "dstnat" // FilterPriority is the standard priority for filtering operations. In the ip, // ip6, inet, arp, and netdev families, it is equivalent to the value 0. In the // bridge family it is equivalent to the value -200. FilterPriority BaseChainPriority = "filter" // OutPriority is FIXME. It is equivalent to the value 300 and can only be used in // the bridge family. OutPriority BaseChainPriority = "out" // SecurityPriority is the standard priority for security operations ("where // secmark can be set for example"). It is equivalent to the value 50 and can be // used in the ip, ip6, and inet families. SecurityPriority BaseChainPriority = "security" // SNATPriority is the standard priority for SNAT operations. In the ip, ip6, and // inet families, it is equivalent to the value 100. In the bridge family it is // equivalent to the value 300. In both cases it can only be used from the // postrouting hook. SNATPriority BaseChainPriority = "srcnat" )
type BaseChainType ¶
type BaseChainType string
BaseChainType represents the "type" of a "base chain" (ie, a chain that is attached to a hook). See https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
const ( // FilterType is the chain type for basic packet filtering. FilterType BaseChainType = "filter" // NATType is the chain type for doing DNAT, SNAT, and masquerading. // NAT operations are only available from certain hooks. NATType BaseChainType = "nat" // RouteType is the chain type for rules that change the routing of packets. // Chains of this type can only be added to the "output" hook. RouteType BaseChainType = "route" )
type Chain ¶
type Chain struct { // Name is the name of the chain. Name string // Type is the chain type; this must be set for a base chain and unset for a // regular chain. Type *BaseChainType // Hook is the hook that the chain is connected to; this must be set for a base // chain and unset for a regular chain. Hook *BaseChainHook // Priority is the chain priority; this must be set for a base chain and unset for // a regular chain. You can call ParsePriority() to convert this to a number. Priority *BaseChainPriority // Device is the network interface that the chain is attached to; this must be set // for a base chain connected to the "ingress" or "egress" hooks, and unset for // all other chains. Device *string // Comment is an optional comment for the object. (Requires kernel >= 5.10 and // nft >= 0.9.7; otherwise this field will be silently ignored. Requires // nft >= 1.0.8 to include comments in List() results.) Comment *string // Handle is an identifier that can be used to uniquely identify an object when // deleting it. When adding a new object, this must be nil Handle *int }
Chain represents an nftables chain; either a "base chain" (if Type, Hook, and Priority are specified), or a "regular chain" (if they are not).
type Element ¶
type Element struct { // Set is the name of the set that contains this element (or the empty string if // this is a map element.) Set string // Map is the name of the map that contains this element (or the empty string if // this is a set element.) Map string // Key is the element key. (The list contains a single element for "simple" keys, // or multiple elements for concatenations.) Key []string // Value is the map element value. As with Key, this may be a single value or // multiple. For set elements, this must be nil. Value []string // Comment is an optional comment for the element Comment *string }
Element represents a set or map element
type Fake ¶
type Fake struct { // Table contains the Interface's table. This will be `nil` until you `tx.Add()` // the table. Table *FakeTable // LastTransaction is the last transaction passed to Run(). It will remain set until the // next time Run() is called. (It is not affected by Check().) LastTransaction *Transaction // contains filtered or unexported fields }
Fake is a fake implementation of Interface
func (*Fake) Check ¶
func (fake *Fake) Check(_ context.Context, tx *Transaction) error
Check is part of Interface
func (*Fake) Dump ¶
Dump dumps the current contents of fake, in a way that looks like an nft transaction.
func (*Fake) ListElements ¶
ListElements is part of Interface
func (*Fake) NewTransaction ¶
func (fake *Fake) NewTransaction() *Transaction
NewTransaction is part of Interface
type FakeMap ¶
type FakeMap struct { Map // Elements contains the map's elements. You can also use the FakeMap's // FindElement() method to see if a particular element is present. Elements []*Element }
FakeMap wraps Set for the Fake implementation
func (*FakeMap) FindElement ¶
FindElement finds an element of the map with the given key. If there is no matching element, it returns nil.
type FakeSet ¶
type FakeSet struct { Set // Elements contains the set's elements. You can also use the FakeSet's // FindElement() method to see if a particular element is present. Elements []*Element }
FakeSet wraps Set for the Fake implementation
func (*FakeSet) FindElement ¶
FindElement finds an element of the set with the given key. If there is no matching element, it returns nil.
