firewall

package
v0.0.0-...-6832b3c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 15, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	FilterTable      = "filter"
	NATTable         = "nat"
	InputChain       = "INPUT"
	ForwardChain     = "FORWARD"
	OutputChain      = "OUTPUT"
	PreroutingChain  = "PREROUTING"
	PostRoutingChain = "POSTROUTING"
)

Variables

View Source 
var (
	StandardFilterTable = TableConfig{
		Name:   FilterTable,
		Family: nftables.TableFamilyINet,
		Chains: []ChainConfig{
			{
				Name:     InputChain,
				Table:    FilterTable,
				Create:   true,
				Type:     &[]nftables.ChainType{nftables.ChainTypeFilter}[0],
				Hook:     nftables.ChainHookInput,
				Priority: nftables.ChainPriorityFilter,
				Policy:   getChainPolicyAccept(),
			},
			{
				Name:     ForwardChain,
				Table:    FilterTable,
				Create:   true,
				Type:     &[]nftables.ChainType{nftables.ChainTypeFilter}[0],
				Hook:     nftables.ChainHookForward,
				Priority: nftables.ChainPriorityFilter,
				Policy:   getChainPolicyAccept(),
			},
			{
				Name:     OutputChain,
				Table:    FilterTable,
				Create:   true,
				Type:     &[]nftables.ChainType{nftables.ChainTypeFilter}[0],
				Hook:     nftables.ChainHookOutput,
				Priority: nftables.ChainPriorityFilter,
				Policy:   getChainPolicyAccept(),
			},
		},
	}

	StandardNATTable = TableConfig{
		Name:   NATTable,
		Family: nftables.TableFamilyIPv4,
		Chains: []ChainConfig{
			{
				Name:     PreroutingChain,
				Table:    NATTable,
				Create:   true,
				Type:     &[]nftables.ChainType{nftables.ChainTypeNAT}[0],
				Hook:     nftables.ChainHookPrerouting,
				Priority: nftables.ChainPriorityNATDest,
				Policy:   getChainPolicyAccept(),
			},
			{
				Name:     PostRoutingChain,
				Table:    NATTable,
				Create:   true,
				Type:     &[]nftables.ChainType{nftables.ChainTypeNAT}[0],
				Hook:     nftables.ChainHookPostrouting,
				Priority: nftables.ChainPriorityNATSource,
				Policy:   getChainPolicyAccept(),
			},
		},
	}
)

Predefined standard table configurations

Functions

func AddJumpRule 

func AddJumpRule(fromChainName, toChainName, tableName string) error

func AddRules 

func AddRules(rules *Rules) error

func ConfigureFirewall 

func ConfigureFirewall(oldInterface, newInterface, bridgeName string) error

func CreateStandardFilterTable 

func CreateStandardFilterTable(conn *nftables.Conn) error

CreateStandardFilterTable creates the standard filter table with INPUT, FORWARD, OUTPUT chains

func CreateStandardNATTable 

func CreateStandardNATTable(conn *nftables.Conn) error

CreateStandardNATTable creates the standard NAT table with PREROUTING, POSTROUTING chains

func CreateTableFromConfig 

func CreateTableFromConfig(conn *nftables.Conn, config TableConfig) error

CreateTableFromConfig creates a table and its chains based on the provided configuration

func EnsureStandardFirewallInfrastructure 

func EnsureStandardFirewallInfrastructure(conn *nftables.Conn) error

EnsureStandardFirewallInfrastructure creates both filter and NAT tables

func NewChain 

func NewChain(opts ...Option) (*nftables.Chain, *nftables.Table, error)

func RemoveRules 

func RemoveRules(rules *Rules) error

Types

type ChainConfig 

type ChainConfig struct {
	Name   string
	Table  string
	Create bool
	// Rich configuration options (optional - for creating new chains)
	Type     *nftables.ChainType
	Hook     *nftables.ChainHook
	Priority *nftables.ChainPriority
	Policy   *nftables.ChainPolicy
}

type NewRule 

type NewRule func(*Rules) error

func ForwardOutboundRule 

func ForwardOutboundRule(chainName, tableName, hostIf, internalIf string) NewRule

func ForwardReturnTrafficRule 

func ForwardReturnTrafficRule(chainName, tableName, hostIf, internalIf string) NewRule

func MasqueradeRule 

func MasqueradeRule(chainName, tableName, interfaceName string) NewRule

func PortRule 

func PortRule(port uint16, proto, chainName, tableName string) NewRule

type Option 

type Option func(*ChainConfig)

func Create 

func Create() Option

func WithChainType 

func WithChainType(chainType nftables.ChainType) Option

func WithHook 

func WithHook(hook *nftables.ChainHook) Option

func WithName 

func WithName(chainName string) Option

func WithPolicy 

func WithPolicy(policy *nftables.ChainPolicy) Option

func WithPriority 

func WithPriority(priority *nftables.ChainPriority) Option

func WithinTable 

func WithinTable(tableName string) Option

type Rules 

type Rules struct {
	// contains filtered or unexported fields
}

func NewRules 

func NewRules(rules ...NewRule) (*Rules, error)

type TableConfig 

type TableConfig struct {
	Name   string
	Family nftables.TableFamily
	Chains []ChainConfig // Now using the unified ChainConfig
}

TableConfig defines the configuration for a complete table

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.