Overview

Package firewall contains the API schema definitions for the structs used by the firewallconfiguration API in networking v1beta1.

Types

type Chain

// Chain is a chain of rules to be applied to a table.
type Chain struct {
	// Name is the name of the chain. The json tag carries no omitempty even though
	// the Go field is a pointer; controller-gen presumably treats it as required — confirm.
	Name *string `json:"name"`
	// Rules is the set of rules attached to the chain; see RulesSet, whose
	// MaxProperties=1 marker limits a chain to a single kind of rule list.
	Rules RulesSet `json:"rules"`
	// Type defines what this chain will be used for. The Go type does not restrict
	// the value; only the Enum marker below does, at the CRD level.
	// +kubebuilder:validation:Enum="filter";"route";"nat"
	Type *ChainType `json:"type"`
	// Policy defines the default policy of this chain.
	// NOTE(review): there is no +kubebuilder:default marker on this field, so a nil
	// Policy is left to the consumer to interpret — confirm whether an absent policy
	// ends up as accept or drop.
	// +kubebuilder:validation:Enum="drop";"accept"
	Policy *ChainPolicy `json:"policy"`
	// Hook specifies at which step in packet processing the Chain should be executed.
	// +kubebuilder:validation:Enum="prerouting";"input";"forward";"output";"postrouting";"ingress"
	Hook *ChainHook `json:"hook"`
	// Priority orders the chain relative to Netfilter internal operations; see the
	// ChainPriority values. Defaults to 0, which equals ChainPriorityFilter.
	// +kubebuilder:default=0
	Priority *ChainPriority `json:"priority"`
}

Chain is a chain of rules to be applied to a table. +kubebuilder:object:generate=true

func (*Chain) DeepCopy

func (in *Chain) DeepCopy() *Chain

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Chain.

func (*Chain) DeepCopyInto

func (in *Chain) DeepCopyInto(out *Chain)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ChainHook

// ChainHook specifies at which step in packet processing the Chain should be
// executed. It is a plain string type: the Go type itself accepts any value, and
// only the Enum marker on Chain.Hook constrains it, at the CRD level.
type ChainHook string

ChainHook specifies at which step in packet processing the Chain should be executed. https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks

// Possible ChainHook values.
// Declared as variables rather than constants, presumably so that callers can take
// their address for Chain.Hook (a *ChainHook) — confirm. As package-level variables
// they are mutable; nothing should reassign them.
var (
	ChainHookPrerouting  ChainHook = "prerouting"
	ChainHookInput       ChainHook = "input"
	ChainHookForward     ChainHook = "forward"
	ChainHookOutput      ChainHook = "output"
	ChainHookPostrouting ChainHook = "postrouting"
	ChainHookIngress     ChainHook = "ingress"
)

Possible ChainHook values.

type ChainPolicy

// ChainPolicy defines the default policy of a chain. It is a plain string type;
// the accepted values are enforced by the Enum marker on Chain.Policy, not here.
type ChainPolicy string

ChainPolicy defines the default policy of a chain.

// Possible ChainPolicy values. Unlike ChainHook and ChainPriority these are
// constants, so callers cannot take their address directly for Chain.Policy.
const (
	ChainPolicyDrop   ChainPolicy = "drop"
	ChainPolicyAccept ChainPolicy = "accept"
)

Possible ChainPolicy values.

type ChainPriority

// ChainPriority is an int32 that orders the chain relative to Netfilter internal
// operations; the ChainPriority variables list the well-known values.
type ChainPriority int32

ChainPriority orders the chain relative to Netfilter internal operations. https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority

