package iptables

import "github.com/dotcloud/docker/libnetwork/iptables"

Index

Functions

func AddInterfaceFirewalld 

func AddInterfaceFirewalld(intf string) error

AddInterfaceFirewalld adds the interface to the trusted zone. It is a no-op if firewalld is not running.

func DelInterfaceFirewalld 

func DelInterfaceFirewalld(intf string) error

DelInterfaceFirewalld removes the interface from the trusted zone It is a no-op if firewalld is not running.

func DeleteConntrackEntries 

func DeleteConntrackEntries(nlh nlwrap.Handle, ipv4List []net.IP, ipv6List []net.IP) error

DeleteConntrackEntries deletes all the conntrack connections on the host for the specified IP Returns the number of flows deleted for IPv4, IPv6 else error

func DeleteConntrackEntriesByPort 

func DeleteConntrackEntriesByPort(nlh nlwrap.Handle, proto types.Protocol, ports []uint16) error

func FirewalldReloadedAt 

func FirewalldReloadedAt() time.Time

FirewalldReloadedAt returns the time at which the daemon last completed a firewalld reload, or a zero-valued time.Time if it has not been reloaded since the daemon started.

func OnReloaded 

func OnReloaded(callback func())

OnReloaded add callback

func UsingFirewalld 

func UsingFirewalld() (bool, error)

UsingFirewalld returns true if iptables rules will be applied via firewalld's passthrough interface. The error return is non-nil if the status cannot be determined because the initialisation function has not been called.

Types

type Action 

type Action string

Action signifies the iptable action. 

const (
	// Append appends the rule at the end of the chain.
	Append Action = "-A"
	// Delete deletes the rule from the chain.
	Delete Action = "-D"
	// Insert inserts the rule at the top of the chain.
	Insert Action = "-I"
)

type ChainError 

type ChainError struct {
	Chain  string
	Output []byte
}

ChainError is returned to represent errors during ip table operation.

func (ChainError) Error 

func (e ChainError) Error() string

type ChainInfo 

type ChainInfo struct {
	Name      string
	Table     Table
	IPVersion IPVersion
}

ChainInfo defines the iptables chain. 

func (c *ChainInfo) Link(action Action, ip1, ip2 netip.Addr, port int, proto string, bridgeName string) error

Link adds reciprocal ACCEPT rule for two supplied IP addresses. Traffic is allowed from ip1 to ip2 and vice-versa

func (*ChainInfo) Output 

func (c *ChainInfo) Output(action Action, args ...string) error

Output adds linking rule to an OUTPUT chain.

func (*ChainInfo) Prerouting 

func (c *ChainInfo) Prerouting(action Action, args ...string) error

Prerouting adds linking rule to nat/PREROUTING chain.

func (*ChainInfo) Remove 

func (c *ChainInfo) Remove() error

Remove removes the chain.

type Conn 

type Conn struct {
	// contains filtered or unexported fields
}

Conn is a connection to firewalld dbus endpoint.

type IPTable 

type IPTable struct {
	// contains filtered or unexported fields
}

IPTable defines struct with IPVersion.

func GetIptable 

func GetIptable(version IPVersion) *IPTable

GetIptable returns an instance of IPTable with specified version (IPv4 or IPv6). It panics if an invalid IPVersion is provided.

func (IPTable) AddReturnRule 

func (iptable IPTable) AddReturnRule(chain string) error

AddReturnRule adds a return rule for the chain in the filter table

func (IPTable) DeleteJumpRule 

func (iptable IPTable) DeleteJumpRule(fromChain, toChain string, rule ...string) error

DeleteJumpRule deletes a rule added by EnsureJumpRule. It's a no-op if the rule doesn't exist.

func (IPTable) EnsureJumpRule 

func (iptable IPTable) EnsureJumpRule(fromChain, toChain string, rule ...string) error

