v0.0.0-...-55fcc16 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Nov 23, 2019 License: Apache-2.0 Imports: 1 Imported by: 53



Package iptables supports packet filtering and manipulation via the iptables tool.



This section is empty.


This section is empty.


This section is empty.


type Chain

type Chain struct {
	// Name is the chain name.
	Name string

	// Rules is the list of rules to traverse.
	Rules []Rule

A Chain defines a list of rules for packet processing. When a packet traverses a chain, it is checked against each rule until either a rule returns a verdict or the chain ends.

By convention, builtin chains end with a rule that matches everything and returns either Accept or Drop. User-defined chains end with Return. These aren't strictly necessary here, but the iptables tool writes tables this way.

type Hook

type Hook uint

A Hook specifies one of the hooks built into the network stack.

Userspace app          Userspace app
      ^                      |
      |                      v
   [Input]               [Output]
      ^                      |
      |                      v
      |                   routing
      |                      |
      |                      v


const (
	// Prerouting happens before a packet is routed to applications or to
	// be forwarded.
	Prerouting Hook = iota

	// Input happens before a packet reaches an application.

	// Forward happens once it's decided that a packet should be forwarded
	// to another host.

	// Output happens after a packet is written by an application to be
	// sent out.

	// Postrouting happens just before a packet goes out on the wire.

	// The total number of hooks.

These values correspond to values in include/uapi/linux/netfilter.h.

type IPTables

type IPTables struct {
	// Tables maps table names to tables. User tables have arbitrary names.
	Tables map[string]Table

	// Priorities maps each hook to a list of table names. The order of the
	// list is the order in which each table should be visited for that
	// hook.
	Priorities map[Hook][]string

IPTables holds all the tables for a netstack.

func DefaultTables

func DefaultTables() IPTables

DefaultTables returns a default set of tables. Each chain is set to accept all packets.

type Matcher

type Matcher interface {
	// Match returns whether the packet matches and whether the packet
	// should be "hotdropped", i.e. dropped immediately. This is usually
	// used for suspicious packets.
	Match(hook Hook, packet buffer.VectorisedView, interfaceName string) (matches bool, hotdrop bool)

A Matcher is the interface for matching packets.

type Rule

type Rule struct {
	// Matchers is the list of matchers for this rule.
	Matchers []Matcher

	// Target is the action to invoke if all the matchers match the packet.
	Target Target

A Rule is a packet processing rule. It consists of two pieces. First it contains zero or more matchers, each of which is a specification of which packets this rule applies to. If there are no matchers in the rule, it applies to any packet.

type Table

type Table struct {
	// BuiltinChains holds the un-deletable chains built into netstack. If
	// a hook isn't present in the map, this table doesn't utilize that
	// hook.
	BuiltinChains map[Hook]Chain

	// DefaultTargets holds a target for each hook that will be executed if
	// chain traversal doesn't yield a verdict.
	DefaultTargets map[Hook]Target

	// UserChains holds user-defined chains for the keyed by name. Users
	// can give their chains arbitrary names.
	UserChains map[string]Chain

	// Chains maps names to chains for both builtin and user-defined chains.
	// Its entries point to Chains already either in BuiltinChains or
	// UserChains, and its purpose is to make looking up tables by name
	// fast.
	Chains map[string]*Chain
	// contains filtered or unexported fields

A Table defines a set of chains and hooks into the network stack. The currently supported tables are:

  • nat
  • mangle

func (*Table) Metadata

func (table *Table) Metadata() interface{}

Metadata returns the metadata object stored in table.

func (*Table) SetMetadata

func (table *Table) SetMetadata(metadata interface{})

SetMetadata sets the metadata object stored in table.

func (*Table) ValidHooks

func (table *Table) ValidHooks() uint32

ValidHooks returns a bitmap of the builtin hooks for the given table.

type Target

type Target interface {
	// Action takes an action on the packet and returns a verdict on how
	// traversal should (or should not) continue. If the return value is
	// Jump, it also returns the name of the chain to jump to.
	Action(packet buffer.VectorisedView) (Verdict, string)

A Target is the interface for taking an action for a packet.

type UnconditionalAcceptTarget

type UnconditionalAcceptTarget struct{}

UnconditionalAcceptTarget accepts all packets.

func (UnconditionalAcceptTarget) Action

Action implements Target.Action.

type UnconditionalDropTarget

type UnconditionalDropTarget struct{}

UnconditionalDropTarget denies all packets.

func (UnconditionalDropTarget) Action

Action implements Target.Action.

type Verdict

type Verdict int

A Verdict is returned by a rule's target to indicate how traversal of rules should (or should not) continue.

const (
	// Accept indicates the packet should continue traversing netstack as
	// normal.
	Accept Verdict = iota

	// Drop inicates the packet should be dropped, stopping traversing
	// netstack.

	// Stolen indicates the packet was co-opted by the target and should
	// stop traversing netstack.

	// Queue indicates the packet should be queued for userspace processing.

	// Repeat indicates the packet should re-traverse the chains for the
	// current hook.

	// None indicates no verdict was reached.

	// Jump indicates a jump to another chain.

	// Continue indicates that traversal should continue at the next rule.

	// Return indicates that traversal should return to the calling chain.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL