netlink

package
v0.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 27, 2026 License: MIT Imports: 29 Imported by: 0

Documentation

Overview

Package netlink provides utilities for managing network configuration using netlink

Index

Constants

View Source 
const GeneveMTUOverhead = 58

GeneveMTUOverhead is the number of bytes subtracted from the primary interface MTU to derive the GENEVE tunnel MTU. This accounts for the outer IPv6 header (40), UDP header (8), and GENEVE base header (8), plus 2 bytes of padding for potential GENEVE TLV options.

View Source 
const IPIPMTUOverhead = 20

IPIPMTUOverhead is the number of bytes subtracted from the primary interface MTU to derive the IPIP (IP-in-IP) tunnel MTU. This accounts for the outer IP header (20). IPIP has the lowest overhead of any tunnel type since it carries no additional headers.

View Source 
const VXLANMTUOverhead = 50

VXLANMTUOverhead is the number of bytes subtracted from the primary interface MTU to derive the VXLAN tunnel MTU. This accounts for the outer IP header (20), UDP header (8), VXLAN header (8), and inner Ethernet header (14).

View Source 
const WireGuardMTUOverhead = 80

WireGuardMTUOverhead is the number of bytes subtracted from the primary interface MTU to derive the WireGuard tunnel MTU. This accounts for the outer IP header, UDP header, and WireGuard encapsulation overhead.

Variables

View Source 
var (
	WireGuardPeers = promauto.NewGaugeVec(prometheus.GaugeOpts{
		Namespace: nodeNamespace,
		Name:      "wireguard_peers",
		Help:      "Current number of WireGuard peers by interface.",
	}, []string{"interface"})

	WireGuardConfigureDuration = promauto.NewHistogramVec(prometheus.HistogramOpts{
		Namespace: nodeNamespace,
		Name:      "wireguard_configure_duration_seconds",
		Help:      "Duration of WireGuard peer configuration in seconds.",
		Buckets:   metrics.DefaultDurationBuckets,
	}, []string{"interface"})

	WireGuardConfigureErrors = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "wireguard_configure_errors_total",
		Help:      "Total WireGuard configuration errors.",
	}, []string{"interface"})

	WireGuardPeersAdded = promauto.NewCounter(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "wireguard_peers_added_total",
		Help:      "Total WireGuard peers added.",
	})

	WireGuardPeersRemoved = promauto.NewCounter(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "wireguard_peers_removed_total",
		Help:      "Total WireGuard peers removed.",
	})
)

WireGuard metrics.

View Source 
var (
	RoutesInstalled = promauto.NewGaugeVec(prometheus.GaugeOpts{
		Namespace: nodeNamespace,
		Name:      "routes_installed",
		Help:      "Current number of installed routes by table.",
	}, []string{"table"})

	RouteSyncDuration = promauto.NewHistogramVec(prometheus.HistogramOpts{
		Namespace: nodeNamespace,
		Name:      "route_sync_duration_seconds",
		Help:      "Duration of route sync operations in seconds.",
		Buckets:   metrics.DefaultDurationBuckets,
	}, []string{"source"})

	RouteSyncErrors = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "route_sync_errors_total",
		Help:      "Total route sync errors.",
	}, []string{"source"})

	RoutesAdded = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "routes_added_total",
		Help:      "Total routes added.",
	}, []string{"source"})

	RoutesRemoved = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "routes_removed_total",
		Help:      "Total routes removed.",
	}, []string{"source"})

	ECMPRoutesInstalled = promauto.NewGauge(prometheus.GaugeOpts{
		Namespace: nodeNamespace,
		Name:      "ecmp_routes_installed",
		Help:      "Current number of installed ECMP routes.",
	})
)

Route metrics.

View Source 
var (
	MasqueradeRules = promauto.NewGaugeVec(prometheus.GaugeOpts{
		Namespace: nodeNamespace,
		Name:      "masquerade_rules",
		Help:      "Current number of masquerade rules by address family.",
	}, []string{"family"})

	MasqueradeSyncDuration = promauto.NewHistogram(prometheus.HistogramOpts{
		Namespace: nodeNamespace,
		Name:      "masquerade_sync_duration_seconds",
		Help:      "Duration of masquerade rule sync in seconds.",
		Buckets:   metrics.DefaultDurationBuckets,
	})

	MasqueradeSyncErrors = promauto.NewCounter(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "masquerade_sync_errors_total",
		Help:      "Total masquerade sync errors.",
	})

	MasqueradeChainRebuilds = promauto.NewCounter(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "masquerade_chain_rebuilds_total",
		Help:      "Total masquerade chain full rebuilds.",
	})
)

Masquerade metrics.

