nftablesutils

package module
Published: Oct 21, 2023 License: Apache-2.0 Imports: 19 Imported by: 1

README

NFTables Utils

Linux only.

Documentation

Index

Constants

// Conntrack state names (the nftables `ct state` keywords). They look like the
// accepted entries for GetConntrackStateSetElems(states []string) — confirm
// against its source.
const (
	StateNew         = `new`
	StateEstablished = `established`
	StateRelated     = `related`
)
// Transport protocol lengths and offsets: where the source and destination
// port fields sit inside the transport header, and the width of a port.
const (
	SrcPortOffset = 0 // byte offset of the source port field
	DstPortOffset = 2 // byte offset of the destination port field
	PortLen       = 2 // port field width in bytes (a uint16)
)

Transport protocol lengths and offsets

// IPv4 lengths and offsets: where the source and destination addresses sit
// inside the IPv4 header, and the address width.
const (
	IPv4SrcOffset = 12          // byte offset of the source address field
	IPv4DstOffset = 16          // byte offset of the destination address field
	IPv4AddrLen   = net.IPv4len // 4 bytes
)

IPv4 lengths and offsets

// IPv6 lengths and offsets: where the source and destination addresses sit
// inside the IPv6 header, and the address width.
const (
	IPv6SrcOffset = 8           // byte offset of the source address field
	IPv6DstOffset = 24          // byte offset of the destination address field
	IPv6AddrLen   = net.IPv6len // 16 bytes
)

IPv6 lengths and offsets

// Offset and length of the field ProtoTCP matches. The value 9 agrees with the
// one-byte Protocol field of the IPv4 header; the page does not state which
// header the offset is relative to, so confirm against ProtoTCP.
const (
	ProtoTCPOffset = 9
	ProtoTCPLen    = 1
)
// Offset and length of the field ProtoUDP matches. Same values as the TCP
// constants (9 agrees with the one-byte Protocol field of the IPv4 header);
// confirm the header base against ProtoUDP.
const (
	ProtoUDPOffset = 9
	ProtoUDPLen    = 1
)
// Offset and length of the field matched when selecting ICMP. Same values as
// the TCP/UDP constants (9 agrees with the one-byte Protocol field of the IPv4
// header); confirm the header base against SetProtoICMP.
const (
	ProtoICMPOffset = 9
	ProtoICMPLen    = 1
)
// Offset and length of the field matched when selecting ICMPv6. The value 6
// agrees with the one-byte Next Header field of the IPv6 header (not the
// IPv4 offset 9 used above); confirm against SetProtoICMPv6.
const (
	ProtoICMPv6Offset = 6
	ProtoICMPv6Len    = 1
)
// ConnTrackStateLen is the byte width of a conntrack state value; four bytes
// hold the bit flags (1, 2, 4, 8, 64) listed under CompareCtStateWithRegister.
const (
	ConnTrackStateLen = 4
)

Variables

This section is empty.

Functions

func Accept

func Accept() *expr.Verdict

Returns an accept verdict expression

func Bitwise

func Bitwise(length uint32, mask []byte, xor []byte) *expr.Bitwise

func BitwiseWithRegisters

func BitwiseWithRegisters(sourceRegister uint32, destRegister uint32, length uint32, mask []byte, xor []byte) *expr.Bitwise

func CompareCtState

func CompareCtState(mask uint32) ([]expr.Any, error)

func CompareCtStateWithRegister

func CompareCtStateWithRegister(reg uint32, mask uint32) ([]expr.Any, error)

Makes the comparison specified by `mask` against the CT state already loaded in `reg`. Valid values for mask are:
expr.CtStateBitInvalid = 1
expr.CtStateBitESTABLISHED = 2
expr.CtStateBitRELATED = 4
expr.CtStateBitNEW = 8
expr.CtStateBitUNTRACKED = 64
or combinations of these joined with a bitwise OR, e.g. `expr.CtStateBitNEW | expr.CtStateBitUNTRACKED`.

func CompareDestinationAddress

func CompareDestinationAddress(ip netip.Addr) ([]expr.Any, error)

Returns a list of expressions that will compare the destination address of traffic

func CompareDestinationAddressSet

func CompareDestinationAddressSet(set *nftables.Set) ([]expr.Any, error)

Returns a list of expressions that will compare the destination address of traffic against a set

func CompareDestinationAddressSetWithRegister

func CompareDestinationAddressSetWithRegister(set *nftables.Set, reg uint32) ([]expr.Any, error)

