nftables

package module
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 10, 2024 License: Apache-2.0 Imports: 15 Imported by: 141

README

Build Status GoDoc

This is not the correct repository for issues with the Linux nftables project! This repository contains a third-party Go package to programmatically interact with nftables. Find the official nftables website at https://wiki.nftables.org/

This package manipulates Linux nftables (the iptables successor). It is implemented in pure Go, i.e. does not wrap libnftnl.

This is not an official Google product.

Breaking changes

This package is in very early stages, and only contains enough data types and functions to install very basic nftables rules. It is likely that mistakes with the data types/API will be identified as more functionality is added.

Contributions

Contributions are very welcome!

Documentation

Overview

Package nftables manipulates Linux nftables (the iptables successor).

Index

Examples

Constants

View Source
const (
	// not in ztypes_linux.go, added here
	// https://cs.opensource.google/go/x/sys/+/c6bc011c:unix/ztypes_linux.go;l=1870-1892
	NFT_MSG_NEWFLOWTABLE = 0x16
	NFT_MSG_GETFLOWTABLE = 0x17
	NFT_MSG_DELFLOWTABLE = 0x18
)
View Source
const (
	NFTA_FLOWTABLE_TABLE
	NFTA_FLOWTABLE_NAME
	NFTA_FLOWTABLE_HOOK
	NFTA_FLOWTABLE_USE
	NFTA_FLOWTABLE_HANDLE
	NFTA_FLOWTABLE_PAD
	NFTA_FLOWTABLE_FLAGS
)
View Source
const (
	NFTA_FLOWTABLE_HOOK_NUM
	NFTA_FLOWTABLE_PRIORITY
	NFTA_FLOWTABLE_DEVS
)
View Source
const (
	NFTA_OBJ_USERDATA = 8
	NFT_OBJECT_QUOTA  = 2
)

SetConcatTypeBits defines concatination bits, originally defined in https://git.netfilter.org/iptables/tree/iptables/nft.c?id=26753888720d8e7eb422ae4311348347f5a05cb4#n1002

View Source
const (
	// not in ztypes_linux.go, added here, used for flowtable device name specification
	// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1709
	NFTA_DEVICE_NAME = 1
)

