drivers

Published: Sep 26, 2025 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ACLRule

// ACLRule represents an ACL rule that can be added to a firewall.
//
// All match fields are plain strings handed to the firewall driver; the
// accepted formats (addresses, CIDRs, port ranges, set references) are not
// documented on this page — confirm against the driver that consumes them.
type ACLRule struct {
	Direction       string // Either "ingress" or "egress".
	Action          string // Verdict applied to matching packets; accepted values are driver-defined (not listed here).
	Log             bool   // Whether or not to log matched packets.
	LogName         string // Log label name (requires Log be true).
	Source          string // Source address match.
	Destination     string // Destination address match.
	Protocol        string // Protocol to match.
	SourcePort      string // Source port match (for port-based protocols).
	DestinationPort string // Destination port match (for port-based protocols).
	ICMPType        string // ICMP type match (for ICMP protocols).
	ICMPCode        string // ICMP code match (for ICMP protocols).
}

ACLRule represents an ACL rule that can be added to a firewall.

type AddressForward

// AddressForward represents a NAT address forward.
type AddressForward struct {
	ListenAddress net.IP   // Address on which incoming traffic is matched.
	TargetAddress net.IP   // Address the matched traffic is forwarded to.
	Protocol      string   // Protocol to match. NOTE(review): accepted values, and whether empty means "all", are not shown on this page — confirm with the driver.
	ListenPorts   []uint64 // Ports matched on ListenAddress.
	TargetPorts   []uint64 // Ports on TargetAddress; presumably paired with ListenPorts by position — confirm with the driver.
	SNAT          bool     // NOTE(review): assumed to also apply source NAT to forwarded traffic — confirm with the driver.
}

AddressForward represents a NAT address forward.

type AddressSet added in v6.12.0

// AddressSet represents an address set.
type AddressSet struct {
	Name      string   // Set name; presumably used as the nft set name by NetworkApplyAddressSets — confirm with the driver.
	Addresses []string // Member addresses. NOTE(review): the expected textual form (single IP, CIDR, ...) is not documented here.
}

AddressSet represents an address set.

type FeatureOpts

// FeatureOpts specify how firewall features are setup.
type FeatureOpts struct {
	ICMPDHCPDNSAccess bool // Add rules to allow ICMP, DHCP and DNS access.
	ForwardingAllow   bool // Add rules to allow IP forwarding. Blocked if false (the zero value fails closed).
}

FeatureOpts specify how firewall features are setup.

type NftListSetsEntry added in v6.12.0

// NftListSetsEntry is one element of the "nftables" array in the JSON
// output of an nft set listing (see NftListSetsOutput).
type NftListSetsEntry struct {
	Set *NftSet `json:"set,omitempty"` // nil when the entry carries no "set" key.
}

NftListSetsEntry is the structure used to read the JSON output of an nft set listing.

type NftListSetsOutput added in v6.12.0

// NftListSetsOutput is the structure used to read the JSON output of an nft set listing.
type NftListSetsOutput struct {
	Nftables []NftListSetsEntry `json:"nftables"` // Top-level "nftables" array of the nft JSON output.
}

NftListSetsOutput is the structure used to read the JSON output of a set listing.

type NftSet added in v6.12.0

// NftSet holds the fields of a set as returned by `nft -j list sets`.
type NftSet struct {
	Family string `json:"family"` // Table family as reported by nft.
	Name   string `json:"name"`   // Set name.
	Table  string `json:"table"`  // Name of the table holding the set.
}

NftSet is the structure used to parse the JSON of a set returned by `nft -j list sets`.

type Nftables

// Nftables is an implementation of the Incus firewall using nftables.
// It has no fields, so the zero value is ready to use.
type Nftables struct{}

Nftables is an implementation of the Incus firewall using nftables.

func (Nftables) Compat

func (d Nftables) Compat() (bool, error)

Compat returns whether the driver backend is in use, and any host compatibility errors.

func (Nftables) InstanceClearBridgeFilter

func (d Nftables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, _ []*net.IPNet, _ []*net.IPNet) error

InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.

func (Nftables) InstanceClearNetPrio

func (d Nftables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error

InstanceClearNetPrio removes setting of skb->priority for the specified instance device on the host interface.

func (Nftables) InstanceClearProxyNAT

func (d Nftables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error

InstanceClearProxyNAT removes DNAT rules for proxy devices.

func (Nftables) InstanceClearRPFilter

func (d Nftables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error

InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.

func (Nftables) InstanceSetupBridgeFilter

func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, IPv4DNS []string, IPv6DNS []string, parentManaged bool, macFiltering bool, aclRules []ACLRule) error

InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering.

func (Nftables) InstanceSetupNetPrio

func (d Nftables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error

InstanceSetupNetPrio activates setting of skb->priority for the specified instance device on the host interface.

func (Nftables) InstanceSetupProxyNAT

func (d Nftables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *AddressForward) error

InstanceSetupProxyNAT creates DNAT rules for proxy devices.

func (Nftables) InstanceSetupRPFilter

func (d Nftables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error

InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.

func (Nftables) NamedAddressSetExists added in v6.12.0

func (d Nftables) NamedAddressSetExists(setName string, family string) (bool, error)

NamedAddressSetExists reports whether a named set exists in nftables. It returns true if the set exists in the nftables namespace.

func (Nftables) NetworkApplyACLRules

func (d Nftables) NetworkApplyACLRules(networkName string, rules []ACLRule) error

NetworkApplyACLRules applies ACL rules to the existing firewall chains.