Returns a list of expressions that will compare the destination address of traffic against a set, with a user defined register

func CompareDestinationAddressWithRegister

func CompareDestinationAddressWithRegister(ip netip.Addr, reg uint32) ([]expr.Any, error)

Returns a list of expressions that will compare the destination address of traffic, with a user defined register

func CompareDestinationPort

func CompareDestinationPort(port uint16) ([]expr.Any, error)

Returns a list of expressions that will compare the destination port of traffic

func CompareDestinationPortSet

func CompareDestinationPortSet(set *nftables.Set) []expr.Any

Returns a list of expressions that will compare the destination port of traffic against a set

func CompareDestinationPortSetWithRegister

func CompareDestinationPortSetWithRegister(set *nftables.Set, reg uint32) []expr.Any

Returns a list of expressions that will compare the destination port of traffic against a set, with a user defined register

func CompareDestinationPortWithRegister

func CompareDestinationPortWithRegister(port uint16, reg uint32) ([]expr.Any, error)

Returns a list of expressions that will compare the destination port of traffic, with a user defined register

func CompareProtocolFamily

func CompareProtocolFamily(proto nftables.TableFamily) []expr.Any

Returns a list of expressions that will compare the netfilter protocol family of traffic

func CompareProtocolFamilyWithRegister

func CompareProtocolFamilyWithRegister(proto nftables.TableFamily, reg uint32) []expr.Any

Returns a list of expressions that will compare the protocol family of traffic, with a user defined register

func CompareSourceAddress

func CompareSourceAddress(ip netip.Addr) ([]expr.Any, error)

Returns a list of expressions that will compare the source address of traffic

func CompareSourceAddressSet

func CompareSourceAddressSet(set *nftables.Set) ([]expr.Any, error)

Returns a list of expressions that will compare the source address of traffic against a set

func CompareSourceAddressSetWithRegister

func CompareSourceAddressSetWithRegister(set *nftables.Set, reg uint32) ([]expr.Any, error)

Returns a list of expressions that will compare the source address of traffic against a set, with a user defined register

func CompareSourceAddressWithRegister

func CompareSourceAddressWithRegister(ip netip.Addr, reg uint32) ([]expr.Any, error)

Returns a list of expressions that will compare the source address of traffic, with a user defined register

func CompareSourcePort

func CompareSourcePort(port uint16) ([]expr.Any, error)

Returns a list of expressions that will compare the source port of traffic

func CompareSourcePortSet

func CompareSourcePortSet(set *nftables.Set) ([]expr.Any, error)

Returns a list of expressions that will compare the source port of traffic against a set

func CompareSourcePortSetWithRegister

func CompareSourcePortSetWithRegister(set *nftables.Set, reg uint32) ([]expr.Any, error)

Returns a list of expressions that will compare the source port of traffic against a set, with a user defined register

func CompareSourcePortWithRegister

func CompareSourcePortWithRegister(port uint16, reg uint32) ([]expr.Any, error)

Returns a list of expressions that will compare the source port of traffic, with a user defined register

func CompareTransportProtocol

func CompareTransportProtocol(proto byte) []expr.Any

Returns a list of expressions that will compare the transport protocol of traffic

func CompareTransportProtocolWithRegister

func CompareTransportProtocolWithRegister(proto byte, reg uint32) []expr.Any

Returns a list of expressions that will compare the transport protocol of traffic, with a user defined register

func CreateIface

func CreateIface(
	log Logger,
	iface, linkType string,
	ip net.IP, ipNet *net.IPNet,
) error

Create network link for interface.