Variables

View Source
var (
	TypeInvalid     = SetDatatype{Name: "invalid", /* contains filtered or unexported fields */}
	TypeVerdict     = SetDatatype{Name: "verdict", Bytes: 0, /* contains filtered or unexported fields */}
	TypeNFProto     = SetDatatype{Name: "nf_proto", Bytes: 1, /* contains filtered or unexported fields */}
	TypeBitmask     = SetDatatype{Name: "bitmask", Bytes: 0, /* contains filtered or unexported fields */}
	TypeInteger     = SetDatatype{Name: "integer", Bytes: 4, /* contains filtered or unexported fields */}
	TypeString      = SetDatatype{Name: "string", Bytes: 0, /* contains filtered or unexported fields */}
	TypeLLAddr      = SetDatatype{Name: "ll_addr", Bytes: 0, /* contains filtered or unexported fields */}
	TypeIPAddr      = SetDatatype{Name: "ipv4_addr", Bytes: 4, /* contains filtered or unexported fields */}
	TypeIP6Addr     = SetDatatype{Name: "ipv6_addr", Bytes: 16, /* contains filtered or unexported fields */}
	TypeEtherAddr   = SetDatatype{Name: "ether_addr", Bytes: 6, /* contains filtered or unexported fields */}
	TypeEtherType   = SetDatatype{Name: "ether_type", Bytes: 2, /* contains filtered or unexported fields */}
	TypeARPOp       = SetDatatype{Name: "arp_op", Bytes: 2, /* contains filtered or unexported fields */}
	TypeInetProto   = SetDatatype{Name: "inet_proto", Bytes: 1, /* contains filtered or unexported fields */}
	TypeInetService = SetDatatype{Name: "inet_service", Bytes: 2, /* contains filtered or unexported fields */}
	TypeICMPType    = SetDatatype{Name: "icmp_type", Bytes: 1, /* contains filtered or unexported fields */}
	TypeTCPFlag     = SetDatatype{Name: "tcp_flag", Bytes: 1, /* contains filtered or unexported fields */}
	TypeDCCPPktType = SetDatatype{Name: "dccp_pkttype", Bytes: 1, /* contains filtered or unexported fields */}
	TypeMHType      = SetDatatype{Name: "mh_type", Bytes: 1, /* contains filtered or unexported fields */}
	TypeTime        = SetDatatype{Name: "time", Bytes: 8, /* contains filtered or unexported fields */}
	TypeMark        = SetDatatype{Name: "mark", Bytes: 4, /* contains filtered or unexported fields */}
	TypeIFIndex     = SetDatatype{Name: "iface_index", Bytes: 4, /* contains filtered or unexported fields */}
	TypeARPHRD      = SetDatatype{Name: "iface_type", Bytes: 2, /* contains filtered or unexported fields */}
	TypeRealm       = SetDatatype{Name: "realm", Bytes: 4, /* contains filtered or unexported fields */}
	TypeClassID     = SetDatatype{Name: "classid", Bytes: 4, /* contains filtered or unexported fields */}
	TypeUID         = SetDatatype{Name: "uid", Bytes: sizeOfUIDT, /* contains filtered or unexported fields */}
	TypeGID         = SetDatatype{Name: "gid", Bytes: sizeOfGIDT, /* contains filtered or unexported fields */}
	TypeCTState     = SetDatatype{Name: "ct_state", Bytes: 4, /* contains filtered or unexported fields */}
	TypeCTDir       = SetDatatype{Name: "ct_dir", Bytes: 1, /* contains filtered or unexported fields */}
	TypeCTStatus    = SetDatatype{Name: "ct_status", Bytes: 4, /* contains filtered or unexported fields */}
	TypeICMP6Type   = SetDatatype{Name: "icmpv6_type", Bytes: 1, /* contains filtered or unexported fields */}
	TypeCTLabel     = SetDatatype{Name: "ct_label", Bytes: ctLabelBitSize / 8, /* contains filtered or unexported fields */}
	TypePktType     = SetDatatype{Name: "pkt_type", Bytes: 1, /* contains filtered or unexported fields */}
	TypeICMPCode    = SetDatatype{Name: "icmp_code", Bytes: 1, /* contains filtered or unexported fields */}
	TypeICMPV6Code  = SetDatatype{Name: "icmpv6_code", Bytes: 1, /* contains filtered or unexported fields */}
	TypeICMPXCode   = SetDatatype{Name: "icmpx_code", Bytes: 1, /* contains filtered or unexported fields */}
	TypeDevGroup    = SetDatatype{Name: "devgroup", Bytes: 4, /* contains filtered or unexported fields */}
	TypeDSCP        = SetDatatype{Name: "dscp", Bytes: 1, /* contains filtered or unexported fields */}
	TypeECN         = SetDatatype{Name: "ecn", Bytes: 1, /* contains filtered or unexported fields */}
	TypeFIBAddr     = SetDatatype{Name: "fib_addrtype", Bytes: 4, /* contains filtered or unexported fields */}
	TypeBoolean     = SetDatatype{Name: "boolean", Bytes: 1, /* contains filtered or unexported fields */}
	TypeCTEventBit  = SetDatatype{Name: "ct_event", Bytes: 4, /* contains filtered or unexported fields */}
	TypeIFName      = SetDatatype{Name: "ifname", Bytes: ifNameSize, /* contains filtered or unexported fields */}
	TypeIGMPType    = SetDatatype{Name: "igmp_type", Bytes: 1, /* contains filtered or unexported fields */}
	TypeTimeDate    = SetDatatype{Name: "time", Bytes: 8, /* contains filtered or unexported fields */}
	TypeTimeHour    = SetDatatype{Name: "hour", Bytes: 4, /* contains filtered or unexported fields */}
	TypeTimeDay     = SetDatatype{Name: "day", Bytes: 1, /* contains filtered or unexported fields */}
	TypeCGroupV2    = SetDatatype{Name: "cgroupsv2", Bytes: 8, /* contains filtered or unexported fields */}
)

NFT datatypes. See: https://git.netfilter.org/nftables/tree/include/datatype.h

View Source
var ErrTooManyTypes = errors.New("too many types to concat")

ErrTooManyTypes is the error returned by ConcatSetType, if nftMagic would overflow.