type FakeTable ¶
type FakeTable struct { Table // Chains contains the table's chains, keyed by name Chains map[string]*FakeChain // Sets contains the table's sets, keyed by name Sets map[string]*FakeSet // Maps contains the table's maps, keyed by name Maps map[string]*FakeMap }
FakeTable wraps Table for the Fake implementation
type Family ¶
type Family string
Family is an nftables family
const ( // IPv4Family represents the "ip" nftables family, for IPv4 rules. IPv4Family Family = "ip" // IPv6Family represents the "ip6" nftables family, for IPv6 rules. IPv6Family Family = "ip6" // InetFamily represents the "inet" nftables family, for mixed IPv4 and IPv6 rules. InetFamily Family = "inet" // ARPFamily represents the "arp" nftables family, for ARP rules. ARPFamily Family = "arp" // BridgeFamily represents the "bridge" nftables family, for rules operating // on packets traversing a bridge. BridgeFamily Family = "bridge" // NetDevFamily represents the "netdev" nftables family, for rules operating on // the device ingress/egress path. NetDevFamily Family = "netdev" )
type Interface ¶
type Interface interface { // NewTransaction returns a new (empty) Transaction NewTransaction() *Transaction // Run runs a Transaction and returns the result. The IsNotFound and // IsAlreadyExists methods can be used to test the result. Run(ctx context.Context, tx *Transaction) error // Check does a dry-run of a Transaction (as with `nft --check`) and returns the // result. The IsNotFound and IsAlreadyExists methods can be used to test the // result. Check(ctx context.Context, tx *Transaction) error // List returns a list of the names of the objects of objectType ("chain", "set", // or "map") in the table. If there are no such objects, this will return an empty // list and no error. List(ctx context.Context, objectType string) ([]string, error) // ListRules returns a list of the rules in a chain, in order. If no chain name is // specified, then all rules within the table will be returned. Note that at the // present time, the Rule objects will have their `Comment` and `Handle` fields // filled in, but *not* the actual `Rule` field. So this can only be used to find // the handles of rules if they have unique comments to recognize them by, or if // you know the order of the rules within the chain. If the chain exists but // contains no rules, this will return an empty list and no error. ListRules(ctx context.Context, chain string) ([]*Rule, error) // ListElements returns a list of the elements in a set or map. (objectType should // be "set" or "map".) If the set/map exists but contains no elements, this will // return an empty list and no error. ListElements(ctx context.Context, objectType, name string) ([]*Element, error) }
Interface is an interface for running nftables commands against a given family and table.
type Map ¶
type Map struct { // Name is the name of the map. Name string // Type is the type of the map key and value (eg "ipv4_addr : verdict"). Either // Type or TypeOf, but not both, must be non-empty. Type string // TypeOf is the type of the set key as an nftables expression (eg "ip saddr : verdict"). // Either Type or TypeOf, but not both, must be non-empty. (Requires at least nft 0.9.4, // and newer than that for some types.) TypeOf string // Flags are the map flags Flags []SetFlag // Timeout is the time that an element will stay in the set before being removed. // (Optional; mandatory for sets that will be added to from the packet path) Timeout *time.Duration // GCInterval is the interval at which timed-out elements will be removed from the // set. (Optional; FIXME DEFAULT) GCInterval *time.Duration // Size if the maximum numer of elements in the set. // (Optional; mandatory for sets that will be added to from the packet path) Size *uint64 // Policy is the FIXME Policy *SetPolicy // Comment is an optional comment for the object. (Requires kernel >= 5.10 and // nft >= 0.9.7; otherwise this field will be silently ignored.) Comment *string // Handle is an identifier that can be used to uniquely identify an object when // deleting it. When adding a new object, this must be nil Handle *int }
Map represents the definition of an nftables map (but not its elements)
type Object ¶
type Object interface {
// contains filtered or unexported methods
}
Object is the interface for an nftables object. All of the concrete object types implement this interface.
