nftableslib

package module
v0.0.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 2, 2023 License: Apache-2.0 Imports: 14 Imported by: 0

README

Build Status

nftableslib - a library for Golang to talk to Netfilter

nftableslib is a library offering an interface to Netfilter tables. It is based on "github.com/google/nftables" and offers a higher level of abstraction. It allows to create tables, chains and rules. Once table is creates, a caller can request this table's Chains interface to create chains within this table. Similarly, once chain is created, a caller can request this chain's Rules interface to create rules for this chain.

A caller defines netfilter rule by means of a Rule struct.

Rule contains parameters for a rule to configure L3(ip/ipv6) and L4(tcp/udp/port) parameters.

type Rule struct {
	Fib        *Fib
	L3         *L3Rule
	L4         *L4Rule
	Conntracks []*Conntrack
	Meta       *Meta
	Log        *Log
	RelOp      Operator
	Action     *RuleAction
	UserData   []byte
}

Meta Allows to specify additional matching criteria, for more details on supported keys, see Meta Expressions section in nft man document

Log Allows to trigger logging for a specific rule. The helper function SetLog(key int, value []byte) allows to customize certain logging parameters, below is the list of supported keys and values type:

Keyword Description Type
unix.NFTA_LOG_PREFIX Log message prefix string
unix.NFTA_LOG_LEVEL Syslog level of logging emerg, alert, crit, err, warn [default], notice, info, debug
unix.NFTA_LOG_GROUP FLOG group to send messages to uint16
unix.NFTA_LOG_SNAPLEN Length of packet payload to include in netlink message uint32
unix.NFTA_LOG_QTHRESHOLD Number of packets to queue inside the kernel before sending them to userspace uint32

Exclude flag is true when the condition specified by the rules should be inverted. Example, L4 condition specifies match on tcp traffic for a range of ports 1025-1028, setting Exclude to true will match every tcp port with the exception of the ports specified in the range.

RuleAction defines what action needs to be executed on the rule match. Currently, there are two choices, Verdict type and Redirect.

SetVerdict(key int, chain ...string) function defines the verdict based on passed arguments and returns *RuleActionan action. In some cases Verdict can be used without any conditions to be the last action in the chain. Example, when chain has default policy of Accept, but you want the traffic which did not match any condition to be dropped.

SetRedirectport int, tproxy bool function defines the redirection or where the traffic matching condition should be fowarded to. If transparent proxy is required, tproxy parameter should be set to true

A single rule can carry L3 and L4 parameteres. L3 and L4 can be combined in the same rule. Redirect requires either L3 or L4, if there is no condition to match some traffic validation of a rule will fail.

L4 parameters are defined by L4 type:

type L4Rule struct {
	L4Proto uint8
	Src     *Port
	Dst     *Port
	RelOp   Operator
}

L3 parameters are defined by L3 type:

type L3Rule struct {
	Src      *IPAddrSpec
	Dst      *IPAddrSpec
	Version  *byte
	Protocol *uint32
	RelOp    Operator
}

Version parameter is used to match against a particular IP protocol version. Example, all IPv4 or all IPv6 traffic.

Protocol parameter is used to match a specific L4 protocol, example all TCP or UDP or ICMP traffic

Rule type offers Validation method which checks all parameters provided in Rule structure for consistency.

Here is example of programming a simple L3 rule:

package main

import (
	"fmt"
	"net"
	"os"

	"golang.org/x/sys/unix"

	"github.com/google/nftables"
	"github.com/sbezverk/nftableslib"
)

func main() {
	// Initializing netlink connection for a global namespace,
	// if non-global namespace is needed, namespace id must be specified in InitConn
	conn := nftableslib.InitConn()
	// Initializing nftableslib
	ti := nftableslib.InitNFTables(conn)

	// Clean up previously defined nf tables
	conn.FlushRuleset()

	// Creating nf table for IPv4 family
	ti.Tables().Create("ipv4table", nftables.TableFamilyIPv4)

	// Alternatively ti.Tables().CreateImm("ipv4table", nftables.TableFamilyIPv4) could be 
	// used which does not require following conn.Flush()
	// There is CreateImm api call for tables, chains and rules following the same pattern, 
	// the result of calling them would be immediate programming in kernel table,chain or a rule.