View Source 
var (
	Interfaces = promauto.NewGaugeVec(prometheus.GaugeOpts{
		Namespace: nodeNamespace,
		Name:      "interfaces",
		Help:      "Current number of managed interfaces by type.",
	}, []string{"type"})

	InterfaceOperations = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "interface_operations_total",
		Help:      "Total interface operations by type.",
	}, []string{"operation"})

	InterfaceOperationErrors = promauto.NewCounterVec(prometheus.CounterOpts{
		Namespace: nodeNamespace,
		Name:      "interface_operation_errors_total",
		Help:      "Total interface operation errors by type.",
	}, []string{"operation"})
)

Link/interface metrics.

Functions

func DetectDefaultGateway 

func DetectDefaultGateway(family int) string

DetectDefaultGateway returns the default gateway interface name for the given IP family. family should be netlink.FAMILY_V4 or netlink.FAMILY_V6. Returns empty string if no default route is found.

func DetectDefaultRouteInterface 

func DetectDefaultRouteInterface() (string, int, error)

DetectDefaultRouteInterface returns the name and link index of the network interface that carries the IPv4 default route. Returns an error if no default route is found or the interface cannot be queried.

func DetectDefaultRouteInterfaceFromCache 

func DetectDefaultRouteInterfaceFromCache(cache *NetlinkCache) (string, int, error)

DetectDefaultRouteInterfaceFromCache is like DetectDefaultRouteInterface but reads from the provided cache. Falls back to direct calls if cache is nil.

func DetectDefaultRouteMTU 

func DetectDefaultRouteMTU() int

DetectDefaultRouteMTU returns the MTU of the network interface that carries the IPv4 default route. Returns 0 if no default route is found or the interface cannot be queried.

func DetectDefaultRouteMTUFromCache 

func DetectDefaultRouteMTUFromCache(cache *NetlinkCache) int

DetectDefaultRouteMTUFromCache is like DetectDefaultRouteMTU but reads from the provided cache instead of making direct netlink syscalls. Falls back to direct calls if the cache is nil.

func EnsureIPRule 

func EnsureIPRule(tableID, priority int, fwmark, fwmask uint32) error

EnsureIPRule ensures an ip rule exists for policy routing in both IPv4 and IPv6. When fwmark is 0, an unconditional lookup rule is created (no mark matching). When fwmark > 0, a fwmark-based rule is created with the given mask; a zero fwmask is treated as 0xffffffff. Stale rules with the same mark+table but mismatched mask or priority are removed automatically.

func EnsureRtTablesEntry 

func EnsureRtTablesEntry(tableID int, name string) error

EnsureRtTablesEntry ensures a route table entry with the given tableID and name exists in /etc/iproute2/rt_tables. It is idempotent: if an entry for the tableID already exists (even under a different name), no changes are made.

func FlushRouteTable 

func FlushRouteTable(tableID int) error

FlushRouteTable removes all routes in the specified routing table for both IPv4 and IPv6.

func InterfaceHasRoutes 

func InterfaceHasRoutes(ifaceName string) bool

InterfaceHasRoutes checks if the given interface has any routes in the kernel routing table. This queries the actual kernel state, not in-memory tracking. Used to determine if a gateway was healthy before a pod restart (interface exists + has routes).

func InterfaceHasRoutesWithCache 

func InterfaceHasRoutesWithCache(cache *NetlinkCache, ifaceName string) bool

InterfaceHasRoutesWithCache is like InterfaceHasRoutes but reads from the provided cache when available.

func LastHandshakeAge 

func LastHandshakeAge(lastHandshake time.Time) time.Duration

LastHandshakeAge returns the duration since the last handshake for a peer, or 0 if the handshake time is zero.

func ListRoutesInTable 

func ListRoutesInTable(tableID int) ([]netlink.Route, error)

ListRoutesInTable returns all routes in the specified routing table for both IPv4 and IPv6.

func RemoveIPRule 

func RemoveIPRule(tableID, priority int, fwmark, fwmask uint32) error

RemoveIPRule removes ip rules matching the given table, priority, and fwmark for both IPv4 and IPv6. When fwmark is 0, only unconditional (no-mark) rules are matched. A zero fwmask is treated as 0xffffffff when fwmark > 0.

