Types ¶
type ACLRule ¶
// ACLRule represents an ACL rule that can be added to a firewall.
//
// Every match field is a plain string. NOTE(review): this listing does not
// show how these values are rendered into nft rule text, so confirm in the
// driver that ACL definitions are validated before being used to build rules.
type ACLRule struct {
	Direction string // Either "ingress" or "egress".
	Action    string // Verdict applied to matching packets; accepted values are not shown here.
	Log       bool   // Whether or not to log matched packets.
	LogName   string // Log label name (requires Log be true).
	Source    string // Source match; format (single address, CIDR, set name) not shown here.
	Destination string // Destination match; same caveat as Source.
	Protocol  string // Protocol match as a string.
	SourcePort string // Source port match; format (single port, range, list) not shown here.
	DestinationPort string // Destination port match; same caveat as SourcePort.
	ICMPType  string // ICMP type match; presumably only meaningful when Protocol is an ICMP variant.
	ICMPCode  string // ICMP code match; presumably only meaningful together with ICMPType.
}
ACLRule represents an ACL rule that can be added to a firewall.
type AddressForward ¶
// AddressForward represents a NAT address forward.
//
// NOTE(review): the relationship between ListenPorts and TargetPorts
// (one-to-one mapping versus a single target port) is not shown on this
// page; confirm in the driver before relying on it.
type AddressForward struct {
	ListenAddress net.IP   // Address the forward is matched on.
	TargetAddress net.IP   // Address matching traffic is DNATed to.
	Protocol      string   // Protocol as a string; accepted values not shown here.
	ListenPorts   []uint64 // Ports matched on ListenAddress.
	TargetPorts   []uint64 // Ports traffic is DNATed to on TargetAddress.
	SNAT          bool     // Whether SNAT is also applied to forwarded traffic.
}
AddressForward represents a NAT address forward.
type AddressSet ¶
AddressSet represents an address set. Its field listing is not included on this page.
type FeatureOpts ¶
// FeatureOpts specify how firewall features are set up for one IP family.
// A nil *FeatureOpts in Opts means the firewall for that family is off.
type FeatureOpts struct {
	ICMPDHCPDNSAccess bool // Add rules to allow ICMP, DHCP and DNS access.
	ForwardingAllow   bool // Add rules to allow IP forwarding. Blocked if false.
}
FeatureOpts specify how firewall features are setup.
type NftListSetsEntry ¶
// NftListSetsEntry is one element of the "nftables" array in the JSON
// output of an nft set listing.
//
// Set is a pointer with omitempty: an array element that carries no "set"
// key (NOTE(review): nft -j also emits other object kinds in that array)
// decodes with Set == nil, so callers must nil-check before dereferencing.
type NftListSetsEntry struct {
	Set *NftSet `json:"set,omitempty"`
}
NftListSetsEntry is the structure used to read one entry of the JSON output of an nft set listing.
type NftListSetsOutput ¶
// NftListSetsOutput is the top-level structure of the JSON output of an
// nft set listing; the "nftables" array holds one NftListSetsEntry per object.
type NftListSetsOutput struct {
	Nftables []NftListSetsEntry `json:"nftables"`
}
NftListSetsOutput is the top-level structure used to read the JSON output of a set listing.
type NftSet ¶
// NftSet is the JSON representation of a single set as returned by
// `nft -j list sets`. Only the three keys needed to identify a set are
// decoded; any other keys in the object are ignored.
type NftSet struct {
	Family string `json:"family"` // Address family of the owning table (e.g. "ip", "ip6", "inet").
	Name   string `json:"name"`   // Set name.
	Table  string `json:"table"`  // Name of the table that owns the set.
