v1.30.1 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: May 14, 2024 License: Apache-2.0 Imports: 9 Imported by: 35




This section is empty.


This section is empty.


This section is empty.


type Chain added in v1.25.0

type Chain struct {
	Name    iptables.Chain
	Packets uint64
	Bytes   uint64
	Rules   []*Rule

	// Deleted is set if the input contained a "-X Name" line; this would never
	// appear in iptables-save output but it could appear in iptables-restore *input*.
	Deleted bool

Chain represents an IPTables chain

type FakeIPTables added in v1.5.0

type FakeIPTables struct {
	Dump *IPTablesDump
	// contains filtered or unexported fields

FakeIPTables is no-op implementation of iptables Interface.

func NewFake

func NewFake() *FakeIPTables

NewFake returns a no-op iptables.Interface

func NewIPv6Fake added in v1.19.0

func NewIPv6Fake() *FakeIPTables

NewIPv6Fake returns a no-op iptables.Interface with IsIPv6() == true

func (*FakeIPTables) ChainExists added in v1.21.0

func (f *FakeIPTables) ChainExists(table iptables.Table, chain iptables.Chain) (bool, error)

ChainExists is part of iptables.Interface

func (*FakeIPTables) DeleteChain added in v1.5.0

func (f *FakeIPTables) DeleteChain(table iptables.Table, chain iptables.Chain) error

DeleteChain is part of iptables.Interface

func (*FakeIPTables) DeleteRule added in v1.5.0

func (f *FakeIPTables) DeleteRule(table iptables.Table, chain iptables.Chain, args ...string) error

DeleteRule is part of iptables.Interface

func (*FakeIPTables) EnsureChain added in v1.5.0

func (f *FakeIPTables) EnsureChain(table iptables.Table, chain iptables.Chain) (bool, error)

EnsureChain is part of iptables.Interface

func (*FakeIPTables) EnsureRule added in v1.5.0

func (f *FakeIPTables) EnsureRule(position iptables.RulePosition, table iptables.Table, chain iptables.Chain, args ...string) (bool, error)

EnsureRule is part of iptables.Interface

func (*FakeIPTables) FlushChain added in v1.5.0

func (f *FakeIPTables) FlushChain(table iptables.Table, chain iptables.Chain) error

FlushChain is part of iptables.Interface

func (*FakeIPTables) HasRandomFully added in v1.16.0

func (f *FakeIPTables) HasRandomFully() bool

HasRandomFully is part of iptables.Interface

func (*FakeIPTables) IsIPv6 added in v1.19.0

func (f *FakeIPTables) IsIPv6() bool

IsIPv6 is part of iptables.Interface

func (*FakeIPTables) Monitor added in v1.17.0

func (f *FakeIPTables) Monitor(canary iptables.Chain, tables []iptables.Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})

Monitor is part of iptables.Interface

func (*FakeIPTables) Present added in v1.23.0

func (f *FakeIPTables) Present() bool

func (*FakeIPTables) Protocol added in v1.19.0

func (f *FakeIPTables) Protocol() iptables.Protocol

Protocol is part of iptables.Interface

func (*FakeIPTables) Restore added in v1.5.0

func (f *FakeIPTables) Restore(table iptables.Table, data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error

Restore is part of iptables.Interface

func (*FakeIPTables) RestoreAll added in v1.5.0

func (f *FakeIPTables) RestoreAll(data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error

RestoreAll is part of iptables.Interface

func (*FakeIPTables) SaveInto added in v1.7.0

func (f *FakeIPTables) SaveInto(table iptables.Table, buffer *bytes.Buffer) error

SaveInto is part of iptables.Interface

func (*FakeIPTables) SetHasRandomFully added in v1.16.0

func (f *FakeIPTables) SetHasRandomFully(can bool) *FakeIPTables

SetHasRandomFully sets f's return value for HasRandomFully()

type IPTablesDump added in v1.25.0

type IPTablesDump struct {
	Tables []Table

IPTablesDump represents a parsed IPTables rules dump (ie, the output of "iptables-save" or input to "iptables-restore")

func ParseIPTablesDump added in v1.25.0

func ParseIPTablesDump(data string) (*IPTablesDump, error)

ParseIPTablesDump parses an IPTables rules dump. Note: this may ignore some bad data.