Functions

func NetFirstAndLastIP added in v0.2.0

func NetFirstAndLastIP(networkCIDR string) (first, last net.IP, err error)

NetFirstAndLastIP takes the beginning address of an entire network in CIDR notation (e.g. 192.168.1.0/24) and returns the first and last IP addresses within the network (e.g. first 192.168.1.0, last 192.168.1.255).

Note that these are the first and last IP addresses, not the first and last *usable* IP addresses (which would be 192.168.1.1 and 192.168.1.254, respectively, for 192.168.1.0/24).

Types

type Chain

type Chain struct {
	Name     string
	Table    *Table
	Hooknum  *ChainHook
	Priority *ChainPriority
	Type     ChainType
	Policy   *ChainPolicy
}

A Chain contains Rules. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

type ChainHook

type ChainHook uint32

ChainHook specifies at which step in packet processing the Chain should be executed. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks

Possible ChainHook values.

func ChainHookRef

func ChainHookRef(h ChainHook) *ChainHook

ChainHookRef returns a pointer to a ChainHookRef value.

type ChainPolicy

type ChainPolicy uint32

ChainPolicy defines what this chain default policy will be.

const (
	ChainPolicyDrop ChainPolicy = iota
	ChainPolicyAccept
)

Possible ChainPolicy values.

type ChainPriority

type ChainPriority int32

ChainPriority orders the chain relative to Netfilter internal operations. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority

var (
	ChainPriorityFirst            *ChainPriority = ChainPriorityRef(math.MinInt32)
	ChainPriorityConntrackDefrag  *ChainPriority = ChainPriorityRef(-400)
	ChainPriorityRaw              *ChainPriority = ChainPriorityRef(-300)
	ChainPrioritySELinuxFirst     *ChainPriority = ChainPriorityRef(-225)
	ChainPriorityConntrack        *ChainPriority = ChainPriorityRef(-200)
	ChainPriorityMangle           *ChainPriority = ChainPriorityRef(-150)
	ChainPriorityNATDest          *ChainPriority = ChainPriorityRef(-100)
	ChainPriorityFilter           *ChainPriority = ChainPriorityRef(0)
	ChainPrioritySecurity         *ChainPriority = ChainPriorityRef(50)
	ChainPriorityNATSource        *ChainPriority = ChainPriorityRef(100)
	ChainPrioritySELinuxLast      *ChainPriority = ChainPriorityRef(225)
	ChainPriorityConntrackHelper  *ChainPriority = ChainPriorityRef(300)
	ChainPriorityConntrackConfirm *ChainPriority = ChainPriorityRef(math.MaxInt32)
	ChainPriorityLast             *ChainPriority = ChainPriorityRef(math.MaxInt32)
)

Possible ChainPriority values.

func ChainPriorityRef

func ChainPriorityRef(p ChainPriority) *ChainPriority

ChainPriorityRef returns a pointer to a ChainPriority value.

type ChainType

type ChainType string

ChainType defines what this chain will be used for. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types

const (
	ChainTypeFilter ChainType = "filter"
	ChainTypeRoute  ChainType = "route"
	ChainTypeNAT    ChainType = "nat"
)

Possible ChainType values.

type Conn

type Conn struct {
	TestDial nltest.Func // for testing only; passed to nltest.Dial
	NetNS    int         // fd referencing the network namespace netlink will interact with.
	// contains filtered or unexported fields
}

A Conn represents a netlink connection of the nftables family.

All methods return their input, so that variables can be defined from string literals when desired.