}
NftSet is the structure used to parse the JSON of a set returned by nft -j list sets.
type Nftables ¶
type Nftables struct{}
Nftables is an implementation of Incus firewall using nftables.
func (Nftables) Compat ¶
Compat returns whether the driver backend is in use, and any host compatibility errors.
func (Nftables) InstanceClearBridgeFilter ¶
func (d Nftables) InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, _ []*net.IPNet, _ []*net.IPNet) error
InstanceClearBridgeFilter removes any filter rules that were added to apply bridged device IP filtering.
func (Nftables) InstanceClearNetPrio ¶
func (d Nftables) InstanceClearNetPrio(projectName string, instanceName string, deviceName string) error
InstanceClearNetPrio removes setting of skb->priority for the specified instance device on the host interface.
func (Nftables) InstanceClearProxyNAT ¶
func (d Nftables) InstanceClearProxyNAT(projectName string, instanceName string, deviceName string) error
InstanceClearProxyNAT removes the DNAT rules for proxy devices.
func (Nftables) InstanceClearRPFilter ¶
func (d Nftables) InstanceClearRPFilter(projectName string, instanceName string, deviceName string) error
InstanceClearRPFilter removes reverse path filtering for the specified instance device on the host interface.
func (Nftables) InstanceSetupBridgeFilter ¶
func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, IPv4DNS []string, IPv6DNS []string, parentManaged bool, macFiltering bool, aclRules []ACLRule) error
InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering.
func (Nftables) InstanceSetupNetPrio ¶
func (d Nftables) InstanceSetupNetPrio(projectName string, instanceName string, deviceName string, netPrio uint32) error
InstanceSetupNetPrio activates setting of skb->priority for the specified instance device on the host interface.
func (Nftables) InstanceSetupProxyNAT ¶
func (d Nftables) InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *AddressForward) error
InstanceSetupProxyNAT creates DNAT rules for proxy devices.
func (Nftables) InstanceSetupRPFilter ¶
func (d Nftables) InstanceSetupRPFilter(projectName string, instanceName string, deviceName string, hostName string) error
InstanceSetupRPFilter activates reverse path filtering for the specified instance device on the host interface.
func (Nftables) NamedAddressSetExists ¶
NamedAddressSetExists checks if a named set exists in nftables. It returns true if the set exists in the nftables namespace.
func (Nftables) NetworkApplyACLRules ¶
NetworkApplyACLRules applies ACL rules to the existing firewall chains.
func (Nftables) NetworkApplyAddressSets ¶
func (d Nftables) NetworkApplyAddressSets(sets []AddressSet, nftTable string) error
NetworkApplyAddressSets creates or updates named nft sets for all address sets.
func (Nftables) NetworkApplyForwards ¶
func (d Nftables) NetworkApplyForwards(networkName string, rules []AddressForward) error
NetworkApplyForwards applies network address forward rules to the firewall.
func (Nftables) NetworkClear ¶
NetworkClear removes the Incus network-related chains and address sets. The delete and ipVersions arguments (the blank `_ bool` and `_ []uint` parameters) have no effect for the nftables driver.
func (Nftables) NetworkDeleteAddressSetsIfUnused ¶
NetworkDeleteAddressSetsIfUnused deletes unused address sets from the table nftTable.
func (Nftables) NetworkSetup ¶
NetworkSetup configures the network firewall according to opts.
func (Nftables) RemoveIncusAddressSets ¶
RemoveIncusAddressSets removes every address set in the Incus namespace.
type Opts ¶
// Opts for setting up the firewall.
//
// Each family is enabled independently: a nil FeaturesV4/FeaturesV6 leaves
// that family's firewall off, and a nil SNATV4/SNATV6 leaves SNAT off.
type Opts struct {
	FeaturesV4 *FeatureOpts // Enable IPv4 firewall with specified options. Off if not provided.
	FeaturesV6 *FeatureOpts // Enable IPv6 firewall with specified options. Off if not provided.
	SNATV4     *SNATOpts    // Enable IPv4 SNAT with specified options. Off if not provided.
	SNATV6     *SNATOpts    // Enable IPv6 SNAT with specified options. Off if not provided.
	ACL        bool         // Enable ACL during setup.
	AddressSet bool         // Enable address sets, only for netfilter.
}
Opts for setting up the firewall.
type SNATOpts ¶
// SNATOpts specify how SNAT rules are set up for one IP family.
type SNATOpts struct {
	Append      bool       // Append rules (has no effect if driver doesn't support it).
	Subnet      *net.IPNet // Subnet of source network used to identify candidate traffic.
	SNATAddress net.IP     // SNAT IP address to use. If nil then MASQUERADE is used.
}
SNATOpts specify how SNAT rules are setup.