Index ¶
- Variables
- type Action
- type Address
- func (a Address) Any() bool
- func (a Address) Dynamic() bool
- func (a Address) DynamicCount() int
- func (a Address) DynamicFlag(flag DynamicFlag) bool
- func (a Address) IPNet() *net.IPNet
- func (a Address) IPRange() (net.IP, net.IP)
- func (a Address) Interface() string
- func (a Address) Mask() bool
- func (a Address) NoRoute() bool
- func (a *Address) ParseCIDR(address string) error
- func (a Address) Range() bool
- func (a *Address) SetAny()
- func (a *Address) SetDynamicFlag(flag DynamicFlag)
- func (a *Address) SetIPNet(ipn *net.IPNet)
- func (a *Address) SetIPRange(start, end net.IP)
- func (a *Address) SetInterface(itf string) error
- func (a *Address) SetNoRoute()
- func (a *Address) SetTableName(name string) error
- func (a *Address) SetURPFFailed()
- func (a Address) String() string
- func (a Address) Table() bool
- func (a Address) TableCount() int
- func (a Address) TableName() string
- func (a Address) URPFFailed() bool
- type AddressFamily
- type Direction
- type DynamicFlag
- type FlagHeader
- type Flags
- type Protocol
- type Rule
- func (r Rule) Action() Action
- func (r Rule) AddressFamily() AddressFamily
- func (r Rule) Direction() Direction
- func (r Rule) Flags() Flags
- func (r Rule) Log() bool
- func (r Rule) LogAll() bool
- func (r Rule) LogIf() uint8
- func (r *Rule) ParseDestination(dst, port string, neg bool) error
- func (r *Rule) ParseSource(src, port string, neg bool) error
- func (r Rule) Protocol() Protocol
- func (r Rule) Quick() bool
- func (r Rule) Return() bool
- func (r *Rule) SetAction(a Action)
- func (r *Rule) SetAddressFamily(af AddressFamily)
- func (r *Rule) SetDirection(dir Direction)
- func (r *Rule) SetFlags(f Flags)
- func (r *Rule) SetLog(enabled bool)
- func (r *Rule) SetLogAll(enabled bool)
- func (r *Rule) SetLogIf(i uint8)
- func (r *Rule) SetProtocol(p Protocol)
- func (r *Rule) SetQuick(enabled bool)
- func (r *Rule) SetReturn(t bool)
- func (r *Rule) SetState(s State)
- func (r Rule) State() State
- func (r Rule) Stats(stats *RuleStats)
- func (r Rule) String() string
- type RuleStats
- type State
Variables ¶
// AllDynamicFlags contains all dynamic flags in the usual order
// (network, broadcast, peer, no-alias); useful for iterating over
// the flags set on an Address via DynamicFlag.
var AllDynamicFlags = []DynamicFlag{
	DynamicFlagNetwork,
	DynamicFlagBroadcast,
	DynamicFlagPeer,
	DynamicFlagNoAlias,
}
// Protocols is the default set of protocols, keyed by Protocol value
// and mapping to the pf.conf keyword for that protocol. Protocols not
// listed here have no entry (lookup yields the empty string).
var Protocols = map[int]string{
	int(ProtocolAny):  "any",
	int(ProtocolICMP): "icmp",
	int(ProtocolTCP):  "tcp",
	int(ProtocolUDP):  "udp",
}
Types ¶
type Action ¶
// Action is the action pf performs when a rule matches. The values are
// the kernel's PF_* action constants (cgo).
type Action uint8

