detect

package
v1.113.0
Published: May 13, 2026 License: MPL-2.0 Imports: 8 Imported by: 0

Documentation

Overview

=============================================================================
NFTBan v1.73 - Installer Conflict Detection (PR-P2-2: thin adapter over extfw)
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-detect-conflicts"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Conflicting firewall detection (services + ghost nft tables)"
meta:inventory.files="internal/installer/detect/conflicts.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

PR-P2-2 unification note:

This file used to own its own detection surface (service probes +
ghost-nft-table parsing). As of PR-P2-2 it is a thin adapter over
internal/installer/extfw.Detect(), which is the single source of
truth for external-firewall detection across the install, update,
and uninstall lifecycle paths.

The Conflict struct and DetectConflicts()/ConflictNames() API are
preserved for backward compatibility with existing consumers
(phaseDetect, switchop.DisableConflicts, etc.). Internally, every
signal comes from extfw.Detect.

Option A resolution (2026-04-20): /etc/csf/csf.conf is a valid CSF signal. Install side now honors it — same as uninstall — so the two lifecycle surfaces cannot disagree about whether CSF is present.

=============================================================================

=============================================================================
NFTBan v1.73 - Installer CT Limits Detection
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-detect-ctlimits"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="DDoS connection tracking limit reads from config"
meta:inventory.files="internal/installer/detect/ctlimits.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files="/etc/nftban/conf.d/ddos/classic.conf"
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="none"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer Distro Detection
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-detect-distro"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="OS distribution detection and nftables.conf path resolution"
meta:inventory.files="internal/installer/detect/distro.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files="/etc/os-release"
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="none"
=============================================================================

=============================================================================
NFTBan v1.75.1 - Installer Panel Detection
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-detect-panel"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="Control panel detection by directory existence"
meta:inventory.files="internal/installer/detect/panel.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files=""
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="none"
=============================================================================

=============================================================================
NFTBan v1.73 - Installer SSH Port Detection
=============================================================================
SPDX-License-Identifier: MPL-2.0
meta:name="installer-detect-ssh"
meta:type="lib"
meta:owner="Antonios Voulvoulis <contact@nftban.com>"
meta:created_date="2026-04-04"
meta:description="4-source SSH port detection chain for installer"
meta:inventory.files="internal/installer/detect/ssh.go"
meta:inventory.binaries=""
meta:inventory.env_vars=""
meta:inventory.config_files="/etc/ssh/sshd_config"
meta:inventory.systemd_units=""
meta:inventory.network=""
meta:inventory.privileges="root"
=============================================================================

Index

Constants

const (
	PathDirectAdmin = "/usr/local/directadmin"
	PathCPanel      = "/usr/local/cpanel"
	PathPlesk       = "/usr/local/psa"
	PathCyberPanel  = "/usr/local/CyberCP"
	PathHestia      = "/usr/local/hestia"
	PathVesta       = "/usr/local/vesta"
	PathCWP         = "/usr/local/cwpsrv"
	PathInterWorx   = "/usr/local/interworx"
)

Panel directory paths (exported for use by switchop and services packages).

Variables

This section is empty.

Functions

func ConflictNames

func ConflictNames(conflicts []Conflict) []string

ConflictNames returns a deduplicated list of conflict names, preserving the order they appeared in the input slice.

func HasPanel

func HasPanel(panel PanelType) bool

HasPanel returns true if panel is a detected panel, i.e. any value other than PanelNone.

func SSHPort

func SSHPort(exec executor.Executor, log *logging.Logger) (int, error)

SSHPort detects the active SSH port using a 4-source priority chain. Returns the port number (1-65535) or an error if no source yields a valid port.

Priority:

  1. ss listener (most authoritative — reflects actual running sshd)
  2. sshd_config + drop-in dirs (config-declared)
  3. State file from previous install (/var/lib/nftban/state/ssh_port_active.state)
  4. nftban.conf.local override (/etc/nftban/nftban.conf.local SSH_PORT=)

func SSHPortWithSource added in v1.100.4

func SSHPortWithSource(exec executor.Executor, log *logging.Logger) (port int, source string, err error)

SSHPortWithSource returns the resolved SSH port AND a short string identifying which source yielded it: "ss" / "sshd_config" / "state" / "config" — matching the schema enum required by the PR-26-code-D restore evidence record (§39.1 / §48.6 lock).

Same priority chain as SSHPort. Read-only typed introspection; no mutation. Per §51.5-A2 invariant, this is OUTSIDE the bounded mutation surface cap. Added in PR-26-code-D.
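The priority chain that SSHPort and SSHPortWithSource describe, worked through as an added example. This is not the package's own code: it takes the raw text of each source as input (the sample `ss` line, sshd_config bodies, state file and nftban.conf.local are all constructed here), applies the same 1-65535 validity check, and returns both the port and the source label the page lists ("ss" / "sshd_config" / "state" / "config"). The assumption that drop-in files are scanned before sshd_config itself is this example's own, based on the stock `Include /etc/ssh/sshd_config.d/*.conf` line sitting at the top of sshd_config and sshd keeping the first value it sees for a keyword.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PortResult is the resolved port plus the source label: "ss", "sshd_config",
// "state" or "config" (the same labels the page documents for SSHPortWithSource).
type PortResult struct {
	Port   int
	Source string
}

// Inputs holds the raw text of each source. An empty string means the source
// was unavailable (command failed, file absent) and the chain falls through.
type Inputs struct {
	SSOutput    string // `ss -H -tlnp` output
	SSHDDropIns string // concatenated /etc/ssh/sshd_config.d/*.conf
	SSHDConfig  string // /etc/ssh/sshd_config
	StateFile   string // ssh_port_active.state
	ConfLocal   string // nftban.conf.local
}

func validPort(p int) bool { return p >= 1 && p <= 65535 }

// portFromSS returns the port of a listening socket owned by sshd. With -H there
// is no header row; the local address is column 4 and the port follows the last
// ':' (this handles 0.0.0.0:22 and [::]:22 alike).
func portFromSS(out string) (int, bool) {
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || !strings.Contains(line, `"sshd"`) {
			continue
		}
		if i := strings.LastIndex(f[3], ":"); i >= 0 {
			if p, err := strconv.Atoi(f[3][i+1:]); err == nil && validPort(p) {
				return p, true
			}
		}
	}
	return 0, false
}

// portFromSSHDConfig returns the first effective "Port" directive. sshd keeps the
// first value it sees for a keyword, so drop-in text is scanned before the main
// file (assumption: the Include line sits at the top of sshd_config).
func portFromSSHDConfig(contents ...string) (int, bool) {
	for _, c := range contents {
		for _, line := range strings.Split(c, "\n") {
			f := strings.Fields(line) // "#Port 22" yields "#Port" and is skipped
			if len(f) == 2 && strings.EqualFold(f[0], "Port") {
				if p, err := strconv.Atoi(f[1]); err == nil && validPort(p) {
					return p, true
				}
			}
		}
	}
	return 0, false
}

// portFromState parses the bare integer a previous install wrote.
func portFromState(body string) (int, bool) {
	p, err := strconv.Atoi(strings.TrimSpace(body))
	return p, err == nil && validPort(p)
}

// portFromKeyValue finds KEY=VALUE (value optionally quoted) in shell-style config.
func portFromKeyValue(body, key string) (int, bool) {
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, key+"=") {
			continue
		}
		v := strings.Trim(strings.TrimPrefix(line, key+"="), `"'`)
		if p, err := strconv.Atoi(v); err == nil && validPort(p) {
			return p, true
		}
	}
	return 0, false
}

// ResolveSSHPort walks the sources in the documented priority order and returns
// the first valid answer; an error means every source was silent or invalid.
func ResolveSSHPort(in Inputs) (PortResult, error) {
	if p, ok := portFromSS(in.SSOutput); ok {
		return PortResult{p, "ss"}, nil
	}
	if p, ok := portFromSSHDConfig(in.SSHDDropIns, in.SSHDConfig); ok {
		return PortResult{p, "sshd_config"}, nil
	}
	if p, ok := portFromState(in.StateFile); ok {
		return PortResult{p, "state"}, nil
	}
	if p, ok := portFromKeyValue(in.ConfLocal, "SSH_PORT"); ok {
		return PortResult{p, "config"}, nil
	}
	return PortResult{}, errors.New("no source yielded a valid SSH port")
}

func main() {
	// Constructed sample: sshd really listens on 2222 while sshd_config still says 22.
	in := Inputs{
		SSOutput:   `LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=812,fd=3))`,
		SSHDConfig: "Port 22\n",
	}
	r, err := ResolveSSHPort(in)
	fmt.Printf("%+v %v\n", r, err)
}
```

The order matters for the installer's safety: the running listener wins over the declared one, so an edited but not yet reloaded sshd_config cannot make the installer open the wrong port and lock the operator out. The "state" and "config" fallbacks only apply when neither live nor declared information is available.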

Types

type CTLimits

type CTLimits struct {
	SSH  int // DDOS_CLASSIC_SSH_CONN_LIMIT, default 15
	HTTP int // DDOS_CLASSIC_HTTP_CONN_LIMIT, default 200
	Mail int // DDOS_CLASSIC_SMTP_CONN_LIMIT, default 30
}

CTLimits holds DDoS connection tracking limits used in nftables template rendering.

func DefaultCTLimits

func DefaultCTLimits() CTLimits

DefaultCTLimits returns the defaults matching the shell %post.

func ReadCTLimits

func ReadCTLimits(exec executor.Executor, log *logging.Logger) CTLimits

ReadCTLimits reads DDoS connection tracking limits from config files. Reads classic.conf first, then classic.conf.local as override. Returns defaults for any value not found.
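The read-then-override behaviour of ReadCTLimits, as an added example that is not the package's own code. It takes the two file bodies as strings (constructed samples in `main`), merges classic.conf.local over classic.conf, and keeps the documented defaults (15 / 200 / 30) for any key that is missing or not a positive integer. The KEY=VALUE parser and the "reject zero and garbage" rule are this example's own choices.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CTLimits mirrors the page's struct: per-service connection caps.
type CTLimits struct {
	SSH  int // DDOS_CLASSIC_SSH_CONN_LIMIT
	HTTP int // DDOS_CLASSIC_HTTP_CONN_LIMIT
	Mail int // DDOS_CLASSIC_SMTP_CONN_LIMIT
}

// DefaultCTLimits returns the defaults the page documents.
func DefaultCTLimits() CTLimits { return CTLimits{SSH: 15, HTTP: 200, Mail: 30} }

// parseKeyValues reads shell-style KEY=VALUE lines: blank lines and '#' comments
// (full-line, or trailing after whitespace) are dropped and surrounding quotes
// stripped. A repeated key keeps its last value, as it would when sourced by sh.
func parseKeyValues(body string) map[string]string {
	kv := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if i := strings.Index(v, " #"); i >= 0 {
			v = v[:i]
		}
		kv[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
	}
	return kv
}

// ReadCTLimits merges base (classic.conf) with override (classic.conf.local) and
// fills each field from the merged map, keeping the default for any key that is
// missing or not a positive integer. Rejecting 0 and garbage matters: with a
// typical "ct count over N" rule a limit of 0 would reject every new connection
// to that service, so a typo must fall back to the default, not lock users out.
func ReadCTLimits(base, override string) CTLimits {
	merged := parseKeyValues(base)
	for k, v := range parseKeyValues(override) {
		merged[k] = v
	}
	l := DefaultCTLimits()
	set := func(key string, dst *int) {
		if n, err := strconv.Atoi(merged[key]); err == nil && n > 0 {
			*dst = n
		}
	}
	set("DDOS_CLASSIC_SSH_CONN_LIMIT", &l.SSH)
	set("DDOS_CLASSIC_HTTP_CONN_LIMIT", &l.HTTP)
	set("DDOS_CLASSIC_SMTP_CONN_LIMIT", &l.Mail)
	return l
}

func main() {
	// Constructed sample files: the .local file tightens SSH and has a typo for SMTP.
	base := "# classic.conf\nDDOS_CLASSIC_SSH_CONN_LIMIT=10\nDDOS_CLASSIC_HTTP_CONN_LIMIT=\"300\"\n"
	local := "DDOS_CLASSIC_SSH_CONN_LIMIT=5 # tightened\nDDOS_CLASSIC_SMTP_CONN_LIMIT=oops\n"
	fmt.Printf("%+v\n", ReadCTLimits(base, local))
}
```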

type Conflict

type Conflict struct {
	Name    string // e.g., "CSF", "UFW", "firewalld", "iptables", "iptables-nft"
	Service string // systemd unit name; empty for non-service observations
	Active  bool   // always true — if it was observed, it's active
}

Conflict represents a detected conflicting firewall. One observation (service / ghost table / config file) maps to one Conflict. A single firewall may produce multiple Conflicts — CSF with both csf.service and lfd.service active emits two Conflict entries so the takeover path can stop+disable+mask each unit independently.

func DetectConflicts

func DetectConflicts(exec executor.Executor, log *logging.Logger) []Conflict

DetectConflicts returns the conflict list for the current host. Read-only; delegates to extfw.Detect for the underlying signals.

PR-P2-2A: only observations whose Name is in the canonical Active list become Conflicts. Observations from informational-only signals (e.g. iptables ghost-table alone, which does NOT corroborate to a real iptables presence under the Path B rule) are recorded in res.Observations for transparency but excluded from the Conflict list because they do not classify external authority.
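The classification rule described for DetectConflicts and the deduplication ConflictNames performs, worked through as an added example. This is not the package's code and does not call extfw: the `Observation` type, its `Informational` flag (standing in for a signal that does not corroborate, such as an iptables ghost table on its own) and the sample observations in `main` are all constructed here. The canonical name set is taken from the names listed on the page's Conflict struct.

```go
package main

import "fmt"

// Observation is one raw signal as a detector would surface it (modelled here,
// not the project's own type): the firewall name, the systemd unit when the
// signal was a service, and whether the signal is informational only.
type Observation struct {
	Name          string
	Service       string
	Informational bool
}

// Conflict mirrors the page's struct.
type Conflict struct {
	Name    string
	Service string
	Active  bool
}

// DetectResult keeps both lists: Conflicts drive the takeover path, while
// Observations stay visible for transparency.
type DetectResult struct {
	Conflicts    []Conflict
	Observations []Observation
}

// canonicalActive is the closed set of names allowed to become Conflicts,
// taken from the names the page lists on the Conflict struct.
var canonicalActive = map[string]bool{
	"CSF": true, "UFW": true, "firewalld": true, "iptables": true, "iptables-nft": true,
}

// Classify applies the rule: an observation becomes a Conflict only if it is not
// informational and its Name is canonical. Every observation is preserved in
// Observations regardless, so nothing the detector saw is hidden.
func Classify(obs []Observation) DetectResult {
	var res DetectResult
	for _, o := range obs {
		res.Observations = append(res.Observations, o)
		if o.Informational || !canonicalActive[o.Name] {
			continue
		}
		res.Conflicts = append(res.Conflicts, Conflict{Name: o.Name, Service: o.Service, Active: true})
	}
	return res
}

// ConflictNames deduplicates by Name while keeping first-seen order, so a
// multi-unit firewall (CSF with csf.service and lfd.service) is reported once
// even though each unit stays a separate Conflict for the takeover path.
func ConflictNames(conflicts []Conflict) []string {
	seen := map[string]bool{}
	var names []string
	for _, c := range conflicts {
		if !seen[c.Name] {
			seen[c.Name] = true
			names = append(names, c.Name)
		}
	}
	return names
}

func main() {
	// Constructed observations: CSF via two units plus its config file, and a
	// lone iptables ghost table that must not count as a conflict.
	obs := []Observation{
		{Name: "CSF", Service: "csf.service"},
		{Name: "CSF", Service: "lfd.service"},
		{Name: "CSF"}, // /etc/csf/csf.conf present (the Option A signal)
		{Name: "iptables", Informational: true},
	}
	res := Classify(obs)
	fmt.Println(len(res.Conflicts), ConflictNames(res.Conflicts), len(res.Observations))
}
```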

type DistroInfo

type DistroInfo struct {
	ID          string // normalized: "rocky", "almalinux", "centos", "rhel", "debian", "ubuntu", "fedora"
	VersionID   string // e.g., "9", "10", "24.04"
	PrettyName  string // e.g., "AlmaLinux 9.7 (Moss Jungle Cat)"
	NftConfPath string // system nftables.conf path for this distro
}

DistroInfo holds detected OS distribution information.

func DetectDistro

func DetectDistro(exec executor.Executor, log *logging.Logger) (*DistroInfo, error)

DetectDistro parses /etc/os-release and determines the nftables.conf path.
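How os-release parsing and nftables.conf path resolution fit together, as an added example that is not the package's code. It parses os-release text following os-release(5), normalizes `ID` to the values the page lists on DistroInfo (falling back to the first recognised `ID_LIKE` token, which is this example's own assumption), and maps each family to a path. The path mapping is also an assumption of this example: Debian-family packages ship /etc/nftables.conf and RHEL-family ones /etc/sysconfig/nftables.conf. The os-release bodies in `main` and the test are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// DistroInfo mirrors the page's struct.
type DistroInfo struct {
	ID          string
	VersionID   string
	PrettyName  string
	NftConfPath string
}

// families tags each normalized ID the page lists with its packaging family.
var families = map[string]string{
	"rocky": "rhel", "almalinux": "rhel", "centos": "rhel", "rhel": "rhel", "fedora": "rhel",
	"debian": "debian", "ubuntu": "debian",
}

// nftConfByFamily is this example's assumption about where nftables.conf lives.
var nftConfByFamily = map[string]string{
	"rhel":   "/etc/sysconfig/nftables.conf",
	"debian": "/etc/nftables.conf",
}

// parseOSRelease follows os-release(5): KEY=VALUE per line, values optionally
// double- or single-quoted, '#' comment lines ignored.
func parseOSRelease(body string) map[string]string {
	kv := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			kv[k] = strings.Trim(v, `"'`)
		}
	}
	return kv
}

// normalizeID lowercases ID and, when it is not one of the known values, falls
// back to the first ID_LIKE token that is known (assumption made here so that a
// derivative such as ID=somederivative ID_LIKE="rhel centos fedora" resolves).
func normalizeID(id, idLike string) (string, bool) {
	id = strings.ToLower(id)
	if _, ok := families[id]; ok {
		return id, true
	}
	for _, alt := range strings.Fields(strings.ToLower(idLike)) {
		if _, ok := families[alt]; ok {
			return alt, true
		}
	}
	return "", false
}

// ParseDistro turns os-release text into DistroInfo. An unsupported or missing
// ID is an error rather than a guessed path: writing rules to the wrong
// nftables.conf would silently leave the host without its ruleset after reboot.
func ParseDistro(body string) (*DistroInfo, error) {
	kv := parseOSRelease(body)
	id, ok := normalizeID(kv["ID"], kv["ID_LIKE"])
	if !ok {
		return nil, fmt.Errorf("unsupported distribution: ID=%q ID_LIKE=%q", kv["ID"], kv["ID_LIKE"])
	}
	return &DistroInfo{
		ID:          id,
		VersionID:   kv["VERSION_ID"],
		PrettyName:  kv["PRETTY_NAME"],
		NftConfPath: nftConfByFamily[families[id]],
	}, nil
}

func main() {
	// Constructed os-release body using the PrettyName example from the page.
	alma := "NAME=\"AlmaLinux\"\nVERSION_ID=\"9.7\"\nID=\"almalinux\"\nID_LIKE=\"rhel centos fedora\"\nPRETTY_NAME=\"AlmaLinux 9.7 (Moss Jungle Cat)\"\n"
	info, err := ParseDistro(alma)
	fmt.Printf("%+v %v\n", info, err)
}
```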

type PanelType

type PanelType string

PanelType identifies a hosting control panel.

const (
	PanelNone        PanelType = ""
	PanelDirectAdmin PanelType = "directadmin"
	PanelCPanel      PanelType = "cpanel"
	PanelPlesk       PanelType = "plesk"
	PanelCyberPanel  PanelType = "cyberpanel"
	PanelHestia      PanelType = "hestia"
	PanelVesta       PanelType = "vesta"
	PanelCWP         PanelType = "cwp"
	PanelInterWorx   PanelType = "interworx"
)

func DetectPanel

func DetectPanel(exec executor.Executor, log *logging.Logger) PanelType

DetectPanel checks for installed control panels by directory existence. Returns PanelNone if no panel is detected.
