Overview ¶
Package nftables manipulates Linux nftables (the iptables successor) by talking to the kernel's nf_tables subsystem over netlink. Doing so typically requires CAP_NET_ADMIN in the target network namespace, so programs built on this package run privileged; keep the code path that changes the ruleset small and reviewable, and scope changes to the tables/chains the program owns rather than the whole ruleset.
Constants ¶
// nf_tables netlink message types for flowtable operations. They are not
// present in golang.org/x/sys/unix (ztypes_linux.go), so they are defined here.
const (
	// not in ztypes_linux.go, added here
	// https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=1870-1892
	NFT_MSG_NEWFLOWTABLE = 0x16
	NFT_MSG_GETFLOWTABLE = 0x17
	NFT_MSG_DELFLOWTABLE = 0x18
)
// Netlink attribute identifiers (NFTA_FLOWTABLE_*) carried in flowtable messages.
// NOTE(review): the rendered listing omits the initializer of the first
// constant; take the numeric values from the package source / nf_tables.h,
// not from this page.
const (
	NFTA_FLOWTABLE_TABLE
	NFTA_FLOWTABLE_NAME
	NFTA_FLOWTABLE_HOOK
	NFTA_FLOWTABLE_USE
	NFTA_FLOWTABLE_HANDLE
	NFTA_FLOWTABLE_PAD
	NFTA_FLOWTABLE_FLAGS
)
// Nested attributes of NFTA_FLOWTABLE_HOOK: hook number, priority and the
// list of devices the flowtable is attached to.
// NOTE(review): the rendered listing omits the initializer; see the package
// source for the actual values.
const (
	NFTA_FLOWTABLE_HOOK_NUM
	NFTA_FLOWTABLE_PRIORITY
	NFTA_FLOWTABLE_DEVS
)
// Stateful-object constants not provided by golang.org/x/sys/unix:
// NFTA_OBJ_USERDATA is the attribute carrying opaque user data on an object,
// NFT_OBJECT_QUOTA is the object type used by QuotaObj.
const (
	NFTA_OBJ_USERDATA = 8
	NFT_OBJECT_QUOTA  = 2
)
// Constants for concatenated set datatypes.
//
// SetConcatTypeBits is the width of each base-type id packed into the 32-bit
// nftMagic of a concatenated SetDatatype, and SetConcatTypeMask extracts one
// id. 32 / 6 leaves room for at most 5 base types, which is why ConcatSetType
// returns ErrTooManyTypes beyond that.
const (
	SetConcatTypeBits = 6
	SetConcatTypeMask = (1 << SetConcatTypeBits) - 1
	// below consts added because not found in go unix package
	// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n306
	NFT_SET_CONCAT = 0x80
	// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n330
	NFTA_SET_DESC_CONCAT = 2
	// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n428
	NFTA_SET_ELEM_KEY_END = 10
	// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n429
	NFTA_SET_ELEM_EXPRESSIONS = 0x11
)
SetConcatTypeBits defines the number of bits used per base type in a concatenated set datatype, originally defined in https://git.netfilter.org/iptables/tree/iptables/nft.c?id=26753888720d8e7eb422ae4311348347f5a05cb4#n1002
// NFTA_DEVICE_NAME is the nested attribute that carries one device name inside
// NFTA_FLOWTABLE_DEVS (see Flowtable.Devices).
const (
	// not in ztypes_linux.go, added here, used for flowtable device name specification
	// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1709
	NFTA_DEVICE_NAME = 1
)
Variables ¶
// NFT datatypes. See: https://git.netfilter.org/nftables/tree/include/datatype.h
//
// Bytes is the fixed key size the kernel expects for the type; a value of 0
// marks types whose size is not fixed here (verdict, bitmask, string, ll_addr).
// NOTE(review): TypeTime and TypeTimeDate share the Name "time"; since
// ConcatSetTypeElements resolves base types by name, the two may not be
// distinguishable after concatenation — confirm before relying on that.
var (
	TypeInvalid     = SetDatatype{Name: "invalid" /* contains filtered or unexported fields */}
	TypeVerdict     = SetDatatype{Name: "verdict", Bytes: 0 /* contains filtered or unexported fields */}
	TypeNFProto     = SetDatatype{Name: "nf_proto", Bytes: 1 /* contains filtered or unexported fields */}
	TypeBitmask     = SetDatatype{Name: "bitmask", Bytes: 0 /* contains filtered or unexported fields */}
	TypeInteger     = SetDatatype{Name: "integer", Bytes: 4 /* contains filtered or unexported fields */}
	TypeString      = SetDatatype{Name: "string", Bytes: 0 /* contains filtered or unexported fields */}
	TypeLLAddr      = SetDatatype{Name: "ll_addr", Bytes: 0 /* contains filtered or unexported fields */}
	TypeIPAddr      = SetDatatype{Name: "ipv4_addr", Bytes: 4 /* contains filtered or unexported fields */}
	TypeIP6Addr     = SetDatatype{Name: "ipv6_addr", Bytes: 16 /* contains filtered or unexported fields */}
	TypeEtherAddr   = SetDatatype{Name: "ether_addr", Bytes: 6 /* contains filtered or unexported fields */}
	TypeEtherType   = SetDatatype{Name: "ether_type", Bytes: 2 /* contains filtered or unexported fields */}
	TypeARPOp       = SetDatatype{Name: "arp_op", Bytes: 2 /* contains filtered or unexported fields */}
	TypeInetProto   = SetDatatype{Name: "inet_proto", Bytes: 1 /* contains filtered or unexported fields */}
	TypeInetService = SetDatatype{Name: "inet_service", Bytes: 2 /* contains filtered or unexported fields */}
	TypeICMPType    = SetDatatype{Name: "icmp_type", Bytes: 1 /* contains filtered or unexported fields */}
	TypeTCPFlag     = SetDatatype{Name: "tcp_flag", Bytes: 1 /* contains filtered or unexported fields */}
	TypeDCCPPktType = SetDatatype{Name: "dccp_pkttype", Bytes: 1 /* contains filtered or unexported fields */}
	TypeMHType      = SetDatatype{Name: "mh_type", Bytes: 1 /* contains filtered or unexported fields */}
	TypeTime        = SetDatatype{Name: "time", Bytes: 8 /* contains filtered or unexported fields */}
	TypeMark        = SetDatatype{Name: "mark", Bytes: 4 /* contains filtered or unexported fields */}
	TypeIFIndex     = SetDatatype{Name: "iface_index", Bytes: 4 /* contains filtered or unexported fields */}
	TypeARPHRD      = SetDatatype{Name: "iface_type", Bytes: 2 /* contains filtered or unexported fields */}
	TypeRealm       = SetDatatype{Name: "realm", Bytes: 4 /* contains filtered or unexported fields */}
	TypeClassID     = SetDatatype{Name: "classid", Bytes: 4 /* contains filtered or unexported fields */}
	// uid/gid sizes come from the unexported platform constants sizeOfUIDT/sizeOfGIDT.
	TypeUID        = SetDatatype{Name: "uid", Bytes: sizeOfUIDT /* contains filtered or unexported fields */}
	TypeGID        = SetDatatype{Name: "gid", Bytes: sizeOfGIDT /* contains filtered or unexported fields */}
	TypeCTState    = SetDatatype{Name: "ct_state", Bytes: 4 /* contains filtered or unexported fields */}
	TypeCTDir      = SetDatatype{Name: "ct_dir", Bytes: 1 /* contains filtered or unexported fields */}
	TypeCTStatus   = SetDatatype{Name: "ct_status", Bytes: 4 /* contains filtered or unexported fields */}
	TypeICMP6Type  = SetDatatype{Name: "icmpv6_type", Bytes: 1 /* contains filtered or unexported fields */}
	TypeCTLabel    = SetDatatype{Name: "ct_label", Bytes: ctLabelBitSize / 8 /* contains filtered or unexported fields */}
	TypePktType    = SetDatatype{Name: "pkt_type", Bytes: 1 /* contains filtered or unexported fields */}
	TypeICMPCode   = SetDatatype{Name: "icmp_code", Bytes: 1 /* contains filtered or unexported fields */}
	TypeICMPV6Code = SetDatatype{Name: "icmpv6_code", Bytes: 1 /* contains filtered or unexported fields */}
	TypeICMPXCode  = SetDatatype{Name: "icmpx_code", Bytes: 1 /* contains filtered or unexported fields */}
	TypeDevGroup   = SetDatatype{Name: "devgroup", Bytes: 4 /* contains filtered or unexported fields */}
	TypeDSCP       = SetDatatype{Name: "dscp", Bytes: 1 /* contains filtered or unexported fields */}
	TypeECN        = SetDatatype{Name: "ecn", Bytes: 1 /* contains filtered or unexported fields */}
	TypeFIBAddr    = SetDatatype{Name: "fib_addrtype", Bytes: 4 /* contains filtered or unexported fields */}
	TypeBoolean    = SetDatatype{Name: "boolean", Bytes: 1 /* contains filtered or unexported fields */}
	TypeCTEventBit = SetDatatype{Name: "ct_event", Bytes: 4 /* contains filtered or unexported fields */}
	// Interface names are fixed-width (ifNameSize), not NUL-terminated strings.
	TypeIFName   = SetDatatype{Name: "ifname", Bytes: ifNameSize /* contains filtered or unexported fields */}
	TypeIGMPType = SetDatatype{Name: "igmp_type", Bytes: 1 /* contains filtered or unexported fields */}
	TypeTimeDate = SetDatatype{Name: "time", Bytes: 8 /* contains filtered or unexported fields */}
	TypeTimeHour = SetDatatype{Name: "hour", Bytes: 4 /* contains filtered or unexported fields */}
	TypeTimeDay  = SetDatatype{Name: "day", Bytes: 1 /* contains filtered or unexported fields */}
	TypeCGroupV2 = SetDatatype{Name: "cgroupsv2", Bytes: 8 /* contains filtered or unexported fields */}
)
NFT datatypes. See: https://git.netfilter.org/nftables/tree/include/datatype.h
var ErrTooManyTypes = errors.New("too many types to concat")
ErrTooManyTypes is the error returned by ConcatSetType, if nftMagic would overflow.
Functions ¶
func NetFirstAndLastIP ¶ added in v0.2.0
NetFirstAndLastIP takes the beginning address of an entire network in CIDR notation (e.g. 192.168.1.0/24) and returns the first and last IP addresses within the network (e.g. first 192.168.1.0, last 192.168.1.255).
Note that these are the first and last IP addresses, not the first and last *usable* IP addresses (which would be 192.168.1.1 and 192.168.1.254, respectively, for 192.168.1.0/24).
Types ¶
type Chain ¶
// A Chain contains Rules.
//
// Hooknum, Priority and Type are only meaningful for a base chain (one that
// is attached to a netfilter hook; see the "Base chain" links in the
// ChainHook, ChainPriority and ChainType docs). For a regular chain that is
// only reached via jump/goto, leave them nil/empty.
type Chain struct {
	Name     string
	Table    *Table
	Hooknum  *ChainHook
	Priority *ChainPriority
	Type     ChainType
	// Policy is the default verdict of a base chain for packets no rule
	// decided on. A nil Policy leaves the kernel default (accept, per the
	// nftables wiki); set ChainPolicyDrop explicitly when a default-deny
	// filter is intended, otherwise the chain silently allows everything.
	Policy *ChainPolicy
}
A Chain contains Rules. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
type ChainHook ¶
type ChainHook uint32
ChainHook specifies at which step in packet processing the Chain should be executed. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks
// Possible ChainHook values. They wrap the netfilter hook numbers from
// golang.org/x/sys/unix; ChainHookIngress is the netdev-family ingress hook,
// the others are the inet/ip/ip6 packet-path hooks.
var (
	ChainHookPrerouting  *ChainHook = ChainHookRef(unix.NF_INET_PRE_ROUTING)
	ChainHookInput       *ChainHook = ChainHookRef(unix.NF_INET_LOCAL_IN)
	ChainHookForward     *ChainHook = ChainHookRef(unix.NF_INET_FORWARD)
	ChainHookOutput      *ChainHook = ChainHookRef(unix.NF_INET_LOCAL_OUT)
	ChainHookPostrouting *ChainHook = ChainHookRef(unix.NF_INET_POST_ROUTING)
	ChainHookIngress     *ChainHook = ChainHookRef(unix.NF_NETDEV_INGRESS)
)
Possible ChainHook values.
func ChainHookRef ¶
ChainHookRef returns a pointer to a ChainHook value, for use in Chain.Hooknum.
type ChainPolicy ¶
type ChainPolicy uint32
ChainPolicy defines the default verdict of a base chain, i.e. what happens to a packet that reaches the end of the chain without any rule having accepted or dropped it.
// Possible ChainPolicy values. iota yields Drop = 0 and Accept = 1, which
// line up with the netfilter NF_DROP / NF_ACCEPT verdict values.
const (
	ChainPolicyDrop ChainPolicy = iota
	ChainPolicyAccept
)
Possible ChainPolicy values.
type ChainPriority ¶
type ChainPriority int32
ChainPriority orders the chain relative to Netfilter internal operations. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
// Possible ChainPriority values. Lower values are evaluated earlier (per the
// linked wiki page); the named values mirror the standard nftables priorities
// so a chain can be placed before or after conntrack, NAT, mangle, etc.
// ChainPriorityConntrackConfirm and ChainPriorityLast share math.MaxInt32.
var (
	ChainPriorityFirst            *ChainPriority = ChainPriorityRef(math.MinInt32)
	ChainPriorityConntrackDefrag  *ChainPriority = ChainPriorityRef(-400)
	ChainPriorityRaw              *ChainPriority = ChainPriorityRef(-300)
	ChainPrioritySELinuxFirst     *ChainPriority = ChainPriorityRef(-225)
	ChainPriorityConntrack        *ChainPriority = ChainPriorityRef(-200)
	ChainPriorityMangle           *ChainPriority = ChainPriorityRef(-150)
	ChainPriorityNATDest          *ChainPriority = ChainPriorityRef(-100)
	ChainPriorityFilter           *ChainPriority = ChainPriorityRef(0)
	ChainPrioritySecurity         *ChainPriority = ChainPriorityRef(50)
	ChainPriorityNATSource        *ChainPriority = ChainPriorityRef(100)
	ChainPrioritySELinuxLast      *ChainPriority = ChainPriorityRef(225)
	ChainPriorityConntrackHelper  *ChainPriority = ChainPriorityRef(300)
	ChainPriorityConntrackConfirm *ChainPriority = ChainPriorityRef(math.MaxInt32)
	ChainPriorityLast             *ChainPriority = ChainPriorityRef(math.MaxInt32)
)
Possible ChainPriority values.
func ChainPriorityRef ¶
func ChainPriorityRef(p ChainPriority) *ChainPriority
ChainPriorityRef returns a pointer to a ChainPriority value.
type ChainType ¶
type ChainType string
ChainType defines what this chain will be used for. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
type Conn ¶
// A Conn represents a netlink connection of the nftables family.
type Conn struct {
	// TestDial, when non-nil, replaces the real netlink dialer so tests can
	// intercept messages (see WithTestDial). Never set it in production code.
	TestDial nltest.Func // for testing only; passed to nltest.Dial
	// NetNS is a file descriptor referencing the network namespace that
	// netlink will interact with (see WithNetNSFd). The caller owns the fd
	// and must keep it valid for as long as the Conn is used.
	NetNS int // fd referencing the network namespace netlink will interact with.
	// contains filtered or unexported fields
}
A Conn represents a netlink connection of the nftables family.
All methods return their input, so that variables can be defined from string literals when desired.

Commands are buffered: the Add*/Del*/Flush* methods only queue netlink messages, and Flush sends all buffered commands in a single batch. Because most of those methods return no error, a failure (for example a permission error or an expression the kernel rejects) is only reported by Flush — always check its return value. Until Flush returns without error, nothing has changed in the kernel.
func New ¶
func New(opts ...ConnOption) (*Conn, error)
New returns a netlink connection for querying and modifying nftables. Some aspects of the new netlink connection can be configured using the options WithNetNSFd, WithTestDial, and AsLasting.
A lasting netlink connection should be closed by calling CloseLasting() to close the underlying lasting netlink connection, cancelling all pending operations using this connection.
func (*Conn) AddChain ¶
AddChain adds the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Adding_base_chains
func (*Conn) AddFlowtable ¶
func (*Conn) AddMonitor ¶ added in v0.2.0
func (cc *Conn) AddMonitor(monitor *Monitor) (chan *MonitorEvent, error)
AddMonitor starts the monitor immediately on this connection and returns the channel on which events are delivered. The channel is closed after Close is called on the Monitor or when the netlink connection fails while receiving. The caller may also receive a MonitorEventTypeOOB event; its Error field carries an error that the package does not otherwise handle, so callers should check ev.Error rather than silently dropping such events.
func (*Conn) AddObj ¶
AddObj adds the specified Obj. See also https://wiki.nftables.org/wiki-nftables/index.php/Stateful_objects
func (*Conn) AddSet ¶
func (cc *Conn) AddSet(s *Set, vals []SetElement) error
AddSet adds the specified Set.
func (*Conn) AddTable ¶
AddTable adds the specified Table, just like `nft add table ...`. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
func (*Conn) CloseLasting ¶
CloseLasting closes the lasting netlink connection that has been opened using AsLasting option when creating this connection. If either no lasting netlink connection has been opened or the lasting connection is already in the process of closing or has been closed, CloseLasting will immediately return without any error.
CloseLasting will terminate all pending netlink operations using the lasting connection.
After closing a lasting connection, the connection will revert to using on-demand transient netlink connections when calling further netlink operations (such as GetTables).
func (*Conn) CreateTable ¶ added in v0.2.0
CreateTable creates the specified Table if it does not already exist, just like `nft create table ...`.
func (*Conn) DelChain ¶
DelChain deletes the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Deleting_chains
func (*Conn) DelFlowtable ¶
func (*Conn) DeleteObject ¶
DeleteObject deletes the specified Obj
func (*Conn) FlushChain ¶
FlushChain removes all rules within the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Flushing_chain
func (*Conn) FlushRuleset ¶
func (cc *Conn) FlushRuleset()
FlushRuleset flushes the entire ruleset. See also https://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level. This removes every table, chain, set and rule of every family in the network namespace the Conn is bound to — including those installed by other tools or services, not only those created through this Conn — so a host can be left without any firewall policy until the replacement ruleset is committed. Prefer FlushTable or FlushChain to scope a reset to what this program owns. Like every buffered command, it takes effect only when Flush is called and returns without error.
func (*Conn) FlushTable ¶
FlushTable removes all rules in all chains within the specified Table. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables#Flushing_tables
func (*Conn) GetObj ¶
GetObj is a legacy method that returns all Obj that belong to the same table as the given one.
func (*Conn) GetObjReset ¶
GetObjReset is a legacy method that resets all Obj that belong to the same table as the given one.
func (*Conn) GetObjects ¶
GetObjects returns all the Obj that belong to the given table.
func (*Conn) GetSetByName ¶
GetSetByName returns the set in the specified table if matching name is found.
func (*Conn) GetSetElements ¶
func (cc *Conn) GetSetElements(s *Set) ([]SetElement, error)
GetSetElements returns the elements in the specified set.
func (*Conn) InsertRule ¶
func (*Conn) ListChains ¶
ListChains returns currently configured chains in the kernel
func (*Conn) ListChainsOfTableFamily ¶
func (cc *Conn) ListChainsOfTableFamily(family TableFamily) ([]*Chain, error)
ListChainsOfTableFamily returns the currently configured chains for the specified family in the kernel. It lists all chains in all tables if family is TableFamilyUnspecified.
func (*Conn) ListTables ¶
ListTables returns currently configured tables in the kernel
func (*Conn) ListTablesOfFamily ¶
func (cc *Conn) ListTablesOfFamily(family TableFamily) ([]*Table, error)
ListTablesOfFamily returns currently configured tables for the specified table family in the kernel. It lists all tables if family is TableFamilyUnspecified.
func (*Conn) ReplaceRule ¶
func (*Conn) ResetObject ¶
ResetObject reset the given Obj
func (*Conn) ResetObjects ¶
ResetObjects reset all the Obj that belongs to the given table
func (*Conn) SetAddElements ¶
func (cc *Conn) SetAddElements(s *Set, vals []SetElement) error
SetAddElements applies data points to an nftables set.
func (*Conn) SetDeleteElements ¶
func (cc *Conn) SetDeleteElements(s *Set, vals []SetElement) error
SetDeleteElements deletes data points from an nftables set.
type ConnOption ¶
type ConnOption func(*Conn)
ConnOption is an option to change the behavior of the nftables Conn returned by New.
func AsLasting ¶
func AsLasting() ConnOption
AsLasting creates the new netlink connection as a lasting connection that is reused across multiple netlink operations, instead of opening and closing the underlying netlink connection only for the duration of a single netlink operation. A lasting connection holds a netlink socket open until CloseLasting is called; callers must close it to avoid leaking the socket.
func WithNetNSFd ¶
func WithNetNSFd(fd int) ConnOption
WithNetNSFd sets the network namespace to create a new netlink connection in: the fd must reference a network namespace (for example one opened from /proc/<pid>/ns/net or /run/netns/<name>). The fd is stored in Conn.NetNS; the caller is responsible for keeping it open for the lifetime of the Conn and for closing it afterwards.
func WithTestDial ¶
func WithTestDial(f nltest.Func) ConnOption
WithTestDial sets the specified nltest.Func when creating a new netlink connection.
type CounterObj ¶
CounterObj implements Obj.
type Flowtable ¶
// A Flowtable lets established flows bypass the classic forwarding path
// (and optionally be offloaded to hardware) on the listed devices.
type Flowtable struct {
	Table *Table
	Name  string
	// Hooknum is the hook the flowtable attaches to; only ingress is
	// supported (see FlowtableHookIngress).
	Hooknum  *FlowtableHook
	Priority *FlowtablePriority
	// Devices lists the network interface names the flowtable covers; each
	// is sent as an NFTA_DEVICE_NAME attribute.
	Devices []string
	Use     uint32
	// Bitmask flags, can be HW_OFFLOAD or COUNTER
	// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1621
	Flags  FlowtableFlags
	Handle uint64
}
type FlowtableFlags ¶
type FlowtableFlags uint32
// Possible FlowtableFlags values: FlowtableFlagsHWOffload requests hardware
// offload, FlowtableFlagsCounter enables per-flow counters, and
// FlowtableFlagsMask covers every flag this package knows how to send.
// NOTE(review): the rendered listing omits the initializer of the first
// constant; see the package source for the actual bit values.
const (
	FlowtableFlagsHWOffload FlowtableFlags
	FlowtableFlagsCounter
	FlowtableFlagsMask = (FlowtableFlagsHWOffload | FlowtableFlagsCounter)
)
type FlowtableHook ¶
type FlowtableHook uint32
// Possible FlowtableHook values.
var (
	// Only ingress is supported
	// https://github.com/torvalds/linux/blob/b72018ab8236c3ae427068adeb94bdd3f20454ec/net/netfilter/nf_tables_api.c#L7378-L7379
	FlowtableHookIngress *FlowtableHook = FlowtableHookRef(unix.NF_NETDEV_INGRESS)
)
func FlowtableHookRef ¶
func FlowtableHookRef(h FlowtableHook) *FlowtableHook
type FlowtablePriority ¶
type FlowtablePriority int32
// Possible FlowtablePriority values.
var (
	// As per man page:
	// The priority can be a signed integer or filter which stands for 0. Addition and subtraction can be used to set relative priority, e.g. filter + 5 equals to 5.
	// https://git.netfilter.org/nftables/tree/doc/nft.txt?id=8c600a843b7c0c1cc275ecc0603bd1fc57773e98#n712
	FlowtablePriorityFilter *FlowtablePriority = FlowtablePriorityRef(0)
)
func FlowtablePriorityRef ¶
func FlowtablePriorityRef(p FlowtablePriority) *FlowtablePriority
type Monitor ¶ added in v0.2.0
// A Monitor is an event-based nftables monitor. Construct it with NewMonitor
// and install it with Conn.AddMonitor; it has no exported fields.
type Monitor struct {
	// contains filtered or unexported fields
}
A Monitor is an event-based nftables monitor that will receive one event per new (or deleted) table, chain, rule, set, etc., depending on the monitor configuration. Events are delivered for changes made by any process in the namespace, not only through this Conn (this is the mechanism behind `nft monitor`), which makes a Monitor suitable for detecting unexpected modifications of the firewall ruleset.
func NewMonitor ¶ added in v0.2.0
func NewMonitor(opts ...MonitorOption) *Monitor
NewMonitor returns a Monitor with options to be started.
Note that NewMonitor only prepares a Monitor. To install the monitor, call Conn.AddMonitor.
Example ¶
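package main

import (
	"log"

	"github.com/google/nftables"
)

// This example installs a Monitor on a fresh connection and logs every
// ruleset change it reports. Out-of-band events carry an error in
// MonitorEvent.Error and are logged instead of being dropped.
func main() {
	conn, err := nftables.New()
	if err != nil {
		log.Fatal(err)
	}

	// NewMonitor only prepares the monitor; Conn.AddMonitor installs it.
	mon := nftables.NewMonitor()
	defer mon.Close()

	events, err := conn.AddMonitor(mon)
	if err != nil {
		log.Fatal(err)
	}

	// The channel is closed when the monitor is closed or the netlink
	// connection fails, so the range loop terminates on its own.
	for ev := range events {
		log.Printf("ev: %+v, data = %T", ev, ev.Data)
		switch ev.Type {
		case nftables.MonitorEventTypeNewTable:
			log.Printf("data = %+v", ev.Data.(*nftables.Table))
			// …more cases if needed…
		case nftables.MonitorEventTypeOOB:
			// An error the package could not handle itself; surface it
			// rather than silently continuing to wait for events.
			log.Printf("monitor error: %v", ev.Error)
		}
	}
}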
type MonitorAction ¶ added in v0.2.0
type MonitorAction uint8
// Possible MonitorAction values: a bitmask selecting which kinds of change
// a Monitor reports. New = 1, Del = 2, and Mask/Any = 3 (both bits).
const (
	MonitorActionNew MonitorAction = 1 << iota
	MonitorActionDel
	MonitorActionMask MonitorAction = (1 << iota) - 1
	MonitorActionAny  MonitorAction = MonitorActionMask
)
Possible MonitorAction values.
type MonitorEvent ¶ added in v0.2.0
// A MonitorEvent represents a single change received via a Monitor.
type MonitorEvent struct {
	// Type says which object changed and how; it selects the concrete type
	// behind Data (e.g. *Table for MonitorEventTypeNewTable).
	Type MonitorEventType
	Data any
	// Error is set on MonitorEventTypeOOB events that report an error the
	// package did not handle; callers should check it.
	Error error
}
A MonitorEvent represents a single change received via a Monitor.
Depending on the Type, the Data field can be type-asserted to the specific data type for this event, e.g. when Type is nftables.MonitorEventTypeNewTable, you can access the corresponding table details via Data.(*nftables.Table).
type MonitorEventType ¶ added in v0.2.0
type MonitorEventType int
// Possible MonitorEventType values. All but MonitorEventTypeOOB are the
// nf_tables netlink message types from golang.org/x/sys/unix; OOB is a
// package-defined sentinel for events that carry an error instead of data.
const (
	MonitorEventTypeNewTable   MonitorEventType = unix.NFT_MSG_NEWTABLE
	MonitorEventTypeDelTable   MonitorEventType = unix.NFT_MSG_DELTABLE
	MonitorEventTypeNewChain   MonitorEventType = unix.NFT_MSG_NEWCHAIN
	MonitorEventTypeDelChain   MonitorEventType = unix.NFT_MSG_DELCHAIN
	MonitorEventTypeNewRule    MonitorEventType = unix.NFT_MSG_NEWRULE
	MonitorEventTypeDelRule    MonitorEventType = unix.NFT_MSG_DELRULE
	MonitorEventTypeNewSet     MonitorEventType = unix.NFT_MSG_NEWSET
	MonitorEventTypeDelSet     MonitorEventType = unix.NFT_MSG_DELSET
	MonitorEventTypeNewSetElem MonitorEventType = unix.NFT_MSG_NEWSETELEM
	MonitorEventTypeDelSetElem MonitorEventType = unix.NFT_MSG_DELSETELEM
	MonitorEventTypeNewObj     MonitorEventType = unix.NFT_MSG_NEWOBJ
	MonitorEventTypeDelObj     MonitorEventType = unix.NFT_MSG_DELOBJ
	MonitorEventTypeOOB        MonitorEventType = math.MaxInt // out of band event
)
type MonitorObject ¶ added in v0.2.0
type MonitorObject uint32
// Possible MonitorObject values: a bitmask selecting which object kinds a
// Monitor reports. Tables = 1, Chains = 2, Sets = 4, Rules = 8,
// Elements = 16, Ruleset = 32; Mask/Any cover all six bits.
const (
	MonitorObjectTables MonitorObject = 1 << iota
	MonitorObjectChains
	MonitorObjectSets
	MonitorObjectRules
	MonitorObjectElements
	MonitorObjectRuleset
	MonitorObjectMask MonitorObject = (1 << iota) - 1
	MonitorObjectAny  MonitorObject = MonitorObjectMask
)
Possible MonitorObject values.
type MonitorOption ¶ added in v0.2.0
type MonitorOption func(*Monitor)
func WithMonitorAction ¶ added in v0.2.0
func WithMonitorAction(action MonitorAction) MonitorOption
WithMonitorAction to set monitor actions like new, del or any.
func WithMonitorEventBuffer ¶ added in v0.2.0
func WithMonitorEventBuffer(size int) MonitorOption
func WithMonitorObject ¶ added in v0.2.0
func WithMonitorObject(object MonitorObject) MonitorOption
WithMonitorObject to set monitor objects.
type NFGenMsg ¶ added in v0.2.0
General form of address family dependent message, see https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nfnetlink.h#29
type Obj ¶
// Obj represents a netfilter stateful object (counter, quota, …). Its
// methods are unexported, so only the package's own types (CounterObj,
// QuotaObj) implement it.
type Obj interface {
	// contains filtered or unexported methods
}
Obj represents a netfilter stateful object. See also https://wiki.nftables.org/wiki-nftables/index.php/Stateful_objects
type Rule ¶
// A Rule does something with a packet: Exprs are evaluated in order within
// Chain of Table.
type Rule struct {
	Table *Table
	Chain *Chain
	// Position and Handle are kernel-assigned rule handles; Handle identifies
	// an existing rule, Position the rule to place this one relative to.
	Position uint64
	Handle   uint64
	// The list of possible flags are specified by nftnl_rule_attr, see
	// https://git.netfilter.org/libnftnl/tree/include/libnftnl/rule.h#n21
	// Current nftables go implementation supports only
	// NFTNL_RULE_POSITION flag for setting rule at position 0
	Flags uint32
	Exprs []expr.Any
	// UserData is opaque to the kernel and stored alongside the rule; nft
	// displays libnftables-compatible TLV comments from it (see the userdata
	// subpackage). Treat it as untrusted input when reading rules back.
	UserData []byte
}
A Rule does something with a packet. See also https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management
type Set ¶
// Set represents an nftables set. Anonymous sets are only valid within the
// context of a single batch.
type Set struct {
	Table *Table
	ID    uint32
	Name  string
	// Anonymous sets are created and referenced within one batch only.
	Anonymous bool
	Constant  bool
	Interval  bool
	// IsMap makes the set a map/vmap: elements carry a Val (or VerdictData).
	IsMap bool
	// HasTimeout allows elements to expire (see Timeout and SetElement.Timeout).
	HasTimeout bool
	Counter    bool
	// Can be updated per evaluation path, per `nft list ruleset`
	// indicates that set contains "flags dynamic"
	// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n298
	Dynamic bool
	// Indicates that the set contains a concatenation
	// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n306
	Concatenation bool
	// Timeout is the default element lifetime when HasTimeout is set.
	Timeout  time.Duration
	KeyType  SetDatatype
	DataType SetDatatype
	// Either host (binaryutil.NativeEndian) or big (binaryutil.BigEndian) endian as per
	// https://git.netfilter.org/nftables/tree/include/datatype.h?id=d486c9e626405e829221b82d7355558005b26d8a#n109
	// Getting this wrong silently produces keys that never match.
	KeyByteOrder binaryutil.ByteOrder
}
Set represents an nftables set. Anonymous sets are only valid within the context of a single batch.
type SetDatatype ¶
SetDatatype represents a datatype declared by nft.
func ConcatSetType ¶
func ConcatSetType(types ...SetDatatype) (SetDatatype, error)
ConcatSetType constructs a new SetDatatype which consists of a concatenation of the passed types. It returns ErrTooManyTypes, if nftMagic would overflow (more than 5 types).
func ConcatSetTypeElements ¶
func ConcatSetTypeElements(t SetDatatype) []SetDatatype
ConcatSetTypeElements uses the name of a SetDatatype built by ConcatSetType to calculate and return the list of base types that were used to construct the concatenated type.
func MustConcatSetType ¶
func MustConcatSetType(types ...SetDatatype) SetDatatype
MustConcatSetType does the same as ConcatSetType, but panics instead of returning an error. It simplifies safe initialization of global variables.
func (*SetDatatype) GetNFTMagic ¶
func (s *SetDatatype) GetNFTMagic() uint32
GetNFTMagic returns the datatype's nftables "magic" value — the packed type identifier that is sent to the kernel for the set's key/data type.
func (*SetDatatype) SetNFTMagic ¶
func (s *SetDatatype) SetNFTMagic(nftMagic uint32)
SetNFTMagic sets the datatype's nftables "magic" value, allowing a custom datatype to be described that this package does not predefine.
type SetElement ¶
// SetElement represents a data point within a set.
type SetElement struct {
	// Key must be encoded with the set's KeyType.Bytes length and
	// KeyByteOrder; Val is only used for maps (IsMap).
	Key []byte
	Val []byte
	// Field used for definition of ending interval value in concatenated types
	// https://git.netfilter.org/libnftnl/tree/include/set_elem.h?id=e2514c0eff4da7e8e0aabd410f7b7d0b7564c880#n11
	KeyEnd      []byte
	IntervalEnd bool
	// To support vmap, a caller must be able to pass Verdict type of data.
	// If IsMap is true and VerdictData is not nil, then Val of SetElement will be ignored
	// and VerdictData will be wrapped into Attribute data.
	VerdictData *expr.Verdict
	// To support aging of set elements
	Timeout time.Duration
	// Life left of the "timeout" elements
	Expires time.Duration
	Counter *expr.Counter
}
SetElement represents a data point within a set.
type Table ¶
// A Table contains Chains. Name and Family together identify a table in the
// kernel; Use and Flags are reported by the kernel when listing.
type Table struct {
	Name   string // NFTA_TABLE_NAME
	Use    uint32 // NFTA_TABLE_USE (Number of chains in table)
	Flags  uint32 // NFTA_TABLE_FLAGS
	Family TableFamily
}
A Table contains Chains. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables
type TableFamily ¶
type TableFamily byte
TableFamily specifies the address family for this table.
// Possible TableFamily values, mirroring the NFPROTO_* constants from
// golang.org/x/sys/unix. TableFamilyINet covers both IPv4 and IPv6;
// TableFamilyUnspecified is accepted by the List* methods to mean "all".
const (
	TableFamilyUnspecified TableFamily = unix.NFPROTO_UNSPEC
	TableFamilyINet        TableFamily = unix.NFPROTO_INET
	TableFamilyIPv4        TableFamily = unix.NFPROTO_IPV4
	TableFamilyIPv6        TableFamily = unix.NFPROTO_IPV6
	TableFamilyARP         TableFamily = unix.NFPROTO_ARP
	TableFamilyNetdev      TableFamily = unix.NFPROTO_NETDEV
	TableFamilyBridge      TableFamily = unix.NFPROTO_BRIDGE
)
Possible TableFamily values.