Documentation
Index
- Constants
- func CheckIPRuleSupportsV6(logf logger.Logf) error
- func DebugIptables(logf logger.Logf) error
- func DebugNetfilter(logf logger.Logf) error
- func IPTablesCleanup(logf logger.Logf)
- func NewFakeIPTablesRunner() *iptablesRunner
- func NfTablesCleanUp(logf logger.Logf)
- type FWModeNotSupportedError
- type FirewallMode
- type MatchDecision
- type NetfilterRunner
Constants

```go
const (
	// The mask for reading/writing the 'firewall mask' bits on a packet.
	// See the comment on the const block on why we only use the third byte.
	//
	// We claim bits 16:23 entirely. For now we only use the lower four
	// bits, leaving the higher 4 bits for future use.
	TailscaleFwmarkMask    = "0xff0000"
	TailscaleFwmarkMaskNum = 0xff0000

	// Packet is from Tailscale and to a subnet route destination, so
	// is allowed to be routed through this machine.
	TailscaleSubnetRouteMark    = "0x40000"
	TailscaleSubnetRouteMarkNum = 0x40000

	// Packet was originated by tailscaled itself, and must not be
	// routed over the Tailscale network.
	TailscaleBypassMark    = "0x80000"
	TailscaleBypassMarkNum = 0x80000
)
```
The following bits are added to packet marks for Tailscale use.
We tried to pick bits sufficiently out of the way that it's unlikely to collide with existing uses. We have 4 bytes of mark bits to play with. We leave the lower byte alone on the assumption that sysadmins would use those. Kubernetes uses a few bits in the second byte, so we steer clear of that too.
Empirically, most of the documentation on packet marks on the internet gives the impression that the marks are 16 bits wide. Based on this, we theorize that the upper two bytes are relatively unused in the wild, and so we consume bits 16:23 (the third byte).
The constants are in the iptables/iproute2 string format for matching and setting the bits, so they can be directly embedded in commands.
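The following is an added example, not code from the linuxfw package: it models the iptables "--set-mark value/mask" and "-m mark --mark value/mask" semantics that these constants rely on, showing how the third byte is written and matched without disturbing marks other tools place in the lower bytes. The numeric constants are copied from the page; SetMark, MatchMark and MarkSpec are hypothetical helpers.

```go
package main

import "fmt"

// Numeric fwmark constants copied from the linuxfw package documentation.
const (
	TailscaleFwmarkMaskNum      = 0xff0000
	TailscaleSubnetRouteMarkNum = 0x40000
	TailscaleBypassMarkNum      = 0x80000
)

// SetMark models "-j MARK --set-mark value/mask": the bits covered by mask
// are cleared and value is ORed in; every bit outside the mask is untouched.
func SetMark(mark, value, mask uint32) uint32 {
	return (mark &^ mask) | (value & mask)
}

// MatchMark models "-m mark --mark value/mask": only the masked bits are
// compared, so marks placed in other bytes by other tools do not interfere.
func MatchMark(mark, value, mask uint32) bool {
	return mark&mask == value&mask
}

// MarkSpec renders value/mask in the string form embedded in iptables commands.
func MarkSpec(value, mask uint32) string {
	return fmt.Sprintf("%#x/%#x", value, mask)
}

func main() {
	// Constructed packet mark: a Kubernetes-style bit in the second byte
	// (0x4000) plus a sysadmin bit in the low byte (0x1). Neither is touched
	// when Tailscale writes its own byte.
	mark := SetMark(0x4001, TailscaleSubnetRouteMarkNum, TailscaleFwmarkMaskNum)
	fmt.Printf("mark=%#x subnet-route=%v bypass=%v\n", mark,
		MatchMark(mark, TailscaleSubnetRouteMarkNum, TailscaleFwmarkMaskNum),
		MatchMark(mark, TailscaleBypassMarkNum, TailscaleFwmarkMaskNum))

	// Because the whole third byte is masked, setting the subnet-route mark
	// on a packet that carried the bypass mark replaces it rather than
	// combining the two.
	fmt.Printf("%#x\n", SetMark(TailscaleBypassMarkNum, TailscaleSubnetRouteMarkNum, TailscaleFwmarkMaskNum))

	// The string form matches the TailscaleSubnetRouteMark/TailscaleFwmarkMask pair.
	fmt.Println(MarkSpec(TailscaleSubnetRouteMarkNum, TailscaleFwmarkMaskNum))
}
```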
Variables
This section is empty.
Functions
func CheckIPRuleSupportsV6
func CheckIPRuleSupportsV6(logf logger.Logf) error
func DebugIptables
func DebugIptables(logf logger.Logf) error
DebugIptables prints debug information about iptables rules to the provided log function.
func DebugNetfilter
func DebugNetfilter(logf logger.Logf) error
DebugNetfilter prints debug information about netfilter rules to the provided log function.
func IPTablesCleanup
func IPTablesCleanup(logf logger.Logf)
IPTablesCleanup removes all Tailscale added iptables rules. Any errors that occur are logged to the provided logf.
func NewFakeIPTablesRunner
func NewFakeIPTablesRunner() *iptablesRunner
func NfTablesCleanUp
func NfTablesCleanUp(logf logger.Logf)
NfTablesCleanUp removes all Tailscale added nftables rules. Any errors that occur are logged to the provided logf.
Types
type FWModeNotSupportedError

```go
type FWModeNotSupportedError struct {
	Mode FirewallMode
	Err  error
}
```

func (FWModeNotSupportedError) Error
func (e FWModeNotSupportedError) Error() string
func (FWModeNotSupportedError) Is
func (e FWModeNotSupportedError) Is(target error) bool
func (FWModeNotSupportedError) Unwrap
func (e FWModeNotSupportedError) Unwrap() error
type FirewallMode
type FirewallMode string

```go
const (
	FirewallModeIPTables FirewallMode = "iptables"
	FirewallModeNfTables FirewallMode = "nftables"
)
```

type MatchDecision
type MatchDecision int
MatchDecision is the decision made by the firewall for a packet matched by a rule. It is used to decide whether to accept or masquerade a packet in addMatchSubnetRouteMarkRule.

```go
const (
	Accept MatchDecision = iota
	Masq
)
```

type NetfilterRunner

```go
type NetfilterRunner interface {
	// AddLoopbackRule adds a rule to permit loopback traffic to addr. This rule
	// is added only if it does not already exist.
	AddLoopbackRule(addr netip.Addr) error

	// DelLoopbackRule removes the rule added by AddLoopbackRule.
	DelLoopbackRule(addr netip.Addr) error

	// AddHooks adds rules to conventional chains like "FORWARD", "INPUT" and
	// "POSTROUTING" to jump from those chains to tailscale chains.
	AddHooks() error

	// DelHooks deletes rules added by AddHooks.
	DelHooks(logf logger.Logf) error

	// AddChains creates custom Tailscale chains.
	AddChains() error

	// DelChains removes chains added by AddChains.
	DelChains() error

	// AddBase adds rules reused by different other rules.
	AddBase(tunname string) error

	// DelBase removes rules added by AddBase.
	DelBase() error

	// AddSNATRule adds the netfilter rule to SNAT incoming traffic over
	// the Tailscale interface destined for local subnets. An error is
	// returned if the rule already exists.
	AddSNATRule() error

	// DelSNATRule removes the rule added by AddSNATRule.
	DelSNATRule() error

	// HasIPV6 reports true if the system supports IPv6.
	HasIPV6() bool

	// HasIPV6NAT reports true if the system supports IPv6 NAT.
	HasIPV6NAT() bool

	// AddDNATRule adds a rule to the nat/PREROUTING chain to DNAT traffic
	// destined for the given original destination to the given new destination.
	// This is used to forward all traffic destined for the Tailscale interface
	// to the provided destination, as used in the Kubernetes ingress proxies.
	AddDNATRule(origDst, dst netip.Addr) error

	// AddSNATRuleForDst adds a rule to the nat/POSTROUTING chain to SNAT
	// traffic destined for dst to src.
	// This is used to forward traffic destined for the local machine over
	// the Tailscale interface, as used in the Kubernetes egress proxies.
	AddSNATRuleForDst(src, dst netip.Addr) error

	// DNATNonTailscaleTraffic adds a rule to the nat/PREROUTING chain to DNAT
	// all traffic inbound from any interface except exemptInterface to dst.
	// This is used to forward traffic destined for the local machine over
	// the Tailscale interface, as used in the Kubernetes egress proxies.
	DNATNonTailscaleTraffic(exemptInterface string, dst netip.Addr) error

	// ClampMSSToPMTU adds a rule to the mangle/FORWARD chain to clamp MSS for
	// traffic destined for the provided tun interface.
	ClampMSSToPMTU(tun string, addr netip.Addr) error

	// AddMagicsockPortRule adds a rule to the ts-input chain to accept
	// incoming traffic on the specified port, to allow magicsock to
	// communicate.
	AddMagicsockPortRule(port uint16, network string) error

	// DelMagicsockPortRule removes the rule created by AddMagicsockPortRule,
	// if it exists.
	DelMagicsockPortRule(port uint16, network string) error
}
```
NetfilterRunner abstracts helpers to run netfilter commands. It is implemented by linuxfw.IPTablesRunner and linuxfw.NfTablesRunner.
func New
func New(logf logger.Logf, prefHint string) (NetfilterRunner, error)
New creates a NetfilterRunner, auto-detecting whether to use nftables or iptables. As nftables is still experimental, iptables will be used unless either the TS_DEBUG_FIREWALL_MODE environment variable, or the prefHint parameter, is set to one of "nftables" or "auto".
Source Files
Directories

Path | Synopsis
---|---
linuxfwtest | Package linuxfwtest contains tests for the linuxfw package.