Commands are buffered. Flush sends all buffered commands in a single batch.

func New

func New(opts ...ConnOption) (*Conn, error)

New returns a netlink connection for querying and modifying nftables. Some aspects of the new netlink connection can be configured using the options WithNetNSFd, WithTestDial, and AsLasting.

A lasting netlink connection should be closed by calling CloseLasting() to close the underlying lasting netlink connection, cancelling all pending operations using this connection.

func (*Conn) AddChain

func (cc *Conn) AddChain(c *Chain) *Chain

AddChain adds the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Adding_base_chains

func (*Conn) AddFlowtable

func (cc *Conn) AddFlowtable(f *Flowtable) *Flowtable

func (*Conn) AddMonitor added in v0.2.0

func (cc *Conn) AddMonitor(monitor *Monitor) (chan *MonitorEvent, error)

AddMonitor to perform the monitor immediately. The channel will be closed after calling Close on Monitor or encountering a netlink conn error while Receive. Caller may receive a MonitorEventTypeOOB event which contains an error we didn't handle, for now.

func (*Conn) AddObj

func (cc *Conn) AddObj(o Obj) Obj

AddObj adds the specified Obj. See also https://wiki.nftables.org/wiki-nftables/index.php/Stateful_objects

func (*Conn) AddObject

func (cc *Conn) AddObject(o Obj) Obj

AddObject adds the specified Obj. Alias of AddObj.

func (*Conn) AddRule

func (cc *Conn) AddRule(r *Rule) *Rule

func (*Conn) AddSet

func (cc *Conn) AddSet(s *Set, vals []SetElement) error

AddSet adds the specified Set.

func (*Conn) AddTable

func (cc *Conn) AddTable(t *Table) *Table

AddTable adds the specified Table, just like `nft add table ...`. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables

func (*Conn) CloseLasting

func (cc *Conn) CloseLasting() error

CloseLasting closes the lasting netlink connection that has been opened using AsLasting option when creating this connection. If either no lasting netlink connection has been opened or the lasting connection is already in the process of closing or has been closed, CloseLasting will immediately return without any error.

CloseLasting will terminate all pending netlink operations using the lasting connection.

After closing a lasting connection, the connection will revert to using on-demand transient netlink connections when calling further netlink operations (such as GetTables).

func (*Conn) CreateTable added in v0.2.0

func (cc *Conn) CreateTable(t *Table) *Table

CreateTable create the specified Table if it do not existed. just like `nft create table ...`.

func (*Conn) DelChain

func (cc *Conn) DelChain(c *Chain)

DelChain deletes the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Deleting_chains

func (*Conn) DelFlowtable

func (cc *Conn) DelFlowtable(f *Flowtable)

func (*Conn) DelRule

func (cc *Conn) DelRule(r *Rule) error

DelRule deletes the specified Rule, rule's handle cannot be 0

func (*Conn) DelSet

func (cc *Conn) DelSet(s *Set)

DelSet deletes a specific set, along with all elements it contains.

func (*Conn) DelTable

func (cc *Conn) DelTable(t *Table)

DelTable deletes a specific table, along with all chains/rules it contains.

func (*Conn) DeleteObject

func (cc *Conn) DeleteObject(o Obj)

DeleteObject deletes the specified Obj

func (*Conn) Flush

func (cc *Conn) Flush() error

Flush sends all buffered commands in a single batch to nftables.

func (*Conn) FlushChain

func (cc *Conn) FlushChain(c *Chain)

FlushChain removes all rules within the specified Chain. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Flushing_chain

func (*Conn) FlushRuleset

func (cc *Conn) FlushRuleset()

FlushRuleset flushes the entire ruleset. See also https://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level

func (*Conn) FlushSet

func (cc *Conn) FlushSet(s *Set)

FlushSet deletes all data points from an nftables set.

func (*Conn) FlushTable

func (cc *Conn) FlushTable(t *Table)

FlushTable removes all rules in all chains within the specified Table. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables#Flushing_tables

func (*Conn) GetObj

func (cc *Conn) GetObj(o Obj) ([]Obj, error)