Types

type DesiredNexthop 

type DesiredNexthop struct {
	PeerID    string // unique peer identifier (e.g., "node-foo/wg51820")
	LinkIndex int    // interface index
	Gateway   net.IP // gateway IP (nil for link-scope)
}

DesiredNexthop describes a single nexthop for a route.

type DesiredRoute 

type DesiredRoute struct {
	Prefix            net.IPNet        // destination prefix
	Nexthops          []DesiredNexthop // one or more nexthops (for ECMP)
	Metric            int              // route metric (lower = preferred)
	MTU               int              // per-route MTU (0 = no MTU set)
	Table             int              // routing table (0 = main)
	HealthCheckImmune bool             // if true, route is never withdrawn by healthcheck
	Encap             netlink.Encap    // lightweight tunnel encap (nil = none)
	Flags             int              // route flags (e.g. unix.RTNH_F_ONLINK)
	ScopeGlobal       bool             // if true, use scope global instead of link for gatewayless routes
}

DesiredRoute describes a route to be programmed by the UnifiedRouteManager.

type GatewayPolicyManager deprecated 

type GatewayPolicyManager struct {
	// contains filtered or unexported fields
}

Deprecated: GatewayPolicyManager is deprecated. Policy-based routing (PBR) via connmark/fwmark/ip-rule is replaced by per-interface iptables FORWARD ACCEPT rules. This type is retained for backward compatibility when enablePolicyRouting is explicitly set to true.

GatewayPolicyManager manages policy routing rules to ensure return traffic from gateway interfaces leaves via the same interface it arrived on. This is necessary for proper bidirectional communication through WireGuard tunnels.

func NewGatewayPolicyManager 

func NewGatewayPolicyManager(wireguardBasePort int) (*GatewayPolicyManager, error)

NewGatewayPolicyManager creates a new GatewayPolicyManager.

func (*GatewayPolicyManager) Cleanup 

func (m *GatewayPolicyManager) Cleanup() error

Cleanup removes all gateway policy iptables rules/chains managed by this manager.

func (*GatewayPolicyManager) ConfigureInterface 

func (m *GatewayPolicyManager) ConfigureInterface(ifaceName string, tableNum int) error

ConfigureInterface sets up policy routing for a gateway interface. This ensures return traffic leaves via the same interface it arrived on. The tableNum is the routing table number to use (typically the WireGuard listen port).

func (*GatewayPolicyManager) ReconcileExpectedInterfaces 

func (m *GatewayPolicyManager) ReconcileExpectedInterfaces(expected map[string]int) error

ReconcileExpectedInterfaces ensures managed UNBOUNDED-* chain rules only contain expected gateway interface entries and removes stale policy rules/tables.

func (*GatewayPolicyManager) RemoveInterface 

func (m *GatewayPolicyManager) RemoveInterface(ifaceName string) error

RemoveInterface removes policy routing configuration for an interface

type IPEncap 

type IPEncap struct {
	Src net.IP
	Dst net.IP
}

IPEncap implements netlink.Encap for LWTUNNEL_ENCAP_IP (lightweight tunnel IPv4 encapsulation). It carries source and destination addresses used by external/flow-based tunnel devices such as vxlan0 in FlowBased mode.

func (*IPEncap) Decode 

func (e *IPEncap) Decode(buf []byte) error

Decode deserializes netlink TLV attributes into the IPEncap fields.

func (*IPEncap) Encode 

func (e *IPEncap) Encode() ([]byte, error)

Encode serializes the encap into netlink TLV attributes.

func (*IPEncap) Equal 

func (e *IPEncap) Equal(x netlink.Encap) bool

Equal returns true when the other Encap is an IPEncap with the same addresses.

func (*IPEncap) String 

func (e *IPEncap) String() string

String returns a human-readable representation matching `ip route` output.

func (*IPEncap) Type 

func (e *IPEncap) Type() int

Type returns the lightweight tunnel encap type for IPv4.