	// Pushing table config to nf tables module
	// Pushing config after each create is not mandatory, it is done for debugging purposes.
	if err := conn.Flush(); err != nil {
		fmt.Printf("Failed to programm nftable with error: %+v\n", err)
		os.Exit(1)
	}

	// Getting Chains Interface for just created table
	ci, err := ti.Tables().Table("ipv4table", nftables.TableFamilyIPv4)
	if err != nil {
		fmt.Printf("Failed to get chains interface for table ipv4table with error: %+v\n", err)
		os.Exit(1)
	}
	
	// Creating new chain
	ci.Chains().Create("ipv4chain-1", nftables.ChainHookPrerouting,
		nftables.ChainPriorityFirst, nftables.ChainTypeFilter)
	
	if err := conn.Flush(); err != nil {
		fmt.Printf("Failed to programm nftable with error: %+v\n", err)
		os.Exit(1)
	}
	// Specifying L3 rule if ipv4 traffic is source from one of these ip addresses
	// stiop processing.
	ruleAction, err := nftableslib.SetVerdict(unix.NFT_JUMP, "fake-chain-1")
	if err != nil {
		fmt.Printf("Failed to set the verdict with error: %+v\n", err)
		os.Exit(1)
	}
	ipv4addr1, _ := nftableslib.NewIPAddr("1.2.3.4")
	ipv4addr2, _ := nftableslib.NewIPAddr("2.3.4.5")
	rule1 := nftableslib.Rule{
		L3: &nftableslib.L3Rule{
			Src: &nftableslib.IPAddrSpec{
				List: []*nftableslib.IPAddr{ipv4addr1,ipv4addr2},
			},
		},
        Action: ruleAction,
		Exclude: false,
	}
	// Getting Rules interface from chain ipv4chain-1
	ri, err := ci.Chains().Chain("ipv4chain-1")
	if err != nil {
		fmt.Printf("Failed to get rules interface for chain ipv4chain-1 with error: %+v\n", err)
		os.Exit(1)
	}
	// Creating rule
	if err := ri.Rules().Create("ipv4rule-1", &rule1); err != nil {
		fmt.Printf("failed to create chain with error: %+v, exiting...\n", err)
		os.Exit(1)
	}
	// Final programming
	if err := conn.Flush(); err != nil {
		fmt.Printf("Failed to programm nftable with error: %+v\n", err)
		os.Exit(1)
	}
}

As a result of execution of this program, nft client displays the following configuration:

sudo nft list table ip ipv4table
table ip ipv4table {
	set ipv4rule-1 {
		type ipv4_addr
		flags constant
		elements = { 1.2.3.4, 2.3.4.5 }
	}

	chain ipv4chain-1 {
		type filter hook prerouting priority -2147483648; policy accept;
		ip saddr == @ipv4rule-1 jump fake-chain-1
	}
}

Documentation

Index

Constants

View Source 
const (
	// ChainPolicyAccept defines "accept" chain policy
	ChainPolicyAccept ChainPolicy = 1
	// ChainPolicyDrop defines "drop" chain policy
	ChainPolicyDrop ChainPolicy = 0
	// ChainReadyTimeout defines maximum time to wait for a chain to be ready
	ChainReadyTimeout = time.Millisecond * 100
	// ChainDeleteTimeout defines maximum time to wait for a chain to be ready
	ChainDeleteTimeout = time.Second * 60
)
View Source 
const (
	// NFT_DROP defines Drop action for a verdict
	NFT_DROP = 0x0
	// NFT_ACCEPT defines Accept action for a verdict
	NFT_ACCEPT = 0x1
)

By some reason github.com/golang/unix does not define these constants but they can by used in a Verdict.