GetObj is a legacy method that return all Obj that belongs to the same table as the given one

func (*Conn) GetObjReset

func (cc *Conn) GetObjReset(o Obj) ([]Obj, error)

GetObjReset is a legacy method that reset all Obj that belongs the same table as the given one

func (*Conn) GetObject

func (cc *Conn) GetObject(o Obj) (Obj, error)

GetObject gets the specified Object

func (*Conn) GetObjects

func (cc *Conn) GetObjects(t *Table) ([]Obj, error)

GetObjects get all the Obj that belongs to the given table

func (*Conn) GetRule deprecated

func (cc *Conn) GetRule(t *Table, c *Chain) ([]*Rule, error)

GetRule returns the rules in the specified table and chain.

Deprecated: use GetRules instead.

func (*Conn) GetRules

func (cc *Conn) GetRules(t *Table, c *Chain) ([]*Rule, error)

GetRules returns the rules in the specified table and chain.

func (*Conn) GetSetByName

func (cc *Conn) GetSetByName(t *Table, name string) (*Set, error)

GetSetByName returns the set in the specified table if matching name is found.

func (*Conn) GetSetElements

func (cc *Conn) GetSetElements(s *Set) ([]SetElement, error)

GetSetElements returns the elements in the specified set.

func (*Conn) GetSets

func (cc *Conn) GetSets(t *Table) ([]*Set, error)

GetSets returns the sets in the specified table.

func (*Conn) InsertRule

func (cc *Conn) InsertRule(r *Rule) *Rule

func (*Conn) ListChains

func (cc *Conn) ListChains() ([]*Chain, error)

ListChains returns currently configured chains in the kernel

func (*Conn) ListChainsOfTableFamily

func (cc *Conn) ListChainsOfTableFamily(family TableFamily) ([]*Chain, error)

ListChainsOfTableFamily returns currently configured chains for the specified family in the kernel. It lists all chains ins all tables if family is TableFamilyUnspecified.

func (*Conn) ListFlowtables

func (cc *Conn) ListFlowtables(t *Table) ([]*Flowtable, error)

func (*Conn) ListTables

func (cc *Conn) ListTables() ([]*Table, error)

ListTables returns currently configured tables in the kernel

func (*Conn) ListTablesOfFamily

func (cc *Conn) ListTablesOfFamily(family TableFamily) ([]*Table, error)

ListTablesOfFamily returns currently configured tables for the specified table family in the kernel. It lists all tables if family is TableFamilyUnspecified.

func (*Conn) ReplaceRule

func (cc *Conn) ReplaceRule(r *Rule) *Rule

func (*Conn) ResetObject

func (cc *Conn) ResetObject(o Obj) (Obj, error)

ResetObject reset the given Obj

func (*Conn) ResetObjects

func (cc *Conn) ResetObjects(t *Table) ([]Obj, error)

ResetObjects reset all the Obj that belongs to the given table

func (*Conn) SetAddElements

func (cc *Conn) SetAddElements(s *Set, vals []SetElement) error

SetAddElements applies data points to an nftables set.

func (*Conn) SetDeleteElements

func (cc *Conn) SetDeleteElements(s *Set, vals []SetElement) error

SetDeleteElements deletes data points from an nftables set.

type ConnOption

type ConnOption func(*Conn)

ConnOption is an option to change the behavior of the nftables Conn returned by Open.

func AsLasting

func AsLasting() ConnOption

AsLasting creates the new netlink connection as a lasting connection that is reused across multiple netlink operations, instead of opening and closing the underlying netlink connection only for the duration of a single netlink operation.

func WithNetNSFd

func WithNetNSFd(fd int) ConnOption

WithNetNSFd sets the network namespace to create a new netlink connection to: the fd must reference a network namespace.

func WithTestDial

func WithTestDial(f nltest.Func) ConnOption

WithTestDial sets the specified nltest.Func when creating a new netlink connection.