func (*IPTablesDump) GetChain added in v1.25.0

func (dump *IPTablesDump) GetChain(table iptables.Table, chain iptables.Chain) (*Chain, error)

func (*IPTablesDump) GetTable added in v1.25.0

func (dump *IPTablesDump) GetTable(table iptables.Table) (*Table, error)

func (*IPTablesDump) String added in v1.25.0

func (dump *IPTablesDump) String() string

type IPTablesValue added in v1.25.0

type IPTablesValue struct {
	Negated bool
	Value   string

IPTablesValue is a value of a parameter in an Rule, where the parameter is possibly negated.

func (*IPTablesValue) Matches added in v1.25.0

func (v *IPTablesValue) Matches(cmp string) bool

Matches returns true if cmp equals / doesn't equal v.Value (depending on v.Negated).

func (*IPTablesValue) String added in v1.25.0

func (v *IPTablesValue) String() string

for debugging; otherwise %v will just print the pointer value

type Rule added in v1.5.0

type Rule struct {
	// Raw contains the original raw rule string
	Raw string

	Chain   iptables.Chain `param:"-A"`
	Comment *IPTablesValue `param:"--comment"`

	Protocol *IPTablesValue `param:"-p" negatable:"true"`

	SourceAddress *IPTablesValue `param:"-s" negatable:"true"`
	SourceType    *IPTablesValue `param:"--src-type" negatable:"true"`
	SourcePort    *IPTablesValue `param:"--sport" negatable:"true"`

	DestinationAddress *IPTablesValue `param:"-d" negatable:"true"`
	DestinationType    *IPTablesValue `param:"--dst-type" negatable:"true"`
	DestinationPort    *IPTablesValue `param:"--dport" negatable:"true"`

	MatchSet *IPTablesValue `param:"--match-set" negatable:"true"`

	Jump            *IPTablesValue `param:"-j"`
	RandomFully     *bool          `param:"--random-fully"`
	Probability     *IPTablesValue `param:"--probability"`
	DNATDestination *IPTablesValue `param:"--to-destination"`

	// We don't actually use the values of these, but we care if they are present
	AffinityCheck *bool          `param:"--rcheck" negatable:"true"`
	MarkCheck     *IPTablesValue `param:"--mark" negatable:"true"`
	CTStateCheck  *IPTablesValue `param:"--ctstate" negatable:"true"`

	// We don't currently care about any of these in the unit tests, but we expect
	// them to be present in some rules that we parse, so we define how to parse them.
	AffinityName    *IPTablesValue `param:"--name"`
	AffinitySeconds *IPTablesValue `param:"--seconds"`
	AffinitySet     *bool          `param:"--set" negatable:"true"`
	AffinityReap    *bool          `param:"--reap"`
	StatisticMode   *IPTablesValue `param:"--mode"`

Rule represents a single parsed IPTables rule. (This currently covers all of the rule types that we actually use in pkg/proxy/iptables or pkg/proxy/ipvs.)

The parsing is mostly-automated based on type reflection. The `param` tag on a field indicates the parameter whose value will be placed into that field. (The code assumes that we don't use both the short and long forms of any parameter names (eg, "-s" vs "--source"), which is currently true, but it could be extended if necessary.) The `negatable` tag indicates if a parameter is allowed to be preceded by "!".

Parameters that take a value are stored as type `*IPTablesValue`, which encapsulates a string value and whether the rule was negated (ie, whether the rule requires that we *match* or *don't match* that value). But string-valued parameters that can't be negated use `IPTablesValue` rather than `string` too, just for API consistency.

Parameters that don't take a value are stored as `*bool`, where the value is `nil` if the parameter was not present, `&true` if the parameter was present, or `&false` if the parameter was present but negated.

Parsing skips over "-m MODULE" parameters because most parameters have unique names anyway even ignoring the module name, and in the cases where they don't (eg "-m tcp --sport" vs "-m udp --sport") the parameters are mutually-exclusive and it's more convenient to store them in the same struct field anyway.

func ParseRule added in v1.25.0

func ParseRule(rule string, strict bool) (*Rule, error)

ParseRule parses rule. If strict is false, it will parse the recognized parameters and ignore unrecognized ones. If it is true, parsing will fail if there are unrecognized parameters.

type Table added in v1.25.0

type Table struct {
	Name   iptables.Table
	Chains []Chain

Table represents an IPTables table

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL