linuxfw

package
v0.0.0-...-9d29f1b
Published: Sep 4, 2023 License: BSD-3-Clause Imports: 25 Imported by: 0


Constants

const (
	// The mask for reading/writing the 'firewall mask' bits on a packet.
	// See the comment on the const block on why we only use the third byte.
	//
	// We claim bits 16:23 entirely. For now we only use the lower four
	// bits, leaving the higher 4 bits for future use.
	TailscaleFwmarkMask    = "0xff0000"
	TailscaleFwmarkMaskNum = 0xff0000

	// Packet is from Tailscale and to a subnet route destination, so
	// is allowed to be routed through this machine.
	TailscaleSubnetRouteMark    = "0x40000"
	TailscaleSubnetRouteMarkNum = 0x40000

	// Packet was originated by tailscaled itself, and must not be
	// routed over the Tailscale network.
	TailscaleBypassMark    = "0x80000"
	TailscaleBypassMarkNum = 0x80000
)

The following bits are added to packet marks for Tailscale use.

We tried to pick bits sufficiently out of the way that it's unlikely to collide with existing uses. We have 4 bytes of mark bits to play with. We leave the lower byte alone on the assumption that sysadmins would use those. Kubernetes uses a few bits in the second byte, so we steer clear of that too.

Empirically, most of the documentation on packet marks on the internet gives the impression that the marks are 16 bits wide. Based on this, we theorize that the upper two bytes are relatively unused in the wild, and so we consume bits 16:23 (the third byte).

The constants are in the iptables/iproute2 string format for matching and setting the bits, so they can be directly embedded in commands.
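As an added example (not the package's own code), the mark arithmetic these constants rely on: a masked set-xmark writes only Tailscale's byte and leaves a sysadmin's low-byte marks intact, and a masked match reads back only that byte. `SetXMark` and `MatchMark` model the semantics of iptables' `MARK --set-xmark value/mask` target and `-m mark --mark value/mask` match; the helper names and the `0x42` sample mark are this example's own.

```go
package main

import "fmt"

// Mark constants as given on this page: Tailscale claims the third byte
// (bits 16:23) of the 32-bit fwmark.
const (
	TailscaleFwmarkMask    = "0xff0000"
	TailscaleFwmarkMaskNum = 0xff0000
	TailscaleSubnetRouteMark    = "0x40000"
	TailscaleSubnetRouteMarkNum = 0x40000
	TailscaleBypassMark    = "0x80000"
	TailscaleBypassMarkNum = 0x80000
)

// SetXMark models the kernel semantics of "-j MARK --set-xmark value/mask":
// the bits selected by mask are cleared, then value is XORed in. Bits
// outside the mask (a sysadmin's marks in the low byte, say) survive.
func SetXMark(mark, value, mask uint32) uint32 {
	return (mark &^ mask) ^ value
}

// MatchMark models "-m mark --mark value/mask": only the masked bits
// are compared, so unrelated marks on the packet do not break the match.
func MatchMark(mark, value, mask uint32) bool {
	return mark&mask == value
}

// IsBypass reports whether the packet carries the tailscaled bypass mark.
func IsBypass(mark uint32) bool {
	return MatchMark(mark, TailscaleBypassMarkNum, TailscaleFwmarkMaskNum)
}

// IsSubnetRoute reports whether the packet carries the subnet-route mark.
func IsSubnetRoute(mark uint32) bool {
	return MatchMark(mark, TailscaleSubnetRouteMarkNum, TailscaleFwmarkMaskNum)
}

// MarkMatchArgs builds the iptables match arguments from the page's string constants.
func MarkMatchArgs(mark string) string {
	return fmt.Sprintf("-m mark --mark %s/%s", mark, TailscaleFwmarkMask)
}

func main() {
	adminMark := uint32(0x42) // constructed: a pre-existing low-byte mark
	m := SetXMark(adminMark, TailscaleBypassMarkNum, TailscaleFwmarkMaskNum)
	fmt.Printf("mark=%#x bypass=%v subnet=%v lowbyte=%#x\n", m, IsBypass(m), IsSubnetRoute(m), m&0xff)
	fmt.Println(MarkMatchArgs(TailscaleBypassMark))
}
```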

Variables

This section is empty.

Functions

func CheckIPRuleSupportsV6

func CheckIPRuleSupportsV6(logf logger.Logf) error

func DebugIptables

func DebugIptables(logf logger.Logf) error

DebugIptables prints debug information about iptables rules to the provided log function.

func DebugNetfilter

func DebugNetfilter(logf logger.Logf) error

DebugNetfilter prints debug information about netfilter rules to the provided log function.

func DetectIptables

func DetectIptables() (int, error)

DetectIptables returns the number of iptables rules that are present in the system, ignoring the default "ACCEPT" rule present in the standard iptables chains.

It only returns an error when there is no iptables binary, or when iptables -S fails. In all other cases, it returns the number of non-default rules.

func DetectNetfilter

func DetectNetfilter() (int, error)

DetectNetfilter returns the number of nftables rules present in the system.

func IPTablesCleanup

func IPTablesCleanup(logf logger.Logf)

IPTablesCleanup removes all Tailscale added iptables rules. Any errors that occur are logged to the provided logf.

func NewIPTablesRunner

func NewIPTablesRunner(logf logger.Logf) (*iptablesRunner, error)

NewIPTablesRunner constructs a NetfilterRunner that programs iptables rules. If the underlying iptables library fails to initialize, that error is returned. The runner probes for IPv6 support once at initialization time and if not found, no IPv6 rules will be modified for the lifetime of the runner.

func NewNfTablesRunner

func NewNfTablesRunner(logf logger.Logf) (*nftablesRunner, error)

NewNfTablesRunner creates a new nftablesRunner without guaranteeing the existence of the tables and chains.

func NfTablesCleanUp

func NfTablesCleanUp(logf logger.Logf)

NfTablesCleanUp removes all Tailscale added nftables rules. Any errors that occur are logged to the provided logf.

Types

type FWModeNotSupportedError

type FWModeNotSupportedError struct {
	Mode FirewallMode
	Err  error
}

func (FWModeNotSupportedError) Error

func (e FWModeNotSupportedError) Error() string

func (FWModeNotSupportedError) Is

func (e FWModeNotSupportedError) Is(target error) bool

func (FWModeNotSupportedError) Unwrap

func (e FWModeNotSupportedError) Unwrap() error

type FirewallMode

type FirewallMode string

const (
	FirewallModeIPTables FirewallMode = "iptables"
	FirewallModeNfTables FirewallMode = "nftables"
)

type MatchDecision

type MatchDecision int

MatchDecision is the decision made by the firewall for a packet matched by a rule. It is used to decide whether to accept or masquerade a packet in addMatchSubnetRouteMarkRule.

const (
	Accept MatchDecision = iota
	Masq
)

Directories

Path Synopsis
Package linuxfwtest contains tests for the linuxfw package.