func (Nftables) NetworkApplyAddressSets added in v6.12.0

func (d Nftables) NetworkApplyAddressSets(sets []AddressSet, nftTable string) error

NetworkApplyAddressSets creates or updates named nft sets for all address sets.

func (Nftables) NetworkApplyForwards

func (d Nftables) NetworkApplyForwards(networkName string, rules []AddressForward) error

NetworkApplyForwards applies network address forward rules to the firewall.

func (Nftables) NetworkClear

func (d Nftables) NetworkClear(networkName string, _ bool, _ []uint) error

NetworkClear removes the Incus network related chains and address sets. The delete and ipVersions arguments have no effect for the nftables driver.

func (Nftables) NetworkDeleteAddressSetsIfUnused added in v6.12.0

func (d Nftables) NetworkDeleteAddressSetsIfUnused(nftTable string) error

NetworkDeleteAddressSetsIfUnused deletes unused address sets from the table nftTable.

func (Nftables) NetworkSetup

func (d Nftables) NetworkSetup(networkName string, opts Opts) error

NetworkSetup configures the network firewall.

func (Nftables) RemoveIncusAddressSets added in v6.12.0

func (d Nftables) RemoveIncusAddressSets(nftTable string) error

RemoveIncusAddressSets removes every address set in the incus namespace.

func (Nftables) String

func (d Nftables) String() string

String returns the driver name.

type Opts

// Opts for setting up the firewall.
//
// Every feature is off unless explicitly enabled here, so a zero Opts
// requests no firewall, no SNAT, no ACLs and no address sets.
type Opts struct {
	FeaturesV4 *FeatureOpts // Enable IPv4 firewall with specified options. Off if not provided.
	FeaturesV6 *FeatureOpts // Enable IPv6 firewall with specified options. Off if not provided.
	SNATV4     *SNATOpts    // Enable IPv4 SNAT with specified options. Off if not provided.
	SNATV6     *SNATOpts    // Enable IPv6 SNAT with specified options. Off if not provided.
	ACL        bool         // Enable ACL during setup.
	AddressSet bool         // Enable address sets (only the nftables driver supports them; see Xtables.NetworkApplyAddressSets).
}

Opts for setting up the firewall.

type SNATOpts

// SNATOpts specify how SNAT rules are setup.
type SNATOpts struct {
	Append      bool       // Append rules (has no effect if driver doesn't support it).
	Subnet      *net.IPNet // Subnet of source network used to identify candidate traffic.
	SNATAddress net.IP     // SNAT IP address to use. If nil then MASQUERADE is used.
}

SNATOpts specify how SNAT rules are setup.

type Xtables

// Xtables is an implementation of the Incus firewall using {ip, ip6, eb}tables.
// It has no fields, so the zero value is ready to use.
type Xtables struct{}

Xtables is an implementation of the Incus firewall using {ip, ip6, eb}tables.

func (Xtables) Compat

func (d Xtables) Compat() (bool, error)

Compat returns whether the driver backend is in use, and any host compatibility errors.

func (Xtables) InstanceClearBridgeFilter

func (d Xtables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet) error

InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.

func (Xtables) InstanceClearNetPrio

func (d Xtables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error

InstanceClearNetPrio removes setting of skb->priority for the specified instance device on the host interface.

func (Xtables) InstanceClearProxyNAT

func (d Xtables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error

InstanceClearProxyNAT removes DNAT rules for proxy devices.

func (Xtables) InstanceClearRPFilter

func (d Xtables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error

InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.

func (Xtables) InstanceSetupBridgeFilter

func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, IPv4DNS []string, IPv6DNS []string, parentManaged bool, macFiltering bool, aclRules []ACLRule) error

InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering. If the parent bridge is managed by Incus then parentManaged argument should be true so that the rules added can use the iptablesChainACLFilterPrefix chain. If not they are added to the main filter chains directly (which only works for unmanaged bridges because those don't support ACLs).

func (Xtables) InstanceSetupNetPrio

func (d Xtables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error

InstanceSetupNetPrio activates setting of skb->priority for the specified instance device on the host interface.

func (Xtables) InstanceSetupProxyNAT

func (d Xtables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *AddressForward) error

InstanceSetupProxyNAT creates DNAT rules for proxy devices.

func (Xtables) InstanceSetupRPFilter

func (d Xtables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error

InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.

func (Xtables) NetworkApplyACLRules

func (d Xtables) NetworkApplyACLRules(networkName string, rules []ACLRule) error

NetworkApplyACLRules applies ACL rules to the existing firewall chains.

func (Xtables) NetworkApplyAddressSets added in v6.12.0

func (d Xtables) NetworkApplyAddressSets(sets []AddressSet, nftTable string) error

NetworkApplyAddressSets isn't supported under xtables.

func (Xtables) NetworkApplyForwards

func (d Xtables) NetworkApplyForwards(networkName string, rules []AddressForward) error

NetworkApplyForwards applies network address forward rules to the firewall.

func (Xtables) NetworkClear

func (d Xtables) NetworkClear(networkName string, delete bool, ipVersions []uint) error

NetworkClear removes network rules from filter, mangle and nat tables. If delete is true then network-specific chains are also removed.

func (Xtables) NetworkDeleteAddressSetsIfUnused added in v6.12.0

func (d Xtables) NetworkDeleteAddressSetsIfUnused(nftTable string) error

NetworkDeleteAddressSetsIfUnused isn't supported under xtables.

func (Xtables) NetworkSetup

func (d Xtables) NetworkSetup(networkName string, opts Opts) error

NetworkSetup configures the network firewall.

func (Xtables) String

func (d Xtables) String() string

String returns the driver name.