type InstalledRoute 

type InstalledRoute struct {
	Prefix    string   // CIDR string
	Nexthops  []string // peer IDs that are active in this route
	Metric    int
	MTU       int
	Table     int
	LinkScope bool // true if the route is link-scope (no gateway)
}

InstalledRoute describes a route currently installed in the kernel, returned by GetInstalledRoutes for status reporting.

type LinkManager 

type LinkManager struct {
	// contains filtered or unexported fields
}

LinkManager manages a network link (interface) and its addresses

func NewLinkManager 

func NewLinkManager(ifaceName string) *LinkManager

NewLinkManager creates a new LinkManager for the specified interface 

func (lm *LinkManager) DeleteLink() error

DeleteLink removes the interface

func (*LinkManager) EnsureBridge 

func (lm *LinkManager) EnsureBridge() error

EnsureBridge creates the bridge interface if it does not exist and brings it up. Used to ensure cbr0 exists on gateway nodes where the CNI plugin may not have created it.

func (*LinkManager) EnsureDummyInterface 

func (lm *LinkManager) EnsureDummyInterface() error

EnsureDummyInterface creates a dummy interface if it does not exist and brings it up. Dummy interfaces are ideal for eBPF tunnel dataplanes -- the kernel routes packets to the device and TC egress BPF handles encapsulation and redirect. ARP/NDP requests on dummy interfaces go nowhere (no physical medium), so no neighbor resolution issues.

func (*LinkManager) EnsureGeneveInterface 

func (lm *LinkManager) EnsureGeneveInterface(vni uint32, dstPort int) error

EnsureGeneveInterface creates a GENEVE interface if it does not already exist. The interface is created in point-to-multipoint mode (no fixed remote) with learning disabled so that FDB entries are managed explicitly.

func (*LinkManager) EnsureGeneveInterfaceWithCache 

func (lm *LinkManager) EnsureGeneveInterfaceWithCache(cache *NetlinkCache, vni uint32, dstPort int, remote net.IP) error

EnsureGeneveInterfaceWithCache is like EnsureGeneveInterfaceWithRemote but checks existence via the netlink cache instead of a netlink syscall. Falls back to a direct LinkByName if the cache is nil.

func (*LinkManager) EnsureGeneveInterfaceWithRemote 

func (lm *LinkManager) EnsureGeneveInterfaceWithRemote(vni uint32, dstPort int, remote net.IP) error

EnsureGeneveInterfaceWithRemote creates a point-to-point GENEVE interface with a fixed remote tunnel endpoint. Each peer gets its own interface.

func (*LinkManager) EnsureIPIPExternalInterface 

func (lm *LinkManager) EnsureIPIPExternalInterface() error

EnsureIPIPExternalInterface creates an external/flow-based IPIP interface for use with the eBPF tunnel dataplane. The BPF program sets the tunnel destination per-packet via bpf_skb_set_tunnel_key.

func (*LinkManager) EnsureIPIPInterfaceWithCache 

func (lm *LinkManager) EnsureIPIPInterfaceWithCache(cache *NetlinkCache, local, remote net.IP) error

EnsureIPIPInterfaceWithCache is like EnsureIPIPInterfaceWithRemote but checks existence via the netlink cache instead of a netlink syscall. Falls back to a direct LinkByName if the cache is nil.

func (*LinkManager) EnsureIPIPInterfaceWithRemote 

func (lm *LinkManager) EnsureIPIPInterfaceWithRemote(local, remote net.IP) error

EnsureIPIPInterfaceWithRemote creates a point-to-point IPIP tunnel interface with 20 bytes of overhead (just an outer IP header, no UDP wrapper).

func (*LinkManager) EnsureMTU 

func (lm *LinkManager) EnsureMTU(mtu int) error

EnsureMTU checks the current MTU of the managed interface and sets it to the desired value if it differs. Returns nil when the MTU is already correct or was successfully updated.

func (*LinkManager) EnsureMTUWithCache 

func (lm *LinkManager) EnsureMTUWithCache(cache *NetlinkCache, mtu int) error

EnsureMTUWithCache checks and sets MTU using a cached link lookup. Falls back to direct LinkByName if the cache is nil or misses.