// Possible ChainPriority values, taken from /usr/include/linux/netfilter_ipv4.h.
// Declared as variables, presumably so callers can take their address for
// Chain.Priority (a *ChainPriority) — confirm; they are mutable package state and
// must not be reassigned. ChainPriorityConntrackConfirm and ChainPriorityLast
// share the value math.MaxInt32, so they compare equal.
var (
	ChainPriorityFirst           ChainPriority = math.MinInt32
	ChainPriorityConntrackDefrag ChainPriority = -400
	ChainPriorityRaw             ChainPriority = -300
	ChainPrioritySELinuxFirst    ChainPriority = -225
	ChainPriorityConntrack       ChainPriority = -200
	ChainPriorityMangle          ChainPriority = -150
	ChainPriorityNATDest         ChainPriority = -100
	//nolint:revive // We need a variable with zero value.
	ChainPriorityFilter           ChainPriority = 0
	ChainPrioritySecurity         ChainPriority = 50
	ChainPriorityNATSource        ChainPriority = 100
	ChainPrioritySELinuxLast      ChainPriority = 225
	ChainPriorityConntrackHelper  ChainPriority = 300
	ChainPriorityConntrackConfirm ChainPriority = math.MaxInt32
	ChainPriorityLast             ChainPriority = math.MaxInt32
)

Possible ChainPriority values, taken from /usr/include/linux/netfilter_ipv4.h.

type ChainType

// ChainType defines what a chain will be used for. It is a plain string type;
// the accepted values are enforced by the Enum marker on Chain.Type.
type ChainType string

ChainType defines what this chain will be used for. https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types

// Possible ChainType values. These are constants and therefore not addressable;
// Chain.Type is a *ChainType, so callers need a local copy to take an address.
const (
	ChainTypeFilter ChainType = "filter"
	ChainTypeRoute  ChainType = "route"
	ChainTypeNAT    ChainType = "nat"
)

Possible ChainType values.

type FilterAction

// FilterAction is the action applied by a FilterRule when it matches. It is a plain
// string type; the accepted values are enforced by the Enum marker on FilterRule.Action.
type FilterAction string

FilterAction is the action to be applied to the rule.

// Possible FilterAction values; the Enum marker on FilterRule.Action lists exactly these.
const (
	// ActionCtMark marks the connection using conntrack.
	// The mark is presumably taken from FilterRule.Value — confirm.
	ActionCtMark FilterAction = "ctmark"
	// ActionSetMetaMarkFromCtMark sets the packet meta mark from the conntrack mark.
	ActionSetMetaMarkFromCtMark FilterAction = "metamarkfromctmark"
)

type FilterRule

// FilterRule is a rule to be applied to a filter chain.
type FilterRule struct {
	// Name is the optional name of the rule.
	Name *string `json:"name,omitempty"`
	// Match is the list of matches for the rule; all of them must hold
	// (they are combined with an AND operator). No marker rejects an empty
	// list — presumably such a rule matches every packet; confirm.
	Match []Match `json:"match"`
	// Action is the action to be applied when the rule matches. The Enum marker
	// below mirrors the FilterAction values.
	// +kubebuilder:validation:Enum=ctmark;metamarkfromctmark
	Action FilterAction `json:"action"`
	// Value is the value to be used for the action. It is a free-form string with
	// no validation marker; its format is presumably checked by the consumer — confirm.
	Value *string `json:"value,omitempty"`
}

FilterRule is a rule to be applied to a filter chain. +kubebuilder:object:generate=true

func (*FilterRule) DeepCopy

func (in *FilterRule) DeepCopy() *FilterRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterRule.

func (*FilterRule) DeepCopyInto

func (in *FilterRule) DeepCopyInto(out *FilterRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IPValueType

// IPValueType classifies an IP match value (a single IP, a subnet, or void).
type IPValueType string

IPValueType classifies an IP match value (a single IP, a subnet, or void).

// Possible IPValueType values. No struct in this package references IPValueType
// (MatchIP.Value is a plain string), so these presumably classify that value in
// the consumer — confirm.
const (
	// IPValueTypeIP is a string representing an ip.
	IPValueTypeIP IPValueType = "ip"
	// IPValueTypeSubnet is a string representing a subnet (eg. 10.0.0.0/24).
	IPValueTypeSubnet IPValueType = "subnet"
	// IPValueTypeVoid is a void match value.
	IPValueTypeVoid IPValueType = "void"
)

type L4Proto

// L4Proto is the transport-layer protocol of the packet. It is a plain string type;
// the accepted values are enforced by the Enum marker on MatchProto.Value.
type L4Proto string

L4Proto is the protocol of the packet.

