Affected by 
Documentation
¶
Overview ¶
Package iptables provides an interface and implementations for running iptables commands.
Index ¶
Constants ¶
const LockfilePath14x = "@xtables"
LockfilePath14x is the iptables 1.4.x lock file acquired by any process that's making any change in the iptable rule
const LockfilePath16x = "/run/xtables.lock"
LockfilePath16x is the iptables 1.6.x lock file acquired by any process that's making any change in the iptable rule
const WaitIntervalString = "-W"
WaitIntervalString a constant for specifying the wait interval flag
const WaitIntervalUsecondsValue = "100000"
WaitIntervalUsecondsValue a constant for specifying the default wait interval useconds
const WaitSecondsValue = "5"
WaitSecondsValue a constant for specifying the default wait seconds
const WaitString = "-w"
WaitString a constant for specifying the wait flag
Variables ¶
var MinCheckVersion = utilversion.MustParseGeneric("1.4.11")
MinCheckVersion minimum version to be checked Versions of iptables less than this do not support the -C / --check flag (test whether a rule exists).
var RandomFullyMinVersion = utilversion.MustParseGeneric("1.6.2")
RandomFullyMinVersion is the minimum version from which the --random-fully flag is supported, used for port mapping to be fully randomized
var WaitIntervalMinVersion = utilversion.MustParseGeneric("1.6.1")
WaitIntervalMinVersion a minimum iptables versions supporting the wait interval useconds
var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")
WaitMinVersion a minimum iptables versions supporting the -w and -w<seconds> flags
var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")
WaitRestoreMinVersion a minimum iptables versions supporting the wait restore seconds
var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")
WaitSecondsMinVersion a minimum iptables versions supporting the wait seconds
Functions ¶
func GetChainLines ¶ added in v1.3.0
GetChainLines parses a table's iptables-save data to find chains in the table. It returns a map of iptables.Chain to []byte where the []byte is the chain line from save (with counters etc.). Note that to avoid allocations memory is SHARED with save.
func IsNotFoundError ¶ added in v1.2.0
IsNotFoundError returns true if the error indicates "not found". It parses the error string looking for known values, which is imperfect; beware using this function for anything beyond deciding between logging or ignoring an error.
func MakeChainLine ¶ added in v1.3.0
MakeChainLine return an iptables-save/restore formatted chain line given a Chain
Types ¶
type Chain ¶
type Chain string
Chain represents the different rules
const ( // ChainPostrouting used for source NAT in nat table ChainPostrouting Chain = "POSTROUTING" // ChainPrerouting used for DNAT (destination NAT) in nat table ChainPrerouting Chain = "PREROUTING" // ChainOutput used for the packets going out from local ChainOutput Chain = "OUTPUT" // ChainInput used for incoming packets ChainInput Chain = "INPUT" // ChainForward used for the packets for another NIC ChainForward Chain = "FORWARD" )
type Interface ¶
type Interface interface {
// EnsureChain checks if the specified chain exists and, if not, creates it. If the chain existed, return true.
EnsureChain(table Table, chain Chain) (bool, error)
// FlushChain clears the specified chain. If the chain did not exist, return error.
FlushChain(table Table, chain Chain) error
// DeleteChain deletes the specified chain. If the chain did not exist, return error.
DeleteChain(table Table, chain Chain) error
// ChainExists tests whether the specified chain exists, returning an error if it
// does not, or if it is unable to check.
ChainExists(table Table, chain Chain) (bool, error)
// EnsureRule checks if the specified rule is present and, if not, creates it. If the rule existed, return true.
EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error)
// DeleteRule checks if the specified rule is present and, if so, deletes it.
DeleteRule(table Table, chain Chain, args ...string) error
// IsIPv6 returns true if this is managing ipv6 tables.
IsIPv6() bool
// Protocol returns the IP family this instance is managing,
Protocol() Protocol
// SaveInto calls `iptables-save` for table and stores result in a given buffer.
SaveInto(table Table, buffer *bytes.Buffer) error
// Restore runs `iptables-restore` passing data through []byte.
// table is the Table to restore
// data should be formatted like the output of SaveInto()
// flush sets the presence of the "--noflush" flag. see: FlushFlag
// counters sets the "--counters" flag. see: RestoreCountersFlag
Restore(table Table, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
// RestoreAll is the same as Restore except that no table is specified.
RestoreAll(data []byte, flush FlushFlag, counters RestoreCountersFlag) error
// Monitor detects when the given iptables tables have been flushed by an external
// tool (e.g. a firewall reload) by creating canary chains and polling to see if
// they have been deleted. (Specifically, it polls tables[0] every interval until
// the canary has been deleted from there, then waits a short additional time for
// the canaries to be deleted from the remaining tables as well. You can optimize
// the polling by listing a relatively empty table in tables[0]). When a flush is
// detected, this calls the reloadFunc so the caller can reload their own iptables
// rules. If it is unable to create the canary chains (either initially or after
// a reload) it will log an error and stop monitoring.
// (This function should be called from a goroutine.)
Monitor(canary Chain, tables []Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
// HasRandomFully reveals whether `-j MASQUERADE` takes the
// `--random-fully` option. This is helpful to work around a
// Linux kernel bug that sometimes causes multiple flows to get
// mapped to the same IP:PORT and consequently some suffer packet
// drops.
HasRandomFully() bool
// Present checks if the kernel supports the iptable interface
Present() bool
}
Interface is an injectable interface for running iptables commands. Implementations must be goroutine-safe.
type Protocol ¶ added in v0.5.1
type Protocol string
Protocol defines the ip protocol either ipv4 or ipv6
type RestoreCountersFlag ¶ added in v1.1.0
type RestoreCountersFlag bool
RestoreCountersFlag is an option flag for Restore
const NoRestoreCounters RestoreCountersFlag = false
NoRestoreCounters a boolean false constant for the option flag RestoreCountersFlag
const RestoreCounters RestoreCountersFlag = true
RestoreCounters a boolean true constant for the option flag RestoreCountersFlag
type RulePosition ¶ added in v0.18.0
type RulePosition string
RulePosition holds the -I/-A flags for iptable
const ( // Prepend is the insert flag for iptable Prepend RulePosition = "-I" // Append is the append flag for iptable Append RulePosition = "-A" )
Source Files
Directories