func DestinationPort

func DestinationPort(reg uint32) *expr.Payload

Returns a destination port payload expression

func Drop

func Drop() *expr.Verdict

Returns a drop verdict expression

func Equals

func Equals(data []byte, reg uint32) *expr.Cmp

Returns an equal comparison expression

func ExprAccept

func ExprAccept() *expr.Verdict

ExprAccept wrapper

func ExprBitwise

func ExprBitwise(dReg, sReg, l uint32, mask, xor []byte) *expr.Bitwise

ExprBitwise wrapper

func ExprCmp added in v0.1.0

func ExprCmp(op expr.CmpOp, data []byte, reg ...uint32) *expr.Cmp

ExprCmp wrapper

func ExprCmpEq

func ExprCmpEq(reg uint32, data []byte) *expr.Cmp

ExprCmpEq wrapper

func ExprCmpEqIFName

func ExprCmpEqIFName(name string) *expr.Cmp

ExprCmpEqIFName wrapper

func ExprCmpNeq

func ExprCmpNeq(reg uint32, data []byte) *expr.Cmp

ExprCmpNeq wrapper

func ExprCmpNeqIFName

func ExprCmpNeqIFName(name string) *expr.Cmp

ExprCmpNeqIFName wrapper

func ExprCmpPort added in v0.1.0

func ExprCmpPort(op expr.CmpOp, port uint16, reg ...uint32) *expr.Cmp

ExprCmpPort returns a new port expression with the given matching operator.

func ExprConnLimit

func ExprConnLimit(count uint32, flags uint32) *expr.Connlimit

ExprConnLimit wrapper. The flags argument encodes the "over" semantics: pass 1 for over==true and 0 for over==false.

func ExprCounter

func ExprCounter() *expr.Counter

Returns a counter expression

func ExprCtState

func ExprCtState(reg uint32) *expr.Ct

ExprCtState wrapper

func ExprDNAT

func ExprDNAT(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT

ExprDNAT wrapper

func ExprDNATv6

func ExprDNATv6(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT

ExprDNATv6 wrapper

func ExprDrop

func ExprDrop() *expr.Verdict

ExprDrop wrapper

func ExprDynamicLimitSet added in v0.0.7

func ExprDynamicLimitSet(set *nftables.Set, rateStr string, burst uint32, otherExprs ...expr.Any) (
	*expr.Dynset, error)

func ExprIIFName

func ExprIIFName() *expr.Meta

ExprIIFName wrapper

func ExprImmediate

func ExprImmediate(reg uint32, ip net.IP) *expr.Immediate

ExprImmediate wrapper

func ExprImmediateWithPort added in v0.0.3

func ExprImmediateWithPort(reg uint32, port uint16) *expr.Immediate

ExprImmediateWithPort wrapper

func ExprLimit

func ExprLimit(t expr.LimitType, rate uint64, over bool, unit expr.LimitTime, burst uint32) *expr.Limit

ExprLimit wrapper

func ExprLookupSet

func ExprLookupSet(reg uint32, name string, id uint32, isEq ...bool) *expr.Lookup

ExprLookupSet wrapper

func ExprLookupSetFromSet

func ExprLookupSetFromSet(set *nftables.Set, reg uint32, isEq ...bool) *expr.Lookup

ExprLookupSetFromSet wrapper

func ExprMasquerade

func ExprMasquerade(protoMin, protoMax uint32) *expr.Masq

ExprMasquerade wrapper

func ExprMeta

func ExprMeta(meta expr.MetaKey, reg uint32) *expr.Meta

Returns a meta expression

func ExprOIFName

func ExprOIFName() *expr.Meta

ExprOIFName wrapper

func ExprPayloadNetHeader

func ExprPayloadNetHeader(reg, offset, l uint32) *expr.Payload

ExprPayloadNetHeader wrapper

func ExprPayloadTransportHeader

func ExprPayloadTransportHeader(reg, offset, l uint32) *expr.Payload

ExprPayloadTransportHeader wrapper

func ExprRedirect

func ExprRedirect(protoMin, protoMax uint32) *expr.Redir

ExprRedirect wrapper

func ExprReject

func ExprReject(t uint32, c uint8) *expr.Reject

ExprReject wrapper

func ExprSNAT

func ExprSNAT(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT

ExprSNAT wrapper

func ExprSNATv6

func ExprSNATv6(regAddrMin, regAddrMax uint32, regPortMinAndMax ...uint32) *expr.NAT

ExprSNATv6 wrapper

func ExprTproxy

func ExprTproxy() *expr.TProxy

func ExprTproxy6

func ExprTproxy6() *expr.TProxy

func GetCmpOp added in v0.1.0

func GetCmpOp(isEq ...bool) expr.CmpOp

func GetConntrackStateSet

func GetConntrackStateSet(t *nftables.Table) *nftables.Set

GetConntrackStateSet helper.

func GetConntrackStateSetElems

func GetConntrackStateSetElems(states []string) []nftables.SetElement

GetConntrackStateSetElems helper.