// Possible L4Proto values; the Enum marker on MatchProto.Value lists exactly these.
const (
	// L4ProtoTCP selects the TCP protocol.
	L4ProtoTCP L4Proto = "tcp"
	// L4ProtoUDP selects the UDP protocol.
	L4ProtoUDP L4Proto = "udp"
)

type Match

// Match is a single match condition of a rule: Op is applied to whichever of the
// optional IP, Port, Proto and Dev criteria are set.
// NOTE(review): no marker requires at least one criterion to be set, nor forbids
// setting several at once — confirm how the consumer handles both cases.
type Match struct {
	// Op is the operation of the match (eq or neq).
	// +kubebuilder:validation:Enum=eq;neq
	Op MatchOperation `json:"op"`
	// IP contains the options to match an IP or a Subnet.
	IP *MatchIP `json:"ip,omitempty"`
	// Port contains the options to match a port.
	Port *MatchPort `json:"port,omitempty"`
	// Proto contains the options to match a protocol.
	Proto *MatchProto `json:"proto,omitempty"`
	// Dev contains the options to match a device.
	Dev *MatchDev `json:"dev,omitempty"`
}

Match is a match to be applied to a rule. +kubebuilder:object:generate=true

func (*Match) DeepCopy

func (in *Match) DeepCopy() *Match

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Match.

func (*Match) DeepCopyInto

func (in *Match) DeepCopyInto(out *Match)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MatchDev

// MatchDev is a device to be matched.
type MatchDev struct {
	// Value is the name of the device to be matched. It is a free-form string with
	// no validation marker, so any checking presumably happens in the consumer — confirm.
	Value string `json:"value"`
	// Position selects whether Value is matched against the packet's input (in)
	// or output (out) device.
	// +kubebuilder:validation:Enum=in;out
	Position MatchDevPosition `json:"position"`
}

MatchDev is a device to be matched. +kubebuilder:object:generate=true

func (*MatchDev) DeepCopy

func (in *MatchDev) DeepCopy() *MatchDev

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchDev.

func (*MatchDev) DeepCopyInto

func (in *MatchDev) DeepCopyInto(out *MatchDev)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MatchDevPosition

// MatchDevPosition indicates whether a device is matched as the packet's input (in)
// or output (out) device. The accepted values are enforced by the Enum marker on
// MatchDev.Position.
type MatchDevPosition string

MatchDevPosition indicates whether the device is matched as the packet's input (in) or output (out) device.

// Possible MatchDevPosition values; the Enum marker on MatchDev.Position lists exactly these.
const (
	// MatchDevPositionIn matches the device the packet came in on.
	MatchDevPositionIn MatchDevPosition = "in"
	// MatchDevPositionOut matches the device the packet goes out on.
	MatchDevPositionOut MatchDevPosition = "out"
)

type MatchIP

// MatchIP is an IP to be matched.
type MatchIP struct {
	// Value is the IP or a Subnet to be matched. It is a free-form string: no
	// Pattern or Format marker constrains it here, so parsing and validation
	// presumably happen in the consumer — confirm.
	Value string `json:"value"`
	// Position selects whether Value is matched against the packet's source (src)
	// or destination (dst) address.
	// +kubebuilder:validation:Enum=src;dst
	Position MatchPosition `json:"position"`
}

MatchIP is an IP to be matched. +kubebuilder:object:generate=true

func (*MatchIP) DeepCopy

func (in *MatchIP) DeepCopy() *MatchIP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchIP.

func (*MatchIP) DeepCopyInto

func (in *MatchIP) DeepCopyInto(out *MatchIP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MatchOperation

// MatchOperation is the comparison applied by a Match (eq or neq). The accepted
// values are enforced by the Enum marker on Match.Op.
type MatchOperation string

MatchOperation is the operation of the match.

