Documentation
¶
Overview ¶
============================================================================= NFTBan v1.73 - Installer Post-Install Assertions ============================================================================= SPDX-License-Identifier: MPL-2.0 meta:name="installer-validate-assertions" meta:type="lib" meta:owner="Antonios Voulvoulis <contact@nftban.com>" meta:created_date="2026-04-04" meta:description="Post-install kernel + service + state assertions" meta:inventory.files="internal/installer/validate/assertions.go" meta:inventory.binaries="" meta:inventory.env_vars="" meta:inventory.config_files="" meta:inventory.systemd_units="" meta:inventory.network="" meta:inventory.privileges="root" =============================================================================
============================================================================= NFTBan v1.73 - Installer Authority File Write ============================================================================= SPDX-License-Identifier: MPL-2.0 meta:name="installer-validate-authority" meta:type="lib" meta:owner="Antonios Voulvoulis <contact@nftban.com>" meta:created_date="2026-04-04" meta:description="Write /var/lib/nftban/state/authority and .firewall_authority" meta:inventory.files="internal/installer/validate/authority.go" meta:inventory.binaries="" meta:inventory.env_vars="" meta:inventory.config_files="" meta:inventory.systemd_units="" meta:inventory.network="" meta:inventory.privileges="root" =============================================================================
Index ¶
- func AllPassed(results []AssertionResult) bool
- func FailedNames(results []AssertionResult) []string
- func RunPermissionsEnforce(exec executor.Executor, log *logging.Logger)
- func SetImmutableFlags(exec executor.Executor, log *logging.Logger)
- func WriteAuthorityFiles(exec executor.Executor, decision authority.Decision, log *logging.Logger)
- type AssertionResult
- type RevalidateResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AllPassed ¶
func AllPassed(results []AssertionResult) bool
AllPassed returns true if all assertions passed.
func FailedNames ¶
func FailedNames(results []AssertionResult) []string
FailedNames returns the names of all failed assertions.
func RunPermissionsEnforce ¶ added in v1.76.0
RunPermissionsEnforce calls `nftban permissions enforce` for full FHS fix (G10 parity).
func SetImmutableFlags ¶ added in v1.76.0
SetImmutableFlags sets chattr +i on security-critical files (G8 parity). Shell postinst set immutable on nftban.conf and nft_schema.sh to prevent accidental or malicious modification.
func WriteAuthorityFiles ¶
WriteAuthorityFiles records the authority decision to state files. Two locations for compatibility:
- /var/lib/nftban/state/authority (primary, read by Go daemon)
- /etc/nftban/.firewall_authority (legacy, read by CLI scripts)
Types ¶
type AssertionResult ¶
AssertionResult holds the outcome of a single assertion.
func RunAssertions ¶
RunAssertions performs all post-install assertions and returns the results. None of these are individually fatal — the caller decides based on the aggregate.
type RevalidateResult ¶ added in v1.98.0
type RevalidateResult struct {
// Validate1Passed is true if initial assertions all passed.
Validate1Passed bool
// FixAttempted is true if bounded safe fix was run (only when V1 fails).
FixAttempted bool
// FixExitCode is the exit code of the permissions enforce command.
FixExitCode int
// Validate2Passed is true if re-validation passed after fix.
// Only meaningful when FixAttempted is true.
Validate2Passed bool
// FinalPassed is the authoritative result: V1 if no fix needed, V2 if fix ran.
FinalPassed bool
// FailedNames contains assertion names that failed in the final validation.
FailedNames []string
}
RevalidateResult captures the outcome of the VALIDATE_1 → FIX → VALIDATE_2 flow.
func RunWithBoundedFix ¶ added in v1.98.0
RunWithBoundedFix implements the VALIDATE_1 → FIX → VALIDATE_2 state machine.
Flow:
- Run assertions (VALIDATE_1)
- If all pass → return success immediately
- If some fail → run bounded safe fix (permissions enforce only, INV-I-011)
- Re-run assertions (VALIDATE_2, INV-I-013)
- Return VALIDATE_2 result as authoritative
The fix runs at most ONCE (INV-I-012). It calls ONLY 'nftban permissions enforce' which is bounded to chmod/chown on FHS-managed paths. It does NOT call 'health fix all'.
Source Files