type CounterObj

type CounterObj struct {
	Table *Table
	Name  string // e.g. “fwded”

	Bytes   uint64
	Packets uint64
}

CounterObj implements Obj.

type Flowtable

type Flowtable struct {
	Table    *Table
	Name     string
	Hooknum  *FlowtableHook
	Priority *FlowtablePriority
	Devices  []string
	Use      uint32
	// Bitmask flags, can be HW_OFFLOAD or COUNTER
	// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n1621
	Flags  FlowtableFlags
	Handle uint64
}

type FlowtableFlags

type FlowtableFlags uint32
const (
	FlowtableFlagsHWOffload FlowtableFlags
	FlowtableFlagsCounter
	FlowtableFlagsMask = (FlowtableFlagsHWOffload | FlowtableFlagsCounter)
)

type FlowtablePriority

type FlowtablePriority int32
var (
	// As per man page:
	// The priority can be a signed integer or filter which stands for 0. Addition and subtraction can be used to set relative priority, e.g. filter + 5 equals to 5.
	// https://git.netfilter.org/nftables/tree/doc/nft.txt?id=8c600a843b7c0c1cc275ecc0603bd1fc57773e98#n712
	FlowtablePriorityFilter *FlowtablePriority = FlowtablePriorityRef(0)
)

func FlowtablePriorityRef

func FlowtablePriorityRef(p FlowtablePriority) *FlowtablePriority

type Monitor added in v0.2.0

type Monitor struct {
	// contains filtered or unexported fields
}

A Monitor is an event-based nftables monitor that will receive one event per new (or deleted) table, chain, rule, set, etc., depending on the monitor configuration.

func NewMonitor added in v0.2.0

func NewMonitor(opts ...MonitorOption) *Monitor

NewMonitor returns a Monitor with options to be started.

Note that NewMonitor only prepares a Monitor. To install the monitor, call Conn.AddMonitor.

Example
package main

import (
	"log"

	"github.com/google/nftables"
)

func main() {
	conn, err := nftables.New()
	if err != nil {
		log.Fatal(err)
	}

	mon := nftables.NewMonitor()
	defer mon.Close()
	events, err := conn.AddMonitor(mon)
	if err != nil {
		log.Fatal(err)
	}
	for ev := range events {
		log.Printf("ev: %+v, data = %T", ev, ev.Data)
		switch ev.Type {
		case nftables.MonitorEventTypeNewTable:
			log.Printf("data = %+v", ev.Data.(*nftables.Table))

			// …more cases if needed…
		}
	}
}
Output:

func (*Monitor) Close added in v0.2.0

func (monitor *Monitor) Close() error

type MonitorAction added in v0.2.0

type MonitorAction uint8
const (
	MonitorActionNew MonitorAction = 1 << iota
	MonitorActionDel
	MonitorActionMask MonitorAction = (1 << iota) - 1
	MonitorActionAny  MonitorAction = MonitorActionMask
)

Possible MonitorAction values.

type MonitorEvent added in v0.2.0

type MonitorEvent struct {
	Type  MonitorEventType
	Data  any
	Error error
}

A MonitorEvent represents a single change received via a Monitor.

Depending on the Type, the Data field can be type-asserted to the specific data type for this event, e.g. when Type is nftables.MonitorEventTypeNewTable, you can access the corresponding table details via Data.(*nftables.Table).