// Possible MatchOperation values; the Enum marker on Match.Op lists exactly these.
const (
	// MatchOperationEq matches when the criteria are equal to the packet's values.
	MatchOperationEq MatchOperation = "eq"
	// MatchOperationNeq matches when the criteria differ from the packet's values.
	MatchOperationNeq MatchOperation = "neq"
)

type MatchPort

// MatchPort is a port to be matched.
type MatchPort struct {
	// Value is the port or a range (eg. 3000-4000) to be matched. It is a free-form
	// string with no validation marker, so its format is presumably checked by the
	// consumer — confirm.
	Value string `json:"value"`
	// Position selects whether Value is matched against the packet's source (src)
	// or destination (dst) port.
	// +kubebuilder:validation:Enum=src;dst
	Position MatchPosition `json:"position"`
}

MatchPort is a port to be matched. +kubebuilder:object:generate=true

func (*MatchPort) DeepCopy

func (in *MatchPort) DeepCopy() *MatchPort

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchPort.

func (*MatchPort) DeepCopyInto

func (in *MatchPort) DeepCopyInto(out *MatchPort)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MatchPosition

// MatchPosition selects whether an IP or port match applies to the packet's source
// (src) or destination (dst). It is shared by MatchIP.Position and MatchPort.Position,
// whose Enum markers enforce the accepted values.
type MatchPosition string

MatchPosition selects whether an IP or port match applies to the packet's source (src) or destination (dst).

// Possible MatchPosition values; the Enum markers on MatchIP.Position and
// MatchPort.Position list exactly these.
const (
	// MatchPositionSrc matches the packet's source address or port.
	MatchPositionSrc MatchPosition = "src"
	// MatchPositionDst matches the packet's destination address or port.
	MatchPositionDst MatchPosition = "dst"
)

type MatchProto

// MatchProto is a protocol to be matched.
type MatchProto struct {
	// Value is the protocol to be matched; the Enum marker below mirrors the L4Proto values.
	// +kubebuilder:validation:Enum=tcp;udp
	Value L4Proto `json:"value"`
}

MatchProto is a protocol to be matched. +kubebuilder:object:generate=true

func (*MatchProto) DeepCopy

func (in *MatchProto) DeepCopy() *MatchProto

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchProto.

func (*MatchProto) DeepCopyInto

func (in *MatchProto) DeepCopyInto(out *MatchProto)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NatRule

// NatRule is a rule to be applied to a NAT chain.
type NatRule struct {
	// Name is the optional name of the rule.
	Name *string `json:"name,omitempty"`
	// Match is the list of matches for the rule; all of them must hold
	// (they are combined with an AND operator).
	Match []Match `json:"match"`
	// NatType is the type of the NAT rule (dnat, snat or masquerade).
	// +kubebuilder:validation:Enum=dnat;snat;masquerade
	NatType NatType `json:"natType"`
	// To is the IP to be used for the NAT translation. It is optional in the schema
	// and no marker ties its presence or format to NatType — confirm that the
	// consumer validates it.
	To *string `json:"to,omitempty"`
	// TargetRef is an optional reference to the target object of the rule, available
	// for custom purposes; the schema itself does not interpret it.
	TargetRef *corev1.ObjectReference `json:"targetRef,omitempty"`
}

NatRule is a rule to be applied to a NAT chain. +kubebuilder:object:generate=true

func (*NatRule) DeepCopy

func (in *NatRule) DeepCopy() *NatRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NatRule.

func (*NatRule) DeepCopyInto

func (in *NatRule) DeepCopyInto(out *NatRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NatType

// NatType is the type of a NAT rule (dnat, snat or masquerade). It is a plain string
// type; the accepted values are enforced by the Enum marker on NatRule.NatType.
type NatType string

NatType is the type of the NAT rule.