type Rule ¶
type Rule struct { // Chain is the name of the chain that contains this rule Chain string // Rule is the rule in standard nftables syntax. (Should be empty on Delete, but // is ignored if not.) Note that this does not include any rule comment, which is // separate from the rule itself. Rule string // Comment is an optional comment for the rule. Comment *string // Index is the number of a rule (counting from 0) to Add this Rule after or // Insert it before. Cannot be specified along with Handle. If neither Index // nor Handle is specified then Add appends the rule the end of the chain and // Insert prepends it to the beginning. Index *int // Handle is a rule handle. In Add or Insert, if set, this is the handle of // existing rule to put the new rule after/before. In Delete or Replace, this // indicates the existing rule to delete/replace, and is mandatory. In the result // of a List, this will indicate the rule's handle that can then be used in a // later operation. Handle *int }
Rule represents a rule in a chain
type Set ¶
type Set struct { // Name is the name of the set. Name string // Type is the type of the set key (eg "ipv4_addr"). Either Type or TypeOf, but // not both, must be non-empty. Type string // TypeOf is the type of the set key as an nftables expression (eg "ip saddr"). // Either Type or TypeOf, but not both, must be non-empty. (Requires at least nft // 0.9.4, and newer than that for some types.) TypeOf string // Flags are the set flags Flags []SetFlag // Timeout is the time that an element will stay in the set before being removed. // (Optional; mandatory for sets that will be added to from the packet path) Timeout *time.Duration // GCInterval is the interval at which timed-out elements will be removed from the // set. (Optional; FIXME DEFAULT) GCInterval *time.Duration // Size if the maximum numer of elements in the set. // (Optional; mandatory for sets that will be added to from the packet path) Size *uint64 // Policy is the FIXME Policy *SetPolicy // AutoMerge indicates that adjacent/overlapping set elements should be merged // together (only for interval sets) AutoMerge *bool // Comment is an optional comment for the object. (Requires kernel >= 5.10 and // nft >= 0.9.7; otherwise this field will be silently ignored.) Comment *string // Handle is an identifier that can be used to uniquely identify an object when // deleting it. When adding a new object, this must be nil Handle *int }
Set represents the definition of an nftables set (but not its elements)
type SetFlag ¶
type SetFlag string
SetFlag represents a set or map flag
const ( // ConstantFlag is a flag indicating that the set/map is constant. FIXME UNDOCUMENTED ConstantFlag SetFlag = "constant" // DynamicFlag is a flag indicating that the set contains stateful objects // (counters, quotas, or limits) that will be dynamically updated. DynamicFlag SetFlag = "dynamic" // IntervalFlag is a flag indicating that the set contains either CIDR elements or // IP ranges. IntervalFlag SetFlag = "interval" // TimeoutFlag is a flag indicating that the set/map has a timeout after which // dynamically added elements will be removed. (It is set automatically if the // set/map has a Timeout.) TimeoutFlag SetFlag = "timeout" )
type Table ¶
type Table struct { // Comment is an optional comment for the table. (Requires kernel >= 5.10 and // nft >= 0.9.7; otherwise this field will be silently ignored. Requires // nft >= 1.0.8 to include comments in List() results.) Comment *string // Handle is an identifier that can be used to uniquely identify an object when // deleting it. When adding a new object, this must be nil. Handle *int }
Table represents an nftables table.
type Transaction ¶
type Transaction struct {
// contains filtered or unexported fields
}
Transaction represents an nftables transaction
func (*Transaction) Add ¶
func (tx *Transaction) Add(obj Object)
Add adds an "nft add" operation to tx, ensuring that obj exists by creating it if it did not already exist. (If obj is a Rule, it will be appended to the end of its chain, or else added after the Rule indicated by this rule's Index or Handle.) The Add() call always succeeds, but if obj is invalid, or inconsistent with the existing nftables state, then an error will be returned when the transaction is Run.
func (*Transaction) Create ¶
func (tx *Transaction) Create(obj Object)
Create adds an "nft create" operation to tx, creating obj, which must not already exist. (If obj is a Rule, it will be appended to the end of its chain, or else added after the Rule indicated by this rule's Index or Handle.) The Create() call always succeeds, but if obj is invalid, already exists, or is inconsistent with the existing nftables state, then an error will be returned when the transaction is Run.
func (*Transaction) Delete ¶
func (tx *Transaction) Delete(obj Object)
Delete adds an "nft delete" operation to tx, deleting obj. The Delete() call always succeeds, but if obj does not exist or cannot be deleted based on the information provided (eg, Handle is required but not set) then an error will be returned when the transaction is Run.
func (*Transaction) Flush ¶
func (tx *Transaction) Flush(obj Object)
Flush adds an "nft flush" operation to tx, clearing the contents of obj. The Flush() call always succeeds, but if obj does not exist (or does not support flushing) then an error will be returned when the transaction is Run.
func (*Transaction) Insert ¶
func (tx *Transaction) Insert(obj Object)
Insert adds an "nft insert" operation to tx, inserting obj (which must be a Rule) at the start of its chain, or before the other Rule indicated by this rule's Index or Handle. The Insert() call always succeeds, but if obj is invalid or is inconsistent with the existing nftables state, then an error will be returned when the transaction is Run.
func (*Transaction) NumOperations ¶ added in v0.0.17
func (tx *Transaction) NumOperations() int
NumOperations returns the number of operations queued in the transaction.
func (*Transaction) Replace ¶
func (tx *Transaction) Replace(obj Object)
Replace adds an "nft replace" operation to tx, replacing an existing rule with obj (which must be a Rule). The Replace() call always succeeds, but if obj is invalid, does not contain the Handle of an existing rule, or is inconsistent with the existing nftables state, then an error will be returned when the transaction is Run.
func (*Transaction) String ¶
func (tx *Transaction) String() string
String returns the transaction as a string containing the nft commands; if there is a pending error, it will be output as a comment at the end of the transaction.