const (
	// ActionPass filter rule action to pass the traffic
	ActionPass Action = C.PF_PASS
	// ActionDrop filter rule action to drop the traffic
	ActionDrop Action = C.PF_DROP
	// ActionScrub scrub rule action to do scrubbing
	ActionScrub Action = C.PF_SCRUB
	// ActionNoScrub scrub rule action to not do scrubbing
	ActionNoScrub Action = C.PF_NOSCRUB
	// ActionNAT NAT rule action to do NAT
	ActionNAT Action = C.PF_NAT
	// ActionNoNAT NAT rule action to not do NAT
	ActionNoNAT Action = C.PF_NONAT
	// ActionBINAT NAT rule action to do BINAT
	ActionBINAT Action = C.PF_BINAT
	// ActionNoBINAT NAT rule action to not do BINAT
	ActionNoBINAT Action = C.PF_NOBINAT
	// ActionRDR RDR rule action to do RDR
	ActionRDR Action = C.PF_RDR
	// ActionNoRDR RDR rule action to not do RDR
	ActionNoRDR Action = C.PF_NORDR
	// ActionSynProxyDrop maps PF_SYNPROXY_DROP.
	// NOTE(review): in pf this value is used internally for synproxy
	// handling; confirm whether it is meaningful in a user-installed rule.
	ActionSynProxyDrop Action = C.PF_SYNPROXY_DROP
	// ActionDefer maps PF_DEFER.
	// NOTE(review): PF_DEFER is a separate constant from PF_DIVERT in
	// pfvar.h; confirm the intended semantics before relying on this.
	ActionDefer Action = C.PF_DEFER
)
type Address ¶
type Address struct {
// contains filtered or unexported fields
}
Address wraps the pf address (cgo)
func (Address) DynamicCount ¶
DynamicCount returns the dynamic address count reported by pf for this address (only meaningful for dynamic interface references, see SetInterface).
func (Address) DynamicFlag ¶
func (a Address) DynamicFlag(flag DynamicFlag) bool
DynamicFlag returns true if the flag is set for the address
func (Address) Interface ¶
Interface returns the name of the interface (e.g. for a dynamic interface address); it returns an empty string if no interface is set.
func (*Address) ParseCIDR ¶
ParseCIDR parses the passed address in CIDR notation and sets the extracted address, mask and address family. If the mask is missing, the string is parsed as a plain IP address and the mask is set to /32 (IPv4) or /128 (IPv6). It returns a parse error if the input is neither a valid CIDR prefix nor a valid IP address; callers must check the error and must not install a rule whose address failed to parse.
func (*Address) SetAny ¶
func (a *Address) SetAny()
SetAny turns the address into pf's `any` address, which matches every IP address. Note that a pass rule with both source and destination set to any matches all traffic, so use it deliberately.
func (*Address) SetDynamicFlag ¶
func (a *Address) SetDynamicFlag(flag DynamicFlag)
SetDynamicFlag sets the given dynamic interface flag on the address (see DynamicFlag); it only has an effect for dynamic interface references.
func (*Address) SetIPNet ¶
SetIPNet sets the IP address and mask from ipn and changes the address type to AddressMask (Mask then reports true).
func (*Address) SetIPRange ¶
SetIPRange sets the start and end addresses and turns the address into an IP range (Range then reports true).
func (*Address) SetInterface ¶
SetInterface turns the address into a dynamic interface reference; the kind of expansion (network, broadcast, peer, no-alias) is selected with SetDynamicFlag. It returns an error if the interface name is rejected; callers should not install a rule whose address failed to set.
func (*Address) SetNoRoute ¶
func (a *Address) SetNoRoute()
SetNoRoute turns the address into pf's `no-route` address, which matches addresses that are not currently routable.
func (*Address) SetTableName ¶
SetTableName turns the address into a reference to the pf table with the given name. It returns an error if the name is rejected; callers should check it, since a rule referencing a table that is not set correctly will not match what was intended.
func (*Address) SetURPFFailed ¶
func (a *Address) SetURPFFailed()
SetURPFFailed turns the address into pf's `urpf-failed` match; see URPFFailed for details.
func (Address) URPFFailed ¶
URPFFailed reports whether the address matches any source address that fails a unicast reverse path forwarding (uRPF) check, i.e. packets arriving on an interface other than the one holding the route back to the packet's source address (pf.conf's `urpf-failed`).
type AddressFamily ¶
// AddressFamily is the address family a rule is restricted to
// (inet / inet6), or any if unset.
type AddressFamily uint8

const (
	// AddressFamilyAny matches any address family (zero value).
	AddressFamilyAny AddressFamily = 0
	// AddressFamilyInet IPv4
	AddressFamilyInet AddressFamily = C.AF_INET
	// AddressFamilyInet6 IPv6
	AddressFamilyInet6 AddressFamily = C.AF_INET6
)
func (AddressFamily) String ¶
func (af AddressFamily) String() string
type DynamicFlag ¶
// DynamicFlag can be set on an address that is derived from an interface
// (see Address.SetInterface) and selects which of the interface's
// addresses the reference expands to. The values are the kernel's
// PFI_AFLAG_* constants (cgo).
type DynamicFlag uint8

const (
	// DynamicFlagNetwork translates to the network(s) attached to the interface
	DynamicFlagNetwork DynamicFlag = C.PFI_AFLAG_NETWORK
	// DynamicFlagBroadcast translates to the interface's broadcast address(es).
	DynamicFlagBroadcast DynamicFlag = C.PFI_AFLAG_BROADCAST
	// DynamicFlagPeer translates to the point-to-point interface's peer address(es).
	DynamicFlagPeer DynamicFlag = C.PFI_AFLAG_PEER
	// DynamicFlagNoAlias do not include interface aliases.
	DynamicFlagNoAlias DynamicFlag = C.PFI_AFLAG_NOALIAS
)
func (DynamicFlag) String ¶
func (f DynamicFlag) String() string
type FlagHeader ¶
// FlagHeader is a TCP flag header bit set; values are the kernel's TH_*
// constants (cgo) and may be OR-ed together.
type FlagHeader uint8

