nftables

package v0.65.2
Published: Feb 17, 2026 License: BSD-3-Clause Imports: 30 Imported by: 1

Documentation

Types

type AclManager added in v0.24.4

type AclManager struct {
	// contains filtered or unexported fields
}

func (*AclManager) AddPeerFiltering added in v0.30.0

func (m *AclManager) AddPeerFiltering(
	id []byte,
	ip net.IP,
	proto firewall.Protocol,
	sPort *firewall.Port,
	dPort *firewall.Port,
	action firewall.Action,
	ipsetName string,
) ([]firewall.Rule, error)

AddPeerFiltering adds a peer filtering rule to the firewall.

If the comment argument is empty, the firewall manager should set the rule ID as the rule's comment.

func (*AclManager) DeletePeerRule added in v0.30.0

func (m *AclManager) DeletePeerRule(rule firewall.Rule) error

DeletePeerRule deletes a peer rule from the firewall by its rule definition.

func (*AclManager) Flush added in v0.24.4

func (m *AclManager) Flush() error

Flush flushes the buffered rule/chain/set operations.

The method also fetches all rules after the flush and refreshes the handle values in the rulesets.

type InterfaceState added in v0.30.3

type InterfaceState struct {
	NameStr       string         `json:"name"`
	WGAddress     wgaddr.Address `json:"wg_address"`
	UserspaceBind bool           `json:"userspace_bind"`
	MTU           uint16         `json:"mtu"`
}

func (*InterfaceState) Address added in v0.30.3

func (i *InterfaceState) Address() wgaddr.Address

func (*InterfaceState) IsUserspaceBind added in v0.30.3

func (i *InterfaceState) IsUserspaceBind() bool

func (*InterfaceState) Name added in v0.30.3

func (i *InterfaceState) Name() string

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager of iptables firewall (sic: this package's Create and Init construct the nftables firewall manager)

func Create

func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error)

Create creates the nftables firewall manager.

func (*Manager) AddDNATRule added in v0.38.0

func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)

AddDNATRule adds a DNAT rule

func (*Manager) AddInboundDNAT added in v0.59.9

func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error

AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.

func (*Manager) AddNatRule added in v0.30.0

func (m *Manager) AddNatRule(pair firewall.RouterPair) error

func (*Manager) AddPeerFiltering added in v0.30.0

func (m *Manager) AddPeerFiltering(
	id []byte,
	ip net.IP,
	proto firewall.Protocol,
	sPort *firewall.Port,
	dPort *firewall.Port,
	action firewall.Action,
	ipsetName string,
) ([]firewall.Rule, error)

AddPeerFiltering adds a peer filtering rule to the firewall.

If the comment argument is empty, the firewall manager should set the rule ID as the rule's comment.

func (*Manager) AddRouteFiltering added in v0.30.0

func (m *Manager) AddRouteFiltering(
	id []byte,
	sources []netip.Prefix,
	destination firewall.Network,
	proto firewall.Protocol,
	sPort, dPort *firewall.Port,
	action firewall.Action,
) (firewall.Rule, error)

func (*Manager) AllowNetbird added in v0.23.0

func (m *Manager) AllowNetbird() error

AllowNetbird allows traffic on the netbird interface.

func (*Manager) Close added in v0.37.2

func (m *Manager) Close(stateManager *statemanager.Manager) error

Close closes the firewall manager

func (*Manager) DeleteDNATRule added in v0.38.0

func (m *Manager) DeleteDNATRule(rule firewall.Rule) error

DeleteDNATRule deletes a DNAT rule

func (*Manager) DeletePeerRule added in v0.30.0

func (m *Manager) DeletePeerRule(rule firewall.Rule) error

DeletePeerRule deletes a peer rule from the firewall by its rule definition.

func (*Manager) DeleteRouteRule added in v0.30.0

func (m *Manager) DeleteRouteRule(rule firewall.Rule) error

DeleteRouteRule deletes a routing rule

func (*Manager) DisableRouting added in v0.36.6

func (m *Manager) DisableRouting() error

func (*Manager) EnableRouting added in v0.36.6

func (m *Manager) EnableRouting() error

func (*Manager) Flush added in v0.21.9

func (m *Manager) Flush() error

Flush flushes the buffered rule/chain/set operations.

The method also fetches all rules after the flush and refreshes the handle values in the rulesets. TODO: review this method's usage.

func (*Manager) Init added in v0.30.3

func (m *Manager) Init(stateManager *statemanager.Manager) error

Init initializes the nftables firewall manager.

func (*Manager) IsServerRouteSupported added in v0.24.4

func (m *Manager) IsServerRouteSupported() bool

func (*Manager) IsStateful added in v0.46.0

func (m *Manager) IsStateful() bool

func (*Manager) RemoveInboundDNAT added in v0.59.9

func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error

RemoveInboundDNAT removes an inbound DNAT rule.

func (*Manager) RemoveNatRule added in v0.30.0

func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error

func (*Manager) SetLegacyManagement added in v0.30.0

func (m *Manager) SetLegacyManagement(isLegacy bool) error

SetLegacyManagement sets the route manager to use legacy management

func (*Manager) SetLogLevel added in v0.36.6

func (m *Manager) SetLogLevel(log.Level)

SetLogLevel sets the log level for the firewall manager

func (*Manager) SetupEBPFProxyNoTrack added in v0.64.2

func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error

SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic. This prevents conntrack from tracking WireGuard proxy traffic on loopback, which can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).

Traffic flows that need NOTRACK:

  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
     Matched by: sport=wgPort

  2. Egress: Proxy -> WireGuard (via raw socket)
     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
     Matched by: dport=wgPort

  3. Ingress: Packets to WireGuard
     dst=127.0.0.1:wgPort
     Matched by: dport=wgPort

  4. Ingress: Packets to proxy (after eBPF rewrite)
     dst=127.0.0.1:proxyPort
     Matched by: dport=proxyPort

Rules are cleaned up when the firewall manager is closed.
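The following is an added example, not code from the NetBird project: it encodes the four loopback flows listed above as port predicates, shows that flows 2 and 3 collapse into one match (dport=wgPort), keeps the exemption scoped to loopback so real peer traffic on wgPort stays tracked, and renders the equivalent nft rule lines (the rule shape and the constructed sample flows are assumptions for illustration).

```go
package main

import (
	"fmt"
	"net/netip"
)

// Flow is a constructed UDP flow (WireGuard and the eBPF proxy exchange UDP over loopback).
type Flow struct{ Src, Dst netip.AddrPort }

// noTrackMatch is one port predicate from the SetupEBPFProxyNoTrack doc comment; zero means unmatched.
type noTrackMatch struct{ sport, dport uint16 }

// NoTrackMatches derives the distinct predicates for a proxyPort/wgPort pair.
// Flows 2 and 3 share dport=wgPort, so three predicates cover all four flows.
func NoTrackMatches(proxyPort, wgPort uint16) []noTrackMatch {
	return []noTrackMatch{{sport: wgPort}, {dport: wgPort}, {dport: proxyPort}}
}

// NeedsNoTrack reports whether f should bypass conntrack. The exemption is deliberately
// limited to loopback: WireGuard peer traffic arriving on a real interface keeps its
// conntrack state, and with it any stateful rules that depend on that state.
func NeedsNoTrack(f Flow, proxyPort, wgPort uint16) bool {
	if !f.Src.Addr().IsLoopback() || !f.Dst.Addr().IsLoopback() {
		return false
	}
	for _, m := range NoTrackMatches(proxyPort, wgPort) {
		if (m.sport == 0 || f.Src.Port() == m.sport) && (m.dport == 0 || f.Dst.Port() == m.dport) {
			return true
		}
	}
	return false
}

// NftRules renders the predicates as nft rule lines for a raw-priority chain (assumed
// shape, not the project's own); the loopback scoping belongs to the chain's interface match.
func NftRules(proxyPort, wgPort uint16) []string {
	var out []string
	for _, m := range NoTrackMatches(proxyPort, wgPort) {
		if m.sport != 0 {
			out = append(out, fmt.Sprintf("udp sport %d notrack", m.sport))
		} else {
			out = append(out, fmt.Sprintf("udp dport %d notrack", m.dport))
		}
	}
	return out
}

func main() {
	wg, proxy := uint16(51820), uint16(3128) // constructed sample ports
	lo := Flow{netip.MustParseAddrPort("127.0.0.1:51820"), netip.MustParseAddrPort("127.0.0.1:40000")}
	peer := Flow{netip.MustParseAddrPort("10.0.0.5:51820"), netip.MustParseAddrPort("10.0.0.1:51820")}
	fmt.Println(NeedsNoTrack(lo, proxy, wg), NeedsNoTrack(peer, proxy, wg), NftRules(proxy, wg))
}
```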

func (*Manager) UpdateSet added in v0.43.0

func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error

UpdateSet updates the set with the given prefixes

type Rule

type Rule struct {
	// contains filtered or unexported fields
}

Rule represents a firewall rule and is used to manage rules.

func (*Rule) ID added in v0.38.0

func (r *Rule) ID() string

ID returns the rule ID.

type ShutdownState added in v0.30.3

type ShutdownState struct {
	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
}

func (*ShutdownState) Cleanup added in v0.30.3

func (s *ShutdownState) Cleanup() error

func (*ShutdownState) Name added in v0.30.3

func (s *ShutdownState) Name() string