func GetIPv4AddrSet

func GetIPv4AddrSet(t *nftables.Table, isInterval ...bool) *nftables.Set

GetIPv4AddrSet helper.

func GetIPv6AddrSet

func GetIPv6AddrSet(t *nftables.Table, isInterval ...bool) *nftables.Set

GetIPv6AddrSet helper.

func GetNetInterface

func GetNetInterface(interfaceName string) (ipv4NetInterfaces []NetInterface, ipv6NetInterfaces []NetInterface, err error)

GetNetInterface returns the addresses of the named network interface (IPv4 and IPv6 addresses are returned separately).

func GetPayloadDirectives

func GetPayloadDirectives(direction ExprDirection, isIPv4 bool, isIPv6 bool) (uint32, uint32, []byte)

GetPayloadDirectives returns the payload expression directives for the given direction and IP version.

func GetPortElems

func GetPortElems(ports []uint16) []nftables.SetElement

GetPortElems helper.

func GetPortSet

func GetPortSet(t *nftables.Table) *nftables.Set

GetPortSet helper.

func IPAddr

func IPAddr() (string, net.IP, net.IP, error)

IPAddr returns default gw iface name, gw ip address and wan ip address.

func IPv4DestinationAddress

func IPv4DestinationAddress(reg uint32) *expr.Payload

Returns an IPv4 destination address payload expression

func IPv4SourceAddress

func IPv4SourceAddress(reg uint32) *expr.Payload

Returns an IPv4 source address payload expression

func IPv6Addr

func IPv6Addr() (string, net.IP, net.IP, error)

func IPv6DestinationAddress

func IPv6DestinationAddress(reg uint32) *expr.Payload

Returns an IPv6 destination address payload expression

func IPv6SourceAddress

func IPv6SourceAddress(reg uint32) *expr.Payload

Returns an IPv6 source address payload expression

func IsInvert added in v0.1.0

func IsInvert(isEq ...bool) bool

func LoadCtByKey

func LoadCtByKey(ctKey expr.CtKey) (*expr.Ct, error)

func LoadCtByKeyWithRegister

func LoadCtByKeyWithRegister(ctKey expr.CtKey, reg uint32) (*expr.Ct, error)

func Match

func Match(name string, revision uint32, info xt.InfoAny) *expr.Match

Returns a xtables match expression

func MatchBPF

func MatchBPF(info []byte) *expr.Match

Returns a xtables match bpf expression

func MatchBPFWithVerdict

func MatchBPFWithVerdict(info []byte, verdict *expr.Verdict) []expr.Any

Returns a xtables match bpf expression with a verdict

func MatchUnknown

func MatchUnknown(name string, revision uint32, info []byte) *expr.Match

Returns a xtables match expression of unknown type

func NotEquals

func NotEquals(data []byte, reg uint32) *expr.Cmp

Returns a not-equal comparison expression

func ParseConnLimit added in v0.1.1

func ParseConnLimit(limitStr string) (*expr.Connlimit, error)

func ParseLimits added in v0.0.3

func ParseLimits(rateStr string, burst uint32) (*expr.Limit, error)

ParseLimits parses a rate string and burst into an expr.Limit. Example rate strings: rateStr := `1+/p/s` or rateStr := `1+/bytes/second`.

func ProtoTCP

func ProtoTCP(reg uint32) *expr.Payload

func ProtoUDP

func ProtoUDP(reg uint32) *expr.Payload

func Reject

func Reject() *expr.Reject

Returns a reject expression

func RemoveIface

func RemoveIface(log Logger, iface string) error

Remove network link for interface.

func SetCIDRMatcher

func SetCIDRMatcher(direction ExprDirection, cidr string, isINet bool, isEq ...bool) ([]expr.Any, error)

SetCIDRMatcher generates nftables expressions that match a CIDR, e.g. SetCIDRMatcher(ExprDirectionSource, `127.0.0.0/24`).

func SetCIDRMatcherIngoreError added in v0.3.2

func SetCIDRMatcherIngoreError(direction ExprDirection, cidr string, isINet bool, isEq ...bool) []expr.Any

SetCIDRMatcherIngoreError generates nftables expressions that match a CIDR, e.g. SetCIDRMatcherIngoreError(ExprDirectionSource, `127.0.0.0/24`). Unlike SetCIDRMatcher it returns no error, so a malformed cidr cannot be detected by the caller; prefer SetCIDRMatcher when cidr comes from untrusted input.