View Source 
const (
	// MaxCommentLength defines Maximum Length of Rule's Comment field
	MaxCommentLength = 127
)

Variables

View Source 
var (
	CTStateNew         uint32 = 0x08000000
	CTStateRelated     uint32 = 0x04000000
	CTStateEstablished uint32 = 0x02000000
	CTStateInvalid     uint32 = 0x01000000
)

Define States of Connection tracking State key

Functions

func GenSetKeyType 

func GenSetKeyType(types ...nftables.SetDatatype) nftables.SetDatatype

GenSetKeyType generates a composite key type, combining all types

func InitConn 

func InitConn(netns ...int) *nftables.Conn

InitConn initializes netlink connection of the nftables family

func IsNFTablesOn 

func IsNFTablesOn() bool

IsNFTablesOn detects whether nf_tables module is loaded or not, it return true is ListChains call succeeds, otherwise it return false.

func L3Protocol 

func L3Protocol(proto int) *uint32

L3Protocol is a helper function to convert a value of L3 protocol to the type required by L3Rule *uint32

func MakeConcatElement 

func MakeConcatElement(keys []nftables.SetDatatype,
	vals []ElementValue, ra *RuleAction) (*nftables.SetElement, error)

MakeConcatElement creates an element of a set/map as a concatination of standard SetDatatypes example: nftables.TypeIPAddr and nftables.TypeInetService

func MakeElement 

func MakeElement(input *ElementValue) ([]nftables.SetElement, error)

MakeElement creates a list of Elements for IPv4 or IPv6 address, slice of IPAddrElement carries IP address which will be used as a key in the element, and 3 possible values depending on the type of a set. Value could be IP address as a string, Port as uint16 and a nftables.Verdict For IPv4 addresses ipv4 bool should be set to true, otherwise IPv6 addresses are expected.

func MakeRuleComment 

func MakeRuleComment(s string) []byte

MakeRuleComment makes NFTNL_UDATA_RULE_COMMENT TLV. Length of TLV is 1 bytes as a result, the maximum comment length is 254 bytes.

func SetPortList 

func SetPortList(ports []int) []*uint16

SetPortList is a helper function which transforms a slice of int into a format required by Port struct

func SetPortRange 

func SetPortRange(ports [2]int) [2]*uint16

SetPortRange is a helper function which transforms an 2 element array of int into a format required by Port struct

Types

type ChainAttributes 

type ChainAttributes struct {
	Type     nftables.ChainType
	Hook     *nftables.ChainHook
	Priority *nftables.ChainPriority
	Device   string
	Policy   *ChainPolicy
}

ChainAttributes defines attributes which can be apply to a chain of BASE type

func (*ChainAttributes) Validate 

func (cha *ChainAttributes) Validate() error

Validate validate attributes passed for a base chain creation

type ChainFuncs 

type ChainFuncs interface {
	Chain(name string) (RulesInterface, error)
	Create(name string, attributes *ChainAttributes) error
	CreateImm(name string, attributes *ChainAttributes) error
	Delete(name string) error
	DeleteImm(name string) error
	Exist(name string) bool
	Sync() error
	Dump() ([]byte, error)
	Get() ([]string, error)
}

ChainFuncs defines funcations to operate with chains

type ChainPolicy 

type ChainPolicy uint32

ChainPolicy defines type for chain policies

type ChainsInterface 

type ChainsInterface interface {
	Chains() ChainFuncs
}

ChainsInterface defines third level interface operating with nf chains

type Concat 

type Concat struct {
	Elements []*ConcatElement
	// VMap defines if concatination is used with verdict map, if set to true
	// Rule's Action will be ignored as the action is stored in the verdict of the map.
	VMap bool
	// SetRef defines name and id of map for
	SetRef *SetRef
}