func (*LinkManager) EnsureVXLANInterface 

func (lm *LinkManager) EnsureVXLANInterface(dstPort, srcPortLow, srcPortHigh int) error

EnsureVXLANInterface creates an external/flow-based VXLAN interface if it does not already exist. The interface is created with FlowBased=true (no fixed remote, no fixed VNI), Learning disabled, and the specified UDP destination port. Per-peer routing is done via lightweight tunnel encap directives on routes rather than per-peer interfaces. EnsureVXLANInterface creates a flow-based VXLAN interface if it does not exist. The srcPortLow/srcPortHigh parameters control the UDP source port range used for outbound VXLAN packets. A narrow range reduces the number of distinct flows seen by cloud platform networking, helping avoid VM flow table limits on platforms like Azure or GCP.

func (*LinkManager) EnsureWireGuardInterface 

func (lm *LinkManager) EnsureWireGuardInterface() error

EnsureWireGuardInterface creates the WireGuard interface if it doesn't exist

func (*LinkManager) Exists 

func (lm *LinkManager) Exists() bool

Exists returns true if the interface exists

func (*LinkManager) GetAddresses 

func (lm *LinkManager) GetAddresses() ([]string, error)

GetAddresses returns the current addresses on the interface

func (*LinkManager) SetLinkAddress 

func (lm *LinkManager) SetLinkAddress(addr net.HardwareAddr) error

SetLinkAddress sets the hardware (MAC) address on the interface.

func (*LinkManager) SetLinkNoARP 

func (lm *LinkManager) SetLinkNoARP() error

SetLinkNoARP disables ARP on the interface. This is needed for external/ flow-based tunnel interfaces where the BPF program handles encapsulation -- the kernel should send packets directly without neighbor resolution.

func (*LinkManager) SetLinkUp 

func (lm *LinkManager) SetLinkUp() error

SetLinkUp brings the interface up

func (*LinkManager) SetLinkUpWithCache 

func (lm *LinkManager) SetLinkUpWithCache(cache *NetlinkCache) error

SetLinkUpWithCache brings the interface up using a cached link lookup. Falls back to direct LinkByName if the cache is nil or misses.

func (*LinkManager) SyncAddresses 

func (lm *LinkManager) SyncAddresses(desiredAddrs []string, removeAll bool) (added, removed int, err error)

SyncAddresses performs a differential update of addresses on the interface. It adds addresses that are in desired but not currently configured, and removes addresses that are configured but not in desired. When removeAll is true, link-local addresses are also removed during cleanup; when false, link-local addresses are preserved (normal operational mode). Returns the number of addresses added and removed.

type MSSClampManager 

type MSSClampManager struct {
	// contains filtered or unexported fields
}

MSSClampManager installs iptables mangle rules that clamp TCP MSS on SYN packets transiting WireGuard interfaces. This prevents pods (whose network namespace sees a 1500-byte veth MTU) from advertising an MSS too large for the WireGuard tunnel, which would cause silent drops of large TLS responses at gateway forwarding hops.

func NewMSSClampManager 

func NewMSSClampManager() (*MSSClampManager, error)

NewMSSClampManager creates a manager and ensures the mangle chain exists.

func (*MSSClampManager) Cleanup 

func (m *MSSClampManager) Cleanup() error

Cleanup removes all MSS clamping rules installed by this manager.

func (*MSSClampManager) EnsureRules 

func (m *MSSClampManager) EnsureRules() error

EnsureRules installs the TCPMSS clamp rules if not already present. Safe to call on every reconciliation loop.

type MasqueradeManager 

type MasqueradeManager struct {
	// contains filtered or unexported fields
}

MasqueradeManager manages iptables masquerade rules for pod egress traffic. It supports both IPv4 and IPv6 with separate rule sets.

func NewMasqueradeManager 

func NewMasqueradeManager() (*MasqueradeManager, error)

NewMasqueradeManager creates a new MasqueradeManager with IPv4 and IPv6 support. Returns an error if iptables is not available.

func (*MasqueradeManager) Cleanup 

func (mm *MasqueradeManager) Cleanup() error

Cleanup removes all masquerade rules installed by this manager

func (*MasqueradeManager) SyncRules 

func (mm *MasqueradeManager) SyncRules(defaultIfaceV4, defaultIfaceV6 string, nonMasqCIDRs []string) error

