
package iptables



Package Files

conntrack.go firewalld.go iptables.go


const (
    // Append appends the rule at the end of the chain.
    Append Action = "-A"
    // Delete deletes the rule from the chain.
    Delete Action = "-D"
    // Insert inserts the rule at the top of the chain.
    Insert Action = "-I"
    // Nat table is used for nat translation rules.
    Nat Table = "nat"
    // Filter table is used for filter rules.
    Filter Table = "filter"
    // Mangle table is used for mangling the packet.
    Mangle Table = "mangle"
    // Drop is the iptables DROP policy, usable as a chain default policy via SetDefaultPolicy.
    Drop Policy = "DROP"
    // Accept is the iptables ACCEPT policy, usable as a chain default policy via SetDefaultPolicy.
    Accept Policy = "ACCEPT"
    // IPv4 is version 4.
    IPv4 IPVersion = "IPV4"
    // IPv6 is version 6.
    IPv6 IPVersion = "IPV6"


var (
    // ErrConntrackNotConfigurable means that conntrack module is not loaded or does not have the netlink module loaded
    ErrConntrackNotConfigurable = errors.New("conntrack is not available")
var (

    // ErrIptablesNotFound is returned when the rule is not found.
    ErrIptablesNotFound = errors.New("Iptables not found")

func AddInterfaceFirewalld

func AddInterfaceFirewalld(intf string) error

AddInterfaceFirewalld adds the interface to the trusted zone

func DelInterfaceFirewalld

func DelInterfaceFirewalld(intf string) error

DelInterfaceFirewalld removes the interface from the trusted zone

func DeleteConntrackEntries

func DeleteConntrackEntries(nlh *netlink.Handle, ipv4List []net.IP, ipv6List []net.IP) (uint, uint, error)

DeleteConntrackEntries deletes all the conntrack connections on the host for the specified IPs. It returns the number of flows deleted for IPv4 and for IPv6, or an error.

func FirewalldInit

func FirewalldInit() error

FirewalldInit initializes firewalld management code.

func GetVersion

func GetVersion() (major, minor, micro int, err error)

GetVersion reads the iptables version numbers during initialization.

func IsConntrackProgrammable

func IsConntrackProgrammable(nlh *netlink.Handle) bool

IsConntrackProgrammable returns true if the handle supports NETLINK_NETFILTER and the base modules are loaded.

func OnReloaded

func OnReloaded(callback func())

OnReloaded adds a callback.

func Passthrough

func Passthrough(ipv IPV, args ...string) ([]byte, error)

Passthrough simply passes args through to iptables/ip6tables. The arguments are not validated here, so callers must not build them from untrusted input.

type Action

type Action string

Action signifies the iptable action.

type ChainError

type ChainError struct {
    Chain  string
    Output []byte

ChainError is returned to represent errors during ip table operation.

func (ChainError) Error

func (e ChainError) Error() string

type ChainInfo

type ChainInfo struct {
    Name        string
    Table       Table
    HairpinMode bool
    IPTable     IPTable

ChainInfo defines the iptables chain.

func (*ChainInfo) Forward

func (c *ChainInfo) Forward(action Action, ip net.IP, port int, proto, destAddr string, destPort int, bridgeName string) error

Forward adds forwarding rule to 'filter' table and corresponding nat rule to 'nat' table.

func (c *ChainInfo) Link(action Action, ip1, ip2 net.IP, port int, proto string, bridgeName string) error

Link adds a reciprocal ACCEPT rule for two supplied IP addresses. Traffic is allowed from ip1 to ip2 and vice versa.

func (*ChainInfo) Output

func (c *ChainInfo) Output(action Action, args ...string) error

Output adds linking rule to an OUTPUT chain.

func (*ChainInfo) Prerouting

func (c *ChainInfo) Prerouting(action Action, args ...string) error

Prerouting adds linking rule to nat/PREROUTING chain.

func (*ChainInfo) Remove

func (c *ChainInfo) Remove() error

Remove removes the chain.

type Conn

type Conn struct {
    // contains filtered or unexported fields

Conn is a connection to firewalld dbus endpoint.

type IPTable

type IPTable struct {
    Version IPVersion

IPTable defines a struct with an IPVersion.

func GetIptable

func GetIptable(version IPVersion) *IPTable

GetIptable returns an instance of IPTable with the specified version.

func (IPTable) AddReturnRule

func (iptable IPTable) AddReturnRule(chain string) error

AddReturnRule adds a return rule for the chain in the filter table.

func (IPTable) EnsureJumpRule

func (iptable IPTable) EnsureJumpRule(fromChain, toChain string) error

EnsureJumpRule ensures the jump rule is at the top of the chain.

func (IPTable) ExistChain

func (iptable IPTable) ExistChain(chain string, table Table) bool

ExistChain checks if a chain exists.

func (IPTable) Exists

func (iptable IPTable) Exists(table Table, chain string, rule ...string) bool

Exists checks if a rule exists.

func (IPTable) ExistsNative

func (iptable IPTable) ExistsNative(table Table, chain string, rule ...string) bool

ExistsNative behaves like Exists, with the difference that it always invokes the `iptables` binary.

func (IPTable) LoopbackByVersion

func (iptable IPTable) LoopbackByVersion() string

LoopbackByVersion returns the loopback address by version.

func (IPTable) NewChain

func (iptable IPTable) NewChain(name string, table Table, hairpinMode bool) (*ChainInfo, error)

NewChain adds a new chain to ip table.

func (IPTable) ProgramChain

func (iptable IPTable) ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) error

ProgramChain is used to add rules to a chain.

func (IPTable) ProgramRule

func (iptable IPTable) ProgramRule(table Table, chain string, action Action, args []string) error

ProgramRule adds the rule specified by args only if the rule is not already present in the chain. Reciprocally, it removes the rule only if present.

func (IPTable) Raw

func (iptable IPTable) Raw(args ...string) ([]byte, error)

Raw calls the 'iptables' system command, passing the supplied arguments. The arguments are handed to the binary as given, so callers should not build them from unvalidated input.

func (IPTable) RawCombinedOutput

func (iptable IPTable) RawCombinedOutput(args ...string) error

RawCombinedOutput internally calls the Raw function and returns a non-nil error if Raw returned a non-nil error or non-empty output.

func (IPTable) RawCombinedOutputNative

func (iptable IPTable) RawCombinedOutputNative(args ...string) error

RawCombinedOutputNative behaves like RawCombinedOutput, with the difference that it always invokes the `iptables` binary.

func (IPTable) RemoveExistingChain

func (iptable IPTable) RemoveExistingChain(name string, table Table) error

RemoveExistingChain removes existing chain from the table.

func (IPTable) SetDefaultPolicy

func (iptable IPTable) SetDefaultPolicy(table Table, chain string, policy Policy) error

SetDefaultPolicy sets the passed default policy for the table/chain.

type IPV

type IPV string

IPV defines the table string.

const (
    // Iptables points to the ipv4 table.
    Iptables IPV = "ipv4"
    // IP6Tables points to the ipv6 table.
    IP6Tables IPV = "ipv6"
    // Ebtables points to the bridge table.
    Ebtables IPV = "eb"

type IPVersion

type IPVersion string

IPVersion refers to the IP version, v4 or v6.

type Policy

type Policy string

Policy represents the default iptables policies.

type Table

type Table string

Table refers to Nat, Filter or Mangle.

type ZoneSettings

type ZoneSettings struct {
    // contains filtered or unexported fields

ZoneSettings holds the firewalld zone settings, documented in
