Documentation

Index
- type InterfaceState
- type Manager
- func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
- func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, ...) error
- func (m *Manager) AddNatRule(pair firewall.RouterPair) error
- func (m *Manager) AddPeerFiltering(id []byte, ip net.IP, proto firewall.Protocol, sPort *firewall.Port, ...) ([]firewall.Rule, error)
- func (m *Manager) AddRouteFiltering(id []byte, sources []netip.Prefix, destination firewall.Network, ...) (firewall.Rule, error)
- func (m *Manager) AllowNetbird() error
- func (m *Manager) Close(stateManager *statemanager.Manager) error
- func (m *Manager) DeleteDNATRule(rule firewall.Rule) error
- func (m *Manager) DeletePeerRule(rule firewall.Rule) error
- func (m *Manager) DeleteRouteRule(rule firewall.Rule) error
- func (m *Manager) DisableRouting() error
- func (m *Manager) EnableRouting() error
- func (m *Manager) Flush() error
- func (m *Manager) Init(stateManager *statemanager.Manager) error
- func (m *Manager) IsServerRouteSupported() bool
- func (m *Manager) IsStateful() bool
- func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, ...) error
- func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error
- func (m *Manager) SetLegacyManagement(isLegacy bool) error
- func (m *Manager) SetLogLevel(log.Level)
- func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error
- func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error
- type Rule
- type ShutdownState
Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types
type InterfaceState (added in v0.30.3)

type InterfaceState struct {
	NameStr       string         `json:"name"`
	WGAddress     wgaddr.Address `json:"wg_address"`
	UserspaceBind bool           `json:"userspace_bind"`
	MTU           uint16         `json:"mtu"`
}

func (*InterfaceState) Address (added in v0.30.3)

func (i *InterfaceState) Address() wgaddr.Address

func (*InterfaceState) IsUserspaceBind (added in v0.30.3)

func (i *InterfaceState) IsUserspaceBind() bool

func (*InterfaceState) Name (added in v0.30.3)

func (i *InterfaceState) Name() string
type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager manages an iptables-based firewall.

func (*Manager) AddDNATRule (added in v0.38.0)

func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)

AddDNATRule adds a DNAT rule.

func (*Manager) AddInboundDNAT (added in v0.59.9)

func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error

AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.

func (*Manager) AddNatRule (added in v0.30.0)

func (m *Manager) AddNatRule(pair firewall.RouterPair) error

func (*Manager) AddPeerFiltering (added in v0.30.0)

func (m *Manager) AddPeerFiltering(id []byte, ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipsetName string) ([]firewall.Rule, error)

AddPeerFiltering adds a peer filtering rule to the firewall.
The rule comment is ignored because some systems do not support this feature.
func (*Manager) AddRouteFiltering (added in v0.30.0)

func (*Manager) AllowNetbird (added in v0.23.0)

func (m *Manager) AllowNetbird() error

AllowNetbird allows traffic on the netbird interface.

func (*Manager) Close (added in v0.37.2)

func (m *Manager) Close(stateManager *statemanager.Manager) error

Close resets the firewall to the default state.

func (*Manager) DeleteDNATRule (added in v0.38.0)

func (m *Manager) DeleteDNATRule(rule firewall.Rule) error

DeleteDNATRule deletes a DNAT rule.

func (*Manager) DeletePeerRule (added in v0.30.0)

func (m *Manager) DeletePeerRule(rule firewall.Rule) error

DeletePeerRule deletes a peer rule from the firewall by its rule definition.

func (*Manager) DeleteRouteRule (added in v0.30.0)

func (m *Manager) DeleteRouteRule(rule firewall.Rule) error

func (*Manager) DisableRouting (added in v0.36.6)

func (m *Manager) DisableRouting() error

func (*Manager) EnableRouting (added in v0.36.6)

func (m *Manager) EnableRouting() error

func (*Manager) Init (added in v0.30.3)

func (m *Manager) Init(stateManager *statemanager.Manager) error

func (*Manager) IsServerRouteSupported (added in v0.24.4)

func (m *Manager) IsServerRouteSupported() bool

func (*Manager) IsStateful (added in v0.46.0)

func (m *Manager) IsStateful() bool

func (*Manager) RemoveInboundDNAT (added in v0.59.9)

func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error

RemoveInboundDNAT removes an inbound DNAT rule.

func (*Manager) RemoveNatRule (added in v0.30.0)

func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error

func (*Manager) SetLegacyManagement (added in v0.30.0)

func (m *Manager) SetLegacyManagement(isLegacy bool) error

func (*Manager) SetLogLevel (added in v0.36.6)

func (m *Manager) SetLogLevel(log.Level)

SetLogLevel sets the log level for the firewall manager.
func (*Manager) SetupEBPFProxyNoTrack (added in v0.64.2)

func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error

SetupEBPFProxyNoTrack creates NOTRACK rules for eBPF proxy loopback traffic. This prevents conntrack from tracking WireGuard proxy traffic on loopback, which can interfere with MASQUERADE rules (e.g., those installed by container runtimes such as Podman/netavark).

Traffic flows that need NOTRACK:

- Egress: WireGuard -> fake endpoint (before eBPF rewrite): src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort. Matched by: sport=wgPort
- Egress: Proxy -> WireGuard (via raw socket): src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort. Matched by: dport=wgPort
- Ingress: Packets to WireGuard: dst=127.0.0.1:wgPort. Matched by: dport=wgPort
- Ingress: Packets to proxy (after eBPF rewrite): dst=127.0.0.1:proxyPort. Matched by: dport=proxyPort

Rules are cleaned up when the firewall manager is closed.
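As an added illustration (not NetBird's code), the following Go model derives the four NOTRACK rules from proxyPort and wgPort and checks which loopback flow each rule catches, showing why fakePort never has to be known. The chain names, the `-j NOTRACK` target form, and all type and function names are assumptions.

```go
package main

import "strconv"

// direction selects the raw-table chain: OUTPUT for locally generated packets,
// PREROUTING for packets received on lo (assumption about chain placement).
type direction int

const (
	egress  direction = iota // raw OUTPUT, matched with -o lo
	ingress                  // raw PREROUTING, matched with -i lo
)

// noTrackRule is a hypothetical model of one NOTRACK rule (not NetBird's type).
type noTrackRule struct {
	Dir   direction
	Match string // "sport" or "dport"
	Port  uint16
}

// noTrackRules builds the four SetupEBPFProxyNoTrack rules; fakePort is never needed.
func noTrackRules(proxyPort, wgPort uint16) []noTrackRule {
	return []noTrackRule{
		{egress, "sport", wgPort},     // WireGuard -> fake endpoint
		{egress, "dport", wgPort},     // proxy (raw socket) -> WireGuard
		{ingress, "dport", wgPort},    // packets to WireGuard
		{ingress, "dport", proxyPort}, // packets to proxy after eBPF rewrite
	}
}

// Args renders the rule as iptables arguments (assumed form: raw table, -j NOTRACK).
func (r noTrackRule) Args() []string {
	chain, iface := "OUTPUT", "-o"
	if r.Dir == ingress {
		chain, iface = "PREROUTING", "-i"
	}
	return []string{"-t", "raw", "-A", chain, iface, "lo", "-p", "udp",
		"--" + r.Match, strconv.Itoa(int(r.Port)), "-j", "NOTRACK"}
}

// packet is a constructed loopback UDP flow (both ends 127.0.0.1).
type packet struct{ Dir direction; SrcPort, DstPort uint16 }

// firstMatch returns the first rule that would bypass conntrack for pkt.
func firstMatch(rules []noTrackRule, pkt packet) (noTrackRule, bool) {
	for _, r := range rules {
		if r.Dir == pkt.Dir && ((r.Match == "sport" && pkt.SrcPort == r.Port) ||
			(r.Match == "dport" && pkt.DstPort == r.Port)) {
			return r, true
		}
	}
	return noTrackRule{}, false
}
```

An unrelated loopback flow (neither port equal to wgPort or proxyPort) matches no rule and stays conntrack-tracked, which is the intended scope of the bypass.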
type Rule

type Rule struct {
	// contains filtered or unexported fields
}

Rule represents a managed iptables rule.

type ShutdownState (added in v0.30.3)

type ShutdownState struct {
	sync.Mutex
	InterfaceState    *InterfaceState `json:"interface_state,omitempty"`
	RouteRules        routeRules      `json:"route_rules,omitempty"`
	RouteIPsetCounter *ipsetCounter   `json:"route_ipset_counter,omitempty"`
	ACLEntries        aclEntries      `json:"acl_entries,omitempty"`
	ACLIPsetStore     *ipsetStore     `json:"acl_ipset_store,omitempty"`
}

func (*ShutdownState) Cleanup (added in v0.30.3)

func (s *ShutdownState) Cleanup() error

func (*ShutdownState) Name (added in v0.30.3)

func (s *ShutdownState) Name() string