Concat defines parameters of Concatination rule

type ConcatElement 

type ConcatElement struct {
	// Etype defines an element type as defined in github.com/google/nftables
	// example nftables.InetService or nftables.IPAddr
	EType nftables.SetDatatype
	// EProto defines a protocol as defined in golang.org/x/sys/unix
	EProto byte
	// ESource defines a direction, if true then element is saddr or sport,
	// if false then daddr or dport
	ESource bool
	// EMask defines mask of the element, mostly used along with IPAddr
	EMask []byte
}

ConcatElement defines 1 element of Concatination rule

type Conntrack 

type Conntrack struct {
	Key   uint32
	Value []byte
}

Conntrack defines a key and value for Ccnnection tracking

type Counter 

type Counter struct {
}

Counter indicates a presence of a counter object in the rule

type Dynamic 

type Dynamic struct {
	Match MatchType
	// Op defines an operation, supported operations are Add and Update.
	Op uint32
	// Key defines a key to use for a new entry added to a Set or Map.
	Key uint32
	// SetRef defines a reference to the Set or Map that gets updated.
	SetRef *SetRef
	// Timeout defines an aging timeout for a new entry.
	Timeout time.Duration
	Invert  bool
}

Dynamic defines a rule which dynamically add or update a Set or Map based on an incoming packet.

type ElementValue 

type ElementValue struct {
	Addr   string
	Port   *uint16
	AddrIP *string
	Action *RuleAction
	// New members
	Integer     *uint32
	IPAddr      []byte
	EtherAddr   []byte
	InetProto   *byte
	InetService *uint16
	Mark        *uint32
}

ElementValue defines key:value of the element of the type nftables.TypeIPAddr if IPAddrElement is element of a basic set, then only Addr will be specified, if it is element of a map then either Port or AddrIP and if it is element of a vmap, then Verdict.

type Fib 

type Fib struct {
	ResultOIF      bool
	ResultOIFNAME  bool
	ResultADDRTYPE bool
	FlagSADDR      bool
	FlagDADDR      bool
	FlagMARK       bool
	FlagIIF        bool
	FlagOIF        bool
	FlagPRESENT    bool
	RelOp          Operator
	Data           []byte
}

Fib defines nftables Fib expression. Results and Flags can have multiple selections. Data is a slice of bytes, its content depends up on Result and Flags combination. Example: if fib expression specifies a particular address type, then Data would carry one of constants defined in golang.org/x/sys/unix RTN_UNICAST = 0x1 RTN_LOCAL = 0x2 RTN_BROADCAST = 0x3 RTN_ANYCAST = 0x4 RTN_MULTICAST = 0x5 RTN_BLACKHOLE = 0x6 RTN_UNREACHABLE = 0x7 RTN_PROHIBIT = 0x8 RTN_THROW = 0x9 RTN_NAT = 0xa RTN_XRESOLVE = 0xb

type IPAddr 

type IPAddr struct {
	*net.IPAddr
	CIDR bool
	Mask *uint8
}

IPAddr defines a type of ip address, if it is host address with mask of 32 for ipv4 and mask of 128 for ipv6 then CIDR should be false, if it is a network address, then CIDR should be true and Mask set to a number of bits in the address' mask. Mask value is from 0 to 32 for ipv4 and from 0 to 128 for ipv6 addresses.

func NewIPAddr 

func NewIPAddr(addr string) (*IPAddr, error)

NewIPAddr is a helper function which converts ip address into IPAddr format required by IPAddrSpec. If CIDR format is specified, Mask will be set to address' subnet mask and CIDR will e set to true

func (*IPAddr) IsIPv6 

func (ip *IPAddr) IsIPv6() bool

IsIPv6 is a helper function, it returns true if IPAddr struct holds IPv6 address, otherwise it returns false

func (*IPAddr) Validate 

func (ip *IPAddr) Validate() error

Validate checks validity of ip address and its parameters

type IPAddrSpec 

type IPAddrSpec struct {
	List   []*IPAddr
	Range  [2]*IPAddr
	SetRef *SetRef
	RelOp  Operator
}

