Documentation
¶
Overview ¶
Package iptables supports packet filtering and manipulation via the iptables tool.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Chain ¶
type Chain struct {
// Name is the chain name.
Name string
// Rules is the list of rules to traverse.
Rules []Rule
}
A Chain defines a list of rules for packet processing. When a packet traverses a chain, it is checked against each rule until either a rule returns a verdict or the chain ends.
By convention, builtin chains end with a rule that matches everything and returns either Accept or Drop. User-defined chains end with Return. These aren't strictly necessary here, but the iptables tool writes tables this way.
type Hook ¶
type Hook uint
A Hook specifies one of the hooks built into the network stack.
Userspace app Userspace app
^ |
| v
[Input] [Output]
^ |
| v
| routing
| |
| v
----->[Prerouting]----->routing----->[Forward]---------Postrouting----->
Hook 指定了网络协议栈中内置的钩子。
const ( // Prerouting happens before a packet is routed to applications or to be forwarded. // Prerouting 发生在数据包被路由到应用程序或被 forward 转发前。 Prerouting Hook = iota // Input happens before a packet reaches an application. // Input 发生在数据包到达应用程序之前。 Input // Forward happens once it's decided that a packet should be forwarded to another host. // Forward 发生在将一个数据包转发到另一台主机时。 Forward // Output happens after a packet is written by an application to be sent out. // Output 发生在应用程序写入一个数据包并将其发送出去之后。 Output // Postrouting happens just before a packet goes out on the wire. // Postrouting 发生在数据包在线路上发出之前。 Postrouting // The total number of hooks. // 钩子的总数。 NumHooks )
These values correspond to values in include/uapi/linux/netfilter.h.
type IPTables ¶
type IPTables struct {
// Tables maps table names to tables. User tables have arbitrary names.
Tables map[string]Table
// Priorities maps each hook to a list of table names. The order of the
// list is the order in which each table should be visited for that hook.
Priorities map[Hook][]string
}
IPTables holds all the tables for a netstack.
func DefaultTables ¶
func DefaultTables() IPTables
DefaultTables returns a default set of tables.
Each chain is set to accept all packets.
type Matcher ¶
type Matcher interface {
// Match returns whether the packet matches and whether the packet
// should be "hotdropped", i.e. dropped immediately. This is usually
// used for suspicious packets.
Match(hook Hook, packet buffer.VectorisedView, interfaceName string) (matches bool, hotdrop bool)
}
A Matcher is the interface for matching packets.
type Rule ¶
type Rule struct {
// Matchers is the list of matchers for this rule.
Matchers []Matcher
// Target is the action to invoke if all the matchers match the packet.
Target Target
}
A Rule is a packet processing rule. It consists of two pieces. First it contains zero or more matchers, each of which is a specification of which packets this rule applies to. If there are no matchers in the rule, it applies to any packet.
type Table ¶
type Table struct {
// BuiltinChains holds the un-deletable chains built into netstack.
// If a hook isn't present in the map, this table doesn't utilize that hook.
BuiltinChains map[Hook]Chain
// DefaultTargets holds a target for each hook that will be executed if
// chain traversal doesn't yield a verdict.
DefaultTargets map[Hook]Target
// UserChains holds user-defined chains for the keyed by name. Users
// can give their chains arbitrary names.
UserChains map[string]Chain
// Chains maps names to chains for both builtin and user-defined chains.
// Its entries point to Chains already either in BuiltinChains or
// UserChains, and its purpose is to make looking up tables by name
// fast.
Chains map[string]*Chain
// contains filtered or unexported fields
}
A Table defines a set of chains and hooks into the network stack. The currently supported tables are:
- nat
- mangle
func (*Table) Metadata ¶
func (table *Table) Metadata() interface{}
Metadata returns the metadata object stored in table.
func (*Table) SetMetadata ¶
func (table *Table) SetMetadata(metadata interface{})
SetMetadata sets the metadata object stored in table.
func (*Table) ValidHooks ¶
ValidHooks returns a bitmap of the builtin hooks for the given table.
type Target ¶
type Target interface {
// Action takes an action on the packet and returns a verdict on how
// traversal should (or should not) continue. If the return value is
// Jump, it also returns the name of the chain to jump to.
Action(packet buffer.VectorisedView) (Verdict, string)
}
A Target is the interface for taking an action for a packet.
type UnconditionalAcceptTarget ¶
type UnconditionalAcceptTarget struct{}
UnconditionalAcceptTarget accepts all packets.
func (UnconditionalAcceptTarget) Action ¶
func (UnconditionalAcceptTarget) Action(packet buffer.VectorisedView) (Verdict, string)
Action implements Target.Action.
type UnconditionalDropTarget ¶
type UnconditionalDropTarget struct{}
UnconditionalDropTarget denies all packets.
func (UnconditionalDropTarget) Action ¶
func (UnconditionalDropTarget) Action(packet buffer.VectorisedView) (Verdict, string)
Action implements Target.Action.
type Verdict ¶
type Verdict int
A Verdict is returned by a rule's target to indicate how traversal of rules should (or should not) continue.
Verdict 由规则的目标返回,用于指示规则的遍历应该(或不应该)如何继续。
const ( // Accept indicates the packet should continue traversing netstack as normal. // Accept 表示数据包应该正常地继续遍历 netstack 。 Accept Verdict = iota // Drop inicates the packet should be dropped, stopping traversing netstack. // Drop 指示数据包应该被丢弃,停止遍历 netstack 。 Drop // Stolen indicates the packet was co-opted by the target and should stop traversing netstack. // Stolen 表示数据包被目标方获取,应停止遍历 netstack 。(?) Stolen // Queue indicates the packet should be queued for userspace processing. // Queue 表示数据包应该排队等待用户空间处理。 Queue // Repeat indicates the packet should re-traverse the chains for the current hook. // Repeat 表示数据包应该为当前的钩子重新遍历链。(?) Repeat // None indicates no verdict was reached. // None 表示没有作出判决。 None // Jump indicates a jump to another chain. // Jump 表示跳到另一个链上。 Jump // Continue indicates that traversal should continue at the next rule. // Continue 表示应在下一条规则处继续遍历。 Continue // Return indicates that traversal should return to the calling chain. // Return 表示遍历应该返回到调用链。 Return )
Source Files