type MonitorEventType added in v0.2.0

type MonitorEventType int
const (
	MonitorEventTypeNewTable   MonitorEventType = unix.NFT_MSG_NEWTABLE
	MonitorEventTypeDelTable   MonitorEventType = unix.NFT_MSG_DELTABLE
	MonitorEventTypeNewChain   MonitorEventType = unix.NFT_MSG_NEWCHAIN
	MonitorEventTypeDelChain   MonitorEventType = unix.NFT_MSG_DELCHAIN
	MonitorEventTypeNewRule    MonitorEventType = unix.NFT_MSG_NEWRULE
	MonitorEventTypeDelRule    MonitorEventType = unix.NFT_MSG_DELRULE
	MonitorEventTypeNewSet     MonitorEventType = unix.NFT_MSG_NEWSET
	MonitorEventTypeDelSet     MonitorEventType = unix.NFT_MSG_DELSET
	MonitorEventTypeNewSetElem MonitorEventType = unix.NFT_MSG_NEWSETELEM
	MonitorEventTypeDelSetElem MonitorEventType = unix.NFT_MSG_DELSETELEM
	MonitorEventTypeNewObj     MonitorEventType = unix.NFT_MSG_NEWOBJ
	MonitorEventTypeDelObj     MonitorEventType = unix.NFT_MSG_DELOBJ
	MonitorEventTypeOOB        MonitorEventType = math.MaxInt // out of band event
)

type MonitorObject added in v0.2.0

type MonitorObject uint32
const (
	MonitorObjectTables MonitorObject = 1 << iota
	MonitorObjectChains
	MonitorObjectSets
	MonitorObjectRules
	MonitorObjectElements
	MonitorObjectRuleset
	MonitorObjectMask MonitorObject = (1 << iota) - 1
	MonitorObjectAny  MonitorObject = MonitorObjectMask
)

Possible MonitorObject values.

type MonitorOption added in v0.2.0

type MonitorOption func(*Monitor)

func WithMonitorAction added in v0.2.0

func WithMonitorAction(action MonitorAction) MonitorOption

WithMonitorAction to set monitor actions like new, del or any.

func WithMonitorEventBuffer added in v0.2.0

func WithMonitorEventBuffer(size int) MonitorOption

func WithMonitorObject added in v0.2.0

func WithMonitorObject(object MonitorObject) MonitorOption

WithMonitorObject to set monitor objects.

type NFGenMsg added in v0.2.0

type NFGenMsg struct {
	NFGenFamily uint8
	Version     uint8
	ResourceID  uint16
}

General form of address family dependent message, see https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nfnetlink.h#29

func (*NFGenMsg) Decode added in v0.2.0

func (genmsg *NFGenMsg) Decode(b []byte)

type Obj

type Obj interface {
	// contains filtered or unexported methods
}

Obj represents a netfilter stateful object. See also https://wiki.nftables.org/wiki-nftables/index.php/Stateful_objects

type QuotaObj added in v0.2.0

type QuotaObj struct {
	Table    *Table
	Name     string
	Bytes    uint64
	Consumed uint64
	Over     bool
}

type Rule

type Rule struct {
	Table    *Table
	Chain    *Chain
	Position uint64
	Handle   uint64
	// The list of possible flags are specified by nftnl_rule_attr, see
	// https://git.netfilter.org/libnftnl/tree/include/libnftnl/rule.h#n21
	// Current nftables go implementation supports only
	// NFTNL_RULE_POSITION flag for setting rule at position 0
	Flags    uint32
	Exprs    []expr.Any
	UserData []byte
}

A Rule does something with a packet. See also https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management

type Set

type Set struct {
	Table      *Table
	ID         uint32
	Name       string
	Anonymous  bool
	Constant   bool
	Interval   bool
	IsMap      bool
	HasTimeout bool
	Counter    bool
	// Can be updated per evaluation path, per `nft list ruleset`
	// indicates that set contains "flags dynamic"
	// https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=84d12cfacf8ddd857a09435f3d982ab6250d250c#n298
	Dynamic bool
	// Indicates that the set contains a concatenation
	// https://git.netfilter.org/nftables/tree/include/linux/netfilter/nf_tables.h?id=d1289bff58e1878c3162f574c603da993e29b113#n306
	Concatenation bool
	Timeout       time.Duration
	KeyType       SetDatatype
	DataType      SetDatatype
	// Either host (binaryutil.NativeEndian) or big (binaryutil.BigEndian) endian as per
	// https://git.netfilter.org/nftables/tree/include/datatype.h?id=d486c9e626405e829221b82d7355558005b26d8a#n109
	KeyByteOrder binaryutil.ByteOrder
}