// Possible NatType values; the Enum marker on NatRule.NatType lists exactly these.
const (
	// NatTypeDestination is destination NAT (dnat).
	NatTypeDestination NatType = "dnat"
	// NatTypeSource is source NAT (snat).
	NatTypeSource NatType = "snat"
	// NatTypeMasquerade is masquerading.
	NatTypeMasquerade NatType = "masquerade"
)

type PortValueType

// PortValueType classifies a port match value (a single port, a range, or void).
type PortValueType string

PortValueType classifies a port match value (a single port, a range, or void).

// Possible PortValueType values. No struct in this package references PortValueType
// (MatchPort.Value is a plain string), so these presumably classify that value in
// the consumer — confirm.
const (
	// PortValueTypePort is a string representing a port.
	PortValueTypePort PortValueType = "port"
	// PortValueTypeRange is a string representing a range of ports (eg. 3000-4000).
	PortValueTypeRange PortValueType = "range"
	// PortValueTypeVoid is a void match value.
	PortValueTypeVoid PortValueType = "void"
)

type RouteRule

// RouteRule is a rule to be applied to a route chain. It currently carries only a
// name and no match or action fields.
type RouteRule struct {
	// Name is the optional name of the rule.
	Name *string `json:"name,omitempty"`
}

RouteRule is a rule to be applied to a route chain. +kubebuilder:object:generate=true

func (*RouteRule) DeepCopy

func (in *RouteRule) DeepCopy() *RouteRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteRule.

func (*RouteRule) DeepCopyInto

func (in *RouteRule) DeepCopyInto(out *RouteRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RulesSet

// RulesSet is a set of rules to be applied to a chain. Its type-level
// MaxProperties=1 validation marker (see the type documentation) means at most one
// of the three lists may be present in a single object.
type RulesSet struct {
	// NatRules is a list of NAT rules to be applied to the chain.
	NatRules []NatRule `json:"natRules,omitempty"`
	// FilterRules is a list of filter rules to be applied to the chain.
	FilterRules []FilterRule `json:"filterRules,omitempty"`
	// RouteRules is a list of route rules to be applied to the chain.
	RouteRules []RouteRule `json:"routeRules,omitempty"`
}

RulesSet is a set of rules to be applied to a chain. +kubebuilder:object:generate=true +kubebuilder:validation:MaxProperties=1

func (*RulesSet) DeepCopy

func (in *RulesSet) DeepCopy() *RulesSet

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesSet.

func (*RulesSet) DeepCopyInto

func (in *RulesSet) DeepCopyInto(out *RulesSet)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Table

// Table is a generic table holding the chains to be applied.
type Table struct {
	// Name is the name of the table.
	Name *string `json:"name"`
	// Chains is the list of chains to be applied to the table. It is marked
	// Optional, so a table may be declared without any chain.
	// +kubebuilder:validation:Optional
	Chains []Chain `json:"chains"`
	// Family is the family of the table. Note the values are upper-case, unlike
	// the other enumerations in this package; see TableFamily.
	// +kubebuilder:validation:Enum="INET";"IPV4";"IPV6";"ARP";"NETDEV";"BRIDGE"
	Family *TableFamily `json:"family"`
}

Table is a generic table holding the chains to be applied. +kubebuilder:object:generate=true

func (*Table) DeepCopy

func (in *Table) DeepCopy() *Table

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Table.

func (*Table) DeepCopyInto

func (in *Table) DeepCopyInto(out *Table)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TableFamily

// TableFamily specifies the family of the table. It is a plain string type; the
// accepted (upper-case) values are enforced by the Enum marker on Table.Family.
type TableFamily string

TableFamily specifies the family of the table.

// Possible TableFamily values; the Enum marker on Table.Family lists exactly these.
// They are upper-case, unlike every other enumeration in this package.
const (
	TableFamilyINet   TableFamily = "INET"
	TableFamilyIPv4   TableFamily = "IPV4"
	TableFamilyIPv6   TableFamily = "IPV6"
	TableFamilyARP    TableFamily = "ARP"
	TableFamilyNetdev TableFamily = "NETDEV"
	TableFamilyBridge TableFamily = "BRIDGE"
)

Possible TableFamily values. https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