IPAddrSpec lists possible flavours if specifying ip address, either List or Range can be specified

func (*IPAddrSpec) Validate 

func (ip *IPAddrSpec) Validate() error

Validate checks IPAddrSpec struct

type L3Rule 

type L3Rule struct {
	Src      *IPAddrSpec
	Dst      *IPAddrSpec
	Version  *byte
	Protocol *uint32
	RelOp    Operator
	Counter  *Counter
}

L3Rule contains parameters for L3 based rule, either Source or Destination can be specified

func (*L3Rule) Validate 

func (l3 *L3Rule) Validate() error

Validate checks parameters of L3Rule struct

type L4Rule 

type L4Rule struct {
	L4Proto uint8
	Src     *Port
	Dst     *Port
	RelOp   Operator
	Counter *Counter
}

L4Rule contains parameters for L4 based rule

func (*L4Rule) Validate 

func (l4 *L4Rule) Validate() error

Validate checks parameters of L4Rule struct

type Log 

type Log struct {
	Key   uint32
	Value []byte
}

Log defines nftables logging parameters for a rule

func SetLog 

func SetLog(key int, value []byte) (*Log, error)

SetLog is a helper function returning Log struct with validated values

type MatchAct 

type MatchAct struct {
	Match MatchType
	// MatchRef defines a reference to the named map { match criteria : integer }
	MatchRef *SetRef
	// ActElements defines a slice elements of type { integer : action }, these will be placed into
	// the anonymous action map.
	ActElement map[int]*RuleAction
}

MatchAct rule defines a special type of rules (no support yet by nft cli tool), where matching is done by referring to a named map { match criteria : integer } and action is defined in an anonymous vmap { integer : action }. The match returns a key which is used as input for action lookup in the anonymous vmap.

type MatchType 

type MatchType uint32

MatchType defines a matching criteria for an incoming packet. Only one of the criterias can be specified. 

const (
	// MatchTypeL3Src match Layer 3 source address
	MatchTypeL3Src MatchType = iota
	// MatchTypeL3Dst match Layer 3 destination address
	MatchTypeL3Dst
	// MatchTypeL4Src match Layer 4 source port
	MatchTypeL4Src
	// MatchTypeL4Dst match Layer 4 destination port
	MatchTypeL4Dst
)

type Meta 

type Meta struct {
	Mark *MetaMark
	Expr []MetaExpr
}

Meta defines parameters used to build nft meta expression

type MetaExpr 

type MetaExpr struct {
	Key   uint32
	Value []byte
	RelOp Operator
}

MetaExpr allows specifing Meta expressions by meta key and its value, example Key: unix.NFT_META_SKGID and Value: 1024

type MetaMark 

type MetaMark struct {
	Set   bool
	Value uint32
	Mask  uint32
}

MetaMark defines Mark keyword of Meta key Mark can be used either to Set or Match a mark. If Set is true, then the Value will be used to mark a packet, and if Set is false, then the Value will be used to match packet's mark against it. Mask can be used to test for or to set only particular bits in mark. If mask is 0, than it is not used at all.

type NATAttributes 

type NATAttributes struct {
	L3Addr      [2]*IPAddr
	Port        [2]uint16
	FullyRandom bool
	Random      bool
	Persistent  bool
}

NATAttributes defines parameters used to generate nftables nat rule it is used as input parameter to two helper functions SetSNAT and SetDNAT Either L3Addr or Port must be defined. When 2 elements of array are specified, then the range of either ip addresses or ports will be specified in NAT rule.

