Documentation ¶
Index ¶
- Constants
- func CheckIPRuleSupportsV6(logf logger.Logf) error
- func DebugIptables(logf logger.Logf) error
- func DebugNetfilter(logf logger.Logf) error
- func DetectIptables() (int, error)
- func DetectNetfilter() (int, error)
- func IPTablesCleanup(logf logger.Logf)
- func NewIPTablesRunner(logf logger.Logf) (*iptablesRunner, error)
- func NewNfTablesRunner(logf logger.Logf) (*nftablesRunner, error)
- func NfTablesCleanUp(logf logger.Logf)
- type FWModeNotSupportedError
- type FirewallMode
- type MatchDecision
Constants ¶
const (
	// The mask for reading/writing the 'firewall mask' bits on a packet.
	// See the comment on the const block on why we only use the third byte.
	//
	// We claim bits 16:23 entirely. For now we only use the lower four
	// bits, leaving the higher 4 bits for future use.
	TailscaleFwmarkMask    = "0xff0000"
	TailscaleFwmarkMaskNum = 0xff0000

	// Packet is from Tailscale and to a subnet route destination, so
	// is allowed to be routed through this machine.
	TailscaleSubnetRouteMark    = "0x40000"
	TailscaleSubnetRouteMarkNum = 0x40000

	// Packet was originated by tailscaled itself, and must not be
	// routed over the Tailscale network.
	TailscaleBypassMark    = "0x80000"
	TailscaleBypassMarkNum = 0x80000
)
The following bits are added to packet marks for Tailscale use.
We tried to pick bits sufficiently out of the way that it's unlikely to collide with existing uses. We have 4 bytes of mark bits to play with. We leave the lower byte alone on the assumption that sysadmins would use those. Kubernetes uses a few bits in the second byte, so we steer clear of that too.
Empirically, most of the documentation on packet marks on the internet gives the impression that the marks are 16 bits wide. Based on this, we theorize that the upper two bytes are relatively unused in the wild, and so we consume bits 16:23 (the third byte).
The constants are in the iptables/iproute2 string format for matching and setting the bits, so they can be directly embedded in commands.
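The mask semantics described above, as an added example that is not code from the linuxfw package: the mark values are copied from the constants block, while the helper functions, the sysadmin mark in the low byte, the kube-proxy masquerade mark 0x4000 and the "table main" ip rule are assumptions made for illustration. It shows why matching and setting are always done as value/mask: only the third byte is compared or written, so marks that other tools keep in the other bytes survive and do not disturb Tailscale's rules.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Mark values copied from the linuxfw constants. Everything else in this
// file is an added illustration, not code from the linuxfw package.
const (
	tailscaleFwmarkMask         = "0xff0000"
	tailscaleFwmarkMaskNum      = 0xff0000
	tailscaleSubnetRouteMark    = "0x40000"
	tailscaleSubnetRouteMarkNum = 0x40000
	tailscaleBypassMark         = "0x80000"
	tailscaleBypassMarkNum      = 0x80000
)

// MarkMatches reports whether a packet mark matches value/mask the way the
// iptables "mark" match and "ip rule fwmark value/mask" do: only the bits
// selected by mask are compared, so marks kept by other tools in the other
// bytes do not affect the result.
func MarkMatches(pktMark, value, mask uint32) bool {
	return pktMark&mask == value&mask
}

// SetMark models "MARK --set-mark value/mask": the mask bits are cleared
// and value is OR-ed in, leaving every other bit of the mark untouched.
func SetMark(pktMark, value, mask uint32) uint32 {
	return (pktMark &^ mask) | (value & mask)
}

// ParseMark parses the string form of the constants. Base 0 makes strconv
// honour the "0x" prefix, so the string and numeric forms can be checked
// against each other.
func ParseMark(s string) (uint32, error) {
	v, err := strconv.ParseUint(s, 0, 32)
	if err != nil {
		return 0, fmt.Errorf("parse mark %q: %w", s, err)
	}
	return uint32(v), nil
}

// BypassIPRuleArgs embeds the string constants directly in an iproute2
// command, as the documentation says they are meant to be. Sending
// bypass-marked traffic to the main table is an assumed illustration.
func BypassIPRuleArgs() []string {
	return []string{"rule", "add", "fwmark",
		tailscaleBypassMark + "/" + tailscaleFwmarkMask, "table", "main"}
}

// CollidesWithTailscale reports whether another mark scheme's mask touches
// bits 16:23, the byte claimed by Tailscale.
func CollidesWithTailscale(foreignMask uint32) bool {
	return foreignMask&tailscaleFwmarkMaskNum != 0
}

// LayoutSane checks the invariants the constants rely on: both marks lie
// inside the mask and use disjoint bits, so a packet carrying one never
// matches the rule for the other.
func LayoutSane() bool {
	inMask := tailscaleSubnetRouteMarkNum&^tailscaleFwmarkMaskNum == 0 &&
		tailscaleBypassMarkNum&^tailscaleFwmarkMaskNum == 0
	disjoint := tailscaleSubnetRouteMarkNum&tailscaleBypassMarkNum == 0
	return inMask && disjoint
}

func main() {
	for _, s := range []string{tailscaleFwmarkMask, tailscaleSubnetRouteMark, tailscaleBypassMark} {
		v, err := ParseMark(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %#x\n", s, v)
	}
	// A sysadmin mark in the low byte (0x1, assumed) plus the bypass mark:
	// the Tailscale match still fires and the low byte survives.
	m := SetMark(0x1, tailscaleBypassMarkNum, tailscaleFwmarkMaskNum)
	fmt.Printf("mark %#x bypass=%v subnet=%v\n", m,
		MarkMatches(m, tailscaleBypassMarkNum, tailscaleFwmarkMaskNum),
		MarkMatches(m, tailscaleSubnetRouteMarkNum, tailscaleFwmarkMaskNum))
	fmt.Println("ip", strings.Join(BypassIPRuleArgs(), " "))
	// 0x4000 is kube-proxy's default masquerade mark (bit 14, second byte),
	// assumed here as a constructed sample of a foreign mark scheme.
	fmt.Println("kube-proxy 0x4000 collides:", CollidesWithTailscale(0x4000))
	fmt.Println("layout sane:", LayoutSane())
}
```

CollidesWithTailscale is the check to run before deploying any other fwmark-based tooling next to tailscaled: a scheme whose mask touches 0xff0000 can either clear the subnet-route mark (breaking forwarding) or set the bypass mark (leaking traffic off the tunnel).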
Variables ¶
This section is empty.
Functions ¶
func CheckIPRuleSupportsV6 ¶ added in v1.46.0
func DebugIptables ¶
DebugIptables prints debug information about iptables rules to the provided log function.
func DebugNetfilter ¶
DebugNetfilter prints debug information about netfilter rules to the provided log function.
func DetectIptables ¶
DetectIptables returns the number of iptables rules that are present in the system, ignoring the default "ACCEPT" rule present in the standard iptables chains.
It only returns an error when there is no iptables binary, or when iptables -S fails. In all other cases, it returns the number of non-default rules.
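The counting contract described above, as an added example that is not the package's own implementation: it counts the non-blank lines of "iptables -S" and skips only the default ACCEPT policy lines of the built-in chains, and it returns an error only when the command cannot be run. The sample output, the Runner abstraction and the chain names in it are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// CountNonDefaultRules applies the counting rule to the text of
// "iptables -S": every non-blank line counts except a default ACCEPT
// policy ("-P INPUT ACCEPT" and friends). A changed policy such as
// "-P FORWARD DROP", chain declarations (-N) and appended rules (-A) all
// count, since each is evidence that iptables is configured on the host.
// Added illustration of the documented behaviour, not the package's parser.
func CountNonDefaultRules(out string) int {
	n := 0
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) == 3 && f[0] == "-P" && f[2] == "ACCEPT" {
			continue // default policy of a built-in chain, not a rule
		}
		n++
	}
	return n
}

// Runner abstracts command execution so the error policy can be exercised
// without a real iptables binary (assumed helper type).
type Runner func(name string, args ...string) ([]byte, error)

// Detect mirrors the documented contract of DetectIptables: an error only
// when the binary is missing or "iptables -S" fails; otherwise the count
// of non-default rules, which may be zero.
func Detect(run Runner) (int, error) {
	out, err := run("iptables", "-S")
	if err != nil {
		return 0, fmt.Errorf("iptables -S: %w", err)
	}
	return CountNonDefaultRules(string(out)), nil
}

// sampleOutput is constructed "iptables -S" output: three policies, two
// user chains and three rules. The two ACCEPT policies are ignored, so the
// expected count is 6.
const sampleOutput = `-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ts-forward
-N ts-input
-A INPUT -j ts-input
-A FORWARD -j ts-forward
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
`

func main() {
	fake := func(name string, args ...string) ([]byte, error) {
		return []byte(sampleOutput), nil
	}
	n, err := Detect(fake)
	fmt.Println("sample:", n, err)

	missing := func(name string, args ...string) ([]byte, error) {
		return nil, exec.ErrNotFound
	}
	_, err = Detect(missing)
	fmt.Println("missing binary reported:", errors.Is(err, exec.ErrNotFound))

	// Real run, if the host has iptables in PATH and we may read rules.
	live := func(name string, args ...string) ([]byte, error) {
		return exec.Command(name, args...).Output()
	}
	if n, err := Detect(live); err != nil {
		fmt.Println("live:", err)
	} else {
		fmt.Println("live non-default rules:", n)
	}
}
```

Because the error is wrapped with %w, a caller can still tell "no iptables binary" (errors.Is(err, exec.ErrNotFound)) apart from "iptables -S failed", for instance from lack of CAP_NET_ADMIN, which is the distinction that matters when deciding whether to fall back to nftables or to abort.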
func DetectNetfilter ¶
DetectNetfilter returns the number of nftables rules present in the system.
func IPTablesCleanup ¶ added in v1.46.0
IPTablesCleanup removes all Tailscale added iptables rules. Any errors that occur are logged to the provided logf.
func NewIPTablesRunner ¶ added in v1.46.0
NewIPTablesRunner constructs a NetfilterRunner that programs iptables rules. If the underlying iptables library fails to initialize, that error is returned. The runner probes for IPv6 support once at initialization time and if not found, no IPv6 rules will be modified for the lifetime of the runner.
func NewNfTablesRunner ¶ added in v1.46.0
NewNfTablesRunner creates a new nftablesRunner without guaranteeing the existence of the tables and chains.
func NfTablesCleanUp ¶ added in v1.46.0
NfTablesCleanUp removes all Tailscale added nftables rules. Any errors that occur are logged to the provided logf.
Types ¶
type FWModeNotSupportedError ¶ added in v1.48.0
type FWModeNotSupportedError struct { Mode FirewallMode Err error }
func (FWModeNotSupportedError) Error ¶ added in v1.48.0
func (e FWModeNotSupportedError) Error() string
func (FWModeNotSupportedError) Is ¶ added in v1.48.0
func (e FWModeNotSupportedError) Is(target error) bool
func (FWModeNotSupportedError) Unwrap ¶ added in v1.48.0
func (e FWModeNotSupportedError) Unwrap() error
type FirewallMode ¶ added in v1.48.0
type FirewallMode string
const (
	FirewallModeIPTables FirewallMode = "iptables"
	FirewallModeNfTables FirewallMode = "nftables"
)
type MatchDecision ¶ added in v1.46.0
type MatchDecision int
MatchDecision is the decision made by the firewall for a packet matched by a rule. It is used to decide whether to accept or masquerade a packet in addMatchSubnetRouteMarkRule.
const (
	Accept MatchDecision = iota
	Masq
)
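How a MatchDecision turns into a rule, as an added example that is not the package's addMatchSubnetRouteMarkRule: the decision picks the jump target for a rule that matches TailscaleSubnetRouteMark, and a small first-match chain model shows what that rule does to packets with and without the mark. The mark values are copied from the constants above; the table and chain names and the DROP policy are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Values copied from the package constants; the rest of this file is an
// added illustration, not code from the linuxfw package.
const (
	tailscaleFwmarkMask         = "0xff0000"
	tailscaleFwmarkMaskNum      = 0xff0000
	tailscaleSubnetRouteMark    = "0x40000"
	tailscaleSubnetRouteMarkNum = 0x40000
)

type MatchDecision int

const (
	Accept MatchDecision = iota
	Masq
)

// Target maps a decision to the iptables jump target it implies.
func (d MatchDecision) Target() string {
	switch d {
	case Accept:
		return "ACCEPT"
	case Masq:
		return "MASQUERADE"
	}
	panic(fmt.Sprintf("unknown MatchDecision %d", d))
}

// SubnetRouteMarkRule builds the argument list for a rule that matches
// packets carrying the subnet route mark and applies the decision: ACCEPT
// in a filter chain lets them be forwarded, MASQUERADE in a nat chain
// SNATs them. Table and chain are the caller's (assumed) choice.
func SubnetRouteMarkRule(table, chain string, d MatchDecision) []string {
	return []string{
		"-t", table, "-A", chain,
		"-m", "mark", "--mark", tailscaleSubnetRouteMark + "/" + tailscaleFwmarkMask,
		"-j", d.Target(),
	}
}

// Rule and Evaluate model a chain's first-match behaviour just far enough
// to show the effect of the mark on a packet: the first rule whose
// value/mask matches decides, otherwise the chain policy applies.
type Rule struct {
	Value, Mask uint32
	Target      string
}

func Evaluate(chain []Rule, policy string, pktMark uint32) string {
	for _, r := range chain {
		if pktMark&r.Mask == r.Value&r.Mask {
			return r.Target
		}
	}
	return policy
}

func main() {
	accept := SubnetRouteMarkRule("filter", "ts-forward", Accept)
	masq := SubnetRouteMarkRule("nat", "ts-postrouting", Masq)
	fmt.Println("iptables", strings.Join(accept, " "))
	fmt.Println("iptables", strings.Join(masq, " "))

	// Constructed forward chain with a DROP policy: only marked traffic
	// gets through; a low-byte mark from another tool does not interfere,
	// and the bypass mark 0x80000 does not qualify.
	forward := []Rule{{tailscaleSubnetRouteMarkNum, tailscaleFwmarkMaskNum, Accept.Target()}}
	for _, m := range []uint32{0x40000, 0x40001, 0x80000, 0} {
		fmt.Printf("mark %#x in FORWARD -> %s\n", m, Evaluate(forward, "DROP", m))
	}
}
```

The point of keeping the mark match in both rules is that forwarding and masquerading are gated by the same classification: a packet that did not come from Tailscale towards an advertised subnet never matches, so a permissive host policy is not what lets it through.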
Source Files ¶
Directories ¶
Path | Synopsis
---|---
linuxfwtest | Package linuxfwtest contains tests for the linuxfw package.