func SetConnLimits added in v0.0.3

func SetConnLimits(connLimitStr string, rateStr string, burst uint32) (
	[]expr.Any, error)

func SetDNAT added in v0.0.3

func SetDNAT(ip net.IP, portMinAndMax ...uint16) []expr.Any

func SetDNATRange added in v0.0.3

func SetDNATRange(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any

func SetDNATv6 added in v0.0.3

func SetDNATv6(ip net.IP, portMinAndMax ...uint16) []expr.Any

func SetDNATv6Range added in v0.0.3

func SetDNATv6Range(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any

func SetDPortRange

func SetDPortRange(min uint16, max uint16) []expr.Any

SetDPortRange returns a new port range expression.

func SetDynamicLimitDropSet added in v0.0.3

func SetDynamicLimitDropSet(set *nftables.Set, rateStr string, burst uint32, otherExprs ...expr.Any) (
	[]expr.Any, error)

func SetDynamicLimitSet added in v0.0.8

func SetDynamicLimitSet(set *nftables.Set, rateStr string, burst uint32, otherExprs ...expr.Any) ([]expr.Any, error)

func SetNATWithIPAndPort added in v0.0.3

func SetNATWithIPAndPort(
	dir ExprDirection, isIPv6 bool,
	ipStart net.IP, ipEnd net.IP,
	portMinAndMax ...uint16) []expr.Any

func SetRedirect added in v0.0.3

func SetRedirect(portMin uint16, portMax ...uint16) []expr.Any

func SetSNAT added in v0.0.3

func SetSNAT(ip net.IP, portMinAndMax ...uint16) []expr.Any

func SetSNATRange added in v0.0.3

func SetSNATRange(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any

func SetSNATv6 added in v0.0.3

func SetSNATv6(ip net.IP, portMinAndMax ...uint16) []expr.Any

func SetSNATv6Range added in v0.0.3

func SetSNATv6Range(ipStart net.IP, ipEnd net.IP, portMinAndMax ...uint16) []expr.Any

func SetSPortRange

func SetSPortRange(min uint16, max uint16) []expr.Any

SetSPortRange returns a new port range expression.

func SourcePort

func SourcePort(reg uint32) *expr.Payload

Returns a source port payload expression

func TypeConntrackStateDatatype

func TypeConntrackStateDatatype() nftables.SetDatatype

TypeConntrackStateDatatype returns the ConntrackStateDatatype object.

func TypeConntrackStateEstablished

func TypeConntrackStateEstablished() []byte

TypeConntrackStateEstablished bytes.

func TypeConntrackStateNew

func TypeConntrackStateNew() []byte

TypeConntrackStateNew bytes.

func TypeConntrackStateRelated

func TypeConntrackStateRelated() []byte

TypeConntrackStateRelated bytes.

func TypeICMPTypeEchoRequest

func TypeICMPTypeEchoRequest() []byte

TypeICMPTypeEchoRequest bytes.

func TypeICMPv6TypeEchoRequest

func TypeICMPv6TypeEchoRequest() []byte

TypeICMPv6TypeEchoRequest bytes.

func TypeProtoICMP

func TypeProtoICMP() []byte

TypeProtoICMP bytes.

func TypeProtoICMPV6

func TypeProtoICMPV6() []byte

TypeProtoICMPV6 bytes.

func TypeProtoTCP

func TypeProtoTCP() []byte

TypeProtoTCP bytes.

func TypeProtoUDP

func TypeProtoUDP() []byte

TypeProtoUDP bytes.

func ValidateAddress

func ValidateAddress(ip netip.Addr) error

Validates an IP address

func ValidateAddressRange

func ValidateAddressRange(start netip.Addr, end netip.Addr) error

Validates an IP address range

func ValidatePort

func ValidatePort(port uint16) error

Validates a port number

func ValidatePortRange

func ValidatePortRange(start uint16, end uint16) error

Validates start and end port numbers

func ValidatePrefix

func ValidatePrefix(prefix netip.Prefix) error

Validates a Prefix/CIDR

Types

type ExprDirection

// ExprDirection selects whether a matcher inspects the source or the
// destination side of the packet (see SetCIDRMatcher, SetNATWithIPAndPort).
type ExprDirection string