type NetNS 

type NetNS interface {
	Flush() error
	FlushRuleset()
	AddTable(*nftables.Table) *nftables.Table
	DelTable(*nftables.Table)
	ListTables() ([]*nftables.Table, error)
	AddChain(*nftables.Chain) *nftables.Chain
	DelChain(*nftables.Chain)
	ListChains() ([]*nftables.Chain, error)
	AddRule(*nftables.Rule) *nftables.Rule
	InsertRule(*nftables.Rule) *nftables.Rule
	ReplaceRule(*nftables.Rule) *nftables.Rule
	DelRule(*nftables.Rule) error
	GetRule(*nftables.Table, *nftables.Chain) ([]*nftables.Rule, error)
	AddSet(*nftables.Set, []nftables.SetElement) error
	DelSet(*nftables.Set)
	GetSets(*nftables.Table) ([]*nftables.Set, error)
	GetSetByName(*nftables.Table, string) (*nftables.Set, error)
	GetSetElements(*nftables.Set) ([]nftables.SetElement, error)
	SetAddElements(*nftables.Set, []nftables.SetElement) error
	SetDeleteElements(*nftables.Set, []nftables.SetElement) error
}

NetNS defines interface needed to nf tables

type Operator 

type Operator byte

Operator defines type used for relational operations in the rule 

const (
	EQ Operator = iota
	NEQ
)

List of supported relational operations, starts with 0. if not specified, default 0 inidcates eq operator

type Port 

type Port struct {
	List   []*uint16
	Range  [2]*uint16
	RelOp  Operator
	SetRef *SetRef
}

Port lists possible flavours of specifying port information

func (*Port) Validate 

func (p *Port) Validate() error

Validate check parameters of Port struct

type Rule 

type Rule struct {
	Concat     *Concat
	Dynamic    *Dynamic
	MatchAct   *MatchAct
	Fib        *Fib
	L3         *L3Rule
	L4         *L4Rule
	Conntracks []*Conntrack
	Meta       *Meta
	Log        *Log
	RelOp      Operator
	Counter    *Counter
	Action     *RuleAction
	UserData   []byte
	// Position identifies the desired position of the rule, depending on the operation
	// Add, Insert or Replace, the resulting position may vary.
	// AddRule with position 0, will add a rule to the end of the chain
	// AddRule with position != 0, will add a rule right after the rule with specified position
	// InsertRule with position 0 will insert a rule at the beginning of the chain
	// InsertRule with position != 0 will insert a rule right before the rule with specified position
	// Replace operation with position 0 will fail.
	Position int
}

Rule contains parameters for a rule to configure, only L3 OR L4 parameters can be specified

func (Rule) Validate 

func (r Rule) Validate() error

Validate checks parameters passed in struct and returns error if inconsistency is found

type RuleAction 

type RuleAction struct {
	// contains filtered or unexported fields
}

RuleAction defines what action needs to be executed on the rule match

func SetDNAT 

func SetDNAT(natAttrs *NATAttributes) (*RuleAction, error)

SetDNAT builds RuleAction struct for DNAT action

func SetLoadbalance 

func SetLoadbalance(chains []string, action int, mode int) (*RuleAction, error)

SetLoadbalance builds RuleAction struct for Verdict based actions, action parameter defines whether unix.NFT_JUMP (default) or unix.NFT_GOTO will be used to reach one of load balanced chains mode parameters defines the mode of load balancing between the chains; unix.NFT_NG_RANDOM (default) or unix.NFT_NG_INCREMENTAL.

func SetMasq 

func SetMasq(random, fullyRandom, persistent bool) (*RuleAction, error)

SetMasq builds RuleAction struct for Masquerade action

func SetMasqToPort 

func SetMasqToPort(port ...int) (*RuleAction, error)

SetMasqToPort builds RuleAction struct for Masquerade action

func SetRedirect 

func SetRedirect(port int, tproxy bool) (*RuleAction, error)

