package link
import "github.com/containernetworking/plugins/pkg/link"
Index ¶
Types ¶
type NftConfigurer ¶
type NftConfigurer interface {
Apply(*nft.Config) (*nft.Config, error)
Read(filterCommands ...string) (*nft.Config, error)
}
type SpoofChecker ¶
type SpoofChecker struct {
// contains filtered or unexported fields
}
func NewSpoofChecker ¶
func NewSpoofChecker(iface, macAddress, refID string) *SpoofChecker
func NewSpoofCheckerWithConfigurer ¶
func NewSpoofCheckerWithConfigurer(iface, macAddress, refID string, configurer NftConfigurer) *SpoofChecker
func (*SpoofChecker) Setup ¶
func (sc *SpoofChecker) Setup() error
Setup applies nftables configuration to restrict traffic from the provided interface. Only traffic with the mentioned mac address is allowed to pass, all others are blocked. The configuration follows the format libvirt and ebtables implemented, allowing extensions to the rules in the future. refID is used to label the rules with a unique comment, identifying the rule-set.
In order to take advantage of the nftables configuration change atomicity, the following steps are taken to apply the configuration: - Declare the table and chains (they will be created in case not present). - Apply the rules, while first flushing the iface/mac specific regular chain rules. Two transactions are used because the flush succeeds only if the table/chain it targets exists. This avoids the need to query the existing state and acting upon it (a raceful pattern). Although two transactions are taken place, only the 2nd one where the rules are added has a real impact on the system.
func (*SpoofChecker) Teardown ¶
func (sc *SpoofChecker) Teardown() error
Teardown removes the interface and mac-address specific chains and their rules. The table and base-chain are expected to survive while the base-chain rule that matches the interface is removed.
Source Files ¶
- Version
- v1.7.1 (latest)
- Published
- Apr 25, 2025
- Platform
- linux/amd64
- Imports
- 6 packages
- Last checked
- 1 day ago –
Tools for package owners.