drivers

Published: Aug 17, 2021 License: Apache-2.0 Imports: 21 Imported by: 0


Constants

// FilterIPv4All is the sentinel value passed to the firewall package to mean
// "filter all IPv4 traffic". It is the IPv4 unspecified address; NOTE(review):
// drivers are presumably expected to special-case it rather than emit it as a
// literal address match — confirm against the driver implementations.
const FilterIPv4All = "0.0.0.0"

FilterIPv4All is passed to the firewall package to indicate that all IPv4 traffic should be filtered.

// FilterIPv6All is the sentinel value passed to the firewall package to mean
// "filter all IPv6 traffic". It is the IPv6 unspecified address; NOTE(review):
// drivers are presumably expected to special-case it rather than emit it as a
// literal address match — confirm against the driver implementations.
const FilterIPv6All = "::"

FilterIPv6All is passed to the firewall package to indicate that all IPv6 traffic should be filtered.

Variables

This section is empty.

Functions

This section is empty.

Types

type ACLRule

// ACLRule represents an ACL rule that can be added to a firewall.
//
// All match fields are plain strings that the drivers turn into nftables or
// xtables rules. NOTE(review): the accepted formats (single address, CIDR,
// range, port list, ...) and any validation are not visible here — confirm in
// the driver implementations before passing user-supplied values through.
type ACLRule struct {
	Direction       string // Either "ingress" or "egress".
	Action          string // Verdict applied to matching packets; accepted values not visible here — TODO confirm.
	Log             bool   // Whether or not to log matched packets.
	LogName         string // Log label name (requires Log be true).
	Source          string // Source address match; empty presumably means any — TODO confirm.
	Destination     string // Destination address match; empty presumably means any — TODO confirm.
	Protocol        string // Transport/network protocol match (e.g. tcp, udp, icmp4/icmp6) — format not visible here.
	SourcePort      string // Source port match; only meaningful for port-based protocols.
	DestinationPort string // Destination port match; only meaningful for port-based protocols.
	ICMPType        string // ICMP type match; only meaningful for ICMP protocols.
	ICMPCode        string // ICMP code match; only meaningful for ICMP protocols.
}

ACLRule represents an ACL rule that can be added to a firewall.

type FeatureOpts

// FeatureOpts specify how firewall features are set up for one IP family.
//
// A FeatureOpts value is attached to Opts.FeaturesV4 / Opts.FeaturesV6; a nil
// pointer there disables the firewall for that family altogether.
type FeatureOpts struct {
	ICMPDHCPDNSAccess bool // Add rules to allow ICMP, DHCP and DNS access to the network.
	ForwardingAllow   bool // Add rules to allow IP forwarding. Forwarding is explicitly blocked if false.
}

FeatureOpts specify how firewall features are setup.

type Nftables

// Nftables is an implementation of the LXD firewall using nftables.
// The type carries no state; every method receives all the inputs it needs.
type Nftables struct{}

Nftables is an implementation of the LXD firewall using nftables.

func (Nftables) Compat

func (d Nftables) Compat() (bool, error)

Compat returns whether the driver backend is in use, and any host compatibility errors.

func (Nftables) InstanceClearBridgeFilter

func (d Nftables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, _ net.IP, _ net.IP) error

InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering. The nftables driver ignores the trailing IPv4 and IPv6 arguments (shown as `_` in the signature).

func (Nftables) InstanceClearProxyNAT

func (d Nftables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error

InstanceClearProxyNAT removes the DNAT rules for proxy devices.

func (Nftables) InstanceClearRPFilter

func (d Nftables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error

InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.

func (Nftables) InstanceSetupBridgeFilter

func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP, _ bool) error

InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering. The nftables driver ignores the final parentManaged argument (shown as `_` in the signature), unlike the Xtables driver.

func (Nftables) InstanceSetupProxyNAT

func (d Nftables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, listen, connect *deviceConfig.ProxyAddress) error

InstanceSetupProxyNAT creates DNAT rules for proxy devices.

func (Nftables) InstanceSetupRPFilter

func (d Nftables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error

InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.