SyncRules synchronizes the masquerade rules with the desired state. It handles both IPv4 and IPv6 CIDRs, automatically classifying them by family.

type NetlinkCache 

type NetlinkCache struct {
	// contains filtered or unexported fields
}

NetlinkCache maintains an in-memory cache of network links, addresses, and routes, updated via netlink subscribe events with periodic full resync as a safety net. Analogous to a Kubernetes informer.

func NewNetlinkCache 

func NewNetlinkCache(resyncInterval time.Duration) *NetlinkCache

NewNetlinkCache creates a new cache with the given resync interval.

func (*NetlinkCache) AddrList 

func (c *NetlinkCache) AddrList(link netlink.Link, family int) ([]netlink.Addr, error)

AddrList returns cached addresses for the given link and address family.

func (*NetlinkCache) BeginRouteBatch 

func (c *NetlinkCache) BeginRouteBatch()

BeginRouteBatch suppresses route event resyncs. Multiple calls nest -- route resync runs when the outermost batch ends. Use this before making multiple route changes to coalesce them into a single RouteList.

func (*NetlinkCache) EndRouteBatch 

func (c *NetlinkCache) EndRouteBatch()

EndRouteBatch decrements the batch depth. When the outermost batch ends, if any route events arrived during the batch, a single RouteList resync is triggered. 

func (c *NetlinkCache) HasLink(name string) bool

HasLink returns true if a link with the given name exists in the cache.

func (*NetlinkCache) LinkByIndex 

func (c *NetlinkCache) LinkByIndex(index int) (netlink.Link, error)

LinkByIndex returns the cached link with the given index.

func (*NetlinkCache) LinkByName 

func (c *NetlinkCache) LinkByName(name string) (netlink.Link, error)

LinkByName returns the cached link with the given name. 

func (c *NetlinkCache) LinkList() []netlink.Link

LinkList returns all cached links.

func (*NetlinkCache) RouteList 

func (c *NetlinkCache) RouteList(link netlink.Link, family int) ([]netlink.Route, error)

RouteList returns cached routes, optionally filtered by link.

func (*NetlinkCache) Start 

func (c *NetlinkCache) Start(ctx context.Context) error

Start subscribes to netlink events, performs an initial full sync, and launches the background event-processing goroutine. Subscribe channels are opened before the initial list to avoid missing changes between List and Subscribe.

func (*NetlinkCache) Stats 

func (c *NetlinkCache) Stats() (links, addrs, routes int)

Stats returns cache statistics for debugging.

type UnifiedRouteManager 

type UnifiedRouteManager struct {
	// contains filtered or unexported fields
}

UnifiedRouteManager manages all routes -- both simple link-scope and ECMP multipath -- using a single code path. It replaces both RouteManager and ECMPRouteManager with unified support for:

  • Link-scope routes (no gateway, scope=link) for bootstrap routes
  • ECMP multipath routes with gateways
  • Per-route MTU
  • Preferred source IPs
  • Route table selection (main table, custom tables)
  • Fast peer removal/restoration for health-check integration
  • Differential sync (add missing, update changed, remove stale)

func NewUnifiedRouteManager 

func NewUnifiedRouteManager(linkName string, defaultTable int) *UnifiedRouteManager

NewUnifiedRouteManager creates a new route manager. linkName is the primary interface used for metrics labelling; actual route interfaces come from each DesiredNexthop.LinkIndex. defaultTable is the routing table ID used for routes whose Table field is 0; pass 0 to use the main table (254) for backward compatibility.

func (*UnifiedRouteManager) GetInstalledRoutes 

func (m *UnifiedRouteManager) GetInstalledRoutes() []InstalledRoute

GetInstalledRoutes returns the current set of installed routes for status reporting.

func (*UnifiedRouteManager) RemoveAllRoutes 

func (m *UnifiedRouteManager) RemoveAllRoutes() error

RemoveAllRoutes removes all managed routes and clears tracking state.

func (*UnifiedRouteManager) RemoveNexthopForPeer 

func (m *UnifiedRouteManager) RemoveNexthopForPeer(peerID string) error

RemoveNexthopForPeer removes a peer's nexthop from all groups and routes. This is called when a health-check session goes down.