EnsureJumpRule ensures the jump rule is on top

func (IPTable) ExistChain 

func (iptable IPTable) ExistChain(chain string, table Table) bool

ExistChain checks if a chain exists

func (IPTable) Exists 

func (iptable IPTable) Exists(table Table, chain string, rule ...string) bool

Exists checks if a rule exists

func (IPTable) ExistsNative 

func (iptable IPTable) ExistsNative(table Table, chain string, rule ...string) bool

ExistsNative behaves as Exists with the difference it will always invoke `iptables` binary.

func (IPTable) NewChain 

func (iptable IPTable) NewChain(name string, table Table) (*ChainInfo, error)

NewChain adds a new chain to ip table.

func (IPTable) ProgramRule 

func (iptable IPTable) ProgramRule(table Table, chain string, action Action, args []string) error

ProgramRule adds the rule specified by args only if the rule is not already present in the chain. Reciprocally, it removes the rule only if present.

func (IPTable) Raw 

func (iptable IPTable) Raw(args ...string) ([]byte, error)

Raw calls 'iptables' system command, passing supplied arguments.

func (IPTable) RawCombinedOutput 

func (iptable IPTable) RawCombinedOutput(args ...string) error

RawCombinedOutput internally calls the Raw function and returns a non nil error if Raw returned a non nil error or a non empty output

func (IPTable) RawCombinedOutputNative 

func (iptable IPTable) RawCombinedOutputNative(args ...string) error

RawCombinedOutputNative behave as RawCombinedOutput with the difference it will always invoke `iptables` binary

func (IPTable) RemoveExistingChain 

func (iptable IPTable) RemoveExistingChain(name string, table Table) error

RemoveExistingChain removes existing chain from the table.

func (IPTable) SetDefaultPolicy 

func (iptable IPTable) SetDefaultPolicy(table Table, chain string, policy Policy) error

SetDefaultPolicy sets the passed default policy for the table/chain

type IPVersion 

type IPVersion string

IPVersion refers to IP version, v4 or v6 

const (
	// IPv4 is version 4.
	IPv4 IPVersion = "ipv4"
	// IPv6 is version 6.
	IPv6 IPVersion = "ipv6"
)

type Policy 

type Policy string

Policy is the default iptable policies 

const (
	// Drop is the default iptables DROP policy.
	Drop Policy = "DROP"
	// Accept is the default iptables ACCEPT policy.
	Accept Policy = "ACCEPT"
)

type Rule 

type Rule struct {
	IPVer IPVersion
	Table Table
	Chain string
	Args  []string
}

func (Rule) Append 

func (r Rule) Append() error

Append appends the rule to the end of the chain. If the rule already exists anywhere in the chain, this is a no-op.

func (Rule) Delete 

func (r Rule) Delete() error

Delete deletes the rule from the kernel. If the rule does not exist, this is a no-op.

func (Rule) Exists 

func (r Rule) Exists() bool

Exists returns true if the rule exists in the kernel.

func (Rule) Insert 

func (r Rule) Insert() error

Insert inserts the rule at the head of the chain. If the rule already exists anywhere in the chain, this is a no-op.

func (Rule) String 

func (r Rule) String() string

func (Rule) WithChain 

func (r Rule) WithChain(chain string) Rule

WithChain returns a version of the rule with its Chain field set to chain.

type Table 

type Table string

Table refers to Nat, Filter or Mangle. 

const (
	// Nat table is used for nat translation rules.
	Nat Table = "nat"
	// Filter table is used for filter rules.
	Filter Table = "filter"
	// Mangle table is used for mangling the packet.
	Mangle Table = "mangle"
	// Raw table is used for filtering packets before they are NATed.
	Raw Table = "raw"
)

Source Files

conntrack.go firewalld.go iptables.go

Version
v28.1.1+incompatible (latest)
Published
Apr 18, 2025
Platform
linux/amd64
Imports
20 packages
Last checked
48 seconds ago

Tools for package owners.