package iptables
import "k8s.io/kubernetes/pkg/util/iptables"
Package iptables provides an interface and implementations for running iptables commands.
Index ¶
- Constants
- Variables
- func GetChainLines(table Table, save []byte) map[Chain][]byte
- func IsNotFoundError(err error) bool
- func MakeChainLine(chain Chain) string
- type Chain
- type FlushFlag
- type Interface
- type Protocol
- type RestoreCountersFlag
- type RulePosition
- type Table
Constants ¶
const LockfilePath16x = "/run/xtables.lock"
const WaitSecondsValue = "5"
const WaitString = "-w"
Variables ¶
var MinCheckVersion = utilversion.MustParseGeneric("1.4.11")
Versions of iptables less than this do not support the -C / --check flag (test whether a rule exists).
var RandomFullyMinVersion = utilversion.MustParseGeneric("1.6.2")
var WaitMinVersion = utilversion.MustParseGeneric("1.4.20")
Minimum iptables versions supporting the -w and -w<seconds> flags.
var WaitRestoreMinVersion = utilversion.MustParseGeneric("1.6.2")
var WaitSecondsMinVersion = utilversion.MustParseGeneric("1.4.22")
Functions ¶
func GetChainLines ¶
GetChainLines parses a table's iptables-save data to find chains in the table. It returns a map of iptables.Chain to []byte where the []byte is the chain line from save (with counters etc.). Note that, to avoid allocations, memory is SHARED with save.
func IsNotFoundError ¶
IsNotFoundError returns true if the error indicates "not found". It parses the error string looking for known values, which is imperfect; beware using this function for anything beyond deciding between logging or ignoring an error.
func MakeChainLine ¶
MakeChainLine returns an iptables-save/restore formatted chain line given a Chain.
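The chain-line handling that GetChainLines and MakeChainLine document, as an added example that is not the package's own code: ParseChainLines and FormatChainLine are hypothetical stand-ins for the two functions, Chain and Table are redeclared locally, and the iptables-save text is constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

type Chain string // stand-in for the package's Chain type (assumed name)
type Table string // stand-in for the package's Table type (assumed name)

// ParseChainLines follows the behaviour documented for GetChainLines: inside the
// requested table's section of iptables-save output it collects chain declarations
// (":NAME POLICY [pkts:bytes]") keyed by name. The slices alias the input buffer.
func ParseChainLines(table Table, save []byte) map[Chain][]byte {
	chains := map[Chain][]byte{}
	inTable := false
	for _, line := range bytes.Split(save, []byte("\n")) {
		line = bytes.TrimSpace(line)
		switch {
		case len(line) == 0:
			continue
		case line[0] == '*': // "*nat", "*filter": a new table section begins
			inTable = Table(line[1:]) == table
		case inTable && line[0] == ':': // chain name runs to the first space
			if end := bytes.IndexByte(line, ' '); end > 1 {
				chains[Chain(line[1:end])] = line
			}
		}
	}
	return chains
}

// FormatChainLine produces the save/restore form of a user-defined chain line
// (policy "-", zeroed counters), as MakeChainLine is documented to do.
func FormatChainLine(chain Chain) string {
	return fmt.Sprintf(":%s - [0:0]", chain)
}

// sampleSave is constructed iptables-save output; KUBE-SERVICES exists in two tables.
var sampleSave = []byte(`*nat
:PREROUTING ACCEPT [12:720]
:KUBE-SERVICES - [0:0]
-A PREROUTING -j KUBE-SERVICES
COMMIT
*filter
:KUBE-SERVICES - [0:0]
COMMIT
`)

func main() { fmt.Printf("%q\n%s\n", ParseChainLines("nat", sampleSave), FormatChainLine("KUBE-FORWARD")) }
```

Rule lines (-A ...) and the other table's section are skipped, and because the returned slices alias the input, callers must not mutate them or reuse the buffer while the map is in use.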
Types ¶
type Chain ¶
type Chain string
const (
	ChainPostrouting Chain = "POSTROUTING"
	ChainPrerouting  Chain = "PREROUTING"
	ChainOutput      Chain = "OUTPUT"
	ChainInput       Chain = "INPUT"
	ChainForward     Chain = "FORWARD"
)
type FlushFlag ¶
type FlushFlag bool
Option flag for Flush
type Interface ¶
type Interface interface {
	// EnsureChain checks if the specified chain exists and, if not, creates it. If the chain existed, return true.
	EnsureChain(table Table, chain Chain) (bool, error)
	// FlushChain clears the specified chain. If the chain did not exist, return error.
	FlushChain(table Table, chain Chain) error
	// DeleteChain deletes the specified chain. If the chain did not exist, return error.
	DeleteChain(table Table, chain Chain) error
	// EnsureRule checks if the specified rule is present and, if not, creates it. If the rule existed, return true.
	EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error)
	// DeleteRule checks if the specified rule is present and, if so, deletes it.
	DeleteRule(table Table, chain Chain, args ...string) error
	// IsIpv6 returns true if this is managing ipv6 tables
	IsIpv6() bool
	// SaveInto calls `iptables-save` for table and stores result in a given buffer.
	SaveInto(table Table, buffer *bytes.Buffer) error
	// Restore runs `iptables-restore` passing data through []byte.
	// table is the Table to restore
	// data should be formatted like the output of SaveInto()
	// flush sets the presence of the "--noflush" flag. see: FlushFlag
	// counters sets the "--counters" flag. see: RestoreCountersFlag
	Restore(table Table, data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// RestoreAll is the same as Restore except that no table is specified.
	RestoreAll(data []byte, flush FlushFlag, counters RestoreCountersFlag) error
	// Monitor detects when the given iptables tables have been flushed by an external
	// tool (e.g. a firewall reload) by creating canary chains and polling to see if
	// they have been deleted. (Specifically, it polls tables[0] every interval until
	// the canary has been deleted from there, then waits a short additional time for
	// the canaries to be deleted from the remaining tables as well. You can optimize
	// the polling by listing a relatively empty table in tables[0]). When a flush is
	// detected, this calls the reloadFunc so the caller can reload their own iptables
	// rules. If it is unable to create the canary chains (either initially or after
	// a reload) it will log an error and stop monitoring.
	// (This function should be called from a goroutine.)
	Monitor(canary Chain, tables []Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})
	// HasRandomFully reveals whether `-j MASQUERADE` takes the
	// `--random-fully` option. This is helpful to work around a
	// Linux kernel bug that sometimes causes multiple flows to get
	// mapped to the same IP:PORT and consequently some suffer packet
	// drops.
	HasRandomFully() bool
}
An injectable interface for running iptables commands. Implementations must be goroutine-safe.
func New ¶
New returns a new Interface which will exec iptables.
type Protocol ¶
type Protocol byte
type RestoreCountersFlag ¶
type RestoreCountersFlag bool
Option flag for Restore
const NoRestoreCounters RestoreCountersFlag = false
const RestoreCounters RestoreCountersFlag = true
type RulePosition ¶
type RulePosition string
const (
	Prepend RulePosition = "-I"
	Append  RulePosition = "-A"
)
type Table ¶
type Table string
Source Files ¶
doc.go iptables.go iptables_unsupported.go save_restore.go
Directories ¶
Path | Synopsis |
---|---|
pkg/util/iptables/testing |
- Version: v1.17.0-rc.2
- Published: Dec 3, 2019
- Platform: js/wasm
- Imports: 14 packages