Documentation
¶
Index ¶
- Constants
- func NF_ADD(m v1.Match, a v1.Action, chain string, buffer *bytes.Buffer, args ...string)
- func NF_DEL(m v1.Match, a v1.Action, chain string, buffer *bytes.Buffer, args ...string)
- type Balance
- type CTSTATE
- type ChainName
- type ConnMark
- type Dnat
- type FlushFlag
- type IPV4Interface
- type IPV6Interface
- type Interface
- type L3Protocol
- type L4Protocol
- type Mark
- type Masquerade
- type Match
- type Option
- type Policy
- type RestoreCountersFlag
- type RulePosition
- type Snat
- type TableName
- type Target
- type TargetCommand
Constants ¶
View Source
const ( TableNAT TableName = "nat" TableFilter TableName = "filter" TableMangle TableName = "mangle" TableRaw TableName = "raw" ChainInput ChainName = "INPUT" ChainOutput ChainName = "OUTPUT" ChainForward ChainName = "FORWARD" ChainPrerouting ChainName = "PREROUTING" ChainPostrouting ChainName = "POSTROUTING" PolicyAccept Policy = "ACCEPT" PolicyReturn Policy = "RETURN" PolicyReject Policy = "REJECT" PolicyDrop Policy = "DROP" ProtocolIPv4 L3Protocol = "IPv4" ProtocolIPv6 L3Protocol = "IPv6" ProtocolTCP L4Protocol = "tcp" ProtocolUDP L4Protocol = "udp" )
Variables ¶
This section is empty.
Functions ¶
Types ¶
type ConnMark ¶
type ConnMark struct {
// set-mark mark[/mask]. Set connection mark. If a mask is specified then only those bits set in the mask is modified.
SetMark string `json:"--set-mark,omitempty"`
// save-mark [--mask mask]. Copy the netfilter packet mark value to the connection mark. If a mask is specified then only those bits are copied.
SaveMark string `json:"--save-mark,omitempty"`
// restore-mark [--mask mask]. Copy the connection mark value to the packet. If a mask is specified then only those bits are copied. This is only valid in the mangle table.
RestoreMark string `json:"--restore-mark,omitempty"`
}
type Dnat ¶
type Dnat struct {
// to-destination ipaddr[-ipaddr][:port-port]. which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified.
Destination string `json:"--to-destination,omitempty"`
}
type IPV4Interface ¶
type IPV4Interface interface {
Interface
}
func NewIPV4 ¶
func NewIPV4() IPV4Interface
type IPV6Interface ¶
type IPV6Interface interface {
Interface
}
func NewIPV6 ¶
func NewIPV6() IPV6Interface
type Interface ¶
type Interface interface {
// EnsureChain checks if the specified chain exists and, if not, creates it. If the chain existed, return true.
EnsureChain(table TableName, chain ChainName) (bool, error)
// FlushChain clears the specified chain. If the chain did not exist, return error.
FlushChain(table TableName, chain ChainName) error
// DeleteChain deletes the specified chain. If the chain did not exist, return error.
DeleteChain(table TableName, chain ChainName) error
// EnsureRule checks if the specified rule is present and, if not, creates it. If the rule existed, return true.
EnsureRule(position RulePosition, table TableName, chain ChainName, args ...string) (bool, error)
// DeleteRule checks if the specified rule is present and, if so, deletes it.
DeleteRule(table TableName, chain ChainName, args ...string) error
// IsIPv6 returns true if this is managing ipv6 tables.
IsIPv6() bool
// Protocol returns the IP family this instance is managing,
L3Protocol() L3Protocol
// SaveInto calls `iptables-save` for table and stores result in a given buffer.
SaveInto(table TableName, buffer *bytes.Buffer) error
// Restore runs `iptables-restore` passing data through []byte.
// table is the Table to restore
// data should be formatted like the output of SaveInto()
// flush sets the presence of the "--noflush" flag. see: FlushFlag
// counters sets the "--counters" flag. see: RestoreCountersFlag
Restore(table TableName, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
// RestoreAll is the same as Restore except that no table is specified.
RestoreAll(data []byte, flush FlushFlag, counters RestoreCountersFlag) error
// Monitor detects when the given iptables tables have been flushed by an external
// tool (e.g. a firewall reload) by creating canary chains and polling to see if
// they have been deleted. (Specifically, it polls tables[0] every interval until
// the canary has been deleted from there, then waits a short additional time for
// the canaries to be deleted from the remaining tables as well. You can optimize
// the polling by listing a relatively empty table in tables[0]). When a flush is
// detected, this calls the reloadFunc so the caller can reload their own iptables
// rules. If it is unable to create the canary chains (either initially or after
// a reload) it will log an error and stop monitoring.
// (This function should be called from a goroutine.)
Monitor(canary ChainName, tables []TableName, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
// HasRandomFully reveals whether `-j MASQUERADE` takes the
// `--random-fully` option. This is helpful to work around a
// Linux kernel bug that sometimes causes multiple flows to get
// mapped to the same IP:PORT and consequently some suffer packet
// drops.
HasRandomFully() bool
GetChainLines(table TableName, bytes []byte) map[ChainName][]byte
}
type L3Protocol ¶
type L3Protocol string
type L4Protocol ¶
type L4Protocol string
type Mark ¶
type Mark struct {
// set-mark mark. This is used to set the netfilter mark value associated with the packet. Range: 2^32-1
MarkValue uint32 `json:"--set-mark,omitempty"`
}
type Masquerade ¶
type Masquerade struct {
// to-ports port[-port]. This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp
Port string `json:"--to-ports,omitempty"`
}
func (*Masquerade) EnsurePort ¶
func (m *Masquerade) EnsurePort() string
type RestoreCountersFlag ¶
type RestoreCountersFlag bool
RestoreCountersFlag is an option flag for Restore
const NoRestoreCounters RestoreCountersFlag = false
NoRestoreCounters a boolean false constant for the option flag RestoreCountersFlag
const RestoreCounters RestoreCountersFlag = true
RestoreCounters a boolean true constant for the option flag RestoreCountersFlag
type RulePosition ¶
type RulePosition string
const ( // Prepend is the insert flag for iptable Prepend RulePosition = "-I" // Append is the append flag for iptable Append RulePosition = "-A" )
type Snat ¶
type Snat struct {
//to-source ipaddr[-ipaddr][:port-port]. port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.
Source string `json:"--to-source,omitempty"`
}
func (*Snat) EnsureSource ¶
type TargetCommand ¶
type TargetCommand string
const ( BALANCE TargetCommand = "BALANCE" CONNMARK TargetCommand = "CONNMARK" DNAT TargetCommand = "DNAT" MARK TargetCommand = "MARK" MASQUERADE TargetCommand = "MASQUERADE" SNAT TargetCommand = "SNAT" )
Source Files
Click to show internal directories.
Click to hide internal directories.