func (*UnifiedRouteManager) RestoreNexthopForPeer 

func (m *UnifiedRouteManager) RestoreNexthopForPeer(peerID string) error

RestoreNexthopForPeer re-adds a peer's nexthop to all applicable routes. This is called when a health-check session comes back up.

func (*UnifiedRouteManager) SetNetlinkCache 

func (m *UnifiedRouteManager) SetNetlinkCache(cache *NetlinkCache)

SetNetlinkCache sets the cache used for read-path operations (route listing, link lookups). Pass nil to revert to direct netlink syscalls.

func (*UnifiedRouteManager) SetPreferredSourceIPs 

func (m *UnifiedRouteManager) SetPreferredSourceIPs(ipv4, ipv6 net.IP)

SetPreferredSourceIPs sets the preferred source IPs for routes. IPv4 routes will use ipv4 and IPv6 routes will use ipv6 as the preferred source for locally-originated packets. Pass nil to disable.

func (*UnifiedRouteManager) SyncRoutes 

func (m *UnifiedRouteManager) SyncRoutes(desired []DesiredRoute) error

SyncRoutes performs a differential sync of all routes. It ensures nexthop objects are tracked for all referenced peers, then adds/updates/removes kernel routes as needed.

func (*UnifiedRouteManager) ValidateRoutes 

func (m *UnifiedRouteManager) ValidateRoutes() int

ValidateRoutes checks the kernel routing table against the desired state and corrects any drift. Routes that are missing are re-added, routes that should not exist are removed, and routes whose nexthops have diverged from the expected healthy set are replaced. Returns the number of corrections made.

When the manager uses a dedicated table (not the main table), validation scopes its kernel route listing to that table and treats every RTPROT_STATIC route in it as managed. When using the main table, only routes matching a desired prefix are considered.

type WireGuardCollector 

type WireGuardCollector struct {
	// contains filtered or unexported fields
}

WireGuardCollector is a Prometheus collector that queries active WireGuard managers for per-peer transfer and handshake statistics at scrape time.

func NewWireGuardCollector 

func NewWireGuardCollector() *WireGuardCollector

NewWireGuardCollector creates a new collector. Register WireGuard managers with SetManagers as they are created.

func (*WireGuardCollector) Collect 

func (c *WireGuardCollector) Collect(ch chan<- prometheus.Metric)

Collect implements prometheus.Collector. It queries each registered WireGuard manager and emits per-peer gauges.

func (*WireGuardCollector) Describe 

func (c *WireGuardCollector) Describe(ch chan<- *prometheus.Desc)

Describe implements prometheus.Collector.

func (*WireGuardCollector) SetManagers 

func (c *WireGuardCollector) SetManagers(managers []*WireGuardManager)

SetManagers replaces the set of WireGuard managers to query on each scrape.

type WireGuardManager 

type WireGuardManager struct {
	// contains filtered or unexported fields
}

WireGuardManager manages WireGuard device configuration using wgctrl

func NewWireGuardManager 

func NewWireGuardManager(ifaceName string) (*WireGuardManager, error)

NewWireGuardManager creates a new WireGuardManager for the specified interface

func (*WireGuardManager) Close 

func (wm *WireGuardManager) Close() error

Close releases resources held by the WireGuardManager

func (*WireGuardManager) Configure 

func (wm *WireGuardManager) Configure(privateKey string, listenPort int, peers []WireGuardPeer) error

Configure applies the WireGuard configuration to the interface using delta updates. It compares the current peer configuration with the desired configuration and only makes changes where necessary (add new peers, remove stale peers, update changed peers). privateKey is the base64-encoded private key listenPort is the UDP port to listen on peers is the list of desired peer configurations

func (*WireGuardManager) GetDevice 

func (wm *WireGuardManager) GetDevice() (*wgtypes.Device, error)

GetDevice returns the current WireGuard device configuration

func (*WireGuardManager) GetPeers 

func (wm *WireGuardManager) GetPeers() ([]wgtypes.Peer, error)

GetPeers returns the current list of peers configured on the device

type WireGuardPeer 

type WireGuardPeer struct {
	PublicKey           string
	Endpoint            string // host:port format
	AllowedIPs          []string
	PersistentKeepalive int // seconds, 0 to disable
}

WireGuardPeer represents a WireGuard peer configuration

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.