// Valid ExprDirection values.
const (
	ExprDirectionSource      ExprDirection = `source`
	ExprDirectionDestination ExprDirection = `destination`
)

type Exprs

// Exprs is a list of nftables expressions. The Set* helpers below return one,
// JoinExprs concatenates several plain []expr.Any into one, and Add appends.
type Exprs []expr.Any

func JoinExprs

func JoinExprs(exprs ...[]expr.Any) Exprs

func SetConntrackStateEstablished

func SetConntrackStateEstablished() Exprs

SetConntrackStateEstablished helper.

func SetConntrackStateNew

func SetConntrackStateNew() Exprs

SetConntrackStateNew helper.

func SetConntrackStateRelated

func SetConntrackStateRelated() Exprs

SetConntrackStateRelated helper.

func SetConntrackStateSet

func SetConntrackStateSet(s *nftables.Set) Exprs

SetConntrackStateSet helper.

func SetDAddrIPv6Set

func SetDAddrIPv6Set(s *nftables.Set, isEq ...bool) Exprs

SetDAddrIPv6Set helper.

func SetDAddrSet

func SetDAddrSet(s *nftables.Set, isEq ...bool) Exprs

SetDAddrSet helper.

func SetDPort

func SetDPort(p uint16, isEq ...bool) Exprs

SetDPort helper.

func SetDPortSet

func SetDPortSet(s *nftables.Set, isEq ...bool) Exprs

SetDPortSet helper.

func SetICMPTypeEchoRequest

func SetICMPTypeEchoRequest() Exprs

SetICMPTypeEchoRequest helper.

func SetICMPv6TypeEchoRequest

func SetICMPv6TypeEchoRequest() Exprs

SetICMPv6TypeEchoRequest helper.

func SetIIF

func SetIIF(iface string) Exprs

SetIIF matches packets whose input interface equals iface.

func SetINetProtoICMP

func SetINetProtoICMP(isEq ...bool) Exprs

SetINetProtoICMP helper.

func SetINetProtoICMPv6

func SetINetProtoICMPv6(isEq ...bool) Exprs

func SetNIIF

func SetNIIF(iface string) Exprs

SetNIIF matches packets whose input interface does not equal iface.

func SetNOIF

func SetNOIF(iface string) Exprs

SetNOIF matches packets whose output interface does not equal iface.

func SetOIF

func SetOIF(iface string) Exprs

SetOIF matches packets whose output interface equals iface.

func SetProtoICMP

func SetProtoICMP(isEq ...bool) Exprs

SetProtoICMP helper.

func SetProtoICMPv6

func SetProtoICMPv6(isEq ...bool) Exprs

func SetProtoTCP

func SetProtoTCP(isEq ...bool) Exprs

SetProtoTCP helper.

func SetProtoUDP

func SetProtoUDP(isEq ...bool) Exprs

SetProtoUDP helper.

func SetSAddrIPv6Set

func SetSAddrIPv6Set(s *nftables.Set, isEq ...bool) Exprs

SetSAddrIPv6Set helper.

func SetSAddrSet

func SetSAddrSet(s *nftables.Set, isEq ...bool) Exprs

SetSAddrSet helper.

func SetSPort

func SetSPort(p uint16, isEq ...bool) Exprs

SetSPort helper.

func SetSPortSet

func SetSPortSet(s *nftables.Set, isEq ...bool) Exprs

SetSPortSet helper.

func SetSourceIPv4Net

func SetSourceIPv4Net(addr []byte, mask []byte, isEq ...bool) Exprs

SetSourceIPv4Net helper.

func (Exprs) Add

func (e Exprs) Add(v ...expr.Any) Exprs

type Logger

// Logger is the minimal logging interface CreateIface and RemoveIface accept
// for their debug output.
type Logger interface {
	Debugf(format string, a ...interface{})
}

type NetInterface

// NetInterface describes a network interface on the local machine, as
// returned by GetNetInterface.
type NetInterface struct {
	Name    string   // interface name
	Address []string // interface addresses in string form
}

NetInterface describes a network interface on the local machine.

type Operator

// Operator names a comparison operator; CmpOp converts it to an expr.CmpOp
// and Expr builds an *expr.Cmp from it.
type Operator string

func (Operator) CmpOp

func (o Operator) CmpOp() expr.CmpOp

func (Operator) Expr

func (o Operator) Expr() *expr.Cmp

Directories

Path Synopsis
Package rule: a library for managing nftables rules
Package set: a library for managing IP and port nftables sets
