package iptables

kubernetes – k8s.io/kubernetes/pkg/util/iptables Index | Files | Directories

package iptables

import "k8s.io/kubernetes/pkg/util/iptables"

Package iptables provides an interface and implementations for running iptables commands.

Index ¶

Constants
Variables
func GetChainsFromTable(save []byte) sets.Set[Chain]
func IsNotFoundError(err error) bool
func MakeChainLine(chain Chain) string
func NewDualStack() map[v1.IPFamily]Interface
type Chain
type FlushFlag
type Interface

func New(protocol Protocol) Interface

type LineData

func ExtractLines(lines []byte, line, count int) []LineData

type ParseError
type Protocol
type RestoreCountersFlag
type RulePosition
type Table

Constants ¶

const LockfilePath14x = "@xtables"

LockfilePath14x is the iptables 1.4.x lock file acquired by any process that's making any change in the iptable rule

const LockfilePath16x = "/run/xtables.lock"

LockfilePath16x is the iptables 1.6.x lock file acquired by any process that's making any change in the iptable rule

const WaitIntervalString = "-W"

WaitIntervalString a constant for specifying the wait interval flag

const WaitIntervalUsecondsValue = "100000"

WaitIntervalUsecondsValue a constant for specifying the default wait interval useconds

const WaitSecondsValue = "5"

WaitSecondsValue a constant for specifying the default wait seconds

const WaitString = "-w"

WaitString a constant for specifying the wait flag

Variables ¶

var MinCheckVersion = utilversion.MustParseGeneric("1.4.11")

MinCheckVersion minimum version to be checked Versions of iptables less than this do not support the -C / --check flag (test whether a rule exists).

var RandomFullyMinVersion = utilversion.MustParseGeneric("1.6.2")

RandomFullyMinVersion is the minimum version from which the --random-fully flag is supported, used for port mapping to be fully randomized

var WaitIntervalMinVersion = utilversion.MustParseGeneric("1.6.1")

WaitIntervalMinVersion a minimum iptables versions supporting the wait interval useconds

var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")

WaitMinVersion a minimum iptables versions supporting the -w and -w<seconds> flags

var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")

WaitRestoreMinVersion a minimum iptables versions supporting the wait restore seconds

var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")

WaitSecondsMinVersion a minimum iptables versions supporting the wait seconds

Functions ¶

func GetChainsFromTable ¶

func GetChainsFromTable(save []byte) sets.Set[Chain]

GetChainsFromTable parses iptables-save data to find the chains that are defined. It assumes that save contains a single table's data, and returns a set with keys for every chain defined in that table.

func IsNotFoundError ¶

func IsNotFoundError(err error) bool

IsNotFoundError returns true if the error indicates "not found". It parses the error string looking for known values, which is imperfect; beware using this function for anything beyond deciding between logging or ignoring an error.

func MakeChainLine ¶

func MakeChainLine(chain Chain) string

MakeChainLine return an iptables-save/restore formatted chain line given a Chain

func NewDualStack ¶

func NewDualStack() map[v1.IPFamily]Interface

NewDualStack returns a map containing an IPv4 Interface (if IPv4 iptables is supported) and an IPv6 Interface (if IPv6 iptables is supported). If either family is not supported, no Interface will be returned for that family.

Types ¶

type Chain ¶

type Chain string

Chain represents the different rules

const (
	// ChainPostrouting used for source NAT in nat table
	ChainPostrouting Chain = "POSTROUTING"
	// ChainPrerouting used for DNAT (destination NAT) in nat table
	ChainPrerouting Chain = "PREROUTING"
	// ChainOutput used for the packets going out from local
	ChainOutput Chain = "OUTPUT"
	// ChainInput used for incoming packets
	ChainInput Chain = "INPUT"
	// ChainForward used for the packets for another NIC
	ChainForward Chain = "FORWARD"
)

type FlushFlag ¶

type FlushFlag bool

FlushFlag an option flag for Flush

const FlushTables FlushFlag = true

FlushTables a boolean true constant for option flag FlushFlag

const NoFlushTables FlushFlag = false

NoFlushTables a boolean false constant for option flag FlushFlag

type Interface ¶

type Interface interface {
	// EnsureChain checks if the specified chain exists and, if not, creates it.  If the chain existed, return true.
	EnsureChain(table Table, chain Chain) (bool, error)
	// FlushChain clears the specified chain.  If the chain did not exist, return error.
	FlushChain(table Table, chain Chain) error
	// DeleteChain deletes the specified chain.  If the chain did not exist, return error.
	DeleteChain(table Table, chain Chain) error
	// ChainExists tests whether the specified chain exists, returning an error if it
	// does not, or if it is unable to check.
	ChainExists(table Table, chain Chain) (bool, error)
	// EnsureRule checks if the specified rule is present and, if not, creates it.  If the rule existed, return true.
	EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error)
	// DeleteRule checks if the specified rule is present and, if so, deletes it.
	DeleteRule(table Table, chain Chain, args ...string) error
	// IsIPv6 returns true if this is managing ipv6 tables.
	IsIPv6() bool
	// Protocol returns the IP family this instance is managing,
	Protocol() Protocol
	// SaveInto calls `iptables-save` for table and stores result in a given buffer.
	SaveInto(table Table, buffer *bytes.Buffer) error
	// Restore runs `iptables-restore` passing data through []byte.
	// table is the Table to restore
	// data should be formatted like the output of SaveInto()
	// flush sets the presence of the "--noflush" flag. see: FlushFlag
	// counters sets the "--counters" flag. see: RestoreCountersFlag
	Restore(table Table, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// RestoreAll is the same as Restore except that no table is specified.
	RestoreAll(data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// Monitor detects when the given iptables tables have been flushed by an external
	// tool (e.g. a firewall reload) by creating canary chains and polling to see if
	// they have been deleted. (Specifically, it polls tables[0] every interval until
	// the canary has been deleted from there, then waits a short additional time for
	// the canaries to be deleted from the remaining tables as well. You can optimize
	// the polling by listing a relatively empty table in tables[0]). When a flush is
	// detected, this calls the reloadFunc so the caller can reload their own iptables
	// rules. If it is unable to create the canary chains (either initially or after
	// a reload) it will log an error and stop monitoring.
	// (This function should be called from a goroutine.)
	Monitor(canary Chain, tables []Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
	// HasRandomFully reveals whether `-j MASQUERADE` takes the
	// `--random-fully` option.  This is helpful to work around a
	// Linux kernel bug that sometimes causes multiple flows to get
	// mapped to the same IP:PORT and consequently some suffer packet
	// drops.
	HasRandomFully() bool

	// Present checks if the kernel supports the iptable interface
	Present() bool
}

Interface is an injectable interface for running iptables commands. Implementations must be goroutine-safe.

func New ¶

func New(protocol Protocol) Interface

New returns a new Interface which will exec iptables.

type LineData ¶

type LineData struct {
	// Line holds the line number (the first line is 1).
	Line int
	// The data of the line.
	Data string
}

LineData represents a single numbered line of data.

func ExtractLines ¶

func ExtractLines(lines []byte, line, count int) []LineData

ExtractLines extracts the -count and +count data from the lineNum row of lines and return NOTE: lines start from line 1

type ParseError ¶

type ParseError interface {
	// Line returns the line number on which the parse error was reported.
	// NOTE: First line is 1.
	Line() int
	// Error returns the error message of the parse error, including line number.
	Error() string
}

ParseError records the payload when iptables reports an error parsing its input.

type Protocol ¶

type Protocol string

Protocol defines the ip protocol either ipv4 or ipv6

const (
	// ProtocolIPv4 represents ipv4 protocol in iptables
	ProtocolIPv4 Protocol = "IPv4"
	// ProtocolIPv6 represents ipv6 protocol in iptables
	ProtocolIPv6 Protocol = "IPv6"
)

type RestoreCountersFlag ¶

type RestoreCountersFlag bool

RestoreCountersFlag is an option flag for Restore

const NoRestoreCounters RestoreCountersFlag = false

NoRestoreCounters a boolean false constant for the option flag RestoreCountersFlag

const RestoreCounters RestoreCountersFlag = true

RestoreCounters a boolean true constant for the option flag RestoreCountersFlag

type RulePosition ¶

type RulePosition string

RulePosition holds the -I/-A flags for iptable

const (
	// Prepend is the insert flag for iptable
	Prepend RulePosition = "-I"
	// Append is the append flag for iptable
	Append RulePosition = "-A"
)

type Table ¶

type Table string

Table represents different iptable like filter,nat, mangle and raw

const (
	// TableNAT represents the built-in nat table
	TableNAT Table = "nat"
	// TableFilter represents the built-in filter table
	TableFilter Table = "filter"
	// TableMangle represents the built-in mangle table
	TableMangle Table = "mangle"
)

Source Files ¶

doc.go iptables.go iptables_linux.go save_restore.go

Directories ¶

Path	Synopsis
pkg/util/iptables/testing

Version: v1.33.0 (latest)
Published: Apr 23, 2025
Platform: linux/amd64
Imports: 20 packages
Last checked: 3 hours ago –

Tools for package owners.

?	: This menu
/	: Search site
f	: Jump to identifier
g then g	: Go to top of page
g then b	: Go to end of page
G	: Go to end of page
g then i	: Go to index
g then e	: Go to examples