SetRedirect builds RuleAction struct for Redirect action

func SetReject 

func SetReject(rt int, rc int) (*RuleAction, error)

SetReject builds RuleAction struct for Reject action, rt defines Reject type ICMP or TCP rc defines ICMP Reject Code

func SetSNAT 

func SetSNAT(natAttrs *NATAttributes) (*RuleAction, error)

SetSNAT builds RuleAction struct for SNAT action

func SetVerdict 

func SetVerdict(key int, chain ...string) (*RuleAction, error)

SetVerdict builds RuleAction struct for Verdict based actions

func (*RuleAction) Validate 

func (ra *RuleAction) Validate() error

Validate method validates RuleAction parameters and returns error if inconsistency if found

type RuleFuncs 

type RuleFuncs interface {
	Create(*Rule) (uint32, error)
	CreateImm(*Rule) (uint64, error)
	Delete(uint32) error
	DeleteImm(uint64) error
	Insert(*Rule) (uint32, error)
	InsertImm(*Rule) (uint64, error)
	Update(*Rule, uint64) error
	Dump() ([]byte, error)
	Sync() error
	UpdateRulesHandle() error
	GetRuleHandle(id uint32) (uint64, error)
	GetRulesUserData() (map[uint64][]byte, error)
	GetRulesExpr() (map[uint64][]expr.Any, error)
}

RuleFuncs defines funcations to operate with Rules

type RulesInterface 

type RulesInterface interface {
	Rules() RuleFuncs
}

RulesInterface defines third level interface operating with nf Rules

type SetAttributes 

type SetAttributes struct {
	Name       string
	Constant   bool
	IsMap      bool
	HasTimeout bool
	Timeout    time.Duration
	// Interval flag must be set only when the set elements are ranges, address ranges or port ranges
	Interval bool
	KeyType  nftables.SetDatatype
	DataType nftables.SetDatatype
}

SetAttributes defines parameters of a nftables Set

type SetFuncs 

type SetFuncs interface {
	CreateSet(*SetAttributes, []nftables.SetElement) (*nftables.Set, error)
	DelSet(string) error
	GetSets() ([]*nftables.Set, error)
	GetSetByName(string) (*nftables.Set, error)
	GetSetElements(string) ([]nftables.SetElement, error)
	SetAddElements(string, []nftables.SetElement) error
	SetDelElements(string, []nftables.SetElement) error
}

SetFuncs defines funcations to operate with nftables Sets

type SetRef 

type SetRef struct {
	Name  string
	ID    uint32
	IsMap bool
}

SetRef defines a reference to a Set/Map/Vmap

type SetsInterface 

type SetsInterface interface {
	Sets() SetFuncs
}

SetsInterface defines third level interface operating with nf maps

type TableFuncs 

type TableFuncs interface {
	Table(name string, familyType nftables.TableFamily) (ChainsInterface, error)
	TableChains(name string, familyType nftables.TableFamily) (ChainsInterface, error)
	TableSets(name string, familyType nftables.TableFamily) (SetsInterface, error)
	Create(name string, familyType nftables.TableFamily) error
	Delete(name string, familyType nftables.TableFamily) error
	CreateImm(name string, familyType nftables.TableFamily) error
	DeleteImm(name string, familyType nftables.TableFamily) error
	Exist(name string, familyType nftables.TableFamily) bool
	Get(familyType nftables.TableFamily) ([]string, error)
	Sync(familyType nftables.TableFamily) error
	Dump() ([]byte, error)
}

TableFuncs defines second level interface operating with nf tables

type TablesInterface 

type TablesInterface interface {
	Tables() TableFuncs
}

TablesInterface defines a top level interface

func InitNFTables 

func InitNFTables(conn NetNS) TablesInterface

InitNFTables initializes netlink connection of the nftables family

Source Files

View all Source files

Directories

Path Synopsis
cmd
concurrent
e2e
pkg
e2e/setenv
e2e/validations

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.