rulefp

package
v1.140.0
Published: May 28, 2026 License: MPL-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

const BaselineFile = "/var/lib/nftban/state/ruleset_fingerprint.json"

BaselineFile is the canonical baseline location under the FHS state dir (/var/lib/nftban/state, 0750 nftban:nftban — see internal/installer/fhs/paths.go StateDir). Both the daemon apply hook and the verify-rules CLI use this one path so there is a single baseline format/location.

Variables

This section is empty.

Functions

func CaptureBaseline

func CaptureBaseline(path, rulesetText string) error

CaptureBaseline writes the fingerprint of rulesetText to path atomically (temp + rename), mode 0640. Called after a successful apply/rebuild.

func CaptureLive

func CaptureLive(ctx context.Context, path string) error

CaptureLive fetches the live nftban ruleset and writes its fingerprint baseline to path. Call this ONLY after a trusted, successful apply/rebuild — never from a verify path (otherwise an injected rule could become the new "truth").

func Digest

func Digest(rulesetText string) string

Digest returns the hex-encoded SHA-256 of Normalize(rulesetText), so two rulesets that differ only in volatile content produce the same digest.

func LiveRuleset

func LiveRuleset(ctx context.Context) (string, error)

LiveRuleset returns the concatenated nftban table text for the ip and ip6 families (whichever exist). It is the canonical input for Digest/Verify. Returns ("", error) only when neither family table can be read (→ caller maps to NFT_UNAVAILABLE). A missing ip6 table alone is not fatal.

func Normalize

func Normalize(rulesetText string) string

Normalize canonicalizes nftban-table ruleset text for fingerprinting.

It STRIPS volatile content (packet/byte counters, rule handles, last-used / expires timers, and the contents of dynamic set/map `elements = { … }` blocks — ban/unban churn) while PRESERVING the structural skeleton: table/chain declarations, chain type/hook/priority/policy, and every static rule body.

Consequences (the SEC-RULEFP detection contract):

  • an injected rule (e.g. `ip saddr 1.2.3.4 accept`) is a chain rule line → preserved → digest changes → DETECTED.
  • a chain-policy flip (`policy drop;` → `policy accept;`) is in the chain header → preserved → digest changes → DETECTED.
  • counter ticks, banned-IP set churn, and timer drift → stripped → digest UNCHANGED (no false positive).

Types

type VerifyStatus

type VerifyStatus string

VerifyStatus is the outcome of a verify-rules check.

const (
	// StatusOK — live digest matches the baseline.
	StatusOK VerifyStatus = "OK"
	// StatusMismatch — live digest differs (possible rule injection / chain-policy flip).
	StatusMismatch VerifyStatus = "MISMATCH"
	// StatusBaselineMissing — no baseline captured yet.
	StatusBaselineMissing VerifyStatus = "BASELINE_MISSING"
	// StatusNFTUnavailable — nft / kernel ruleset not readable.
	StatusNFTUnavailable VerifyStatus = "NFT_UNAVAILABLE"
)

func Verify

func Verify(path, currentRulesetText string) (status VerifyStatus, expected, actual string)

Verify computes the fingerprint of currentRulesetText (the live ruleset text, normally from LiveRuleset) and compares it to the baseline stored at path. It NEVER mutates rules or the baseline. Returns the status plus the expected (baseline) and actual (live) digests for diagnostics.

func VerifyLive

func VerifyLive(ctx context.Context, path string) (status VerifyStatus, expected, actual string, err error)

VerifyLive fetches the live ruleset and verifies it against the baseline at path, mapping an nft failure to NFT_UNAVAILABLE.