Set represents an nftables set. Anonymous sets are only valid within the context of a single batch.

type SetDatatype

type SetDatatype struct {
	Name  string
	Bytes uint32
	// contains filtered or unexported fields
}

SetDatatype represents a datatype declared by nft.

func ConcatSetType

func ConcatSetType(types ...SetDatatype) (SetDatatype, error)

ConcatSetType constructs a new SetDatatype which consists of a concatenation of the passed types. It returns ErrTooManyTypes, if nftMagic would overflow (more than 5 types).

func ConcatSetTypeElements

func ConcatSetTypeElements(t SetDatatype) []SetDatatype

ConcatSetTypeElements uses the ConcatSetType name to calculate and return a list of base types which were used to construct the concatenated type

func MustConcatSetType

func MustConcatSetType(types ...SetDatatype) SetDatatype

MustConcatSetType does the same as ConcatSetType, but panics instead of an error. It simplifies safe initialization of global variables.

func (*SetDatatype) GetNFTMagic

func (s *SetDatatype) GetNFTMagic() uint32

GetNFTMagic returns a custom datatype based on user's parameters

func (*SetDatatype) SetNFTMagic

func (s *SetDatatype) SetNFTMagic(nftMagic uint32)

SetNFTMagic returns a custom datatype based on user's parameters

type SetElement

type SetElement struct {
	Key []byte
	Val []byte
	// Field used for definition of ending interval value in concatenated types
	// https://git.netfilter.org/libnftnl/tree/include/set_elem.h?id=e2514c0eff4da7e8e0aabd410f7b7d0b7564c880#n11
	KeyEnd      []byte
	IntervalEnd bool
	// To support vmap, a caller must be able to pass Verdict type of data.
	// If IsMap is true and VerdictData is not nil, then Val of SetElement will be ignored
	// and VerdictData will be wrapped into Attribute data.
	VerdictData *expr.Verdict
	// To support aging of set elements
	Timeout time.Duration

	// Life left of the "timeout" elements
	Expires time.Duration

	Counter *expr.Counter
}

SetElement represents a data point within a set.

type Table

type Table struct {
	Name   string // NFTA_TABLE_NAME
	Use    uint32 // NFTA_TABLE_USE (Number of chains in table)
	Flags  uint32 // NFTA_TABLE_FLAGS
	Family TableFamily
}

A Table contains Chains. See also https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables

type TableFamily

type TableFamily byte

TableFamily specifies the address family for this table.

const (
	TableFamilyUnspecified TableFamily = unix.NFPROTO_UNSPEC
	TableFamilyINet        TableFamily = unix.NFPROTO_INET
	TableFamilyIPv4        TableFamily = unix.NFPROTO_IPV4
	TableFamilyIPv6        TableFamily = unix.NFPROTO_IPV6
	TableFamilyARP         TableFamily = unix.NFPROTO_ARP
	TableFamilyNetdev      TableFamily = unix.NFPROTO_NETDEV
	TableFamilyBridge      TableFamily = unix.NFPROTO_BRIDGE
)

Possible TableFamily values.

Directories

Path Synopsis
Package alignedbuff implements encoding and decoding aligned data elements to/from buffers in native endianess.
Package alignedbuff implements encoding and decoding aligned data elements to/from buffers in native endianess.
Package binaryutil contains convenience wrappers around encoding/binary.
Package binaryutil contains convenience wrappers around encoding/binary.
Package expr provides nftables rule expressions.
Package expr provides nftables rule expressions.
internal
nftest
Package nftest contains utility functions for nftables testing.
Package nftest contains utility functions for nftables testing.
Package userdata implements a TLV parser/serializer for libnftables-compatible comments
Package userdata implements a TLV parser/serializer for libnftables-compatible comments
Package xt implements dedicated types for (some) of the "Info" payload in Match and Target expressions that bridge between the nftables and xtables worlds.
Package xt implements dedicated types for (some) of the "Info" payload in Match and Target expressions that bridge between the nftables and xtables worlds.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL