nftables

package module
v0.0.0-...-4c77bb5
Published: Jan 12, 2020 License: Apache-2.0 Imports: 9 Imported by: 0

README


This is not the correct repository for issues with the Linux nftables project! This repository contains a third-party Go package to programmatically interact with nftables. Find the official nftables website at https://wiki.nftables.org/

This package manipulates Linux nftables (the iptables successor). It is implemented in pure Go, i.e. does not wrap libnftnl.

This is not an official Google product.

Breaking changes

This package is in very early stages, and only contains enough data types and functions to install very basic nftables rules. It is likely that mistakes with the data types/API will be identified as more functionality is added.

Contributions

Contributions are very welcome!

Documentation

Overview

Package nftables manipulates Linux nftables (the iptables successor).

Index

Constants

const SetConcatTypeBits = 6

SetConcatTypeBits is the number of bits each component type occupies in the type identifier of a concatenated set datatype. It was originally defined in https://git.netfilter.org/iptables/tree/iptables/nft.c?id=26753888720d8e7eb422ae4311348347f5a05cb4#n1002

Variables

var (
	TypeInvalid     = SetDatatype{Name: "invalid", /* contains filtered or unexported fields */}
	TypeVerdict     = SetDatatype{Name: "verdict", Bytes: 0, /* contains filtered or unexported fields */}
	TypeInteger     = SetDatatype{Name: "integer", Bytes: 4, /* contains filtered or unexported fields */}
	TypeIPAddr      = SetDatatype{Name: "ipv4_addr", Bytes: 4, /* contains filtered or unexported fields */}
	TypeIP6Addr     = SetDatatype{Name: "ipv6_addr", Bytes: 16, /* contains filtered or unexported fields */}
	TypeEtherAddr   = SetDatatype{Name: "ether_addr", Bytes: 6, /* contains filtered or unexported fields */}
	TypeInetProto   = SetDatatype{Name: "inet_proto", Bytes: 1, /* contains filtered or unexported fields */}
	TypeInetService = SetDatatype{Name: "inet_service", Bytes: 2, /* contains filtered or unexported fields */}
	TypeMark        = SetDatatype{Name: "mark", Bytes: 4, /* contains filtered or unexported fields */}
)

NFT datatypes. See: https://git.netfilter.org/nftables/tree/src/datatype.c

Functions

This section is empty.

Types

type Chain

type Chain struct {
	Name     string
	Table    *Table
	Hooknum  ChainHook
	Priority ChainPriority
	Type     ChainType
	Policy   *ChainPolicy
}

A Chain contains Rules. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

type ChainHook

type ChainHook uint32

ChainHook specifies at which step in packet processing the Chain should be executed. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks

const (
	ChainHookPrerouting  ChainHook = unix.NF_INET_PRE_ROUTING
	ChainHookInput       ChainHook = unix.NF_INET_LOCAL_IN
	ChainHookForward     ChainHook = unix.NF_INET_FORWARD
	ChainHookOutput      ChainHook = unix.NF_INET_LOCAL_OUT
	ChainHookPostrouting ChainHook = unix.NF_INET_POST_ROUTING
	ChainHookIngress     ChainHook = unix.NF_NETDEV_INGRESS
)

Possible ChainHook values.

type ChainPolicy

type ChainPolicy uint32

ChainPolicy defines the default verdict of a base chain: what happens to a packet that reaches the end of the chain without any rule having issued a verdict. It only applies to base chains (chains registered on a hook).

const (
	ChainPolicyDrop ChainPolicy = iota
	ChainPolicyAccept
)

Possible ChainPolicy values.

type ChainPriority

type ChainPriority int32

ChainPriority orders the chain relative to other base chains on the same hook and to Netfilter's internal operations (conntrack, defragmentation, NAT). Chains run in ascending priority order, so a chain at ChainPriorityRaw (-300) sees a packet before conntrack has processed it, and ChainPriorityFilter (0) runs after destination NAT (-100). See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority

const (
	ChainPriorityFirst            ChainPriority = math.MinInt32
	ChainPriorityConntrackDefrag  ChainPriority = -400
	ChainPriorityRaw              ChainPriority = -300
	ChainPrioritySELinuxFirst     ChainPriority = -225
	ChainPriorityConntrack        ChainPriority = -200
	ChainPriorityMangle           ChainPriority = -150
	ChainPriorityNATDest          ChainPriority = -100
	ChainPriorityFilter           ChainPriority = 0
	ChainPrioritySecurity         ChainPriority = 50
	ChainPriorityNATSource        ChainPriority = 100
	ChainPrioritySELinuxLast      ChainPriority = 225
	ChainPriorityConntrackHelper  ChainPriority = 300
	ChainPriorityConntrackConfirm ChainPriority = math.MaxInt32
	ChainPriorityLast             ChainPriority = math.MaxInt32
)

Possible ChainPriority values.

type ChainType

type ChainType string

ChainType defines what this chain will be used for. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types

const (
	ChainTypeFilter ChainType = "filter"
	ChainTypeRoute  ChainType = "route"
	ChainTypeNAT    ChainType = "nat"
)

Possible ChainType values.
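The kernel accepts only certain combinations of table family, chain type and hook, but this package does not check them: an invalid Chain is buffered and the whole batch fails at Flush with an errno and no indication of which chain is wrong. The following is an added example (not code from the google/nftables project) of a pre-Flush check encoding the combinations documented on the nftables wiki pages linked above. It uses plain strings in place of the package's TableFamily, ChainType and ChainHook constants so it compiles without the library; the string values for the chain type match the ChainType constants on this page, and the hook and family names follow nft. The assumption that the ingress hook is limited to the netdev family reflects the kernels contemporary with this release.

```go
package main

import "fmt"

// baseChain carries the three fields the kernel validates together when a
// base chain is created. Plain strings are used here (hypothetical stand-ins
// for nftables.TableFamily, ChainType and ChainHook) so the check compiles
// without the library.
type baseChain struct {
	Family string // ip, ip6, inet, arp, bridge, netdev
	Type   string // filter, route, nat (the ChainType values on this page)
	Hook   string // prerouting, input, forward, output, postrouting, ingress
}

// The five classic Netfilter hooks, available to ip/ip6/inet and bridge.
var inetHooks = map[string]bool{
	"prerouting": true, "input": true, "forward": true, "output": true, "postrouting": true,
}

// validateBaseChain returns nil if the family/type/hook combination is one
// the kernel accepts, or an error naming the problem.
func validateBaseChain(c baseChain) error {
	switch c.Family {
	case "netdev":
		// netdev tables attach to a device and see raw frames: only the
		// ingress hook and type filter (assumption: kernels of this era).
		if c.Hook != "ingress" || c.Type != "filter" {
			return fmt.Errorf("netdev family: only type filter on hook ingress, got %s/%s", c.Type, c.Hook)
		}
		return nil
	case "arp":
		// ARP has no forwarding path, so only input and output exist.
		if c.Type != "filter" || (c.Hook != "input" && c.Hook != "output") {
			return fmt.Errorf("arp family: only type filter on input/output, got %s/%s", c.Type, c.Hook)
		}
		return nil
	case "bridge":
		if c.Type != "filter" || !inetHooks[c.Hook] {
			return fmt.Errorf("bridge family: only type filter on the five classic hooks, got %s/%s", c.Type, c.Hook)
		}
		return nil
	case "ip", "ip6", "inet":
		if !inetHooks[c.Hook] {
			return fmt.Errorf("%s family: hook %q not available (ingress is netdev-only here)", c.Family, c.Hook)
		}
		switch c.Type {
		case "filter":
			return nil
		case "nat":
			// NAT is decided at prerouting/input/output/postrouting; there is
			// no NAT on the forward hook.
			if c.Hook == "forward" {
				return fmt.Errorf("type nat cannot be registered on hook forward")
			}
			return nil
		case "route":
			// A route chain re-routes locally generated packets whose
			// headers it changed, so it exists only on output.
			if c.Hook != "output" {
				return fmt.Errorf("type route is only valid on hook output, got %s", c.Hook)
			}
			return nil
		}
		return fmt.Errorf("unknown chain type %q", c.Type)
	}
	return fmt.Errorf("unknown family %q", c.Family)
}

func main() {
	for _, c := range []baseChain{
		{"inet", "filter", "input"},
		{"ip", "nat", "forward"},
		{"netdev", "filter", "input"},
	} {
		fmt.Printf("%+v: %v\n", c, validateBaseChain(c))
	}
}
```

Run the check over every Chain before calling AddChain; a failing combination is then reported with the offending chain's fields instead of surfacing later as an opaque error from Flush.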

type Conn

type Conn struct {
	TestDial nltest.Func // for testing only; passed to nltest.Dial
	NetNS    int         // Network namespace netlink will interact with.
	sync.Mutex
	// contains filtered or unexported fields
}

A Conn represents a netlink connection of the nftables family.

Methods such as AddTable, AddChain and AddRule return their input, so that variables can be defined from string literals when desired.

Commands are buffered locally. Flush sends all buffered commands to the kernel in a single batch, which is applied atomically: if any command is rejected, none of the batch takes effect, and the error is only reported by Flush.

func (*Conn) AddChain

func (cc *Conn) AddChain(c *Chain) *Chain

AddChain adds the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Adding_base_chains

func (*Conn) AddObj

func (cc *Conn) AddObj(o Obj) Obj

AddObj adds the specified Obj. See also https://wiki.nftables.org/wiki-nftables/index.php/Stateful_objects

func (*Conn) AddRule

func (cc *Conn) AddRule(r *Rule) *Rule

AddRule appends the specified Rule to the end of its Chain (after the rule whose handle is r.Position, if Position is set).

func (*Conn) AddSet

func (cc *Conn) AddSet(s *Set, vals []SetElement) error

AddSet adds the specified Set.

func (*Conn) AddTable

func (cc *Conn) AddTable(t *Table) *Table

AddTable adds the specified Table. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables

func (*Conn) DelChain

func (cc *Conn) DelChain(c *Chain)

DelChain deletes the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Deleting_chains

func (*Conn) DelRule

func (cc *Conn) DelRule(r *Rule) error

DelRule deletes the specified Rule. r.Handle must be non-zero: handles are assigned by the kernel, so obtain the rule from GetRule before deleting it.

func (*Conn) DelSet

func (cc *Conn) DelSet(s *Set)

DelSet deletes a specific set, along with all elements it contains.

func (*Conn) DelTable

func (cc *Conn) DelTable(t *Table)

DelTable deletes a specific table, along with all chains/rules it contains.

func (*Conn) Flush

func (cc *Conn) Flush() error

Flush sends all buffered commands in a single batch to nftables.

func (*Conn) FlushChain

func (cc *Conn) FlushChain(c *Chain)

FlushChain removes all rules within the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Flushing_chain

func (*Conn) FlushRuleset

func (cc *Conn) FlushRuleset()

FlushRuleset flushes the entire ruleset. See also https://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level

func (*Conn) FlushSet

func (cc *Conn) FlushSet(s *Set)

FlushSet deletes all data points from an nftables set.

func (*Conn) FlushTable

func (cc *Conn) FlushTable(t *Table)

FlushTable removes all rules in all chains within the specified Table. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables#Flushing_tables

func (*Conn) GetObj

func (cc *Conn) GetObj(o Obj) ([]Obj, error)

GetObj gets the specified Obj without resetting it.

func (*Conn) GetObjReset

func (cc *Conn) GetObjReset(o Obj) ([]Obj, error)

GetObjReset gets the specified Obj and resets it.

func (*Conn) GetRule

func (cc *Conn) GetRule(t *Table, c *Chain) ([]*Rule, error)

GetRule returns the rules in the specified table and chain.

func (*Conn) GetSetElements

func (cc *Conn) GetSetElements(s *Set) ([]SetElement, error)

GetSetElements returns the elements in the specified set.

func (*Conn) GetSets

func (cc *Conn) GetSets(t *Table) ([]*Set, error)

GetSets returns the sets in the specified table.

func (*Conn) InsertRule

func (cc *Conn) InsertRule(r *Rule) *Rule

InsertRule inserts the specified Rule at the beginning of its Chain (before the rule whose handle is r.Position, if Position is set).

func (*Conn) ListChains

func (cc *Conn) ListChains() ([]*Chain, error)

ListChains returns the chains currently configured in the kernel.

func (*Conn) ListTables

func (cc *Conn) ListTables() ([]*Table, error)

ListTables returns the tables currently configured in the kernel.

func (*Conn) ReplaceRule

func (cc *Conn) ReplaceRule(r *Rule) *Rule

ReplaceRule replaces the rule identified by r.Handle in place; Handle must be non-zero.

func (*Conn) SetAddElements

func (cc *Conn) SetAddElements(s *Set, vals []SetElement) error

SetAddElements applies data points to an nftables set.

func (*Conn) SetDeleteElements

func (cc *Conn) SetDeleteElements(s *Set, vals []SetElement) error

SetDeleteElements deletes data points from an nftables set.

type CounterObj

type CounterObj struct {
	Table *Table
	Name  string // e.g. “fwded”

	Bytes   uint64
	Packets uint64
}

CounterObj implements Obj.

type Obj

type Obj interface {
	// contains filtered or unexported methods
}

Obj represents a netfilter stateful object. See also https://wiki.nftables.org/wiki-nftables/index.php/Stateful_objects

type Rule

type Rule struct {
	Table    *Table
	Chain    *Chain
	Position uint64
	Handle   uint64
	Exprs    []expr.Any
	UserData []byte
}

A Rule does something with a packet. See also https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management

type Set

type Set struct {
	Table     *Table
	ID        uint32
	Name      string
	Anonymous bool
	Constant  bool
	Interval  bool
	IsMap     bool

	KeyType  SetDatatype
	DataType SetDatatype
}

Set represents an nftables set. Anonymous sets are only valid within the context of a single batch.

type SetDatatype

type SetDatatype struct {
	Name  string
	Bytes uint32
	// contains filtered or unexported fields
}

SetDatatype represents a datatype declared by nft.

func (*SetDatatype) GetNFTMagic

func (s *SetDatatype) GetNFTMagic() uint32

GetNFTMagic returns the numeric type identifier the kernel uses for this datatype (the value sent as the set's key or data type).

func (*SetDatatype) SetNFTMagic

func (s *SetDatatype) SetNFTMagic(nftMagic uint32)

SetNFTMagic sets the numeric type identifier for this datatype; it is used to build a custom datatype, such as a concatenation assembled with SetConcatTypeBits, from user-supplied parameters.

type SetElement

type SetElement struct {
	Key         []byte
	Val         []byte
	IntervalEnd bool
	// To support vmap, a caller must be able to pass Verdict type of data.
	// If IsMap is true and VerdictData is not nil, then Val of SetElement will be ignored
	// and VerdictData will be wrapped into Attribute data.
	VerdictData *expr.Verdict
}

SetElement represents a data point within a set.
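Set keys are raw bytes: the kernel expects exactly SetDatatype.Bytes bytes per key in network byte order (see the TypeIPAddr, TypeIP6Addr and TypeInetService widths listed under Variables), and an interval set expects each range as two elements, the first address and the first address after the range with IntervalEnd set. The following is an added example (not code from the google/nftables project) of building such keys. It uses only the standard library, with a local element struct standing in for the Key and IntervalEnd fields of SetElement, so it compiles and runs without the package; in real use the resulting byte slices go into SetElement values passed to AddSet or SetAddElements.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Key widths from the SetDatatype table on this page: TypeIPAddr,
// TypeIP6Addr and TypeInetService. A key of any other length is rejected.
const (
	ipv4AddrBytes    = 4
	ipv6AddrBytes    = 16
	inetServiceBytes = 2
)

// element is a local stand-in (assumption, not the package's type) for the
// Key and IntervalEnd fields of nftables.SetElement.
type element struct {
	Key         []byte
	IntervalEnd bool
}

// portKey encodes a TCP/UDP port as an inet_service key: two bytes in
// network byte order.
func portKey(port uint16) []byte {
	b := make([]byte, inetServiceBytes)
	binary.BigEndian.PutUint16(b, port)
	return b
}

// addrKey encodes an address as an ipv4_addr (4 bytes) or ipv6_addr (16 bytes)
// key. net.IP usually holds IPv4 addresses in the 16-byte mapped form, so the
// 4-byte form must be extracted explicitly or the key has the wrong width.
func addrKey(ip net.IP) ([]byte, error) {
	if v4 := ip.To4(); v4 != nil {
		return append([]byte(nil), v4[:ipv4AddrBytes]...), nil
	}
	if v6 := ip.To16(); v6 != nil {
		return append([]byte(nil), v6[:ipv6AddrBytes]...), nil
	}
	return nil, fmt.Errorf("not an IP address: %v", ip)
}

// cidrInterval encodes a CIDR prefix for a set created with Interval: true.
// The kernel expects two elements: the first address of the range, and the
// first address after the range flagged with IntervalEnd (exclusive end).
func cidrInterval(cidr string) ([]element, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	start, err := addrKey(ipnet.IP)
	if err != nil {
		return nil, err
	}
	if len(ipnet.Mask) != len(start) {
		return nil, fmt.Errorf("%s: mask width %d does not match key width %d", cidr, len(ipnet.Mask), len(start))
	}
	// Last address = start | ^mask; exclusive end = last + 1, incremented as
	// a big-endian integer so the carry propagates across octets.
	end := make([]byte, len(start))
	for i := range start {
		end[i] = start[i] | ^ipnet.Mask[i]
	}
	for i := len(end) - 1; i >= 0; i-- {
		end[i]++
		if end[i] != 0 {
			break
		}
	}
	return []element{{Key: start}, {Key: end, IntervalEnd: true}}, nil
}

func main() {
	els, err := cidrInterval("10.0.0.0/8")
	if err != nil {
		panic(err)
	}
	fmt.Printf("start=%v end=%v (IntervalEnd=%v)\n", net.IP(els[0].Key), net.IP(els[1].Key), els[1].IntervalEnd)
	fmt.Printf("port 22 -> % x\n", portKey(22))
}
```

The To4 check is the detail that bites most often: a key built from net.ParseIP("10.0.0.1") directly is 16 bytes long and does not match the 4-byte ipv4_addr type, so the element is rejected at Flush.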

type Table

type Table struct {
	Name   string // NFTA_TABLE_NAME
	Use    uint32 // NFTA_TABLE_USE (Number of chains in table)
	Flags  uint32 // NFTA_TABLE_FLAGS
	Family TableFamily
}

A Table contains Chains. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables

type TableFamily

type TableFamily byte

TableFamily specifies the address family for this table.

const (
	TableFamilyINet   TableFamily = unix.NFPROTO_INET
	TableFamilyIPv4   TableFamily = unix.NFPROTO_IPV4
	TableFamilyIPv6   TableFamily = unix.NFPROTO_IPV6
	TableFamilyARP    TableFamily = unix.NFPROTO_ARP
	TableFamilyNetdev TableFamily = unix.NFPROTO_NETDEV
	TableFamilyBridge TableFamily = unix.NFPROTO_BRIDGE
)

Possible TableFamily values.

Directories

Path: Synopsis
binaryutil: Package binaryutil contains convenience wrappers around encoding/binary.
expr: Package expr provides nftables rule expressions.