const (
	// FlagFIN no more data from sender
	FlagFIN FlagHeader = C.TH_FIN
	// FlagSYN synchronize sequence numbers
	FlagSYN FlagHeader = C.TH_SYN
	// FlagRST reset the connection
	FlagRST FlagHeader = C.TH_RST
	// FlagPSH push function
	FlagPSH FlagHeader = C.TH_PUSH
	// FlagACK acknowledgment field is significant
	FlagACK FlagHeader = C.TH_ACK
	// FlagURG urgent pointer field is significant
	FlagURG FlagHeader = C.TH_URG
	// FlagECE ECN-Echo
	FlagECE FlagHeader = C.TH_ECE
	// FlagCWR congestion window reduced
	FlagCWR FlagHeader = C.TH_CWR
)
func (FlagHeader) String ¶
func (f FlagHeader) String() string
type Flags ¶
// Flags specifies which TCP flags must be Set from the flags in OutOf for
// a rule to match (pf.conf's "flags Set/OutOf"). See pf.conf(5) for an
// explanation.
//
// NOTE(review): presumably a zero Flags (both fields 0) means no TCP flag
// check is performed, as in pf.conf's "flags any" — confirm against the
// implementation before relying on it.
type Flags struct {
	// Set are the flags that must be set for the rule to match.
	Set FlagHeader
	// OutOf are the flags that are examined; flags outside this set are ignored.
	OutOf FlagHeader
}
type Protocol ¶
// Protocol is the IP protocol a rule is restricted to, or any if unset.
// Non-zero values are the kernel's IPPROTO_* numbers (cgo).
type Protocol uint8

const (
	// ProtocolAny matches any protocol (zero value).
	ProtocolAny Protocol = 0
	// ProtocolTCP TCP
	ProtocolTCP Protocol = C.IPPROTO_TCP
	// ProtocolUDP UDP
	ProtocolUDP Protocol = C.IPPROTO_UDP
	// ProtocolICMP ICMP
	ProtocolICMP Protocol = C.IPPROTO_ICMP
)
type Rule ¶
type Rule struct {
// contains filtered or unexported fields
}
Rule wraps the pf rule (cgo)
func (Rule) AddressFamily ¶
func (r Rule) AddressFamily() AddressFamily
AddressFamily returns the address family that is matched on
func (Rule) Flags ¶
Flags returns the TCP flags out of flagset that must be set for this rule to match. See pf.conf(5) for an explanation.
func (Rule) LogAll ¶
LogAll returns whether, for rules keeping state, all packets are logged instead of just the initial one.
func (*Rule) ParseDestination ¶
ParseDestination sets the destination address (inet and inet6) and port based on the passed strings; neg negates the match. If parsing fails an error is returned and the rule should not be installed.
func (*Rule) ParseSource ¶
ParseSource sets the source address (inet and inet6) and port based on the passed strings; neg negates the match. If parsing fails an error is returned and the rule should not be installed.
func (*Rule) SetAddressFamily ¶
func (r *Rule) SetAddressFamily(af AddressFamily)
SetAddressFamily sets the address family to match on
func (*Rule) SetDirection ¶
SetDirection sets the direction the traffic flows
func (*Rule) SetFlags ¶
SetFlags sets the TCP flags out of flagset that must be set for this rule to match. See pf.conf(5) for an explanation.
func (*Rule) SetLogAll ¶
SetLogAll sets whether, for rules keeping state, all packets are logged instead of just the initial one.
func (*Rule) SetProtocol ¶
SetProtocol sets the protocol the rule matches on; ProtocolAny removes the protocol restriction.
type State ¶
// State selects whether the packet filter should keep track of the packet
// flows matched by a rule (stateful filtering) or not (stateless
// filtering), and which state-tracking mode is used. Non-zero values are
// the kernel's PF_STATE_* constants (cgo).
type State uint8

const (
	// StateNo no state tracking with this rule (pf.conf "no state").
	StateNo State = 0
	// StateKeep keeps state inside the packet filter (pf.conf "keep state").
	StateKeep State = C.PF_STATE_NORMAL
	// StateModulate keeps state and replaces TCP initial sequence numbers
	// with high quality random ones (pf.conf "modulate state").
	StateModulate State = C.PF_STATE_MODULATE
	// StateSynproxy keeps state and has pf complete the TCP handshake
	// itself before opening the connection to the destination, hiding
	// internals and protecting against SYN floods (pf.conf "synproxy state").
	StateSynproxy State = C.PF_STATE_SYNPROXY
)