func (Nftables) NetworkApplyACLRules

func (d Nftables) NetworkApplyACLRules(networkName string, rules []ACLRule) error

NetworkApplyACLRules applies ACL rules to the existing firewall chains.

func (Nftables) NetworkClear

func (d Nftables) NetworkClear(networkName string, _ bool, _ []uint) error

NetworkClear removes the LXD network related chains. The delete and ipVersions arguments have no effect for the nftables driver.

func (Nftables) NetworkSetup

func (d Nftables) NetworkSetup(networkName string, opts Opts) error

NetworkSetup configures the network firewall for networkName according to opts.

func (Nftables) String

func (d Nftables) String() string

String returns the driver name.

type Opts

// Opts for setting up the firewall of a network via NetworkSetup.
//
// Each pointer field is optional: a nil FeaturesV4/FeaturesV6 leaves the
// firewall for that IP family off, and a nil SNATV4/SNATV6 installs no SNAT
// for that family.
type Opts struct {
	FeaturesV4 *FeatureOpts // Enable IPv4 firewall with specified options. Off if not provided.
	FeaturesV6 *FeatureOpts // Enable IPv6 firewall with specified options. Off if not provided.
	SNATV4     *SNATOpts    // Enable IPv4 SNAT with specified options. Off if not provided.
	SNATV6     *SNATOpts    // Enable IPv6 SNAT with specified options. Off if not provided.
	ACL        bool         // Enable ACL during setup.
}

Opts for setting up the firewall.

type SNATOpts

// SNATOpts specify how SNAT rules are set up for one IP family.
type SNATOpts struct {
	Append      bool       // Append rules instead of inserting them (has no effect if the driver doesn't support it).
	Subnet      *net.IPNet // Subnet of the source network used to identify candidate traffic for SNAT.
	SNATAddress net.IP     // Fixed SNAT IP address to use. If nil then MASQUERADE (dynamic outbound address) is used.
}

SNATOpts specify how SNAT rules are setup.

type Xtables

// Xtables is an implementation of the LXD firewall using {ip, ip6, eb}tables.
// The type carries no state; every method receives all the inputs it needs.
type Xtables struct{}

Xtables is an implementation of the LXD firewall using {ip, ip6, eb}tables.

func (Xtables) Compat

func (d Xtables) Compat() (bool, error)

Compat returns whether the driver backend is in use, and any host compatibility errors.

func (Xtables) InstanceClearBridgeFilter

func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP) error

InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.

func (Xtables) InstanceClearProxyNAT

func (d Xtables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error

InstanceClearProxyNAT removes the DNAT rules for proxy devices.

func (Xtables) InstanceClearRPFilter

func (d Xtables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error

InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.

func (Xtables) InstanceSetupBridgeFilter

func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4 net.IP, IPv6 net.IP, parentManaged bool) error

InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering. If the parent bridge is managed by LXD then the parentManaged argument should be true so that the rules added can use the iptablesChainACLFilterPrefix chain. If not, they are added to the main filter chains directly (which only works for unmanaged bridges, because those don't support ACLs). Passing the wrong value for parentManaged therefore places the filter rules in the wrong chain set.

func (Xtables) InstanceSetupProxyNAT

func (d Xtables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, listen *deviceConfig.ProxyAddress, connect *deviceConfig.ProxyAddress) error

InstanceSetupProxyNAT creates DNAT rules for proxy devices.

func (Xtables) InstanceSetupRPFilter

func (d Xtables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error

InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.

func (Xtables) NetworkApplyACLRules

func (d Xtables) NetworkApplyACLRules(networkName string, rules []ACLRule) error

NetworkApplyACLRules applies ACL rules to the existing firewall chains.

func (Xtables) NetworkClear

func (d Xtables) NetworkClear(networkName string, delete bool, ipVersions []uint) error

NetworkClear removes the network's rules from the filter, mangle and nat tables for each IP version in ipVersions. If delete is true then the network-specific chains are also removed.

func (Xtables) NetworkSetup

func (d Xtables) NetworkSetup(networkName string, opts Opts) error

NetworkSetup configures the network firewall for networkName according to opts.

func (Xtables) String

func (d Xtables) String() string

String returns the driver name.
